1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * NSA Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 8 * Chris Vance, <cvance@nai.com> 9 * Wayne Salamon, <wsalamon@nai.com> 10 * James Morris <jmorris@redhat.com> 11 * 12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 14 * Eric Paris <eparis@redhat.com> 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 16 * <dgoeddel@trustedcs.com> 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 18 * Paul Moore <paul@paul-moore.com> 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 20 * Yuichi Nakamura <ynakam@hitachisoft.jp> 21 * Copyright (C) 2016 Mellanox Technologies 22 */ 23 24 #include <linux/init.h> 25 #include <linux/kd.h> 26 #include <linux/kernel.h> 27 #include <linux/kernel_read_file.h> 28 #include <linux/errno.h> 29 #include <linux/sched/signal.h> 30 #include <linux/sched/task.h> 31 #include <linux/lsm_hooks.h> 32 #include <linux/xattr.h> 33 #include <linux/capability.h> 34 #include <linux/unistd.h> 35 #include <linux/mm.h> 36 #include <linux/mman.h> 37 #include <linux/slab.h> 38 #include <linux/pagemap.h> 39 #include <linux/proc_fs.h> 40 #include <linux/swap.h> 41 #include <linux/spinlock.h> 42 #include <linux/syscalls.h> 43 #include <linux/dcache.h> 44 #include <linux/file.h> 45 #include <linux/fdtable.h> 46 #include <linux/namei.h> 47 #include <linux/mount.h> 48 #include <linux/fs_context.h> 49 #include <linux/fs_parser.h> 50 #include <linux/netfilter_ipv4.h> 51 #include <linux/netfilter_ipv6.h> 52 #include <linux/tty.h> 53 #include <net/icmp.h> 54 #include <net/ip.h> /* for local_port_range[] */ 55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 56 #include <net/inet_connection_sock.h> 57 #include <net/net_namespace.h> 58 #include <net/netlabel.h> 59 #include <linux/uaccess.h> 60 #include <asm/ioctls.h> 61 #include <linux/atomic.h> 62 #include <linux/bitops.h> 63 #include <linux/interrupt.h> 64 #include <linux/netdevice.h> /* for network interface checks */ 65 #include <net/netlink.h> 66 #include <linux/tcp.h> 67 #include <linux/udp.h> 68 #include <linux/dccp.h> 69 #include <linux/sctp.h> 70 #include <net/sctp/structs.h> 71 #include <linux/quota.h> 72 #include <linux/un.h> /* for Unix socket types */ 73 #include <net/af_unix.h> /* for Unix socket types */ 74 #include <linux/parser.h> 75 #include <linux/nfs_mount.h> 76 #include <net/ipv6.h> 77 #include <linux/hugetlb.h> 78 #include <linux/personality.h> 79 #include <linux/audit.h> 80 #include <linux/string.h> 81 #include <linux/mutex.h> 82 #include <linux/posix-timers.h> 83 #include <linux/syslog.h> 84 #include <linux/user_namespace.h> 85 #include <linux/export.h> 86 #include <linux/msg.h> 87 #include <linux/shm.h> 88 #include <linux/bpf.h> 89 #include <linux/kernfs.h> 90 #include <linux/stringhash.h> /* for hashlen_string() */ 91 #include <uapi/linux/mount.h> 92 #include <linux/fsnotify.h> 93 #include <linux/fanotify.h> 94 #include <linux/io_uring.h> 95 96 #include "avc.h" 97 #include "objsec.h" 98 #include "netif.h" 99 #include "netnode.h" 100 #include "netport.h" 101 #include "ibpkey.h" 102 #include "xfrm.h" 103 #include "netlabel.h" 104 #include "audit.h" 105 #include "avc_ss.h" 106 107 struct selinux_state selinux_state; 108 109 /* SECMARK reference count */ 110 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 111 112 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 113 static int selinux_enforcing_boot __initdata; 114 115 static int __init enforcing_setup(char *str) 116 { 117 unsigned long enforcing; 118 if (!kstrtoul(str, 0, &enforcing)) 119 selinux_enforcing_boot = enforcing ? 1 : 0; 120 return 1; 121 } 122 __setup("enforcing=", enforcing_setup); 123 #else 124 #define selinux_enforcing_boot 1 125 #endif 126 127 int selinux_enabled_boot __initdata = 1; 128 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 129 static int __init selinux_enabled_setup(char *str) 130 { 131 unsigned long enabled; 132 if (!kstrtoul(str, 0, &enabled)) 133 selinux_enabled_boot = enabled ? 1 : 0; 134 return 1; 135 } 136 __setup("selinux=", selinux_enabled_setup); 137 #endif 138 139 static int __init checkreqprot_setup(char *str) 140 { 141 unsigned long checkreqprot; 142 143 if (!kstrtoul(str, 0, &checkreqprot)) { 144 if (checkreqprot) 145 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is no longer supported.\n"); 146 } 147 return 1; 148 } 149 __setup("checkreqprot=", checkreqprot_setup); 150 151 /** 152 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 153 * 154 * Description: 155 * This function checks the SECMARK reference counter to see if any SECMARK 156 * targets are currently configured, if the reference counter is greater than 157 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 158 * enabled, false (0) if SECMARK is disabled. If the always_check_network 159 * policy capability is enabled, SECMARK is always considered enabled. 160 * 161 */ 162 static int selinux_secmark_enabled(void) 163 { 164 return (selinux_policycap_alwaysnetwork() || 165 atomic_read(&selinux_secmark_refcount)); 166 } 167 168 /** 169 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 170 * 171 * Description: 172 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 173 * (1) if any are enabled or false (0) if neither are enabled. If the 174 * always_check_network policy capability is enabled, peer labeling 175 * is always considered enabled. 176 * 177 */ 178 static int selinux_peerlbl_enabled(void) 179 { 180 return (selinux_policycap_alwaysnetwork() || 181 netlbl_enabled() || selinux_xfrm_enabled()); 182 } 183 184 static int selinux_netcache_avc_callback(u32 event) 185 { 186 if (event == AVC_CALLBACK_RESET) { 187 sel_netif_flush(); 188 sel_netnode_flush(); 189 sel_netport_flush(); 190 synchronize_net(); 191 } 192 return 0; 193 } 194 195 static int selinux_lsm_notifier_avc_callback(u32 event) 196 { 197 if (event == AVC_CALLBACK_RESET) { 198 sel_ib_pkey_flush(); 199 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); 200 } 201 202 return 0; 203 } 204 205 /* 206 * initialise the security for the init task 207 */ 208 static void cred_init_security(void) 209 { 210 struct task_security_struct *tsec; 211 212 tsec = selinux_cred(unrcu_pointer(current->real_cred)); 213 tsec->osid = tsec->sid = SECINITSID_KERNEL; 214 } 215 216 /* 217 * get the security ID of a set of credentials 218 */ 219 static inline u32 cred_sid(const struct cred *cred) 220 { 221 const struct task_security_struct *tsec; 222 223 tsec = selinux_cred(cred); 224 return tsec->sid; 225 } 226 227 /* 228 * get the objective security ID of a task 229 */ 230 static inline u32 task_sid_obj(const struct task_struct *task) 231 { 232 u32 sid; 233 234 rcu_read_lock(); 235 sid = cred_sid(__task_cred(task)); 236 rcu_read_unlock(); 237 return sid; 238 } 239 240 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 241 242 /* 243 * Try reloading inode security labels that have been marked as invalid. The 244 * @may_sleep parameter indicates when sleeping and thus reloading labels is 245 * allowed; when set to false, returns -ECHILD when the label is 246 * invalid. The @dentry parameter should be set to a dentry of the inode. 247 */ 248 static int __inode_security_revalidate(struct inode *inode, 249 struct dentry *dentry, 250 bool may_sleep) 251 { 252 struct inode_security_struct *isec = selinux_inode(inode); 253 254 might_sleep_if(may_sleep); 255 256 if (selinux_initialized() && 257 isec->initialized != LABEL_INITIALIZED) { 258 if (!may_sleep) 259 return -ECHILD; 260 261 /* 262 * Try reloading the inode security label. This will fail if 263 * @opt_dentry is NULL and no dentry for this inode can be 264 * found; in that case, continue using the old label. 265 */ 266 inode_doinit_with_dentry(inode, dentry); 267 } 268 return 0; 269 } 270 271 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 272 { 273 return selinux_inode(inode); 274 } 275 276 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 277 { 278 int error; 279 280 error = __inode_security_revalidate(inode, NULL, !rcu); 281 if (error) 282 return ERR_PTR(error); 283 return selinux_inode(inode); 284 } 285 286 /* 287 * Get the security label of an inode. 288 */ 289 static struct inode_security_struct *inode_security(struct inode *inode) 290 { 291 __inode_security_revalidate(inode, NULL, true); 292 return selinux_inode(inode); 293 } 294 295 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 296 { 297 struct inode *inode = d_backing_inode(dentry); 298 299 return selinux_inode(inode); 300 } 301 302 /* 303 * Get the security label of a dentry's backing inode. 304 */ 305 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 306 { 307 struct inode *inode = d_backing_inode(dentry); 308 309 __inode_security_revalidate(inode, dentry, true); 310 return selinux_inode(inode); 311 } 312 313 static void inode_free_security(struct inode *inode) 314 { 315 struct inode_security_struct *isec = selinux_inode(inode); 316 struct superblock_security_struct *sbsec; 317 318 if (!isec) 319 return; 320 sbsec = selinux_superblock(inode->i_sb); 321 /* 322 * As not all inode security structures are in a list, we check for 323 * empty list outside of the lock to make sure that we won't waste 324 * time taking a lock doing nothing. 325 * 326 * The list_del_init() function can be safely called more than once. 327 * It should not be possible for this function to be called with 328 * concurrent list_add(), but for better safety against future changes 329 * in the code, we use list_empty_careful() here. 330 */ 331 if (!list_empty_careful(&isec->list)) { 332 spin_lock(&sbsec->isec_lock); 333 list_del_init(&isec->list); 334 spin_unlock(&sbsec->isec_lock); 335 } 336 } 337 338 struct selinux_mnt_opts { 339 u32 fscontext_sid; 340 u32 context_sid; 341 u32 rootcontext_sid; 342 u32 defcontext_sid; 343 }; 344 345 static void selinux_free_mnt_opts(void *mnt_opts) 346 { 347 kfree(mnt_opts); 348 } 349 350 enum { 351 Opt_error = -1, 352 Opt_context = 0, 353 Opt_defcontext = 1, 354 Opt_fscontext = 2, 355 Opt_rootcontext = 3, 356 Opt_seclabel = 4, 357 }; 358 359 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} 360 static const struct { 361 const char *name; 362 int len; 363 int opt; 364 bool has_arg; 365 } tokens[] = { 366 A(context, true), 367 A(fscontext, true), 368 A(defcontext, true), 369 A(rootcontext, true), 370 A(seclabel, false), 371 }; 372 #undef A 373 374 static int match_opt_prefix(char *s, int l, char **arg) 375 { 376 int i; 377 378 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 379 size_t len = tokens[i].len; 380 if (len > l || memcmp(s, tokens[i].name, len)) 381 continue; 382 if (tokens[i].has_arg) { 383 if (len == l || s[len] != '=') 384 continue; 385 *arg = s + len + 1; 386 } else if (len != l) 387 continue; 388 return tokens[i].opt; 389 } 390 return Opt_error; 391 } 392 393 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 394 395 static int may_context_mount_sb_relabel(u32 sid, 396 struct superblock_security_struct *sbsec, 397 const struct cred *cred) 398 { 399 const struct task_security_struct *tsec = selinux_cred(cred); 400 int rc; 401 402 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 403 FILESYSTEM__RELABELFROM, NULL); 404 if (rc) 405 return rc; 406 407 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 408 FILESYSTEM__RELABELTO, NULL); 409 return rc; 410 } 411 412 static int may_context_mount_inode_relabel(u32 sid, 413 struct superblock_security_struct *sbsec, 414 const struct cred *cred) 415 { 416 const struct task_security_struct *tsec = selinux_cred(cred); 417 int rc; 418 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 419 FILESYSTEM__RELABELFROM, NULL); 420 if (rc) 421 return rc; 422 423 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 424 FILESYSTEM__ASSOCIATE, NULL); 425 return rc; 426 } 427 428 static int selinux_is_genfs_special_handling(struct super_block *sb) 429 { 430 /* Special handling. Genfs but also in-core setxattr handler */ 431 return !strcmp(sb->s_type->name, "sysfs") || 432 !strcmp(sb->s_type->name, "pstore") || 433 !strcmp(sb->s_type->name, "debugfs") || 434 !strcmp(sb->s_type->name, "tracefs") || 435 !strcmp(sb->s_type->name, "rootfs") || 436 (selinux_policycap_cgroupseclabel() && 437 (!strcmp(sb->s_type->name, "cgroup") || 438 !strcmp(sb->s_type->name, "cgroup2"))); 439 } 440 441 static int selinux_is_sblabel_mnt(struct super_block *sb) 442 { 443 struct superblock_security_struct *sbsec = selinux_superblock(sb); 444 445 /* 446 * IMPORTANT: Double-check logic in this function when adding a new 447 * SECURITY_FS_USE_* definition! 448 */ 449 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); 450 451 switch (sbsec->behavior) { 452 case SECURITY_FS_USE_XATTR: 453 case SECURITY_FS_USE_TRANS: 454 case SECURITY_FS_USE_TASK: 455 case SECURITY_FS_USE_NATIVE: 456 return 1; 457 458 case SECURITY_FS_USE_GENFS: 459 return selinux_is_genfs_special_handling(sb); 460 461 /* Never allow relabeling on context mounts */ 462 case SECURITY_FS_USE_MNTPOINT: 463 case SECURITY_FS_USE_NONE: 464 default: 465 return 0; 466 } 467 } 468 469 static int sb_check_xattr_support(struct super_block *sb) 470 { 471 struct superblock_security_struct *sbsec = selinux_superblock(sb); 472 struct dentry *root = sb->s_root; 473 struct inode *root_inode = d_backing_inode(root); 474 u32 sid; 475 int rc; 476 477 /* 478 * Make sure that the xattr handler exists and that no 479 * error other than -ENODATA is returned by getxattr on 480 * the root directory. -ENODATA is ok, as this may be 481 * the first boot of the SELinux kernel before we have 482 * assigned xattr values to the filesystem. 483 */ 484 if (!(root_inode->i_opflags & IOP_XATTR)) { 485 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n", 486 sb->s_id, sb->s_type->name); 487 goto fallback; 488 } 489 490 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 491 if (rc < 0 && rc != -ENODATA) { 492 if (rc == -EOPNOTSUPP) { 493 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n", 494 sb->s_id, sb->s_type->name); 495 goto fallback; 496 } else { 497 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n", 498 sb->s_id, sb->s_type->name, -rc); 499 return rc; 500 } 501 } 502 return 0; 503 504 fallback: 505 /* No xattr support - try to fallback to genfs if possible. */ 506 rc = security_genfs_sid(sb->s_type->name, "/", 507 SECCLASS_DIR, &sid); 508 if (rc) 509 return -EOPNOTSUPP; 510 511 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n", 512 sb->s_id, sb->s_type->name); 513 sbsec->behavior = SECURITY_FS_USE_GENFS; 514 sbsec->sid = sid; 515 return 0; 516 } 517 518 static int sb_finish_set_opts(struct super_block *sb) 519 { 520 struct superblock_security_struct *sbsec = selinux_superblock(sb); 521 struct dentry *root = sb->s_root; 522 struct inode *root_inode = d_backing_inode(root); 523 int rc = 0; 524 525 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 526 rc = sb_check_xattr_support(sb); 527 if (rc) 528 return rc; 529 } 530 531 sbsec->flags |= SE_SBINITIALIZED; 532 533 /* 534 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 535 * leave the flag untouched because sb_clone_mnt_opts might be handing 536 * us a superblock that needs the flag to be cleared. 537 */ 538 if (selinux_is_sblabel_mnt(sb)) 539 sbsec->flags |= SBLABEL_MNT; 540 else 541 sbsec->flags &= ~SBLABEL_MNT; 542 543 /* Initialize the root inode. */ 544 rc = inode_doinit_with_dentry(root_inode, root); 545 546 /* Initialize any other inodes associated with the superblock, e.g. 547 inodes created prior to initial policy load or inodes created 548 during get_sb by a pseudo filesystem that directly 549 populates itself. */ 550 spin_lock(&sbsec->isec_lock); 551 while (!list_empty(&sbsec->isec_head)) { 552 struct inode_security_struct *isec = 553 list_first_entry(&sbsec->isec_head, 554 struct inode_security_struct, list); 555 struct inode *inode = isec->inode; 556 list_del_init(&isec->list); 557 spin_unlock(&sbsec->isec_lock); 558 inode = igrab(inode); 559 if (inode) { 560 if (!IS_PRIVATE(inode)) 561 inode_doinit_with_dentry(inode, NULL); 562 iput(inode); 563 } 564 spin_lock(&sbsec->isec_lock); 565 } 566 spin_unlock(&sbsec->isec_lock); 567 return rc; 568 } 569 570 static int bad_option(struct superblock_security_struct *sbsec, char flag, 571 u32 old_sid, u32 new_sid) 572 { 573 char mnt_flags = sbsec->flags & SE_MNTMASK; 574 575 /* check if the old mount command had the same options */ 576 if (sbsec->flags & SE_SBINITIALIZED) 577 if (!(sbsec->flags & flag) || 578 (old_sid != new_sid)) 579 return 1; 580 581 /* check if we were passed the same options twice, 582 * aka someone passed context=a,context=b 583 */ 584 if (!(sbsec->flags & SE_SBINITIALIZED)) 585 if (mnt_flags & flag) 586 return 1; 587 return 0; 588 } 589 590 /* 591 * Allow filesystems with binary mount data to explicitly set mount point 592 * labeling information. 593 */ 594 static int selinux_set_mnt_opts(struct super_block *sb, 595 void *mnt_opts, 596 unsigned long kern_flags, 597 unsigned long *set_kern_flags) 598 { 599 const struct cred *cred = current_cred(); 600 struct superblock_security_struct *sbsec = selinux_superblock(sb); 601 struct dentry *root = sb->s_root; 602 struct selinux_mnt_opts *opts = mnt_opts; 603 struct inode_security_struct *root_isec; 604 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 605 u32 defcontext_sid = 0; 606 int rc = 0; 607 608 /* 609 * Specifying internal flags without providing a place to 610 * place the results is not allowed 611 */ 612 if (kern_flags && !set_kern_flags) 613 return -EINVAL; 614 615 mutex_lock(&sbsec->lock); 616 617 if (!selinux_initialized()) { 618 if (!opts) { 619 /* Defer initialization until selinux_complete_init, 620 after the initial policy is loaded and the security 621 server is ready to handle calls. */ 622 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) { 623 sbsec->flags |= SE_SBNATIVE; 624 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 625 } 626 goto out; 627 } 628 rc = -EINVAL; 629 pr_warn("SELinux: Unable to set superblock options " 630 "before the security server is initialized\n"); 631 goto out; 632 } 633 634 /* 635 * Binary mount data FS will come through this function twice. Once 636 * from an explicit call and once from the generic calls from the vfs. 637 * Since the generic VFS calls will not contain any security mount data 638 * we need to skip the double mount verification. 639 * 640 * This does open a hole in which we will not notice if the first 641 * mount using this sb set explicit options and a second mount using 642 * this sb does not set any security options. (The first options 643 * will be used for both mounts) 644 */ 645 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 646 && !opts) 647 goto out; 648 649 root_isec = backing_inode_security_novalidate(root); 650 651 /* 652 * parse the mount options, check if they are valid sids. 653 * also check if someone is trying to mount the same sb more 654 * than once with different security options. 655 */ 656 if (opts) { 657 if (opts->fscontext_sid) { 658 fscontext_sid = opts->fscontext_sid; 659 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 660 fscontext_sid)) 661 goto out_double_mount; 662 sbsec->flags |= FSCONTEXT_MNT; 663 } 664 if (opts->context_sid) { 665 context_sid = opts->context_sid; 666 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 667 context_sid)) 668 goto out_double_mount; 669 sbsec->flags |= CONTEXT_MNT; 670 } 671 if (opts->rootcontext_sid) { 672 rootcontext_sid = opts->rootcontext_sid; 673 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 674 rootcontext_sid)) 675 goto out_double_mount; 676 sbsec->flags |= ROOTCONTEXT_MNT; 677 } 678 if (opts->defcontext_sid) { 679 defcontext_sid = opts->defcontext_sid; 680 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 681 defcontext_sid)) 682 goto out_double_mount; 683 sbsec->flags |= DEFCONTEXT_MNT; 684 } 685 } 686 687 if (sbsec->flags & SE_SBINITIALIZED) { 688 /* previously mounted with options, but not on this attempt? */ 689 if ((sbsec->flags & SE_MNTMASK) && !opts) 690 goto out_double_mount; 691 rc = 0; 692 goto out; 693 } 694 695 if (strcmp(sb->s_type->name, "proc") == 0) 696 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 697 698 if (!strcmp(sb->s_type->name, "debugfs") || 699 !strcmp(sb->s_type->name, "tracefs") || 700 !strcmp(sb->s_type->name, "binder") || 701 !strcmp(sb->s_type->name, "bpf") || 702 !strcmp(sb->s_type->name, "pstore") || 703 !strcmp(sb->s_type->name, "securityfs")) 704 sbsec->flags |= SE_SBGENFS; 705 706 if (!strcmp(sb->s_type->name, "sysfs") || 707 !strcmp(sb->s_type->name, "cgroup") || 708 !strcmp(sb->s_type->name, "cgroup2")) 709 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR; 710 711 if (!sbsec->behavior) { 712 /* 713 * Determine the labeling behavior to use for this 714 * filesystem type. 715 */ 716 rc = security_fs_use(sb); 717 if (rc) { 718 pr_warn("%s: security_fs_use(%s) returned %d\n", 719 __func__, sb->s_type->name, rc); 720 goto out; 721 } 722 } 723 724 /* 725 * If this is a user namespace mount and the filesystem type is not 726 * explicitly whitelisted, then no contexts are allowed on the command 727 * line and security labels must be ignored. 728 */ 729 if (sb->s_user_ns != &init_user_ns && 730 strcmp(sb->s_type->name, "tmpfs") && 731 strcmp(sb->s_type->name, "ramfs") && 732 strcmp(sb->s_type->name, "devpts") && 733 strcmp(sb->s_type->name, "overlay")) { 734 if (context_sid || fscontext_sid || rootcontext_sid || 735 defcontext_sid) { 736 rc = -EACCES; 737 goto out; 738 } 739 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 740 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 741 rc = security_transition_sid(current_sid(), 742 current_sid(), 743 SECCLASS_FILE, NULL, 744 &sbsec->mntpoint_sid); 745 if (rc) 746 goto out; 747 } 748 goto out_set_opts; 749 } 750 751 /* sets the context of the superblock for the fs being mounted. */ 752 if (fscontext_sid) { 753 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 754 if (rc) 755 goto out; 756 757 sbsec->sid = fscontext_sid; 758 } 759 760 /* 761 * Switch to using mount point labeling behavior. 762 * sets the label used on all file below the mountpoint, and will set 763 * the superblock context if not already set. 764 */ 765 if (sbsec->flags & SE_SBNATIVE) { 766 /* 767 * This means we are initializing a superblock that has been 768 * mounted before the SELinux was initialized and the 769 * filesystem requested native labeling. We had already 770 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags 771 * in the original mount attempt, so now we just need to set 772 * the SECURITY_FS_USE_NATIVE behavior. 773 */ 774 sbsec->behavior = SECURITY_FS_USE_NATIVE; 775 } else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 776 sbsec->behavior = SECURITY_FS_USE_NATIVE; 777 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 778 } 779 780 if (context_sid) { 781 if (!fscontext_sid) { 782 rc = may_context_mount_sb_relabel(context_sid, sbsec, 783 cred); 784 if (rc) 785 goto out; 786 sbsec->sid = context_sid; 787 } else { 788 rc = may_context_mount_inode_relabel(context_sid, sbsec, 789 cred); 790 if (rc) 791 goto out; 792 } 793 if (!rootcontext_sid) 794 rootcontext_sid = context_sid; 795 796 sbsec->mntpoint_sid = context_sid; 797 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 798 } 799 800 if (rootcontext_sid) { 801 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 802 cred); 803 if (rc) 804 goto out; 805 806 root_isec->sid = rootcontext_sid; 807 root_isec->initialized = LABEL_INITIALIZED; 808 } 809 810 if (defcontext_sid) { 811 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 812 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 813 rc = -EINVAL; 814 pr_warn("SELinux: defcontext option is " 815 "invalid for this filesystem type\n"); 816 goto out; 817 } 818 819 if (defcontext_sid != sbsec->def_sid) { 820 rc = may_context_mount_inode_relabel(defcontext_sid, 821 sbsec, cred); 822 if (rc) 823 goto out; 824 } 825 826 sbsec->def_sid = defcontext_sid; 827 } 828 829 out_set_opts: 830 rc = sb_finish_set_opts(sb); 831 out: 832 mutex_unlock(&sbsec->lock); 833 return rc; 834 out_double_mount: 835 rc = -EINVAL; 836 pr_warn("SELinux: mount invalid. Same superblock, different " 837 "security settings for (dev %s, type %s)\n", sb->s_id, 838 sb->s_type->name); 839 goto out; 840 } 841 842 static int selinux_cmp_sb_context(const struct super_block *oldsb, 843 const struct super_block *newsb) 844 { 845 struct superblock_security_struct *old = selinux_superblock(oldsb); 846 struct superblock_security_struct *new = selinux_superblock(newsb); 847 char oldflags = old->flags & SE_MNTMASK; 848 char newflags = new->flags & SE_MNTMASK; 849 850 if (oldflags != newflags) 851 goto mismatch; 852 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 853 goto mismatch; 854 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 855 goto mismatch; 856 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 857 goto mismatch; 858 if (oldflags & ROOTCONTEXT_MNT) { 859 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 860 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 861 if (oldroot->sid != newroot->sid) 862 goto mismatch; 863 } 864 return 0; 865 mismatch: 866 pr_warn("SELinux: mount invalid. Same superblock, " 867 "different security settings for (dev %s, " 868 "type %s)\n", newsb->s_id, newsb->s_type->name); 869 return -EBUSY; 870 } 871 872 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 873 struct super_block *newsb, 874 unsigned long kern_flags, 875 unsigned long *set_kern_flags) 876 { 877 int rc = 0; 878 const struct superblock_security_struct *oldsbsec = 879 selinux_superblock(oldsb); 880 struct superblock_security_struct *newsbsec = selinux_superblock(newsb); 881 882 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 883 int set_context = (oldsbsec->flags & CONTEXT_MNT); 884 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 885 886 /* 887 * Specifying internal flags without providing a place to 888 * place the results is not allowed. 