1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com> 8 * Chris Vance, <cvance@nai.com> 9 * Wayne Salamon, <wsalamon@nai.com> 10 * James Morris <jmorris@redhat.com> 11 * 12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 14 * Eric Paris <eparis@redhat.com> 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 16 * <dgoeddel@trustedcs.com> 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 18 * Paul Moore <paul@paul-moore.com> 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 20 * Yuichi Nakamura <ynakam@hitachisoft.jp> 21 * Copyright (C) 2016 Mellanox Technologies 22 */ 23 24 #include <linux/init.h> 25 #include <linux/kd.h> 26 #include <linux/kernel.h> 27 #include <linux/kernel_read_file.h> 28 #include <linux/errno.h> 29 #include <linux/sched/signal.h> 30 #include <linux/sched/task.h> 31 #include <linux/lsm_hooks.h> 32 #include <linux/xattr.h> 33 #include <linux/capability.h> 34 #include <linux/unistd.h> 35 #include <linux/mm.h> 36 #include <linux/mman.h> 37 #include <linux/slab.h> 38 #include <linux/pagemap.h> 39 #include <linux/proc_fs.h> 40 #include <linux/swap.h> 41 #include <linux/spinlock.h> 42 #include <linux/syscalls.h> 43 #include <linux/dcache.h> 44 #include <linux/file.h> 45 #include <linux/fdtable.h> 46 #include <linux/namei.h> 47 #include <linux/mount.h> 48 #include <linux/fs_context.h> 49 #include <linux/fs_parser.h> 50 #include <linux/netfilter_ipv4.h> 51 #include <linux/netfilter_ipv6.h> 52 #include <linux/tty.h> 53 #include <net/icmp.h> 54 #include <net/ip.h> /* for local_port_range[] */ 55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 56 #include <net/inet_connection_sock.h> 57 #include <net/net_namespace.h> 58 #include <net/netlabel.h> 59 #include <linux/uaccess.h> 60 #include <asm/ioctls.h> 61 #include <linux/atomic.h> 62 #include <linux/bitops.h> 63 #include <linux/interrupt.h> 64 #include <linux/netdevice.h> /* for network interface checks */ 65 #include <net/netlink.h> 66 #include <linux/tcp.h> 67 #include <linux/udp.h> 68 #include <linux/dccp.h> 69 #include <linux/sctp.h> 70 #include <net/sctp/structs.h> 71 #include <linux/quota.h> 72 #include <linux/un.h> /* for Unix socket types */ 73 #include <net/af_unix.h> /* for Unix socket types */ 74 #include <linux/parser.h> 75 #include <linux/nfs_mount.h> 76 #include <net/ipv6.h> 77 #include <linux/hugetlb.h> 78 #include <linux/personality.h> 79 #include <linux/audit.h> 80 #include <linux/string.h> 81 #include <linux/mutex.h> 82 #include <linux/posix-timers.h> 83 #include <linux/syslog.h> 84 #include <linux/user_namespace.h> 85 #include <linux/export.h> 86 #include <linux/msg.h> 87 #include <linux/shm.h> 88 #include <uapi/linux/shm.h> 89 #include <linux/bpf.h> 90 #include <linux/kernfs.h> 91 #include <linux/stringhash.h> /* for hashlen_string() */ 92 #include <uapi/linux/mount.h> 93 #include <linux/fsnotify.h> 94 #include <linux/fanotify.h> 95 #include <linux/io_uring/cmd.h> 96 #include <uapi/linux/lsm.h> 97 98 #include "avc.h" 99 #include "objsec.h" 100 #include "netif.h" 101 #include "netnode.h" 102 #include "netport.h" 103 #include "ibpkey.h" 104 #include "xfrm.h" 105 #include "netlabel.h" 106 #include "audit.h" 107 #include "avc_ss.h" 108 109 #define SELINUX_INODE_INIT_XATTRS 1 110 111 struct selinux_state selinux_state; 112 113 /* SECMARK reference count */ 114 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 115 116 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 117 static int selinux_enforcing_boot __initdata; 118 119 static int __init enforcing_setup(char *str) 120 { 121 unsigned long enforcing; 122 if (!kstrtoul(str, 0, &enforcing)) 123 selinux_enforcing_boot = enforcing ? 1 : 0; 124 return 1; 125 } 126 __setup("enforcing=", enforcing_setup); 127 #else 128 #define selinux_enforcing_boot 1 129 #endif 130 131 int selinux_enabled_boot __initdata = 1; 132 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 133 static int __init selinux_enabled_setup(char *str) 134 { 135 unsigned long enabled; 136 if (!kstrtoul(str, 0, &enabled)) 137 selinux_enabled_boot = enabled ? 1 : 0; 138 return 1; 139 } 140 __setup("selinux=", selinux_enabled_setup); 141 #endif 142 143 static int __init checkreqprot_setup(char *str) 144 { 145 unsigned long checkreqprot; 146 147 if (!kstrtoul(str, 0, &checkreqprot)) { 148 if (checkreqprot) 149 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is no longer supported.\n"); 150 } 151 return 1; 152 } 153 __setup("checkreqprot=", checkreqprot_setup); 154 155 /** 156 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 157 * 158 * Description: 159 * This function checks the SECMARK reference counter to see if any SECMARK 160 * targets are currently configured, if the reference counter is greater than 161 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 162 * enabled, false (0) if SECMARK is disabled. If the always_check_network 163 * policy capability is enabled, SECMARK is always considered enabled. 164 * 165 */ 166 static int selinux_secmark_enabled(void) 167 { 168 return (selinux_policycap_alwaysnetwork() || 169 atomic_read(&selinux_secmark_refcount)); 170 } 171 172 /** 173 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 174 * 175 * Description: 176 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 177 * (1) if any are enabled or false (0) if neither are enabled. If the 178 * always_check_network policy capability is enabled, peer labeling 179 * is always considered enabled. 180 * 181 */ 182 static int selinux_peerlbl_enabled(void) 183 { 184 return (selinux_policycap_alwaysnetwork() || 185 netlbl_enabled() || selinux_xfrm_enabled()); 186 } 187 188 static int selinux_netcache_avc_callback(u32 event) 189 { 190 if (event == AVC_CALLBACK_RESET) { 191 sel_netif_flush(); 192 sel_netnode_flush(); 193 sel_netport_flush(); 194 synchronize_net(); 195 } 196 return 0; 197 } 198 199 static int selinux_lsm_notifier_avc_callback(u32 event) 200 { 201 if (event == AVC_CALLBACK_RESET) { 202 sel_ib_pkey_flush(); 203 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); 204 } 205 206 return 0; 207 } 208 209 /* 210 * initialise the security for the init task 211 */ 212 static void cred_init_security(void) 213 { 214 struct task_security_struct *tsec; 215 216 /* NOTE: the lsm framework zeros out the buffer on allocation */ 217 218 tsec = selinux_cred(unrcu_pointer(current->real_cred)); 219 tsec->osid = tsec->sid = tsec->avdcache.sid = SECINITSID_KERNEL; 220 } 221 222 /* 223 * get the security ID of a set of credentials 224 */ 225 static inline u32 cred_sid(const struct cred *cred) 226 { 227 const struct task_security_struct *tsec; 228 229 tsec = selinux_cred(cred); 230 return tsec->sid; 231 } 232 233 static void __ad_net_init(struct common_audit_data *ad, 234 struct lsm_network_audit *net, 235 int ifindex, struct sock *sk, u16 family) 236 { 237 ad->type = LSM_AUDIT_DATA_NET; 238 ad->u.net = net; 239 net->netif = ifindex; 240 net->sk = sk; 241 net->family = family; 242 } 243 244 static void ad_net_init_from_sk(struct common_audit_data *ad, 245 struct lsm_network_audit *net, 246 struct sock *sk) 247 { 248 __ad_net_init(ad, net, 0, sk, 0); 249 } 250 251 static void ad_net_init_from_iif(struct common_audit_data *ad, 252 struct lsm_network_audit *net, 253 int ifindex, u16 family) 254 { 255 __ad_net_init(ad, net, ifindex, NULL, family); 256 } 257 258 /* 259 * get the objective security ID of a task 260 */ 261 static inline u32 task_sid_obj(const struct task_struct *task) 262 { 263 u32 sid; 264 265 rcu_read_lock(); 266 sid = cred_sid(__task_cred(task)); 267 rcu_read_unlock(); 268 return sid; 269 } 270 271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 272 273 /* 274 * Try reloading inode security labels that have been marked as invalid. The 275 * @may_sleep parameter indicates when sleeping and thus reloading labels is 276 * allowed; when set to false, returns -ECHILD when the label is 277 * invalid. The @dentry parameter should be set to a dentry of the inode. 278 */ 279 static int __inode_security_revalidate(struct inode *inode, 280 struct dentry *dentry, 281 bool may_sleep) 282 { 283 if (!selinux_initialized()) 284 return 0; 285 286 if (may_sleep) 287 might_sleep(); 288 else 289 return -ECHILD; 290 291 /* 292 * Check to ensure that an inode's SELinux state is valid and try 293 * reloading the inode security label if necessary. This will fail if 294 * @dentry is NULL and no dentry for this inode can be found; in that 295 * case, continue using the old label. 296 */ 297 inode_doinit_with_dentry(inode, dentry); 298 return 0; 299 } 300 301 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 302 { 303 return selinux_inode(inode); 304 } 305 306 static inline struct inode_security_struct *inode_security_rcu(struct inode *inode, 307 bool rcu) 308 { 309 int rc; 310 struct inode_security_struct *isec = selinux_inode(inode); 311 312 /* check below is racy, but revalidate will recheck with lock held */ 313 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 314 return isec; 315 rc = __inode_security_revalidate(inode, NULL, !rcu); 316 if (rc) 317 return ERR_PTR(rc); 318 return isec; 319 } 320 321 /* 322 * Get the security label of an inode. 323 */ 324 static inline struct inode_security_struct *inode_security(struct inode *inode) 325 { 326 struct inode_security_struct *isec = selinux_inode(inode); 327 328 /* check below is racy, but revalidate will recheck with lock held */ 329 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 330 return isec; 331 __inode_security_revalidate(inode, NULL, true); 332 return isec; 333 } 334 335 static inline struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 336 { 337 return selinux_inode(d_backing_inode(dentry)); 338 } 339 340 /* 341 * Get the security label of a dentry's backing inode. 342 */ 343 static inline struct inode_security_struct *backing_inode_security(struct dentry *dentry) 344 { 345 struct inode *inode = d_backing_inode(dentry); 346 struct inode_security_struct *isec = selinux_inode(inode); 347 348 /* check below is racy, but revalidate will recheck with lock held */ 349 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 350 return isec; 351 __inode_security_revalidate(inode, dentry, true); 352 return isec; 353 } 354 355 static void inode_free_security(struct inode *inode) 356 { 357 struct inode_security_struct *isec = selinux_inode(inode); 358 struct superblock_security_struct *sbsec; 359 360 if (!isec) 361 return; 362 sbsec = selinux_superblock(inode->i_sb); 363 /* 364 * As not all inode security structures are in a list, we check for 365 * empty list outside of the lock to make sure that we won't waste 366 * time taking a lock doing nothing. 367 * 368 * The list_del_init() function can be safely called more than once. 369 * It should not be possible for this function to be called with 370 * concurrent list_add(), but for better safety against future changes 371 * in the code, we use list_empty_careful() here. 372 */ 373 if (!list_empty_careful(&isec->list)) { 374 spin_lock(&sbsec->isec_lock); 375 list_del_init(&isec->list); 376 spin_unlock(&sbsec->isec_lock); 377 } 378 } 379 380 struct selinux_mnt_opts { 381 u32 fscontext_sid; 382 u32 context_sid; 383 u32 rootcontext_sid; 384 u32 defcontext_sid; 385 }; 386 387 static void selinux_free_mnt_opts(void *mnt_opts) 388 { 389 kfree(mnt_opts); 390 } 391 392 enum { 393 Opt_error = -1, 394 Opt_context = 0, 395 Opt_defcontext = 1, 396 Opt_fscontext = 2, 397 Opt_rootcontext = 3, 398 Opt_seclabel = 4, 399 }; 400 401 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} 402 static const struct { 403 const char *name; 404 int len; 405 int opt; 406 bool has_arg; 407 } tokens[] = { 408 A(context, true), 409 A(fscontext, true), 410 A(defcontext, true), 411 A(rootcontext, true), 412 A(seclabel, false), 413 }; 414 #undef A 415 416 static int match_opt_prefix(char *s, int l, char **arg) 417 { 418 unsigned int i; 419 420 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 421 size_t len = tokens[i].len; 422 if (len > l || memcmp(s, tokens[i].name, len)) 423 continue; 424 if (tokens[i].has_arg) { 425 if (len == l || s[len] != '=') 426 continue; 427 *arg = s + len + 1; 428 } else if (len != l) 429 continue; 430 return tokens[i].opt; 431 } 432 return Opt_error; 433 } 434 435 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 436 437 static int may_context_mount_sb_relabel(u32 sid, 438 struct superblock_security_struct *sbsec, 439 const struct cred *cred) 440 { 441 const struct task_security_struct *tsec = selinux_cred(cred); 442 int rc; 443 444 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 445 FILESYSTEM__RELABELFROM, NULL); 446 if (rc) 447 return rc; 448 449 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 450 FILESYSTEM__RELABELTO, NULL); 451 return rc; 452 } 453 454 static int may_context_mount_inode_relabel(u32 sid, 455 struct superblock_security_struct *sbsec, 456 const struct cred *cred) 457 { 458 const struct task_security_struct *tsec = selinux_cred(cred); 459 int rc; 460 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 461 FILESYSTEM__RELABELFROM, NULL); 462 if (rc) 463 return rc; 464 465 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 466 FILESYSTEM__ASSOCIATE, NULL); 467 return rc; 468 } 469 470 static int selinux_is_genfs_special_handling(struct super_block *sb) 471 { 472 /* Special handling. Genfs but also in-core setxattr handler */ 473 return !strcmp(sb->s_type->name, "sysfs") || 474 !strcmp(sb->s_type->name, "pstore") || 475 !strcmp(sb->s_type->name, "debugfs") || 476 !strcmp(sb->s_type->name, "tracefs") || 477 !strcmp(sb->s_type->name, "rootfs") || 478 (selinux_policycap_cgroupseclabel() && 479 (!strcmp(sb->s_type->name, "cgroup") || 480 !strcmp(sb->s_type->name, "cgroup2"))); 481 } 482 483 static int selinux_is_sblabel_mnt(struct super_block *sb) 484 { 485 struct superblock_security_struct *sbsec = selinux_superblock(sb); 486 487 /* 488 * IMPORTANT: Double-check logic in this function when adding a new 489 * SECURITY_FS_USE_* definition! 490 */ 491 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); 492 493 switch (sbsec->behavior) { 494 case SECURITY_FS_USE_XATTR: 495 case SECURITY_FS_USE_TRANS: 496 case SECURITY_FS_USE_TASK: 497 case SECURITY_FS_USE_NATIVE: 498 return 1; 499 500 case SECURITY_FS_USE_GENFS: 501 return selinux_is_genfs_special_handling(sb); 502 503 /* Never allow relabeling on context mounts */ 504 case SECURITY_FS_USE_MNTPOINT: 505 case SECURITY_FS_USE_NONE: 506 default: 507 return 0; 508 } 509 } 510 511 static int sb_check_xattr_support(struct super_block *sb) 512 { 513 struct superblock_security_struct *sbsec = selinux_superblock(sb); 514 struct dentry *root = sb->s_root; 515 struct inode *root_inode = d_backing_inode(root); 516 u32 sid; 517 int rc; 518 519 /* 520 * Make sure that the xattr handler exists and that no 521 * error other than -ENODATA is returned by getxattr on 522 * the root directory. -ENODATA is ok, as this may be 523 * the first boot of the SELinux kernel before we have 524 * assigned xattr values to the filesystem. 525 */ 526 if (!(root_inode->i_opflags & IOP_XATTR)) { 527 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n", 528 sb->s_id, sb->s_type->name); 529 goto fallback; 530 } 531 532 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 533 if (rc < 0 && rc != -ENODATA) { 534 if (rc == -EOPNOTSUPP) { 535 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n", 536 sb->s_id, sb->s_type->name); 537 goto fallback; 538 } else { 539 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n", 540 sb->s_id, sb->s_type->name, -rc); 541 return rc; 542 } 543 } 544 return 0; 545 546 fallback: 547 /* No xattr support - try to fallback to genfs if possible. */ 548 rc = security_genfs_sid(sb->s_type->name, "/", 549 SECCLASS_DIR, &sid); 550 if (rc) 551 return -EOPNOTSUPP; 552 553 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n", 554 sb->s_id, sb->s_type->name); 555 sbsec->behavior = SECURITY_FS_USE_GENFS; 556 sbsec->sid = sid; 557 return 0; 558 } 559 560 static int sb_finish_set_opts(struct super_block *sb) 561 { 562 struct superblock_security_struct *sbsec = selinux_superblock(sb); 563 struct dentry *root = sb->s_root; 564 struct inode *root_inode = d_backing_inode(root); 565 int rc = 0; 566 567 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 568 rc = sb_check_xattr_support(sb); 569 if (rc) 570 return rc; 571 } 572 573 sbsec->flags |= SE_SBINITIALIZED; 574 575 /* 576 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 577 * leave the flag untouched because sb_clone_mnt_opts might be handing 578 * us a superblock that needs the flag to be cleared. 579 */ 580 if (selinux_is_sblabel_mnt(sb)) 581 sbsec->flags |= SBLABEL_MNT; 582 else 583 sbsec->flags &= ~SBLABEL_MNT; 584 585 /* Initialize the root inode. */ 586 rc = inode_doinit_with_dentry(root_inode, root); 587 588 /* Initialize any other inodes associated with the superblock, e.g. 589 inodes created prior to initial policy load or inodes created 590 during get_sb by a pseudo filesystem that directly 591 populates itself. */ 592 spin_lock(&sbsec->isec_lock); 593 while (!list_empty(&sbsec->isec_head)) { 594 struct inode_security_struct *isec = 595 list_first_entry(&sbsec->isec_head, 596 struct inode_security_struct, list); 597 struct inode *inode = isec->inode; 598 list_del_init(&isec->list); 599 spin_unlock(&sbsec->isec_lock); 600 inode = igrab(inode); 601 if (inode) { 602 if (!IS_PRIVATE(inode)) 603 inode_doinit_with_dentry(inode, NULL); 604 iput(inode); 605 } 606 spin_lock(&sbsec->isec_lock); 607 } 608 spin_unlock(&sbsec->isec_lock); 609 return rc; 610 } 611 612 static int bad_option(struct superblock_security_struct *sbsec, char flag, 613 u32 old_sid, u32 new_sid) 614 { 615 char mnt_flags = sbsec->flags & SE_MNTMASK; 616 617 /* check if the old mount command had the same options */ 618 if (sbsec->flags & SE_SBINITIALIZED) 619 if (!(sbsec->flags & flag) || 620 (old_sid != new_sid)) 621 return 1; 622 623 /* check if we were passed the same options twice, 624 * aka someone passed context=a,context=b 625 */ 626 if (!(sbsec->flags & SE_SBINITIALIZED)) 627 if (mnt_flags & flag) 628 return 1; 629 return 0; 630 } 631 632 /* 633 * Allow filesystems with binary mount data to explicitly set mount point 634 * labeling information. 635 */ 636 static int selinux_set_mnt_opts(struct super_block *sb, 637 void *mnt_opts, 638 unsigned long kern_flags, 639 unsigned long *set_kern_flags) 640 { 641 const struct cred *cred = current_cred(); 642 struct superblock_security_struct *sbsec = selinux_superblock(sb); 643 struct dentry *root = sb->s_root; 644 struct selinux_mnt_opts *opts = mnt_opts; 645 struct inode_security_struct *root_isec; 646 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 647 u32 defcontext_sid = 0; 648 int rc = 0; 649 650 /* 651 * Specifying internal flags without providing a place to 652 * place the results is not allowed 653 */ 654 if (kern_flags && !set_kern_flags) 655 return -EINVAL; 656 657 mutex_lock(&sbsec->lock); 658 659 if (!selinux_initialized()) { 660 if (!opts) { 661 /* Defer initialization until selinux_complete_init, 662 after the initial policy is loaded and the security 663 server is ready to handle calls. */ 664 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) { 665 sbsec->flags |= SE_SBNATIVE; 666 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 667 } 668 goto out; 669 } 670 rc = -EINVAL; 671 pr_warn("SELinux: Unable to set superblock options " 672 "before the security server is initialized\n"); 673 goto out; 674 } 675 676 /* 677 * Binary mount data FS will come through this function twice. Once 678 * from an explicit call and once from the generic calls from the vfs. 679 * Since the generic VFS calls will not contain any security mount data 680 * we need to skip the double mount verification. 681 * 682 * This does open a hole in which we will not notice if the first 683 * mount using this sb set explicit options and a second mount using 684 * this sb does not set any security options. (The first options 685 * will be used for both mounts) 686 */ 687 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 688 && !opts) 689 goto out; 690 691 root_isec = backing_inode_security_novalidate(root); 692 693 /* 694 * parse the mount options, check if they are valid sids. 695 * also check if someone is trying to mount the same sb more 696 * than once with different security options. 697 */ 698 if (opts) { 699 if (opts->fscontext_sid) { 700 fscontext_sid = opts->fscontext_sid; 701 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 702 fscontext_sid)) 703 goto out_double_mount; 704 sbsec->flags |= FSCONTEXT_MNT; 705 } 706 if (opts->context_sid) { 707 context_sid = opts->context_sid; 708 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 709 context_sid)) 710 goto out_double_mount; 711 sbsec->flags |= CONTEXT_MNT; 712 } 713 if (opts->rootcontext_sid) { 714 rootcontext_sid = opts->rootcontext_sid; 715 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 716 rootcontext_sid)) 717 goto out_double_mount; 718 sbsec->flags |= ROOTCONTEXT_MNT; 719 } 720 if (opts->defcontext_sid) { 721 defcontext_sid = opts->defcontext_sid; 722 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 723 defcontext_sid)) 724 goto out_double_mount; 725 sbsec->flags |= DEFCONTEXT_MNT; 726 } 727 } 728 729 if (sbsec->flags & SE_SBINITIALIZED) { 730 /* previously mounted with options, but not on this attempt? */ 731 if ((sbsec->flags & SE_MNTMASK) && !opts) 732 goto out_double_mount; 733 rc = 0; 734 goto out; 735 } 736 737 if (strcmp(sb->s_type->name, "proc") == 0) 738 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 739 740 if (!strcmp(sb->s_type->name, "debugfs") || 741 !strcmp(sb->s_type->name, "tracefs") || 742 !strcmp(sb->s_type->name, "binder") || 743 !strcmp(sb->s_type->name, "bpf") || 744 !strcmp(sb->s_type->name, "pstore") || 745 !strcmp(sb->s_type->name, "securityfs")) 746 sbsec->flags |= SE_SBGENFS; 747 748 if (!strcmp(sb->s_type->name, "sysfs") || 749 !strcmp(sb->s_type->name, "cgroup") || 750 !strcmp(sb->s_type->name, "cgroup2")) 751 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR; 752 753 if (!sbsec->behavior) { 754 /* 755 * Determine the labeling behavior to use for this 756 * filesystem type. 757 */ 758 rc = security_fs_use(sb); 759 if (rc) { 760 pr_warn("%s: security_fs_use(%s) returned %d\n", 761 __func__, sb->s_type->name, rc); 762 goto out; 763 } 764 } 765 766 /* 767 * If this is a user namespace mount and the filesystem type is not 768 * explicitly whitelisted, then no contexts are allowed on the command 769 * line and security labels must be ignored. 770 */ 771 if (sb->s_user_ns != &init_user_ns && 772 strcmp(sb->s_type->name, "tmpfs") && 773 strcmp(sb->s_type->name, "ramfs") && 774 strcmp(sb->s_type->name, "devpts") && 775 strcmp(sb->s_type->name, "overlay")) { 776 if (context_sid || fscontext_sid || rootcontext_sid || 777 defcontext_sid) { 778 rc = -EACCES; 779 goto out; 780 } 781 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 782 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 783 rc = security_transition_sid(current_sid(), 784 current_sid(), 785 SECCLASS_FILE, NULL, 786 &sbsec->mntpoint_sid); 787 if (rc) 788 goto out; 789 } 790 goto out_set_opts; 791 } 792 793 /* sets the context of the superblock for the fs being mounted. */ 794 if (fscontext_sid) { 795 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 796 if (rc) 797 goto out; 798 799 sbsec->sid = fscontext_sid; 800 } 801 802 /* 803 * Switch to using mount point labeling behavior. 804 * sets the label used on all file below the mountpoint, and will set 805 * the superblock context if not already set. 806 */ 807 if (sbsec->flags & SE_SBNATIVE) { 808 /* 809 * This means we are initializing a superblock that has been 810 * mounted before the SELinux was initialized and the 811 * filesystem requested native labeling. We had already 812 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags 813 * in the original mount attempt, so now we just need to set 814 * the SECURITY_FS_USE_NATIVE behavior. 815 */ 816 sbsec->behavior = SECURITY_FS_USE_NATIVE; 817 } else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 818 sbsec->behavior = SECURITY_FS_USE_NATIVE; 819 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 820 } 821 822 if (context_sid) { 823 if (!fscontext_sid) { 824 rc = may_context_mount_sb_relabel(context_sid, sbsec, 825 cred); 826 if (rc) 827 goto out; 828 sbsec->sid = context_sid; 829 } else { 830 rc = may_context_mount_inode_relabel(context_sid, sbsec, 831 cred); 832 if (rc) 833 goto out; 834 } 835 if (!rootcontext_sid) 836 rootcontext_sid = context_sid; 837 838 sbsec->mntpoint_sid = context_sid; 839 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 840 } 841 842 if (rootcontext_sid) { 843 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 844 cred); 845 if (rc) 846 goto out; 847 848 root_isec->sid = rootcontext_sid; 849 root_isec->initialized = LABEL_INITIALIZED; 850 } 851 852 if (defcontext_sid) { 853 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 854 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 855 rc = -EINVAL; 856 pr_warn("SELinux: defcontext option is " 857 "invalid for this filesystem type\n"); 858 goto out; 859 } 860 861 if (defcontext_sid != sbsec->def_sid) { 862 rc = may_context_mount_inode_relabel(defcontext_sid, 863 sbsec, cred); 864 if (rc) 865 goto out; 866 } 867 868 sbsec->def_sid = defcontext_sid; 869 } 870 871 out_set_opts: 872 rc = sb_finish_set_opts(sb); 873 out: 874 mutex_unlock(&sbsec->lock); 875 return rc; 876 out_double_mount: 877 rc = -EINVAL; 878 pr_warn("SELinux: mount invalid. Same superblock, different " 879 "security settings for (dev %s, type %s)\n", sb->s_id, 880 sb->s_type->name); 881 goto out; 882 } 883 884 static int selinux_cmp_sb_context(const struct super_block *oldsb, 885 const struct super_block *newsb) 886 { 887 struct superblock_security_struct *old = selinux_superblock(oldsb); 888 struct superblock_security_struct *new = selinux_superblock(newsb); 889 char oldflags = old->flags & SE_MNTMASK; 890 char newflags = new->flags & SE_MNTMASK; 891 892 if (oldflags != newflags) 893 goto mismatch; 894 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 895 goto mismatch; 896 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 897 goto mismatch; 898 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 899 goto mismatch; 900 if (oldflags & ROOTCONTEXT_MNT) { 901 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 902 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 903 if (oldroot->sid != newroot->sid) 904 goto mismatch; 905 } 906 return 0; 907 mismatch: 908 pr_warn("SELinux: mount invalid. Same superblock, " 909 "different security settings for (dev %s, " 910 "type %s)\n", newsb->s_id, newsb->s_type->name); 911 return -EBUSY; 912 } 913 914 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 915 struct super_block *newsb, 916 unsigned long kern_flags, 917 unsigned long *set_kern_flags) 918 { 919 int rc = 0; 920 const struct superblock_security_struct *oldsbsec = 921 selinux_superblock(oldsb); 922 struct superblock_security_struct *newsbsec = selinux_superblock(newsb); 923 924 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 925 int set_context = (oldsbsec->flags & CONTEXT_MNT); 926 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 927 928 /* 929 * Specifying internal flags without providing a place to 930 * place the results is not allowed. 