1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * Copyright (C) 2016 Mellanox Technologies 21 * 22 * This program is free software; you can redistribute it and/or modify 23 * it under the terms of the GNU General Public License version 2, 24 * as published by the Free Software Foundation. 25 */ 26 27 #include <linux/init.h> 28 #include <linux/kd.h> 29 #include <linux/kernel.h> 30 #include <linux/tracehook.h> 31 #include <linux/errno.h> 32 #include <linux/sched/signal.h> 33 #include <linux/sched/task.h> 34 #include <linux/lsm_hooks.h> 35 #include <linux/xattr.h> 36 #include <linux/capability.h> 37 #include <linux/unistd.h> 38 #include <linux/mm.h> 39 #include <linux/mman.h> 40 #include <linux/slab.h> 41 #include <linux/pagemap.h> 42 #include <linux/proc_fs.h> 43 #include <linux/swap.h> 44 #include <linux/spinlock.h> 45 #include <linux/syscalls.h> 46 #include <linux/dcache.h> 47 #include <linux/file.h> 48 #include <linux/fdtable.h> 49 #include <linux/namei.h> 50 #include <linux/mount.h> 51 #include <linux/netfilter_ipv4.h> 52 #include <linux/netfilter_ipv6.h> 53 #include <linux/tty.h> 54 #include <net/icmp.h> 55 #include <net/ip.h> /* for local_port_range[] */ 56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 57 #include <net/inet_connection_sock.h> 58 #include <net/net_namespace.h> 59 #include <net/netlabel.h> 60 #include <linux/uaccess.h> 61 #include <asm/ioctls.h> 62 #include <linux/atomic.h> 63 #include <linux/bitops.h> 64 #include <linux/interrupt.h> 65 #include <linux/netdevice.h> /* for network interface checks */ 66 #include <net/netlink.h> 67 #include <linux/tcp.h> 68 #include <linux/udp.h> 69 #include <linux/dccp.h> 70 #include <linux/sctp.h> 71 #include <net/sctp/structs.h> 72 #include <linux/quota.h> 73 #include <linux/un.h> /* for Unix socket types */ 74 #include <net/af_unix.h> /* for Unix socket types */ 75 #include <linux/parser.h> 76 #include <linux/nfs_mount.h> 77 #include <net/ipv6.h> 78 #include <linux/hugetlb.h> 79 #include <linux/personality.h> 80 #include <linux/audit.h> 81 #include <linux/string.h> 82 #include <linux/selinux.h> 83 #include <linux/mutex.h> 84 #include <linux/posix-timers.h> 85 #include <linux/syslog.h> 86 #include <linux/user_namespace.h> 87 #include <linux/export.h> 88 #include <linux/msg.h> 89 #include <linux/shm.h> 90 #include <linux/bpf.h> 91 #include <uapi/linux/mount.h> 92 93 #include "avc.h" 94 #include "objsec.h" 95 #include "netif.h" 96 #include "netnode.h" 97 #include "netport.h" 98 #include "ibpkey.h" 99 #include "xfrm.h" 100 #include "netlabel.h" 101 #include "audit.h" 102 #include "avc_ss.h" 103 104 struct selinux_state selinux_state; 105 106 /* SECMARK reference count */ 107 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 108 109 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 110 static int selinux_enforcing_boot; 111 112 static int __init enforcing_setup(char *str) 113 { 114 unsigned long enforcing; 115 if (!kstrtoul(str, 0, &enforcing)) 116 selinux_enforcing_boot = enforcing ? 1 : 0; 117 return 1; 118 } 119 __setup("enforcing=", enforcing_setup); 120 #else 121 #define selinux_enforcing_boot 1 122 #endif 123 124 int selinux_enabled __lsm_ro_after_init = 1; 125 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 126 static int __init selinux_enabled_setup(char *str) 127 { 128 unsigned long enabled; 129 if (!kstrtoul(str, 0, &enabled)) 130 selinux_enabled = enabled ? 1 : 0; 131 return 1; 132 } 133 __setup("selinux=", selinux_enabled_setup); 134 #endif 135 136 static unsigned int selinux_checkreqprot_boot = 137 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 138 139 static int __init checkreqprot_setup(char *str) 140 { 141 unsigned long checkreqprot; 142 143 if (!kstrtoul(str, 0, &checkreqprot)) 144 selinux_checkreqprot_boot = checkreqprot ? 