889 */ 890 if (kern_flags && !set_kern_flags) 891 return -EINVAL; 892 893 mutex_lock(&newsbsec->lock); 894 895 /* 896 * if the parent was able to be mounted it clearly had no special lsm 897 * mount options. thus we can safely deal with this superblock later 898 */ 899 if (!selinux_initialized()) { 900 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) { 901 newsbsec->flags |= SE_SBNATIVE; 902 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 903 } 904 goto out; 905 } 906 907 /* how can we clone if the old one wasn't set up?? */ 908 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 909 910 /* if fs is reusing a sb, make sure that the contexts match */ 911 if (newsbsec->flags & SE_SBINITIALIZED) { 912 mutex_unlock(&newsbsec->lock); 913 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) 914 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 915 return selinux_cmp_sb_context(oldsb, newsb); 916 } 917 918 newsbsec->flags = oldsbsec->flags; 919 920 newsbsec->sid = oldsbsec->sid; 921 newsbsec->def_sid = oldsbsec->def_sid; 922 newsbsec->behavior = oldsbsec->behavior; 923 924 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 925 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 926 rc = security_fs_use(newsb); 927 if (rc) 928 goto out; 929 } 930 931 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 932 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 933 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 934 } 935 936 if (set_context) { 937 u32 sid = oldsbsec->mntpoint_sid; 938 939 if (!set_fscontext) 940 newsbsec->sid = sid; 941 if (!set_rootcontext) { 942 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 943 newisec->sid = sid; 944 } 945 newsbsec->mntpoint_sid = sid; 946 } 947 if (set_rootcontext) { 948 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 949 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 950 951 newisec->sid = oldisec->sid; 952 } 953 954 sb_finish_set_opts(newsb); 955 out: 956 mutex_unlock(&newsbsec->lock); 957 return rc; 958 } 959 960 /* 961 * NOTE: the caller is responsible for freeing the memory even if on error. 962 */ 963 static int selinux_add_opt(int token, const char *s, void **mnt_opts) 964 { 965 struct selinux_mnt_opts *opts = *mnt_opts; 966 u32 *dst_sid; 967 int rc; 968 969 if (token == Opt_seclabel) 970 /* eaten and completely ignored */ 971 return 0; 972 if (!s) 973 return -EINVAL; 974 975 if (!selinux_initialized()) { 976 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n"); 977 return -EINVAL; 978 } 979 980 if (!opts) { 981 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 982 if (!opts) 983 return -ENOMEM; 984 *mnt_opts = opts; 985 } 986 987 switch (token) { 988 case Opt_context: 989 if (opts->context_sid || opts->defcontext_sid) 990 goto err; 991 dst_sid = &opts->context_sid; 992 break; 993 case Opt_fscontext: 994 if (opts->fscontext_sid) 995 goto err; 996 dst_sid = &opts->fscontext_sid; 997 break; 998 case Opt_rootcontext: 999 if (opts->rootcontext_sid) 1000 goto err; 1001 dst_sid = &opts->rootcontext_sid; 1002 break; 1003 case Opt_defcontext: 1004 if (opts->context_sid || opts->defcontext_sid) 1005 goto err; 1006 dst_sid = &opts->defcontext_sid; 1007 break; 1008 default: 1009 WARN_ON(1); 1010 return -EINVAL; 1011 } 1012 rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL); 1013 if (rc) 1014 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n", 1015 s, rc); 1016 return rc; 1017 1018 err: 1019 pr_warn(SEL_MOUNT_FAIL_MSG); 1020 return -EINVAL; 1021 } 1022 1023 static int show_sid(struct seq_file *m, u32 sid) 1024 { 1025 char *context = NULL; 1026 u32 len; 1027 int rc; 1028 1029 rc = security_sid_to_context(sid, &context, &len); 1030 if (!rc) { 1031 bool has_comma = strchr(context, ','); 1032 1033 seq_putc(m, '='); 1034 if (has_comma) 1035 seq_putc(m, '\"'); 1036 seq_escape(m, context, "\"\n\\"); 1037 if (has_comma) 1038 seq_putc(m, '\"'); 1039 } 1040 kfree(context); 1041 return rc; 1042 } 1043 1044 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1045 { 1046 struct superblock_security_struct *sbsec = selinux_superblock(sb); 1047 int rc; 1048 1049 if (!(sbsec->flags & SE_SBINITIALIZED)) 1050 return 0; 1051 1052 if (!selinux_initialized()) 1053 return 0; 1054 1055 if (sbsec->flags & FSCONTEXT_MNT) { 1056 seq_putc(m, ','); 1057 seq_puts(m, FSCONTEXT_STR); 1058 rc = show_sid(m, sbsec->sid); 1059 if (rc) 1060 return rc; 1061 } 1062 if (sbsec->flags & CONTEXT_MNT) { 1063 seq_putc(m, ','); 1064 seq_puts(m, CONTEXT_STR); 1065 rc = show_sid(m, sbsec->mntpoint_sid); 1066 if (rc) 1067 return rc; 1068 } 1069 if (sbsec->flags & DEFCONTEXT_MNT) { 1070 seq_putc(m, ','); 1071 seq_puts(m, DEFCONTEXT_STR); 1072 rc = show_sid(m, sbsec->def_sid); 1073 if (rc) 1074 return rc; 1075 } 1076 if (sbsec->flags & ROOTCONTEXT_MNT) { 1077 struct dentry *root = sb->s_root; 1078 struct inode_security_struct *isec = backing_inode_security(root); 1079 seq_putc(m, ','); 1080 seq_puts(m, ROOTCONTEXT_STR); 1081 rc = show_sid(m, isec->sid); 1082 if (rc) 1083 return rc; 1084 } 1085 if (sbsec->flags & SBLABEL_MNT) { 1086 seq_putc(m, ','); 1087 seq_puts(m, SECLABEL_STR); 1088 } 1089 return 0; 1090 } 1091 1092 static inline u16 inode_mode_to_security_class(umode_t mode) 1093 { 1094 switch (mode & S_IFMT) { 1095 case S_IFSOCK: 1096 return SECCLASS_SOCK_FILE; 1097 case S_IFLNK: 1098 return SECCLASS_LNK_FILE; 1099 case S_IFREG: 1100 return SECCLASS_FILE; 1101 case S_IFBLK: 1102 return SECCLASS_BLK_FILE; 1103 case S_IFDIR: 1104 return SECCLASS_DIR; 1105 case S_IFCHR: 1106 return SECCLASS_CHR_FILE; 1107 case S_IFIFO: 1108 return SECCLASS_FIFO_FILE; 1109 1110 } 1111 1112 return SECCLASS_FILE; 1113 } 1114 1115 static inline int default_protocol_stream(int protocol) 1116 { 1117 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP || 1118 protocol == IPPROTO_MPTCP); 1119 } 1120 1121 static inline int default_protocol_dgram(int protocol) 1122 { 1123 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1124 } 1125 1126 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1127 { 1128 int extsockclass = selinux_policycap_extsockclass(); 1129 1130 switch (family) { 1131 case PF_UNIX: 1132 switch (type) { 1133 case SOCK_STREAM: 1134 case SOCK_SEQPACKET: 1135 return SECCLASS_UNIX_STREAM_SOCKET; 1136 case SOCK_DGRAM: 1137 case SOCK_RAW: 1138 return SECCLASS_UNIX_DGRAM_SOCKET; 1139 } 1140 break; 1141 case PF_INET: 1142 case PF_INET6: 1143 switch (type) { 1144 case SOCK_STREAM: 1145 case SOCK_SEQPACKET: 1146 if (default_protocol_stream(protocol)) 1147 return SECCLASS_TCP_SOCKET; 1148 else if (extsockclass && protocol == IPPROTO_SCTP) 1149 return SECCLASS_SCTP_SOCKET; 1150 else 1151 return SECCLASS_RAWIP_SOCKET; 1152 case SOCK_DGRAM: 1153 if (default_protocol_dgram(protocol)) 1154 return SECCLASS_UDP_SOCKET; 1155 else if (extsockclass && (protocol == IPPROTO_ICMP || 1156 protocol == IPPROTO_ICMPV6)) 1157 return SECCLASS_ICMP_SOCKET; 1158 else 1159 return SECCLASS_RAWIP_SOCKET; 1160 case SOCK_DCCP: 1161 return SECCLASS_DCCP_SOCKET; 1162 default: 1163 return SECCLASS_RAWIP_SOCKET; 1164 } 1165 break; 1166 case PF_NETLINK: 1167 switch (protocol) { 1168 case NETLINK_ROUTE: 1169 return SECCLASS_NETLINK_ROUTE_SOCKET; 1170 case NETLINK_SOCK_DIAG: 1171 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1172 case NETLINK_NFLOG: 1173 return SECCLASS_NETLINK_NFLOG_SOCKET; 1174 case NETLINK_XFRM: 1175 return SECCLASS_NETLINK_XFRM_SOCKET; 1176 case NETLINK_SELINUX: 1177 return SECCLASS_NETLINK_SELINUX_SOCKET; 1178 case NETLINK_ISCSI: 1179 return SECCLASS_NETLINK_ISCSI_SOCKET; 1180 case NETLINK_AUDIT: 1181 return SECCLASS_NETLINK_AUDIT_SOCKET; 1182 case NETLINK_FIB_LOOKUP: 1183 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1184 case NETLINK_CONNECTOR: 1185 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1186 case NETLINK_NETFILTER: 1187 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1188 case NETLINK_DNRTMSG: 1189 return SECCLASS_NETLINK_DNRT_SOCKET; 1190 case NETLINK_KOBJECT_UEVENT: 1191 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1192 case NETLINK_GENERIC: 1193 return SECCLASS_NETLINK_GENERIC_SOCKET; 1194 case NETLINK_SCSITRANSPORT: 1195 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1196 case NETLINK_RDMA: 1197 return SECCLASS_NETLINK_RDMA_SOCKET; 1198 case NETLINK_CRYPTO: 1199 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1200 default: 1201 return SECCLASS_NETLINK_SOCKET; 1202 } 1203 case PF_PACKET: 1204 return SECCLASS_PACKET_SOCKET; 1205 case PF_KEY: 1206 return SECCLASS_KEY_SOCKET; 1207 case PF_APPLETALK: 1208 return SECCLASS_APPLETALK_SOCKET; 1209 } 1210 1211 if (extsockclass) { 1212 switch (family) { 1213 case PF_AX25: 1214 return SECCLASS_AX25_SOCKET; 1215 case PF_IPX: 1216 return SECCLASS_IPX_SOCKET; 1217 case PF_NETROM: 1218 return SECCLASS_NETROM_SOCKET; 1219 case PF_ATMPVC: 1220 return SECCLASS_ATMPVC_SOCKET; 1221 case PF_X25: 1222 return SECCLASS_X25_SOCKET; 1223 case PF_ROSE: 1224 return SECCLASS_ROSE_SOCKET; 1225 case PF_DECnet: 1226 return SECCLASS_DECNET_SOCKET; 1227 case PF_ATMSVC: 1228 return SECCLASS_ATMSVC_SOCKET; 1229 case PF_RDS: 1230 return SECCLASS_RDS_SOCKET; 1231 case PF_IRDA: 1232 return SECCLASS_IRDA_SOCKET; 1233 case PF_PPPOX: 1234 return SECCLASS_PPPOX_SOCKET; 1235 case PF_LLC: 1236 return SECCLASS_LLC_SOCKET; 1237 case PF_CAN: 1238 return SECCLASS_CAN_SOCKET; 1239 case PF_TIPC: 1240 return SECCLASS_TIPC_SOCKET; 1241 case PF_BLUETOOTH: 1242 return SECCLASS_BLUETOOTH_SOCKET; 1243 case PF_IUCV: 1244 return SECCLASS_IUCV_SOCKET; 1245 case PF_RXRPC: 1246 return SECCLASS_RXRPC_SOCKET; 1247 case PF_ISDN: 1248 return SECCLASS_ISDN_SOCKET; 1249 case PF_PHONET: 1250 return SECCLASS_PHONET_SOCKET; 1251 case PF_IEEE802154: 1252 return SECCLASS_IEEE802154_SOCKET; 1253 case PF_CAIF: 1254 return SECCLASS_CAIF_SOCKET; 1255 case PF_ALG: 1256 return SECCLASS_ALG_SOCKET; 1257 case PF_NFC: 1258 return SECCLASS_NFC_SOCKET; 1259 case PF_VSOCK: 1260 return SECCLASS_VSOCK_SOCKET; 1261 case PF_KCM: 1262 return SECCLASS_KCM_SOCKET; 1263 case PF_QIPCRTR: 1264 return SECCLASS_QIPCRTR_SOCKET; 1265 case PF_SMC: 1266 return SECCLASS_SMC_SOCKET; 1267 case PF_XDP: 1268 return SECCLASS_XDP_SOCKET; 1269 case PF_MCTP: 1270 return SECCLASS_MCTP_SOCKET; 1271 #if PF_MAX > 46 1272 #error New address family defined, please update this function. 1273 #endif 1274 } 1275 } 1276 1277 return SECCLASS_SOCKET; 1278 } 1279 1280 static int selinux_genfs_get_sid(struct dentry *dentry, 1281 u16 tclass, 1282 u16 flags, 1283 u32 *sid) 1284 { 1285 int rc; 1286 struct super_block *sb = dentry->d_sb; 1287 char *buffer, *path; 1288 1289 buffer = (char *)__get_free_page(GFP_KERNEL); 1290 if (!buffer) 1291 return -ENOMEM; 1292 1293 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1294 if (IS_ERR(path)) 1295 rc = PTR_ERR(path); 1296 else { 1297 if (flags & SE_SBPROC) { 1298 /* each process gets a /proc/PID/ entry. Strip off the 1299 * PID part to get a valid selinux labeling. 1300 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1301 while (path[1] >= '0' && path[1] <= '9') { 1302 path[1] = '/'; 1303 path++; 1304 } 1305 } 1306 rc = security_genfs_sid(sb->s_type->name, 1307 path, tclass, sid); 1308 if (rc == -ENOENT) { 1309 /* No match in policy, mark as unlabeled. */ 1310 *sid = SECINITSID_UNLABELED; 1311 rc = 0; 1312 } 1313 } 1314 free_page((unsigned long)buffer); 1315 return rc; 1316 } 1317 1318 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry, 1319 u32 def_sid, u32 *sid) 1320 { 1321 #define INITCONTEXTLEN 255 1322 char *context; 1323 unsigned int len; 1324 int rc; 1325 1326 len = INITCONTEXTLEN; 1327 context = kmalloc(len + 1, GFP_NOFS); 1328 if (!context) 1329 return -ENOMEM; 1330 1331 context[len] = '\0'; 1332 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1333 if (rc == -ERANGE) { 1334 kfree(context); 1335 1336 /* Need a larger buffer. Query for the right size. */ 1337 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1338 if (rc < 0) 1339 return rc; 1340 1341 len = rc; 1342 context = kmalloc(len + 1, GFP_NOFS); 1343 if (!context) 1344 return -ENOMEM; 1345 1346 context[len] = '\0'; 1347 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, 1348 context, len); 1349 } 1350 if (rc < 0) { 1351 kfree(context); 1352 if (rc != -ENODATA) { 1353 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n", 1354 __func__, -rc, inode->i_sb->s_id, inode->i_ino); 1355 return rc; 1356 } 1357 *sid = def_sid; 1358 return 0; 1359 } 1360 1361 rc = security_context_to_sid_default(context, rc, sid, 1362 def_sid, GFP_NOFS); 1363 if (rc) { 1364 char *dev = inode->i_sb->s_id; 1365 unsigned long ino = inode->i_ino; 1366 1367 if (rc == -EINVAL) { 1368 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n", 1369 ino, dev, context); 1370 } else { 1371 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n", 1372 __func__, context, -rc, dev, ino); 1373 } 1374 } 1375 kfree(context); 1376 return 0; 1377 } 1378 1379 /* The inode's security attributes must be initialized before first use. */ 1380 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1381 { 1382 struct superblock_security_struct *sbsec = NULL; 1383 struct inode_security_struct *isec = selinux_inode(inode); 1384 u32 task_sid, sid = 0; 1385 u16 sclass; 1386 struct dentry *dentry; 1387 int rc = 0; 1388 1389 if (isec->initialized == LABEL_INITIALIZED) 1390 return 0; 1391 1392 spin_lock(&isec->lock); 1393 if (isec->initialized == LABEL_INITIALIZED) 1394 goto out_unlock; 1395 1396 if (isec->sclass == SECCLASS_FILE) 1397 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1398 1399 sbsec = selinux_superblock(inode->i_sb); 1400 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1401 /* Defer initialization until selinux_complete_init, 1402 after the initial policy is loaded and the security 1403 server is ready to handle calls. */ 1404 spin_lock(&sbsec->isec_lock); 1405 if (list_empty(&isec->list)) 1406 list_add(&isec->list, &sbsec->isec_head); 1407 spin_unlock(&sbsec->isec_lock); 1408 goto out_unlock; 1409 } 1410 1411 sclass = isec->sclass; 1412 task_sid = isec->task_sid; 1413 sid = isec->sid; 1414 isec->initialized = LABEL_PENDING; 1415 spin_unlock(&isec->lock); 1416 1417 switch (sbsec->behavior) { 1418 /* 1419 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels 1420 * via xattr when called from delayed_superblock_init(). 1421 */ 1422 case SECURITY_FS_USE_NATIVE: 1423 case SECURITY_FS_USE_XATTR: 1424 if (!(inode->i_opflags & IOP_XATTR)) { 1425 sid = sbsec->def_sid; 1426 break; 1427 } 1428 /* Need a dentry, since the xattr API requires one. 1429 Life would be simpler if we could just pass the inode. */ 1430 if (opt_dentry) { 1431 /* Called from d_instantiate or d_splice_alias. */ 1432 dentry = dget(opt_dentry); 1433 } else { 1434 /* 1435 * Called from selinux_complete_init, try to find a dentry. 1436 * Some filesystems really want a connected one, so try 1437 * that first. We could split SECURITY_FS_USE_XATTR in 1438 * two, depending upon that... 1439 */ 1440 dentry = d_find_alias(inode); 1441 if (!dentry) 1442 dentry = d_find_any_alias(inode); 1443 } 1444 if (!dentry) { 1445 /* 1446 * this is can be hit on boot when a file is accessed 1447 * before the policy is loaded. When we load policy we 1448 * may find inodes that have no dentry on the 1449 * sbsec->isec_head list. No reason to complain as these 1450 * will get fixed up the next time we go through 1451 * inode_doinit with a dentry, before these inodes could 1452 * be used again by userspace. 1453 */ 1454 goto out_invalid; 1455 } 1456 1457 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid, 1458 &sid); 1459 dput(dentry); 1460 if (rc) 1461 goto out; 1462 break; 1463 case SECURITY_FS_USE_TASK: 1464 sid = task_sid; 1465 break; 1466 case SECURITY_FS_USE_TRANS: 1467 /* Default to the fs SID. */ 1468 sid = sbsec->sid; 1469 1470 /* Try to obtain a transition SID. */ 1471 rc = security_transition_sid(task_sid, sid, 1472 sclass, NULL, &sid); 1473 if (rc) 1474 goto out; 1475 break; 1476 case SECURITY_FS_USE_MNTPOINT: 1477 sid = sbsec->mntpoint_sid; 1478 break; 1479 default: 1480 /* Default to the fs superblock SID. */ 1481 sid = sbsec->sid; 1482 1483 if ((sbsec->flags & SE_SBGENFS) && 1484 (!S_ISLNK(inode->i_mode) || 1485 selinux_policycap_genfs_seclabel_symlinks())) { 1486 /* We must have a dentry to determine the label on 1487 * procfs inodes */ 1488 if (opt_dentry) { 1489 /* Called from d_instantiate or 1490 * d_splice_alias. */ 1491 dentry = dget(opt_dentry); 1492 } else { 1493 /* Called from selinux_complete_init, try to 1494 * find a dentry. Some filesystems really want 1495 * a connected one, so try that first. 1496 */ 1497 dentry = d_find_alias(inode); 1498 if (!dentry) 1499 dentry = d_find_any_alias(inode); 1500 } 1501 /* 1502 * This can be hit on boot when a file is accessed 1503 * before the policy is loaded. When we load policy we 1504 * may find inodes that have no dentry on the 1505 * sbsec->isec_head list. No reason to complain as 1506 * these will get fixed up the next time we go through 1507 * inode_doinit() with a dentry, before these inodes 1508 * could be used again by userspace. 1509 */ 1510 if (!dentry) 1511 goto out_invalid; 1512 rc = selinux_genfs_get_sid(dentry, sclass, 1513 sbsec->flags, &sid); 1514 if (rc) { 1515 dput(dentry); 1516 goto out; 1517 } 1518 1519 if ((sbsec->flags & SE_SBGENFS_XATTR) && 1520 (inode->i_opflags & IOP_XATTR)) { 1521 rc = inode_doinit_use_xattr(inode, dentry, 1522 sid, &sid); 1523 if (rc) { 1524 dput(dentry); 1525 goto out; 1526 } 1527 } 1528 dput(dentry); 1529 } 1530 break; 1531 } 1532 1533 out: 1534 spin_lock(&isec->lock); 1535 if (isec->initialized == LABEL_PENDING) { 1536 if (rc) { 1537 isec->initialized = LABEL_INVALID; 1538 goto out_unlock; 1539 } 1540 isec->initialized = LABEL_INITIALIZED; 1541 isec->sid = sid; 1542 } 1543 1544 out_unlock: 1545 spin_unlock(&isec->lock); 1546 return rc; 1547 1548 out_invalid: 1549 spin_lock(&isec->lock); 1550 if (isec->initialized == LABEL_PENDING) { 1551 isec->initialized = LABEL_INVALID; 1552 isec->sid = sid; 1553 } 1554 spin_unlock(&isec->lock); 1555 return 0; 1556 } 1557 1558 /* Convert a Linux signal to an access vector. */ 1559 static inline u32 signal_to_av(int sig) 1560 { 1561 u32 perm = 0; 1562 1563 switch (sig) { 1564 case SIGCHLD: 1565 /* Commonly granted from child to parent. */ 1566 perm = PROCESS__SIGCHLD; 1567 break; 1568 case SIGKILL: 1569 /* Cannot be caught or ignored */ 1570 perm = PROCESS__SIGKILL; 1571 break; 1572 case SIGSTOP: 1573 /* Cannot be caught or ignored */ 1574 perm = PROCESS__SIGSTOP; 1575 break; 1576 default: 1577 /* All other signals. */ 1578 perm = PROCESS__SIGNAL; 1579 break; 1580 } 1581 1582 return perm; 1583 } 1584 1585 #if CAP_LAST_CAP > 63 1586 #error Fix SELinux to handle capabilities > 63. 1587 #endif 1588 1589 /* Check whether a task is allowed to use a capability. */ 1590 static int cred_has_capability(const struct cred *cred, 1591 int cap, unsigned int opts, bool initns) 1592 { 1593 struct common_audit_data ad; 1594 struct av_decision avd; 1595 u16 sclass; 1596 u32 sid = cred_sid(cred); 1597 u32 av = CAP_TO_MASK(cap); 1598 int rc; 1599 1600 ad.type = LSM_AUDIT_DATA_CAP; 1601 ad.u.cap = cap; 1602 1603 switch (CAP_TO_INDEX(cap)) { 1604 case 0: 1605 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1606 break; 1607 case 1: 1608 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1609 break; 1610 default: 1611 pr_err("SELinux: out of range capability %d\n", cap); 1612 BUG(); 1613 return -EINVAL; 1614 } 1615 1616 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1617 if (!(opts & CAP_OPT_NOAUDIT)) { 1618 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); 1619 if (rc2) 1620 return rc2; 1621 } 1622 return rc; 1623 } 1624 1625 /* Check whether a task has a particular permission to an inode. 1626 The 'adp' parameter is optional and allows other audit 1627 data to be passed (e.g. the dentry). */ 1628 static int inode_has_perm(const struct cred *cred, 1629 struct inode *inode, 1630 u32 perms, 1631 struct common_audit_data *adp) 1632 { 1633 struct inode_security_struct *isec; 1634 u32 sid; 1635 1636 validate_creds(cred); 1637 1638 if (unlikely(IS_PRIVATE(inode))) 1639 return 0; 1640 1641 sid = cred_sid(cred); 1642 isec = selinux_inode(inode); 1643 1644 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1645 } 1646 1647 /* Same as inode_has_perm, but pass explicit audit data containing 1648 the dentry to help the auditing code to more easily generate the 1649 pathname if needed. */ 1650 static inline int dentry_has_perm(const struct cred *cred, 1651 struct dentry *dentry, 1652 u32 av) 1653 { 1654 struct inode *inode = d_backing_inode(dentry); 1655 struct common_audit_data ad; 1656 1657 ad.type = LSM_AUDIT_DATA_DENTRY; 1658 ad.u.dentry = dentry; 1659 __inode_security_revalidate(inode, dentry, true); 1660 return inode_has_perm(cred, inode, av, &ad); 1661 } 1662 1663 /* Same as inode_has_perm, but pass explicit audit data containing 1664 the path to help the auditing code to more easily generate the 1665 pathname if needed. */ 1666 static inline int path_has_perm(const struct cred *cred, 1667 const struct path *path, 1668 u32 av) 1669 { 1670 struct inode *inode = d_backing_inode(path->dentry); 1671 struct common_audit_data ad; 1672 1673 ad.type = LSM_AUDIT_DATA_PATH; 1674 ad.u.path = *path; 1675 __inode_security_revalidate(inode, path->dentry, true); 1676 return inode_has_perm(cred, inode, av, &ad); 1677 } 1678 1679 /* Same as path_has_perm, but uses the inode from the file struct. */ 1680 static inline int file_path_has_perm(const struct cred *cred, 1681 struct file *file, 1682 u32 av) 1683 { 1684 struct common_audit_data ad; 1685 1686 ad.type = LSM_AUDIT_DATA_FILE; 1687 ad.u.file = file; 1688 return inode_has_perm(cred, file_inode(file), av, &ad); 1689 } 1690 1691 #ifdef CONFIG_BPF_SYSCALL 1692 static int bpf_fd_pass(struct file *file, u32 sid); 1693 #endif 1694 1695 /* Check whether a task can use an open file descriptor to 1696 access an inode in a given way. Check access to the 1697 descriptor itself, and then use dentry_has_perm to 1698 check a particular permission to the file. 1699 Access to the descriptor is implicitly granted if it 1700 has the same SID as the process. If av is zero, then 1701 access to the file is not checked, e.g. for cases 1702 where only the descriptor is affected like seek. */ 1703 static int file_has_perm(const struct cred *cred, 1704 struct file *file, 1705 u32 av) 1706 { 1707 struct file_security_struct *fsec = selinux_file(file); 1708 struct inode *inode = file_inode(file); 1709 struct common_audit_data ad; 1710 u32 sid = cred_sid(cred); 1711 int rc; 1712 1713 ad.type = LSM_AUDIT_DATA_FILE; 1714 ad.u.file = file; 1715 1716 if (sid != fsec->sid) { 1717 rc = avc_has_perm(sid, fsec->sid, 1718 SECCLASS_FD, 1719 FD__USE, 1720 &ad); 1721 if (rc) 1722 goto out; 1723 } 1724 1725 #ifdef CONFIG_BPF_SYSCALL 1726 rc = bpf_fd_pass(file, cred_sid(cred)); 1727 if (rc) 1728 return rc; 1729 #endif 1730 1731 /* av is zero if only checking access to the descriptor. */ 1732 rc = 0; 1733 if (av) 1734 rc = inode_has_perm(cred, inode, av, &ad); 1735 1736 out: 1737 return rc; 1738 } 1739 1740 /* 1741 * Determine the label for an inode that might be unioned. 1742 */ 1743 static int 1744 selinux_determine_inode_label(const struct task_security_struct *tsec, 1745 struct inode *dir, 1746 const struct qstr *name, u16 tclass, 1747 u32 *_new_isid) 1748 { 1749 const struct superblock_security_struct *sbsec = 1750 selinux_superblock(dir->i_sb); 1751 1752 if ((sbsec->flags & SE_SBINITIALIZED) && 1753 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1754 *_new_isid = sbsec->mntpoint_sid; 1755 } else if ((sbsec->flags & SBLABEL_MNT) && 1756 tsec->create_sid) { 1757 *_new_isid = tsec->create_sid; 1758 } else { 1759 const struct inode_security_struct *dsec = inode_security(dir); 1760 return security_transition_sid(tsec->sid, 1761 dsec->sid, tclass, 1762 name, _new_isid); 1763 } 1764 1765 return 0; 1766 } 1767 1768 /* Check whether a task can create a file. */ 1769 static int may_create(struct inode *dir, 1770 struct dentry *dentry, 1771 u16 tclass) 1772 { 1773 const struct task_security_struct *tsec = selinux_cred(current_cred()); 1774 struct inode_security_struct *dsec; 1775 struct superblock_security_struct *sbsec; 1776 u32 sid, newsid; 1777 struct common_audit_data ad; 1778 int rc; 1779 1780 dsec = inode_security(dir); 1781 sbsec = selinux_superblock(dir->i_sb); 1782 1783 sid = tsec->sid; 1784 1785 ad.type = LSM_AUDIT_DATA_DENTRY; 1786 ad.u.dentry = dentry; 1787 1788 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1789 DIR__ADD_NAME | DIR__SEARCH, 1790 &ad); 1791 if (rc) 1792 return rc; 1793 1794 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass, 1795 &newsid); 1796 if (rc) 1797 return rc; 1798 1799 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1800 if (rc) 1801 return rc; 1802 1803 return avc_has_perm(newsid, sbsec->sid, 1804 SECCLASS_FILESYSTEM, 1805 FILESYSTEM__ASSOCIATE, &ad); 1806 } 1807 1808 #define MAY_LINK 0 1809 #define MAY_UNLINK 1 1810 #define MAY_RMDIR 2 1811 1812 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1813 static int may_link(struct inode *dir, 1814 struct dentry *dentry, 1815 int kind) 1816 1817 { 1818 struct inode_security_struct *dsec, *isec; 1819 struct common_audit_data ad; 1820 u32 sid = current_sid(); 1821 u32 av; 1822 int rc; 1823 1824 dsec = inode_security(dir); 1825 isec = backing_inode_security(dentry); 1826 1827 ad.type = LSM_AUDIT_DATA_DENTRY; 1828 ad.u.dentry = dentry; 1829 1830 av = DIR__SEARCH; 1831 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1832 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1833 if (rc) 1834 return rc; 1835 1836 switch (kind) { 1837 case MAY_LINK: 1838 av = FILE__LINK; 1839 break; 1840 case MAY_UNLINK: 1841 av = FILE__UNLINK; 1842 break; 1843 case MAY_RMDIR: 1844 av = DIR__RMDIR; 1845 break; 1846 default: 1847 pr_warn("SELinux: %s: unrecognized kind %d\n", 1848 __func__, kind); 1849 return 0; 1850 } 1851 1852 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1853 return rc; 1854 } 1855 1856 static inline int may_rename(struct inode *old_dir, 1857 struct dentry *old_dentry, 1858 struct inode *new_dir, 1859 struct dentry *new_dentry) 1860 { 1861 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1862 struct common_audit_data ad; 1863 u32 sid = current_sid(); 1864 u32 av; 1865 int old_is_dir, new_is_dir; 1866 int rc; 1867 1868 old_dsec = inode_security(old_dir); 1869 old_isec = backing_inode_security(old_dentry); 1870 old_is_dir = d_is_dir(old_dentry); 1871 new_dsec = inode_security(new_dir); 1872 1873 ad.type = LSM_AUDIT_DATA_DENTRY; 1874 1875 ad.u.dentry = old_dentry; 1876 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1877 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1878 if (rc) 1879 return rc; 1880 rc = avc_has_perm(sid, old_isec->sid, 1881 old_isec->sclass, FILE__RENAME, &ad); 1882 if (rc) 1883 return rc; 1884 if (old_is_dir && new_dir != old_dir) { 1885 rc = avc_has_perm(sid, old_isec->sid, 1886 old_isec->sclass, DIR__REPARENT, &ad); 1887 if (rc) 1888 return rc; 1889 } 1890 1891 ad.u.dentry = new_dentry; 1892 av = DIR__ADD_NAME | DIR__SEARCH; 1893 if (d_is_positive(new_dentry)) 1894 av |= DIR__REMOVE_NAME; 1895 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1896 if (rc) 1897 return rc; 1898 if (d_is_positive(new_dentry)) { 1899 new_isec = backing_inode_security(new_dentry); 1900 new_is_dir = d_is_dir(new_dentry); 1901 rc = avc_has_perm(sid, new_isec->sid, 1902 new_isec->sclass, 1903 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1904 if (rc) 1905 return rc; 1906 } 1907 1908 return 0; 1909 } 1910 1911 /* Check whether a task can perform a filesystem operation. */ 1912 static int superblock_has_perm(const struct cred *cred, 1913 struct super_block *sb, 1914 u32 perms, 1915 struct common_audit_data *ad) 1916 { 1917 struct superblock_security_struct *sbsec; 1918 u32 sid = cred_sid(cred); 1919 1920 sbsec = selinux_superblock(sb); 1921 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1922 } 1923 1924 /* Convert a Linux mode and permission mask to an access vector. */ 1925 static inline u32 file_mask_to_av(int mode, int mask) 1926 { 1927 u32 av = 0; 1928 1929 if (!S_ISDIR(mode)) { 1930 if (mask & MAY_EXEC) 1931 av |= FILE__EXECUTE; 1932 if (mask & MAY_READ) 1933 av |= FILE__READ; 1934 1935 if (mask & MAY_APPEND) 1936 av |= FILE__APPEND; 1937 else if (mask & MAY_WRITE) 1938 av |= FILE__WRITE; 1939 1940 } else { 1941 if (mask & MAY_EXEC) 1942 av |= DIR__SEARCH; 1943 if (mask & MAY_WRITE) 1944 av |= DIR__WRITE; 1945 if (mask & MAY_READ) 1946 av |= DIR__READ; 1947 } 1948 1949 return av; 1950 } 1951 1952 /* Convert a Linux file to an access vector. */ 1953 static inline u32 file_to_av(struct file *file) 1954 { 1955 u32 av = 0; 1956 1957 if (file->f_mode & FMODE_READ) 1958 av |= FILE__READ; 1959 if (file->f_mode & FMODE_WRITE) { 1960 if (file->f_flags & O_APPEND) 1961 av |= FILE__APPEND; 1962 else 1963 av |= FILE__WRITE; 1964 } 1965 if (!av) { 1966 /* 1967 * Special file opened with flags 3 for ioctl-only use. 1968 */ 1969 av = FILE__IOCTL; 1970 } 1971 1972 return av; 1973 } 1974 1975 /* 1976 * Convert a file to an access vector and include the correct 1977 * open permission. 