931 */ 932 if (kern_flags && !set_kern_flags) 933 return -EINVAL; 934 935 mutex_lock(&newsbsec->lock); 936 937 /* 938 * if the parent was able to be mounted it clearly had no special lsm 939 * mount options. thus we can safely deal with this superblock later 940 */ 941 if (!selinux_initialized()) { 942 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) { 943 newsbsec->flags |= SE_SBNATIVE; 944 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 945 } 946 goto out; 947 } 948 949 /* how can we clone if the old one wasn't set up?? */ 950 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 951 952 /* if fs is reusing a sb, make sure that the contexts match */ 953 if (newsbsec->flags & SE_SBINITIALIZED) { 954 mutex_unlock(&newsbsec->lock); 955 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) 956 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 957 return selinux_cmp_sb_context(oldsb, newsb); 958 } 959 960 newsbsec->flags = oldsbsec->flags; 961 962 newsbsec->sid = oldsbsec->sid; 963 newsbsec->def_sid = oldsbsec->def_sid; 964 newsbsec->behavior = oldsbsec->behavior; 965 966 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 967 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 968 rc = security_fs_use(newsb); 969 if (rc) 970 goto out; 971 } 972 973 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 974 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 975 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 976 } 977 978 if (set_context) { 979 u32 sid = oldsbsec->mntpoint_sid; 980 981 if (!set_fscontext) 982 newsbsec->sid = sid; 983 if (!set_rootcontext) { 984 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 985 newisec->sid = sid; 986 } 987 newsbsec->mntpoint_sid = sid; 988 } 989 if (set_rootcontext) { 990 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 991 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 992 993 newisec->sid = oldisec->sid; 994 } 995 996 sb_finish_set_opts(newsb); 997 out: 998 mutex_unlock(&newsbsec->lock); 999 return rc; 1000 } 1001 1002 /* 1003 * NOTE: the caller is responsible for freeing the memory even if on error. 1004 */ 1005 static int selinux_add_opt(int token, const char *s, void **mnt_opts) 1006 { 1007 struct selinux_mnt_opts *opts = *mnt_opts; 1008 u32 *dst_sid; 1009 int rc; 1010 1011 if (token == Opt_seclabel) 1012 /* eaten and completely ignored */ 1013 return 0; 1014 if (!s) 1015 return -EINVAL; 1016 1017 if (!selinux_initialized()) { 1018 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n"); 1019 return -EINVAL; 1020 } 1021 1022 if (!opts) { 1023 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 1024 if (!opts) 1025 return -ENOMEM; 1026 *mnt_opts = opts; 1027 } 1028 1029 switch (token) { 1030 case Opt_context: 1031 if (opts->context_sid || opts->defcontext_sid) 1032 goto err; 1033 dst_sid = &opts->context_sid; 1034 break; 1035 case Opt_fscontext: 1036 if (opts->fscontext_sid) 1037 goto err; 1038 dst_sid = &opts->fscontext_sid; 1039 break; 1040 case Opt_rootcontext: 1041 if (opts->rootcontext_sid) 1042 goto err; 1043 dst_sid = &opts->rootcontext_sid; 1044 break; 1045 case Opt_defcontext: 1046 if (opts->context_sid || opts->defcontext_sid) 1047 goto err; 1048 dst_sid = &opts->defcontext_sid; 1049 break; 1050 default: 1051 WARN_ON(1); 1052 return -EINVAL; 1053 } 1054 rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL); 1055 if (rc) 1056 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n", 1057 s, rc); 1058 return rc; 1059 1060 err: 1061 pr_warn(SEL_MOUNT_FAIL_MSG); 1062 return -EINVAL; 1063 } 1064 1065 static int show_sid(struct seq_file *m, u32 sid) 1066 { 1067 char *context = NULL; 1068 u32 len; 1069 int rc; 1070 1071 rc = security_sid_to_context(sid, &context, &len); 1072 if (!rc) { 1073 bool has_comma = strchr(context, ','); 1074 1075 seq_putc(m, '='); 1076 if (has_comma) 1077 seq_putc(m, '\"'); 1078 seq_escape(m, context, "\"\n\\"); 1079 if (has_comma) 1080 seq_putc(m, '\"'); 1081 } 1082 kfree(context); 1083 return rc; 1084 } 1085 1086 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1087 { 1088 struct superblock_security_struct *sbsec = selinux_superblock(sb); 1089 int rc; 1090 1091 if (!(sbsec->flags & SE_SBINITIALIZED)) 1092 return 0; 1093 1094 if (!selinux_initialized()) 1095 return 0; 1096 1097 if (sbsec->flags & FSCONTEXT_MNT) { 1098 seq_putc(m, ','); 1099 seq_puts(m, FSCONTEXT_STR); 1100 rc = show_sid(m, sbsec->sid); 1101 if (rc) 1102 return rc; 1103 } 1104 if (sbsec->flags & CONTEXT_MNT) { 1105 seq_putc(m, ','); 1106 seq_puts(m, CONTEXT_STR); 1107 rc = show_sid(m, sbsec->mntpoint_sid); 1108 if (rc) 1109 return rc; 1110 } 1111 if (sbsec->flags & DEFCONTEXT_MNT) { 1112 seq_putc(m, ','); 1113 seq_puts(m, DEFCONTEXT_STR); 1114 rc = show_sid(m, sbsec->def_sid); 1115 if (rc) 1116 return rc; 1117 } 1118 if (sbsec->flags & ROOTCONTEXT_MNT) { 1119 struct dentry *root = sb->s_root; 1120 struct inode_security_struct *isec = backing_inode_security(root); 1121 seq_putc(m, ','); 1122 seq_puts(m, ROOTCONTEXT_STR); 1123 rc = show_sid(m, isec->sid); 1124 if (rc) 1125 return rc; 1126 } 1127 if (sbsec->flags & SBLABEL_MNT) { 1128 seq_putc(m, ','); 1129 seq_puts(m, SECLABEL_STR); 1130 } 1131 return 0; 1132 } 1133 1134 static inline u16 inode_mode_to_security_class(umode_t mode) 1135 { 1136 switch (mode & S_IFMT) { 1137 case S_IFSOCK: 1138 return SECCLASS_SOCK_FILE; 1139 case S_IFLNK: 1140 return SECCLASS_LNK_FILE; 1141 case S_IFREG: 1142 return SECCLASS_FILE; 1143 case S_IFBLK: 1144 return SECCLASS_BLK_FILE; 1145 case S_IFDIR: 1146 return SECCLASS_DIR; 1147 case S_IFCHR: 1148 return SECCLASS_CHR_FILE; 1149 case S_IFIFO: 1150 return SECCLASS_FIFO_FILE; 1151 1152 } 1153 1154 return SECCLASS_FILE; 1155 } 1156 1157 static inline int default_protocol_stream(int protocol) 1158 { 1159 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP || 1160 protocol == IPPROTO_MPTCP); 1161 } 1162 1163 static inline int default_protocol_dgram(int protocol) 1164 { 1165 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1166 } 1167 1168 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1169 { 1170 bool extsockclass = selinux_policycap_extsockclass(); 1171 1172 switch (family) { 1173 case PF_UNIX: 1174 switch (type) { 1175 case SOCK_STREAM: 1176 case SOCK_SEQPACKET: 1177 return SECCLASS_UNIX_STREAM_SOCKET; 1178 case SOCK_DGRAM: 1179 case SOCK_RAW: 1180 return SECCLASS_UNIX_DGRAM_SOCKET; 1181 } 1182 break; 1183 case PF_INET: 1184 case PF_INET6: 1185 switch (type) { 1186 case SOCK_STREAM: 1187 case SOCK_SEQPACKET: 1188 if (default_protocol_stream(protocol)) 1189 return SECCLASS_TCP_SOCKET; 1190 else if (extsockclass && protocol == IPPROTO_SCTP) 1191 return SECCLASS_SCTP_SOCKET; 1192 else 1193 return SECCLASS_RAWIP_SOCKET; 1194 case SOCK_DGRAM: 1195 if (default_protocol_dgram(protocol)) 1196 return SECCLASS_UDP_SOCKET; 1197 else if (extsockclass && (protocol == IPPROTO_ICMP || 1198 protocol == IPPROTO_ICMPV6)) 1199 return SECCLASS_ICMP_SOCKET; 1200 else 1201 return SECCLASS_RAWIP_SOCKET; 1202 case SOCK_DCCP: 1203 return SECCLASS_DCCP_SOCKET; 1204 default: 1205 return SECCLASS_RAWIP_SOCKET; 1206 } 1207 break; 1208 case PF_NETLINK: 1209 switch (protocol) { 1210 case NETLINK_ROUTE: 1211 return SECCLASS_NETLINK_ROUTE_SOCKET; 1212 case NETLINK_SOCK_DIAG: 1213 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1214 case NETLINK_NFLOG: 1215 return SECCLASS_NETLINK_NFLOG_SOCKET; 1216 case NETLINK_XFRM: 1217 return SECCLASS_NETLINK_XFRM_SOCKET; 1218 case NETLINK_SELINUX: 1219 return SECCLASS_NETLINK_SELINUX_SOCKET; 1220 case NETLINK_ISCSI: 1221 return SECCLASS_NETLINK_ISCSI_SOCKET; 1222 case NETLINK_AUDIT: 1223 return SECCLASS_NETLINK_AUDIT_SOCKET; 1224 case NETLINK_FIB_LOOKUP: 1225 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1226 case NETLINK_CONNECTOR: 1227 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1228 case NETLINK_NETFILTER: 1229 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1230 case NETLINK_DNRTMSG: 1231 return SECCLASS_NETLINK_DNRT_SOCKET; 1232 case NETLINK_KOBJECT_UEVENT: 1233 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1234 case NETLINK_GENERIC: 1235 return SECCLASS_NETLINK_GENERIC_SOCKET; 1236 case NETLINK_SCSITRANSPORT: 1237 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1238 case NETLINK_RDMA: 1239 return SECCLASS_NETLINK_RDMA_SOCKET; 1240 case NETLINK_CRYPTO: 1241 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1242 default: 1243 return SECCLASS_NETLINK_SOCKET; 1244 } 1245 case PF_PACKET: 1246 return SECCLASS_PACKET_SOCKET; 1247 case PF_KEY: 1248 return SECCLASS_KEY_SOCKET; 1249 case PF_APPLETALK: 1250 return SECCLASS_APPLETALK_SOCKET; 1251 } 1252 1253 if (extsockclass) { 1254 switch (family) { 1255 case PF_AX25: 1256 return SECCLASS_AX25_SOCKET; 1257 case PF_IPX: 1258 return SECCLASS_IPX_SOCKET; 1259 case PF_NETROM: 1260 return SECCLASS_NETROM_SOCKET; 1261 case PF_ATMPVC: 1262 return SECCLASS_ATMPVC_SOCKET; 1263 case PF_X25: 1264 return SECCLASS_X25_SOCKET; 1265 case PF_ROSE: 1266 return SECCLASS_ROSE_SOCKET; 1267 case PF_DECnet: 1268 return SECCLASS_DECNET_SOCKET; 1269 case PF_ATMSVC: 1270 return SECCLASS_ATMSVC_SOCKET; 1271 case PF_RDS: 1272 return SECCLASS_RDS_SOCKET; 1273 case PF_IRDA: 1274 return SECCLASS_IRDA_SOCKET; 1275 case PF_PPPOX: 1276 return SECCLASS_PPPOX_SOCKET; 1277 case PF_LLC: 1278 return SECCLASS_LLC_SOCKET; 1279 case PF_CAN: 1280 return SECCLASS_CAN_SOCKET; 1281 case PF_TIPC: 1282 return SECCLASS_TIPC_SOCKET; 1283 case PF_BLUETOOTH: 1284 return SECCLASS_BLUETOOTH_SOCKET; 1285 case PF_IUCV: 1286 return SECCLASS_IUCV_SOCKET; 1287 case PF_RXRPC: 1288 return SECCLASS_RXRPC_SOCKET; 1289 case PF_ISDN: 1290 return SECCLASS_ISDN_SOCKET; 1291 case PF_PHONET: 1292 return SECCLASS_PHONET_SOCKET; 1293 case PF_IEEE802154: 1294 return SECCLASS_IEEE802154_SOCKET; 1295 case PF_CAIF: 1296 return SECCLASS_CAIF_SOCKET; 1297 case PF_ALG: 1298 return SECCLASS_ALG_SOCKET; 1299 case PF_NFC: 1300 return SECCLASS_NFC_SOCKET; 1301 case PF_VSOCK: 1302 return SECCLASS_VSOCK_SOCKET; 1303 case PF_KCM: 1304 return SECCLASS_KCM_SOCKET; 1305 case PF_QIPCRTR: 1306 return SECCLASS_QIPCRTR_SOCKET; 1307 case PF_SMC: 1308 return SECCLASS_SMC_SOCKET; 1309 case PF_XDP: 1310 return SECCLASS_XDP_SOCKET; 1311 case PF_MCTP: 1312 return SECCLASS_MCTP_SOCKET; 1313 #if PF_MAX > 46 1314 #error New address family defined, please update this function. 1315 #endif 1316 } 1317 } 1318 1319 return SECCLASS_SOCKET; 1320 } 1321 1322 static int selinux_genfs_get_sid(struct dentry *dentry, 1323 u16 tclass, 1324 u16 flags, 1325 u32 *sid) 1326 { 1327 int rc; 1328 struct super_block *sb = dentry->d_sb; 1329 char *buffer, *path; 1330 1331 buffer = (char *)__get_free_page(GFP_KERNEL); 1332 if (!buffer) 1333 return -ENOMEM; 1334 1335 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1336 if (IS_ERR(path)) 1337 rc = PTR_ERR(path); 1338 else { 1339 if (flags & SE_SBPROC) { 1340 /* each process gets a /proc/PID/ entry. Strip off the 1341 * PID part to get a valid selinux labeling. 1342 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1343 while (path[1] >= '0' && path[1] <= '9') { 1344 path[1] = '/'; 1345 path++; 1346 } 1347 } 1348 rc = security_genfs_sid(sb->s_type->name, 1349 path, tclass, sid); 1350 if (rc == -ENOENT) { 1351 /* No match in policy, mark as unlabeled. */ 1352 *sid = SECINITSID_UNLABELED; 1353 rc = 0; 1354 } 1355 } 1356 free_page((unsigned long)buffer); 1357 return rc; 1358 } 1359 1360 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry, 1361 u32 def_sid, u32 *sid) 1362 { 1363 #define INITCONTEXTLEN 255 1364 char *context; 1365 unsigned int len; 1366 int rc; 1367 1368 len = INITCONTEXTLEN; 1369 context = kmalloc(len + 1, GFP_NOFS); 1370 if (!context) 1371 return -ENOMEM; 1372 1373 context[len] = '\0'; 1374 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1375 if (rc == -ERANGE) { 1376 kfree(context); 1377 1378 /* Need a larger buffer. Query for the right size. */ 1379 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1380 if (rc < 0) 1381 return rc; 1382 1383 len = rc; 1384 context = kmalloc(len + 1, GFP_NOFS); 1385 if (!context) 1386 return -ENOMEM; 1387 1388 context[len] = '\0'; 1389 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, 1390 context, len); 1391 } 1392 if (rc < 0) { 1393 kfree(context); 1394 if (rc != -ENODATA) { 1395 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n", 1396 __func__, -rc, inode->i_sb->s_id, inode->i_ino); 1397 return rc; 1398 } 1399 *sid = def_sid; 1400 return 0; 1401 } 1402 1403 rc = security_context_to_sid_default(context, rc, sid, 1404 def_sid, GFP_NOFS); 1405 if (rc) { 1406 char *dev = inode->i_sb->s_id; 1407 unsigned long ino = inode->i_ino; 1408 1409 if (rc == -EINVAL) { 1410 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n", 1411 ino, dev, context); 1412 } else { 1413 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n", 1414 __func__, context, -rc, dev, ino); 1415 } 1416 } 1417 kfree(context); 1418 return 0; 1419 } 1420 1421 /* The inode's security attributes must be initialized before first use. */ 1422 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1423 { 1424 struct superblock_security_struct *sbsec = NULL; 1425 struct inode_security_struct *isec = selinux_inode(inode); 1426 u32 task_sid, sid = 0; 1427 u16 sclass; 1428 struct dentry *dentry; 1429 int rc = 0; 1430 1431 if (isec->initialized == LABEL_INITIALIZED) 1432 return 0; 1433 1434 spin_lock(&isec->lock); 1435 if (isec->initialized == LABEL_INITIALIZED) 1436 goto out_unlock; 1437 1438 if (isec->sclass == SECCLASS_FILE) 1439 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1440 1441 sbsec = selinux_superblock(inode->i_sb); 1442 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1443 /* Defer initialization until selinux_complete_init, 1444 after the initial policy is loaded and the security 1445 server is ready to handle calls. */ 1446 spin_lock(&sbsec->isec_lock); 1447 if (list_empty(&isec->list)) 1448 list_add(&isec->list, &sbsec->isec_head); 1449 spin_unlock(&sbsec->isec_lock); 1450 goto out_unlock; 1451 } 1452 1453 sclass = isec->sclass; 1454 task_sid = isec->task_sid; 1455 sid = isec->sid; 1456 isec->initialized = LABEL_PENDING; 1457 spin_unlock(&isec->lock); 1458 1459 switch (sbsec->behavior) { 1460 /* 1461 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels 1462 * via xattr when called from delayed_superblock_init(). 1463 */ 1464 case SECURITY_FS_USE_NATIVE: 1465 case SECURITY_FS_USE_XATTR: 1466 if (!(inode->i_opflags & IOP_XATTR)) { 1467 sid = sbsec->def_sid; 1468 break; 1469 } 1470 /* Need a dentry, since the xattr API requires one. 1471 Life would be simpler if we could just pass the inode. */ 1472 if (opt_dentry) { 1473 /* Called from d_instantiate or d_splice_alias. */ 1474 dentry = dget(opt_dentry); 1475 } else { 1476 /* 1477 * Called from selinux_complete_init, try to find a dentry. 1478 * Some filesystems really want a connected one, so try 1479 * that first. We could split SECURITY_FS_USE_XATTR in 1480 * two, depending upon that... 1481 */ 1482 dentry = d_find_alias(inode); 1483 if (!dentry) 1484 dentry = d_find_any_alias(inode); 1485 } 1486 if (!dentry) { 1487 /* 1488 * this is can be hit on boot when a file is accessed 1489 * before the policy is loaded. When we load policy we 1490 * may find inodes that have no dentry on the 1491 * sbsec->isec_head list. No reason to complain as these 1492 * will get fixed up the next time we go through 1493 * inode_doinit with a dentry, before these inodes could 1494 * be used again by userspace. 1495 */ 1496 goto out_invalid; 1497 } 1498 1499 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid, 1500 &sid); 1501 dput(dentry); 1502 if (rc) 1503 goto out; 1504 break; 1505 case SECURITY_FS_USE_TASK: 1506 sid = task_sid; 1507 break; 1508 case SECURITY_FS_USE_TRANS: 1509 /* Default to the fs SID. */ 1510 sid = sbsec->sid; 1511 1512 /* Try to obtain a transition SID. */ 1513 rc = security_transition_sid(task_sid, sid, 1514 sclass, NULL, &sid); 1515 if (rc) 1516 goto out; 1517 break; 1518 case SECURITY_FS_USE_MNTPOINT: 1519 sid = sbsec->mntpoint_sid; 1520 break; 1521 default: 1522 /* Default to the fs superblock SID. */ 1523 sid = sbsec->sid; 1524 1525 if ((sbsec->flags & SE_SBGENFS) && 1526 (!S_ISLNK(inode->i_mode) || 1527 selinux_policycap_genfs_seclabel_symlinks())) { 1528 /* We must have a dentry to determine the label on 1529 * procfs inodes */ 1530 if (opt_dentry) { 1531 /* Called from d_instantiate or 1532 * d_splice_alias. */ 1533 dentry = dget(opt_dentry); 1534 } else { 1535 /* Called from selinux_complete_init, try to 1536 * find a dentry. Some filesystems really want 1537 * a connected one, so try that first. 1538 */ 1539 dentry = d_find_alias(inode); 1540 if (!dentry) 1541 dentry = d_find_any_alias(inode); 1542 } 1543 /* 1544 * This can be hit on boot when a file is accessed 1545 * before the policy is loaded. When we load policy we 1546 * may find inodes that have no dentry on the 1547 * sbsec->isec_head list. No reason to complain as 1548 * these will get fixed up the next time we go through 1549 * inode_doinit() with a dentry, before these inodes 1550 * could be used again by userspace. 1551 */ 1552 if (!dentry) 1553 goto out_invalid; 1554 rc = selinux_genfs_get_sid(dentry, sclass, 1555 sbsec->flags, &sid); 1556 if (rc) { 1557 dput(dentry); 1558 goto out; 1559 } 1560 1561 if ((sbsec->flags & SE_SBGENFS_XATTR) && 1562 (inode->i_opflags & IOP_XATTR)) { 1563 rc = inode_doinit_use_xattr(inode, dentry, 1564 sid, &sid); 1565 if (rc) { 1566 dput(dentry); 1567 goto out; 1568 } 1569 } 1570 dput(dentry); 1571 } 1572 break; 1573 } 1574 1575 out: 1576 spin_lock(&isec->lock); 1577 if (isec->initialized == LABEL_PENDING) { 1578 if (rc) { 1579 isec->initialized = LABEL_INVALID; 1580 goto out_unlock; 1581 } 1582 isec->initialized = LABEL_INITIALIZED; 1583 isec->sid = sid; 1584 } 1585 1586 out_unlock: 1587 spin_unlock(&isec->lock); 1588 return rc; 1589 1590 out_invalid: 1591 spin_lock(&isec->lock); 1592 if (isec->initialized == LABEL_PENDING) { 1593 isec->initialized = LABEL_INVALID; 1594 isec->sid = sid; 1595 } 1596 spin_unlock(&isec->lock); 1597 return 0; 1598 } 1599 1600 /* Convert a Linux signal to an access vector. */ 1601 static inline u32 signal_to_av(int sig) 1602 { 1603 u32 perm = 0; 1604 1605 switch (sig) { 1606 case SIGCHLD: 1607 /* Commonly granted from child to parent. */ 1608 perm = PROCESS__SIGCHLD; 1609 break; 1610 case SIGKILL: 1611 /* Cannot be caught or ignored */ 1612 perm = PROCESS__SIGKILL; 1613 break; 1614 case SIGSTOP: 1615 /* Cannot be caught or ignored */ 1616 perm = PROCESS__SIGSTOP; 1617 break; 1618 default: 1619 /* All other signals. */ 1620 perm = PROCESS__SIGNAL; 1621 break; 1622 } 1623 1624 return perm; 1625 } 1626 1627 #if CAP_LAST_CAP > 63 1628 #error Fix SELinux to handle capabilities > 63. 1629 #endif 1630 1631 /* Check whether a task is allowed to use a capability. */ 1632 static int cred_has_capability(const struct cred *cred, 1633 int cap, unsigned int opts, bool initns) 1634 { 1635 struct common_audit_data ad; 1636 struct av_decision avd; 1637 u16 sclass; 1638 u32 sid = cred_sid(cred); 1639 u32 av = CAP_TO_MASK(cap); 1640 int rc; 1641 1642 ad.type = LSM_AUDIT_DATA_CAP; 1643 ad.u.cap = cap; 1644 1645 switch (CAP_TO_INDEX(cap)) { 1646 case 0: 1647 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1648 break; 1649 case 1: 1650 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1651 break; 1652 default: 1653 pr_err("SELinux: out of range capability %d\n", cap); 1654 BUG(); 1655 return -EINVAL; 1656 } 1657 1658 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1659 if (!(opts & CAP_OPT_NOAUDIT)) { 1660 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); 1661 if (rc2) 1662 return rc2; 1663 } 1664 return rc; 1665 } 1666 1667 /* Check whether a task has a particular permission to an inode. 1668 The 'adp' parameter is optional and allows other audit 1669 data to be passed (e.g. the dentry). */ 1670 static int inode_has_perm(const struct cred *cred, 1671 struct inode *inode, 1672 u32 perms, 1673 struct common_audit_data *adp) 1674 { 1675 struct inode_security_struct *isec; 1676 u32 sid; 1677 1678 if (unlikely(IS_PRIVATE(inode))) 1679 return 0; 1680 1681 sid = cred_sid(cred); 1682 isec = selinux_inode(inode); 1683 1684 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1685 } 1686 1687 /* Same as inode_has_perm, but pass explicit audit data containing 1688 the dentry to help the auditing code to more easily generate the 1689 pathname if needed. */ 1690 static inline int dentry_has_perm(const struct cred *cred, 1691 struct dentry *dentry, 1692 u32 av) 1693 { 1694 struct common_audit_data ad; 1695 struct inode *inode = d_backing_inode(dentry); 1696 struct inode_security_struct *isec = selinux_inode(inode); 1697 1698 ad.type = LSM_AUDIT_DATA_DENTRY; 1699 ad.u.dentry = dentry; 1700 /* check below is racy, but revalidate will recheck with lock held */ 1701 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED))) 1702 __inode_security_revalidate(inode, dentry, true); 1703 return inode_has_perm(cred, inode, av, &ad); 1704 } 1705 1706 /* Same as inode_has_perm, but pass explicit audit data containing 1707 the path to help the auditing code to more easily generate the 1708 pathname if needed. */ 1709 static inline int path_has_perm(const struct cred *cred, 1710 const struct path *path, 1711 u32 av) 1712 { 1713 struct common_audit_data ad; 1714 struct inode *inode = d_backing_inode(path->dentry); 1715 struct inode_security_struct *isec = selinux_inode(inode); 1716 1717 ad.type = LSM_AUDIT_DATA_PATH; 1718 ad.u.path = *path; 1719 /* check below is racy, but revalidate will recheck with lock held */ 1720 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED))) 1721 __inode_security_revalidate(inode, path->dentry, true); 1722 return inode_has_perm(cred, inode, av, &ad); 1723 } 1724 1725 /* Same as path_has_perm, but uses the inode from the file struct. */ 1726 static inline int file_path_has_perm(const struct cred *cred, 1727 struct file *file, 1728 u32 av) 1729 { 1730 struct common_audit_data ad; 1731 1732 ad.type = LSM_AUDIT_DATA_FILE; 1733 ad.u.file = file; 1734 return inode_has_perm(cred, file_inode(file), av, &ad); 1735 } 1736 1737 #ifdef CONFIG_BPF_SYSCALL 1738 static int bpf_fd_pass(const struct file *file, u32 sid); 1739 #endif 1740 1741 /* Check whether a task can use an open file descriptor to 1742 access an inode in a given way. Check access to the 1743 descriptor itself, and then use dentry_has_perm to 1744 check a particular permission to the file. 1745 Access to the descriptor is implicitly granted if it 1746 has the same SID as the process. If av is zero, then 1747 access to the file is not checked, e.g. for cases 1748 where only the descriptor is affected like seek. */ 1749 static int file_has_perm(const struct cred *cred, 1750 struct file *file, 1751 u32 av) 1752 { 1753 struct file_security_struct *fsec = selinux_file(file); 1754 struct inode *inode = file_inode(file); 1755 struct common_audit_data ad; 1756 u32 sid = cred_sid(cred); 1757 int rc; 1758 1759 ad.type = LSM_AUDIT_DATA_FILE; 1760 ad.u.file = file; 1761 1762 if (sid != fsec->sid) { 1763 rc = avc_has_perm(sid, fsec->sid, 1764 SECCLASS_FD, 1765 FD__USE, 1766 &ad); 1767 if (rc) 1768 goto out; 1769 } 1770 1771 #ifdef CONFIG_BPF_SYSCALL 1772 rc = bpf_fd_pass(file, cred_sid(cred)); 1773 if (rc) 1774 return rc; 1775 #endif 1776 1777 /* av is zero if only checking access to the descriptor. */ 1778 rc = 0; 1779 if (av) 1780 rc = inode_has_perm(cred, inode, av, &ad); 1781 1782 out: 1783 return rc; 1784 } 1785 1786 /* 1787 * Determine the label for an inode that might be unioned. 1788 */ 1789 static int 1790 selinux_determine_inode_label(const struct task_security_struct *tsec, 1791 struct inode *dir, 1792 const struct qstr *name, u16 tclass, 1793 u32 *_new_isid) 1794 { 1795 const struct superblock_security_struct *sbsec = 1796 selinux_superblock(dir->i_sb); 1797 1798 if ((sbsec->flags & SE_SBINITIALIZED) && 1799 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1800 *_new_isid = sbsec->mntpoint_sid; 1801 } else if ((sbsec->flags & SBLABEL_MNT) && 1802 tsec->create_sid) { 1803 *_new_isid = tsec->create_sid; 1804 } else { 1805 const struct inode_security_struct *dsec = inode_security(dir); 1806 return security_transition_sid(tsec->sid, 1807 dsec->sid, tclass, 1808 name, _new_isid); 1809 } 1810 1811 return 0; 1812 } 1813 1814 /* Check whether a task can create a file. */ 1815 static int may_create(struct inode *dir, 1816 struct dentry *dentry, 1817 u16 tclass) 1818 { 1819 const struct task_security_struct *tsec = selinux_cred(current_cred()); 1820 struct inode_security_struct *dsec; 1821 struct superblock_security_struct *sbsec; 1822 u32 sid, newsid; 1823 struct common_audit_data ad; 1824 int rc; 1825 1826 dsec = inode_security(dir); 1827 sbsec = selinux_superblock(dir->i_sb); 1828 1829 sid = tsec->sid; 1830 1831 ad.type = LSM_AUDIT_DATA_DENTRY; 1832 ad.u.dentry = dentry; 1833 1834 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1835 DIR__ADD_NAME | DIR__SEARCH, 1836 &ad); 1837 if (rc) 1838 return rc; 1839 1840 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass, 1841 &newsid); 1842 if (rc) 1843 return rc; 1844 1845 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1846 if (rc) 1847 return rc; 1848 1849 return avc_has_perm(newsid, sbsec->sid, 1850 SECCLASS_FILESYSTEM, 1851 FILESYSTEM__ASSOCIATE, &ad); 1852 } 1853 1854 #define MAY_LINK 0 1855 #define MAY_UNLINK 1 1856 #define MAY_RMDIR 2 1857 1858 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1859 static int may_link(struct inode *dir, 1860 struct dentry *dentry, 1861 int kind) 1862 1863 { 1864 struct inode_security_struct *dsec, *isec; 1865 struct common_audit_data ad; 1866 u32 sid = current_sid(); 1867 u32 av; 1868 int rc; 1869 1870 dsec = inode_security(dir); 1871 isec = backing_inode_security(dentry); 1872 1873 ad.type = LSM_AUDIT_DATA_DENTRY; 1874 ad.u.dentry = dentry; 1875 1876 av = DIR__SEARCH; 1877 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1878 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1879 if (rc) 1880 return rc; 1881 1882 switch (kind) { 1883 case MAY_LINK: 1884 av = FILE__LINK; 1885 break; 1886 case MAY_UNLINK: 1887 av = FILE__UNLINK; 1888 break; 1889 case MAY_RMDIR: 1890 av = DIR__RMDIR; 1891 break; 1892 default: 1893 pr_warn("SELinux: %s: unrecognized kind %d\n", 1894 __func__, kind); 1895 return 0; 1896 } 1897 1898 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1899 return rc; 1900 } 1901 1902 static inline int may_rename(struct inode *old_dir, 1903 struct dentry *old_dentry, 1904 struct inode *new_dir, 1905 struct dentry *new_dentry) 1906 { 1907 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1908 struct common_audit_data ad; 1909 u32 sid = current_sid(); 1910 u32 av; 1911 int old_is_dir, new_is_dir; 1912 int rc; 1913 1914 old_dsec = inode_security(old_dir); 1915 old_isec = backing_inode_security(old_dentry); 1916 old_is_dir = d_is_dir(old_dentry); 1917 new_dsec = inode_security(new_dir); 1918 1919 ad.type = LSM_AUDIT_DATA_DENTRY; 1920 1921 ad.u.dentry = old_dentry; 1922 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1923 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1924 if (rc) 1925 return rc; 1926 rc = avc_has_perm(sid, old_isec->sid, 1927 old_isec->sclass, FILE__RENAME, &ad); 1928 if (rc) 1929 return rc; 1930 if (old_is_dir && new_dir != old_dir) { 1931 rc = avc_has_perm(sid, old_isec->sid, 1932 old_isec->sclass, DIR__REPARENT, &ad); 1933 if (rc) 1934 return rc; 1935 } 1936 1937 ad.u.dentry = new_dentry; 1938 av = DIR__ADD_NAME | DIR__SEARCH; 1939 if (d_is_positive(new_dentry)) 1940 av |= DIR__REMOVE_NAME; 1941 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1942 if (rc) 1943 return rc; 1944 if (d_is_positive(new_dentry)) { 1945 new_isec = backing_inode_security(new_dentry); 1946 new_is_dir = d_is_dir(new_dentry); 1947 rc = avc_has_perm(sid, new_isec->sid, 1948 new_isec->sclass, 1949 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1950 if (rc) 1951 return rc; 1952 } 1953 1954 return 0; 1955 } 1956 1957 /* Check whether a task can perform a filesystem operation. */ 1958 static int superblock_has_perm(const struct cred *cred, 1959 const struct super_block *sb, 1960 u32 perms, 1961 struct common_audit_data *ad) 1962 { 1963 struct superblock_security_struct *sbsec; 1964 u32 sid = cred_sid(cred); 1965 1966 sbsec = selinux_superblock(sb); 1967 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1968 } 1969 1970 /* Convert a Linux mode and permission mask to an access vector. */ 1971 static inline u32 file_mask_to_av(int mode, int mask) 1972 { 1973 u32 av = 0; 1974 1975 if (!S_ISDIR(mode)) { 1976 if (mask & MAY_EXEC) 1977 av |= FILE__EXECUTE; 1978 if (mask & MAY_READ) 1979 av |= FILE__READ; 1980 1981 if (mask & MAY_APPEND) 1982 av |= FILE__APPEND; 1983 else if (mask & MAY_WRITE) 1984 av |= FILE__WRITE; 1985 1986 } else { 1987 if (mask & MAY_EXEC) 1988 av |= DIR__SEARCH; 1989 if (mask & MAY_WRITE) 1990 av |= DIR__WRITE; 1991 if (mask & MAY_READ) 1992 av |= DIR__READ; 1993 } 1994 1995 return av; 1996 } 1997 1998 /* Convert a Linux file to an access vector. */ 1999 static inline u32 file_to_av(const struct file *file) 2000 { 2001 u32 av = 0; 2002 2003 if (file->f_mode & FMODE_READ) 2004 av |= FILE__READ; 2005 if (file->f_mode & FMODE_WRITE) { 2006 if (file->f_flags & O_APPEND) 2007 av |= FILE__APPEND; 2008 else 2009 av |= FILE__WRITE; 2010 } 2011 if (!av) { 2012 /* 2013 * Special file opened with flags 3 for ioctl-only use. 2014 */ 2015 av = FILE__IOCTL; 2016 } 2017 2018 return av; 2019 } 2020 2021 /* 2022 * Convert a file to an access vector and include the correct 2023 * open permission. 