1 : 0; 145 return 1; 146 } 147 __setup("checkreqprot=", checkreqprot_setup); 148 149 static struct kmem_cache *sel_inode_cache; 150 static struct kmem_cache *file_security_cache; 151 152 /** 153 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 154 * 155 * Description: 156 * This function checks the SECMARK reference counter to see if any SECMARK 157 * targets are currently configured, if the reference counter is greater than 158 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 159 * enabled, false (0) if SECMARK is disabled. If the always_check_network 160 * policy capability is enabled, SECMARK is always considered enabled. 161 * 162 */ 163 static int selinux_secmark_enabled(void) 164 { 165 return (selinux_policycap_alwaysnetwork() || 166 atomic_read(&selinux_secmark_refcount)); 167 } 168 169 /** 170 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 171 * 172 * Description: 173 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 174 * (1) if any are enabled or false (0) if neither are enabled. If the 175 * always_check_network policy capability is enabled, peer labeling 176 * is always considered enabled. 177 * 178 */ 179 static int selinux_peerlbl_enabled(void) 180 { 181 return (selinux_policycap_alwaysnetwork() || 182 netlbl_enabled() || selinux_xfrm_enabled()); 183 } 184 185 static int selinux_netcache_avc_callback(u32 event) 186 { 187 if (event == AVC_CALLBACK_RESET) { 188 sel_netif_flush(); 189 sel_netnode_flush(); 190 sel_netport_flush(); 191 synchronize_net(); 192 } 193 return 0; 194 } 195 196 static int selinux_lsm_notifier_avc_callback(u32 event) 197 { 198 if (event == AVC_CALLBACK_RESET) { 199 sel_ib_pkey_flush(); 200 call_lsm_notifier(LSM_POLICY_CHANGE, NULL); 201 } 202 203 return 0; 204 } 205 206 /* 207 * initialise the security for the init task 208 */ 209 static void cred_init_security(void) 210 { 211 struct cred *cred = (struct cred *) current->real_cred; 212 struct task_security_struct *tsec; 213 214 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 215 if (!tsec) 216 panic("SELinux: Failed to initialize initial task.\n"); 217 218 tsec->osid = tsec->sid = SECINITSID_KERNEL; 219 cred->security = tsec; 220 } 221 222 /* 223 * get the security ID of a set of credentials 224 */ 225 static inline u32 cred_sid(const struct cred *cred) 226 { 227 const struct task_security_struct *tsec; 228 229 tsec = cred->security; 230 return tsec->sid; 231 } 232 233 /* 234 * get the objective security ID of a task 235 */ 236 static inline u32 task_sid(const struct task_struct *task) 237 { 238 u32 sid; 239 240 rcu_read_lock(); 241 sid = cred_sid(__task_cred(task)); 242 rcu_read_unlock(); 243 return sid; 244 } 245 246 /* Allocate and free functions for each kind of security blob. */ 247 248 static int inode_alloc_security(struct inode *inode) 249 { 250 struct inode_security_struct *isec; 251 u32 sid = current_sid(); 252 253 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 254 if (!isec) 255 return -ENOMEM; 256 257 spin_lock_init(&isec->lock); 258 INIT_LIST_HEAD(&isec->list); 259 isec->inode = inode; 260 isec->sid = SECINITSID_UNLABELED; 261 isec->sclass = SECCLASS_FILE; 262 isec->task_sid = sid; 263 isec->initialized = LABEL_INVALID; 264 inode->i_security = isec; 265 266 return 0; 267 } 268 269 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 270 271 /* 272 * Try reloading inode security labels that have been marked as invalid. The 273 * @may_sleep parameter indicates when sleeping and thus reloading labels is 274 * allowed; when set to false, returns -ECHILD when the label is 275 * invalid. The @dentry parameter should be set to a dentry of the inode. 276 */ 277 static int __inode_security_revalidate(struct inode *inode, 278 struct dentry *dentry, 279 bool may_sleep) 280 { 281 struct inode_security_struct *isec = inode->i_security; 282 283 might_sleep_if(may_sleep); 284 285 if (selinux_state.initialized && 286 isec->initialized != LABEL_INITIALIZED) { 287 if (!may_sleep) 288 return -ECHILD; 289 290 /* 291 * Try reloading the inode security label. This will fail if 292 * @opt_dentry is NULL and no dentry for this inode can be 293 * found; in that case, continue using the old label. 