1978 */ 1979 static inline u32 open_file_to_av(struct file *file) 1980 { 1981 u32 av = file_to_av(file); 1982 struct inode *inode = file_inode(file); 1983 1984 if (selinux_policycap_openperm() && 1985 inode->i_sb->s_magic != SOCKFS_MAGIC) 1986 av |= FILE__OPEN; 1987 1988 return av; 1989 } 1990 1991 /* Hook functions begin here. */ 1992 1993 static int selinux_binder_set_context_mgr(const struct cred *mgr) 1994 { 1995 return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER, 1996 BINDER__SET_CONTEXT_MGR, NULL); 1997 } 1998 1999 static int selinux_binder_transaction(const struct cred *from, 2000 const struct cred *to) 2001 { 2002 u32 mysid = current_sid(); 2003 u32 fromsid = cred_sid(from); 2004 u32 tosid = cred_sid(to); 2005 int rc; 2006 2007 if (mysid != fromsid) { 2008 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2009 BINDER__IMPERSONATE, NULL); 2010 if (rc) 2011 return rc; 2012 } 2013 2014 return avc_has_perm(fromsid, tosid, 2015 SECCLASS_BINDER, BINDER__CALL, NULL); 2016 } 2017 2018 static int selinux_binder_transfer_binder(const struct cred *from, 2019 const struct cred *to) 2020 { 2021 return avc_has_perm(cred_sid(from), cred_sid(to), 2022 SECCLASS_BINDER, BINDER__TRANSFER, 2023 NULL); 2024 } 2025 2026 static int selinux_binder_transfer_file(const struct cred *from, 2027 const struct cred *to, 2028 struct file *file) 2029 { 2030 u32 sid = cred_sid(to); 2031 struct file_security_struct *fsec = selinux_file(file); 2032 struct dentry *dentry = file->f_path.dentry; 2033 struct inode_security_struct *isec; 2034 struct common_audit_data ad; 2035 int rc; 2036 2037 ad.type = LSM_AUDIT_DATA_PATH; 2038 ad.u.path = file->f_path; 2039 2040 if (sid != fsec->sid) { 2041 rc = avc_has_perm(sid, fsec->sid, 2042 SECCLASS_FD, 2043 FD__USE, 2044 &ad); 2045 if (rc) 2046 return rc; 2047 } 2048 2049 #ifdef CONFIG_BPF_SYSCALL 2050 rc = bpf_fd_pass(file, sid); 2051 if (rc) 2052 return rc; 2053 #endif 2054 2055 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2056 return 0; 2057 2058 isec = backing_inode_security(dentry); 2059 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2060 &ad); 2061 } 2062 2063 static int selinux_ptrace_access_check(struct task_struct *child, 2064 unsigned int mode) 2065 { 2066 u32 sid = current_sid(); 2067 u32 csid = task_sid_obj(child); 2068 2069 if (mode & PTRACE_MODE_READ) 2070 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, 2071 NULL); 2072 2073 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, 2074 NULL); 2075 } 2076 2077 static int selinux_ptrace_traceme(struct task_struct *parent) 2078 { 2079 return avc_has_perm(task_sid_obj(parent), task_sid_obj(current), 2080 SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2081 } 2082 2083 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2084 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2085 { 2086 return avc_has_perm(current_sid(), task_sid_obj(target), 2087 SECCLASS_PROCESS, PROCESS__GETCAP, NULL); 2088 } 2089 2090 static int selinux_capset(struct cred *new, const struct cred *old, 2091 const kernel_cap_t *effective, 2092 const kernel_cap_t *inheritable, 2093 const kernel_cap_t *permitted) 2094 { 2095 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2096 PROCESS__SETCAP, NULL); 2097 } 2098 2099 /* 2100 * (This comment used to live with the selinux_task_setuid hook, 2101 * which was removed). 2102 * 2103 * Since setuid only affects the current process, and since the SELinux 2104 * controls are not based on the Linux identity attributes, SELinux does not 2105 * need to control this operation. However, SELinux does control the use of 2106 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2107 */ 2108 2109 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2110 int cap, unsigned int opts) 2111 { 2112 return cred_has_capability(cred, cap, opts, ns == &init_user_ns); 2113 } 2114 2115 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2116 { 2117 const struct cred *cred = current_cred(); 2118 int rc = 0; 2119 2120 if (!sb) 2121 return 0; 2122 2123 switch (cmds) { 2124 case Q_SYNC: 2125 case Q_QUOTAON: 2126 case Q_QUOTAOFF: 2127 case Q_SETINFO: 2128 case Q_SETQUOTA: 2129 case Q_XQUOTAOFF: 2130 case Q_XQUOTAON: 2131 case Q_XSETQLIM: 2132 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2133 break; 2134 case Q_GETFMT: 2135 case Q_GETINFO: 2136 case Q_GETQUOTA: 2137 case Q_XGETQUOTA: 2138 case Q_XGETQSTAT: 2139 case Q_XGETQSTATV: 2140 case Q_XGETNEXTQUOTA: 2141 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2142 break; 2143 default: 2144 rc = 0; /* let the kernel handle invalid cmds */ 2145 break; 2146 } 2147 return rc; 2148 } 2149 2150 static int selinux_quota_on(struct dentry *dentry) 2151 { 2152 const struct cred *cred = current_cred(); 2153 2154 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2155 } 2156 2157 static int selinux_syslog(int type) 2158 { 2159 switch (type) { 2160 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2161 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2162 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2163 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2164 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2165 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2166 /* Set level of messages printed to console */ 2167 case SYSLOG_ACTION_CONSOLE_LEVEL: 2168 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2169 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2170 NULL); 2171 } 2172 /* All other syslog types */ 2173 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2174 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2175 } 2176 2177 /* 2178 * Check that a process has enough memory to allocate a new virtual 2179 * mapping. 0 means there is enough memory for the allocation to 2180 * succeed and -ENOMEM implies there is not. 2181 * 2182 * Do not audit the selinux permission check, as this is applied to all 2183 * processes that allocate mappings. 2184 */ 2185 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2186 { 2187 int rc, cap_sys_admin = 0; 2188 2189 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2190 CAP_OPT_NOAUDIT, true); 2191 if (rc == 0) 2192 cap_sys_admin = 1; 2193 2194 return cap_sys_admin; 2195 } 2196 2197 /* binprm security operations */ 2198 2199 static u32 ptrace_parent_sid(void) 2200 { 2201 u32 sid = 0; 2202 struct task_struct *tracer; 2203 2204 rcu_read_lock(); 2205 tracer = ptrace_parent(current); 2206 if (tracer) 2207 sid = task_sid_obj(tracer); 2208 rcu_read_unlock(); 2209 2210 return sid; 2211 } 2212 2213 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2214 const struct task_security_struct *old_tsec, 2215 const struct task_security_struct *new_tsec) 2216 { 2217 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2218 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2219 int rc; 2220 u32 av; 2221 2222 if (!nnp && !nosuid) 2223 return 0; /* neither NNP nor nosuid */ 2224 2225 if (new_tsec->sid == old_tsec->sid) 2226 return 0; /* No change in credentials */ 2227 2228 /* 2229 * If the policy enables the nnp_nosuid_transition policy capability, 2230 * then we permit transitions under NNP or nosuid if the 2231 * policy allows the corresponding permission between 2232 * the old and new contexts. 2233 */ 2234 if (selinux_policycap_nnp_nosuid_transition()) { 2235 av = 0; 2236 if (nnp) 2237 av |= PROCESS2__NNP_TRANSITION; 2238 if (nosuid) 2239 av |= PROCESS2__NOSUID_TRANSITION; 2240 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2241 SECCLASS_PROCESS2, av, NULL); 2242 if (!rc) 2243 return 0; 2244 } 2245 2246 /* 2247 * We also permit NNP or nosuid transitions to bounded SIDs, 2248 * i.e. SIDs that are guaranteed to only be allowed a subset 2249 * of the permissions of the current SID. 2250 */ 2251 rc = security_bounded_transition(old_tsec->sid, 2252 new_tsec->sid); 2253 if (!rc) 2254 return 0; 2255 2256 /* 2257 * On failure, preserve the errno values for NNP vs nosuid. 2258 * NNP: Operation not permitted for caller. 2259 * nosuid: Permission denied to file. 2260 */ 2261 if (nnp) 2262 return -EPERM; 2263 return -EACCES; 2264 } 2265 2266 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) 2267 { 2268 const struct task_security_struct *old_tsec; 2269 struct task_security_struct *new_tsec; 2270 struct inode_security_struct *isec; 2271 struct common_audit_data ad; 2272 struct inode *inode = file_inode(bprm->file); 2273 int rc; 2274 2275 /* SELinux context only depends on initial program or script and not 2276 * the script interpreter */ 2277 2278 old_tsec = selinux_cred(current_cred()); 2279 new_tsec = selinux_cred(bprm->cred); 2280 isec = inode_security(inode); 2281 2282 /* Default to the current task SID. */ 2283 new_tsec->sid = old_tsec->sid; 2284 new_tsec->osid = old_tsec->sid; 2285 2286 /* Reset fs, key, and sock SIDs on execve. */ 2287 new_tsec->create_sid = 0; 2288 new_tsec->keycreate_sid = 0; 2289 new_tsec->sockcreate_sid = 0; 2290 2291 /* 2292 * Before policy is loaded, label any task outside kernel space 2293 * as SECINITSID_INIT, so that any userspace tasks surviving from 2294 * early boot end up with a label different from SECINITSID_KERNEL 2295 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL). 2296 */ 2297 if (!selinux_initialized()) { 2298 new_tsec->sid = SECINITSID_INIT; 2299 /* also clear the exec_sid just in case */ 2300 new_tsec->exec_sid = 0; 2301 return 0; 2302 } 2303 2304 if (old_tsec->exec_sid) { 2305 new_tsec->sid = old_tsec->exec_sid; 2306 /* Reset exec SID on execve. */ 2307 new_tsec->exec_sid = 0; 2308 2309 /* Fail on NNP or nosuid if not an allowed transition. */ 2310 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2311 if (rc) 2312 return rc; 2313 } else { 2314 /* Check for a default transition on this program. */ 2315 rc = security_transition_sid(old_tsec->sid, 2316 isec->sid, SECCLASS_PROCESS, NULL, 2317 &new_tsec->sid); 2318 if (rc) 2319 return rc; 2320 2321 /* 2322 * Fallback to old SID on NNP or nosuid if not an allowed 2323 * transition. 2324 */ 2325 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2326 if (rc) 2327 new_tsec->sid = old_tsec->sid; 2328 } 2329 2330 ad.type = LSM_AUDIT_DATA_FILE; 2331 ad.u.file = bprm->file; 2332 2333 if (new_tsec->sid == old_tsec->sid) { 2334 rc = avc_has_perm(old_tsec->sid, isec->sid, 2335 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2336 if (rc) 2337 return rc; 2338 } else { 2339 /* Check permissions for the transition. */ 2340 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2341 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2342 if (rc) 2343 return rc; 2344 2345 rc = avc_has_perm(new_tsec->sid, isec->sid, 2346 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2347 if (rc) 2348 return rc; 2349 2350 /* Check for shared state */ 2351 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2352 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2353 SECCLASS_PROCESS, PROCESS__SHARE, 2354 NULL); 2355 if (rc) 2356 return -EPERM; 2357 } 2358 2359 /* Make sure that anyone attempting to ptrace over a task that 2360 * changes its SID has the appropriate permit */ 2361 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2362 u32 ptsid = ptrace_parent_sid(); 2363 if (ptsid != 0) { 2364 rc = avc_has_perm(ptsid, new_tsec->sid, 2365 SECCLASS_PROCESS, 2366 PROCESS__PTRACE, NULL); 2367 if (rc) 2368 return -EPERM; 2369 } 2370 } 2371 2372 /* Clear any possibly unsafe personality bits on exec: */ 2373 bprm->per_clear |= PER_CLEAR_ON_SETID; 2374 2375 /* Enable secure mode for SIDs transitions unless 2376 the noatsecure permission is granted between 2377 the two SIDs, i.e. ahp returns 0. */ 2378 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2379 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2380 NULL); 2381 bprm->secureexec |= !!rc; 2382 } 2383 2384 return 0; 2385 } 2386 2387 static int match_file(const void *p, struct file *file, unsigned fd) 2388 { 2389 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2390 } 2391 2392 /* Derived from fs/exec.c:flush_old_files. */ 2393 static inline void flush_unauthorized_files(const struct cred *cred, 2394 struct files_struct *files) 2395 { 2396 struct file *file, *devnull = NULL; 2397 struct tty_struct *tty; 2398 int drop_tty = 0; 2399 unsigned n; 2400 2401 tty = get_current_tty(); 2402 if (tty) { 2403 spin_lock(&tty->files_lock); 2404 if (!list_empty(&tty->tty_files)) { 2405 struct tty_file_private *file_priv; 2406 2407 /* Revalidate access to controlling tty. 2408 Use file_path_has_perm on the tty path directly 2409 rather than using file_has_perm, as this particular 2410 open file may belong to another process and we are 2411 only interested in the inode-based check here. */ 2412 file_priv = list_first_entry(&tty->tty_files, 2413 struct tty_file_private, list); 2414 file = file_priv->file; 2415 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2416 drop_tty = 1; 2417 } 2418 spin_unlock(&tty->files_lock); 2419 tty_kref_put(tty); 2420 } 2421 /* Reset controlling tty. */ 2422 if (drop_tty) 2423 no_tty(); 2424 2425 /* Revalidate access to inherited open files. */ 2426 n = iterate_fd(files, 0, match_file, cred); 2427 if (!n) /* none found? */ 2428 return; 2429 2430 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2431 if (IS_ERR(devnull)) 2432 devnull = NULL; 2433 /* replace all the matching ones with this */ 2434 do { 2435 replace_fd(n - 1, devnull, 0); 2436 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2437 if (devnull) 2438 fput(devnull); 2439 } 2440 2441 /* 2442 * Prepare a process for imminent new credential changes due to exec 2443 */ 2444 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2445 { 2446 struct task_security_struct *new_tsec; 2447 struct rlimit *rlim, *initrlim; 2448 int rc, i; 2449 2450 new_tsec = selinux_cred(bprm->cred); 2451 if (new_tsec->sid == new_tsec->osid) 2452 return; 2453 2454 /* Close files for which the new task SID is not authorized. */ 2455 flush_unauthorized_files(bprm->cred, current->files); 2456 2457 /* Always clear parent death signal on SID transitions. */ 2458 current->pdeath_signal = 0; 2459 2460 /* Check whether the new SID can inherit resource limits from the old 2461 * SID. If not, reset all soft limits to the lower of the current 2462 * task's hard limit and the init task's soft limit. 2463 * 2464 * Note that the setting of hard limits (even to lower them) can be 2465 * controlled by the setrlimit check. The inclusion of the init task's 2466 * soft limit into the computation is to avoid resetting soft limits 2467 * higher than the default soft limit for cases where the default is 2468 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2469 */ 2470 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2471 PROCESS__RLIMITINH, NULL); 2472 if (rc) { 2473 /* protect against do_prlimit() */ 2474 task_lock(current); 2475 for (i = 0; i < RLIM_NLIMITS; i++) { 2476 rlim = current->signal->rlim + i; 2477 initrlim = init_task.signal->rlim + i; 2478 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2479 } 2480 task_unlock(current); 2481 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2482 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2483 } 2484 } 2485 2486 /* 2487 * Clean up the process immediately after the installation of new credentials 2488 * due to exec 2489 */ 2490 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2491 { 2492 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2493 u32 osid, sid; 2494 int rc; 2495 2496 osid = tsec->osid; 2497 sid = tsec->sid; 2498 2499 if (sid == osid) 2500 return; 2501 2502 /* Check whether the new SID can inherit signal state from the old SID. 2503 * If not, clear itimers to avoid subsequent signal generation and 2504 * flush and unblock signals. 2505 * 2506 * This must occur _after_ the task SID has been updated so that any 2507 * kill done after the flush will be checked against the new SID. 2508 */ 2509 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2510 if (rc) { 2511 clear_itimer(); 2512 2513 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock); 2514 if (!fatal_signal_pending(current)) { 2515 flush_sigqueue(¤t->pending); 2516 flush_sigqueue(¤t->signal->shared_pending); 2517 flush_signal_handlers(current, 1); 2518 sigemptyset(¤t->blocked); 2519 recalc_sigpending(); 2520 } 2521 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock); 2522 } 2523 2524 /* Wake up the parent if it is waiting so that it can recheck 2525 * wait permission to the new task SID. */ 2526 read_lock(&tasklist_lock); 2527 __wake_up_parent(current, unrcu_pointer(current->real_parent)); 2528 read_unlock(&tasklist_lock); 2529 } 2530 2531 /* superblock security operations */ 2532 2533 static int selinux_sb_alloc_security(struct super_block *sb) 2534 { 2535 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2536 2537 mutex_init(&sbsec->lock); 2538 INIT_LIST_HEAD(&sbsec->isec_head); 2539 spin_lock_init(&sbsec->isec_lock); 2540 sbsec->sid = SECINITSID_UNLABELED; 2541 sbsec->def_sid = SECINITSID_FILE; 2542 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 2543 2544 return 0; 2545 } 2546 2547 static inline int opt_len(const char *s) 2548 { 2549 bool open_quote = false; 2550 int len; 2551 char c; 2552 2553 for (len = 0; (c = s[len]) != '\0'; len++) { 2554 if (c == '"') 2555 open_quote = !open_quote; 2556 if (c == ',' && !open_quote) 2557 break; 2558 } 2559 return len; 2560 } 2561 2562 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) 2563 { 2564 char *from = options; 2565 char *to = options; 2566 bool first = true; 2567 int rc; 2568 2569 while (1) { 2570 int len = opt_len(from); 2571 int token; 2572 char *arg = NULL; 2573 2574 token = match_opt_prefix(from, len, &arg); 2575 2576 if (token != Opt_error) { 2577 char *p, *q; 2578 2579 /* strip quotes */ 2580 if (arg) { 2581 for (p = q = arg; p < from + len; p++) { 2582 char c = *p; 2583 if (c != '"') 2584 *q++ = c; 2585 } 2586 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); 2587 if (!arg) { 2588 rc = -ENOMEM; 2589 goto free_opt; 2590 } 2591 } 2592 rc = selinux_add_opt(token, arg, mnt_opts); 2593 kfree(arg); 2594 arg = NULL; 2595 if (unlikely(rc)) { 2596 goto free_opt; 2597 } 2598 } else { 2599 if (!first) { // copy with preceding comma 2600 from--; 2601 len++; 2602 } 2603 if (to != from) 2604 memmove(to, from, len); 2605 to += len; 2606 first = false; 2607 } 2608 if (!from[len]) 2609 break; 2610 from += len + 1; 2611 } 2612 *to = '\0'; 2613 return 0; 2614 2615 free_opt: 2616 if (*mnt_opts) { 2617 selinux_free_mnt_opts(*mnt_opts); 2618 *mnt_opts = NULL; 2619 } 2620 return rc; 2621 } 2622 2623 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts) 2624 { 2625 struct selinux_mnt_opts *opts = mnt_opts; 2626 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2627 2628 /* 2629 * Superblock not initialized (i.e. no options) - reject if any 2630 * options specified, otherwise accept. 2631 */ 2632 if (!(sbsec->flags & SE_SBINITIALIZED)) 2633 return opts ? 1 : 0; 2634 2635 /* 2636 * Superblock initialized and no options specified - reject if 2637 * superblock has any options set, otherwise accept. 2638 */ 2639 if (!opts) 2640 return (sbsec->flags & SE_MNTMASK) ? 1 : 0; 2641 2642 if (opts->fscontext_sid) { 2643 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 2644 opts->fscontext_sid)) 2645 return 1; 2646 } 2647 if (opts->context_sid) { 2648 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 2649 opts->context_sid)) 2650 return 1; 2651 } 2652 if (opts->rootcontext_sid) { 2653 struct inode_security_struct *root_isec; 2654 2655 root_isec = backing_inode_security(sb->s_root); 2656 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 2657 opts->rootcontext_sid)) 2658 return 1; 2659 } 2660 if (opts->defcontext_sid) { 2661 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 2662 opts->defcontext_sid)) 2663 return 1; 2664 } 2665 return 0; 2666 } 2667 2668 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) 2669 { 2670 struct selinux_mnt_opts *opts = mnt_opts; 2671 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2672 2673 if (!(sbsec->flags & SE_SBINITIALIZED)) 2674 return 0; 2675 2676 if (!opts) 2677 return 0; 2678 2679 if (opts->fscontext_sid) { 2680 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 2681 opts->fscontext_sid)) 2682 goto out_bad_option; 2683 } 2684 if (opts->context_sid) { 2685 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 2686 opts->context_sid)) 2687 goto out_bad_option; 2688 } 2689 if (opts->rootcontext_sid) { 2690 struct inode_security_struct *root_isec; 2691 root_isec = backing_inode_security(sb->s_root); 2692 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 2693 opts->rootcontext_sid)) 2694 goto out_bad_option; 2695 } 2696 if (opts->defcontext_sid) { 2697 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 2698 opts->defcontext_sid)) 2699 goto out_bad_option; 2700 } 2701 return 0; 2702 2703 out_bad_option: 2704 pr_warn("SELinux: unable to change security options " 2705 "during remount (dev %s, type=%s)\n", sb->s_id, 2706 sb->s_type->name); 2707 return -EINVAL; 2708 } 2709 2710 static int selinux_sb_kern_mount(struct super_block *sb) 2711 { 2712 const struct cred *cred = current_cred(); 2713 struct common_audit_data ad; 2714 2715 ad.type = LSM_AUDIT_DATA_DENTRY; 2716 ad.u.dentry = sb->s_root; 2717 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2718 } 2719 2720 static int selinux_sb_statfs(struct dentry *dentry) 2721 { 2722 const struct cred *cred = current_cred(); 2723 struct common_audit_data ad; 2724 2725 ad.type = LSM_AUDIT_DATA_DENTRY; 2726 ad.u.dentry = dentry->d_sb->s_root; 2727 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2728 } 2729 2730 static int selinux_mount(const char *dev_name, 2731 const struct path *path, 2732 const char *type, 2733 unsigned long flags, 2734 void *data) 2735 { 2736 const struct cred *cred = current_cred(); 2737 2738 if (flags & MS_REMOUNT) 2739 return superblock_has_perm(cred, path->dentry->d_sb, 2740 FILESYSTEM__REMOUNT, NULL); 2741 else 2742 return path_has_perm(cred, path, FILE__MOUNTON); 2743 } 2744 2745 static int selinux_move_mount(const struct path *from_path, 2746 const struct path *to_path) 2747 { 2748 const struct cred *cred = current_cred(); 2749 2750 return path_has_perm(cred, to_path, FILE__MOUNTON); 2751 } 2752 2753 static int selinux_umount(struct vfsmount *mnt, int flags) 2754 { 2755 const struct cred *cred = current_cred(); 2756 2757 return superblock_has_perm(cred, mnt->mnt_sb, 2758 FILESYSTEM__UNMOUNT, NULL); 2759 } 2760 2761 static int selinux_fs_context_dup(struct fs_context *fc, 2762 struct fs_context *src_fc) 2763 { 2764 const struct selinux_mnt_opts *src = src_fc->security; 2765 2766 if (!src) 2767 return 0; 2768 2769 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL); 2770 return fc->security ? 