2024 */ 2025 static inline u32 open_file_to_av(struct file *file) 2026 { 2027 u32 av = file_to_av(file); 2028 struct inode *inode = file_inode(file); 2029 2030 if (selinux_policycap_openperm() && 2031 inode->i_sb->s_magic != SOCKFS_MAGIC) 2032 av |= FILE__OPEN; 2033 2034 return av; 2035 } 2036 2037 /* Hook functions begin here. */ 2038 2039 static int selinux_binder_set_context_mgr(const struct cred *mgr) 2040 { 2041 return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER, 2042 BINDER__SET_CONTEXT_MGR, NULL); 2043 } 2044 2045 static int selinux_binder_transaction(const struct cred *from, 2046 const struct cred *to) 2047 { 2048 u32 mysid = current_sid(); 2049 u32 fromsid = cred_sid(from); 2050 u32 tosid = cred_sid(to); 2051 int rc; 2052 2053 if (mysid != fromsid) { 2054 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2055 BINDER__IMPERSONATE, NULL); 2056 if (rc) 2057 return rc; 2058 } 2059 2060 return avc_has_perm(fromsid, tosid, 2061 SECCLASS_BINDER, BINDER__CALL, NULL); 2062 } 2063 2064 static int selinux_binder_transfer_binder(const struct cred *from, 2065 const struct cred *to) 2066 { 2067 return avc_has_perm(cred_sid(from), cred_sid(to), 2068 SECCLASS_BINDER, BINDER__TRANSFER, 2069 NULL); 2070 } 2071 2072 static int selinux_binder_transfer_file(const struct cred *from, 2073 const struct cred *to, 2074 const struct file *file) 2075 { 2076 u32 sid = cred_sid(to); 2077 struct file_security_struct *fsec = selinux_file(file); 2078 struct dentry *dentry = file->f_path.dentry; 2079 struct inode_security_struct *isec; 2080 struct common_audit_data ad; 2081 int rc; 2082 2083 ad.type = LSM_AUDIT_DATA_PATH; 2084 ad.u.path = file->f_path; 2085 2086 if (sid != fsec->sid) { 2087 rc = avc_has_perm(sid, fsec->sid, 2088 SECCLASS_FD, 2089 FD__USE, 2090 &ad); 2091 if (rc) 2092 return rc; 2093 } 2094 2095 #ifdef CONFIG_BPF_SYSCALL 2096 rc = bpf_fd_pass(file, sid); 2097 if (rc) 2098 return rc; 2099 #endif 2100 2101 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2102 return 0; 2103 2104 isec = backing_inode_security(dentry); 2105 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2106 &ad); 2107 } 2108 2109 static int selinux_ptrace_access_check(struct task_struct *child, 2110 unsigned int mode) 2111 { 2112 u32 sid = current_sid(); 2113 u32 csid = task_sid_obj(child); 2114 2115 if (mode & PTRACE_MODE_READ) 2116 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, 2117 NULL); 2118 2119 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, 2120 NULL); 2121 } 2122 2123 static int selinux_ptrace_traceme(struct task_struct *parent) 2124 { 2125 return avc_has_perm(task_sid_obj(parent), task_sid_obj(current), 2126 SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2127 } 2128 2129 static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective, 2130 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2131 { 2132 return avc_has_perm(current_sid(), task_sid_obj(target), 2133 SECCLASS_PROCESS, PROCESS__GETCAP, NULL); 2134 } 2135 2136 static int selinux_capset(struct cred *new, const struct cred *old, 2137 const kernel_cap_t *effective, 2138 const kernel_cap_t *inheritable, 2139 const kernel_cap_t *permitted) 2140 { 2141 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2142 PROCESS__SETCAP, NULL); 2143 } 2144 2145 /* 2146 * (This comment used to live with the selinux_task_setuid hook, 2147 * which was removed). 2148 * 2149 * Since setuid only affects the current process, and since the SELinux 2150 * controls are not based on the Linux identity attributes, SELinux does not 2151 * need to control this operation. However, SELinux does control the use of 2152 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2153 */ 2154 2155 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2156 int cap, unsigned int opts) 2157 { 2158 return cred_has_capability(cred, cap, opts, ns == &init_user_ns); 2159 } 2160 2161 static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb) 2162 { 2163 const struct cred *cred = current_cred(); 2164 int rc = 0; 2165 2166 if (!sb) 2167 return 0; 2168 2169 switch (cmds) { 2170 case Q_SYNC: 2171 case Q_QUOTAON: 2172 case Q_QUOTAOFF: 2173 case Q_SETINFO: 2174 case Q_SETQUOTA: 2175 case Q_XQUOTAOFF: 2176 case Q_XQUOTAON: 2177 case Q_XSETQLIM: 2178 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2179 break; 2180 case Q_GETFMT: 2181 case Q_GETINFO: 2182 case Q_GETQUOTA: 2183 case Q_XGETQUOTA: 2184 case Q_XGETQSTAT: 2185 case Q_XGETQSTATV: 2186 case Q_XGETNEXTQUOTA: 2187 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2188 break; 2189 default: 2190 rc = 0; /* let the kernel handle invalid cmds */ 2191 break; 2192 } 2193 return rc; 2194 } 2195 2196 static int selinux_quota_on(struct dentry *dentry) 2197 { 2198 const struct cred *cred = current_cred(); 2199 2200 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2201 } 2202 2203 static int selinux_syslog(int type) 2204 { 2205 switch (type) { 2206 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2207 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2208 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2209 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2210 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2211 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2212 /* Set level of messages printed to console */ 2213 case SYSLOG_ACTION_CONSOLE_LEVEL: 2214 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2215 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2216 NULL); 2217 } 2218 /* All other syslog types */ 2219 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2220 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2221 } 2222 2223 /* 2224 * Check permission for allocating a new virtual mapping. Returns 2225 * 0 if permission is granted, negative error code if not. 2226 * 2227 * Do not audit the selinux permission check, as this is applied to all 2228 * processes that allocate mappings. 2229 */ 2230 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2231 { 2232 return cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2233 CAP_OPT_NOAUDIT, true); 2234 } 2235 2236 /* binprm security operations */ 2237 2238 static u32 ptrace_parent_sid(void) 2239 { 2240 u32 sid = 0; 2241 struct task_struct *tracer; 2242 2243 rcu_read_lock(); 2244 tracer = ptrace_parent(current); 2245 if (tracer) 2246 sid = task_sid_obj(tracer); 2247 rcu_read_unlock(); 2248 2249 return sid; 2250 } 2251 2252 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2253 const struct task_security_struct *old_tsec, 2254 const struct task_security_struct *new_tsec) 2255 { 2256 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2257 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2258 int rc; 2259 u32 av; 2260 2261 if (!nnp && !nosuid) 2262 return 0; /* neither NNP nor nosuid */ 2263 2264 if (new_tsec->sid == old_tsec->sid) 2265 return 0; /* No change in credentials */ 2266 2267 /* 2268 * If the policy enables the nnp_nosuid_transition policy capability, 2269 * then we permit transitions under NNP or nosuid if the 2270 * policy allows the corresponding permission between 2271 * the old and new contexts. 2272 */ 2273 if (selinux_policycap_nnp_nosuid_transition()) { 2274 av = 0; 2275 if (nnp) 2276 av |= PROCESS2__NNP_TRANSITION; 2277 if (nosuid) 2278 av |= PROCESS2__NOSUID_TRANSITION; 2279 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2280 SECCLASS_PROCESS2, av, NULL); 2281 if (!rc) 2282 return 0; 2283 } 2284 2285 /* 2286 * We also permit NNP or nosuid transitions to bounded SIDs, 2287 * i.e. SIDs that are guaranteed to only be allowed a subset 2288 * of the permissions of the current SID. 2289 */ 2290 rc = security_bounded_transition(old_tsec->sid, 2291 new_tsec->sid); 2292 if (!rc) 2293 return 0; 2294 2295 /* 2296 * On failure, preserve the errno values for NNP vs nosuid. 2297 * NNP: Operation not permitted for caller. 2298 * nosuid: Permission denied to file. 2299 */ 2300 if (nnp) 2301 return -EPERM; 2302 return -EACCES; 2303 } 2304 2305 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) 2306 { 2307 const struct task_security_struct *old_tsec; 2308 struct task_security_struct *new_tsec; 2309 struct inode_security_struct *isec; 2310 struct common_audit_data ad; 2311 struct inode *inode = file_inode(bprm->file); 2312 int rc; 2313 2314 /* SELinux context only depends on initial program or script and not 2315 * the script interpreter */ 2316 2317 old_tsec = selinux_cred(current_cred()); 2318 new_tsec = selinux_cred(bprm->cred); 2319 isec = inode_security(inode); 2320 2321 /* Default to the current task SID. */ 2322 new_tsec->sid = old_tsec->sid; 2323 new_tsec->osid = old_tsec->sid; 2324 2325 /* Reset fs, key, and sock SIDs on execve. */ 2326 new_tsec->create_sid = 0; 2327 new_tsec->keycreate_sid = 0; 2328 new_tsec->sockcreate_sid = 0; 2329 2330 /* 2331 * Before policy is loaded, label any task outside kernel space 2332 * as SECINITSID_INIT, so that any userspace tasks surviving from 2333 * early boot end up with a label different from SECINITSID_KERNEL 2334 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL). 2335 */ 2336 if (!selinux_initialized()) { 2337 new_tsec->sid = SECINITSID_INIT; 2338 /* also clear the exec_sid just in case */ 2339 new_tsec->exec_sid = 0; 2340 return 0; 2341 } 2342 2343 if (old_tsec->exec_sid) { 2344 new_tsec->sid = old_tsec->exec_sid; 2345 /* Reset exec SID on execve. */ 2346 new_tsec->exec_sid = 0; 2347 2348 /* Fail on NNP or nosuid if not an allowed transition. */ 2349 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2350 if (rc) 2351 return rc; 2352 } else { 2353 /* Check for a default transition on this program. */ 2354 rc = security_transition_sid(old_tsec->sid, 2355 isec->sid, SECCLASS_PROCESS, NULL, 2356 &new_tsec->sid); 2357 if (rc) 2358 return rc; 2359 2360 /* 2361 * Fallback to old SID on NNP or nosuid if not an allowed 2362 * transition. 2363 */ 2364 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2365 if (rc) 2366 new_tsec->sid = old_tsec->sid; 2367 } 2368 2369 ad.type = LSM_AUDIT_DATA_FILE; 2370 ad.u.file = bprm->file; 2371 2372 if (new_tsec->sid == old_tsec->sid) { 2373 rc = avc_has_perm(old_tsec->sid, isec->sid, 2374 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2375 if (rc) 2376 return rc; 2377 } else { 2378 /* Check permissions for the transition. */ 2379 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2380 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2381 if (rc) 2382 return rc; 2383 2384 rc = avc_has_perm(new_tsec->sid, isec->sid, 2385 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2386 if (rc) 2387 return rc; 2388 2389 /* Check for shared state */ 2390 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2391 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2392 SECCLASS_PROCESS, PROCESS__SHARE, 2393 NULL); 2394 if (rc) 2395 return -EPERM; 2396 } 2397 2398 /* Make sure that anyone attempting to ptrace over a task that 2399 * changes its SID has the appropriate permit */ 2400 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2401 u32 ptsid = ptrace_parent_sid(); 2402 if (ptsid != 0) { 2403 rc = avc_has_perm(ptsid, new_tsec->sid, 2404 SECCLASS_PROCESS, 2405 PROCESS__PTRACE, NULL); 2406 if (rc) 2407 return -EPERM; 2408 } 2409 } 2410 2411 /* Clear any possibly unsafe personality bits on exec: */ 2412 bprm->per_clear |= PER_CLEAR_ON_SETID; 2413 2414 /* Enable secure mode for SIDs transitions unless 2415 the noatsecure permission is granted between 2416 the two SIDs, i.e. ahp returns 0. */ 2417 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2418 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2419 NULL); 2420 bprm->secureexec |= !!rc; 2421 } 2422 2423 return 0; 2424 } 2425 2426 static int match_file(const void *p, struct file *file, unsigned fd) 2427 { 2428 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2429 } 2430 2431 /* Derived from fs/exec.c:flush_old_files. */ 2432 static inline void flush_unauthorized_files(const struct cred *cred, 2433 struct files_struct *files) 2434 { 2435 struct file *file, *devnull = NULL; 2436 struct tty_struct *tty; 2437 int drop_tty = 0; 2438 unsigned n; 2439 2440 tty = get_current_tty(); 2441 if (tty) { 2442 spin_lock(&tty->files_lock); 2443 if (!list_empty(&tty->tty_files)) { 2444 struct tty_file_private *file_priv; 2445 2446 /* Revalidate access to controlling tty. 2447 Use file_path_has_perm on the tty path directly 2448 rather than using file_has_perm, as this particular 2449 open file may belong to another process and we are 2450 only interested in the inode-based check here. */ 2451 file_priv = list_first_entry(&tty->tty_files, 2452 struct tty_file_private, list); 2453 file = file_priv->file; 2454 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2455 drop_tty = 1; 2456 } 2457 spin_unlock(&tty->files_lock); 2458 tty_kref_put(tty); 2459 } 2460 /* Reset controlling tty. */ 2461 if (drop_tty) 2462 no_tty(); 2463 2464 /* Revalidate access to inherited open files. */ 2465 n = iterate_fd(files, 0, match_file, cred); 2466 if (!n) /* none found? */ 2467 return; 2468 2469 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2470 if (IS_ERR(devnull)) 2471 devnull = NULL; 2472 /* replace all the matching ones with this */ 2473 do { 2474 replace_fd(n - 1, devnull, 0); 2475 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2476 if (devnull) 2477 fput(devnull); 2478 } 2479 2480 /* 2481 * Prepare a process for imminent new credential changes due to exec 2482 */ 2483 static void selinux_bprm_committing_creds(const struct linux_binprm *bprm) 2484 { 2485 struct task_security_struct *new_tsec; 2486 struct rlimit *rlim, *initrlim; 2487 int rc, i; 2488 2489 new_tsec = selinux_cred(bprm->cred); 2490 if (new_tsec->sid == new_tsec->osid) 2491 return; 2492 2493 /* Close files for which the new task SID is not authorized. */ 2494 flush_unauthorized_files(bprm->cred, current->files); 2495 2496 /* Always clear parent death signal on SID transitions. */ 2497 current->pdeath_signal = 0; 2498 2499 /* Check whether the new SID can inherit resource limits from the old 2500 * SID. If not, reset all soft limits to the lower of the current 2501 * task's hard limit and the init task's soft limit. 2502 * 2503 * Note that the setting of hard limits (even to lower them) can be 2504 * controlled by the setrlimit check. The inclusion of the init task's 2505 * soft limit into the computation is to avoid resetting soft limits 2506 * higher than the default soft limit for cases where the default is 2507 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2508 */ 2509 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2510 PROCESS__RLIMITINH, NULL); 2511 if (rc) { 2512 /* protect against do_prlimit() */ 2513 task_lock(current); 2514 for (i = 0; i < RLIM_NLIMITS; i++) { 2515 rlim = current->signal->rlim + i; 2516 initrlim = init_task.signal->rlim + i; 2517 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2518 } 2519 task_unlock(current); 2520 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2521 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2522 } 2523 } 2524 2525 /* 2526 * Clean up the process immediately after the installation of new credentials 2527 * due to exec 2528 */ 2529 static void selinux_bprm_committed_creds(const struct linux_binprm *bprm) 2530 { 2531 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2532 u32 osid, sid; 2533 int rc; 2534 2535 osid = tsec->osid; 2536 sid = tsec->sid; 2537 2538 if (sid == osid) 2539 return; 2540 2541 /* Check whether the new SID can inherit signal state from the old SID. 2542 * If not, clear itimers to avoid subsequent signal generation and 2543 * flush and unblock signals. 2544 * 2545 * This must occur _after_ the task SID has been updated so that any 2546 * kill done after the flush will be checked against the new SID. 2547 */ 2548 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2549 if (rc) { 2550 clear_itimer(); 2551 2552 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock); 2553 if (!fatal_signal_pending(current)) { 2554 flush_sigqueue(¤t->pending); 2555 flush_sigqueue(¤t->signal->shared_pending); 2556 flush_signal_handlers(current, 1); 2557 sigemptyset(¤t->blocked); 2558 recalc_sigpending(); 2559 } 2560 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock); 2561 } 2562 2563 /* Wake up the parent if it is waiting so that it can recheck 2564 * wait permission to the new task SID. */ 2565 read_lock(&tasklist_lock); 2566 __wake_up_parent(current, unrcu_pointer(current->real_parent)); 2567 read_unlock(&tasklist_lock); 2568 } 2569 2570 /* superblock security operations */ 2571 2572 static int selinux_sb_alloc_security(struct super_block *sb) 2573 { 2574 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2575 2576 mutex_init(&sbsec->lock); 2577 INIT_LIST_HEAD(&sbsec->isec_head); 2578 spin_lock_init(&sbsec->isec_lock); 2579 sbsec->sid = SECINITSID_UNLABELED; 2580 sbsec->def_sid = SECINITSID_FILE; 2581 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 2582 2583 return 0; 2584 } 2585 2586 static inline int opt_len(const char *s) 2587 { 2588 bool open_quote = false; 2589 int len; 2590 char c; 2591 2592 for (len = 0; (c = s[len]) != '\0'; len++) { 2593 if (c == '"') 2594 open_quote = !open_quote; 2595 if (c == ',' && !open_quote) 2596 break; 2597 } 2598 return len; 2599 } 2600 2601 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) 2602 { 2603 char *from = options; 2604 char *to = options; 2605 bool first = true; 2606 int rc; 2607 2608 while (1) { 2609 int len = opt_len(from); 2610 int token; 2611 char *arg = NULL; 2612 2613 token = match_opt_prefix(from, len, &arg); 2614 2615 if (token != Opt_error) { 2616 char *p, *q; 2617 2618 /* strip quotes */ 2619 if (arg) { 2620 for (p = q = arg; p < from + len; p++) { 2621 char c = *p; 2622 if (c != '"') 2623 *q++ = c; 2624 } 2625 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); 2626 if (!arg) { 2627 rc = -ENOMEM; 2628 goto free_opt; 2629 } 2630 } 2631 rc = selinux_add_opt(token, arg, mnt_opts); 2632 kfree(arg); 2633 arg = NULL; 2634 if (unlikely(rc)) { 2635 goto free_opt; 2636 } 2637 } else { 2638 if (!first) { // copy with preceding comma 2639 from--; 2640 len++; 2641 } 2642 if (to != from) 2643 memmove(to, from, len); 2644 to += len; 2645 first = false; 2646 } 2647 if (!from[len]) 2648 break; 2649 from += len + 1; 2650 } 2651 *to = '\0'; 2652 return 0; 2653 2654 free_opt: 2655 if (*mnt_opts) { 2656 selinux_free_mnt_opts(*mnt_opts); 2657 *mnt_opts = NULL; 2658 } 2659 return rc; 2660 } 2661 2662 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts) 2663 { 2664 struct selinux_mnt_opts *opts = mnt_opts; 2665 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2666 2667 /* 2668 * Superblock not initialized (i.e. no options) - reject if any 2669 * options specified, otherwise accept. 2670 */ 2671 if (!(sbsec->flags & SE_SBINITIALIZED)) 2672 return opts ? 1 : 0; 2673 2674 /* 2675 * Superblock initialized and no options specified - reject if 2676 * superblock has any options set, otherwise accept. 2677 */ 2678 if (!opts) 2679 return (sbsec->flags & SE_MNTMASK) ? 1 : 0; 2680 2681 if (opts->fscontext_sid) { 2682 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 2683 opts->fscontext_sid)) 2684 return 1; 2685 } 2686 if (opts->context_sid) { 2687 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 2688 opts->context_sid)) 2689 return 1; 2690 } 2691 if (opts->rootcontext_sid) { 2692 struct inode_security_struct *root_isec; 2693 2694 root_isec = backing_inode_security(sb->s_root); 2695 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 2696 opts->rootcontext_sid)) 2697 return 1; 2698 } 2699 if (opts->defcontext_sid) { 2700 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 2701 opts->defcontext_sid)) 2702 return 1; 2703 } 2704 return 0; 2705 } 2706 2707 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) 2708 { 2709 struct selinux_mnt_opts *opts = mnt_opts; 2710 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2711 2712 if (!(sbsec->flags & SE_SBINITIALIZED)) 2713 return 0; 2714 2715 if (!opts) 2716 return 0; 2717 2718 if (opts->fscontext_sid) { 2719 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 2720 opts->fscontext_sid)) 2721 goto out_bad_option; 2722 } 2723 if (opts->context_sid) { 2724 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 2725 opts->context_sid)) 2726 goto out_bad_option; 2727 } 2728 if (opts->rootcontext_sid) { 2729 struct inode_security_struct *root_isec; 2730 root_isec = backing_inode_security(sb->s_root); 2731 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 2732 opts->rootcontext_sid)) 2733 goto out_bad_option; 2734 } 2735 if (opts->defcontext_sid) { 2736 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 2737 opts->defcontext_sid)) 2738 goto out_bad_option; 2739 } 2740 return 0; 2741 2742 out_bad_option: 2743 pr_warn("SELinux: unable to change security options " 2744 "during remount (dev %s, type=%s)\n", sb->s_id, 2745 sb->s_type->name); 2746 return -EINVAL; 2747 } 2748 2749 static int selinux_sb_kern_mount(const struct super_block *sb) 2750 { 2751 const struct cred *cred = current_cred(); 2752 struct common_audit_data ad; 2753 2754 ad.type = LSM_AUDIT_DATA_DENTRY; 2755 ad.u.dentry = sb->s_root; 2756 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2757 } 2758 2759 static int selinux_sb_statfs(struct dentry *dentry) 2760 { 2761 const struct cred *cred = current_cred(); 2762 struct common_audit_data ad; 2763 2764 ad.type = LSM_AUDIT_DATA_DENTRY; 2765 ad.u.dentry = dentry->d_sb->s_root; 2766 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2767 } 2768 2769 static int selinux_mount(const char *dev_name, 2770 const struct path *path, 2771 const char *type, 2772 unsigned long flags, 2773 void *data) 2774 { 2775 const struct cred *cred = current_cred(); 2776 2777 if (flags & MS_REMOUNT) 2778 return superblock_has_perm(cred, path->dentry->d_sb, 2779 FILESYSTEM__REMOUNT, NULL); 2780 else 2781 return path_has_perm(cred, path, FILE__MOUNTON); 2782 } 2783 2784 static int selinux_move_mount(const struct path *from_path, 2785 const struct path *to_path) 2786 { 2787 const struct cred *cred = current_cred(); 2788 2789 return path_has_perm(cred, to_path, FILE__MOUNTON); 2790 } 2791 2792 static int selinux_umount(struct vfsmount *mnt, int flags) 2793 { 2794 const struct cred *cred = current_cred(); 2795 2796 return superblock_has_perm(cred, mnt->mnt_sb, 2797 FILESYSTEM__UNMOUNT, NULL); 2798 } 2799 2800 static int selinux_fs_context_submount(struct fs_context *fc, 2801 struct super_block *reference) 2802 { 2803 const struct superblock_security_struct *sbsec = selinux_superblock(reference); 2804 struct selinux_mnt_opts *opts; 2805 2806 /* 2807 * Ensure that fc->security remains NULL when no options are set 2808 * as expected by selinux_set_mnt_opts(). 2809 */ 2810 if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT))) 2811 return 0; 2812 2813 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 2814 if (!opts) 2815 return -ENOMEM; 2816 2817 if (sbsec->flags & FSCONTEXT_MNT) 2818 opts->fscontext_sid = sbsec->sid; 2819 if (sbsec->flags & CONTEXT_MNT) 2820 opts->context_sid = sbsec->mntpoint_sid; 2821 if (sbsec->flags & DEFCONTEXT_MNT) 2822 opts->defcontext_sid = sbsec->def_sid; 2823 fc->security = opts; 2824 return 0; 2825 } 2826 2827 static int selinux_fs_context_dup(struct fs_context *fc, 2828 struct fs_context *src_fc) 2829 { 2830 const struct selinux_mnt_opts *src = src_fc->security; 2831 2832 if (!src) 2833 return 0; 2834 2835 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL); 2836 return fc->security ? 0 : -ENOMEM; 2837 } 2838 2839 static const struct fs_parameter_spec selinux_fs_parameters[] = { 2840 fsparam_string(CONTEXT_STR, Opt_context), 2841 fsparam_string(DEFCONTEXT_STR, Opt_defcontext), 2842 fsparam_string(FSCONTEXT_STR, Opt_fscontext), 2843 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext), 2844 fsparam_flag (SECLABEL_STR, Opt_seclabel), 2845 {} 2846 }; 2847 2848 static int selinux_fs_context_parse_param(struct fs_context *fc, 2849 struct fs_parameter *param) 2850 { 2851 struct fs_parse_result result; 2852 int opt; 2853 2854 opt = fs_parse(fc, selinux_fs_parameters, param, &result); 2855 if (opt < 0) 2856 return opt; 2857 2858 return selinux_add_opt(opt, param->string, &fc->security); 2859 } 2860 2861 /* inode security operations */ 2862 2863 static int selinux_inode_alloc_security(struct inode *inode) 2864 { 2865 struct inode_security_struct *isec = selinux_inode(inode); 2866 u32 sid = current_sid(); 2867 2868 spin_lock_init(&isec->lock); 2869 INIT_LIST_HEAD(&isec->list); 2870 isec->inode = inode; 2871 isec->sid = SECINITSID_UNLABELED; 2872 isec->sclass = SECCLASS_FILE; 2873 isec->task_sid = sid; 2874 isec->initialized = LABEL_INVALID; 2875 2876 return 0; 2877 } 2878 2879 static void selinux_inode_free_security(struct inode *inode) 2880 { 2881 inode_free_security(inode); 2882 } 2883 2884 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2885 const struct qstr *name, 2886 const char **xattr_name, 2887 struct lsm_context *cp) 2888 { 2889 u32 newsid; 2890 int rc; 2891 2892 rc = selinux_determine_inode_label(selinux_cred(current_cred()), 2893 d_inode(dentry->d_parent), name, 2894 inode_mode_to_security_class(mode), 2895 &newsid); 2896 if (rc) 2897 return rc; 2898 2899 if (xattr_name) 2900 *xattr_name = XATTR_NAME_SELINUX; 2901 2902 cp->id = LSM_ID_SELINUX; 2903 return security_sid_to_context(newsid, &cp->context, &cp->len); 2904 } 2905 2906 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2907 struct qstr *name, 2908 const struct cred *old, 2909 struct cred *new) 2910 { 2911 u32 newsid; 2912 int rc; 2913 struct task_security_struct *tsec; 2914 2915 rc = selinux_determine_inode_label(selinux_cred(old), 2916 d_inode(dentry->d_parent), name, 2917 inode_mode_to_security_class(mode), 2918 &newsid); 2919 if (rc) 2920 return rc; 2921 2922 tsec = selinux_cred(new); 2923 tsec->create_sid = newsid; 2924 return 0; 2925 } 2926 2927 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2928 const struct qstr *qstr, 2929 struct xattr *xattrs, int *xattr_count) 2930 { 2931 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2932 struct superblock_security_struct *sbsec; 2933 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); 2934 u32 newsid, clen; 2935 u16 newsclass; 2936 int rc; 2937 char *context; 2938 2939 sbsec = selinux_superblock(dir->i_sb); 2940 2941 newsid = tsec->create_sid; 2942 newsclass = inode_mode_to_security_class(inode->i_mode); 2943 rc = selinux_determine_inode_label(tsec, dir, qstr, newsclass, &newsid); 2944 if (rc) 2945 return rc; 2946 2947 /* Possibly defer initialization to selinux_complete_init. */ 2948 if (sbsec->flags & SE_SBINITIALIZED) { 2949 struct inode_security_struct *isec = selinux_inode(inode); 2950 isec->sclass = newsclass; 2951 isec->sid = newsid; 2952 isec->initialized = LABEL_INITIALIZED; 2953 } 2954 2955 if (!selinux_initialized() || 2956 !