294 */ 295 inode_doinit_with_dentry(inode, dentry); 296 } 297 return 0; 298 } 299 300 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 301 { 302 return inode->i_security; 303 } 304 305 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 306 { 307 int error; 308 309 error = __inode_security_revalidate(inode, NULL, !rcu); 310 if (error) 311 return ERR_PTR(error); 312 return inode->i_security; 313 } 314 315 /* 316 * Get the security label of an inode. 317 */ 318 static struct inode_security_struct *inode_security(struct inode *inode) 319 { 320 __inode_security_revalidate(inode, NULL, true); 321 return inode->i_security; 322 } 323 324 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 325 { 326 struct inode *inode = d_backing_inode(dentry); 327 328 return inode->i_security; 329 } 330 331 /* 332 * Get the security label of a dentry's backing inode. 333 */ 334 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 335 { 336 struct inode *inode = d_backing_inode(dentry); 337 338 __inode_security_revalidate(inode, dentry, true); 339 return inode->i_security; 340 } 341 342 static void inode_free_rcu(struct rcu_head *head) 343 { 344 struct inode_security_struct *isec; 345 346 isec = container_of(head, struct inode_security_struct, rcu); 347 kmem_cache_free(sel_inode_cache, isec); 348 } 349 350 static void inode_free_security(struct inode *inode) 351 { 352 struct inode_security_struct *isec = inode->i_security; 353 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 354 355 /* 356 * As not all inode security structures are in a list, we check for 357 * empty list outside of the lock to make sure that we won't waste 358 * time taking a lock doing nothing. 359 * 360 * The list_del_init() function can be safely called more than once. 361 * It should not be possible for this function to be called with 362 * concurrent list_add(), but for better safety against future changes 363 * in the code, we use list_empty_careful() here. 364 */ 365 if (!list_empty_careful(&isec->list)) { 366 spin_lock(&sbsec->isec_lock); 367 list_del_init(&isec->list); 368 spin_unlock(&sbsec->isec_lock); 369 } 370 371 /* 372 * The inode may still be referenced in a path walk and 373 * a call to selinux_inode_permission() can be made 374 * after inode_free_security() is called. Ideally, the VFS 375 * wouldn't do this, but fixing that is a much harder 376 * job. For now, simply free the i_security via RCU, and 377 * leave the current inode->i_security pointer intact. 378 * The inode will be freed after the RCU grace period too. 379 */ 380 call_rcu(&isec->rcu, inode_free_rcu); 381 } 382 383 static int file_alloc_security(struct file *file) 384 { 385 struct file_security_struct *fsec; 386 u32 sid = current_sid(); 387 388 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); 389 if (!fsec) 390 return -ENOMEM; 391 392 fsec->sid = sid; 393 fsec->fown_sid = sid; 394 file->f_security = fsec; 395 396 return 0; 397 } 398 399 static void file_free_security(struct file *file) 400 { 401 struct file_security_struct *fsec = file->f_security; 402 file->f_security = NULL; 403 kmem_cache_free(file_security_cache, fsec); 404 } 405 406 static int superblock_alloc_security(struct super_block *sb) 407 { 408 struct superblock_security_struct *sbsec; 409 410 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 411 if (!sbsec) 412 return -ENOMEM; 413 414 mutex_init(&sbsec->lock); 415 INIT_LIST_HEAD(&sbsec->isec_head); 416 spin_lock_init(&sbsec->isec_lock); 417 sbsec->sb = sb; 418 sbsec->sid = SECINITSID_UNLABELED; 419 sbsec->def_sid = SECINITSID_FILE; 420 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 421 sb->s_security = sbsec; 422 423 return 0; 424 } 425 426 static void superblock_free_security(struct super_block *sb) 427 { 428 struct superblock_security_struct *sbsec = sb->s_security; 429 sb->s_security = NULL; 430 kfree(sbsec); 431 } 432 433 struct selinux_mnt_opts { 434 const char *fscontext, *context, *rootcontext, *defcontext; 435 }; 436 437 static void selinux_free_mnt_opts(void *mnt_opts) 438 { 439 struct selinux_mnt_opts *opts = mnt_opts; 440 kfree(opts->fscontext); 441 kfree(opts->context); 