0 : -ENOMEM; 2771 } 2772 2773 static const struct fs_parameter_spec selinux_fs_parameters[] = { 2774 fsparam_string(CONTEXT_STR, Opt_context), 2775 fsparam_string(DEFCONTEXT_STR, Opt_defcontext), 2776 fsparam_string(FSCONTEXT_STR, Opt_fscontext), 2777 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext), 2778 fsparam_flag (SECLABEL_STR, Opt_seclabel), 2779 {} 2780 }; 2781 2782 static int selinux_fs_context_parse_param(struct fs_context *fc, 2783 struct fs_parameter *param) 2784 { 2785 struct fs_parse_result result; 2786 int opt; 2787 2788 opt = fs_parse(fc, selinux_fs_parameters, param, &result); 2789 if (opt < 0) 2790 return opt; 2791 2792 return selinux_add_opt(opt, param->string, &fc->security); 2793 } 2794 2795 /* inode security operations */ 2796 2797 static int selinux_inode_alloc_security(struct inode *inode) 2798 { 2799 struct inode_security_struct *isec = selinux_inode(inode); 2800 u32 sid = current_sid(); 2801 2802 spin_lock_init(&isec->lock); 2803 INIT_LIST_HEAD(&isec->list); 2804 isec->inode = inode; 2805 isec->sid = SECINITSID_UNLABELED; 2806 isec->sclass = SECCLASS_FILE; 2807 isec->task_sid = sid; 2808 isec->initialized = LABEL_INVALID; 2809 2810 return 0; 2811 } 2812 2813 static void selinux_inode_free_security(struct inode *inode) 2814 { 2815 inode_free_security(inode); 2816 } 2817 2818 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2819 const struct qstr *name, 2820 const char **xattr_name, void **ctx, 2821 u32 *ctxlen) 2822 { 2823 u32 newsid; 2824 int rc; 2825 2826 rc = selinux_determine_inode_label(selinux_cred(current_cred()), 2827 d_inode(dentry->d_parent), name, 2828 inode_mode_to_security_class(mode), 2829 &newsid); 2830 if (rc) 2831 return rc; 2832 2833 if (xattr_name) 2834 *xattr_name = XATTR_NAME_SELINUX; 2835 2836 return security_sid_to_context(newsid, (char **)ctx, 2837 ctxlen); 2838 } 2839 2840 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2841 struct qstr *name, 2842 const struct cred *old, 2843 struct cred *new) 2844 { 2845 u32 newsid; 2846 int rc; 2847 struct task_security_struct *tsec; 2848 2849 rc = selinux_determine_inode_label(selinux_cred(old), 2850 d_inode(dentry->d_parent), name, 2851 inode_mode_to_security_class(mode), 2852 &newsid); 2853 if (rc) 2854 return rc; 2855 2856 tsec = selinux_cred(new); 2857 tsec->create_sid = newsid; 2858 return 0; 2859 } 2860 2861 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2862 const struct qstr *qstr, 2863 const char **name, 2864 void **value, size_t *len) 2865 { 2866 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2867 struct superblock_security_struct *sbsec; 2868 u32 newsid, clen; 2869 int rc; 2870 char *context; 2871 2872 sbsec = selinux_superblock(dir->i_sb); 2873 2874 newsid = tsec->create_sid; 2875 2876 rc = selinux_determine_inode_label(tsec, dir, qstr, 2877 inode_mode_to_security_class(inode->i_mode), 2878 &newsid); 2879 if (rc) 2880 return rc; 2881 2882 /* Possibly defer initialization to selinux_complete_init. */ 2883 if (sbsec->flags & SE_SBINITIALIZED) { 2884 struct inode_security_struct *isec = selinux_inode(inode); 2885 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2886 isec->sid = newsid; 2887 isec->initialized = LABEL_INITIALIZED; 2888 } 2889 2890 if (!selinux_initialized() || 2891 !(sbsec->flags & SBLABEL_MNT)) 2892 return -EOPNOTSUPP; 2893 2894 if (name) 2895 *name = XATTR_SELINUX_SUFFIX; 2896 2897 if (value && len) { 2898 rc = security_sid_to_context_force(newsid, 2899 &context, &clen); 2900 if (rc) 2901 return rc; 2902 *value = context; 2903 *len = clen; 2904 } 2905 2906 return 0; 2907 } 2908 2909 static int selinux_inode_init_security_anon(struct inode *inode, 2910 const struct qstr *name, 2911 const struct inode *context_inode) 2912 { 2913 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2914 struct common_audit_data ad; 2915 struct inode_security_struct *isec; 2916 int rc; 2917 2918 if (unlikely(!selinux_initialized())) 2919 return 0; 2920 2921 isec = selinux_inode(inode); 2922 2923 /* 2924 * We only get here once per ephemeral inode. The inode has 2925 * been initialized via inode_alloc_security but is otherwise 2926 * untouched. 2927 */ 2928 2929 if (context_inode) { 2930 struct inode_security_struct *context_isec = 2931 selinux_inode(context_inode); 2932 if (context_isec->initialized != LABEL_INITIALIZED) { 2933 pr_err("SELinux: context_inode is not initialized"); 2934 return -EACCES; 2935 } 2936 2937 isec->sclass = context_isec->sclass; 2938 isec->sid = context_isec->sid; 2939 } else { 2940 isec->sclass = SECCLASS_ANON_INODE; 2941 rc = security_transition_sid( 2942 tsec->sid, tsec->sid, 2943 isec->sclass, name, &isec->sid); 2944 if (rc) 2945 return rc; 2946 } 2947 2948 isec->initialized = LABEL_INITIALIZED; 2949 /* 2950 * Now that we've initialized security, check whether we're 2951 * allowed to actually create this type of anonymous inode. 2952 */ 2953 2954 ad.type = LSM_AUDIT_DATA_ANONINODE; 2955 ad.u.anonclass = name ? (const char *)name->name : "?"; 2956 2957 return avc_has_perm(tsec->sid, 2958 isec->sid, 2959 isec->sclass, 2960 FILE__CREATE, 2961 &ad); 2962 } 2963 2964 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 2965 { 2966 return may_create(dir, dentry, SECCLASS_FILE); 2967 } 2968 2969 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2970 { 2971 return may_link(dir, old_dentry, MAY_LINK); 2972 } 2973 2974 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2975 { 2976 return may_link(dir, dentry, MAY_UNLINK); 2977 } 2978 2979 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2980 { 2981 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2982 } 2983 2984 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 2985 { 2986 return may_create(dir, dentry, SECCLASS_DIR); 2987 } 2988 2989 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2990 { 2991 return may_link(dir, dentry, MAY_RMDIR); 2992 } 2993 2994 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 2995 { 2996 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2997 } 2998 2999 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3000 struct inode *new_inode, struct dentry *new_dentry) 3001 { 3002 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3003 } 3004 3005 static int selinux_inode_readlink(struct dentry *dentry) 3006 { 3007 const struct cred *cred = current_cred(); 3008 3009 return dentry_has_perm(cred, dentry, FILE__READ); 3010 } 3011 3012 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3013 bool rcu) 3014 { 3015 const struct cred *cred = current_cred(); 3016 struct common_audit_data ad; 3017 struct inode_security_struct *isec; 3018 u32 sid; 3019 3020 validate_creds(cred); 3021 3022 ad.type = LSM_AUDIT_DATA_DENTRY; 3023 ad.u.dentry = dentry; 3024 sid = cred_sid(cred); 3025 isec = inode_security_rcu(inode, rcu); 3026 if (IS_ERR(isec)) 3027 return PTR_ERR(isec); 3028 3029 return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad); 3030 } 3031 3032 static noinline int audit_inode_permission(struct inode *inode, 3033 u32 perms, u32 audited, u32 denied, 3034 int result) 3035 { 3036 struct common_audit_data ad; 3037 struct inode_security_struct *isec = selinux_inode(inode); 3038 3039 ad.type = LSM_AUDIT_DATA_INODE; 3040 ad.u.inode = inode; 3041 3042 return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3043 audited, denied, result, &ad); 3044 } 3045 3046 static int selinux_inode_permission(struct inode *inode, int mask) 3047 { 3048 const struct cred *cred = current_cred(); 3049 u32 perms; 3050 bool from_access; 3051 bool no_block = mask & MAY_NOT_BLOCK; 3052 struct inode_security_struct *isec; 3053 u32 sid; 3054 struct av_decision avd; 3055 int rc, rc2; 3056 u32 audited, denied; 3057 3058 from_access = mask & MAY_ACCESS; 3059 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3060 3061 /* No permission to check. Existence test. */ 3062 if (!mask) 3063 return 0; 3064 3065 validate_creds(cred); 3066 3067 if (unlikely(IS_PRIVATE(inode))) 3068 return 0; 3069 3070 perms = file_mask_to_av(inode->i_mode, mask); 3071 3072 sid = cred_sid(cred); 3073 isec = inode_security_rcu(inode, no_block); 3074 if (IS_ERR(isec)) 3075 return PTR_ERR(isec); 3076 3077 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, 3078 &avd); 3079 audited = avc_audit_required(perms, &avd, rc, 3080 from_access ? FILE__AUDIT_ACCESS : 0, 3081 &denied); 3082 if (likely(!audited)) 3083 return rc; 3084 3085 rc2 = audit_inode_permission(inode, perms, audited, denied, rc); 3086 if (rc2) 3087 return rc2; 3088 return rc; 3089 } 3090 3091 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3092 { 3093 const struct cred *cred = current_cred(); 3094 struct inode *inode = d_backing_inode(dentry); 3095 unsigned int ia_valid = iattr->ia_valid; 3096 __u32 av = FILE__WRITE; 3097 3098 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3099 if (ia_valid & ATTR_FORCE) { 3100 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3101 ATTR_FORCE); 3102 if (!ia_valid) 3103 return 0; 3104 } 3105 3106 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3107 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3108 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3109 3110 if (selinux_policycap_openperm() && 3111 inode->i_sb->s_magic != SOCKFS_MAGIC && 3112 (ia_valid & ATTR_SIZE) && 3113 !(ia_valid & ATTR_FILE)) 3114 av |= FILE__OPEN; 3115 3116 return dentry_has_perm(cred, dentry, av); 3117 } 3118 3119 static int selinux_inode_getattr(const struct path *path) 3120 { 3121 return path_has_perm(current_cred(), path, FILE__GETATTR); 3122 } 3123 3124 static bool has_cap_mac_admin(bool audit) 3125 { 3126 const struct cred *cred = current_cred(); 3127 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT; 3128 3129 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts)) 3130 return false; 3131 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true)) 3132 return false; 3133 return true; 3134 } 3135 3136 static int selinux_inode_setxattr(struct mnt_idmap *idmap, 3137 struct dentry *dentry, const char *name, 3138 const void *value, size_t size, int flags) 3139 { 3140 struct inode *inode = d_backing_inode(dentry); 3141 struct inode_security_struct *isec; 3142 struct superblock_security_struct *sbsec; 3143 struct common_audit_data ad; 3144 u32 newsid, sid = current_sid(); 3145 int rc = 0; 3146 3147 if (strcmp(name, XATTR_NAME_SELINUX)) { 3148 rc = cap_inode_setxattr(dentry, name, value, size, flags); 3149 if (rc) 3150 return rc; 3151 3152 /* Not an attribute we recognize, so just check the 3153 ordinary setattr permission. */ 3154 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3155 } 3156 3157 if (!selinux_initialized()) 3158 return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM); 3159 3160 sbsec = selinux_superblock(inode->i_sb); 3161 if (!(sbsec->flags & SBLABEL_MNT)) 3162 return -EOPNOTSUPP; 3163 3164 if (!inode_owner_or_capable(idmap, inode)) 3165 return -EPERM; 3166 3167 ad.type = LSM_AUDIT_DATA_DENTRY; 3168 ad.u.dentry = dentry; 3169 3170 isec = backing_inode_security(dentry); 3171 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3172 FILE__RELABELFROM, &ad); 3173 if (rc) 3174 return rc; 3175 3176 rc = security_context_to_sid(value, size, &newsid, 3177 GFP_KERNEL); 3178 if (rc == -EINVAL) { 3179 if (!has_cap_mac_admin(true)) { 3180 struct audit_buffer *ab; 3181 size_t audit_size; 3182 3183 /* We strip a nul only if it is at the end, otherwise the 3184 * context contains a nul and we should audit that */ 3185 if (value) { 3186 const char *str = value; 3187 3188 if (str[size - 1] == '\0') 3189 audit_size = size - 1; 3190 else 3191 audit_size = size; 3192 } else { 3193 audit_size = 0; 3194 } 3195 ab = audit_log_start(audit_context(), 3196 GFP_ATOMIC, AUDIT_SELINUX_ERR); 3197 if (!ab) 3198 return rc; 3199 audit_log_format(ab, "op=setxattr invalid_context="); 3200 audit_log_n_untrustedstring(ab, value, audit_size); 3201 audit_log_end(ab); 3202 3203 return rc; 3204 } 3205 rc = security_context_to_sid_force(value, 3206 size, &newsid); 3207 } 3208 if (rc) 3209 return rc; 3210 3211 rc = avc_has_perm(sid, newsid, isec->sclass, 3212 FILE__RELABELTO, &ad); 3213 if (rc) 3214 return rc; 3215 3216 rc = security_validate_transition(isec->sid, newsid, 3217 sid, isec->sclass); 3218 if (rc) 3219 return rc; 3220 3221 return avc_has_perm(newsid, 3222 sbsec->sid, 3223 SECCLASS_FILESYSTEM, 3224 FILESYSTEM__ASSOCIATE, 3225 &ad); 3226 } 3227 3228 static int selinux_inode_set_acl(struct mnt_idmap *idmap, 3229 struct dentry *dentry, const char *acl_name, 3230 struct posix_acl *kacl) 3231 { 3232 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3233 } 3234 3235 static int selinux_inode_get_acl(struct mnt_idmap *idmap, 3236 struct dentry *dentry, const char *acl_name) 3237 { 3238 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR); 3239 } 3240 3241 static int selinux_inode_remove_acl(struct mnt_idmap *idmap, 3242 struct dentry *dentry, const char *acl_name) 3243 { 3244 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3245 } 3246 3247 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3248 const void *value, size_t size, 3249 int flags) 3250 { 3251 struct inode *inode = d_backing_inode(dentry); 3252 struct inode_security_struct *isec; 3253 u32 newsid; 3254 int rc; 3255 3256 if (strcmp(name, XATTR_NAME_SELINUX)) { 3257 /* Not an attribute we recognize, so nothing to do. */ 3258 return; 3259 } 3260 3261 if (!selinux_initialized()) { 3262 /* If we haven't even been initialized, then we can't validate 3263 * against a policy, so leave the label as invalid. It may 3264 * resolve to a valid label on the next revalidation try if 3265 * we've since initialized. 3266 */ 3267 return; 3268 } 3269 3270 rc = security_context_to_sid_force(value, size, 3271 &newsid); 3272 if (rc) { 3273 pr_err("SELinux: unable to map context to SID" 3274 "for (%s, %lu), rc=%d\n", 3275 inode->i_sb->s_id, inode->i_ino, -rc); 3276 return; 3277 } 3278 3279 isec = backing_inode_security(dentry); 3280 spin_lock(&isec->lock); 3281 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3282 isec->sid = newsid; 3283 isec->initialized = LABEL_INITIALIZED; 3284 spin_unlock(&isec->lock); 3285 } 3286 3287 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3288 { 3289 const struct cred *cred = current_cred(); 3290 3291 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3292 } 3293 3294 static int selinux_inode_listxattr(struct dentry *dentry) 3295 { 3296 const struct cred *cred = current_cred(); 3297 3298 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3299 } 3300 3301 static int selinux_inode_removexattr(struct mnt_idmap *idmap, 3302 struct dentry *dentry, const char *name) 3303 { 3304 if (strcmp(name, XATTR_NAME_SELINUX)) { 3305 int rc = cap_inode_removexattr(idmap, dentry, name); 3306 if (rc) 3307 return rc; 3308 3309 /* Not an attribute we recognize, so just check the 3310 ordinary setattr permission. */ 3311 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3312 } 3313 3314 if (!selinux_initialized()) 3315 return 0; 3316 3317 /* No one is allowed to remove a SELinux security label. 3318 You can change the label, but all data must be labeled. */ 3319 return -EACCES; 3320 } 3321 3322 static int selinux_path_notify(const struct path *path, u64 mask, 3323 unsigned int obj_type) 3324 { 3325 int ret; 3326 u32 perm; 3327 3328 struct common_audit_data ad; 3329 3330 ad.type = LSM_AUDIT_DATA_PATH; 3331 ad.u.path = *path; 3332 3333 /* 3334 * Set permission needed based on the type of mark being set. 3335 * Performs an additional check for sb watches. 3336 */ 3337 switch (obj_type) { 3338 case FSNOTIFY_OBJ_TYPE_VFSMOUNT: 3339 perm = FILE__WATCH_MOUNT; 3340 break; 3341 case FSNOTIFY_OBJ_TYPE_SB: 3342 perm = FILE__WATCH_SB; 3343 ret = superblock_has_perm(current_cred(), path->dentry->d_sb, 3344 FILESYSTEM__WATCH, &ad); 3345 if (ret) 3346 return ret; 3347 break; 3348 case FSNOTIFY_OBJ_TYPE_INODE: 3349 perm = FILE__WATCH; 3350 break; 3351 default: 3352 return -EINVAL; 3353 } 3354 3355 /* blocking watches require the file:watch_with_perm permission */ 3356 if (mask & (ALL_FSNOTIFY_PERM_EVENTS)) 3357 perm |= FILE__WATCH_WITH_PERM; 3358 3359 /* watches on read-like events need the file:watch_reads permission */ 3360 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE)) 3361 perm |= FILE__WATCH_READS; 3362 3363 return path_has_perm(current_cred(), path, perm); 3364 } 3365 3366 /* 3367 * Copy the inode security context value to the user. 3368 * 3369 * Permission check is handled by selinux_inode_getxattr hook. 3370 */ 3371 static int selinux_inode_getsecurity(struct mnt_idmap *idmap, 3372 struct inode *inode, const char *name, 3373 void **buffer, bool alloc) 3374 { 3375 u32 size; 3376 int error; 3377 char *context = NULL; 3378 struct inode_security_struct *isec; 3379 3380 /* 3381 * If we're not initialized yet, then we can't validate contexts, so 3382 * just let vfs_getxattr fall back to using the on-disk xattr. 3383 */ 3384 if (!selinux_initialized() || 3385 strcmp(name, XATTR_SELINUX_SUFFIX)) 3386 return -EOPNOTSUPP; 3387 3388 /* 3389 * If the caller has CAP_MAC_ADMIN, then get the raw context 3390 * value even if it is not defined by current policy; otherwise, 3391 * use the in-core value under current policy. 3392 * Use the non-auditing forms of the permission checks since 3393 * getxattr may be called by unprivileged processes commonly 3394 * and lack of permission just means that we fall back to the 3395 * in-core context value, not a denial. 3396 */ 3397 isec = inode_security(inode); 3398 if (has_cap_mac_admin(false)) 3399 error = security_sid_to_context_force(isec->sid, &context, 3400 &size); 3401 else 3402 error = security_sid_to_context(isec->sid, 3403 &context, &size); 3404 if (error) 3405 return error; 3406 error = size; 3407 if (alloc) { 3408 *buffer = context; 3409 goto out_nofree; 3410 } 3411 kfree(context); 3412 out_nofree: 3413 return error; 3414 } 3415 3416 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3417 const void *value, size_t size, int flags) 3418 { 3419 struct inode_security_struct *isec = inode_security_novalidate(inode); 3420 struct superblock_security_struct *sbsec; 3421 u32 newsid; 3422 int rc; 3423 3424 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3425 return -EOPNOTSUPP; 3426 3427 sbsec = selinux_superblock(inode->i_sb); 3428 if (!(sbsec->flags & SBLABEL_MNT)) 3429 return -EOPNOTSUPP; 3430 3431 if (!value || !size) 3432 return -EACCES; 3433 3434 rc = security_context_to_sid(value, size, &newsid, 3435 GFP_KERNEL); 3436 if (rc) 3437 return rc; 3438 3439 spin_lock(&isec->lock); 3440 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3441 isec->sid = newsid; 3442 isec->initialized = LABEL_INITIALIZED; 3443 spin_unlock(&isec->lock); 3444 return 0; 3445 } 3446 3447 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3448 { 3449 const int len = sizeof(XATTR_NAME_SELINUX); 3450 3451 if (!selinux_initialized()) 3452 return 0; 3453 3454 if (buffer && len <= buffer_size) 3455 memcpy(buffer, XATTR_NAME_SELINUX, len); 3456 return len; 3457 } 3458 3459 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3460 { 3461 struct inode_security_struct *isec = inode_security_novalidate(inode); 3462 *secid = isec->sid; 3463 } 3464 3465 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3466 { 3467 u32 sid; 3468 struct task_security_struct *tsec; 3469 struct cred *new_creds = *new; 3470 3471 if (new_creds == NULL) { 3472 new_creds = prepare_creds(); 3473 if (!new_creds) 3474 return -ENOMEM; 3475 } 3476 3477 tsec = selinux_cred(new_creds); 3478 /* Get label from overlay inode and set it in create_sid */ 3479 selinux_inode_getsecid(d_inode(src), &sid); 3480 tsec->create_sid = sid; 3481 *new = new_creds; 3482 return 0; 3483 } 3484 3485 static int selinux_inode_copy_up_xattr(const char *name) 3486 { 3487 /* The copy_up hook above sets the initial context on an inode, but we 3488 * don't then want to overwrite it by blindly copying all the lower 3489 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3490 */ 3491 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3492 return 1; /* Discard */ 3493 /* 3494 * Any other attribute apart from SELINUX is not claimed, supported 3495 * by selinux. 3496 */ 3497 return -EOPNOTSUPP; 3498 } 3499 3500 /* kernfs node operations */ 3501 3502 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, 3503 struct kernfs_node *kn) 3504 { 3505 const struct task_security_struct *tsec = selinux_cred(current_cred()); 3506 u32 parent_sid, newsid, clen; 3507 int rc; 3508 char *context; 3509 3510 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0); 3511 if (rc == -ENODATA) 3512 return 0; 3513 else if (rc < 0) 3514 return rc; 3515 3516 clen = (u32)rc; 3517 context = kmalloc(clen, GFP_KERNEL); 3518 if (!context) 3519 return -ENOMEM; 3520 3521 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen); 3522 if (rc < 0) { 3523 kfree(context); 3524 return rc; 3525 } 3526 3527 rc = security_context_to_sid(context, clen, &parent_sid, 3528 GFP_KERNEL); 3529 kfree(context); 3530 if (rc) 3531 return rc; 3532 3533 if (tsec->create_sid) { 3534 newsid = tsec->create_sid; 3535 } else { 3536 u16 secclass = inode_mode_to_security_class(kn->mode); 3537 struct qstr q; 3538 3539 q.name = kn->name; 3540 q.hash_len = hashlen_string(kn_dir, kn->name); 3541 3542 rc = security_transition_sid(tsec->sid, 3543 parent_sid, secclass, &q, 3544 &newsid); 3545 if (rc) 3546 return rc; 3547 } 3548 3549 rc = security_sid_to_context_force(newsid, 3550 &context, &clen); 3551 if (rc) 3552 return rc; 3553 3554 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen, 3555 XATTR_CREATE); 3556 kfree(context); 3557 return rc; 3558 } 3559 3560 3561 /* file security operations */ 3562 3563 static int selinux_revalidate_file_permission(struct file *file, int mask) 3564 { 3565 const struct cred *cred = current_cred(); 3566 struct inode *inode = file_inode(file); 3567 3568 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3569 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3570 mask |= MAY_APPEND; 3571 3572 return file_has_perm(cred, file, 3573 file_mask_to_av(inode->i_mode, mask)); 3574 } 3575 3576 static int selinux_file_permission(struct file *file, int mask) 3577 { 3578 struct inode *inode = file_inode(file); 3579 struct file_security_struct *fsec = selinux_file(file); 3580 struct inode_security_struct *isec; 3581 u32 sid = current_sid(); 3582 3583 if (!mask) 3584 /* No permission to check. Existence test. */ 3585 return 0; 3586 3587 isec = inode_security(inode); 3588 if (sid == fsec->sid && fsec->isid == isec->sid && 3589 fsec->pseqno == avc_policy_seqno()) 3590 /* No change since file_open check. */ 3591 return 0; 3592 3593 return selinux_revalidate_file_permission(file, mask); 3594 } 3595 3596 static int selinux_file_alloc_security(struct file *file) 3597 { 3598 struct file_security_struct *fsec = selinux_file(file); 3599 u32 sid = current_sid(); 3600 3601 fsec->sid = sid; 3602 fsec->fown_sid = sid; 3603 3604 return 0; 3605 } 3606 3607 /* 3608 * Check whether a task has the ioctl permission and cmd 3609 * operation to an inode. 3610 */ 3611 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3612 u32 requested, u16 cmd) 3613 { 3614 struct common_audit_data ad; 3615 struct file_security_struct *fsec = selinux_file(file); 3616 struct inode *inode = file_inode(file); 3617 struct inode_security_struct *isec; 3618 struct lsm_ioctlop_audit ioctl; 3619 u32 ssid = cred_sid(cred); 3620 int rc; 3621 u8 driver = cmd >> 8; 3622 u8 xperm = cmd & 0xff; 3623 3624 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3625 ad.u.op = &ioctl; 3626 ad.u.op->cmd = cmd; 3627 ad.u.op->path = file->f_path; 3628 3629 if (ssid != fsec->sid) { 3630 rc = avc_has_perm(ssid, fsec->sid, 3631 SECCLASS_FD, 3632 FD__USE, 3633 &ad); 3634 if (rc) 3635 goto out; 3636 } 3637 3638 if (unlikely(IS_PRIVATE(inode))) 3639 return 0; 3640 3641 isec = inode_security(inode); 3642 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, 3643 requested, driver, xperm, &ad); 3644 out: 3645 return rc; 3646 } 3647 3648 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3649 unsigned long arg) 3650 { 3651 const struct cred *cred = current_cred(); 3652 int error = 0; 3653 3654 switch (cmd) { 3655 case FIONREAD: 3656 case FIBMAP: 3657 case FIGETBSZ: 3658 case FS_IOC_GETFLAGS: 3659 case FS_IOC_GETVERSION: 3660 error = file_has_perm(cred, file, FILE__GETATTR); 3661 break; 3662 3663 case FS_IOC_SETFLAGS: 3664 case FS_IOC_SETVERSION: 3665 error = file_has_perm(cred, file, FILE__SETATTR); 3666 break; 3667 3668 /* sys_ioctl() checks */ 3669 case FIONBIO: 3670 case FIOASYNC: 3671 error = file_has_perm(cred, file, 0); 3672 break; 3673 3674 case KDSKBENT: 3675 case KDSKBSENT: 3676 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3677 CAP_OPT_NONE, true); 3678 break; 3679 3680 case FIOCLEX: 3681 case FIONCLEX: 3682 if (!selinux_policycap_ioctl_skip_cloexec()) 3683 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3684 break; 3685 3686 /* default case assumes that the command will go 3687 * to the file's ioctl() function. 3688 */ 3689 default: 3690 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3691 } 3692 return error; 3693 } 3694 3695 static int default_noexec __ro_after_init; 3696 3697 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3698 { 3699 const struct cred *cred = current_cred(); 3700 u32 sid = cred_sid(cred); 3701 int rc = 0; 3702 3703 if (default_noexec && 3704 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3705 (!shared && (prot & PROT_WRITE)))) { 3706 /* 3707 * We are making executable an anonymous mapping or a 3708 * private file mapping that will also be writable. 3709 * This has an additional check. 3710 */ 3711 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3712 PROCESS__EXECMEM, NULL); 3713 if (rc) 3714 goto error; 3715 } 3716 3717 if (file) { 3718 /* read access is always possible with a mapping */ 3719 u32 av = FILE__READ; 3720 3721 /* write access only matters if the mapping is shared */ 3722 if (shared && (prot & PROT_WRITE)) 3723 av |= FILE__WRITE; 3724 3725 if (prot & PROT_EXEC) 3726 av |= FILE__EXECUTE; 3727 3728 return file_has_perm(cred, file, av); 3729 } 3730 3731 error: 3732 return rc; 3733 } 3734 3735 static int selinux_mmap_addr(unsigned long addr) 3736 { 3737 int rc = 0; 3738 3739 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3740 u32 sid = current_sid(); 3741 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3742 MEMPROTECT__MMAP_ZERO, NULL); 3743 } 3744 3745 return rc; 3746 } 3747 3748 static int selinux_mmap_file(struct file *file, 3749 unsigned long reqprot __always_unused, 3750 unsigned long prot, unsigned long flags) 3751 { 3752 struct common_audit_data ad; 3753 int rc; 3754 3755 if (file) { 3756 ad.type = LSM_AUDIT_DATA_FILE; 3757 ad.u.file = file; 3758 rc = inode_has_perm(current_cred(), file_inode(file), 3759 FILE__MAP, &ad); 3760 if (rc) 3761 return rc; 3762 } 3763 3764 return file_map_prot_check(file, prot, 3765 (flags & MAP_TYPE) == MAP_SHARED); 3766 } 3767 3768 static int selinux_file_mprotect(struct vm_area_struct *vma, 3769 unsigned long reqprot __always_unused, 3770 unsigned long prot) 3771 { 3772 const struct cred *cred = current_cred(); 3773 u32 sid = cred_sid(cred); 3774 3775 if (default_noexec && 3776 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3777 int rc = 0; 3778 if (vma->vm_start >= vma->vm_mm->start_brk && 3779 vma->vm_end <= vma->vm_mm->brk) { 3780 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3781 PROCESS__EXECHEAP, NULL); 3782 } else if (!vma->vm_file && 3783 ((vma->vm_start <= vma->vm_mm->start_stack && 3784 vma->vm_end >= vma->vm_mm->start_stack) || 3785 vma_is_stack_for_current(vma))) { 3786 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3787 PROCESS__EXECSTACK, NULL); 3788 } else if (vma->vm_file && vma->anon_vma) { 3789 /* 3790 * We are making executable a file mapping that has 3791 * had some COW done. Since pages might have been 3792 * written, check ability to execute the possibly 3793 * modified content. This typically should only 3794 * occur for text relocations. 