(sbsec->flags & SBLABEL_MNT)) 2957 return -EOPNOTSUPP; 2958 2959 if (xattr) { 2960 rc = security_sid_to_context_force(newsid, 2961 &context, &clen); 2962 if (rc) 2963 return rc; 2964 xattr->value = context; 2965 xattr->value_len = clen; 2966 xattr->name = XATTR_SELINUX_SUFFIX; 2967 } 2968 2969 return 0; 2970 } 2971 2972 static int selinux_inode_init_security_anon(struct inode *inode, 2973 const struct qstr *name, 2974 const struct inode *context_inode) 2975 { 2976 u32 sid = current_sid(); 2977 struct common_audit_data ad; 2978 struct inode_security_struct *isec; 2979 int rc; 2980 2981 if (unlikely(!selinux_initialized())) 2982 return 0; 2983 2984 isec = selinux_inode(inode); 2985 2986 /* 2987 * We only get here once per ephemeral inode. The inode has 2988 * been initialized via inode_alloc_security but is otherwise 2989 * untouched. 2990 */ 2991 2992 if (context_inode) { 2993 struct inode_security_struct *context_isec = 2994 selinux_inode(context_inode); 2995 if (context_isec->initialized != LABEL_INITIALIZED) { 2996 pr_err("SELinux: context_inode is not initialized\n"); 2997 return -EACCES; 2998 } 2999 3000 isec->sclass = context_isec->sclass; 3001 isec->sid = context_isec->sid; 3002 } else { 3003 isec->sclass = SECCLASS_ANON_INODE; 3004 rc = security_transition_sid( 3005 sid, sid, 3006 isec->sclass, name, &isec->sid); 3007 if (rc) 3008 return rc; 3009 } 3010 3011 isec->initialized = LABEL_INITIALIZED; 3012 /* 3013 * Now that we've initialized security, check whether we're 3014 * allowed to actually create this type of anonymous inode. 3015 */ 3016 3017 ad.type = LSM_AUDIT_DATA_ANONINODE; 3018 ad.u.anonclass = name ? (const char *)name->name : "?"; 3019 3020 return avc_has_perm(sid, 3021 isec->sid, 3022 isec->sclass, 3023 FILE__CREATE, 3024 &ad); 3025 } 3026 3027 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 3028 { 3029 return may_create(dir, dentry, SECCLASS_FILE); 3030 } 3031 3032 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 3033 { 3034 return may_link(dir, old_dentry, MAY_LINK); 3035 } 3036 3037 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 3038 { 3039 return may_link(dir, dentry, MAY_UNLINK); 3040 } 3041 3042 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 3043 { 3044 return may_create(dir, dentry, SECCLASS_LNK_FILE); 3045 } 3046 3047 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 3048 { 3049 return may_create(dir, dentry, SECCLASS_DIR); 3050 } 3051 3052 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 3053 { 3054 return may_link(dir, dentry, MAY_RMDIR); 3055 } 3056 3057 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 3058 { 3059 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 3060 } 3061 3062 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3063 struct inode *new_inode, struct dentry *new_dentry) 3064 { 3065 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3066 } 3067 3068 static int selinux_inode_readlink(struct dentry *dentry) 3069 { 3070 const struct cred *cred = current_cred(); 3071 3072 return dentry_has_perm(cred, dentry, FILE__READ); 3073 } 3074 3075 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3076 bool rcu) 3077 { 3078 struct common_audit_data ad; 3079 struct inode_security_struct *isec; 3080 u32 sid = current_sid(); 3081 3082 ad.type = LSM_AUDIT_DATA_DENTRY; 3083 ad.u.dentry = dentry; 3084 isec = inode_security_rcu(inode, rcu); 3085 if (IS_ERR(isec)) 3086 return PTR_ERR(isec); 3087 3088 return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad); 3089 } 3090 3091 static noinline int audit_inode_permission(struct inode *inode, 3092 u32 perms, u32 audited, u32 denied, 3093 int result) 3094 { 3095 struct common_audit_data ad; 3096 struct inode_security_struct *isec = selinux_inode(inode); 3097 3098 ad.type = LSM_AUDIT_DATA_INODE; 3099 ad.u.inode = inode; 3100 3101 return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3102 audited, denied, result, &ad); 3103 } 3104 3105 /** 3106 * task_avdcache_reset - Reset the task's AVD cache 3107 * @tsec: the task's security state 3108 * 3109 * Clear the task's AVD cache in @tsec and reset it to the current policy's 3110 * and task's info. 3111 */ 3112 static inline void task_avdcache_reset(struct task_security_struct *tsec) 3113 { 3114 memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir)); 3115 tsec->avdcache.sid = tsec->sid; 3116 tsec->avdcache.seqno = avc_policy_seqno(); 3117 tsec->avdcache.dir_spot = TSEC_AVDC_DIR_SIZE - 1; 3118 } 3119 3120 /** 3121 * task_avdcache_search - Search the task's AVD cache 3122 * @tsec: the task's security state 3123 * @isec: the inode to search for in the cache 3124 * @avdc: matching avd cache entry returned to the caller 3125 * 3126 * Search @tsec for a AVD cache entry that matches @isec and return it to the 3127 * caller via @avdc. Returns 0 if a match is found, negative values otherwise. 3128 */ 3129 static inline int task_avdcache_search(struct task_security_struct *tsec, 3130 struct inode_security_struct *isec, 3131 struct avdc_entry **avdc) 3132 { 3133 int orig, iter; 3134 3135 /* focused on path walk optimization, only cache directories */ 3136 if (isec->sclass != SECCLASS_DIR) 3137 return -ENOENT; 3138 3139 if (unlikely(tsec->sid != tsec->avdcache.sid || 3140 tsec->avdcache.seqno != avc_policy_seqno())) { 3141 task_avdcache_reset(tsec); 3142 return -ENOENT; 3143 } 3144 3145 orig = iter = tsec->avdcache.dir_spot; 3146 do { 3147 if (tsec->avdcache.dir[iter].isid == isec->sid) { 3148 /* cache hit */ 3149 tsec->avdcache.dir_spot = iter; 3150 *avdc = &tsec->avdcache.dir[iter]; 3151 return 0; 3152 } 3153 iter = (iter - 1) & (TSEC_AVDC_DIR_SIZE - 1); 3154 } while (iter != orig); 3155 3156 return -ENOENT; 3157 } 3158 3159 /** 3160 * task_avdcache_update - Update the task's AVD cache 3161 * @tsec: the task's security state 3162 * @isec: the inode associated with the cache entry 3163 * @avd: the AVD to cache 3164 * @audited: the permission audit bitmask to cache 3165 * 3166 * Update the AVD cache in @tsec with the @avdc and @audited info associated 3167 * with @isec. 3168 */ 3169 static inline void task_avdcache_update(struct task_security_struct *tsec, 3170 struct inode_security_struct *isec, 3171 struct av_decision *avd, 3172 u32 audited) 3173 { 3174 int spot; 3175 3176 /* focused on path walk optimization, only cache directories */ 3177 if (isec->sclass != SECCLASS_DIR) 3178 return; 3179 3180 /* update cache */ 3181 spot = (tsec->avdcache.dir_spot + 1) & (TSEC_AVDC_DIR_SIZE - 1); 3182 tsec->avdcache.dir_spot = spot; 3183 tsec->avdcache.dir[spot].isid = isec->sid; 3184 tsec->avdcache.dir[spot].audited = audited; 3185 tsec->avdcache.dir[spot].allowed = avd->allowed; 3186 tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE; 3187 } 3188 3189 /** 3190 * selinux_inode_permission - Check if the current task can access an inode 3191 * @inode: the inode that is being accessed 3192 * @requested: the accesses being requested 3193 * 3194 * Check if the current task is allowed to access @inode according to 3195 * @requested. Returns 0 if allowed, negative values otherwise. 3196 */ 3197 static int selinux_inode_permission(struct inode *inode, int requested) 3198 { 3199 int mask; 3200 u32 perms; 3201 struct task_security_struct *tsec; 3202 struct inode_security_struct *isec; 3203 struct avdc_entry *avdc; 3204 int rc, rc2; 3205 u32 audited, denied; 3206 3207 mask = requested & (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3208 3209 /* No permission to check. Existence test. */ 3210 if (!mask) 3211 return 0; 3212 3213 isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK); 3214 if (IS_ERR(isec)) 3215 return PTR_ERR(isec); 3216 tsec = selinux_cred(current_cred()); 3217 perms = file_mask_to_av(inode->i_mode, mask); 3218 3219 rc = task_avdcache_search(tsec, isec, &avdc); 3220 if (likely(!rc)) { 3221 /* Cache hit. */ 3222 audited = perms & avdc->audited; 3223 denied = perms & ~avdc->allowed; 3224 if (unlikely(denied && enforcing_enabled() && 3225 !avdc->permissive)) 3226 rc = -EACCES; 3227 } else { 3228 struct av_decision avd; 3229 3230 /* Cache miss. */ 3231 rc = avc_has_perm_noaudit(tsec->sid, isec->sid, isec->sclass, 3232 perms, 0, &avd); 3233 audited = avc_audit_required(perms, &avd, rc, 3234 (requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0, 3235 &denied); 3236 task_avdcache_update(tsec, isec, &avd, audited); 3237 } 3238 3239 if (likely(!audited)) 3240 return rc; 3241 3242 rc2 = audit_inode_permission(inode, perms, audited, denied, rc); 3243 if (rc2) 3244 return rc2; 3245 3246 return rc; 3247 } 3248 3249 static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, 3250 struct iattr *iattr) 3251 { 3252 const struct cred *cred = current_cred(); 3253 struct inode *inode = d_backing_inode(dentry); 3254 unsigned int ia_valid = iattr->ia_valid; 3255 u32 av = FILE__WRITE; 3256 3257 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3258 if (ia_valid & ATTR_FORCE) { 3259 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3260 ATTR_FORCE); 3261 if (!ia_valid) 3262 return 0; 3263 } 3264 3265 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3266 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3267 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3268 3269 if (selinux_policycap_openperm() && 3270 inode->i_sb->s_magic != SOCKFS_MAGIC && 3271 (ia_valid & ATTR_SIZE) && 3272 !(ia_valid & ATTR_FILE)) 3273 av |= FILE__OPEN; 3274 3275 return dentry_has_perm(cred, dentry, av); 3276 } 3277 3278 static int selinux_inode_getattr(const struct path *path) 3279 { 3280 return path_has_perm(current_cred(), path, FILE__GETATTR); 3281 } 3282 3283 static bool has_cap_mac_admin(bool audit) 3284 { 3285 const struct cred *cred = current_cred(); 3286 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT; 3287 3288 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts)) 3289 return false; 3290 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true)) 3291 return false; 3292 return true; 3293 } 3294 3295 /** 3296 * selinux_inode_xattr_skipcap - Skip the xattr capability checks? 3297 * @name: name of the xattr 3298 * 3299 * Returns 1 to indicate that SELinux "owns" the access control rights to xattrs 3300 * named @name; the LSM layer should avoid enforcing any traditional 3301 * capability based access controls on this xattr. Returns 0 to indicate that 3302 * SELinux does not "own" the access control rights to xattrs named @name and is 3303 * deferring to the LSM layer for further access controls, including capability 3304 * based controls. 3305 */ 3306 static int selinux_inode_xattr_skipcap(const char *name) 3307 { 3308 /* require capability check if not a selinux xattr */ 3309 return !strcmp(name, XATTR_NAME_SELINUX); 3310 } 3311 3312 static int selinux_inode_setxattr(struct mnt_idmap *idmap, 3313 struct dentry *dentry, const char *name, 3314 const void *value, size_t size, int flags) 3315 { 3316 struct inode *inode = d_backing_inode(dentry); 3317 struct inode_security_struct *isec; 3318 struct superblock_security_struct *sbsec; 3319 struct common_audit_data ad; 3320 u32 newsid, sid = current_sid(); 3321 int rc = 0; 3322 3323 /* if not a selinux xattr, only check the ordinary setattr perm */ 3324 if (strcmp(name, XATTR_NAME_SELINUX)) 3325 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3326 3327 if (!selinux_initialized()) 3328 return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM); 3329 3330 sbsec = selinux_superblock(inode->i_sb); 3331 if (!(sbsec->flags & SBLABEL_MNT)) 3332 return -EOPNOTSUPP; 3333 3334 if (!inode_owner_or_capable(idmap, inode)) 3335 return -EPERM; 3336 3337 ad.type = LSM_AUDIT_DATA_DENTRY; 3338 ad.u.dentry = dentry; 3339 3340 isec = backing_inode_security(dentry); 3341 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3342 FILE__RELABELFROM, &ad); 3343 if (rc) 3344 return rc; 3345 3346 rc = security_context_to_sid(value, size, &newsid, 3347 GFP_KERNEL); 3348 if (rc == -EINVAL) { 3349 if (!has_cap_mac_admin(true)) { 3350 struct audit_buffer *ab; 3351 size_t audit_size; 3352 3353 /* We strip a nul only if it is at the end, otherwise the 3354 * context contains a nul and we should audit that */ 3355 if (value) { 3356 const char *str = value; 3357 3358 if (str[size - 1] == '\0') 3359 audit_size = size - 1; 3360 else 3361 audit_size = size; 3362 } else { 3363 audit_size = 0; 3364 } 3365 ab = audit_log_start(audit_context(), 3366 GFP_ATOMIC, AUDIT_SELINUX_ERR); 3367 if (!ab) 3368 return rc; 3369 audit_log_format(ab, "op=setxattr invalid_context="); 3370 audit_log_n_untrustedstring(ab, value, audit_size); 3371 audit_log_end(ab); 3372 3373 return rc; 3374 } 3375 rc = security_context_to_sid_force(value, 3376 size, &newsid); 3377 } 3378 if (rc) 3379 return rc; 3380 3381 rc = avc_has_perm(sid, newsid, isec->sclass, 3382 FILE__RELABELTO, &ad); 3383 if (rc) 3384 return rc; 3385 3386 rc = security_validate_transition(isec->sid, newsid, 3387 sid, isec->sclass); 3388 if (rc) 3389 return rc; 3390 3391 return avc_has_perm(newsid, 3392 sbsec->sid, 3393 SECCLASS_FILESYSTEM, 3394 FILESYSTEM__ASSOCIATE, 3395 &ad); 3396 } 3397 3398 static int selinux_inode_set_acl(struct mnt_idmap *idmap, 3399 struct dentry *dentry, const char *acl_name, 3400 struct posix_acl *kacl) 3401 { 3402 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3403 } 3404 3405 static int selinux_inode_get_acl(struct mnt_idmap *idmap, 3406 struct dentry *dentry, const char *acl_name) 3407 { 3408 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR); 3409 } 3410 3411 static int selinux_inode_remove_acl(struct mnt_idmap *idmap, 3412 struct dentry *dentry, const char *acl_name) 3413 { 3414 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3415 } 3416 3417 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3418 const void *value, size_t size, 3419 int flags) 3420 { 3421 struct inode *inode = d_backing_inode(dentry); 3422 struct inode_security_struct *isec; 3423 u32 newsid; 3424 int rc; 3425 3426 if (strcmp(name, XATTR_NAME_SELINUX)) { 3427 /* Not an attribute we recognize, so nothing to do. */ 3428 return; 3429 } 3430 3431 if (!selinux_initialized()) { 3432 /* If we haven't even been initialized, then we can't validate 3433 * against a policy, so leave the label as invalid. It may 3434 * resolve to a valid label on the next revalidation try if 3435 * we've since initialized. 3436 */ 3437 return; 3438 } 3439 3440 rc = security_context_to_sid_force(value, size, 3441 &newsid); 3442 if (rc) { 3443 pr_err("SELinux: unable to map context to SID" 3444 "for (%s, %lu), rc=%d\n", 3445 inode->i_sb->s_id, inode->i_ino, -rc); 3446 return; 3447 } 3448 3449 isec = backing_inode_security(dentry); 3450 spin_lock(&isec->lock); 3451 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3452 isec->sid = newsid; 3453 isec->initialized = LABEL_INITIALIZED; 3454 spin_unlock(&isec->lock); 3455 } 3456 3457 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3458 { 3459 const struct cred *cred = current_cred(); 3460 3461 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3462 } 3463 3464 static int selinux_inode_listxattr(struct dentry *dentry) 3465 { 3466 const struct cred *cred = current_cred(); 3467 3468 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3469 } 3470 3471 static int selinux_inode_removexattr(struct mnt_idmap *idmap, 3472 struct dentry *dentry, const char *name) 3473 { 3474 /* if not a selinux xattr, only check the ordinary setattr perm */ 3475 if (strcmp(name, XATTR_NAME_SELINUX)) 3476 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3477 3478 if (!selinux_initialized()) 3479 return 0; 3480 3481 /* No one is allowed to remove a SELinux security label. 3482 You can change the label, but all data must be labeled. */ 3483 return -EACCES; 3484 } 3485 3486 static int selinux_path_notify(const struct path *path, u64 mask, 3487 unsigned int obj_type) 3488 { 3489 int ret; 3490 u32 perm; 3491 3492 struct common_audit_data ad; 3493 3494 ad.type = LSM_AUDIT_DATA_PATH; 3495 ad.u.path = *path; 3496 3497 /* 3498 * Set permission needed based on the type of mark being set. 3499 * Performs an additional check for sb watches. 3500 */ 3501 switch (obj_type) { 3502 case FSNOTIFY_OBJ_TYPE_VFSMOUNT: 3503 perm = FILE__WATCH_MOUNT; 3504 break; 3505 case FSNOTIFY_OBJ_TYPE_SB: 3506 perm = FILE__WATCH_SB; 3507 ret = superblock_has_perm(current_cred(), path->dentry->d_sb, 3508 FILESYSTEM__WATCH, &ad); 3509 if (ret) 3510 return ret; 3511 break; 3512 case FSNOTIFY_OBJ_TYPE_INODE: 3513 perm = FILE__WATCH; 3514 break; 3515 case FSNOTIFY_OBJ_TYPE_MNTNS: 3516 perm = FILE__WATCH_MOUNTNS; 3517 break; 3518 default: 3519 return -EINVAL; 3520 } 3521 3522 /* blocking watches require the file:watch_with_perm permission */ 3523 if (mask & (ALL_FSNOTIFY_PERM_EVENTS)) 3524 perm |= FILE__WATCH_WITH_PERM; 3525 3526 /* watches on read-like events need the file:watch_reads permission */ 3527 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_PRE_ACCESS | 3528 FS_CLOSE_NOWRITE)) 3529 perm |= FILE__WATCH_READS; 3530 3531 return path_has_perm(current_cred(), path, perm); 3532 } 3533 3534 /* 3535 * Copy the inode security context value to the user. 3536 * 3537 * Permission check is handled by selinux_inode_getxattr hook. 3538 */ 3539 static int selinux_inode_getsecurity(struct mnt_idmap *idmap, 3540 struct inode *inode, const char *name, 3541 void **buffer, bool alloc) 3542 { 3543 u32 size; 3544 int error; 3545 char *context = NULL; 3546 struct inode_security_struct *isec; 3547 3548 /* 3549 * If we're not initialized yet, then we can't validate contexts, so 3550 * just let vfs_getxattr fall back to using the on-disk xattr. 3551 */ 3552 if (!selinux_initialized() || 3553 strcmp(name, XATTR_SELINUX_SUFFIX)) 3554 return -EOPNOTSUPP; 3555 3556 /* 3557 * If the caller has CAP_MAC_ADMIN, then get the raw context 3558 * value even if it is not defined by current policy; otherwise, 3559 * use the in-core value under current policy. 3560 * Use the non-auditing forms of the permission checks since 3561 * getxattr may be called by unprivileged processes commonly 3562 * and lack of permission just means that we fall back to the 3563 * in-core context value, not a denial. 3564 */ 3565 isec = inode_security(inode); 3566 if (has_cap_mac_admin(false)) 3567 error = security_sid_to_context_force(isec->sid, &context, 3568 &size); 3569 else 3570 error = security_sid_to_context(isec->sid, 3571 &context, &size); 3572 if (error) 3573 return error; 3574 error = size; 3575 if (alloc) { 3576 *buffer = context; 3577 goto out_nofree; 3578 } 3579 kfree(context); 3580 out_nofree: 3581 return error; 3582 } 3583 3584 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3585 const void *value, size_t size, int flags) 3586 { 3587 struct inode_security_struct *isec = inode_security_novalidate(inode); 3588 struct superblock_security_struct *sbsec; 3589 u32 newsid; 3590 int rc; 3591 3592 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3593 return -EOPNOTSUPP; 3594 3595 sbsec = selinux_superblock(inode->i_sb); 3596 if (!(sbsec->flags & SBLABEL_MNT)) 3597 return -EOPNOTSUPP; 3598 3599 if (!value || !size) 3600 return -EACCES; 3601 3602 rc = security_context_to_sid(value, size, &newsid, 3603 GFP_KERNEL); 3604 if (rc) 3605 return rc; 3606 3607 spin_lock(&isec->lock); 3608 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3609 isec->sid = newsid; 3610 isec->initialized = LABEL_INITIALIZED; 3611 spin_unlock(&isec->lock); 3612 return 0; 3613 } 3614 3615 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3616 { 3617 const int len = sizeof(XATTR_NAME_SELINUX); 3618 3619 if (!selinux_initialized()) 3620 return 0; 3621 3622 if (buffer && len <= buffer_size) 3623 memcpy(buffer, XATTR_NAME_SELINUX, len); 3624 return len; 3625 } 3626 3627 static void selinux_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop) 3628 { 3629 struct inode_security_struct *isec = inode_security_novalidate(inode); 3630 3631 prop->selinux.secid = isec->sid; 3632 } 3633 3634 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3635 { 3636 struct lsm_prop prop; 3637 struct task_security_struct *tsec; 3638 struct cred *new_creds = *new; 3639 3640 if (new_creds == NULL) { 3641 new_creds = prepare_creds(); 3642 if (!new_creds) 3643 return -ENOMEM; 3644 } 3645 3646 tsec = selinux_cred(new_creds); 3647 /* Get label from overlay inode and set it in create_sid */ 3648 selinux_inode_getlsmprop(d_inode(src), &prop); 3649 tsec->create_sid = prop.selinux.secid; 3650 *new = new_creds; 3651 return 0; 3652 } 3653 3654 static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name) 3655 { 3656 /* The copy_up hook above sets the initial context on an inode, but we 3657 * don't then want to overwrite it by blindly copying all the lower 3658 * xattrs up. Instead, filter out SELinux-related xattrs following 3659 * policy load. 3660 */ 3661 if (selinux_initialized() && !strcmp(name, XATTR_NAME_SELINUX)) 3662 return -ECANCELED; /* Discard */ 3663 /* 3664 * Any other attribute apart from SELINUX is not claimed, supported 3665 * by selinux. 3666 */ 3667 return -EOPNOTSUPP; 3668 } 3669 3670 /* kernfs node operations */ 3671 3672 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, 3673 struct kernfs_node *kn) 3674 { 3675 const struct task_security_struct *tsec = selinux_cred(current_cred()); 3676 u32 parent_sid, newsid, clen; 3677 int rc; 3678 char *context; 3679 3680 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0); 3681 if (rc == -ENODATA) 3682 return 0; 3683 else if (rc < 0) 3684 return rc; 3685 3686 clen = (u32)rc; 3687 context = kmalloc(clen, GFP_KERNEL); 3688 if (!context) 3689 return -ENOMEM; 3690 3691 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen); 3692 if (rc < 0) { 3693 kfree(context); 3694 return rc; 3695 } 3696 3697 rc = security_context_to_sid(context, clen, &parent_sid, 3698 GFP_KERNEL); 3699 kfree(context); 3700 if (rc) 3701 return rc; 3702 3703 if (tsec->create_sid) { 3704 newsid = tsec->create_sid; 3705 } else { 3706 u16 secclass = inode_mode_to_security_class(kn->mode); 3707 const char *kn_name; 3708 struct qstr q; 3709 3710 /* kn is fresh, can't be renamed, name goes not away */ 3711 kn_name = rcu_dereference_check(kn->name, true); 3712 q.name = kn_name; 3713 q.hash_len = hashlen_string(kn_dir, kn_name); 3714 3715 rc = security_transition_sid(tsec->sid, 3716 parent_sid, secclass, &q, 3717 &newsid); 3718 if (rc) 3719 return rc; 3720 } 3721 3722 rc = security_sid_to_context_force(newsid, 3723 &context, &clen); 3724 if (rc) 3725 return rc; 3726 3727 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen, 3728 XATTR_CREATE); 3729 kfree(context); 3730 return rc; 3731 } 3732 3733 3734 /* file security operations */ 3735 3736 static int selinux_revalidate_file_permission(struct file *file, int mask) 3737 { 3738 const struct cred *cred = current_cred(); 3739 struct inode *inode = file_inode(file); 3740 3741 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3742 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3743 mask |= MAY_APPEND; 3744 3745 return file_has_perm(cred, file, 3746 file_mask_to_av(inode->i_mode, mask)); 3747 } 3748 3749 static int selinux_file_permission(struct file *file, int mask) 3750 { 3751 struct inode *inode = file_inode(file); 3752 struct file_security_struct *fsec = selinux_file(file); 3753 struct inode_security_struct *isec; 3754 u32 sid = current_sid(); 3755 3756 if (!mask) 3757 /* No permission to check. Existence test. */ 3758 return 0; 3759 3760 isec = inode_security(inode); 3761 if (sid == fsec->sid && fsec->isid == isec->sid && 3762 fsec->pseqno == avc_policy_seqno()) 3763 /* No change since file_open check. */ 3764 return 0; 3765 3766 return selinux_revalidate_file_permission(file, mask); 3767 } 3768 3769 static int selinux_file_alloc_security(struct file *file) 3770 { 3771 struct file_security_struct *fsec = selinux_file(file); 3772 u32 sid = current_sid(); 3773 3774 fsec->sid = sid; 3775 fsec->fown_sid = sid; 3776 3777 return 0; 3778 } 3779 3780 /* 3781 * Check whether a task has the ioctl permission and cmd 3782 * operation to an inode. 3783 */ 3784 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3785 u32 requested, u16 cmd) 3786 { 3787 struct common_audit_data ad; 3788 struct file_security_struct *fsec = selinux_file(file); 3789 struct inode *inode = file_inode(file); 3790 struct inode_security_struct *isec; 3791 struct lsm_ioctlop_audit ioctl; 3792 u32 ssid = cred_sid(cred); 3793 int rc; 3794 u8 driver = cmd >> 8; 3795 u8 xperm = cmd & 0xff; 3796 3797 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3798 ad.u.op = &ioctl; 3799 ad.u.op->cmd = cmd; 3800 ad.u.op->path = file->f_path; 3801 3802 if (ssid != fsec->sid) { 3803 rc = avc_has_perm(ssid, fsec->sid, 3804 SECCLASS_FD, 3805 FD__USE, 3806 &ad); 3807 if (rc) 3808 goto out; 3809 } 3810 3811 if (unlikely(IS_PRIVATE(inode))) 3812 return 0; 3813 3814 isec = inode_security(inode); 3815 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, requested, 3816 driver, AVC_EXT_IOCTL, xperm, &ad); 3817 out: 3818 return rc; 3819 } 3820 3821 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3822 unsigned long arg) 3823 { 3824 const struct cred *cred = current_cred(); 3825 int error = 0; 3826 3827 switch (cmd) { 3828 case FIONREAD: 3829 case FIBMAP: 3830 case FIGETBSZ: 3831 case FS_IOC_GETFLAGS: 3832 case FS_IOC_GETVERSION: 3833 error = file_has_perm(cred, file, FILE__GETATTR); 3834 break; 3835 3836 case FS_IOC_SETFLAGS: 3837 case FS_IOC_SETVERSION: 3838 error = file_has_perm(cred, file, FILE__SETATTR); 3839 break; 3840 3841 /* sys_ioctl() checks */ 3842 case FIONBIO: 3843 case FIOASYNC: 3844 error = file_has_perm(cred, file, 0); 3845 break; 3846 3847 case KDSKBENT: 3848 case KDSKBSENT: 3849 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3850 CAP_OPT_NONE, true); 3851 break; 3852 3853 case FIOCLEX: 3854 case FIONCLEX: 3855 if (!selinux_policycap_ioctl_skip_cloexec()) 3856 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3857 break; 3858 3859 /* default case assumes that the command will go 3860 * to the file's ioctl() function. 3861 */ 3862 default: 3863 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3864 } 3865 return error; 3866 } 3867 3868 static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd, 3869 unsigned long arg) 3870 { 3871 /* 3872 * If we are in a 64-bit kernel running 32-bit userspace, we need to 3873 * make sure we don't compare 32-bit flags to 64-bit flags. 3874 */ 3875 switch (cmd) { 3876 case FS_IOC32_GETFLAGS: 3877 cmd = FS_IOC_GETFLAGS; 3878 break; 3879 case FS_IOC32_SETFLAGS: 3880 cmd = FS_IOC_SETFLAGS; 3881 break; 3882 case FS_IOC32_GETVERSION: 3883 cmd = FS_IOC_GETVERSION; 3884 break; 3885 case FS_IOC32_SETVERSION: 3886 cmd = FS_IOC_SETVERSION; 3887 break; 3888 default: 3889 break; 3890 } 3891 3892 return selinux_file_ioctl(file, cmd, arg); 3893 } 3894 3895 static int default_noexec __ro_after_init; 3896 3897 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3898 { 3899 const struct cred *cred = current_cred(); 3900 u32 sid = cred_sid(cred); 3901 int rc = 0; 3902 3903 if (default_noexec && 3904 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3905 (!shared && (prot & PROT_WRITE)))) { 3906 /* 3907 * We are making executable an anonymous mapping or a 3908 * private file mapping that will also be writable. 3909 * This has an additional check. 