442 kfree(opts->rootcontext); 443 kfree(opts->defcontext); 444 kfree(opts); 445 } 446 447 static inline int inode_doinit(struct inode *inode) 448 { 449 return inode_doinit_with_dentry(inode, NULL); 450 } 451 452 enum { 453 Opt_error = -1, 454 Opt_context = 1, 455 Opt_fscontext = 2, 456 Opt_defcontext = 3, 457 Opt_rootcontext = 4, 458 Opt_seclabel = 5, 459 }; 460 461 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} 462 static struct { 463 const char *name; 464 int len; 465 int opt; 466 bool has_arg; 467 } tokens[] = { 468 A(context, true), 469 A(fscontext, true), 470 A(defcontext, true), 471 A(rootcontext, true), 472 A(seclabel, false), 473 }; 474 #undef A 475 476 static int match_opt_prefix(char *s, int l, char **arg) 477 { 478 int i; 479 480 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 481 size_t len = tokens[i].len; 482 if (len > l || memcmp(s, tokens[i].name, len)) 483 continue; 484 if (tokens[i].has_arg) { 485 if (len == l || s[len] != '=') 486 continue; 487 *arg = s + len + 1; 488 } else if (len != l) 489 continue; 490 return tokens[i].opt; 491 } 492 return Opt_error; 493 } 494 495 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 496 497 static int may_context_mount_sb_relabel(u32 sid, 498 struct superblock_security_struct *sbsec, 499 const struct cred *cred) 500 { 501 const struct task_security_struct *tsec = cred->security; 502 int rc; 503 504 rc = avc_has_perm(&selinux_state, 505 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 506 FILESYSTEM__RELABELFROM, NULL); 507 if (rc) 508 return rc; 509 510 rc = avc_has_perm(&selinux_state, 511 tsec->sid, sid, SECCLASS_FILESYSTEM, 512 FILESYSTEM__RELABELTO, NULL); 513 return rc; 514 } 515 516 static int may_context_mount_inode_relabel(u32 sid, 517 struct superblock_security_struct *sbsec, 518 const struct cred *cred) 519 { 520 const struct task_security_struct *tsec = cred->security; 521 int rc; 522 rc = avc_has_perm(&selinux_state, 523 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 524 FILESYSTEM__RELABELFROM, NULL); 525 if (rc) 526 return rc; 527 528 rc = avc_has_perm(&selinux_state, 529 sid, sbsec->sid, SECCLASS_FILESYSTEM, 530 FILESYSTEM__ASSOCIATE, NULL); 531 return rc; 532 } 533 534 static int selinux_is_sblabel_mnt(struct super_block *sb) 535 { 536 struct superblock_security_struct *sbsec = sb->s_security; 537 538 return sbsec->behavior == SECURITY_FS_USE_XATTR || 539 sbsec->behavior == SECURITY_FS_USE_TRANS || 540 sbsec->behavior == SECURITY_FS_USE_TASK || 541 sbsec->behavior == SECURITY_FS_USE_NATIVE || 542 /* Special handling. Genfs but also in-core setxattr handler */ 543 !strcmp(sb->s_type->name, "sysfs") || 544 !strcmp(sb->s_type->name, "pstore") || 545 !strcmp(sb->s_type->name, "debugfs") || 546 !strcmp(sb->s_type->name, "tracefs") || 547 !strcmp(sb->s_type->name, "rootfs") || 548 (selinux_policycap_cgroupseclabel() && 549 (!strcmp(sb->s_type->name, "cgroup") || 550 !strcmp(sb->s_type->name, "cgroup2"))); 551 } 552 553 static int sb_finish_set_opts(struct super_block *sb) 554 { 555 struct superblock_security_struct *sbsec = sb->s_security; 556 struct dentry *root = sb->s_root; 557 struct inode *root_inode = d_backing_inode(root); 558 int rc = 0; 559 560 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 561 /* Make sure that the xattr handler exists and that no 562 error other than -ENODATA is returned by getxattr on 563 the root directory. -ENODATA is ok, as this may be 564 the first boot of the SELinux kernel before we have 565 assigned xattr values to the filesystem. */ 566 if (!(root_inode->i_opflags & IOP_XATTR)) { 567 pr_warn("SELinux: (dev %s, type %s) has no " 568 "xattr support\n", sb->s_id, sb->s_type->name); 569 rc = -EOPNOTSUPP; 570 goto out; 571 } 572 573 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 574 if (rc < 0 && rc != -ENODATA) { 575 if (rc == -EOPNOTSUPP) 576 pr_warn("SELinux: (dev %s, type " 577 "%s) has no security xattr handler\n", 578 sb->s_id, sb->s_type->name); 579 else 580 pr_warn("SELinux: (dev %s, type " 581 "%s) getxattr errno %d\n", sb->s_id, 582 sb->s_type->name, -rc); 583 goto out; 584 } 585 } 586 587 sbsec->flags |= SE_SBINITIALIZED; 588 589 /* 590 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 591 * leave the flag untouched because sb_clone_mnt_opts might be handing 592 * us a superblock that needs the flag to be cleared. 