3795 */ 3796 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3797 } 3798 if (rc) 3799 return rc; 3800 } 3801 3802 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3803 } 3804 3805 static int selinux_file_lock(struct file *file, unsigned int cmd) 3806 { 3807 const struct cred *cred = current_cred(); 3808 3809 return file_has_perm(cred, file, FILE__LOCK); 3810 } 3811 3812 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3813 unsigned long arg) 3814 { 3815 const struct cred *cred = current_cred(); 3816 int err = 0; 3817 3818 switch (cmd) { 3819 case F_SETFL: 3820 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3821 err = file_has_perm(cred, file, FILE__WRITE); 3822 break; 3823 } 3824 fallthrough; 3825 case F_SETOWN: 3826 case F_SETSIG: 3827 case F_GETFL: 3828 case F_GETOWN: 3829 case F_GETSIG: 3830 case F_GETOWNER_UIDS: 3831 /* Just check FD__USE permission */ 3832 err = file_has_perm(cred, file, 0); 3833 break; 3834 case F_GETLK: 3835 case F_SETLK: 3836 case F_SETLKW: 3837 case F_OFD_GETLK: 3838 case F_OFD_SETLK: 3839 case F_OFD_SETLKW: 3840 #if BITS_PER_LONG == 32 3841 case F_GETLK64: 3842 case F_SETLK64: 3843 case F_SETLKW64: 3844 #endif 3845 err = file_has_perm(cred, file, FILE__LOCK); 3846 break; 3847 } 3848 3849 return err; 3850 } 3851 3852 static void selinux_file_set_fowner(struct file *file) 3853 { 3854 struct file_security_struct *fsec; 3855 3856 fsec = selinux_file(file); 3857 fsec->fown_sid = current_sid(); 3858 } 3859 3860 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3861 struct fown_struct *fown, int signum) 3862 { 3863 struct file *file; 3864 u32 sid = task_sid_obj(tsk); 3865 u32 perm; 3866 struct file_security_struct *fsec; 3867 3868 /* struct fown_struct is never outside the context of a struct file */ 3869 file = container_of(fown, struct file, f_owner); 3870 3871 fsec = selinux_file(file); 3872 3873 if (!signum) 3874 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3875 else 3876 perm = signal_to_av(signum); 3877 3878 return avc_has_perm(fsec->fown_sid, sid, 3879 SECCLASS_PROCESS, perm, NULL); 3880 } 3881 3882 static int selinux_file_receive(struct file *file) 3883 { 3884 const struct cred *cred = current_cred(); 3885 3886 return file_has_perm(cred, file, file_to_av(file)); 3887 } 3888 3889 static int selinux_file_open(struct file *file) 3890 { 3891 struct file_security_struct *fsec; 3892 struct inode_security_struct *isec; 3893 3894 fsec = selinux_file(file); 3895 isec = inode_security(file_inode(file)); 3896 /* 3897 * Save inode label and policy sequence number 3898 * at open-time so that selinux_file_permission 3899 * can determine whether revalidation is necessary. 3900 * Task label is already saved in the file security 3901 * struct as its SID. 3902 */ 3903 fsec->isid = isec->sid; 3904 fsec->pseqno = avc_policy_seqno(); 3905 /* 3906 * Since the inode label or policy seqno may have changed 3907 * between the selinux_inode_permission check and the saving 3908 * of state above, recheck that access is still permitted. 3909 * Otherwise, access might never be revalidated against the 3910 * new inode label or new policy. 3911 * This check is not redundant - do not remove. 3912 */ 3913 return file_path_has_perm(file->f_cred, file, open_file_to_av(file)); 3914 } 3915 3916 /* task security operations */ 3917 3918 static int selinux_task_alloc(struct task_struct *task, 3919 unsigned long clone_flags) 3920 { 3921 u32 sid = current_sid(); 3922 3923 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3924 } 3925 3926 /* 3927 * prepare a new set of credentials for modification 3928 */ 3929 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3930 gfp_t gfp) 3931 { 3932 const struct task_security_struct *old_tsec = selinux_cred(old); 3933 struct task_security_struct *tsec = selinux_cred(new); 3934 3935 *tsec = *old_tsec; 3936 return 0; 3937 } 3938 3939 /* 3940 * transfer the SELinux data to a blank set of creds 3941 */ 3942 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3943 { 3944 const struct task_security_struct *old_tsec = selinux_cred(old); 3945 struct task_security_struct *tsec = selinux_cred(new); 3946 3947 *tsec = *old_tsec; 3948 } 3949 3950 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 3951 { 3952 *secid = cred_sid(c); 3953 } 3954 3955 /* 3956 * set the security data for a kernel service 3957 * - all the creation contexts are set to unlabelled 3958 */ 3959 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3960 { 3961 struct task_security_struct *tsec = selinux_cred(new); 3962 u32 sid = current_sid(); 3963 int ret; 3964 3965 ret = avc_has_perm(sid, secid, 3966 SECCLASS_KERNEL_SERVICE, 3967 KERNEL_SERVICE__USE_AS_OVERRIDE, 3968 NULL); 3969 if (ret == 0) { 3970 tsec->sid = secid; 3971 tsec->create_sid = 0; 3972 tsec->keycreate_sid = 0; 3973 tsec->sockcreate_sid = 0; 3974 } 3975 return ret; 3976 } 3977 3978 /* 3979 * set the file creation context in a security record to the same as the 3980 * objective context of the specified inode 3981 */ 3982 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3983 { 3984 struct inode_security_struct *isec = inode_security(inode); 3985 struct task_security_struct *tsec = selinux_cred(new); 3986 u32 sid = current_sid(); 3987 int ret; 3988 3989 ret = avc_has_perm(sid, isec->sid, 3990 SECCLASS_KERNEL_SERVICE, 3991 KERNEL_SERVICE__CREATE_FILES_AS, 3992 NULL); 3993 3994 if (ret == 0) 3995 tsec->create_sid = isec->sid; 3996 return ret; 3997 } 3998 3999 static int selinux_kernel_module_request(char *kmod_name) 4000 { 4001 struct common_audit_data ad; 4002 4003 ad.type = LSM_AUDIT_DATA_KMOD; 4004 ad.u.kmod_name = kmod_name; 4005 4006 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4007 SYSTEM__MODULE_REQUEST, &ad); 4008 } 4009 4010 static int selinux_kernel_module_from_file(struct file *file) 4011 { 4012 struct common_audit_data ad; 4013 struct inode_security_struct *isec; 4014 struct file_security_struct *fsec; 4015 u32 sid = current_sid(); 4016 int rc; 4017 4018 /* init_module */ 4019 if (file == NULL) 4020 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, 4021 SYSTEM__MODULE_LOAD, NULL); 4022 4023 /* finit_module */ 4024 4025 ad.type = LSM_AUDIT_DATA_FILE; 4026 ad.u.file = file; 4027 4028 fsec = selinux_file(file); 4029 if (sid != fsec->sid) { 4030 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4031 if (rc) 4032 return rc; 4033 } 4034 4035 isec = inode_security(file_inode(file)); 4036 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, 4037 SYSTEM__MODULE_LOAD, &ad); 4038 } 4039 4040 static int selinux_kernel_read_file(struct file *file, 4041 enum kernel_read_file_id id, 4042 bool contents) 4043 { 4044 int rc = 0; 4045 4046 switch (id) { 4047 case READING_MODULE: 4048 rc = selinux_kernel_module_from_file(contents ? file : NULL); 4049 break; 4050 default: 4051 break; 4052 } 4053 4054 return rc; 4055 } 4056 4057 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents) 4058 { 4059 int rc = 0; 4060 4061 switch (id) { 4062 case LOADING_MODULE: 4063 rc = selinux_kernel_module_from_file(NULL); 4064 break; 4065 default: 4066 break; 4067 } 4068 4069 return rc; 4070 } 4071 4072 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4073 { 4074 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4075 PROCESS__SETPGID, NULL); 4076 } 4077 4078 static int selinux_task_getpgid(struct task_struct *p) 4079 { 4080 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4081 PROCESS__GETPGID, NULL); 4082 } 4083 4084 static int selinux_task_getsid(struct task_struct *p) 4085 { 4086 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4087 PROCESS__GETSESSION, NULL); 4088 } 4089 4090 static void selinux_current_getsecid_subj(u32 *secid) 4091 { 4092 *secid = current_sid(); 4093 } 4094 4095 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid) 4096 { 4097 *secid = task_sid_obj(p); 4098 } 4099 4100 static int selinux_task_setnice(struct task_struct *p, int nice) 4101 { 4102 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4103 PROCESS__SETSCHED, NULL); 4104 } 4105 4106 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4107 { 4108 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4109 PROCESS__SETSCHED, NULL); 4110 } 4111 4112 static int selinux_task_getioprio(struct task_struct *p) 4113 { 4114 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4115 PROCESS__GETSCHED, NULL); 4116 } 4117 4118 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4119 unsigned int flags) 4120 { 4121 u32 av = 0; 4122 4123 if (!flags) 4124 return 0; 4125 if (flags & LSM_PRLIMIT_WRITE) 4126 av |= PROCESS__SETRLIMIT; 4127 if (flags & LSM_PRLIMIT_READ) 4128 av |= PROCESS__GETRLIMIT; 4129 return avc_has_perm(cred_sid(cred), cred_sid(tcred), 4130 SECCLASS_PROCESS, av, NULL); 4131 } 4132 4133 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4134 struct rlimit *new_rlim) 4135 { 4136 struct rlimit *old_rlim = p->signal->rlim + resource; 4137 4138 /* Control the ability to change the hard limit (whether 4139 lowering or raising it), so that the hard limit can 4140 later be used as a safe reset point for the soft limit 4141 upon context transitions. See selinux_bprm_committing_creds. */ 4142 if (old_rlim->rlim_max != new_rlim->rlim_max) 4143 return avc_has_perm(current_sid(), task_sid_obj(p), 4144 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4145 4146 return 0; 4147 } 4148 4149 static int selinux_task_setscheduler(struct task_struct *p) 4150 { 4151 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4152 PROCESS__SETSCHED, NULL); 4153 } 4154 4155 static int selinux_task_getscheduler(struct task_struct *p) 4156 { 4157 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4158 PROCESS__GETSCHED, NULL); 4159 } 4160 4161 static int selinux_task_movememory(struct task_struct *p) 4162 { 4163 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4164 PROCESS__SETSCHED, NULL); 4165 } 4166 4167 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, 4168 int sig, const struct cred *cred) 4169 { 4170 u32 secid; 4171 u32 perm; 4172 4173 if (!sig) 4174 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4175 else 4176 perm = signal_to_av(sig); 4177 if (!cred) 4178 secid = current_sid(); 4179 else 4180 secid = cred_sid(cred); 4181 return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL); 4182 } 4183 4184 static void selinux_task_to_inode(struct task_struct *p, 4185 struct inode *inode) 4186 { 4187 struct inode_security_struct *isec = selinux_inode(inode); 4188 u32 sid = task_sid_obj(p); 4189 4190 spin_lock(&isec->lock); 4191 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4192 isec->sid = sid; 4193 isec->initialized = LABEL_INITIALIZED; 4194 spin_unlock(&isec->lock); 4195 } 4196 4197 static int selinux_userns_create(const struct cred *cred) 4198 { 4199 u32 sid = current_sid(); 4200 4201 return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE, 4202 USER_NAMESPACE__CREATE, NULL); 4203 } 4204 4205 /* Returns error only if unable to parse addresses */ 4206 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4207 struct common_audit_data *ad, u8 *proto) 4208 { 4209 int offset, ihlen, ret = -EINVAL; 4210 struct iphdr _iph, *ih; 4211 4212 offset = skb_network_offset(skb); 4213 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4214 if (ih == NULL) 4215 goto out; 4216 4217 ihlen = ih->ihl * 4; 4218 if (ihlen < sizeof(_iph)) 4219 goto out; 4220 4221 ad->u.net->v4info.saddr = ih->saddr; 4222 ad->u.net->v4info.daddr = ih->daddr; 4223 ret = 0; 4224 4225 if (proto) 4226 *proto = ih->protocol; 4227 4228 switch (ih->protocol) { 4229 case IPPROTO_TCP: { 4230 struct tcphdr _tcph, *th; 4231 4232 if (ntohs(ih->frag_off) & IP_OFFSET) 4233 break; 4234 4235 offset += ihlen; 4236 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4237 if (th == NULL) 4238 break; 4239 4240 ad->u.net->sport = th->source; 4241 ad->u.net->dport = th->dest; 4242 break; 4243 } 4244 4245 case IPPROTO_UDP: { 4246 struct udphdr _udph, *uh; 4247 4248 if (ntohs(ih->frag_off) & IP_OFFSET) 4249 break; 4250 4251 offset += ihlen; 4252 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4253 if (uh == NULL) 4254 break; 4255 4256 ad->u.net->sport = uh->source; 4257 ad->u.net->dport = uh->dest; 4258 break; 4259 } 4260 4261 case IPPROTO_DCCP: { 4262 struct dccp_hdr _dccph, *dh; 4263 4264 if (ntohs(ih->frag_off) & IP_OFFSET) 4265 break; 4266 4267 offset += ihlen; 4268 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4269 if (dh == NULL) 4270 break; 4271 4272 ad->u.net->sport = dh->dccph_sport; 4273 ad->u.net->dport = dh->dccph_dport; 4274 break; 4275 } 4276 4277 #if IS_ENABLED(CONFIG_IP_SCTP) 4278 case IPPROTO_SCTP: { 4279 struct sctphdr _sctph, *sh; 4280 4281 if (ntohs(ih->frag_off) & IP_OFFSET) 4282 break; 4283 4284 offset += ihlen; 4285 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4286 if (sh == NULL) 4287 break; 4288 4289 ad->u.net->sport = sh->source; 4290 ad->u.net->dport = sh->dest; 4291 break; 4292 } 4293 #endif 4294 default: 4295 break; 4296 } 4297 out: 4298 return ret; 4299 } 4300 4301 #if IS_ENABLED(CONFIG_IPV6) 4302 4303 /* Returns error only if unable to parse addresses */ 4304 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4305 struct common_audit_data *ad, u8 *proto) 4306 { 4307 u8 nexthdr; 4308 int ret = -EINVAL, offset; 4309 struct ipv6hdr _ipv6h, *ip6; 4310 __be16 frag_off; 4311 4312 offset = skb_network_offset(skb); 4313 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4314 if (ip6 == NULL) 4315 goto out; 4316 4317 ad->u.net->v6info.saddr = ip6->saddr; 4318 ad->u.net->v6info.daddr = ip6->daddr; 4319 ret = 0; 4320 4321 nexthdr = ip6->nexthdr; 4322 offset += sizeof(_ipv6h); 4323 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4324 if (offset < 0) 4325 goto out; 4326 4327 if (proto) 4328 *proto = nexthdr; 4329 4330 switch (nexthdr) { 4331 case IPPROTO_TCP: { 4332 struct tcphdr _tcph, *th; 4333 4334 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4335 if (th == NULL) 4336 break; 4337 4338 ad->u.net->sport = th->source; 4339 ad->u.net->dport = th->dest; 4340 break; 4341 } 4342 4343 case IPPROTO_UDP: { 4344 struct udphdr _udph, *uh; 4345 4346 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4347 if (uh == NULL) 4348 break; 4349 4350 ad->u.net->sport = uh->source; 4351 ad->u.net->dport = uh->dest; 4352 break; 4353 } 4354 4355 case IPPROTO_DCCP: { 4356 struct dccp_hdr _dccph, *dh; 4357 4358 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4359 if (dh == NULL) 4360 break; 4361 4362 ad->u.net->sport = dh->dccph_sport; 4363 ad->u.net->dport = dh->dccph_dport; 4364 break; 4365 } 4366 4367 #if IS_ENABLED(CONFIG_IP_SCTP) 4368 case IPPROTO_SCTP: { 4369 struct sctphdr _sctph, *sh; 4370 4371 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4372 if (sh == NULL) 4373 break; 4374 4375 ad->u.net->sport = sh->source; 4376 ad->u.net->dport = sh->dest; 4377 break; 4378 } 4379 #endif 4380 /* includes fragments */ 4381 default: 4382 break; 4383 } 4384 out: 4385 return ret; 4386 } 4387 4388 #endif /* IPV6 */ 4389 4390 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4391 char **_addrp, int src, u8 *proto) 4392 { 4393 char *addrp; 4394 int ret; 4395 4396 switch (ad->u.net->family) { 4397 case PF_INET: 4398 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4399 if (ret) 4400 goto parse_error; 4401 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4402 &ad->u.net->v4info.daddr); 4403 goto okay; 4404 4405 #if IS_ENABLED(CONFIG_IPV6) 4406 case PF_INET6: 4407 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4408 if (ret) 4409 goto parse_error; 4410 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4411 &ad->u.net->v6info.daddr); 4412 goto okay; 4413 #endif /* IPV6 */ 4414 default: 4415 addrp = NULL; 4416 goto okay; 4417 } 4418 4419 parse_error: 4420 pr_warn( 4421 "SELinux: failure in selinux_parse_skb()," 4422 " unable to parse packet\n"); 4423 return ret; 4424 4425 okay: 4426 if (_addrp) 4427 *_addrp = addrp; 4428 return 0; 4429 } 4430 4431 /** 4432 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4433 * @skb: the packet 4434 * @family: protocol family 4435 * @sid: the packet's peer label SID 4436 * 4437 * Description: 4438 * Check the various different forms of network peer labeling and determine 4439 * the peer label/SID for the packet; most of the magic actually occurs in 4440 * the security server function security_net_peersid_cmp(). The function 4441 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4442 * or -EACCES if @sid is invalid due to inconsistencies with the different 4443 * peer labels. 4444 * 4445 */ 4446 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4447 { 4448 int err; 4449 u32 xfrm_sid; 4450 u32 nlbl_sid; 4451 u32 nlbl_type; 4452 4453 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4454 if (unlikely(err)) 4455 return -EACCES; 4456 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4457 if (unlikely(err)) 4458 return -EACCES; 4459 4460 err = security_net_peersid_resolve(nlbl_sid, 4461 nlbl_type, xfrm_sid, sid); 4462 if (unlikely(err)) { 4463 pr_warn( 4464 "SELinux: failure in selinux_skb_peerlbl_sid()," 4465 " unable to determine packet's peer label\n"); 4466 return -EACCES; 4467 } 4468 4469 return 0; 4470 } 4471 4472 /** 4473 * selinux_conn_sid - Determine the child socket label for a connection 4474 * @sk_sid: the parent socket's SID 4475 * @skb_sid: the packet's SID 4476 * @conn_sid: the resulting connection SID 4477 * 4478 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4479 * combined with the MLS information from @skb_sid in order to create 4480 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy 4481 * of @sk_sid. Returns zero on success, negative values on failure. 4482 * 4483 */ 4484 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4485 { 4486 int err = 0; 4487 4488 if (skb_sid != SECSID_NULL) 4489 err = security_sid_mls_copy(sk_sid, skb_sid, 4490 conn_sid); 4491 else 4492 *conn_sid = sk_sid; 4493 4494 return err; 4495 } 4496 4497 /* socket security operations */ 4498 4499 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4500 u16 secclass, u32 *socksid) 4501 { 4502 if (tsec->sockcreate_sid > SECSID_NULL) { 4503 *socksid = tsec->sockcreate_sid; 4504 return 0; 4505 } 4506 4507 return security_transition_sid(tsec->sid, tsec->sid, 4508 secclass, NULL, socksid); 4509 } 4510 4511 static int sock_has_perm(struct sock *sk, u32 perms) 4512 { 4513 struct sk_security_struct *sksec = sk->sk_security; 4514 struct common_audit_data ad; 4515 struct lsm_network_audit net = {0,}; 4516 4517 if (sksec->sid == SECINITSID_KERNEL) 4518 return 0; 4519 4520 /* 4521 * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that 4522 * inherited the kernel context from early boot used to be skipped 4523 * here, so preserve that behavior unless the capability is set. 4524 * 4525 * By setting the capability the policy signals that it is ready 4526 * for this quirk to be fixed. Note that sockets created by a kernel 4527 * thread or a usermode helper executed without a transition will 4528 * still be skipped in this check regardless of the policycap 4529 * setting. 4530 */ 4531 if (!selinux_policycap_userspace_initial_context() && 4532 sksec->sid == SECINITSID_INIT) 4533 return 0; 4534 4535 ad.type = LSM_AUDIT_DATA_NET; 4536 ad.u.net = &net; 4537 ad.u.net->sk = sk; 4538 4539 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4540 &ad); 4541 } 4542 4543 static int selinux_socket_create(int family, int type, 4544 int protocol, int kern) 4545 { 4546 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4547 u32 newsid; 4548 u16 secclass; 4549 int rc; 4550 4551 if (kern) 4552 return 0; 4553 4554 secclass = socket_type_to_security_class(family, type, protocol); 4555 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4556 if (rc) 4557 return rc; 4558 4559 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4560 } 4561 4562 static int selinux_socket_post_create(struct socket *sock, int family, 4563 int type, int protocol, int kern) 4564 { 4565 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4566 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4567 struct sk_security_struct *sksec; 4568 u16 sclass = socket_type_to_security_class(family, type, protocol); 4569 u32 sid = SECINITSID_KERNEL; 4570 int err = 0; 4571 4572 if (!kern) { 4573 err = socket_sockcreate_sid(tsec, sclass, &sid); 4574 if (err) 4575 return err; 4576 } 4577 4578 isec->sclass = sclass; 4579 isec->sid = sid; 4580 isec->initialized = LABEL_INITIALIZED; 4581 4582 if (sock->sk) { 4583 sksec = sock->sk->sk_security; 4584 sksec->sclass = sclass; 4585 sksec->sid = sid; 4586 /* Allows detection of the first association on this socket */ 4587 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4588 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4589 4590 err = selinux_netlbl_socket_post_create(sock->sk, family); 4591 } 4592 4593 return err; 4594 } 4595 4596 static int selinux_socket_socketpair(struct socket *socka, 4597 struct socket *sockb) 4598 { 4599 struct sk_security_struct *sksec_a = socka->sk->sk_security; 4600 struct sk_security_struct *sksec_b = sockb->sk->sk_security; 4601 4602 sksec_a->peer_sid = sksec_b->sid; 4603 sksec_b->peer_sid = sksec_a->sid; 4604 4605 return 0; 4606 } 4607 4608 /* Range of port numbers used to automatically bind. 4609 Need to determine whether we should perform a name_bind 4610 permission check between the socket and the port number. */ 4611 4612 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4613 { 4614 struct sock *sk = sock->sk; 4615 struct sk_security_struct *sksec = sk->sk_security; 4616 u16 family; 4617 int err; 4618 4619 err = sock_has_perm(sk, SOCKET__BIND); 4620 if (err) 4621 goto out; 4622 4623 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4624 family = sk->sk_family; 4625 if (family == PF_INET || family == PF_INET6) { 4626 char *addrp; 4627 struct common_audit_data ad; 4628 struct lsm_network_audit net = {0,}; 4629 struct sockaddr_in *addr4 = NULL; 4630 struct sockaddr_in6 *addr6 = NULL; 4631 u16 family_sa; 4632 unsigned short snum; 4633 u32 sid, node_perm; 4634 4635 /* 4636 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4637 * that validates multiple binding addresses. Because of this 4638 * need to check address->sa_family as it is possible to have 4639 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4640 */ 4641 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4642 return -EINVAL; 4643 family_sa = address->sa_family; 4644 switch (family_sa) { 4645 case AF_UNSPEC: 4646 case AF_INET: 4647 if (addrlen < sizeof(struct sockaddr_in)) 4648 return -EINVAL; 4649 addr4 = (struct sockaddr_in *)address; 4650 if (family_sa == AF_UNSPEC) { 4651 /* see __inet_bind(), we only want to allow 4652 * AF_UNSPEC if the address is INADDR_ANY 4653 */ 4654 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4655 goto err_af; 4656 family_sa = AF_INET; 4657 } 4658 snum = ntohs(addr4->sin_port); 4659 addrp = (char *)&addr4->sin_addr.s_addr; 4660 break; 4661 case AF_INET6: 4662 if (addrlen < SIN6_LEN_RFC2133) 4663 return -EINVAL; 4664 addr6 = (struct sockaddr_in6 *)address; 4665 snum = ntohs(addr6->sin6_port); 4666 addrp = (char *)&addr6->sin6_addr.s6_addr; 4667 break; 4668 default: 4669 goto err_af; 4670 } 4671 4672 ad.type = LSM_AUDIT_DATA_NET; 4673 ad.u.net = &net; 4674 ad.u.net->sport = htons(snum); 4675 ad.u.net->family = family_sa; 4676 4677 if (snum) { 4678 int low, high; 4679 4680 inet_get_local_port_range(sock_net(sk), &low, &high); 4681 4682 if (inet_port_requires_bind_service(sock_net(sk), snum) || 4683 snum < low || snum > high) { 4684 err = sel_netport_sid(sk->sk_protocol, 4685 snum, &sid); 4686 if (err) 4687 goto out; 4688 err = avc_has_perm(sksec->sid, sid, 4689 sksec->sclass, 4690 SOCKET__NAME_BIND, &ad); 4691 if (err) 4692 goto out; 4693 } 4694 } 4695 4696 switch (sksec->sclass) { 4697 case SECCLASS_TCP_SOCKET: 4698 node_perm = TCP_SOCKET__NODE_BIND; 4699 break; 4700 4701 case SECCLASS_UDP_SOCKET: 4702 node_perm = UDP_SOCKET__NODE_BIND; 4703 break; 4704 4705 case SECCLASS_DCCP_SOCKET: 4706 node_perm = DCCP_SOCKET__NODE_BIND; 4707 break; 4708 4709 case SECCLASS_SCTP_SOCKET: 4710 node_perm = SCTP_SOCKET__NODE_BIND; 4711 break; 4712 4713 default: 4714 node_perm = RAWIP_SOCKET__NODE_BIND; 4715 break; 4716 } 4717 4718 err = sel_netnode_sid(addrp, family_sa, &sid); 4719 if (err) 4720 goto out; 4721 4722 if (family_sa == AF_INET) 4723 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4724 else 4725 ad.u.net->v6info.saddr = addr6->sin6_addr; 4726 4727 err = avc_has_perm(sksec->sid, sid, 4728 sksec->sclass, node_perm, &ad); 4729 if (err) 4730 goto out; 4731 } 4732 out: 4733 return err; 4734 err_af: 4735 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4736 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4737 return -EINVAL; 4738 return -EAFNOSUPPORT; 4739 } 4740 4741 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 4742 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst 4743 */ 4744 static int selinux_socket_connect_helper(struct socket *sock, 4745 struct sockaddr *address, int addrlen) 4746 { 4747 struct sock *sk = sock->sk; 4748 struct sk_security_struct *sksec = sk->sk_security; 4749 int err; 4750 4751 err = sock_has_perm(sk, SOCKET__CONNECT); 4752 if (err) 4753 return err; 4754 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4755 return -EINVAL; 4756 4757 /* connect(AF_UNSPEC) has special handling, as it is a documented 4758 * way to disconnect the socket 4759 */ 4760 if (address->sa_family == AF_UNSPEC) 4761 return 0; 4762 4763 /* 4764 * If a TCP, DCCP or SCTP socket, check name_connect permission 4765 * for the port. 4766 */ 4767 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4768 sksec->sclass == SECCLASS_DCCP_SOCKET || 4769 sksec->sclass == SECCLASS_SCTP_SOCKET) { 4770 struct common_audit_data ad; 4771 struct lsm_network_audit net = {0,}; 4772 struct sockaddr_in *addr4 = NULL; 4773 struct sockaddr_in6 *addr6 = NULL; 4774 unsigned short snum; 4775 u32 sid, perm; 4776 4777 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 4778 * that validates multiple connect addresses. Because of this 4779 * need to check address->sa_family as it is possible to have 4780 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4781 */ 4782 switch (address->sa_family) { 4783 case AF_INET: 4784 addr4 = (struct sockaddr_in *)address; 4785 if (addrlen < sizeof(struct sockaddr_in)) 4786 return -EINVAL; 4787 snum = ntohs(addr4->sin_port); 4788 break; 4789 case AF_INET6: 4790 addr6 = (struct sockaddr_in6 *)address; 4791 if (addrlen < SIN6_LEN_RFC2133) 4792 return -EINVAL; 4793 snum = ntohs(addr6->sin6_port); 4794 break; 4795 default: 4796 /* Note that SCTP services expect -EINVAL, whereas 4797 * others expect -EAFNOSUPPORT. 