3910 */ 3911 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3912 PROCESS__EXECMEM, NULL); 3913 if (rc) 3914 goto error; 3915 } 3916 3917 if (file) { 3918 /* read access is always possible with a mapping */ 3919 u32 av = FILE__READ; 3920 3921 /* write access only matters if the mapping is shared */ 3922 if (shared && (prot & PROT_WRITE)) 3923 av |= FILE__WRITE; 3924 3925 if (prot & PROT_EXEC) 3926 av |= FILE__EXECUTE; 3927 3928 return file_has_perm(cred, file, av); 3929 } 3930 3931 error: 3932 return rc; 3933 } 3934 3935 static int selinux_mmap_addr(unsigned long addr) 3936 { 3937 int rc = 0; 3938 3939 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3940 u32 sid = current_sid(); 3941 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3942 MEMPROTECT__MMAP_ZERO, NULL); 3943 } 3944 3945 return rc; 3946 } 3947 3948 static int selinux_mmap_file(struct file *file, 3949 unsigned long reqprot __always_unused, 3950 unsigned long prot, unsigned long flags) 3951 { 3952 struct common_audit_data ad; 3953 int rc; 3954 3955 if (file) { 3956 ad.type = LSM_AUDIT_DATA_FILE; 3957 ad.u.file = file; 3958 rc = inode_has_perm(current_cred(), file_inode(file), 3959 FILE__MAP, &ad); 3960 if (rc) 3961 return rc; 3962 } 3963 3964 return file_map_prot_check(file, prot, 3965 (flags & MAP_TYPE) == MAP_SHARED); 3966 } 3967 3968 static int selinux_file_mprotect(struct vm_area_struct *vma, 3969 unsigned long reqprot __always_unused, 3970 unsigned long prot) 3971 { 3972 const struct cred *cred = current_cred(); 3973 u32 sid = cred_sid(cred); 3974 3975 if (default_noexec && 3976 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3977 int rc = 0; 3978 /* 3979 * We don't use the vma_is_initial_heap() helper as it has 3980 * a history of problems and is currently broken on systems 3981 * where there is no heap, e.g. brk == start_brk. Before 3982 * replacing the conditional below with vma_is_initial_heap(), 3983 * or something similar, please ensure that the logic is the 3984 * same as what we have below or you have tested every possible 3985 * corner case you can think to test. 3986 */ 3987 if (vma->vm_start >= vma->vm_mm->start_brk && 3988 vma->vm_end <= vma->vm_mm->brk) { 3989 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3990 PROCESS__EXECHEAP, NULL); 3991 } else if (!vma->vm_file && (vma_is_initial_stack(vma) || 3992 vma_is_stack_for_current(vma))) { 3993 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3994 PROCESS__EXECSTACK, NULL); 3995 } else if (vma->vm_file && vma->anon_vma) { 3996 /* 3997 * We are making executable a file mapping that has 3998 * had some COW done. Since pages might have been 3999 * written, check ability to execute the possibly 4000 * modified content. This typically should only 4001 * occur for text relocations. 4002 */ 4003 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 4004 } 4005 if (rc) 4006 return rc; 4007 } 4008 4009 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 4010 } 4011 4012 static int selinux_file_lock(struct file *file, unsigned int cmd) 4013 { 4014 const struct cred *cred = current_cred(); 4015 4016 return file_has_perm(cred, file, FILE__LOCK); 4017 } 4018 4019 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 4020 unsigned long arg) 4021 { 4022 const struct cred *cred = current_cred(); 4023 int err = 0; 4024 4025 switch (cmd) { 4026 case F_SETFL: 4027 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 4028 err = file_has_perm(cred, file, FILE__WRITE); 4029 break; 4030 } 4031 fallthrough; 4032 case F_SETOWN: 4033 case F_SETSIG: 4034 case F_GETFL: 4035 case F_GETOWN: 4036 case F_GETSIG: 4037 case F_GETOWNER_UIDS: 4038 /* Just check FD__USE permission */ 4039 err = file_has_perm(cred, file, 0); 4040 break; 4041 case F_GETLK: 4042 case F_SETLK: 4043 case F_SETLKW: 4044 case F_OFD_GETLK: 4045 case F_OFD_SETLK: 4046 case F_OFD_SETLKW: 4047 #if BITS_PER_LONG == 32 4048 case F_GETLK64: 4049 case F_SETLK64: 4050 case F_SETLKW64: 4051 #endif 4052 err = file_has_perm(cred, file, FILE__LOCK); 4053 break; 4054 } 4055 4056 return err; 4057 } 4058 4059 static void selinux_file_set_fowner(struct file *file) 4060 { 4061 struct file_security_struct *fsec; 4062 4063 fsec = selinux_file(file); 4064 fsec->fown_sid = current_sid(); 4065 } 4066 4067 static int selinux_file_send_sigiotask(struct task_struct *tsk, 4068 struct fown_struct *fown, int signum) 4069 { 4070 struct file *file; 4071 u32 sid = task_sid_obj(tsk); 4072 u32 perm; 4073 struct file_security_struct *fsec; 4074 4075 /* struct fown_struct is never outside the context of a struct file */ 4076 file = fown->file; 4077 4078 fsec = selinux_file(file); 4079 4080 if (!signum) 4081 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 4082 else 4083 perm = signal_to_av(signum); 4084 4085 return avc_has_perm(fsec->fown_sid, sid, 4086 SECCLASS_PROCESS, perm, NULL); 4087 } 4088 4089 static int selinux_file_receive(struct file *file) 4090 { 4091 const struct cred *cred = current_cred(); 4092 4093 return file_has_perm(cred, file, file_to_av(file)); 4094 } 4095 4096 static int selinux_file_open(struct file *file) 4097 { 4098 struct file_security_struct *fsec; 4099 struct inode_security_struct *isec; 4100 4101 fsec = selinux_file(file); 4102 isec = inode_security(file_inode(file)); 4103 /* 4104 * Save inode label and policy sequence number 4105 * at open-time so that selinux_file_permission 4106 * can determine whether revalidation is necessary. 4107 * Task label is already saved in the file security 4108 * struct as its SID. 4109 */ 4110 fsec->isid = isec->sid; 4111 fsec->pseqno = avc_policy_seqno(); 4112 /* 4113 * Since the inode label or policy seqno may have changed 4114 * between the selinux_inode_permission check and the saving 4115 * of state above, recheck that access is still permitted. 4116 * Otherwise, access might never be revalidated against the 4117 * new inode label or new policy. 4118 * This check is not redundant - do not remove. 4119 */ 4120 return file_path_has_perm(file->f_cred, file, open_file_to_av(file)); 4121 } 4122 4123 /* task security operations */ 4124 4125 static int selinux_task_alloc(struct task_struct *task, 4126 unsigned long clone_flags) 4127 { 4128 u32 sid = current_sid(); 4129 4130 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 4131 } 4132 4133 /* 4134 * prepare a new set of credentials for modification 4135 */ 4136 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 4137 gfp_t gfp) 4138 { 4139 const struct task_security_struct *old_tsec = selinux_cred(old); 4140 struct task_security_struct *tsec = selinux_cred(new); 4141 4142 *tsec = *old_tsec; 4143 return 0; 4144 } 4145 4146 /* 4147 * transfer the SELinux data to a blank set of creds 4148 */ 4149 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 4150 { 4151 const struct task_security_struct *old_tsec = selinux_cred(old); 4152 struct task_security_struct *tsec = selinux_cred(new); 4153 4154 *tsec = *old_tsec; 4155 } 4156 4157 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 4158 { 4159 *secid = cred_sid(c); 4160 } 4161 4162 static void selinux_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop) 4163 { 4164 prop->selinux.secid = cred_sid(c); 4165 } 4166 4167 /* 4168 * set the security data for a kernel service 4169 * - all the creation contexts are set to unlabelled 4170 */ 4171 static int selinux_kernel_act_as(struct cred *new, u32 secid) 4172 { 4173 struct task_security_struct *tsec = selinux_cred(new); 4174 u32 sid = current_sid(); 4175 int ret; 4176 4177 ret = avc_has_perm(sid, secid, 4178 SECCLASS_KERNEL_SERVICE, 4179 KERNEL_SERVICE__USE_AS_OVERRIDE, 4180 NULL); 4181 if (ret == 0) { 4182 tsec->sid = secid; 4183 tsec->create_sid = 0; 4184 tsec->keycreate_sid = 0; 4185 tsec->sockcreate_sid = 0; 4186 } 4187 return ret; 4188 } 4189 4190 /* 4191 * set the file creation context in a security record to the same as the 4192 * objective context of the specified inode 4193 */ 4194 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 4195 { 4196 struct inode_security_struct *isec = inode_security(inode); 4197 struct task_security_struct *tsec = selinux_cred(new); 4198 u32 sid = current_sid(); 4199 int ret; 4200 4201 ret = avc_has_perm(sid, isec->sid, 4202 SECCLASS_KERNEL_SERVICE, 4203 KERNEL_SERVICE__CREATE_FILES_AS, 4204 NULL); 4205 4206 if (ret == 0) 4207 tsec->create_sid = isec->sid; 4208 return ret; 4209 } 4210 4211 static int selinux_kernel_module_request(char *kmod_name) 4212 { 4213 struct common_audit_data ad; 4214 4215 ad.type = LSM_AUDIT_DATA_KMOD; 4216 ad.u.kmod_name = kmod_name; 4217 4218 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4219 SYSTEM__MODULE_REQUEST, &ad); 4220 } 4221 4222 static int selinux_kernel_load_from_file(struct file *file, u32 requested) 4223 { 4224 struct common_audit_data ad; 4225 struct inode_security_struct *isec; 4226 struct file_security_struct *fsec; 4227 u32 sid = current_sid(); 4228 int rc; 4229 4230 if (file == NULL) 4231 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, requested, NULL); 4232 4233 ad.type = LSM_AUDIT_DATA_FILE; 4234 ad.u.file = file; 4235 4236 fsec = selinux_file(file); 4237 if (sid != fsec->sid) { 4238 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4239 if (rc) 4240 return rc; 4241 } 4242 4243 isec = inode_security(file_inode(file)); 4244 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, requested, &ad); 4245 } 4246 4247 static int selinux_kernel_read_file(struct file *file, 4248 enum kernel_read_file_id id, 4249 bool contents) 4250 { 4251 int rc = 0; 4252 4253 BUILD_BUG_ON_MSG(READING_MAX_ID > 7, 4254 "New kernel_read_file_id introduced; update SELinux!"); 4255 4256 switch (id) { 4257 case READING_FIRMWARE: 4258 rc = selinux_kernel_load_from_file(file, SYSTEM__FIRMWARE_LOAD); 4259 break; 4260 case READING_MODULE: 4261 rc = selinux_kernel_load_from_file(file, SYSTEM__MODULE_LOAD); 4262 break; 4263 case READING_KEXEC_IMAGE: 4264 rc = selinux_kernel_load_from_file(file, 4265 SYSTEM__KEXEC_IMAGE_LOAD); 4266 break; 4267 case READING_KEXEC_INITRAMFS: 4268 rc = selinux_kernel_load_from_file(file, 4269 SYSTEM__KEXEC_INITRAMFS_LOAD); 4270 break; 4271 case READING_POLICY: 4272 rc = selinux_kernel_load_from_file(file, SYSTEM__POLICY_LOAD); 4273 break; 4274 case READING_X509_CERTIFICATE: 4275 rc = selinux_kernel_load_from_file(file, 4276 SYSTEM__X509_CERTIFICATE_LOAD); 4277 break; 4278 default: 4279 break; 4280 } 4281 4282 return rc; 4283 } 4284 4285 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents) 4286 { 4287 int rc = 0; 4288 4289 BUILD_BUG_ON_MSG(LOADING_MAX_ID > 7, 4290 "New kernel_load_data_id introduced; update SELinux!"); 4291 4292 switch (id) { 4293 case LOADING_FIRMWARE: 4294 rc = selinux_kernel_load_from_file(NULL, SYSTEM__FIRMWARE_LOAD); 4295 break; 4296 case LOADING_MODULE: 4297 rc = selinux_kernel_load_from_file(NULL, SYSTEM__MODULE_LOAD); 4298 break; 4299 case LOADING_KEXEC_IMAGE: 4300 rc = selinux_kernel_load_from_file(NULL, 4301 SYSTEM__KEXEC_IMAGE_LOAD); 4302 break; 4303 case LOADING_KEXEC_INITRAMFS: 4304 rc = selinux_kernel_load_from_file(NULL, 4305 SYSTEM__KEXEC_INITRAMFS_LOAD); 4306 break; 4307 case LOADING_POLICY: 4308 rc = selinux_kernel_load_from_file(NULL, 4309 SYSTEM__POLICY_LOAD); 4310 break; 4311 case LOADING_X509_CERTIFICATE: 4312 rc = selinux_kernel_load_from_file(NULL, 4313 SYSTEM__X509_CERTIFICATE_LOAD); 4314 break; 4315 default: 4316 break; 4317 } 4318 4319 return rc; 4320 } 4321 4322 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4323 { 4324 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4325 PROCESS__SETPGID, NULL); 4326 } 4327 4328 static int selinux_task_getpgid(struct task_struct *p) 4329 { 4330 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4331 PROCESS__GETPGID, NULL); 4332 } 4333 4334 static int selinux_task_getsid(struct task_struct *p) 4335 { 4336 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4337 PROCESS__GETSESSION, NULL); 4338 } 4339 4340 static void selinux_current_getlsmprop_subj(struct lsm_prop *prop) 4341 { 4342 prop->selinux.secid = current_sid(); 4343 } 4344 4345 static void selinux_task_getlsmprop_obj(struct task_struct *p, 4346 struct lsm_prop *prop) 4347 { 4348 prop->selinux.secid = task_sid_obj(p); 4349 } 4350 4351 static int selinux_task_setnice(struct task_struct *p, int nice) 4352 { 4353 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4354 PROCESS__SETSCHED, NULL); 4355 } 4356 4357 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4358 { 4359 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4360 PROCESS__SETSCHED, NULL); 4361 } 4362 4363 static int selinux_task_getioprio(struct task_struct *p) 4364 { 4365 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4366 PROCESS__GETSCHED, NULL); 4367 } 4368 4369 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4370 unsigned int flags) 4371 { 4372 u32 av = 0; 4373 4374 if (!flags) 4375 return 0; 4376 if (flags & LSM_PRLIMIT_WRITE) 4377 av |= PROCESS__SETRLIMIT; 4378 if (flags & LSM_PRLIMIT_READ) 4379 av |= PROCESS__GETRLIMIT; 4380 return avc_has_perm(cred_sid(cred), cred_sid(tcred), 4381 SECCLASS_PROCESS, av, NULL); 4382 } 4383 4384 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4385 struct rlimit *new_rlim) 4386 { 4387 struct rlimit *old_rlim = p->signal->rlim + resource; 4388 4389 /* Control the ability to change the hard limit (whether 4390 lowering or raising it), so that the hard limit can 4391 later be used as a safe reset point for the soft limit 4392 upon context transitions. See selinux_bprm_committing_creds. */ 4393 if (old_rlim->rlim_max != new_rlim->rlim_max) 4394 return avc_has_perm(current_sid(), task_sid_obj(p), 4395 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4396 4397 return 0; 4398 } 4399 4400 static int selinux_task_setscheduler(struct task_struct *p) 4401 { 4402 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4403 PROCESS__SETSCHED, NULL); 4404 } 4405 4406 static int selinux_task_getscheduler(struct task_struct *p) 4407 { 4408 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4409 PROCESS__GETSCHED, NULL); 4410 } 4411 4412 static int selinux_task_movememory(struct task_struct *p) 4413 { 4414 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4415 PROCESS__SETSCHED, NULL); 4416 } 4417 4418 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, 4419 int sig, const struct cred *cred) 4420 { 4421 u32 secid; 4422 u32 perm; 4423 4424 if (!sig) 4425 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4426 else 4427 perm = signal_to_av(sig); 4428 if (!cred) 4429 secid = current_sid(); 4430 else 4431 secid = cred_sid(cred); 4432 return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL); 4433 } 4434 4435 static void selinux_task_to_inode(struct task_struct *p, 4436 struct inode *inode) 4437 { 4438 struct inode_security_struct *isec = selinux_inode(inode); 4439 u32 sid = task_sid_obj(p); 4440 4441 spin_lock(&isec->lock); 4442 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4443 isec->sid = sid; 4444 isec->initialized = LABEL_INITIALIZED; 4445 spin_unlock(&isec->lock); 4446 } 4447 4448 static int selinux_userns_create(const struct cred *cred) 4449 { 4450 u32 sid = current_sid(); 4451 4452 return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE, 4453 USER_NAMESPACE__CREATE, NULL); 4454 } 4455 4456 /* Returns error only if unable to parse addresses */ 4457 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4458 struct common_audit_data *ad, u8 *proto) 4459 { 4460 int offset, ihlen, ret = -EINVAL; 4461 struct iphdr _iph, *ih; 4462 4463 offset = skb_network_offset(skb); 4464 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4465 if (ih == NULL) 4466 goto out; 4467 4468 ihlen = ih->ihl * 4; 4469 if (ihlen < sizeof(_iph)) 4470 goto out; 4471 4472 ad->u.net->v4info.saddr = ih->saddr; 4473 ad->u.net->v4info.daddr = ih->daddr; 4474 ret = 0; 4475 4476 if (proto) 4477 *proto = ih->protocol; 4478 4479 switch (ih->protocol) { 4480 case IPPROTO_TCP: { 4481 struct tcphdr _tcph, *th; 4482 4483 if (ntohs(ih->frag_off) & IP_OFFSET) 4484 break; 4485 4486 offset += ihlen; 4487 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4488 if (th == NULL) 4489 break; 4490 4491 ad->u.net->sport = th->source; 4492 ad->u.net->dport = th->dest; 4493 break; 4494 } 4495 4496 case IPPROTO_UDP: { 4497 struct udphdr _udph, *uh; 4498 4499 if (ntohs(ih->frag_off) & IP_OFFSET) 4500 break; 4501 4502 offset += ihlen; 4503 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4504 if (uh == NULL) 4505 break; 4506 4507 ad->u.net->sport = uh->source; 4508 ad->u.net->dport = uh->dest; 4509 break; 4510 } 4511 4512 case IPPROTO_DCCP: { 4513 struct dccp_hdr _dccph, *dh; 4514 4515 if (ntohs(ih->frag_off) & IP_OFFSET) 4516 break; 4517 4518 offset += ihlen; 4519 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4520 if (dh == NULL) 4521 break; 4522 4523 ad->u.net->sport = dh->dccph_sport; 4524 ad->u.net->dport = dh->dccph_dport; 4525 break; 4526 } 4527 4528 #if IS_ENABLED(CONFIG_IP_SCTP) 4529 case IPPROTO_SCTP: { 4530 struct sctphdr _sctph, *sh; 4531 4532 if (ntohs(ih->frag_off) & IP_OFFSET) 4533 break; 4534 4535 offset += ihlen; 4536 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4537 if (sh == NULL) 4538 break; 4539 4540 ad->u.net->sport = sh->source; 4541 ad->u.net->dport = sh->dest; 4542 break; 4543 } 4544 #endif 4545 default: 4546 break; 4547 } 4548 out: 4549 return ret; 4550 } 4551 4552 #if IS_ENABLED(CONFIG_IPV6) 4553 4554 /* Returns error only if unable to parse addresses */ 4555 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4556 struct common_audit_data *ad, u8 *proto) 4557 { 4558 u8 nexthdr; 4559 int ret = -EINVAL, offset; 4560 struct ipv6hdr _ipv6h, *ip6; 4561 __be16 frag_off; 4562 4563 offset = skb_network_offset(skb); 4564 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4565 if (ip6 == NULL) 4566 goto out; 4567 4568 ad->u.net->v6info.saddr = ip6->saddr; 4569 ad->u.net->v6info.daddr = ip6->daddr; 4570 ret = 0; 4571 4572 nexthdr = ip6->nexthdr; 4573 offset += sizeof(_ipv6h); 4574 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4575 if (offset < 0) 4576 goto out; 4577 4578 if (proto) 4579 *proto = nexthdr; 4580 4581 switch (nexthdr) { 4582 case IPPROTO_TCP: { 4583 struct tcphdr _tcph, *th; 4584 4585 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4586 if (th == NULL) 4587 break; 4588 4589 ad->u.net->sport = th->source; 4590 ad->u.net->dport = th->dest; 4591 break; 4592 } 4593 4594 case IPPROTO_UDP: { 4595 struct udphdr _udph, *uh; 4596 4597 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4598 if (uh == NULL) 4599 break; 4600 4601 ad->u.net->sport = uh->source; 4602 ad->u.net->dport = uh->dest; 4603 break; 4604 } 4605 4606 case IPPROTO_DCCP: { 4607 struct dccp_hdr _dccph, *dh; 4608 4609 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4610 if (dh == NULL) 4611 break; 4612 4613 ad->u.net->sport = dh->dccph_sport; 4614 ad->u.net->dport = dh->dccph_dport; 4615 break; 4616 } 4617 4618 #if IS_ENABLED(CONFIG_IP_SCTP) 4619 case IPPROTO_SCTP: { 4620 struct sctphdr _sctph, *sh; 4621 4622 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4623 if (sh == NULL) 4624 break; 4625 4626 ad->u.net->sport = sh->source; 4627 ad->u.net->dport = sh->dest; 4628 break; 4629 } 4630 #endif 4631 /* includes fragments */ 4632 default: 4633 break; 4634 } 4635 out: 4636 return ret; 4637 } 4638 4639 #endif /* IPV6 */ 4640 4641 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4642 char **_addrp, int src, u8 *proto) 4643 { 4644 char *addrp; 4645 int ret; 4646 4647 switch (ad->u.net->family) { 4648 case PF_INET: 4649 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4650 if (ret) 4651 goto parse_error; 4652 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4653 &ad->u.net->v4info.daddr); 4654 goto okay; 4655 4656 #if IS_ENABLED(CONFIG_IPV6) 4657 case PF_INET6: 4658 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4659 if (ret) 4660 goto parse_error; 4661 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4662 &ad->u.net->v6info.daddr); 4663 goto okay; 4664 #endif /* IPV6 */ 4665 default: 4666 addrp = NULL; 4667 goto okay; 4668 } 4669 4670 parse_error: 4671 pr_warn( 4672 "SELinux: failure in selinux_parse_skb()," 4673 " unable to parse packet\n"); 4674 return ret; 4675 4676 okay: 4677 if (_addrp) 4678 *_addrp = addrp; 4679 return 0; 4680 } 4681 4682 /** 4683 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4684 * @skb: the packet 4685 * @family: protocol family 4686 * @sid: the packet's peer label SID 4687 * 4688 * Description: 4689 * Check the various different forms of network peer labeling and determine 4690 * the peer label/SID for the packet; most of the magic actually occurs in 4691 * the security server function security_net_peersid_cmp(). The function 4692 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4693 * or -EACCES if @sid is invalid due to inconsistencies with the different 4694 * peer labels. 4695 * 4696 */ 4697 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4698 { 4699 int err; 4700 u32 xfrm_sid; 4701 u32 nlbl_sid; 4702 u32 nlbl_type; 4703 4704 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4705 if (unlikely(err)) 4706 return -EACCES; 4707 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4708 if (unlikely(err)) 4709 return -EACCES; 4710 4711 err = security_net_peersid_resolve(nlbl_sid, 4712 nlbl_type, xfrm_sid, sid); 4713 if (unlikely(err)) { 4714 pr_warn( 4715 "SELinux: failure in selinux_skb_peerlbl_sid()," 4716 " unable to determine packet's peer label\n"); 4717 return -EACCES; 4718 } 4719 4720 return 0; 4721 } 4722 4723 /** 4724 * selinux_conn_sid - Determine the child socket label for a connection 4725 * @sk_sid: the parent socket's SID 4726 * @skb_sid: the packet's SID 4727 * @conn_sid: the resulting connection SID 4728 * 4729 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4730 * combined with the MLS information from @skb_sid in order to create 4731 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy 4732 * of @sk_sid. Returns zero on success, negative values on failure. 4733 * 4734 */ 4735 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4736 { 4737 int err = 0; 4738 4739 if (skb_sid != SECSID_NULL) 4740 err = security_sid_mls_copy(sk_sid, skb_sid, 4741 conn_sid); 4742 else 4743 *conn_sid = sk_sid; 4744 4745 return err; 4746 } 4747 4748 /* socket security operations */ 4749 4750 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4751 u16 secclass, u32 *socksid) 4752 { 4753 if (tsec->sockcreate_sid > SECSID_NULL) { 4754 *socksid = tsec->sockcreate_sid; 4755 return 0; 4756 } 4757 4758 return security_transition_sid(tsec->sid, tsec->sid, 4759 secclass, NULL, socksid); 4760 } 4761 4762 static bool sock_skip_has_perm(u32 sid) 4763 { 4764 if (sid == SECINITSID_KERNEL) 4765 return true; 4766 4767 /* 4768 * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that 4769 * inherited the kernel context from early boot used to be skipped 4770 * here, so preserve that behavior unless the capability is set. 4771 * 4772 * By setting the capability the policy signals that it is ready 4773 * for this quirk to be fixed. Note that sockets created by a kernel 4774 * thread or a usermode helper executed without a transition will 4775 * still be skipped in this check regardless of the policycap 4776 * setting. 4777 */ 4778 if (!selinux_policycap_userspace_initial_context() && 4779 sid == SECINITSID_INIT) 4780 return true; 4781 return false; 4782 } 4783 4784 4785 static int sock_has_perm(struct sock *sk, u32 perms) 4786 { 4787 struct sk_security_struct *sksec = sk->sk_security; 4788 struct common_audit_data ad; 4789 struct lsm_network_audit net; 4790 4791 if (sock_skip_has_perm(sksec->sid)) 4792 return 0; 4793 4794 ad_net_init_from_sk(&ad, &net, sk); 4795 4796 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4797 &ad); 4798 } 4799 4800 static int selinux_socket_create(int family, int type, 4801 int protocol, int kern) 4802 { 4803 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4804 u32 newsid; 4805 u16 secclass; 4806 int rc; 4807 4808 if (kern) 4809 return 0; 4810 4811 secclass = socket_type_to_security_class(family, type, protocol); 4812 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4813 if (rc) 4814 return rc; 4815 4816 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4817 } 4818 4819 static int selinux_socket_post_create(struct socket *sock, int family, 4820 int type, int protocol, int kern) 4821 { 4822 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4823 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4824 struct sk_security_struct *sksec; 4825 u16 sclass = socket_type_to_security_class(family, type, protocol); 4826 u32 sid = SECINITSID_KERNEL; 4827 int err = 0; 4828 4829 if (!kern) { 4830 err = socket_sockcreate_sid(tsec, sclass, &sid); 4831 if (err) 4832 return err; 4833 } 4834 4835 isec->sclass = sclass; 4836 isec->sid = sid; 4837 isec->initialized = LABEL_INITIALIZED; 4838 4839 if (sock->sk) { 4840 sksec = selinux_sock(sock->sk); 4841 sksec->sclass = sclass; 4842 sksec->sid = sid; 4843 /* Allows detection of the first association on this socket */ 4844 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4845 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4846 4847 err = selinux_netlbl_socket_post_create(sock->sk, family); 4848 } 4849 4850 return err; 4851 } 4852 4853 static int selinux_socket_socketpair(struct socket *socka, 4854 struct socket *sockb) 4855 { 4856 struct sk_security_struct *sksec_a = selinux_sock(socka->sk); 4857 struct sk_security_struct *sksec_b = selinux_sock(sockb->sk); 4858 4859 sksec_a->peer_sid = sksec_b->sid; 4860 sksec_b->peer_sid = sksec_a->sid; 4861 4862 return 0; 4863 } 4864 4865 /* Range of port numbers used to automatically bind. 4866 Need to determine whether we should perform a name_bind 4867 permission check between the socket and the port number. */ 4868 4869 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4870 { 4871 struct sock *sk = sock->sk; 4872 struct sk_security_struct *sksec = selinux_sock(sk); 4873 u16 family; 4874 int err; 4875 4876 err = sock_has_perm(sk, SOCKET__BIND); 4877 if (err) 4878 goto out; 4879 4880 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4881 family = sk->sk_family; 4882 if (family == PF_INET || family == PF_INET6) { 4883 char *addrp; 4884 struct common_audit_data ad; 4885 struct lsm_network_audit net = {0,}; 4886 struct sockaddr_in *addr4 = NULL; 4887 struct sockaddr_in6 *addr6 = NULL; 4888 u16 family_sa; 4889 unsigned short snum; 4890 u32 sid, node_perm; 4891 4892 /* 4893 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4894 * that validates multiple binding addresses. Because of this 4895 * need to check address->sa_family as it is possible to have 4896 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4897 */ 4898 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4899 return -EINVAL; 4900 family_sa = address->sa_family; 4901 switch (family_sa) { 4902 case AF_UNSPEC: 4903 case AF_INET: 4904 if (addrlen < sizeof(struct sockaddr_in)) 4905 return -EINVAL; 4906 addr4 = (struct sockaddr_in *)address; 4907 if (family_sa == AF_UNSPEC) { 4908 if (family == PF_INET6) { 4909 /* Length check from inet6_bind_sk() */ 4910 if (addrlen < SIN6_LEN_RFC2133) 4911 return -EINVAL; 4912 /* Family check from __inet6_bind() */ 4913 goto err_af; 4914 } 4915 /* see __inet_bind(), we only want to allow 4916 * AF_UNSPEC if the address is INADDR_ANY 4917 */ 4918 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4919 goto err_af; 4920 family_sa = AF_INET; 4921 } 4922 snum = ntohs(addr4->sin_port); 4923 addrp = (char *)&addr4->sin_addr.s_addr; 4924 break; 4925 case AF_INET6: 4926 if (addrlen < SIN6_LEN_RFC2133) 4927 return -EINVAL; 4928 addr6 = (struct sockaddr_in6 *)address; 4929 snum = ntohs(addr6->sin6_port); 4930 addrp = (char *)&addr6->sin6_addr.s6_addr; 4931 break; 4932 default: 4933 goto err_af; 4934 } 4935 4936 ad.type = LSM_AUDIT_DATA_NET; 4937 ad.u.net = &net; 4938 ad.u.net->sport = htons(snum); 4939 ad.u.net->family = family_sa; 4940 4941 if (snum) { 4942 int low, high; 4943 4944 inet_get_local_port_range(sock_net(sk), &low, &high); 4945 4946 if (inet_port_requires_bind_service(sock_net(sk), snum) || 4947 snum < low || snum > high) { 4948 err = sel_netport_sid(sk->sk_protocol, 4949 snum, &sid); 4950 if (err) 4951 goto out; 4952 err = avc_has_perm(sksec->sid, sid, 4953 sksec->sclass, 4954 SOCKET__NAME_BIND, &ad); 4955 if (err) 4956 goto out; 4957 } 4958 } 4959 4960 switch (sksec->sclass) { 4961 case SECCLASS_TCP_SOCKET: 4962 node_perm = TCP_SOCKET__NODE_BIND; 4963 break; 4964 4965 case SECCLASS_UDP_SOCKET: 4966 node_perm = UDP_SOCKET__NODE_BIND; 4967 break; 4968 4969 case SECCLASS_DCCP_SOCKET: 4970 node_perm = DCCP_SOCKET__NODE_BIND; 4971 break; 4972 4973 case SECCLASS_SCTP_SOCKET: 4974 node_perm = SCTP_SOCKET__NODE_BIND; 4975 break; 4976 4977 default: 4978 node_perm = RAWIP_SOCKET__NODE_BIND; 4979 break; 4980 } 4981 4982 err = sel_netnode_sid(addrp, family_sa, &sid); 4983 if (err) 4984 goto out; 4985 4986 if (family_sa == AF_INET) 4987 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4988 else 4989 ad.u.net->v6info.saddr = addr6->sin6_addr; 4990 4991 err = avc_has_perm(sksec->sid, sid, 4992 sksec->sclass, node_perm, &ad); 4993 if (err) 4994 goto out; 4995 } 4996 out: 4997 return err; 4998 err_af: 4999 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 5000 if (sk->sk_protocol == IPPROTO_SCTP) 5001 return -EINVAL; 5002 return -EAFNOSUPPORT; 5003 } 5004 5005 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 5006 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst 5007 */ 5008 static int selinux_socket_connect_helper(struct socket *sock, 5009 struct sockaddr *address, int addrlen) 5010 { 5011 struct sock *sk = sock->sk; 5012 struct sk_security_struct *sksec = selinux_sock(sk); 5013 int err; 5014 5015 err = sock_has_perm(sk, SOCKET__CONNECT); 5016 if (err) 5017 return err; 5018 if (addrlen < offsetofend(struct sockaddr, sa_family)) 5019 return -EINVAL; 5020 5021 /* connect(AF_UNSPEC) has special handling, as it is a documented 5022 * way to disconnect the socket 5023 */ 5024 if (address->sa_family == AF_UNSPEC) 5025 return 0; 5026 5027 /* 5028 * If a TCP, DCCP or SCTP socket, check name_connect permission 5029 * for the port. 5030 */ 5031 if (sksec->sclass == SECCLASS_TCP_SOCKET || 5032 sksec->sclass == SECCLASS_DCCP_SOCKET || 5033 sksec->sclass == SECCLASS_SCTP_SOCKET) { 5034 struct common_audit_data ad; 5035 struct lsm_network_audit net = {0,}; 5036 struct sockaddr_in *addr4 = NULL; 5037 struct sockaddr_in6 *addr6 = NULL; 5038 unsigned short snum; 5039 u32 sid, perm; 5040 5041 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 5042 * that validates multiple connect addresses. Because of this 5043 * need to check address->sa_family as it is possible to have 5044 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 5045 */ 5046 switch (address->sa_family) { 5047 case AF_INET: 5048 addr4 = (struct sockaddr_in *)address; 5049 if (addrlen < sizeof(struct sockaddr_in)) 5050 return -EINVAL; 5051 snum = ntohs(addr4->sin_port); 5052 break; 5053 case AF_INET6: 5054 addr6 = (struct sockaddr_in6 *)address; 5055 if (addrlen < SIN6_LEN_RFC2133) 5056 return -EINVAL; 5057 snum = ntohs(addr6->sin6_port); 5058 break; 5059 default: 5060 /* Note that SCTP services expect -EINVAL, whereas 5061 * others expect -EAFNOSUPPORT. 