593 */ 594 if (selinux_is_sblabel_mnt(sb)) 595 sbsec->flags |= SBLABEL_MNT; 596 else 597 sbsec->flags &= ~SBLABEL_MNT; 598 599 /* Initialize the root inode. */ 600 rc = inode_doinit_with_dentry(root_inode, root); 601 602 /* Initialize any other inodes associated with the superblock, e.g. 603 inodes created prior to initial policy load or inodes created 604 during get_sb by a pseudo filesystem that directly 605 populates itself. */ 606 spin_lock(&sbsec->isec_lock); 607 while (!list_empty(&sbsec->isec_head)) { 608 struct inode_security_struct *isec = 609 list_first_entry(&sbsec->isec_head, 610 struct inode_security_struct, list); 611 struct inode *inode = isec->inode; 612 list_del_init(&isec->list); 613 spin_unlock(&sbsec->isec_lock); 614 inode = igrab(inode); 615 if (inode) { 616 if (!IS_PRIVATE(inode)) 617 inode_doinit(inode); 618 iput(inode); 619 } 620 spin_lock(&sbsec->isec_lock); 621 } 622 spin_unlock(&sbsec->isec_lock); 623 out: 624 return rc; 625 } 626 627 static int bad_option(struct superblock_security_struct *sbsec, char flag, 628 u32 old_sid, u32 new_sid) 629 { 630 char mnt_flags = sbsec->flags & SE_MNTMASK; 631 632 /* check if the old mount command had the same options */ 633 if (sbsec->flags & SE_SBINITIALIZED) 634 if (!(sbsec->flags & flag) || 635 (old_sid != new_sid)) 636 return 1; 637 638 /* check if we were passed the same options twice, 639 * aka someone passed context=a,context=b 640 */ 641 if (!(sbsec->flags & SE_SBINITIALIZED)) 642 if (mnt_flags & flag) 643 return 1; 644 return 0; 645 } 646 647 static int parse_sid(struct super_block *sb, const char *s, u32 *sid) 648 { 649 int rc = security_context_str_to_sid(&selinux_state, s, 650 sid, GFP_KERNEL); 651 if (rc) 652 pr_warn("SELinux: security_context_str_to_sid" 653 "(%s) failed for (dev %s, type %s) errno=%d\n", 654 s, sb->s_id, sb->s_type->name, rc); 655 return rc; 656 } 657 658 /* 659 * Allow filesystems with binary mount data to explicitly set mount point 660 * labeling information. 661 */ 662 static int selinux_set_mnt_opts(struct super_block *sb, 663 void *mnt_opts, 664 unsigned long kern_flags, 665 unsigned long *set_kern_flags) 666 { 667 const struct cred *cred = current_cred(); 668 struct superblock_security_struct *sbsec = sb->s_security; 669 struct dentry *root = sbsec->sb->s_root; 670 struct selinux_mnt_opts *opts = mnt_opts; 671 struct inode_security_struct *root_isec; 672 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 673 u32 defcontext_sid = 0; 674 int rc = 0; 675 676 mutex_lock(&sbsec->lock); 677 678 if (!selinux_state.initialized) { 679 if (!opts) { 680 /* Defer initialization until selinux_complete_init, 681 after the initial policy is loaded and the security 682 server is ready to handle calls. */ 683 goto out; 684 } 685 rc = -EINVAL; 686 pr_warn("SELinux: Unable to set superblock options " 687 "before the security server is initialized\n"); 688 goto out; 689 } 690 if (kern_flags && !set_kern_flags) { 691 /* Specifying internal flags without providing a place to 692 * place the results is not allowed */ 693 rc = -EINVAL; 694 goto out; 695 } 696 697 /* 698 * Binary mount data FS will come through this function twice. Once 699 * from an explicit call and once from the generic calls from the vfs. 700 * Since the generic VFS calls will not contain any security mount data 701 * we need to skip the double mount verification. 702 * 703 * This does open a hole in which we will not notice if the first 704 * mount using this sb set explict options and a second mount using 705 * this sb does not set any security options. (The first options 706 * will be used for both mounts) 707 */ 708 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 709 && !opts) 710 goto out; 711 712 root_isec = backing_inode_security_novalidate(root); 713 714 /* 715 * parse the mount options, check if they are valid sids. 716 * also check if someone is trying to mount the same sb more 717 * than once with different security options. 