4798 */ 4799 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4800 return -EINVAL; 4801 else 4802 return -EAFNOSUPPORT; 4803 } 4804 4805 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4806 if (err) 4807 return err; 4808 4809 switch (sksec->sclass) { 4810 case SECCLASS_TCP_SOCKET: 4811 perm = TCP_SOCKET__NAME_CONNECT; 4812 break; 4813 case SECCLASS_DCCP_SOCKET: 4814 perm = DCCP_SOCKET__NAME_CONNECT; 4815 break; 4816 case SECCLASS_SCTP_SOCKET: 4817 perm = SCTP_SOCKET__NAME_CONNECT; 4818 break; 4819 } 4820 4821 ad.type = LSM_AUDIT_DATA_NET; 4822 ad.u.net = &net; 4823 ad.u.net->dport = htons(snum); 4824 ad.u.net->family = address->sa_family; 4825 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 4826 if (err) 4827 return err; 4828 } 4829 4830 return 0; 4831 } 4832 4833 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 4834 static int selinux_socket_connect(struct socket *sock, 4835 struct sockaddr *address, int addrlen) 4836 { 4837 int err; 4838 struct sock *sk = sock->sk; 4839 4840 err = selinux_socket_connect_helper(sock, address, addrlen); 4841 if (err) 4842 return err; 4843 4844 return selinux_netlbl_socket_connect(sk, address); 4845 } 4846 4847 static int selinux_socket_listen(struct socket *sock, int backlog) 4848 { 4849 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4850 } 4851 4852 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4853 { 4854 int err; 4855 struct inode_security_struct *isec; 4856 struct inode_security_struct *newisec; 4857 u16 sclass; 4858 u32 sid; 4859 4860 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4861 if (err) 4862 return err; 4863 4864 isec = inode_security_novalidate(SOCK_INODE(sock)); 4865 spin_lock(&isec->lock); 4866 sclass = isec->sclass; 4867 sid = isec->sid; 4868 spin_unlock(&isec->lock); 4869 4870 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4871 newisec->sclass = sclass; 4872 newisec->sid = sid; 4873 newisec->initialized = LABEL_INITIALIZED; 4874 4875 return 0; 4876 } 4877 4878 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4879 int size) 4880 { 4881 return sock_has_perm(sock->sk, SOCKET__WRITE); 4882 } 4883 4884 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4885 int size, int flags) 4886 { 4887 return sock_has_perm(sock->sk, SOCKET__READ); 4888 } 4889 4890 static int selinux_socket_getsockname(struct socket *sock) 4891 { 4892 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4893 } 4894 4895 static int selinux_socket_getpeername(struct socket *sock) 4896 { 4897 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4898 } 4899 4900 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4901 { 4902 int err; 4903 4904 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 4905 if (err) 4906 return err; 4907 4908 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4909 } 4910 4911 static int selinux_socket_getsockopt(struct socket *sock, int level, 4912 int optname) 4913 { 4914 return sock_has_perm(sock->sk, SOCKET__GETOPT); 4915 } 4916 4917 static int selinux_socket_shutdown(struct socket *sock, int how) 4918 { 4919 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 4920 } 4921 4922 static int selinux_socket_unix_stream_connect(struct sock *sock, 4923 struct sock *other, 4924 struct sock *newsk) 4925 { 4926 struct sk_security_struct *sksec_sock = sock->sk_security; 4927 struct sk_security_struct *sksec_other = other->sk_security; 4928 struct sk_security_struct *sksec_new = newsk->sk_security; 4929 struct common_audit_data ad; 4930 struct lsm_network_audit net = {0,}; 4931 int err; 4932 4933 ad.type = LSM_AUDIT_DATA_NET; 4934 ad.u.net = &net; 4935 ad.u.net->sk = other; 4936 4937 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4938 sksec_other->sclass, 4939 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4940 if (err) 4941 return err; 4942 4943 /* server child socket */ 4944 sksec_new->peer_sid = sksec_sock->sid; 4945 err = security_sid_mls_copy(sksec_other->sid, 4946 sksec_sock->sid, &sksec_new->sid); 4947 if (err) 4948 return err; 4949 4950 /* connecting socket */ 4951 sksec_sock->peer_sid = sksec_new->sid; 4952 4953 return 0; 4954 } 4955 4956 static int selinux_socket_unix_may_send(struct socket *sock, 4957 struct socket *other) 4958 { 4959 struct sk_security_struct *ssec = sock->sk->sk_security; 4960 struct sk_security_struct *osec = other->sk->sk_security; 4961 struct common_audit_data ad; 4962 struct lsm_network_audit net = {0,}; 4963 4964 ad.type = LSM_AUDIT_DATA_NET; 4965 ad.u.net = &net; 4966 ad.u.net->sk = other->sk; 4967 4968 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4969 &ad); 4970 } 4971 4972 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4973 char *addrp, u16 family, u32 peer_sid, 4974 struct common_audit_data *ad) 4975 { 4976 int err; 4977 u32 if_sid; 4978 u32 node_sid; 4979 4980 err = sel_netif_sid(ns, ifindex, &if_sid); 4981 if (err) 4982 return err; 4983 err = avc_has_perm(peer_sid, if_sid, 4984 SECCLASS_NETIF, NETIF__INGRESS, ad); 4985 if (err) 4986 return err; 4987 4988 err = sel_netnode_sid(addrp, family, &node_sid); 4989 if (err) 4990 return err; 4991 return avc_has_perm(peer_sid, node_sid, 4992 SECCLASS_NODE, NODE__RECVFROM, ad); 4993 } 4994 4995 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4996 u16 family) 4997 { 4998 int err = 0; 4999 struct sk_security_struct *sksec = sk->sk_security; 5000 u32 sk_sid = sksec->sid; 5001 struct common_audit_data ad; 5002 struct lsm_network_audit net = {0,}; 5003 char *addrp; 5004 5005 ad.type = LSM_AUDIT_DATA_NET; 5006 ad.u.net = &net; 5007 ad.u.net->netif = skb->skb_iif; 5008 ad.u.net->family = family; 5009 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5010 if (err) 5011 return err; 5012 5013 if (selinux_secmark_enabled()) { 5014 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5015 PACKET__RECV, &ad); 5016 if (err) 5017 return err; 5018 } 5019 5020 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 5021 if (err) 5022 return err; 5023 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 5024 5025 return err; 5026 } 5027 5028 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 5029 { 5030 int err; 5031 struct sk_security_struct *sksec = sk->sk_security; 5032 u16 family = sk->sk_family; 5033 u32 sk_sid = sksec->sid; 5034 struct common_audit_data ad; 5035 struct lsm_network_audit net = {0,}; 5036 char *addrp; 5037 u8 secmark_active; 5038 u8 peerlbl_active; 5039 5040 if (family != PF_INET && family != PF_INET6) 5041 return 0; 5042 5043 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5044 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5045 family = PF_INET; 5046 5047 /* If any sort of compatibility mode is enabled then handoff processing 5048 * to the selinux_sock_rcv_skb_compat() function to deal with the 5049 * special handling. We do this in an attempt to keep this function 5050 * as fast and as clean as possible. */ 5051 if (!selinux_policycap_netpeer()) 5052 return selinux_sock_rcv_skb_compat(sk, skb, family); 5053 5054 secmark_active = selinux_secmark_enabled(); 5055 peerlbl_active = selinux_peerlbl_enabled(); 5056 if (!secmark_active && !peerlbl_active) 5057 return 0; 5058 5059 ad.type = LSM_AUDIT_DATA_NET; 5060 ad.u.net = &net; 5061 ad.u.net->netif = skb->skb_iif; 5062 ad.u.net->family = family; 5063 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5064 if (err) 5065 return err; 5066 5067 if (peerlbl_active) { 5068 u32 peer_sid; 5069 5070 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5071 if (err) 5072 return err; 5073 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5074 addrp, family, peer_sid, &ad); 5075 if (err) { 5076 selinux_netlbl_err(skb, family, err, 0); 5077 return err; 5078 } 5079 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 5080 PEER__RECV, &ad); 5081 if (err) { 5082 selinux_netlbl_err(skb, family, err, 0); 5083 return err; 5084 } 5085 } 5086 5087 if (secmark_active) { 5088 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5089 PACKET__RECV, &ad); 5090 if (err) 5091 return err; 5092 } 5093 5094 return err; 5095 } 5096 5097 static int selinux_socket_getpeersec_stream(struct socket *sock, 5098 sockptr_t optval, sockptr_t optlen, 5099 unsigned int len) 5100 { 5101 int err = 0; 5102 char *scontext = NULL; 5103 u32 scontext_len; 5104 struct sk_security_struct *sksec = sock->sk->sk_security; 5105 u32 peer_sid = SECSID_NULL; 5106 5107 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5108 sksec->sclass == SECCLASS_TCP_SOCKET || 5109 sksec->sclass == SECCLASS_SCTP_SOCKET) 5110 peer_sid = sksec->peer_sid; 5111 if (peer_sid == SECSID_NULL) 5112 return -ENOPROTOOPT; 5113 5114 err = security_sid_to_context(peer_sid, &scontext, 5115 &scontext_len); 5116 if (err) 5117 return err; 5118 if (scontext_len > len) { 5119 err = -ERANGE; 5120 goto out_len; 5121 } 5122 5123 if (copy_to_sockptr(optval, scontext, scontext_len)) 5124 err = -EFAULT; 5125 out_len: 5126 if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len))) 5127 err = -EFAULT; 5128 kfree(scontext); 5129 return err; 5130 } 5131 5132 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 5133 { 5134 u32 peer_secid = SECSID_NULL; 5135 u16 family; 5136 struct inode_security_struct *isec; 5137 5138 if (skb && skb->protocol == htons(ETH_P_IP)) 5139 family = PF_INET; 5140 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5141 family = PF_INET6; 5142 else if (sock) 5143 family = sock->sk->sk_family; 5144 else 5145 goto out; 5146 5147 if (sock && family == PF_UNIX) { 5148 isec = inode_security_novalidate(SOCK_INODE(sock)); 5149 peer_secid = isec->sid; 5150 } else if (skb) 5151 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5152 5153 out: 5154 *secid = peer_secid; 5155 if (peer_secid == SECSID_NULL) 5156 return -EINVAL; 5157 return 0; 5158 } 5159 5160 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5161 { 5162 struct sk_security_struct *sksec; 5163 5164 sksec = kzalloc(sizeof(*sksec), priority); 5165 if (!sksec) 5166 return -ENOMEM; 5167 5168 sksec->peer_sid = SECINITSID_UNLABELED; 5169 sksec->sid = SECINITSID_UNLABELED; 5170 sksec->sclass = SECCLASS_SOCKET; 5171 selinux_netlbl_sk_security_reset(sksec); 5172 sk->sk_security = sksec; 5173 5174 return 0; 5175 } 5176 5177 static void selinux_sk_free_security(struct sock *sk) 5178 { 5179 struct sk_security_struct *sksec = sk->sk_security; 5180 5181 sk->sk_security = NULL; 5182 selinux_netlbl_sk_security_free(sksec); 5183 kfree(sksec); 5184 } 5185 5186 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5187 { 5188 struct sk_security_struct *sksec = sk->sk_security; 5189 struct sk_security_struct *newsksec = newsk->sk_security; 5190 5191 newsksec->sid = sksec->sid; 5192 newsksec->peer_sid = sksec->peer_sid; 5193 newsksec->sclass = sksec->sclass; 5194 5195 selinux_netlbl_sk_security_reset(newsksec); 5196 } 5197 5198 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 5199 { 5200 if (!sk) 5201 *secid = SECINITSID_ANY_SOCKET; 5202 else { 5203 struct sk_security_struct *sksec = sk->sk_security; 5204 5205 *secid = sksec->sid; 5206 } 5207 } 5208 5209 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5210 { 5211 struct inode_security_struct *isec = 5212 inode_security_novalidate(SOCK_INODE(parent)); 5213 struct sk_security_struct *sksec = sk->sk_security; 5214 5215 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5216 sk->sk_family == PF_UNIX) 5217 isec->sid = sksec->sid; 5218 sksec->sclass = isec->sclass; 5219 } 5220 5221 /* 5222 * Determines peer_secid for the asoc and updates socket's peer label 5223 * if it's the first association on the socket. 5224 */ 5225 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc, 5226 struct sk_buff *skb) 5227 { 5228 struct sock *sk = asoc->base.sk; 5229 u16 family = sk->sk_family; 5230 struct sk_security_struct *sksec = sk->sk_security; 5231 struct common_audit_data ad; 5232 struct lsm_network_audit net = {0,}; 5233 int err; 5234 5235 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5236 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5237 family = PF_INET; 5238 5239 if (selinux_peerlbl_enabled()) { 5240 asoc->peer_secid = SECSID_NULL; 5241 5242 /* This will return peer_sid = SECSID_NULL if there are 5243 * no peer labels, see security_net_peersid_resolve(). 5244 */ 5245 err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid); 5246 if (err) 5247 return err; 5248 5249 if (asoc->peer_secid == SECSID_NULL) 5250 asoc->peer_secid = SECINITSID_UNLABELED; 5251 } else { 5252 asoc->peer_secid = SECINITSID_UNLABELED; 5253 } 5254 5255 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5256 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5257 5258 /* Here as first association on socket. As the peer SID 5259 * was allowed by peer recv (and the netif/node checks), 5260 * then it is approved by policy and used as the primary 5261 * peer SID for getpeercon(3). 5262 */ 5263 sksec->peer_sid = asoc->peer_secid; 5264 } else if (sksec->peer_sid != asoc->peer_secid) { 5265 /* Other association peer SIDs are checked to enforce 5266 * consistency among the peer SIDs. 5267 */ 5268 ad.type = LSM_AUDIT_DATA_NET; 5269 ad.u.net = &net; 5270 ad.u.net->sk = asoc->base.sk; 5271 err = avc_has_perm(sksec->peer_sid, asoc->peer_secid, 5272 sksec->sclass, SCTP_SOCKET__ASSOCIATION, 5273 &ad); 5274 if (err) 5275 return err; 5276 } 5277 return 0; 5278 } 5279 5280 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This 5281 * happens on an incoming connect(2), sctp_connectx(3) or 5282 * sctp_sendmsg(3) (with no association already present). 5283 */ 5284 static int selinux_sctp_assoc_request(struct sctp_association *asoc, 5285 struct sk_buff *skb) 5286 { 5287 struct sk_security_struct *sksec = asoc->base.sk->sk_security; 5288 u32 conn_sid; 5289 int err; 5290 5291 if (!selinux_policycap_extsockclass()) 5292 return 0; 5293 5294 err = selinux_sctp_process_new_assoc(asoc, skb); 5295 if (err) 5296 return err; 5297 5298 /* Compute the MLS component for the connection and store 5299 * the information in asoc. This will be used by SCTP TCP type 5300 * sockets and peeled off connections as they cause a new 5301 * socket to be generated. selinux_sctp_sk_clone() will then 5302 * plug this into the new socket. 5303 */ 5304 err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid); 5305 if (err) 5306 return err; 5307 5308 asoc->secid = conn_sid; 5309 5310 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5311 return selinux_netlbl_sctp_assoc_request(asoc, skb); 5312 } 5313 5314 /* Called when SCTP receives a COOKIE ACK chunk as the final 5315 * response to an association request (initited by us). 5316 */ 5317 static int selinux_sctp_assoc_established(struct sctp_association *asoc, 5318 struct sk_buff *skb) 5319 { 5320 struct sk_security_struct *sksec = asoc->base.sk->sk_security; 5321 5322 if (!selinux_policycap_extsockclass()) 5323 return 0; 5324 5325 /* Inherit secid from the parent socket - this will be picked up 5326 * by selinux_sctp_sk_clone() if the association gets peeled off 5327 * into a new socket. 5328 */ 5329 asoc->secid = sksec->sid; 5330 5331 return selinux_sctp_process_new_assoc(asoc, skb); 5332 } 5333 5334 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5335 * based on their @optname. 5336 */ 5337 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5338 struct sockaddr *address, 5339 int addrlen) 5340 { 5341 int len, err = 0, walk_size = 0; 5342 void *addr_buf; 5343 struct sockaddr *addr; 5344 struct socket *sock; 5345 5346 if (!selinux_policycap_extsockclass()) 5347 return 0; 5348 5349 /* Process one or more addresses that may be IPv4 or IPv6 */ 5350 sock = sk->sk_socket; 5351 addr_buf = address; 5352 5353 while (walk_size < addrlen) { 5354 if (walk_size + sizeof(sa_family_t) > addrlen) 5355 return -EINVAL; 5356 5357 addr = addr_buf; 5358 switch (addr->sa_family) { 5359 case AF_UNSPEC: 5360 case AF_INET: 5361 len = sizeof(struct sockaddr_in); 5362 break; 5363 case AF_INET6: 5364 len = sizeof(struct sockaddr_in6); 5365 break; 5366 default: 5367 return -EINVAL; 5368 } 5369 5370 if (walk_size + len > addrlen) 5371 return -EINVAL; 5372 5373 err = -EINVAL; 5374 switch (optname) { 5375 /* Bind checks */ 5376 case SCTP_PRIMARY_ADDR: 5377 case SCTP_SET_PEER_PRIMARY_ADDR: 5378 case SCTP_SOCKOPT_BINDX_ADD: 5379 err = selinux_socket_bind(sock, addr, len); 5380 break; 5381 /* Connect checks */ 5382 case SCTP_SOCKOPT_CONNECTX: 5383 case SCTP_PARAM_SET_PRIMARY: 5384 case SCTP_PARAM_ADD_IP: 5385 case SCTP_SENDMSG_CONNECT: 5386 err = selinux_socket_connect_helper(sock, addr, len); 5387 if (err) 5388 return err; 5389 5390 /* As selinux_sctp_bind_connect() is called by the 5391 * SCTP protocol layer, the socket is already locked, 5392 * therefore selinux_netlbl_socket_connect_locked() 5393 * is called here. The situations handled are: 5394 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5395 * whenever a new IP address is added or when a new 5396 * primary address is selected. 5397 * Note that an SCTP connect(2) call happens before 5398 * the SCTP protocol layer and is handled via 5399 * selinux_socket_connect(). 5400 */ 5401 err = selinux_netlbl_socket_connect_locked(sk, addr); 5402 break; 5403 } 5404 5405 if (err) 5406 return err; 5407 5408 addr_buf += len; 5409 walk_size += len; 5410 } 5411 5412 return 0; 5413 } 5414 5415 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5416 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, 5417 struct sock *newsk) 5418 { 5419 struct sk_security_struct *sksec = sk->sk_security; 5420 struct sk_security_struct *newsksec = newsk->sk_security; 5421 5422 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5423 * the non-sctp clone version. 5424 */ 5425 if (!selinux_policycap_extsockclass()) 5426 return selinux_sk_clone_security(sk, newsk); 5427 5428 newsksec->sid = asoc->secid; 5429 newsksec->peer_sid = asoc->peer_secid; 5430 newsksec->sclass = sksec->sclass; 5431 selinux_netlbl_sctp_sk_clone(sk, newsk); 5432 } 5433 5434 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk) 5435 { 5436 struct sk_security_struct *ssksec = ssk->sk_security; 5437 struct sk_security_struct *sksec = sk->sk_security; 5438 5439 ssksec->sclass = sksec->sclass; 5440 ssksec->sid = sksec->sid; 5441 5442 /* replace the existing subflow label deleting the existing one 5443 * and re-recreating a new label using the updated context 5444 */ 5445 selinux_netlbl_sk_security_free(ssksec); 5446 return selinux_netlbl_socket_post_create(ssk, ssk->sk_family); 5447 } 5448 5449 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 5450 struct request_sock *req) 5451 { 5452 struct sk_security_struct *sksec = sk->sk_security; 5453 int err; 5454 u16 family = req->rsk_ops->family; 5455 u32 connsid; 5456 u32 peersid; 5457 5458 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5459 if (err) 5460 return err; 5461 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5462 if (err) 5463 return err; 5464 req->secid = connsid; 5465 req->peer_secid = peersid; 5466 5467 return selinux_netlbl_inet_conn_request(req, family); 5468 } 5469 5470 static void selinux_inet_csk_clone(struct sock *newsk, 5471 const struct request_sock *req) 5472 { 5473 struct sk_security_struct *newsksec = newsk->sk_security; 5474 5475 newsksec->sid = req->secid; 5476 newsksec->peer_sid = req->peer_secid; 5477 /* NOTE: Ideally, we should also get the isec->sid for the 5478 new socket in sync, but we don't have the isec available yet. 5479 So we will wait until sock_graft to do it, by which 5480 time it will have been created and available. */ 5481 5482 /* We don't need to take any sort of lock here as we are the only 5483 * thread with access to newsksec */ 5484 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5485 } 5486 5487 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5488 { 5489 u16 family = sk->sk_family; 5490 struct sk_security_struct *sksec = sk->sk_security; 5491 5492 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5493 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5494 family = PF_INET; 5495 5496 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5497 } 5498 5499 static int selinux_secmark_relabel_packet(u32 sid) 5500 { 5501 const struct task_security_struct *__tsec; 5502 u32 tsid; 5503 5504 __tsec = selinux_cred(current_cred()); 5505 tsid = __tsec->sid; 5506 5507 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, 5508 NULL); 5509 } 5510 5511 static void selinux_secmark_refcount_inc(void) 5512 { 5513 atomic_inc(&selinux_secmark_refcount); 5514 } 5515 5516 static void selinux_secmark_refcount_dec(void) 5517 { 5518 atomic_dec(&selinux_secmark_refcount); 5519 } 5520 5521 static void selinux_req_classify_flow(const struct request_sock *req, 5522 struct flowi_common *flic) 5523 { 5524 flic->flowic_secid = req->secid; 5525 } 5526 5527 static int selinux_tun_dev_alloc_security(void **security) 5528 { 5529 struct tun_security_struct *tunsec; 5530 5531 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5532 if (!tunsec) 5533 return -ENOMEM; 5534 tunsec->sid = current_sid(); 5535 5536 *security = tunsec; 5537 return 0; 5538 } 5539 5540 static void selinux_tun_dev_free_security(void *security) 5541 { 5542 kfree(security); 5543 } 5544 5545 static int selinux_tun_dev_create(void) 5546 { 5547 u32 sid = current_sid(); 5548 5549 /* we aren't taking into account the "sockcreate" SID since the socket 5550 * that is being created here is not a socket in the traditional sense, 5551 * instead it is a private sock, accessible only to the kernel, and 5552 * representing a wide range of network traffic spanning multiple 5553 * connections unlike traditional sockets - check the TUN driver to 5554 * get a better understanding of why this socket is special */ 5555 5556 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5557 NULL); 5558 } 5559 5560 static int selinux_tun_dev_attach_queue(void *security) 5561 { 5562 struct tun_security_struct *tunsec = security; 5563 5564 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5565 TUN_SOCKET__ATTACH_QUEUE, NULL); 5566 } 5567 5568 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5569 { 5570 struct tun_security_struct *tunsec = security; 5571 struct sk_security_struct *sksec = sk->sk_security; 5572 5573 /* we don't currently perform any NetLabel based labeling here and it 5574 * isn't clear that we would want to do so anyway; while we could apply 5575 * labeling without the support of the TUN user the resulting labeled 5576 * traffic from the other end of the connection would almost certainly 5577 * cause confusion to the TUN user that had no idea network labeling 5578 * protocols were being used */ 5579 5580 sksec->sid = tunsec->sid; 5581 sksec->sclass = SECCLASS_TUN_SOCKET; 5582 5583 return 0; 5584 } 5585 5586 static int selinux_tun_dev_open(void *security) 5587 { 5588 struct tun_security_struct *tunsec = security; 5589 u32 sid = current_sid(); 5590 int err; 5591 5592 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5593 TUN_SOCKET__RELABELFROM, NULL); 5594 if (err) 5595 return err; 5596 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 5597 TUN_SOCKET__RELABELTO, NULL); 5598 if (err) 5599 return err; 5600 tunsec->sid = sid; 5601 5602 return 0; 5603 } 5604 5605 #ifdef CONFIG_NETFILTER 5606 5607 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb, 5608 const struct nf_hook_state *state) 5609 { 5610 int ifindex; 5611 u16 family; 5612 char *addrp; 5613 u32 peer_sid; 5614 struct common_audit_data ad; 5615 struct lsm_network_audit net = {0,}; 5616 int secmark_active, peerlbl_active; 5617 5618 if (!selinux_policycap_netpeer()) 5619 return NF_ACCEPT; 5620 5621 secmark_active = selinux_secmark_enabled(); 5622 peerlbl_active = selinux_peerlbl_enabled(); 5623 if (!secmark_active && !peerlbl_active) 5624 return NF_ACCEPT; 5625 5626 family = state->pf; 5627 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5628 return NF_DROP; 5629 5630 ifindex = state->in->ifindex; 5631 ad.type = LSM_AUDIT_DATA_NET; 5632 ad.u.net = &net; 5633 ad.u.net->netif = ifindex; 5634 ad.u.net->family = family; 5635 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5636 return NF_DROP; 5637 5638 if (peerlbl_active) { 5639 int err; 5640 5641 err = selinux_inet_sys_rcv_skb(state->net, ifindex, 5642 addrp, family, peer_sid, &ad); 5643 if (err) { 5644 selinux_netlbl_err(skb, family, err, 1); 5645 return NF_DROP; 5646 } 5647 } 5648 5649 if (secmark_active) 5650 if (avc_has_perm(peer_sid, skb->secmark, 5651 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5652 return NF_DROP; 5653 5654 if (netlbl_enabled()) 5655 /* we do this in the FORWARD path and not the POST_ROUTING 5656 * path because we want to make sure we apply the necessary 5657 * labeling before IPsec is applied so we can leverage AH 5658 * protection */ 5659 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5660 return NF_DROP; 5661 5662 return NF_ACCEPT; 5663 } 5664 5665 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb, 5666 const struct nf_hook_state *state) 5667 { 5668 struct sock *sk; 5669 u32 sid; 5670 5671 if (!netlbl_enabled()) 5672 return NF_ACCEPT; 5673 5674 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5675 * because we want to make sure we apply the necessary labeling 5676 * before IPsec is applied so we can leverage AH protection */ 5677 sk = skb->sk; 5678 if (sk) { 5679 struct sk_security_struct *sksec; 5680 5681 if (sk_listener(sk)) 5682 /* if the socket is the listening state then this 5683 * packet is a SYN-ACK packet which means it needs to 5684 * be labeled based on the connection/request_sock and 5685 * not the parent socket. unfortunately, we can't 5686 * lookup the request_sock yet as it isn't queued on 5687 * the parent socket until after the SYN-ACK is sent. 5688 * the "solution" is to simply pass the packet as-is 5689 * as any IP option based labeling should be copied 5690 * from the initial connection request (in the IP 5691 * layer). it is far from ideal, but until we get a 5692 * security label in the packet itself this is the 5693 * best we can do. */ 5694 return NF_ACCEPT; 5695 5696 /* standard practice, label using the parent socket */ 5697 sksec = sk->sk_security; 5698 sid = sksec->sid; 5699 } else 5700 sid = SECINITSID_KERNEL; 5701 if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0) 5702 return NF_DROP; 5703 5704 return NF_ACCEPT; 5705 } 5706 5707 5708 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5709 const struct nf_hook_state *state) 5710 { 5711 struct sock *sk; 5712 struct sk_security_struct *sksec; 5713 struct common_audit_data ad; 5714 struct lsm_network_audit net = {0,}; 5715 u8 proto = 0; 5716 5717 sk = skb_to_full_sk(skb); 5718 if (sk == NULL) 5719 return NF_ACCEPT; 5720 sksec = sk->sk_security; 5721 5722 ad.type = LSM_AUDIT_DATA_NET; 5723 ad.u.net = &net; 5724 ad.u.net->netif = state->out->ifindex; 5725 ad.u.net->family = state->pf; 5726 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto)) 5727 return NF_DROP; 5728 5729 if (selinux_secmark_enabled()) 5730 if (avc_has_perm(sksec->sid, skb->secmark, 5731 SECCLASS_PACKET, PACKET__SEND, &ad)) 5732 return NF_DROP_ERR(-ECONNREFUSED); 5733 5734 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5735 return NF_DROP_ERR(-ECONNREFUSED); 5736 5737 return NF_ACCEPT; 5738 } 5739 5740 static unsigned int selinux_ip_postroute(void *priv, 5741 struct sk_buff *skb, 5742 const struct nf_hook_state *state) 5743 { 5744 u16 family; 5745 u32 secmark_perm; 5746 u32 peer_sid; 5747 int ifindex; 5748 struct sock *sk; 5749 struct common_audit_data ad; 5750 struct lsm_network_audit net = {0,}; 5751 char *addrp; 5752 int secmark_active, peerlbl_active; 5753 5754 /* If any sort of compatibility mode is enabled then handoff processing 5755 * to the selinux_ip_postroute_compat() function to deal with the 5756 * special handling. We do this in an attempt to keep this function 5757 * as fast and as clean as possible. */ 5758 if (!selinux_policycap_netpeer()) 5759 return selinux_ip_postroute_compat(skb, state); 5760 5761 secmark_active = selinux_secmark_enabled(); 5762 peerlbl_active = selinux_peerlbl_enabled(); 5763 if (!secmark_active && !peerlbl_active) 5764 return NF_ACCEPT; 5765 5766 sk = skb_to_full_sk(skb); 5767 5768 #ifdef CONFIG_XFRM 5769 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5770 * packet transformation so allow the packet to pass without any checks 5771 * since we'll have another chance to perform access control checks 5772 * when the packet is on it's final way out. 5773 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5774 * is NULL, in this case go ahead and apply access control. 