5062 */ 5063 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 5064 return -EINVAL; 5065 else 5066 return -EAFNOSUPPORT; 5067 } 5068 5069 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 5070 if (err) 5071 return err; 5072 5073 switch (sksec->sclass) { 5074 case SECCLASS_TCP_SOCKET: 5075 perm = TCP_SOCKET__NAME_CONNECT; 5076 break; 5077 case SECCLASS_DCCP_SOCKET: 5078 perm = DCCP_SOCKET__NAME_CONNECT; 5079 break; 5080 case SECCLASS_SCTP_SOCKET: 5081 perm = SCTP_SOCKET__NAME_CONNECT; 5082 break; 5083 } 5084 5085 ad.type = LSM_AUDIT_DATA_NET; 5086 ad.u.net = &net; 5087 ad.u.net->dport = htons(snum); 5088 ad.u.net->family = address->sa_family; 5089 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 5090 if (err) 5091 return err; 5092 } 5093 5094 return 0; 5095 } 5096 5097 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 5098 static int selinux_socket_connect(struct socket *sock, 5099 struct sockaddr *address, int addrlen) 5100 { 5101 int err; 5102 struct sock *sk = sock->sk; 5103 5104 err = selinux_socket_connect_helper(sock, address, addrlen); 5105 if (err) 5106 return err; 5107 5108 return selinux_netlbl_socket_connect(sk, address); 5109 } 5110 5111 static int selinux_socket_listen(struct socket *sock, int backlog) 5112 { 5113 return sock_has_perm(sock->sk, SOCKET__LISTEN); 5114 } 5115 5116 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 5117 { 5118 int err; 5119 struct inode_security_struct *isec; 5120 struct inode_security_struct *newisec; 5121 u16 sclass; 5122 u32 sid; 5123 5124 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 5125 if (err) 5126 return err; 5127 5128 isec = inode_security_novalidate(SOCK_INODE(sock)); 5129 spin_lock(&isec->lock); 5130 sclass = isec->sclass; 5131 sid = isec->sid; 5132 spin_unlock(&isec->lock); 5133 5134 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 5135 newisec->sclass = sclass; 5136 newisec->sid = sid; 5137 newisec->initialized = LABEL_INITIALIZED; 5138 5139 return 0; 5140 } 5141 5142 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 5143 int size) 5144 { 5145 return sock_has_perm(sock->sk, SOCKET__WRITE); 5146 } 5147 5148 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 5149 int size, int flags) 5150 { 5151 return sock_has_perm(sock->sk, SOCKET__READ); 5152 } 5153 5154 static int selinux_socket_getsockname(struct socket *sock) 5155 { 5156 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5157 } 5158 5159 static int selinux_socket_getpeername(struct socket *sock) 5160 { 5161 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5162 } 5163 5164 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 5165 { 5166 int err; 5167 5168 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 5169 if (err) 5170 return err; 5171 5172 return selinux_netlbl_socket_setsockopt(sock, level, optname); 5173 } 5174 5175 static int selinux_socket_getsockopt(struct socket *sock, int level, 5176 int optname) 5177 { 5178 return sock_has_perm(sock->sk, SOCKET__GETOPT); 5179 } 5180 5181 static int selinux_socket_shutdown(struct socket *sock, int how) 5182 { 5183 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 5184 } 5185 5186 static int selinux_socket_unix_stream_connect(struct sock *sock, 5187 struct sock *other, 5188 struct sock *newsk) 5189 { 5190 struct sk_security_struct *sksec_sock = selinux_sock(sock); 5191 struct sk_security_struct *sksec_other = selinux_sock(other); 5192 struct sk_security_struct *sksec_new = selinux_sock(newsk); 5193 struct common_audit_data ad; 5194 struct lsm_network_audit net; 5195 int err; 5196 5197 ad_net_init_from_sk(&ad, &net, other); 5198 5199 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 5200 sksec_other->sclass, 5201 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 5202 if (err) 5203 return err; 5204 5205 /* server child socket */ 5206 sksec_new->peer_sid = sksec_sock->sid; 5207 err = security_sid_mls_copy(sksec_other->sid, 5208 sksec_sock->sid, &sksec_new->sid); 5209 if (err) 5210 return err; 5211 5212 /* connecting socket */ 5213 sksec_sock->peer_sid = sksec_new->sid; 5214 5215 return 0; 5216 } 5217 5218 static int selinux_socket_unix_may_send(struct socket *sock, 5219 struct socket *other) 5220 { 5221 struct sk_security_struct *ssec = selinux_sock(sock->sk); 5222 struct sk_security_struct *osec = selinux_sock(other->sk); 5223 struct common_audit_data ad; 5224 struct lsm_network_audit net; 5225 5226 ad_net_init_from_sk(&ad, &net, other->sk); 5227 5228 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 5229 &ad); 5230 } 5231 5232 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 5233 char *addrp, u16 family, u32 peer_sid, 5234 struct common_audit_data *ad) 5235 { 5236 int err; 5237 u32 if_sid; 5238 u32 node_sid; 5239 5240 err = sel_netif_sid(ns, ifindex, &if_sid); 5241 if (err) 5242 return err; 5243 err = avc_has_perm(peer_sid, if_sid, 5244 SECCLASS_NETIF, NETIF__INGRESS, ad); 5245 if (err) 5246 return err; 5247 5248 err = sel_netnode_sid(addrp, family, &node_sid); 5249 if (err) 5250 return err; 5251 return avc_has_perm(peer_sid, node_sid, 5252 SECCLASS_NODE, NODE__RECVFROM, ad); 5253 } 5254 5255 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 5256 u16 family) 5257 { 5258 int err = 0; 5259 struct sk_security_struct *sksec = selinux_sock(sk); 5260 u32 sk_sid = sksec->sid; 5261 struct common_audit_data ad; 5262 struct lsm_network_audit net; 5263 char *addrp; 5264 5265 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family); 5266 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5267 if (err) 5268 return err; 5269 5270 if (selinux_secmark_enabled()) { 5271 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5272 PACKET__RECV, &ad); 5273 if (err) 5274 return err; 5275 } 5276 5277 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 5278 if (err) 5279 return err; 5280 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 5281 5282 return err; 5283 } 5284 5285 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 5286 { 5287 int err, peerlbl_active, secmark_active; 5288 struct sk_security_struct *sksec = selinux_sock(sk); 5289 u16 family = sk->sk_family; 5290 u32 sk_sid = sksec->sid; 5291 struct common_audit_data ad; 5292 struct lsm_network_audit net; 5293 char *addrp; 5294 5295 if (family != PF_INET && family != PF_INET6) 5296 return 0; 5297 5298 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5299 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5300 family = PF_INET; 5301 5302 /* If any sort of compatibility mode is enabled then handoff processing 5303 * to the selinux_sock_rcv_skb_compat() function to deal with the 5304 * special handling. We do this in an attempt to keep this function 5305 * as fast and as clean as possible. */ 5306 if (!selinux_policycap_netpeer()) 5307 return selinux_sock_rcv_skb_compat(sk, skb, family); 5308 5309 secmark_active = selinux_secmark_enabled(); 5310 peerlbl_active = selinux_peerlbl_enabled(); 5311 if (!secmark_active && !peerlbl_active) 5312 return 0; 5313 5314 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family); 5315 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5316 if (err) 5317 return err; 5318 5319 if (peerlbl_active) { 5320 u32 peer_sid; 5321 5322 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5323 if (err) 5324 return err; 5325 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5326 addrp, family, peer_sid, &ad); 5327 if (err) { 5328 selinux_netlbl_err(skb, family, err, 0); 5329 return err; 5330 } 5331 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 5332 PEER__RECV, &ad); 5333 if (err) { 5334 selinux_netlbl_err(skb, family, err, 0); 5335 return err; 5336 } 5337 } 5338 5339 if (secmark_active) { 5340 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5341 PACKET__RECV, &ad); 5342 if (err) 5343 return err; 5344 } 5345 5346 return err; 5347 } 5348 5349 static int selinux_socket_getpeersec_stream(struct socket *sock, 5350 sockptr_t optval, sockptr_t optlen, 5351 unsigned int len) 5352 { 5353 int err = 0; 5354 char *scontext = NULL; 5355 u32 scontext_len; 5356 struct sk_security_struct *sksec = selinux_sock(sock->sk); 5357 u32 peer_sid = SECSID_NULL; 5358 5359 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5360 sksec->sclass == SECCLASS_TCP_SOCKET || 5361 sksec->sclass == SECCLASS_SCTP_SOCKET) 5362 peer_sid = sksec->peer_sid; 5363 if (peer_sid == SECSID_NULL) 5364 return -ENOPROTOOPT; 5365 5366 err = security_sid_to_context(peer_sid, &scontext, 5367 &scontext_len); 5368 if (err) 5369 return err; 5370 if (scontext_len > len) { 5371 err = -ERANGE; 5372 goto out_len; 5373 } 5374 5375 if (copy_to_sockptr(optval, scontext, scontext_len)) 5376 err = -EFAULT; 5377 out_len: 5378 if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len))) 5379 err = -EFAULT; 5380 kfree(scontext); 5381 return err; 5382 } 5383 5384 static int selinux_socket_getpeersec_dgram(struct socket *sock, 5385 struct sk_buff *skb, u32 *secid) 5386 { 5387 u32 peer_secid = SECSID_NULL; 5388 u16 family; 5389 5390 if (skb && skb->protocol == htons(ETH_P_IP)) 5391 family = PF_INET; 5392 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5393 family = PF_INET6; 5394 else if (sock) 5395 family = sock->sk->sk_family; 5396 else { 5397 *secid = SECSID_NULL; 5398 return -EINVAL; 5399 } 5400 5401 if (sock && family == PF_UNIX) { 5402 struct inode_security_struct *isec; 5403 isec = inode_security_novalidate(SOCK_INODE(sock)); 5404 peer_secid = isec->sid; 5405 } else if (skb) 5406 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5407 5408 *secid = peer_secid; 5409 if (peer_secid == SECSID_NULL) 5410 return -ENOPROTOOPT; 5411 return 0; 5412 } 5413 5414 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5415 { 5416 struct sk_security_struct *sksec = selinux_sock(sk); 5417 5418 sksec->peer_sid = SECINITSID_UNLABELED; 5419 sksec->sid = SECINITSID_UNLABELED; 5420 sksec->sclass = SECCLASS_SOCKET; 5421 selinux_netlbl_sk_security_reset(sksec); 5422 5423 return 0; 5424 } 5425 5426 static void selinux_sk_free_security(struct sock *sk) 5427 { 5428 struct sk_security_struct *sksec = selinux_sock(sk); 5429 5430 selinux_netlbl_sk_security_free(sksec); 5431 } 5432 5433 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5434 { 5435 struct sk_security_struct *sksec = selinux_sock(sk); 5436 struct sk_security_struct *newsksec = selinux_sock(newsk); 5437 5438 newsksec->sid = sksec->sid; 5439 newsksec->peer_sid = sksec->peer_sid; 5440 newsksec->sclass = sksec->sclass; 5441 5442 selinux_netlbl_sk_security_reset(newsksec); 5443 } 5444 5445 static void selinux_sk_getsecid(const struct sock *sk, u32 *secid) 5446 { 5447 if (!sk) 5448 *secid = SECINITSID_ANY_SOCKET; 5449 else { 5450 const struct sk_security_struct *sksec = selinux_sock(sk); 5451 5452 *secid = sksec->sid; 5453 } 5454 } 5455 5456 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5457 { 5458 struct inode_security_struct *isec = 5459 inode_security_novalidate(SOCK_INODE(parent)); 5460 struct sk_security_struct *sksec = selinux_sock(sk); 5461 5462 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5463 sk->sk_family == PF_UNIX) 5464 isec->sid = sksec->sid; 5465 sksec->sclass = isec->sclass; 5466 } 5467 5468 /* 5469 * Determines peer_secid for the asoc and updates socket's peer label 5470 * if it's the first association on the socket. 5471 */ 5472 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc, 5473 struct sk_buff *skb) 5474 { 5475 struct sock *sk = asoc->base.sk; 5476 u16 family = sk->sk_family; 5477 struct sk_security_struct *sksec = selinux_sock(sk); 5478 struct common_audit_data ad; 5479 struct lsm_network_audit net; 5480 int err; 5481 5482 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5483 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5484 family = PF_INET; 5485 5486 if (selinux_peerlbl_enabled()) { 5487 asoc->peer_secid = SECSID_NULL; 5488 5489 /* This will return peer_sid = SECSID_NULL if there are 5490 * no peer labels, see security_net_peersid_resolve(). 5491 */ 5492 err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid); 5493 if (err) 5494 return err; 5495 5496 if (asoc->peer_secid == SECSID_NULL) 5497 asoc->peer_secid = SECINITSID_UNLABELED; 5498 } else { 5499 asoc->peer_secid = SECINITSID_UNLABELED; 5500 } 5501 5502 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5503 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5504 5505 /* Here as first association on socket. As the peer SID 5506 * was allowed by peer recv (and the netif/node checks), 5507 * then it is approved by policy and used as the primary 5508 * peer SID for getpeercon(3). 5509 */ 5510 sksec->peer_sid = asoc->peer_secid; 5511 } else if (sksec->peer_sid != asoc->peer_secid) { 5512 /* Other association peer SIDs are checked to enforce 5513 * consistency among the peer SIDs. 5514 */ 5515 ad_net_init_from_sk(&ad, &net, asoc->base.sk); 5516 err = avc_has_perm(sksec->peer_sid, asoc->peer_secid, 5517 sksec->sclass, SCTP_SOCKET__ASSOCIATION, 5518 &ad); 5519 if (err) 5520 return err; 5521 } 5522 return 0; 5523 } 5524 5525 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This 5526 * happens on an incoming connect(2), sctp_connectx(3) or 5527 * sctp_sendmsg(3) (with no association already present). 5528 */ 5529 static int selinux_sctp_assoc_request(struct sctp_association *asoc, 5530 struct sk_buff *skb) 5531 { 5532 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); 5533 u32 conn_sid; 5534 int err; 5535 5536 if (!selinux_policycap_extsockclass()) 5537 return 0; 5538 5539 err = selinux_sctp_process_new_assoc(asoc, skb); 5540 if (err) 5541 return err; 5542 5543 /* Compute the MLS component for the connection and store 5544 * the information in asoc. This will be used by SCTP TCP type 5545 * sockets and peeled off connections as they cause a new 5546 * socket to be generated. selinux_sctp_sk_clone() will then 5547 * plug this into the new socket. 5548 */ 5549 err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid); 5550 if (err) 5551 return err; 5552 5553 asoc->secid = conn_sid; 5554 5555 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5556 return selinux_netlbl_sctp_assoc_request(asoc, skb); 5557 } 5558 5559 /* Called when SCTP receives a COOKIE ACK chunk as the final 5560 * response to an association request (initited by us). 5561 */ 5562 static int selinux_sctp_assoc_established(struct sctp_association *asoc, 5563 struct sk_buff *skb) 5564 { 5565 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); 5566 5567 if (!selinux_policycap_extsockclass()) 5568 return 0; 5569 5570 /* Inherit secid from the parent socket - this will be picked up 5571 * by selinux_sctp_sk_clone() if the association gets peeled off 5572 * into a new socket. 5573 */ 5574 asoc->secid = sksec->sid; 5575 5576 return selinux_sctp_process_new_assoc(asoc, skb); 5577 } 5578 5579 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5580 * based on their @optname. 5581 */ 5582 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5583 struct sockaddr *address, 5584 int addrlen) 5585 { 5586 int len, err = 0, walk_size = 0; 5587 void *addr_buf; 5588 struct sockaddr *addr; 5589 struct socket *sock; 5590 5591 if (!selinux_policycap_extsockclass()) 5592 return 0; 5593 5594 /* Process one or more addresses that may be IPv4 or IPv6 */ 5595 sock = sk->sk_socket; 5596 addr_buf = address; 5597 5598 while (walk_size < addrlen) { 5599 if (walk_size + sizeof(sa_family_t) > addrlen) 5600 return -EINVAL; 5601 5602 addr = addr_buf; 5603 switch (addr->sa_family) { 5604 case AF_UNSPEC: 5605 case AF_INET: 5606 len = sizeof(struct sockaddr_in); 5607 break; 5608 case AF_INET6: 5609 len = sizeof(struct sockaddr_in6); 5610 break; 5611 default: 5612 return -EINVAL; 5613 } 5614 5615 if (walk_size + len > addrlen) 5616 return -EINVAL; 5617 5618 err = -EINVAL; 5619 switch (optname) { 5620 /* Bind checks */ 5621 case SCTP_PRIMARY_ADDR: 5622 case SCTP_SET_PEER_PRIMARY_ADDR: 5623 case SCTP_SOCKOPT_BINDX_ADD: 5624 err = selinux_socket_bind(sock, addr, len); 5625 break; 5626 /* Connect checks */ 5627 case SCTP_SOCKOPT_CONNECTX: 5628 case SCTP_PARAM_SET_PRIMARY: 5629 case SCTP_PARAM_ADD_IP: 5630 case SCTP_SENDMSG_CONNECT: 5631 err = selinux_socket_connect_helper(sock, addr, len); 5632 if (err) 5633 return err; 5634 5635 /* As selinux_sctp_bind_connect() is called by the 5636 * SCTP protocol layer, the socket is already locked, 5637 * therefore selinux_netlbl_socket_connect_locked() 5638 * is called here. The situations handled are: 5639 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5640 * whenever a new IP address is added or when a new 5641 * primary address is selected. 5642 * Note that an SCTP connect(2) call happens before 5643 * the SCTP protocol layer and is handled via 5644 * selinux_socket_connect(). 5645 */ 5646 err = selinux_netlbl_socket_connect_locked(sk, addr); 5647 break; 5648 } 5649 5650 if (err) 5651 return err; 5652 5653 addr_buf += len; 5654 walk_size += len; 5655 } 5656 5657 return 0; 5658 } 5659 5660 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5661 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, 5662 struct sock *newsk) 5663 { 5664 struct sk_security_struct *sksec = selinux_sock(sk); 5665 struct sk_security_struct *newsksec = selinux_sock(newsk); 5666 5667 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5668 * the non-sctp clone version. 5669 */ 5670 if (!selinux_policycap_extsockclass()) 5671 return selinux_sk_clone_security(sk, newsk); 5672 5673 newsksec->sid = asoc->secid; 5674 newsksec->peer_sid = asoc->peer_secid; 5675 newsksec->sclass = sksec->sclass; 5676 selinux_netlbl_sctp_sk_clone(sk, newsk); 5677 } 5678 5679 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk) 5680 { 5681 struct sk_security_struct *ssksec = selinux_sock(ssk); 5682 struct sk_security_struct *sksec = selinux_sock(sk); 5683 5684 ssksec->sclass = sksec->sclass; 5685 ssksec->sid = sksec->sid; 5686 5687 /* replace the existing subflow label deleting the existing one 5688 * and re-recreating a new label using the updated context 5689 */ 5690 selinux_netlbl_sk_security_free(ssksec); 5691 return selinux_netlbl_socket_post_create(ssk, ssk->sk_family); 5692 } 5693 5694 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 5695 struct request_sock *req) 5696 { 5697 struct sk_security_struct *sksec = selinux_sock(sk); 5698 int err; 5699 u16 family = req->rsk_ops->family; 5700 u32 connsid; 5701 u32 peersid; 5702 5703 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5704 if (err) 5705 return err; 5706 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5707 if (err) 5708 return err; 5709 req->secid = connsid; 5710 req->peer_secid = peersid; 5711 5712 return selinux_netlbl_inet_conn_request(req, family); 5713 } 5714 5715 static void selinux_inet_csk_clone(struct sock *newsk, 5716 const struct request_sock *req) 5717 { 5718 struct sk_security_struct *newsksec = selinux_sock(newsk); 5719 5720 newsksec->sid = req->secid; 5721 newsksec->peer_sid = req->peer_secid; 5722 /* NOTE: Ideally, we should also get the isec->sid for the 5723 new socket in sync, but we don't have the isec available yet. 5724 So we will wait until sock_graft to do it, by which 5725 time it will have been created and available. */ 5726 5727 /* We don't need to take any sort of lock here as we are the only 5728 * thread with access to newsksec */ 5729 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5730 } 5731 5732 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5733 { 5734 u16 family = sk->sk_family; 5735 struct sk_security_struct *sksec = selinux_sock(sk); 5736 5737 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5738 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5739 family = PF_INET; 5740 5741 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5742 } 5743 5744 static int selinux_secmark_relabel_packet(u32 sid) 5745 { 5746 return avc_has_perm(current_sid(), sid, SECCLASS_PACKET, PACKET__RELABELTO, 5747 NULL); 5748 } 5749 5750 static void selinux_secmark_refcount_inc(void) 5751 { 5752 atomic_inc(&selinux_secmark_refcount); 5753 } 5754 5755 static void selinux_secmark_refcount_dec(void) 5756 { 5757 atomic_dec(&selinux_secmark_refcount); 5758 } 5759 5760 static void selinux_req_classify_flow(const struct request_sock *req, 5761 struct flowi_common *flic) 5762 { 5763 flic->flowic_secid = req->secid; 5764 } 5765 5766 static int selinux_tun_dev_alloc_security(void *security) 5767 { 5768 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5769 5770 tunsec->sid = current_sid(); 5771 return 0; 5772 } 5773 5774 static int selinux_tun_dev_create(void) 5775 { 5776 u32 sid = current_sid(); 5777 5778 /* we aren't taking into account the "sockcreate" SID since the socket 5779 * that is being created here is not a socket in the traditional sense, 5780 * instead it is a private sock, accessible only to the kernel, and 5781 * representing a wide range of network traffic spanning multiple 5782 * connections unlike traditional sockets - check the TUN driver to 5783 * get a better understanding of why this socket is special */ 5784 5785 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5786 NULL); 5787 } 5788 5789 static int selinux_tun_dev_attach_queue(void *security) 5790 { 5791 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5792 5793 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5794 TUN_SOCKET__ATTACH_QUEUE, NULL); 5795 } 5796 5797 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5798 { 5799 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5800 struct sk_security_struct *sksec = selinux_sock(sk); 5801 5802 /* we don't currently perform any NetLabel based labeling here and it 5803 * isn't clear that we would want to do so anyway; while we could apply 5804 * labeling without the support of the TUN user the resulting labeled 5805 * traffic from the other end of the connection would almost certainly 5806 * cause confusion to the TUN user that had no idea network labeling 5807 * protocols were being used */ 5808 5809 sksec->sid = tunsec->sid; 5810 sksec->sclass = SECCLASS_TUN_SOCKET; 5811 5812 return 0; 5813 } 5814 5815 static int selinux_tun_dev_open(void *security) 5816 { 5817 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5818 u32 sid = current_sid(); 5819 int err; 5820 5821 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5822 TUN_SOCKET__RELABELFROM, NULL); 5823 if (err) 5824 return err; 5825 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 5826 TUN_SOCKET__RELABELTO, NULL); 5827 if (err) 5828 return err; 5829 tunsec->sid = sid; 5830 5831 return 0; 5832 } 5833 5834 #ifdef CONFIG_NETFILTER 5835 5836 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb, 5837 const struct nf_hook_state *state) 5838 { 5839 int ifindex; 5840 u16 family; 5841 char *addrp; 5842 u32 peer_sid; 5843 struct common_audit_data ad; 5844 struct lsm_network_audit net; 5845 int secmark_active, peerlbl_active; 5846 5847 if (!selinux_policycap_netpeer()) 5848 return NF_ACCEPT; 5849 5850 secmark_active = selinux_secmark_enabled(); 5851 peerlbl_active = selinux_peerlbl_enabled(); 5852 if (!secmark_active && !peerlbl_active) 5853 return NF_ACCEPT; 5854 5855 family = state->pf; 5856 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5857 return NF_DROP; 5858 5859 ifindex = state->in->ifindex; 5860 ad_net_init_from_iif(&ad, &net, ifindex, family); 5861 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5862 return NF_DROP; 5863 5864 if (peerlbl_active) { 5865 int err; 5866 5867 err = selinux_inet_sys_rcv_skb(state->net, ifindex, 5868 addrp, family, peer_sid, &ad); 5869 if (err) { 5870 selinux_netlbl_err(skb, family, err, 1); 5871 return NF_DROP; 5872 } 5873 } 5874 5875 if (secmark_active) 5876 if (avc_has_perm(peer_sid, skb->secmark, 5877 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5878 return NF_DROP; 5879 5880 if (netlbl_enabled()) 5881 /* we do this in the FORWARD path and not the POST_ROUTING 5882 * path because we want to make sure we apply the necessary 5883 * labeling before IPsec is applied so we can leverage AH 5884 * protection */ 5885 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5886 return NF_DROP; 5887 5888 return NF_ACCEPT; 5889 } 5890 5891 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb, 5892 const struct nf_hook_state *state) 5893 { 5894 struct sock *sk; 5895 u32 sid; 5896 5897 if (!netlbl_enabled()) 5898 return NF_ACCEPT; 5899 5900 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5901 * because we want to make sure we apply the necessary labeling 5902 * before IPsec is applied so we can leverage AH protection */ 5903 sk = sk_to_full_sk(skb->sk); 5904 if (sk) { 5905 struct sk_security_struct *sksec; 5906 5907 if (sk_listener(sk)) 5908 /* if the socket is the listening state then this 5909 * packet is a SYN-ACK packet which means it needs to 5910 * be labeled based on the connection/request_sock and 5911 * not the parent socket. unfortunately, we can't 5912 * lookup the request_sock yet as it isn't queued on 5913 * the parent socket until after the SYN-ACK is sent. 5914 * the "solution" is to simply pass the packet as-is 5915 * as any IP option based labeling should be copied 5916 * from the initial connection request (in the IP 5917 * layer). it is far from ideal, but until we get a 5918 * security label in the packet itself this is the 5919 * best we can do. */ 5920 return NF_ACCEPT; 5921 5922 /* standard practice, label using the parent socket */ 5923 sksec = selinux_sock(sk); 5924 sid = sksec->sid; 5925 } else 5926 sid = SECINITSID_KERNEL; 5927 if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0) 5928 return NF_DROP; 5929 5930 return NF_ACCEPT; 5931 } 5932 5933 5934 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5935 const struct nf_hook_state *state) 5936 { 5937 struct sock *sk; 5938 struct sk_security_struct *sksec; 5939 struct common_audit_data ad; 5940 struct lsm_network_audit net; 5941 u8 proto = 0; 5942 5943 sk = skb_to_full_sk(skb); 5944 if (sk == NULL) 5945 return NF_ACCEPT; 5946 sksec = selinux_sock(sk); 5947 5948 ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf); 5949 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto)) 5950 return NF_DROP; 5951 5952 if (selinux_secmark_enabled()) 5953 if (avc_has_perm(sksec->sid, skb->secmark, 5954 SECCLASS_PACKET, PACKET__SEND, &ad)) 5955 return NF_DROP_ERR(-ECONNREFUSED); 5956 5957 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5958 return NF_DROP_ERR(-ECONNREFUSED); 5959 5960 return NF_ACCEPT; 5961 } 5962 5963 static unsigned int selinux_ip_postroute(void *priv, 5964 struct sk_buff *skb, 5965 const struct nf_hook_state *state) 5966 { 5967 u16 family; 5968 u32 secmark_perm; 5969 u32 peer_sid; 5970 int ifindex; 5971 struct sock *sk; 5972 struct common_audit_data ad; 5973 struct lsm_network_audit net; 5974 char *addrp; 5975 int secmark_active, peerlbl_active; 5976 5977 /* If any sort of compatibility mode is enabled then handoff processing 5978 * to the selinux_ip_postroute_compat() function to deal with the 5979 * special handling. We do this in an attempt to keep this function 5980 * as fast and as clean as possible. */ 5981 if (!selinux_policycap_netpeer()) 5982 return selinux_ip_postroute_compat(skb, state); 5983 5984 secmark_active = selinux_secmark_enabled(); 5985 peerlbl_active = selinux_peerlbl_enabled(); 5986 if (!secmark_active && !peerlbl_active) 5987 return NF_ACCEPT; 5988 5989 sk = skb_to_full_sk(skb); 5990 5991 #ifdef CONFIG_XFRM 5992 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5993 * packet transformation so allow the packet to pass without any checks 5994 * since we'll have another chance to perform access control checks 5995 * when the packet is on it's final way out. 5996 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5997 * is NULL, in this case go ahead and apply access control. 