5775 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5776 * TCP listening state we cannot wait until the XFRM processing 5777 * is done as we will miss out on the SA label if we do; 5778 * unfortunately, this means more work, but it is only once per 5779 * connection. */ 5780 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5781 !(sk && sk_listener(sk))) 5782 return NF_ACCEPT; 5783 #endif 5784 5785 family = state->pf; 5786 if (sk == NULL) { 5787 /* Without an associated socket the packet is either coming 5788 * from the kernel or it is being forwarded; check the packet 5789 * to determine which and if the packet is being forwarded 5790 * query the packet directly to determine the security label. */ 5791 if (skb->skb_iif) { 5792 secmark_perm = PACKET__FORWARD_OUT; 5793 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5794 return NF_DROP; 5795 } else { 5796 secmark_perm = PACKET__SEND; 5797 peer_sid = SECINITSID_KERNEL; 5798 } 5799 } else if (sk_listener(sk)) { 5800 /* Locally generated packet but the associated socket is in the 5801 * listening state which means this is a SYN-ACK packet. In 5802 * this particular case the correct security label is assigned 5803 * to the connection/request_sock but unfortunately we can't 5804 * query the request_sock as it isn't queued on the parent 5805 * socket until after the SYN-ACK packet is sent; the only 5806 * viable choice is to regenerate the label like we do in 5807 * selinux_inet_conn_request(). See also selinux_ip_output() 5808 * for similar problems. */ 5809 u32 skb_sid; 5810 struct sk_security_struct *sksec; 5811 5812 sksec = sk->sk_security; 5813 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5814 return NF_DROP; 5815 /* At this point, if the returned skb peerlbl is SECSID_NULL 5816 * and the packet has been through at least one XFRM 5817 * transformation then we must be dealing with the "final" 5818 * form of labeled IPsec packet; since we've already applied 5819 * all of our access controls on this packet we can safely 5820 * pass the packet. */ 5821 if (skb_sid == SECSID_NULL) { 5822 switch (family) { 5823 case PF_INET: 5824 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5825 return NF_ACCEPT; 5826 break; 5827 case PF_INET6: 5828 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5829 return NF_ACCEPT; 5830 break; 5831 default: 5832 return NF_DROP_ERR(-ECONNREFUSED); 5833 } 5834 } 5835 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5836 return NF_DROP; 5837 secmark_perm = PACKET__SEND; 5838 } else { 5839 /* Locally generated packet, fetch the security label from the 5840 * associated socket. */ 5841 struct sk_security_struct *sksec = sk->sk_security; 5842 peer_sid = sksec->sid; 5843 secmark_perm = PACKET__SEND; 5844 } 5845 5846 ifindex = state->out->ifindex; 5847 ad.type = LSM_AUDIT_DATA_NET; 5848 ad.u.net = &net; 5849 ad.u.net->netif = ifindex; 5850 ad.u.net->family = family; 5851 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5852 return NF_DROP; 5853 5854 if (secmark_active) 5855 if (avc_has_perm(peer_sid, skb->secmark, 5856 SECCLASS_PACKET, secmark_perm, &ad)) 5857 return NF_DROP_ERR(-ECONNREFUSED); 5858 5859 if (peerlbl_active) { 5860 u32 if_sid; 5861 u32 node_sid; 5862 5863 if (sel_netif_sid(state->net, ifindex, &if_sid)) 5864 return NF_DROP; 5865 if (avc_has_perm(peer_sid, if_sid, 5866 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5867 return NF_DROP_ERR(-ECONNREFUSED); 5868 5869 if (sel_netnode_sid(addrp, family, &node_sid)) 5870 return NF_DROP; 5871 if (avc_has_perm(peer_sid, node_sid, 5872 SECCLASS_NODE, NODE__SENDTO, &ad)) 5873 return NF_DROP_ERR(-ECONNREFUSED); 5874 } 5875 5876 return NF_ACCEPT; 5877 } 5878 #endif /* CONFIG_NETFILTER */ 5879 5880 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5881 { 5882 int rc = 0; 5883 unsigned int msg_len; 5884 unsigned int data_len = skb->len; 5885 unsigned char *data = skb->data; 5886 struct nlmsghdr *nlh; 5887 struct sk_security_struct *sksec = sk->sk_security; 5888 u16 sclass = sksec->sclass; 5889 u32 perm; 5890 5891 while (data_len >= nlmsg_total_size(0)) { 5892 nlh = (struct nlmsghdr *)data; 5893 5894 /* NOTE: the nlmsg_len field isn't reliably set by some netlink 5895 * users which means we can't reject skb's with bogus 5896 * length fields; our solution is to follow what 5897 * netlink_rcv_skb() does and simply skip processing at 5898 * messages with length fields that are clearly junk 5899 */ 5900 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len) 5901 return 0; 5902 5903 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm); 5904 if (rc == 0) { 5905 rc = sock_has_perm(sk, perm); 5906 if (rc) 5907 return rc; 5908 } else if (rc == -EINVAL) { 5909 /* -EINVAL is a missing msg/perm mapping */ 5910 pr_warn_ratelimited("SELinux: unrecognized netlink" 5911 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 5912 " pid=%d comm=%s\n", 5913 sk->sk_protocol, nlh->nlmsg_type, 5914 secclass_map[sclass - 1].name, 5915 task_pid_nr(current), current->comm); 5916 if (enforcing_enabled() && 5917 !security_get_allow_unknown()) 5918 return rc; 5919 rc = 0; 5920 } else if (rc == -ENOENT) { 5921 /* -ENOENT is a missing socket/class mapping, ignore */ 5922 rc = 0; 5923 } else { 5924 return rc; 5925 } 5926 5927 /* move to the next message after applying netlink padding */ 5928 msg_len = NLMSG_ALIGN(nlh->nlmsg_len); 5929 if (msg_len >= data_len) 5930 return 0; 5931 data_len -= msg_len; 5932 data += msg_len; 5933 } 5934 5935 return rc; 5936 } 5937 5938 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass) 5939 { 5940 isec->sclass = sclass; 5941 isec->sid = current_sid(); 5942 } 5943 5944 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5945 u32 perms) 5946 { 5947 struct ipc_security_struct *isec; 5948 struct common_audit_data ad; 5949 u32 sid = current_sid(); 5950 5951 isec = selinux_ipc(ipc_perms); 5952 5953 ad.type = LSM_AUDIT_DATA_IPC; 5954 ad.u.ipc_id = ipc_perms->key; 5955 5956 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 5957 } 5958 5959 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5960 { 5961 struct msg_security_struct *msec; 5962 5963 msec = selinux_msg_msg(msg); 5964 msec->sid = SECINITSID_UNLABELED; 5965 5966 return 0; 5967 } 5968 5969 /* message queue security operations */ 5970 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 5971 { 5972 struct ipc_security_struct *isec; 5973 struct common_audit_data ad; 5974 u32 sid = current_sid(); 5975 5976 isec = selinux_ipc(msq); 5977 ipc_init_security(isec, SECCLASS_MSGQ); 5978 5979 ad.type = LSM_AUDIT_DATA_IPC; 5980 ad.u.ipc_id = msq->key; 5981 5982 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5983 MSGQ__CREATE, &ad); 5984 } 5985 5986 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 5987 { 5988 struct ipc_security_struct *isec; 5989 struct common_audit_data ad; 5990 u32 sid = current_sid(); 5991 5992 isec = selinux_ipc(msq); 5993 5994 ad.type = LSM_AUDIT_DATA_IPC; 5995 ad.u.ipc_id = msq->key; 5996 5997 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5998 MSGQ__ASSOCIATE, &ad); 5999 } 6000 6001 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 6002 { 6003 int err; 6004 int perms; 6005 6006 switch (cmd) { 6007 case IPC_INFO: 6008 case MSG_INFO: 6009 /* No specific object, just general system-wide information. */ 6010 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6011 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6012 case IPC_STAT: 6013 case MSG_STAT: 6014 case MSG_STAT_ANY: 6015 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6016 break; 6017 case IPC_SET: 6018 perms = MSGQ__SETATTR; 6019 break; 6020 case IPC_RMID: 6021 perms = MSGQ__DESTROY; 6022 break; 6023 default: 6024 return 0; 6025 } 6026 6027 err = ipc_has_perm(msq, perms); 6028 return err; 6029 } 6030 6031 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6032 { 6033 struct ipc_security_struct *isec; 6034 struct msg_security_struct *msec; 6035 struct common_audit_data ad; 6036 u32 sid = current_sid(); 6037 int rc; 6038 6039 isec = selinux_ipc(msq); 6040 msec = selinux_msg_msg(msg); 6041 6042 /* 6043 * First time through, need to assign label to the message 6044 */ 6045 if (msec->sid == SECINITSID_UNLABELED) { 6046 /* 6047 * Compute new sid based on current process and 6048 * message queue this message will be stored in 6049 */ 6050 rc = security_transition_sid(sid, isec->sid, 6051 SECCLASS_MSG, NULL, &msec->sid); 6052 if (rc) 6053 return rc; 6054 } 6055 6056 ad.type = LSM_AUDIT_DATA_IPC; 6057 ad.u.ipc_id = msq->key; 6058 6059 /* Can this process write to the queue? */ 6060 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6061 MSGQ__WRITE, &ad); 6062 if (!rc) 6063 /* Can this process send the message */ 6064 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 6065 MSG__SEND, &ad); 6066 if (!rc) 6067 /* Can the message be put in the queue? */ 6068 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 6069 MSGQ__ENQUEUE, &ad); 6070 6071 return rc; 6072 } 6073 6074 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6075 struct task_struct *target, 6076 long type, int mode) 6077 { 6078 struct ipc_security_struct *isec; 6079 struct msg_security_struct *msec; 6080 struct common_audit_data ad; 6081 u32 sid = task_sid_obj(target); 6082 int rc; 6083 6084 isec = selinux_ipc(msq); 6085 msec = selinux_msg_msg(msg); 6086 6087 ad.type = LSM_AUDIT_DATA_IPC; 6088 ad.u.ipc_id = msq->key; 6089 6090 rc = avc_has_perm(sid, isec->sid, 6091 SECCLASS_MSGQ, MSGQ__READ, &ad); 6092 if (!rc) 6093 rc = avc_has_perm(sid, msec->sid, 6094 SECCLASS_MSG, MSG__RECEIVE, &ad); 6095 return rc; 6096 } 6097 6098 /* Shared Memory security operations */ 6099 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6100 { 6101 struct ipc_security_struct *isec; 6102 struct common_audit_data ad; 6103 u32 sid = current_sid(); 6104 6105 isec = selinux_ipc(shp); 6106 ipc_init_security(isec, SECCLASS_SHM); 6107 6108 ad.type = LSM_AUDIT_DATA_IPC; 6109 ad.u.ipc_id = shp->key; 6110 6111 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6112 SHM__CREATE, &ad); 6113 } 6114 6115 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6116 { 6117 struct ipc_security_struct *isec; 6118 struct common_audit_data ad; 6119 u32 sid = current_sid(); 6120 6121 isec = selinux_ipc(shp); 6122 6123 ad.type = LSM_AUDIT_DATA_IPC; 6124 ad.u.ipc_id = shp->key; 6125 6126 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6127 SHM__ASSOCIATE, &ad); 6128 } 6129 6130 /* Note, at this point, shp is locked down */ 6131 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6132 { 6133 int perms; 6134 int err; 6135 6136 switch (cmd) { 6137 case IPC_INFO: 6138 case SHM_INFO: 6139 /* No specific object, just general system-wide information. */ 6140 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6141 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6142 case IPC_STAT: 6143 case SHM_STAT: 6144 case SHM_STAT_ANY: 6145 perms = SHM__GETATTR | SHM__ASSOCIATE; 6146 break; 6147 case IPC_SET: 6148 perms = SHM__SETATTR; 6149 break; 6150 case SHM_LOCK: 6151 case SHM_UNLOCK: 6152 perms = SHM__LOCK; 6153 break; 6154 case IPC_RMID: 6155 perms = SHM__DESTROY; 6156 break; 6157 default: 6158 return 0; 6159 } 6160 6161 err = ipc_has_perm(shp, perms); 6162 return err; 6163 } 6164 6165 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6166 char __user *shmaddr, int shmflg) 6167 { 6168 u32 perms; 6169 6170 if (shmflg & SHM_RDONLY) 6171 perms = SHM__READ; 6172 else 6173 perms = SHM__READ | SHM__WRITE; 6174 6175 return ipc_has_perm(shp, perms); 6176 } 6177 6178 /* Semaphore security operations */ 6179 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6180 { 6181 struct ipc_security_struct *isec; 6182 struct common_audit_data ad; 6183 u32 sid = current_sid(); 6184 6185 isec = selinux_ipc(sma); 6186 ipc_init_security(isec, SECCLASS_SEM); 6187 6188 ad.type = LSM_AUDIT_DATA_IPC; 6189 ad.u.ipc_id = sma->key; 6190 6191 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6192 SEM__CREATE, &ad); 6193 } 6194 6195 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6196 { 6197 struct ipc_security_struct *isec; 6198 struct common_audit_data ad; 6199 u32 sid = current_sid(); 6200 6201 isec = selinux_ipc(sma); 6202 6203 ad.type = LSM_AUDIT_DATA_IPC; 6204 ad.u.ipc_id = sma->key; 6205 6206 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6207 SEM__ASSOCIATE, &ad); 6208 } 6209 6210 /* Note, at this point, sma is locked down */ 6211 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6212 { 6213 int err; 6214 u32 perms; 6215 6216 switch (cmd) { 6217 case IPC_INFO: 6218 case SEM_INFO: 6219 /* No specific object, just general system-wide information. */ 6220 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6221 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6222 case GETPID: 6223 case GETNCNT: 6224 case GETZCNT: 6225 perms = SEM__GETATTR; 6226 break; 6227 case GETVAL: 6228 case GETALL: 6229 perms = SEM__READ; 6230 break; 6231 case SETVAL: 6232 case SETALL: 6233 perms = SEM__WRITE; 6234 break; 6235 case IPC_RMID: 6236 perms = SEM__DESTROY; 6237 break; 6238 case IPC_SET: 6239 perms = SEM__SETATTR; 6240 break; 6241 case IPC_STAT: 6242 case SEM_STAT: 6243 case SEM_STAT_ANY: 6244 perms = SEM__GETATTR | SEM__ASSOCIATE; 6245 break; 6246 default: 6247 return 0; 6248 } 6249 6250 err = ipc_has_perm(sma, perms); 6251 return err; 6252 } 6253 6254 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6255 struct sembuf *sops, unsigned nsops, int alter) 6256 { 6257 u32 perms; 6258 6259 if (alter) 6260 perms = SEM__READ | SEM__WRITE; 6261 else 6262 perms = SEM__READ; 6263 6264 return ipc_has_perm(sma, perms); 6265 } 6266 6267 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6268 { 6269 u32 av = 0; 6270 6271 av = 0; 6272 if (flag & S_IRUGO) 6273 av |= IPC__UNIX_READ; 6274 if (flag & S_IWUGO) 6275 av |= IPC__UNIX_WRITE; 6276 6277 if (av == 0) 6278 return 0; 6279 6280 return ipc_has_perm(ipcp, av); 6281 } 6282 6283 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 6284 { 6285 struct ipc_security_struct *isec = selinux_ipc(ipcp); 6286 *secid = isec->sid; 6287 } 6288 6289 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6290 { 6291 if (inode) 6292 inode_doinit_with_dentry(inode, dentry); 6293 } 6294 6295 static int selinux_getprocattr(struct task_struct *p, 6296 const char *name, char **value) 6297 { 6298 const struct task_security_struct *__tsec; 6299 u32 sid; 6300 int error; 6301 unsigned len; 6302 6303 rcu_read_lock(); 6304 __tsec = selinux_cred(__task_cred(p)); 6305 6306 if (current != p) { 6307 error = avc_has_perm(current_sid(), __tsec->sid, 6308 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6309 if (error) 6310 goto bad; 6311 } 6312 6313 if (!strcmp(name, "current")) 6314 sid = __tsec->sid; 6315 else if (!strcmp(name, "prev")) 6316 sid = __tsec->osid; 6317 else if (!strcmp(name, "exec")) 6318 sid = __tsec->exec_sid; 6319 else if (!strcmp(name, "fscreate")) 6320 sid = __tsec->create_sid; 6321 else if (!strcmp(name, "keycreate")) 6322 sid = __tsec->keycreate_sid; 6323 else if (!strcmp(name, "sockcreate")) 6324 sid = __tsec->sockcreate_sid; 6325 else { 6326 error = -EINVAL; 6327 goto bad; 6328 } 6329 rcu_read_unlock(); 6330 6331 if (!sid) 6332 return 0; 6333 6334 error = security_sid_to_context(sid, value, &len); 6335 if (error) 6336 return error; 6337 return len; 6338 6339 bad: 6340 rcu_read_unlock(); 6341 return error; 6342 } 6343 6344 static int selinux_setprocattr(const char *name, void *value, size_t size) 6345 { 6346 struct task_security_struct *tsec; 6347 struct cred *new; 6348 u32 mysid = current_sid(), sid = 0, ptsid; 6349 int error; 6350 char *str = value; 6351 6352 /* 6353 * Basic control over ability to set these attributes at all. 6354 */ 6355 if (!strcmp(name, "exec")) 6356 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6357 PROCESS__SETEXEC, NULL); 6358 else if (!strcmp(name, "fscreate")) 6359 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6360 PROCESS__SETFSCREATE, NULL); 6361 else if (!strcmp(name, "keycreate")) 6362 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6363 PROCESS__SETKEYCREATE, NULL); 6364 else if (!strcmp(name, "sockcreate")) 6365 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6366 PROCESS__SETSOCKCREATE, NULL); 6367 else if (!strcmp(name, "current")) 6368 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6369 PROCESS__SETCURRENT, NULL); 6370 else 6371 error = -EINVAL; 6372 if (error) 6373 return error; 6374 6375 /* Obtain a SID for the context, if one was specified. */ 6376 if (size && str[0] && str[0] != '\n') { 6377 if (str[size-1] == '\n') { 6378 str[size-1] = 0; 6379 size--; 6380 } 6381 error = security_context_to_sid(value, size, 6382 &sid, GFP_KERNEL); 6383 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6384 if (!has_cap_mac_admin(true)) { 6385 struct audit_buffer *ab; 6386 size_t audit_size; 6387 6388 /* We strip a nul only if it is at the end, otherwise the 6389 * context contains a nul and we should audit that */ 6390 if (str[size - 1] == '\0') 6391 audit_size = size - 1; 6392 else 6393 audit_size = size; 6394 ab = audit_log_start(audit_context(), 6395 GFP_ATOMIC, 6396 AUDIT_SELINUX_ERR); 6397 if (!ab) 6398 return error; 6399 audit_log_format(ab, "op=fscreate invalid_context="); 6400 audit_log_n_untrustedstring(ab, value, audit_size); 6401 audit_log_end(ab); 6402 6403 return error; 6404 } 6405 error = security_context_to_sid_force(value, size, 6406 &sid); 6407 } 6408 if (error) 6409 return error; 6410 } 6411 6412 new = prepare_creds(); 6413 if (!new) 6414 return -ENOMEM; 6415 6416 /* Permission checking based on the specified context is 6417 performed during the actual operation (execve, 6418 open/mkdir/...), when we know the full context of the 6419 operation. See selinux_bprm_creds_for_exec for the execve 6420 checks and may_create for the file creation checks. The 6421 operation will then fail if the context is not permitted. */ 6422 tsec = selinux_cred(new); 6423 if (!strcmp(name, "exec")) { 6424 tsec->exec_sid = sid; 6425 } else if (!strcmp(name, "fscreate")) { 6426 tsec->create_sid = sid; 6427 } else if (!strcmp(name, "keycreate")) { 6428 if (sid) { 6429 error = avc_has_perm(mysid, sid, 6430 SECCLASS_KEY, KEY__CREATE, NULL); 6431 if (error) 6432 goto abort_change; 6433 } 6434 tsec->keycreate_sid = sid; 6435 } else if (!strcmp(name, "sockcreate")) { 6436 tsec->sockcreate_sid = sid; 6437 } else if (!strcmp(name, "current")) { 6438 error = -EINVAL; 6439 if (sid == 0) 6440 goto abort_change; 6441 6442 /* Only allow single threaded processes to change context */ 6443 if (!current_is_single_threaded()) { 6444 error = security_bounded_transition(tsec->sid, sid); 6445 if (error) 6446 goto abort_change; 6447 } 6448 6449 /* Check permissions for the transition. */ 6450 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 6451 PROCESS__DYNTRANSITION, NULL); 6452 if (error) 6453 goto abort_change; 6454 6455 /* Check for ptracing, and update the task SID if ok. 6456 Otherwise, leave SID unchanged and fail. */ 6457 ptsid = ptrace_parent_sid(); 6458 if (ptsid != 0) { 6459 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 6460 PROCESS__PTRACE, NULL); 6461 if (error) 6462 goto abort_change; 6463 } 6464 6465 tsec->sid = sid; 6466 } else { 6467 error = -EINVAL; 6468 goto abort_change; 6469 } 6470 6471 commit_creds(new); 6472 return size; 6473 6474 abort_change: 6475 abort_creds(new); 6476 return error; 6477 } 6478 6479 static int selinux_ismaclabel(const char *name) 6480 { 6481 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6482 } 6483 6484 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6485 { 6486 return security_sid_to_context(secid, 6487 secdata, seclen); 6488 } 6489 6490 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6491 { 6492 return security_context_to_sid(secdata, seclen, 6493 secid, GFP_KERNEL); 6494 } 6495 6496 static void selinux_release_secctx(char *secdata, u32 seclen) 6497 { 6498 kfree(secdata); 6499 } 6500 6501 static void selinux_inode_invalidate_secctx(struct inode *inode) 6502 { 6503 struct inode_security_struct *isec = selinux_inode(inode); 6504 6505 spin_lock(&isec->lock); 6506 isec->initialized = LABEL_INVALID; 6507 spin_unlock(&isec->lock); 6508 } 6509 6510 /* 6511 * called with inode->i_mutex locked 6512 */ 6513 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6514 { 6515 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, 6516 ctx, ctxlen, 0); 6517 /* Do not return error when suppressing label (SBLABEL_MNT not set). */ 6518 return rc == -EOPNOTSUPP ? 0 : rc; 6519 } 6520 6521 /* 6522 * called with inode->i_mutex locked 6523 */ 6524 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6525 { 6526 return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX, 6527 ctx, ctxlen, 0); 6528 } 6529 6530 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6531 { 6532 int len = 0; 6533 len = selinux_inode_getsecurity(&nop_mnt_idmap, inode, 6534 XATTR_SELINUX_SUFFIX, ctx, true); 6535 if (len < 0) 6536 return len; 6537 *ctxlen = len; 6538 return 0; 6539 } 6540 #ifdef CONFIG_KEYS 6541 6542 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6543 unsigned long flags) 6544 { 6545 const struct task_security_struct *tsec; 6546 struct key_security_struct *ksec; 6547 6548 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6549 if (!ksec) 6550 return -ENOMEM; 6551 6552 tsec = selinux_cred(cred); 6553 if (tsec->keycreate_sid) 6554 ksec->sid = tsec->keycreate_sid; 6555 else 6556 ksec->sid = tsec->sid; 6557 6558 k->security = ksec; 6559 return 0; 6560 } 6561 6562 static void selinux_key_free(struct key *k) 6563 { 6564 struct key_security_struct *ksec = k->security; 6565 6566 k->security = NULL; 6567 kfree(ksec); 6568 } 6569 6570 static int selinux_key_permission(key_ref_t key_ref, 6571 const struct cred *cred, 6572 enum key_need_perm need_perm) 6573 { 6574 struct key *key; 6575 struct key_security_struct *ksec; 6576 u32 perm, sid; 6577 6578 switch (need_perm) { 6579 case KEY_NEED_VIEW: 6580 perm = KEY__VIEW; 6581 break; 6582 case KEY_NEED_READ: 6583 perm = KEY__READ; 6584 break; 6585 case KEY_NEED_WRITE: 6586 perm = KEY__WRITE; 6587 break; 6588 case KEY_NEED_SEARCH: 6589 perm = KEY__SEARCH; 6590 break; 6591 case KEY_NEED_LINK: 6592 perm = KEY__LINK; 6593 break; 6594 case KEY_NEED_SETATTR: 6595 perm = KEY__SETATTR; 6596 break; 6597 case KEY_NEED_UNLINK: 6598 case KEY_SYSADMIN_OVERRIDE: 6599 case KEY_AUTHTOKEN_OVERRIDE: 6600 case KEY_DEFER_PERM_CHECK: 6601 return 0; 6602 default: 6603 WARN_ON(1); 6604 return -EPERM; 6605 6606 } 6607 6608 sid = cred_sid(cred); 6609 key = key_ref_to_ptr(key_ref); 6610 ksec = key->security; 6611 6612 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6613 } 6614 6615 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6616 { 6617 struct key_security_struct *ksec = key->security; 6618 char *context = NULL; 6619 unsigned len; 6620 int rc; 6621 6622 rc = security_sid_to_context(ksec->sid, 6623 &context, &len); 6624 if (!rc) 6625 rc = len; 6626 *_buffer = context; 6627 return rc; 6628 } 6629 6630 #ifdef CONFIG_KEY_NOTIFICATIONS 6631 static int selinux_watch_key(struct key *key) 6632 { 6633 struct key_security_struct *ksec = key->security; 6634 u32 sid = current_sid(); 6635 6636 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL); 6637 } 6638 #endif 6639 #endif 6640 6641 #ifdef CONFIG_SECURITY_INFINIBAND 6642 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6643 { 6644 struct common_audit_data ad; 6645 int err; 6646 u32 sid = 0; 6647 struct ib_security_struct *sec = ib_sec; 6648 struct lsm_ibpkey_audit ibpkey; 6649 6650 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6651 if (err) 6652 return err; 6653 6654 ad.type = LSM_AUDIT_DATA_IBPKEY; 6655 ibpkey.subnet_prefix = subnet_prefix; 6656 ibpkey.pkey = pkey_val; 6657 ad.u.ibpkey = &ibpkey; 6658 return avc_has_perm(sec->sid, sid, 6659 SECCLASS_INFINIBAND_PKEY, 6660 INFINIBAND_PKEY__ACCESS, &ad); 6661 } 6662 6663 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6664 u8 port_num) 6665 { 6666 struct common_audit_data ad; 6667 int err; 6668 u32 sid = 0; 6669 struct ib_security_struct *sec = ib_sec; 6670 struct lsm_ibendport_audit ibendport; 6671 6672 err = security_ib_endport_sid(dev_name, port_num, 6673 &sid); 6674 6675 if (err) 6676 return err; 6677 6678 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6679 ibendport.dev_name = dev_name; 6680 ibendport.port = port_num; 6681 ad.u.ibendport = &ibendport; 6682 return avc_has_perm(sec->sid, sid, 6683 SECCLASS_INFINIBAND_ENDPORT, 6684 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6685 } 6686 6687 static int selinux_ib_alloc_security(void **ib_sec) 6688 { 6689 struct ib_security_struct *sec; 6690 6691 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6692 if (!sec) 6693 return -ENOMEM; 6694 sec->sid = current_sid(); 6695 6696 *ib_sec = sec; 6697 return 0; 6698 } 6699 6700 static void selinux_ib_free_security(void *ib_sec) 6701 { 6702 kfree(ib_sec); 6703 } 6704 #endif 6705 6706 #ifdef CONFIG_BPF_SYSCALL 6707 static int selinux_bpf(int cmd, union bpf_attr *attr, 6708 unsigned int size) 6709 { 6710 u32 sid = current_sid(); 6711 int ret; 6712 6713 switch (cmd) { 6714 case BPF_MAP_CREATE: 6715 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6716 NULL); 6717 break; 6718 case BPF_PROG_LOAD: 6719 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6720 NULL); 6721 break; 6722 default: 6723 ret = 0; 6724 break; 6725 } 6726 6727 return ret; 6728 } 6729 6730 static u32 bpf_map_fmode_to_av(fmode_t fmode) 6731 { 6732 u32 av = 0; 6733 6734 if (fmode & FMODE_READ) 6735 av |= BPF__MAP_READ; 6736 if (fmode & FMODE_WRITE) 6737 av |= BPF__MAP_WRITE; 6738 return av; 6739 } 6740 6741 /* This function will check the file pass through unix socket or binder to see 6742 * if it is a bpf related object. And apply corresponding checks on the bpf 6743 * object based on the type. The bpf maps and programs, not like other files and 6744 * socket, are using a shared anonymous inode inside the kernel as their inode. 6745 * So checking that inode cannot identify if the process have privilege to 6746 * access the bpf object and that's why we have to add this additional check in 6747 * selinux_file_receive and selinux_binder_transfer_files. 6748 */ 6749 static int bpf_fd_pass(struct file *file, u32 sid) 6750 { 6751 struct bpf_security_struct *bpfsec; 6752 struct bpf_prog *prog; 6753 struct bpf_map *map; 6754 int ret; 6755 6756 if (file->f_op == &bpf_map_fops) { 6757 map = file->private_data; 6758 bpfsec = map->security; 6759 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6760 bpf_map_fmode_to_av(file->f_mode), NULL); 6761 if (ret) 6762 return ret; 6763 } else if (file->f_op == &bpf_prog_fops) { 6764 prog = file->private_data; 6765 bpfsec = prog->aux->security; 6766 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6767 BPF__PROG_RUN, NULL); 6768 if (ret) 6769 return ret; 6770 } 6771 return 0; 6772 } 6773 6774 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 6775 { 6776 u32 sid = current_sid(); 6777 struct bpf_security_struct *bpfsec; 6778 6779 bpfsec = map->security; 6780 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6781 bpf_map_fmode_to_av(fmode), NULL); 6782 } 6783 6784 static int selinux_bpf_prog(struct bpf_prog *prog) 6785 { 6786 u32 sid = current_sid(); 6787 struct bpf_security_struct *bpfsec; 6788 6789 bpfsec = prog->aux->security; 6790 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6791 BPF__PROG_RUN, NULL); 6792 } 6793 6794 static int selinux_bpf_map_alloc(struct bpf_map *map) 6795 { 6796 struct bpf_security_struct *bpfsec; 6797 6798 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6799 if (!bpfsec) 6800 return -ENOMEM; 6801 6802 bpfsec->sid = current_sid(); 6803 map->security = bpfsec; 6804 6805 return 0; 6806 } 6807 6808 static void selinux_bpf_map_free(struct bpf_map *map) 6809 { 6810 struct bpf_security_struct *bpfsec = map->security; 6811 6812 map->security = NULL; 6813 kfree(bpfsec); 6814 } 6815 6816 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux) 6817 { 6818 struct bpf_security_struct *bpfsec; 6819 6820 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6821 if (!bpfsec) 6822 return -ENOMEM; 6823 6824 bpfsec->sid = current_sid(); 6825 aux->security = bpfsec; 6826 6827 return 0; 6828 } 6829 6830 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) 6831 { 6832 struct bpf_security_struct *bpfsec = aux->security; 6833 6834 aux->security = NULL; 6835 kfree(bpfsec); 6836 } 6837 #endif 6838 6839 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { 6840 .lbs_cred = sizeof(struct task_security_struct), 6841 .lbs_file = sizeof(struct file_security_struct), 6842 .lbs_inode = sizeof(struct inode_security_struct), 6843 .lbs_ipc = sizeof(struct ipc_security_struct), 6844 .lbs_msg_msg = sizeof(struct msg_security_struct), 6845 .lbs_superblock = sizeof(struct superblock_security_struct), 6846 }; 6847 6848 #ifdef CONFIG_PERF_EVENTS 6849 static int selinux_perf_event_open(struct perf_event_attr *attr, int type) 6850 { 6851 u32 requested, sid = current_sid(); 6852 6853 if (type == PERF_SECURITY_OPEN) 6854 requested = PERF_EVENT__OPEN; 6855 else if (type == PERF_SECURITY_CPU) 6856 requested = PERF_EVENT__CPU; 6857 else if (type == PERF_SECURITY_KERNEL) 6858 requested = PERF_EVENT__KERNEL; 6859 else if (type == PERF_SECURITY_TRACEPOINT) 6860 requested = PERF_EVENT__TRACEPOINT; 6861 else 6862 return -EINVAL; 6863 6864 return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT, 6865 requested, NULL); 6866 } 6867 6868 static int selinux_perf_event_alloc(struct perf_event *event) 6869 { 6870 struct perf_event_security_struct *perfsec; 6871 6872 perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL); 6873 if (!perfsec) 6874 return -ENOMEM; 6875 6876 perfsec->sid = current_sid(); 6877 event->security = perfsec; 6878 6879 return 0; 6880 } 6881 6882 static void selinux_perf_event_free(struct perf_event *event) 6883 { 6884 struct perf_event_security_struct *perfsec = event->security; 6885 6886 event->security = NULL; 6887 kfree(perfsec); 6888 } 6889 6890 static int selinux_perf_event_read(struct perf_event *event) 6891 { 6892 struct perf_event_security_struct *perfsec = event->security; 6893 u32 sid = current_sid(); 6894 6895 return avc_has_perm(sid, perfsec->sid, 6896 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL); 6897 } 6898 6899 static int selinux_perf_event_write(struct perf_event *event) 6900 { 6901 struct perf_event_security_struct *perfsec = event->security; 6902 u32 sid = current_sid(); 6903 6904 return avc_has_perm(sid, perfsec->sid, 6905 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL); 6906 } 6907 #endif 6908 6909 #ifdef CONFIG_IO_URING 6910 /** 6911 * selinux_uring_override_creds - check the requested cred override 6912 * @new: the target creds 6913 * 6914 * Check to see if the current task is allowed to override it's credentials 6915 * to service an io_uring operation. 6916 */ 6917 static int selinux_uring_override_creds(const struct cred *new) 6918 { 6919 return avc_has_perm(current_sid(), cred_sid(new), 6920 SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL); 6921 } 6922 6923 /** 6924 * selinux_uring_sqpoll - check if a io_uring polling thread can be created 6925 * 6926 * Check to see if the current task is allowed to create a new io_uring 6927 * kernel polling thread. 6928 */ 6929 static int selinux_uring_sqpoll(void) 6930 { 6931 int sid = current_sid(); 6932 6933 return avc_has_perm(sid, sid, 6934 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL); 6935 } 6936 6937 /** 6938 * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed 6939 * @ioucmd: the io_uring command structure 6940 * 6941 * Check to see if the current domain is allowed to execute an 6942 * IORING_OP_URING_CMD against the device/file specified in @ioucmd. 6943 * 6944 */ 6945 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) 6946 { 6947 struct file *file = ioucmd->file; 6948 struct inode *inode = file_inode(file); 6949 struct inode_security_struct *isec = selinux_inode(inode); 6950 struct common_audit_data ad; 6951 6952 ad.type = LSM_AUDIT_DATA_FILE; 6953 ad.u.file = file; 6954 6955 return avc_has_perm(current_sid(), isec->sid, 6956 SECCLASS_IO_URING, IO_URING__CMD, &ad); 6957 } 6958 #endif /* CONFIG_IO_URING */ 6959 6960 /* 6961 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: 6962 * 1. any hooks that don't belong to (2.) or (3.) below, 6963 * 2. hooks that both access structures allocated by other hooks, and allocate 6964 * structures that can be later accessed by other hooks (mostly "cloning" 6965 * hooks), 6966 * 3. hooks that only allocate structures that can be later accessed by other 6967 * hooks ("allocating" hooks). 6968 * 6969 * Please follow block comment delimiters in the list to keep this order. 6970 * 6971 * This ordering is needed for SELinux runtime disable to work at least somewhat 6972 * safely. Breaking the ordering rules above might lead to NULL pointer derefs 6973 * when disabling SELinux at runtime. 6974 */ 6975 static struct security_hook_list selinux_hooks[] __ro_after_init = { 6976 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6977 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6978 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6979 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6980 6981 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 6982 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 6983 LSM_HOOK_INIT(capget, selinux_capget), 6984 LSM_HOOK_INIT(capset, selinux_capset), 6985 LSM_HOOK_INIT(capable, selinux_capable), 6986 LSM_HOOK_INIT(quotactl, selinux_quotactl), 6987 LSM_HOOK_INIT(quota_on, selinux_quota_on), 6988 LSM_HOOK_INIT(syslog, selinux_syslog), 6989 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6990 6991 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6992 6993 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec), 6994 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6995 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6996 6997 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), 6998 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat), 6999 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 7000 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 7001 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 7002 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 7003 LSM_HOOK_INIT(sb_mount, selinux_mount), 7004 LSM_HOOK_INIT(sb_umount, selinux_umount), 7005 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 7006 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 7007 7008 LSM_HOOK_INIT(move_mount, selinux_move_mount), 7009 7010 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 7011 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 7012 7013 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 7014 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 7015 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon), 7016 LSM_HOOK_INIT(inode_create, selinux_inode_create), 7017 LSM_HOOK_INIT(inode_link, selinux_inode_link), 7018 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 7019 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 7020 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 7021 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 7022 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 7023 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 7024 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 7025 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 7026 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 7027 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 7028 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 7029 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 7030 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 7031 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 7032 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 7033 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 7034 LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl), 7035 LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl), 7036 LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl), 7037 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 7038 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 7039 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 7040 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 7041 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 7042 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 7043 LSM_HOOK_INIT(path_notify, selinux_path_notify), 7044 7045 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security), 7046 7047 LSM_HOOK_INIT(file_permission, selinux_file_permission), 7048 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 7049 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 7050 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 7051 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 7052 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 7053 LSM_HOOK_INIT(file_lock, selinux_file_lock), 7054 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 7055 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 7056 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 7057 LSM_HOOK_INIT(file_receive, selinux_file_receive), 7058 7059 LSM_HOOK_INIT(file_open, selinux_file_open), 7060 7061 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 7062 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 7063 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 7064 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 7065 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 7066 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 7067 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 7068 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 7069 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 7070 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 7071 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 7072 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 7073 LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj), 7074 LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj), 7075 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 7076 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 7077 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 7078 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 7079 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 7080 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 7081 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 7082 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 7083 LSM_HOOK_INIT(task_kill, selinux_task_kill), 7084 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 7085 LSM_HOOK_INIT(userns_create, selinux_userns_create), 7086 7087 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 7088 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 7089 7090 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 7091 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 7092 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 7093 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 7094 7095 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 7096 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 7097 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 7098 7099 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 7100 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 7101 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 7102 7103 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 7104 7105 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 7106 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 7107 7108 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 7109 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 7110 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 7111 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 7112 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 7113 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 7114 7115 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 7116 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 7117 7118 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7119 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7120 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), 7121 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7122 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7123 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7124 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7125 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7126 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7127 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7128 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7129 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7130 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7131 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7132 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7133 LSM_HOOK_INIT(socket_getpeersec_stream, 7134 selinux_socket_getpeersec_stream), 7135 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7136 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7137 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7138 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7139 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7140 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7141 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7142 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7143 LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established), 7144 LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow), 7145 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7146 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7147 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7148 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7149 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7150 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7151 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7152 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 7153 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7154 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7155 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7156 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7157 #ifdef CONFIG_SECURITY_INFINIBAND 7158 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7159 LSM_HOOK_INIT(ib_endport_manage_subnet, 7160 selinux_ib_endport_manage_subnet), 7161 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 7162 #endif 7163 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7164 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7165 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7166 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7167 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7168 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7169 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7170 selinux_xfrm_state_pol_flow_match), 7171 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7172 #endif 7173 7174 #ifdef CONFIG_KEYS 7175 LSM_HOOK_INIT(key_free, selinux_key_free), 7176 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7177 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7178 #ifdef CONFIG_KEY_NOTIFICATIONS 7179 LSM_HOOK_INIT(watch_key, selinux_watch_key), 7180 #endif 7181 #endif 7182 7183 #ifdef CONFIG_AUDIT 7184 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7185 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7186 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7187 #endif 7188 7189 #ifdef CONFIG_BPF_SYSCALL 7190 LSM_HOOK_INIT(bpf, selinux_bpf), 7191 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7192 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7193 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free), 7194 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free), 7195 #endif 7196 7197 #ifdef CONFIG_PERF_EVENTS 7198 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open), 7199 LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free), 7200 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read), 7201 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write), 7202 #endif 7203 7204 #ifdef CONFIG_IO_URING 7205 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), 7206 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), 7207 LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd), 7208 #endif 7209 7210 /* 7211 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE 7212 */ 7213 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 7214 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 7215 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 7216 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7217 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7218 #endif 7219 7220 /* 7221 * PUT "ALLOCATING" HOOKS HERE 7222 */ 7223 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 7224 LSM_HOOK_INIT(msg_queue_alloc_security, 7225 selinux_msg_queue_alloc_security), 7226 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 7227 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 7228 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 7229 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 7230 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 7231 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 7232 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7233 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7234 #ifdef CONFIG_SECURITY_INFINIBAND 7235 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7236 #endif 7237 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7238 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7239 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7240 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7241 selinux_xfrm_state_alloc_acquire), 7242 #endif 7243 #ifdef CONFIG_KEYS 7244 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7245 #endif 7246 #ifdef CONFIG_AUDIT 7247 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7248 #endif 7249 #ifdef CONFIG_BPF_SYSCALL 7250 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), 7251 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), 7252 #endif 7253 #ifdef CONFIG_PERF_EVENTS 7254 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), 7255 #endif 7256 }; 7257 7258 static __init int selinux_init(void) 7259 { 7260 pr_info("SELinux: Initializing.\n"); 7261 7262 memset(&selinux_state, 0, sizeof(selinux_state)); 7263 enforcing_set(selinux_enforcing_boot); 7264 selinux_avc_init(); 7265 mutex_init(&selinux_state.status_lock); 7266 mutex_init(&selinux_state.policy_mutex); 7267 7268 /* Set the security state for the initial task. */ 7269 cred_init_security(); 7270 7271 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7272 7273 avc_init(); 7274 7275 avtab_cache_init(); 7276 7277 ebitmap_cache_init(); 7278 7279 hashtab_cache_init(); 7280 7281 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 7282 7283 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7284 panic("SELinux: Unable to register AVC netcache callback\n"); 7285 7286 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7287 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7288 7289 if (selinux_enforcing_boot) 7290 pr_debug("SELinux: Starting in enforcing mode\n"); 7291 else 7292 pr_debug("SELinux: Starting in permissive mode\n"); 7293 7294 fs_validate_description("selinux", selinux_fs_parameters); 7295 7296 return 0; 7297 } 7298 7299 static void delayed_superblock_init(struct super_block *sb, void *unused) 7300 { 7301 selinux_set_mnt_opts(sb, NULL, 0, NULL); 7302 } 7303 7304 void selinux_complete_init(void) 7305 { 7306 pr_debug("SELinux: Completing initialization.\n"); 7307 7308 /* Set up any superblocks initialized prior to the policy load. */ 7309 pr_debug("SELinux: Setting up existing superblocks.\n"); 7310 iterate_supers(delayed_superblock_init, NULL); 7311 } 7312 7313 /* SELinux requires early initialization in order to label 7314 all processes and objects when they are created. */ 7315 DEFINE_LSM(selinux) = { 7316 .name = "selinux", 7317 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 7318 .enabled = &selinux_enabled_boot, 7319 .blobs = &selinux_blob_sizes, 7320 .init = selinux_init, 7321 }; 7322 7323 #if defined(CONFIG_NETFILTER) 7324 static const struct nf_hook_ops selinux_nf_ops[] = { 7325 { 7326 .hook = selinux_ip_postroute, 7327 .pf = NFPROTO_IPV4, 7328 .hooknum = NF_INET_POST_ROUTING, 7329 .priority = NF_IP_PRI_SELINUX_LAST, 7330 }, 7331 { 7332 .hook = selinux_ip_forward, 7333 .pf = NFPROTO_IPV4, 7334 .hooknum = NF_INET_FORWARD, 7335 .priority = NF_IP_PRI_SELINUX_FIRST, 7336 }, 7337 { 7338 .hook = selinux_ip_output, 7339 .pf = NFPROTO_IPV4, 7340 .hooknum = NF_INET_LOCAL_OUT, 7341 .priority = NF_IP_PRI_SELINUX_FIRST, 7342 }, 7343 #if IS_ENABLED(CONFIG_IPV6) 7344 { 7345 .hook = selinux_ip_postroute, 7346 .pf = NFPROTO_IPV6, 7347 .hooknum = NF_INET_POST_ROUTING, 7348 .priority = NF_IP6_PRI_SELINUX_LAST, 7349 }, 7350 { 7351 .hook = selinux_ip_forward, 7352 .pf = NFPROTO_IPV6, 7353 .hooknum = NF_INET_FORWARD, 7354 .priority = NF_IP6_PRI_SELINUX_FIRST, 7355 }, 7356 { 7357 .hook = selinux_ip_output, 7358 .pf = NFPROTO_IPV6, 7359 .hooknum = NF_INET_LOCAL_OUT, 7360 .priority = NF_IP6_PRI_SELINUX_FIRST, 7361 }, 7362 #endif /* IPV6 */ 7363 }; 7364 7365 static int __net_init selinux_nf_register(struct net *net) 7366 { 7367 return nf_register_net_hooks(net, selinux_nf_ops, 7368 ARRAY_SIZE(selinux_nf_ops)); 7369 } 7370 7371 static void __net_exit selinux_nf_unregister(struct net *net) 7372 { 7373 nf_unregister_net_hooks(net, selinux_nf_ops, 7374 ARRAY_SIZE(selinux_nf_ops)); 7375 } 7376 7377 static struct pernet_operations selinux_net_ops = { 7378 .init = selinux_nf_register, 7379 .exit = selinux_nf_unregister, 7380 }; 7381 7382 static int __init selinux_nf_ip_init(void) 7383 { 7384 int err; 7385 7386 if (!selinux_enabled_boot) 7387 return 0; 7388 7389 pr_debug("SELinux: Registering netfilter hooks\n"); 7390 7391 err = register_pernet_subsys(&selinux_net_ops); 7392 if (err) 7393 panic("SELinux: register_pernet_subsys: error %d\n", err); 7394 7395 return 0; 7396 } 7397 __initcall(selinux_nf_ip_init); 7398 #endif /* CONFIG_NETFILTER */ 7399