5998 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5999 * TCP listening state we cannot wait until the XFRM processing 6000 * is done as we will miss out on the SA label if we do; 6001 * unfortunately, this means more work, but it is only once per 6002 * connection. */ 6003 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 6004 !(sk && sk_listener(sk))) 6005 return NF_ACCEPT; 6006 #endif 6007 6008 family = state->pf; 6009 if (sk == NULL) { 6010 /* Without an associated socket the packet is either coming 6011 * from the kernel or it is being forwarded; check the packet 6012 * to determine which and if the packet is being forwarded 6013 * query the packet directly to determine the security label. */ 6014 if (skb->skb_iif) { 6015 secmark_perm = PACKET__FORWARD_OUT; 6016 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 6017 return NF_DROP; 6018 } else { 6019 secmark_perm = PACKET__SEND; 6020 peer_sid = SECINITSID_KERNEL; 6021 } 6022 } else if (sk_listener(sk)) { 6023 /* Locally generated packet but the associated socket is in the 6024 * listening state which means this is a SYN-ACK packet. In 6025 * this particular case the correct security label is assigned 6026 * to the connection/request_sock but unfortunately we can't 6027 * query the request_sock as it isn't queued on the parent 6028 * socket until after the SYN-ACK packet is sent; the only 6029 * viable choice is to regenerate the label like we do in 6030 * selinux_inet_conn_request(). See also selinux_ip_output() 6031 * for similar problems. */ 6032 u32 skb_sid; 6033 struct sk_security_struct *sksec; 6034 6035 sksec = selinux_sock(sk); 6036 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 6037 return NF_DROP; 6038 /* At this point, if the returned skb peerlbl is SECSID_NULL 6039 * and the packet has been through at least one XFRM 6040 * transformation then we must be dealing with the "final" 6041 * form of labeled IPsec packet; since we've already applied 6042 * all of our access controls on this packet we can safely 6043 * pass the packet. */ 6044 if (skb_sid == SECSID_NULL) { 6045 switch (family) { 6046 case PF_INET: 6047 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 6048 return NF_ACCEPT; 6049 break; 6050 case PF_INET6: 6051 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 6052 return NF_ACCEPT; 6053 break; 6054 default: 6055 return NF_DROP_ERR(-ECONNREFUSED); 6056 } 6057 } 6058 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 6059 return NF_DROP; 6060 secmark_perm = PACKET__SEND; 6061 } else { 6062 /* Locally generated packet, fetch the security label from the 6063 * associated socket. */ 6064 struct sk_security_struct *sksec = selinux_sock(sk); 6065 peer_sid = sksec->sid; 6066 secmark_perm = PACKET__SEND; 6067 } 6068 6069 ifindex = state->out->ifindex; 6070 ad_net_init_from_iif(&ad, &net, ifindex, family); 6071 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 6072 return NF_DROP; 6073 6074 if (secmark_active) 6075 if (avc_has_perm(peer_sid, skb->secmark, 6076 SECCLASS_PACKET, secmark_perm, &ad)) 6077 return NF_DROP_ERR(-ECONNREFUSED); 6078 6079 if (peerlbl_active) { 6080 u32 if_sid; 6081 u32 node_sid; 6082 6083 if (sel_netif_sid(state->net, ifindex, &if_sid)) 6084 return NF_DROP; 6085 if (avc_has_perm(peer_sid, if_sid, 6086 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 6087 return NF_DROP_ERR(-ECONNREFUSED); 6088 6089 if (sel_netnode_sid(addrp, family, &node_sid)) 6090 return NF_DROP; 6091 if (avc_has_perm(peer_sid, node_sid, 6092 SECCLASS_NODE, NODE__SENDTO, &ad)) 6093 return NF_DROP_ERR(-ECONNREFUSED); 6094 } 6095 6096 return NF_ACCEPT; 6097 } 6098 #endif /* CONFIG_NETFILTER */ 6099 6100 static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type) 6101 { 6102 struct sk_security_struct *sksec = sk->sk_security; 6103 struct common_audit_data ad; 6104 u8 driver; 6105 u8 xperm; 6106 6107 if (sock_skip_has_perm(sksec->sid)) 6108 return 0; 6109 6110 ad.type = LSM_AUDIT_DATA_NLMSGTYPE; 6111 ad.u.nlmsg_type = nlmsg_type; 6112 6113 driver = nlmsg_type >> 8; 6114 xperm = nlmsg_type & 0xff; 6115 6116 return avc_has_extended_perms(current_sid(), sksec->sid, sksec->sclass, 6117 perms, driver, AVC_EXT_NLMSG, xperm, &ad); 6118 } 6119 6120 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 6121 { 6122 int rc = 0; 6123 unsigned int msg_len; 6124 unsigned int data_len = skb->len; 6125 unsigned char *data = skb->data; 6126 struct nlmsghdr *nlh; 6127 struct sk_security_struct *sksec = selinux_sock(sk); 6128 u16 sclass = sksec->sclass; 6129 u32 perm; 6130 6131 while (data_len >= nlmsg_total_size(0)) { 6132 nlh = (struct nlmsghdr *)data; 6133 6134 /* NOTE: the nlmsg_len field isn't reliably set by some netlink 6135 * users which means we can't reject skb's with bogus 6136 * length fields; our solution is to follow what 6137 * netlink_rcv_skb() does and simply skip processing at 6138 * messages with length fields that are clearly junk 6139 */ 6140 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len) 6141 return 0; 6142 6143 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm); 6144 if (rc == 0) { 6145 if (selinux_policycap_netlink_xperm()) { 6146 rc = nlmsg_sock_has_extended_perms( 6147 sk, perm, nlh->nlmsg_type); 6148 } else { 6149 rc = sock_has_perm(sk, perm); 6150 } 6151 if (rc) 6152 return rc; 6153 } else if (rc == -EINVAL) { 6154 /* -EINVAL is a missing msg/perm mapping */ 6155 pr_warn_ratelimited("SELinux: unrecognized netlink" 6156 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 6157 " pid=%d comm=%s\n", 6158 sk->sk_protocol, nlh->nlmsg_type, 6159 secclass_map[sclass - 1].name, 6160 task_pid_nr(current), current->comm); 6161 if (enforcing_enabled() && 6162 !security_get_allow_unknown()) 6163 return rc; 6164 rc = 0; 6165 } else if (rc == -ENOENT) { 6166 /* -ENOENT is a missing socket/class mapping, ignore */ 6167 rc = 0; 6168 } else { 6169 return rc; 6170 } 6171 6172 /* move to the next message after applying netlink padding */ 6173 msg_len = NLMSG_ALIGN(nlh->nlmsg_len); 6174 if (msg_len >= data_len) 6175 return 0; 6176 data_len -= msg_len; 6177 data += msg_len; 6178 } 6179 6180 return rc; 6181 } 6182 6183 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass) 6184 { 6185 isec->sclass = sclass; 6186 isec->sid = current_sid(); 6187 } 6188 6189 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 6190 u32 perms) 6191 { 6192 struct ipc_security_struct *isec; 6193 struct common_audit_data ad; 6194 u32 sid = current_sid(); 6195 6196 isec = selinux_ipc(ipc_perms); 6197 6198 ad.type = LSM_AUDIT_DATA_IPC; 6199 ad.u.ipc_id = ipc_perms->key; 6200 6201 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 6202 } 6203 6204 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 6205 { 6206 struct msg_security_struct *msec; 6207 6208 msec = selinux_msg_msg(msg); 6209 msec->sid = SECINITSID_UNLABELED; 6210 6211 return 0; 6212 } 6213 6214 /* message queue security operations */ 6215 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 6216 { 6217 struct ipc_security_struct *isec; 6218 struct common_audit_data ad; 6219 u32 sid = current_sid(); 6220 6221 isec = selinux_ipc(msq); 6222 ipc_init_security(isec, SECCLASS_MSGQ); 6223 6224 ad.type = LSM_AUDIT_DATA_IPC; 6225 ad.u.ipc_id = msq->key; 6226 6227 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6228 MSGQ__CREATE, &ad); 6229 } 6230 6231 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 6232 { 6233 struct ipc_security_struct *isec; 6234 struct common_audit_data ad; 6235 u32 sid = current_sid(); 6236 6237 isec = selinux_ipc(msq); 6238 6239 ad.type = LSM_AUDIT_DATA_IPC; 6240 ad.u.ipc_id = msq->key; 6241 6242 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6243 MSGQ__ASSOCIATE, &ad); 6244 } 6245 6246 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 6247 { 6248 u32 perms; 6249 6250 switch (cmd) { 6251 case IPC_INFO: 6252 case MSG_INFO: 6253 /* No specific object, just general system-wide information. */ 6254 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6255 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6256 case IPC_STAT: 6257 case MSG_STAT: 6258 case MSG_STAT_ANY: 6259 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6260 break; 6261 case IPC_SET: 6262 perms = MSGQ__SETATTR; 6263 break; 6264 case IPC_RMID: 6265 perms = MSGQ__DESTROY; 6266 break; 6267 default: 6268 return 0; 6269 } 6270 6271 return ipc_has_perm(msq, perms); 6272 } 6273 6274 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6275 { 6276 struct ipc_security_struct *isec; 6277 struct msg_security_struct *msec; 6278 struct common_audit_data ad; 6279 u32 sid = current_sid(); 6280 int rc; 6281 6282 isec = selinux_ipc(msq); 6283 msec = selinux_msg_msg(msg); 6284 6285 /* 6286 * First time through, need to assign label to the message 6287 */ 6288 if (msec->sid == SECINITSID_UNLABELED) { 6289 /* 6290 * Compute new sid based on current process and 6291 * message queue this message will be stored in 6292 */ 6293 rc = security_transition_sid(sid, isec->sid, 6294 SECCLASS_MSG, NULL, &msec->sid); 6295 if (rc) 6296 return rc; 6297 } 6298 6299 ad.type = LSM_AUDIT_DATA_IPC; 6300 ad.u.ipc_id = msq->key; 6301 6302 /* Can this process write to the queue? */ 6303 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6304 MSGQ__WRITE, &ad); 6305 if (!rc) 6306 /* Can this process send the message */ 6307 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 6308 MSG__SEND, &ad); 6309 if (!rc) 6310 /* Can the message be put in the queue? */ 6311 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 6312 MSGQ__ENQUEUE, &ad); 6313 6314 return rc; 6315 } 6316 6317 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6318 struct task_struct *target, 6319 long type, int mode) 6320 { 6321 struct ipc_security_struct *isec; 6322 struct msg_security_struct *msec; 6323 struct common_audit_data ad; 6324 u32 sid = task_sid_obj(target); 6325 int rc; 6326 6327 isec = selinux_ipc(msq); 6328 msec = selinux_msg_msg(msg); 6329 6330 ad.type = LSM_AUDIT_DATA_IPC; 6331 ad.u.ipc_id = msq->key; 6332 6333 rc = avc_has_perm(sid, isec->sid, 6334 SECCLASS_MSGQ, MSGQ__READ, &ad); 6335 if (!rc) 6336 rc = avc_has_perm(sid, msec->sid, 6337 SECCLASS_MSG, MSG__RECEIVE, &ad); 6338 return rc; 6339 } 6340 6341 /* Shared Memory security operations */ 6342 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6343 { 6344 struct ipc_security_struct *isec; 6345 struct common_audit_data ad; 6346 u32 sid = current_sid(); 6347 6348 isec = selinux_ipc(shp); 6349 ipc_init_security(isec, SECCLASS_SHM); 6350 6351 ad.type = LSM_AUDIT_DATA_IPC; 6352 ad.u.ipc_id = shp->key; 6353 6354 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6355 SHM__CREATE, &ad); 6356 } 6357 6358 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6359 { 6360 struct ipc_security_struct *isec; 6361 struct common_audit_data ad; 6362 u32 sid = current_sid(); 6363 6364 isec = selinux_ipc(shp); 6365 6366 ad.type = LSM_AUDIT_DATA_IPC; 6367 ad.u.ipc_id = shp->key; 6368 6369 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6370 SHM__ASSOCIATE, &ad); 6371 } 6372 6373 /* Note, at this point, shp is locked down */ 6374 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6375 { 6376 u32 perms; 6377 6378 switch (cmd) { 6379 case IPC_INFO: 6380 case SHM_INFO: 6381 /* No specific object, just general system-wide information. */ 6382 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6383 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6384 case IPC_STAT: 6385 case SHM_STAT: 6386 case SHM_STAT_ANY: 6387 perms = SHM__GETATTR | SHM__ASSOCIATE; 6388 break; 6389 case IPC_SET: 6390 perms = SHM__SETATTR; 6391 break; 6392 case SHM_LOCK: 6393 case SHM_UNLOCK: 6394 perms = SHM__LOCK; 6395 break; 6396 case IPC_RMID: 6397 perms = SHM__DESTROY; 6398 break; 6399 default: 6400 return 0; 6401 } 6402 6403 return ipc_has_perm(shp, perms); 6404 } 6405 6406 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6407 char __user *shmaddr, int shmflg) 6408 { 6409 u32 perms; 6410 6411 if (shmflg & SHM_RDONLY) 6412 perms = SHM__READ; 6413 else 6414 perms = SHM__READ | SHM__WRITE; 6415 6416 return ipc_has_perm(shp, perms); 6417 } 6418 6419 /* Semaphore security operations */ 6420 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6421 { 6422 struct ipc_security_struct *isec; 6423 struct common_audit_data ad; 6424 u32 sid = current_sid(); 6425 6426 isec = selinux_ipc(sma); 6427 ipc_init_security(isec, SECCLASS_SEM); 6428 6429 ad.type = LSM_AUDIT_DATA_IPC; 6430 ad.u.ipc_id = sma->key; 6431 6432 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6433 SEM__CREATE, &ad); 6434 } 6435 6436 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6437 { 6438 struct ipc_security_struct *isec; 6439 struct common_audit_data ad; 6440 u32 sid = current_sid(); 6441 6442 isec = selinux_ipc(sma); 6443 6444 ad.type = LSM_AUDIT_DATA_IPC; 6445 ad.u.ipc_id = sma->key; 6446 6447 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6448 SEM__ASSOCIATE, &ad); 6449 } 6450 6451 /* Note, at this point, sma is locked down */ 6452 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6453 { 6454 int err; 6455 u32 perms; 6456 6457 switch (cmd) { 6458 case IPC_INFO: 6459 case SEM_INFO: 6460 /* No specific object, just general system-wide information. */ 6461 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6462 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6463 case GETPID: 6464 case GETNCNT: 6465 case GETZCNT: 6466 perms = SEM__GETATTR; 6467 break; 6468 case GETVAL: 6469 case GETALL: 6470 perms = SEM__READ; 6471 break; 6472 case SETVAL: 6473 case SETALL: 6474 perms = SEM__WRITE; 6475 break; 6476 case IPC_RMID: 6477 perms = SEM__DESTROY; 6478 break; 6479 case IPC_SET: 6480 perms = SEM__SETATTR; 6481 break; 6482 case IPC_STAT: 6483 case SEM_STAT: 6484 case SEM_STAT_ANY: 6485 perms = SEM__GETATTR | SEM__ASSOCIATE; 6486 break; 6487 default: 6488 return 0; 6489 } 6490 6491 err = ipc_has_perm(sma, perms); 6492 return err; 6493 } 6494 6495 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6496 struct sembuf *sops, unsigned nsops, int alter) 6497 { 6498 u32 perms; 6499 6500 if (alter) 6501 perms = SEM__READ | SEM__WRITE; 6502 else 6503 perms = SEM__READ; 6504 6505 return ipc_has_perm(sma, perms); 6506 } 6507 6508 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6509 { 6510 u32 av = 0; 6511 6512 av = 0; 6513 if (flag & S_IRUGO) 6514 av |= IPC__UNIX_READ; 6515 if (flag & S_IWUGO) 6516 av |= IPC__UNIX_WRITE; 6517 6518 if (av == 0) 6519 return 0; 6520 6521 return ipc_has_perm(ipcp, av); 6522 } 6523 6524 static void selinux_ipc_getlsmprop(struct kern_ipc_perm *ipcp, 6525 struct lsm_prop *prop) 6526 { 6527 struct ipc_security_struct *isec = selinux_ipc(ipcp); 6528 prop->selinux.secid = isec->sid; 6529 } 6530 6531 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6532 { 6533 if (inode) 6534 inode_doinit_with_dentry(inode, dentry); 6535 } 6536 6537 static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p, 6538 char **value) 6539 { 6540 const struct task_security_struct *tsec; 6541 int error; 6542 u32 sid; 6543 u32 len; 6544 6545 rcu_read_lock(); 6546 tsec = selinux_cred(__task_cred(p)); 6547 if (p != current) { 6548 error = avc_has_perm(current_sid(), tsec->sid, 6549 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6550 if (error) 6551 goto err_unlock; 6552 } 6553 switch (attr) { 6554 case LSM_ATTR_CURRENT: 6555 sid = tsec->sid; 6556 break; 6557 case LSM_ATTR_PREV: 6558 sid = tsec->osid; 6559 break; 6560 case LSM_ATTR_EXEC: 6561 sid = tsec->exec_sid; 6562 break; 6563 case LSM_ATTR_FSCREATE: 6564 sid = tsec->create_sid; 6565 break; 6566 case LSM_ATTR_KEYCREATE: 6567 sid = tsec->keycreate_sid; 6568 break; 6569 case LSM_ATTR_SOCKCREATE: 6570 sid = tsec->sockcreate_sid; 6571 break; 6572 default: 6573 error = -EOPNOTSUPP; 6574 goto err_unlock; 6575 } 6576 rcu_read_unlock(); 6577 6578 if (sid == SECSID_NULL) { 6579 *value = NULL; 6580 return 0; 6581 } 6582 6583 error = security_sid_to_context(sid, value, &len); 6584 if (error) 6585 return error; 6586 return len; 6587 6588 err_unlock: 6589 rcu_read_unlock(); 6590 return error; 6591 } 6592 6593 static int selinux_lsm_setattr(u64 attr, void *value, size_t size) 6594 { 6595 struct task_security_struct *tsec; 6596 struct cred *new; 6597 u32 mysid = current_sid(), sid = 0, ptsid; 6598 int error; 6599 char *str = value; 6600 6601 /* 6602 * Basic control over ability to set these attributes at all. 6603 */ 6604 switch (attr) { 6605 case LSM_ATTR_EXEC: 6606 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6607 PROCESS__SETEXEC, NULL); 6608 break; 6609 case LSM_ATTR_FSCREATE: 6610 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6611 PROCESS__SETFSCREATE, NULL); 6612 break; 6613 case LSM_ATTR_KEYCREATE: 6614 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6615 PROCESS__SETKEYCREATE, NULL); 6616 break; 6617 case LSM_ATTR_SOCKCREATE: 6618 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6619 PROCESS__SETSOCKCREATE, NULL); 6620 break; 6621 case LSM_ATTR_CURRENT: 6622 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6623 PROCESS__SETCURRENT, NULL); 6624 break; 6625 default: 6626 error = -EOPNOTSUPP; 6627 break; 6628 } 6629 if (error) 6630 return error; 6631 6632 /* Obtain a SID for the context, if one was specified. */ 6633 if (size && str[0] && str[0] != '\n') { 6634 if (str[size-1] == '\n') { 6635 str[size-1] = 0; 6636 size--; 6637 } 6638 error = security_context_to_sid(value, size, 6639 &sid, GFP_KERNEL); 6640 if (error == -EINVAL && attr == LSM_ATTR_FSCREATE) { 6641 if (!has_cap_mac_admin(true)) { 6642 struct audit_buffer *ab; 6643 size_t audit_size; 6644 6645 /* We strip a nul only if it is at the end, 6646 * otherwise the context contains a nul and 6647 * we should audit that */ 6648 if (str[size - 1] == '\0') 6649 audit_size = size - 1; 6650 else 6651 audit_size = size; 6652 ab = audit_log_start(audit_context(), 6653 GFP_ATOMIC, 6654 AUDIT_SELINUX_ERR); 6655 if (!ab) 6656 return error; 6657 audit_log_format(ab, "op=fscreate invalid_context="); 6658 audit_log_n_untrustedstring(ab, value, 6659 audit_size); 6660 audit_log_end(ab); 6661 6662 return error; 6663 } 6664 error = security_context_to_sid_force(value, size, 6665 &sid); 6666 } 6667 if (error) 6668 return error; 6669 } 6670 6671 new = prepare_creds(); 6672 if (!new) 6673 return -ENOMEM; 6674 6675 /* Permission checking based on the specified context is 6676 performed during the actual operation (execve, 6677 open/mkdir/...), when we know the full context of the 6678 operation. See selinux_bprm_creds_for_exec for the execve 6679 checks and may_create for the file creation checks. The 6680 operation will then fail if the context is not permitted. */ 6681 tsec = selinux_cred(new); 6682 if (attr == LSM_ATTR_EXEC) { 6683 tsec->exec_sid = sid; 6684 } else if (attr == LSM_ATTR_FSCREATE) { 6685 tsec->create_sid = sid; 6686 } else if (attr == LSM_ATTR_KEYCREATE) { 6687 if (sid) { 6688 error = avc_has_perm(mysid, sid, 6689 SECCLASS_KEY, KEY__CREATE, NULL); 6690 if (error) 6691 goto abort_change; 6692 } 6693 tsec->keycreate_sid = sid; 6694 } else if (attr == LSM_ATTR_SOCKCREATE) { 6695 tsec->sockcreate_sid = sid; 6696 } else if (attr == LSM_ATTR_CURRENT) { 6697 error = -EINVAL; 6698 if (sid == 0) 6699 goto abort_change; 6700 6701 if (!current_is_single_threaded()) { 6702 error = security_bounded_transition(tsec->sid, sid); 6703 if (error) 6704 goto abort_change; 6705 } 6706 6707 /* Check permissions for the transition. */ 6708 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 6709 PROCESS__DYNTRANSITION, NULL); 6710 if (error) 6711 goto abort_change; 6712 6713 /* Check for ptracing, and update the task SID if ok. 6714 Otherwise, leave SID unchanged and fail. */ 6715 ptsid = ptrace_parent_sid(); 6716 if (ptsid != 0) { 6717 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 6718 PROCESS__PTRACE, NULL); 6719 if (error) 6720 goto abort_change; 6721 } 6722 6723 tsec->sid = sid; 6724 } else { 6725 error = -EINVAL; 6726 goto abort_change; 6727 } 6728 6729 commit_creds(new); 6730 return size; 6731 6732 abort_change: 6733 abort_creds(new); 6734 return error; 6735 } 6736 6737 /** 6738 * selinux_getselfattr - Get SELinux current task attributes 6739 * @attr: the requested attribute 6740 * @ctx: buffer to receive the result 6741 * @size: buffer size (input), buffer size used (output) 6742 * @flags: unused 6743 * 6744 * Fill the passed user space @ctx with the details of the requested 6745 * attribute. 6746 * 6747 * Returns the number of attributes on success, an error code otherwise. 6748 * There will only ever be one attribute. 6749 */ 6750 static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, 6751 u32 *size, u32 flags) 6752 { 6753 int rc; 6754 char *val = NULL; 6755 int val_len; 6756 6757 val_len = selinux_lsm_getattr(attr, current, &val); 6758 if (val_len < 0) 6759 return val_len; 6760 rc = lsm_fill_user_ctx(ctx, size, val, val_len, LSM_ID_SELINUX, 0); 6761 kfree(val); 6762 return (!rc ? 1 : rc); 6763 } 6764 6765 static int selinux_setselfattr(unsigned int attr, struct lsm_ctx *ctx, 6766 u32 size, u32 flags) 6767 { 6768 int rc; 6769 6770 rc = selinux_lsm_setattr(attr, ctx->ctx, ctx->ctx_len); 6771 if (rc > 0) 6772 return 0; 6773 return rc; 6774 } 6775 6776 static int selinux_getprocattr(struct task_struct *p, 6777 const char *name, char **value) 6778 { 6779 unsigned int attr = lsm_name_to_attr(name); 6780 int rc; 6781 6782 if (attr) { 6783 rc = selinux_lsm_getattr(attr, p, value); 6784 if (rc != -EOPNOTSUPP) 6785 return rc; 6786 } 6787 6788 return -EINVAL; 6789 } 6790 6791 static int selinux_setprocattr(const char *name, void *value, size_t size) 6792 { 6793 int attr = lsm_name_to_attr(name); 6794 6795 if (attr) 6796 return selinux_lsm_setattr(attr, value, size); 6797 return -EINVAL; 6798 } 6799 6800 static int selinux_ismaclabel(const char *name) 6801 { 6802 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6803 } 6804 6805 static int selinux_secid_to_secctx(u32 secid, struct lsm_context *cp) 6806 { 6807 u32 seclen; 6808 int ret; 6809 6810 if (cp) { 6811 cp->id = LSM_ID_SELINUX; 6812 ret = security_sid_to_context(secid, &cp->context, &cp->len); 6813 if (ret < 0) 6814 return ret; 6815 return cp->len; 6816 } 6817 ret = security_sid_to_context(secid, NULL, &seclen); 6818 if (ret < 0) 6819 return ret; 6820 return seclen; 6821 } 6822 6823 static int selinux_lsmprop_to_secctx(struct lsm_prop *prop, 6824 struct lsm_context *cp) 6825 { 6826 return selinux_secid_to_secctx(prop->selinux.secid, cp); 6827 } 6828 6829 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6830 { 6831 return security_context_to_sid(secdata, seclen, 6832 secid, GFP_KERNEL); 6833 } 6834 6835 static void selinux_release_secctx(struct lsm_context *cp) 6836 { 6837 if (cp->id == LSM_ID_SELINUX) { 6838 kfree(cp->context); 6839 cp->context = NULL; 6840 cp->id = LSM_ID_UNDEF; 6841 } 6842 } 6843 6844 static void selinux_inode_invalidate_secctx(struct inode *inode) 6845 { 6846 struct inode_security_struct *isec = selinux_inode(inode); 6847 6848 spin_lock(&isec->lock); 6849 isec->initialized = LABEL_INVALID; 6850 spin_unlock(&isec->lock); 6851 } 6852 6853 /* 6854 * called with inode->i_mutex locked 6855 */ 6856 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6857 { 6858 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, 6859 ctx, ctxlen, 0); 6860 /* Do not return error when suppressing label (SBLABEL_MNT not set). */ 6861 return rc == -EOPNOTSUPP ? 0 : rc; 6862 } 6863 6864 /* 6865 * called with inode->i_mutex locked 6866 */ 6867 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6868 { 6869 return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX, 6870 ctx, ctxlen, 0, NULL); 6871 } 6872 6873 static int selinux_inode_getsecctx(struct inode *inode, struct lsm_context *cp) 6874 { 6875 int len; 6876 len = selinux_inode_getsecurity(&nop_mnt_idmap, inode, 6877 XATTR_SELINUX_SUFFIX, 6878 (void **)&cp->context, true); 6879 if (len < 0) 6880 return len; 6881 cp->len = len; 6882 cp->id = LSM_ID_SELINUX; 6883 return 0; 6884 } 6885 #ifdef CONFIG_KEYS 6886 6887 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6888 unsigned long flags) 6889 { 6890 const struct task_security_struct *tsec; 6891 struct key_security_struct *ksec = selinux_key(k); 6892 6893 tsec = selinux_cred(cred); 6894 if (tsec->keycreate_sid) 6895 ksec->sid = tsec->keycreate_sid; 6896 else 6897 ksec->sid = tsec->sid; 6898 6899 return 0; 6900 } 6901 6902 static int selinux_key_permission(key_ref_t key_ref, 6903 const struct cred *cred, 6904 enum key_need_perm need_perm) 6905 { 6906 struct key *key; 6907 struct key_security_struct *ksec; 6908 u32 perm, sid; 6909 6910 switch (need_perm) { 6911 case KEY_NEED_VIEW: 6912 perm = KEY__VIEW; 6913 break; 6914 case KEY_NEED_READ: 6915 perm = KEY__READ; 6916 break; 6917 case KEY_NEED_WRITE: 6918 perm = KEY__WRITE; 6919 break; 6920 case KEY_NEED_SEARCH: 6921 perm = KEY__SEARCH; 6922 break; 6923 case KEY_NEED_LINK: 6924 perm = KEY__LINK; 6925 break; 6926 case KEY_NEED_SETATTR: 6927 perm = KEY__SETATTR; 6928 break; 6929 case KEY_NEED_UNLINK: 6930 case KEY_SYSADMIN_OVERRIDE: 6931 case KEY_AUTHTOKEN_OVERRIDE: 6932 case KEY_DEFER_PERM_CHECK: 6933 return 0; 6934 default: 6935 WARN_ON(1); 6936 return -EPERM; 6937 6938 } 6939 6940 sid = cred_sid(cred); 6941 key = key_ref_to_ptr(key_ref); 6942 ksec = selinux_key(key); 6943 6944 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6945 } 6946 6947 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6948 { 6949 struct key_security_struct *ksec = selinux_key(key); 6950 char *context = NULL; 6951 unsigned len; 6952 int rc; 6953 6954 rc = security_sid_to_context(ksec->sid, 6955 &context, &len); 6956 if (!rc) 6957 rc = len; 6958 *_buffer = context; 6959 return rc; 6960 } 6961 6962 #ifdef CONFIG_KEY_NOTIFICATIONS 6963 static int selinux_watch_key(struct key *key) 6964 { 6965 struct key_security_struct *ksec = selinux_key(key); 6966 u32 sid = current_sid(); 6967 6968 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL); 6969 } 6970 #endif 6971 #endif 6972 6973 #ifdef CONFIG_SECURITY_INFINIBAND 6974 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6975 { 6976 struct common_audit_data ad; 6977 int err; 6978 u32 sid = 0; 6979 struct ib_security_struct *sec = ib_sec; 6980 struct lsm_ibpkey_audit ibpkey; 6981 6982 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6983 if (err) 6984 return err; 6985 6986 ad.type = LSM_AUDIT_DATA_IBPKEY; 6987 ibpkey.subnet_prefix = subnet_prefix; 6988 ibpkey.pkey = pkey_val; 6989 ad.u.ibpkey = &ibpkey; 6990 return avc_has_perm(sec->sid, sid, 6991 SECCLASS_INFINIBAND_PKEY, 6992 INFINIBAND_PKEY__ACCESS, &ad); 6993 } 6994 6995 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6996 u8 port_num) 6997 { 6998 struct common_audit_data ad; 6999 int err; 7000 u32 sid = 0; 7001 struct ib_security_struct *sec = ib_sec; 7002 struct lsm_ibendport_audit ibendport; 7003 7004 err = security_ib_endport_sid(dev_name, port_num, 7005 &sid); 7006 7007 if (err) 7008 return err; 7009 7010 ad.type = LSM_AUDIT_DATA_IBENDPORT; 7011 ibendport.dev_name = dev_name; 7012 ibendport.port = port_num; 7013 ad.u.ibendport = &ibendport; 7014 return avc_has_perm(sec->sid, sid, 7015 SECCLASS_INFINIBAND_ENDPORT, 7016 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 7017 } 7018 7019 static int selinux_ib_alloc_security(void *ib_sec) 7020 { 7021 struct ib_security_struct *sec = selinux_ib(ib_sec); 7022 7023 sec->sid = current_sid(); 7024 return 0; 7025 } 7026 #endif 7027 7028 #ifdef CONFIG_BPF_SYSCALL 7029 static int selinux_bpf(int cmd, union bpf_attr *attr, 7030 unsigned int size, bool kernel) 7031 { 7032 u32 sid = current_sid(); 7033 int ret; 7034 7035 switch (cmd) { 7036 case BPF_MAP_CREATE: 7037 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 7038 NULL); 7039 break; 7040 case BPF_PROG_LOAD: 7041 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 7042 NULL); 7043 break; 7044 default: 7045 ret = 0; 7046 break; 7047 } 7048 7049 return ret; 7050 } 7051 7052 static u32 bpf_map_fmode_to_av(fmode_t fmode) 7053 { 7054 u32 av = 0; 7055 7056 if (fmode & FMODE_READ) 7057 av |= BPF__MAP_READ; 7058 if (fmode & FMODE_WRITE) 7059 av |= BPF__MAP_WRITE; 7060 return av; 7061 } 7062 7063 /* This function will check the file pass through unix socket or binder to see 7064 * if it is a bpf related object. And apply corresponding checks on the bpf 7065 * object based on the type. The bpf maps and programs, not like other files and 7066 * socket, are using a shared anonymous inode inside the kernel as their inode. 7067 * So checking that inode cannot identify if the process have privilege to 7068 * access the bpf object and that's why we have to add this additional check in 7069 * selinux_file_receive and selinux_binder_transfer_files. 7070 */ 7071 static int bpf_fd_pass(const struct file *file, u32 sid) 7072 { 7073 struct bpf_security_struct *bpfsec; 7074 struct bpf_prog *prog; 7075 struct bpf_map *map; 7076 int ret; 7077 7078 if (file->f_op == &bpf_map_fops) { 7079 map = file->private_data; 7080 bpfsec = map->security; 7081 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7082 bpf_map_fmode_to_av(file->f_mode), NULL); 7083 if (ret) 7084 return ret; 7085 } else if (file->f_op == &bpf_prog_fops) { 7086 prog = file->private_data; 7087 bpfsec = prog->aux->security; 7088 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7089 BPF__PROG_RUN, NULL); 7090 if (ret) 7091 return ret; 7092 } 7093 return 0; 7094 } 7095 7096 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 7097 { 7098 u32 sid = current_sid(); 7099 struct bpf_security_struct *bpfsec; 7100 7101 bpfsec = map->security; 7102 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7103 bpf_map_fmode_to_av(fmode), NULL); 7104 } 7105 7106 static int selinux_bpf_prog(struct bpf_prog *prog) 7107 { 7108 u32 sid = current_sid(); 7109 struct bpf_security_struct *bpfsec; 7110 7111 bpfsec = prog->aux->security; 7112 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7113 BPF__PROG_RUN, NULL); 7114 } 7115 7116 static int selinux_bpf_map_create(struct bpf_map *map, union bpf_attr *attr, 7117 struct bpf_token *token, bool kernel) 7118 { 7119 struct bpf_security_struct *bpfsec; 7120 7121 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 7122 if (!bpfsec) 7123 return -ENOMEM; 7124 7125 bpfsec->sid = current_sid(); 7126 map->security = bpfsec; 7127 7128 return 0; 7129 } 7130 7131 static void selinux_bpf_map_free(struct bpf_map *map) 7132 { 7133 struct bpf_security_struct *bpfsec = map->security; 7134 7135 map->security = NULL; 7136 kfree(bpfsec); 7137 } 7138 7139 static int selinux_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr, 7140 struct bpf_token *token, bool kernel) 7141 { 7142 struct bpf_security_struct *bpfsec; 7143 7144 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 7145 if (!bpfsec) 7146 return -ENOMEM; 7147 7148 bpfsec->sid = current_sid(); 7149 prog->aux->security = bpfsec; 7150 7151 return 0; 7152 } 7153 7154 static void selinux_bpf_prog_free(struct bpf_prog *prog) 7155 { 7156 struct bpf_security_struct *bpfsec = prog->aux->security; 7157 7158 prog->aux->security = NULL; 7159 kfree(bpfsec); 7160 } 7161 7162 static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *attr, 7163 const struct path *path) 7164 { 7165 struct bpf_security_struct *bpfsec; 7166 7167 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 7168 if (!bpfsec) 7169 return -ENOMEM; 7170 7171 bpfsec->sid = current_sid(); 7172 token->security = bpfsec; 7173 7174 return 0; 7175 } 7176 7177 static void selinux_bpf_token_free(struct bpf_token *token) 7178 { 7179 struct bpf_security_struct *bpfsec = token->security; 7180 7181 token->security = NULL; 7182 kfree(bpfsec); 7183 } 7184 #endif 7185 7186 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { 7187 .lbs_cred = sizeof(struct task_security_struct), 7188 .lbs_file = sizeof(struct file_security_struct), 7189 .lbs_inode = sizeof(struct inode_security_struct), 7190 .lbs_ipc = sizeof(struct ipc_security_struct), 7191 .lbs_key = sizeof(struct key_security_struct), 7192 .lbs_msg_msg = sizeof(struct msg_security_struct), 7193 #ifdef CONFIG_PERF_EVENTS 7194 .lbs_perf_event = sizeof(struct perf_event_security_struct), 7195 #endif 7196 .lbs_sock = sizeof(struct sk_security_struct), 7197 .lbs_superblock = sizeof(struct superblock_security_struct), 7198 .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, 7199 .lbs_tun_dev = sizeof(struct tun_security_struct), 7200 .lbs_ib = sizeof(struct ib_security_struct), 7201 }; 7202 7203 #ifdef CONFIG_PERF_EVENTS 7204 static int selinux_perf_event_open(int type) 7205 { 7206 u32 requested, sid = current_sid(); 7207 7208 if (type == PERF_SECURITY_OPEN) 7209 requested = PERF_EVENT__OPEN; 7210 else if (type == PERF_SECURITY_CPU) 7211 requested = PERF_EVENT__CPU; 7212 else if (type == PERF_SECURITY_KERNEL) 7213 requested = PERF_EVENT__KERNEL; 7214 else if (type == PERF_SECURITY_TRACEPOINT) 7215 requested = PERF_EVENT__TRACEPOINT; 7216 else 7217 return -EINVAL; 7218 7219 return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT, 7220 requested, NULL); 7221 } 7222 7223 static int selinux_perf_event_alloc(struct perf_event *event) 7224 { 7225 struct perf_event_security_struct *perfsec; 7226 7227 perfsec = selinux_perf_event(event->security); 7228 perfsec->sid = current_sid(); 7229 7230 return 0; 7231 } 7232 7233 static int selinux_perf_event_read(struct perf_event *event) 7234 { 7235 struct perf_event_security_struct *perfsec = event->security; 7236 u32 sid = current_sid(); 7237 7238 return avc_has_perm(sid, perfsec->sid, 7239 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL); 7240 } 7241 7242 static int selinux_perf_event_write(struct perf_event *event) 7243 { 7244 struct perf_event_security_struct *perfsec = event->security; 7245 u32 sid = current_sid(); 7246 7247 return avc_has_perm(sid, perfsec->sid, 7248 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL); 7249 } 7250 #endif 7251 7252 #ifdef CONFIG_IO_URING 7253 /** 7254 * selinux_uring_override_creds - check the requested cred override 7255 * @new: the target creds 7256 * 7257 * Check to see if the current task is allowed to override it's credentials 7258 * to service an io_uring operation. 7259 */ 7260 static int selinux_uring_override_creds(const struct cred *new) 7261 { 7262 return avc_has_perm(current_sid(), cred_sid(new), 7263 SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL); 7264 } 7265 7266 /** 7267 * selinux_uring_sqpoll - check if a io_uring polling thread can be created 7268 * 7269 * Check to see if the current task is allowed to create a new io_uring 7270 * kernel polling thread. 7271 */ 7272 static int selinux_uring_sqpoll(void) 7273 { 7274 u32 sid = current_sid(); 7275 7276 return avc_has_perm(sid, sid, 7277 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL); 7278 } 7279 7280 /** 7281 * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed 7282 * @ioucmd: the io_uring command structure 7283 * 7284 * Check to see if the current domain is allowed to execute an 7285 * IORING_OP_URING_CMD against the device/file specified in @ioucmd. 7286 * 7287 */ 7288 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) 7289 { 7290 struct file *file = ioucmd->file; 7291 struct inode *inode = file_inode(file); 7292 struct inode_security_struct *isec = selinux_inode(inode); 7293 struct common_audit_data ad; 7294 7295 ad.type = LSM_AUDIT_DATA_FILE; 7296 ad.u.file = file; 7297 7298 return avc_has_perm(current_sid(), isec->sid, 7299 SECCLASS_IO_URING, IO_URING__CMD, &ad); 7300 } 7301 7302 /** 7303 * selinux_uring_allowed - check if io_uring_setup() can be called 7304 * 7305 * Check to see if the current task is allowed to call io_uring_setup(). 7306 */ 7307 static int selinux_uring_allowed(void) 7308 { 7309 u32 sid = current_sid(); 7310 7311 return avc_has_perm(sid, sid, SECCLASS_IO_URING, IO_URING__ALLOWED, 7312 NULL); 7313 } 7314 #endif /* CONFIG_IO_URING */ 7315 7316 static const struct lsm_id selinux_lsmid = { 7317 .name = "selinux", 7318 .id = LSM_ID_SELINUX, 7319 }; 7320 7321 /* 7322 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: 7323 * 1. any hooks that don't belong to (2.) or (3.) below, 7324 * 2. hooks that both access structures allocated by other hooks, and allocate 7325 * structures that can be later accessed by other hooks (mostly "cloning" 7326 * hooks), 7327 * 3. hooks that only allocate structures that can be later accessed by other 7328 * hooks ("allocating" hooks). 7329 * 7330 * Please follow block comment delimiters in the list to keep this order. 7331 */ 7332 static struct security_hook_list selinux_hooks[] __ro_after_init = { 7333 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 7334 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 7335 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 7336 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 7337 7338 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 7339 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 7340 LSM_HOOK_INIT(capget, selinux_capget), 7341 LSM_HOOK_INIT(capset, selinux_capset), 7342 LSM_HOOK_INIT(capable, selinux_capable), 7343 LSM_HOOK_INIT(quotactl, selinux_quotactl), 7344 LSM_HOOK_INIT(quota_on, selinux_quota_on), 7345 LSM_HOOK_INIT(syslog, selinux_syslog), 7346 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 7347 7348 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 7349 7350 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec), 7351 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 7352 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 7353 7354 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), 7355 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat), 7356 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 7357 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 7358 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 7359 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 7360 LSM_HOOK_INIT(sb_mount, selinux_mount), 7361 LSM_HOOK_INIT(sb_umount, selinux_umount), 7362 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 7363 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 7364 7365 LSM_HOOK_INIT(move_mount, selinux_move_mount), 7366 7367 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 7368 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 7369 7370 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 7371 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 7372 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon), 7373 LSM_HOOK_INIT(inode_create, selinux_inode_create), 7374 LSM_HOOK_INIT(inode_link, selinux_inode_link), 7375 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 7376 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 7377 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 7378 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 7379 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 7380 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 7381 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 7382 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 7383 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 7384 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 7385 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 7386 LSM_HOOK_INIT(inode_xattr_skipcap, selinux_inode_xattr_skipcap), 7387 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 7388 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 7389 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 7390 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 7391 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 7392 LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl), 7393 LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl), 7394 LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl), 7395 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 7396 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 7397 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 7398 LSM_HOOK_INIT(inode_getlsmprop, selinux_inode_getlsmprop), 7399 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 7400 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 7401 LSM_HOOK_INIT(path_notify, selinux_path_notify), 7402 7403 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security), 7404 7405 LSM_HOOK_INIT(file_permission, selinux_file_permission), 7406 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 7407 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 7408 LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat), 7409 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 7410 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 7411 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 7412 LSM_HOOK_INIT(file_lock, selinux_file_lock), 7413 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 7414 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 7415 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 7416 LSM_HOOK_INIT(file_receive, selinux_file_receive), 7417 7418 LSM_HOOK_INIT(file_open, selinux_file_open), 7419 7420 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 7421 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 7422 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 7423 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 7424 LSM_HOOK_INIT(cred_getlsmprop, selinux_cred_getlsmprop), 7425 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 7426 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 7427 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 7428 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 7429 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 7430 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 7431 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 7432 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 7433 LSM_HOOK_INIT(current_getlsmprop_subj, selinux_current_getlsmprop_subj), 7434 LSM_HOOK_INIT(task_getlsmprop_obj, selinux_task_getlsmprop_obj), 7435 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 7436 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 7437 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 7438 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 7439 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 7440 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 7441 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 7442 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 7443 LSM_HOOK_INIT(task_kill, selinux_task_kill), 7444 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 7445 LSM_HOOK_INIT(userns_create, selinux_userns_create), 7446 7447 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 7448 LSM_HOOK_INIT(ipc_getlsmprop, selinux_ipc_getlsmprop), 7449 7450 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 7451 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 7452 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 7453 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 7454 7455 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 7456 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 7457 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 7458 7459 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 7460 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 7461 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 7462 7463 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 7464 7465 LSM_HOOK_INIT(getselfattr, selinux_getselfattr), 7466 LSM_HOOK_INIT(setselfattr, selinux_setselfattr), 7467 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 7468 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 7469 7470 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 7471 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 7472 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 7473 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 7474 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 7475 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 7476 7477 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 7478 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 7479 7480 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7481 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7482 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), 7483 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7484 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7485 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7486 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7487 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7488 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7489 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7490 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7491 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7492 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7493 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7494 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7495 LSM_HOOK_INIT(socket_getpeersec_stream, 7496 selinux_socket_getpeersec_stream), 7497 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7498 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7499 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7500 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7501 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7502 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7503 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7504 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7505 LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established), 7506 LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow), 7507 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7508 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7509 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7510 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7511 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7512 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7513 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7514 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7515 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7516 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7517 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7518 #ifdef CONFIG_SECURITY_INFINIBAND 7519 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7520 LSM_HOOK_INIT(ib_endport_manage_subnet, 7521 selinux_ib_endport_manage_subnet), 7522 #endif 7523 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7524 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7525 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7526 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7527 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7528 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7529 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7530 selinux_xfrm_state_pol_flow_match), 7531 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7532 #endif 7533 7534 #ifdef CONFIG_KEYS 7535 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7536 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7537 #ifdef CONFIG_KEY_NOTIFICATIONS 7538 LSM_HOOK_INIT(watch_key, selinux_watch_key), 7539 #endif 7540 #endif 7541 7542 #ifdef CONFIG_AUDIT 7543 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7544 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7545 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7546 #endif 7547 7548 #ifdef CONFIG_BPF_SYSCALL 7549 LSM_HOOK_INIT(bpf, selinux_bpf), 7550 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7551 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7552 LSM_HOOK_INIT(bpf_map_free, selinux_bpf_map_free), 7553 LSM_HOOK_INIT(bpf_prog_free, selinux_bpf_prog_free), 7554 LSM_HOOK_INIT(bpf_token_free, selinux_bpf_token_free), 7555 #endif 7556 7557 #ifdef CONFIG_PERF_EVENTS 7558 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open), 7559 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read), 7560 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write), 7561 #endif 7562 7563 #ifdef CONFIG_IO_URING 7564 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), 7565 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), 7566 LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd), 7567 LSM_HOOK_INIT(uring_allowed, selinux_uring_allowed), 7568 #endif 7569 7570 /* 7571 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE 7572 */ 7573 LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount), 7574 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 7575 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 7576 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 7577 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7578 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7579 #endif 7580 7581 /* 7582 * PUT "ALLOCATING" HOOKS HERE 7583 */ 7584 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 7585 LSM_HOOK_INIT(msg_queue_alloc_security, 7586 selinux_msg_queue_alloc_security), 7587 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 7588 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 7589 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 7590 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 7591 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 7592 LSM_HOOK_INIT(lsmprop_to_secctx, selinux_lsmprop_to_secctx), 7593 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 7594 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7595 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7596 #ifdef CONFIG_SECURITY_INFINIBAND 7597 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7598 #endif 7599 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7600 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7601 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7602 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7603 selinux_xfrm_state_alloc_acquire), 7604 #endif 7605 #ifdef CONFIG_KEYS 7606 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7607 #endif 7608 #ifdef CONFIG_AUDIT 7609 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7610 #endif 7611 #ifdef CONFIG_BPF_SYSCALL 7612 LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create), 7613 LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load), 7614 LSM_HOOK_INIT(bpf_token_create, selinux_bpf_token_create), 7615 #endif 7616 #ifdef CONFIG_PERF_EVENTS 7617 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), 7618 #endif 7619 }; 7620 7621 static __init int selinux_init(void) 7622 { 7623 pr_info("SELinux: Initializing.\n"); 7624 7625 memset(&selinux_state, 0, sizeof(selinux_state)); 7626 enforcing_set(selinux_enforcing_boot); 7627 selinux_avc_init(); 7628 mutex_init(&selinux_state.status_lock); 7629 mutex_init(&selinux_state.policy_mutex); 7630 7631 /* Set the security state for the initial task. */ 7632 cred_init_security(); 7633 7634 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7635 if (!default_noexec) 7636 pr_notice("SELinux: virtual memory is executable by default\n"); 7637 7638 avc_init(); 7639 7640 avtab_cache_init(); 7641 7642 ebitmap_cache_init(); 7643 7644 hashtab_cache_init(); 7645 7646 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), 7647 &selinux_lsmid); 7648 7649 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7650 panic("SELinux: Unable to register AVC netcache callback\n"); 7651 7652 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7653 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7654 7655 if (selinux_enforcing_boot) 7656 pr_debug("SELinux: Starting in enforcing mode\n"); 7657 else 7658 pr_debug("SELinux: Starting in permissive mode\n"); 7659 7660 fs_validate_description("selinux", selinux_fs_parameters); 7661 7662 return 0; 7663 } 7664 7665 static void delayed_superblock_init(struct super_block *sb, void *unused) 7666 { 7667 selinux_set_mnt_opts(sb, NULL, 0, NULL); 7668 } 7669 7670 void selinux_complete_init(void) 7671 { 7672 pr_debug("SELinux: Completing initialization.\n"); 7673 7674 /* Set up any superblocks initialized prior to the policy load. */ 7675 pr_debug("SELinux: Setting up existing superblocks.\n"); 7676 iterate_supers(delayed_superblock_init, NULL); 7677 } 7678 7679 /* SELinux requires early initialization in order to label 7680 all processes and objects when they are created. */ 7681 DEFINE_LSM(selinux) = { 7682 .name = "selinux", 7683 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 7684 .enabled = &selinux_enabled_boot, 7685 .blobs = &selinux_blob_sizes, 7686 .init = selinux_init, 7687 }; 7688 7689 #if defined(CONFIG_NETFILTER) 7690 static const struct nf_hook_ops selinux_nf_ops[] = { 7691 { 7692 .hook = selinux_ip_postroute, 7693 .pf = NFPROTO_IPV4, 7694 .hooknum = NF_INET_POST_ROUTING, 7695 .priority = NF_IP_PRI_SELINUX_LAST, 7696 }, 7697 { 7698 .hook = selinux_ip_forward, 7699 .pf = NFPROTO_IPV4, 7700 .hooknum = NF_INET_FORWARD, 7701 .priority = NF_IP_PRI_SELINUX_FIRST, 7702 }, 7703 { 7704 .hook = selinux_ip_output, 7705 .pf = NFPROTO_IPV4, 7706 .hooknum = NF_INET_LOCAL_OUT, 7707 .priority = NF_IP_PRI_SELINUX_FIRST, 7708 }, 7709 #if IS_ENABLED(CONFIG_IPV6) 7710 { 7711 .hook = selinux_ip_postroute, 7712 .pf = NFPROTO_IPV6, 7713 .hooknum = NF_INET_POST_ROUTING, 7714 .priority = NF_IP6_PRI_SELINUX_LAST, 7715 }, 7716 { 7717 .hook = selinux_ip_forward, 7718 .pf = NFPROTO_IPV6, 7719 .hooknum = NF_INET_FORWARD, 7720 .priority = NF_IP6_PRI_SELINUX_FIRST, 7721 }, 7722 { 7723 .hook = selinux_ip_output, 7724 .pf = NFPROTO_IPV6, 7725 .hooknum = NF_INET_LOCAL_OUT, 7726 .priority = NF_IP6_PRI_SELINUX_FIRST, 7727 }, 7728 #endif /* IPV6 */ 7729 }; 7730 7731 static int __net_init selinux_nf_register(struct net *net) 7732 { 7733 return nf_register_net_hooks(net, selinux_nf_ops, 7734 ARRAY_SIZE(selinux_nf_ops)); 7735 } 7736 7737 static void __net_exit selinux_nf_unregister(struct net *net) 7738 { 7739 nf_unregister_net_hooks(net, selinux_nf_ops, 7740 ARRAY_SIZE(selinux_nf_ops)); 7741 } 7742 7743 static struct pernet_operations selinux_net_ops = { 7744 .init = selinux_nf_register, 7745 .exit = selinux_nf_unregister, 7746 }; 7747 7748 static int __init selinux_nf_ip_init(void) 7749 { 7750 int err; 7751 7752 if (!selinux_enabled_boot) 7753 return 0; 7754 7755 pr_debug("SELinux: Registering netfilter hooks\n"); 7756 7757 err = register_pernet_subsys(&selinux_net_ops); 7758 if (err) 7759 panic("SELinux: register_pernet_subsys: error %d\n", err); 7760 7761 return 0; 7762 } 7763 __initcall(selinux_nf_ip_init); 7764 #endif /* CONFIG_NETFILTER */ 7765