718 */ 719 if (opts) { 720 if (opts->fscontext) { 721 rc = parse_sid(sb, opts->fscontext, &fscontext_sid); 722 if (rc) 723 goto out; 724 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 725 fscontext_sid)) 726 goto out_double_mount; 727 sbsec->flags |= FSCONTEXT_MNT; 728 } 729 if (opts->context) { 730 rc = parse_sid(sb, opts->context, &context_sid); 731 if (rc) 732 goto out; 733 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 734 context_sid)) 735 goto out_double_mount; 736 sbsec->flags |= CONTEXT_MNT; 737 } 738 if (opts->rootcontext) { 739 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid); 740 if (rc) 741 goto out; 742 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 743 rootcontext_sid)) 744 goto out_double_mount; 745 sbsec->flags |= ROOTCONTEXT_MNT; 746 } 747 if (opts->defcontext) { 748 rc = parse_sid(sb, opts->defcontext, &defcontext_sid); 749 if (rc) 750 goto out; 751 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 752 defcontext_sid)) 753 goto out_double_mount; 754 sbsec->flags |= DEFCONTEXT_MNT; 755 } 756 } 757 758 if (sbsec->flags & SE_SBINITIALIZED) { 759 /* previously mounted with options, but not on this attempt? */ 760 if ((sbsec->flags & SE_MNTMASK) && !opts) 761 goto out_double_mount; 762 rc = 0; 763 goto out; 764 } 765 766 if (strcmp(sb->s_type->name, "proc") == 0) 767 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 768 769 if (!strcmp(sb->s_type->name, "debugfs") || 770 !strcmp(sb->s_type->name, "tracefs") || 771 !strcmp(sb->s_type->name, "sysfs") || 772 !strcmp(sb->s_type->name, "pstore") || 773 !strcmp(sb->s_type->name, "cgroup") || 774 !strcmp(sb->s_type->name, "cgroup2")) 775 sbsec->flags |= SE_SBGENFS; 776 777 if (!sbsec->behavior) { 778 /* 779 * Determine the labeling behavior to use for this 780 * filesystem type. 781 */ 782 rc = security_fs_use(&selinux_state, sb); 783 if (rc) { 784 pr_warn("%s: security_fs_use(%s) returned %d\n", 785 __func__, sb->s_type->name, rc); 786 goto out; 787 } 788 } 789 790 /* 791 * If this is a user namespace mount and the filesystem type is not 792 * explicitly whitelisted, then no contexts are allowed on the command 793 * line and security labels must be ignored. 794 */ 795 if (sb->s_user_ns != &init_user_ns && 796 strcmp(sb->s_type->name, "tmpfs") && 797 strcmp(sb->s_type->name, "ramfs") && 798 strcmp(sb->s_type->name, "devpts")) { 799 if (context_sid || fscontext_sid || rootcontext_sid || 800 defcontext_sid) { 801 rc = -EACCES; 802 goto out; 803 } 804 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 805 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 806 rc = security_transition_sid(&selinux_state, 807 current_sid(), 808 current_sid(), 809 SECCLASS_FILE, NULL, 810 &sbsec->mntpoint_sid); 811 if (rc) 812 goto out; 813 } 814 goto out_set_opts; 815 } 816 817 /* sets the context of the superblock for the fs being mounted. */ 818 if (fscontext_sid) { 819 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 820 if (rc) 821 goto out; 822 823 sbsec->sid = fscontext_sid; 824 } 825 826 /* 827 * Switch to using mount point labeling behavior. 828 * sets the label used on all file below the mountpoint, and will set 829 * the superblock context if not already set. 830 */ 831 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 832 sbsec->behavior = SECURITY_FS_USE_NATIVE; 833 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 834 } 835 836 if (context_sid) { 837 if (!fscontext_sid) { 838 rc = may_context_mount_sb_relabel(context_sid, sbsec, 839 cred); 840 if (rc) 841 goto out; 842 sbsec->sid = context_sid; 843 } else { 844 rc = may_context_mount_inode_relabel(context_sid, sbsec, 845 cred); 846 if (rc) 847 goto out; 848 } 849 if (!rootcontext_sid) 850 rootcontext_sid = context_sid; 851 852 sbsec->mntpoint_sid = context_sid; 853 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 854 } 855 856 if (rootcontext_sid) { 857 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 858 cred); 859 if (rc) 860 goto out; 861 862 root_isec->sid = rootcontext_sid; 863 root_isec->initialized = LABEL_INITIALIZED; 864 } 865 866 if (defcontext_sid) { 867 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 868 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 869 rc = -EINVAL; 870 pr_warn("SELinux: defcontext option is " 871 "invalid for this filesystem type\n"); 872 goto out; 873 } 874 875 if (defcontext_sid != sbsec->def_sid) { 876 rc = may_context_mount_inode_relabel(defcontext_sid, 877 sbsec, cred); 878 if (rc) 879 goto out; 880 } 881 882 sbsec->def_sid = defcontext_sid; 883 } 884 885 out_set_opts: 886 rc = sb_finish_set_opts(sb); 887 out: 888 mutex_unlock(&sbsec->lock); 889 return rc; 890 out_double_mount: 891 rc = -EINVAL; 892 pr_warn("SELinux: mount invalid. Same superblock, different " 893 "security settings for (dev %s, type %s)\n", sb->s_id, 894 sb->s_type->name); 895 goto out; 896 } 897 898 static int selinux_cmp_sb_context(const struct super_block *oldsb, 899 const struct super_block *newsb) 900 { 901 struct superblock_security_struct *old = oldsb->s_security; 902 struct superblock_security_struct *new = newsb->s_security; 903 char oldflags = old->flags & SE_MNTMASK; 904 char newflags = new->flags & SE_MNTMASK; 905 906 if (oldflags != newflags) 907 goto mismatch; 908 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 909 goto mismatch; 910 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 911 goto mismatch; 912 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 913 goto mismatch; 914 if (oldflags & ROOTCONTEXT_MNT) { 915 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 916 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 917 if (oldroot->sid != newroot->sid) 918 goto mismatch; 919 } 920 return 0; 921 mismatch: 922 pr_warn("SELinux: mount invalid. Same superblock, " 923 "different security settings for (dev %s, " 924 "type %s)\n", newsb->s_id, newsb->s_type->name); 925 return -EBUSY; 926 } 927 928 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 929 struct super_block *newsb, 930 unsigned long kern_flags, 931 unsigned long *set_kern_flags) 932 { 933 int rc = 0; 934 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 935 struct superblock_security_struct *newsbsec = newsb->s_security; 936 937 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 938 int set_context = (oldsbsec->flags & CONTEXT_MNT); 939 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 940 941 /* 942 * if the parent was able to be mounted it clearly had no special lsm 943 * mount options. thus we can safely deal with this superblock later 944 */ 945 if (!selinux_state.initialized) 946 return 0; 947 948 /* 949 * Specifying internal flags without providing a place to 950 * place the results is not allowed. 951 */ 952 if (kern_flags && !set_kern_flags) 953 return -EINVAL; 954 955 /* how can we clone if the old one wasn't set up?? */ 956 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 957 958 /* if fs is reusing a sb, make sure that the contexts match */ 959 if (newsbsec->flags & SE_SBINITIALIZED) 960 return selinux_cmp_sb_context(oldsb, newsb); 961 962 mutex_lock(&newsbsec->lock); 963 964 newsbsec->flags = oldsbsec->flags; 965 966 newsbsec->sid = oldsbsec->sid; 967 newsbsec->def_sid = oldsbsec->def_sid; 968 newsbsec->behavior = oldsbsec->behavior; 969 970 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 971 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 972 rc = security_fs_use(&selinux_state, newsb); 973 if (rc) 974 goto out; 975 } 976 977 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 978 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 979 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 980 } 981 982 if (set_context) { 983 u32 sid = oldsbsec->mntpoint_sid; 984 985 if (!set_fscontext) 986 newsbsec->sid = sid; 987 if (!set_rootcontext) { 988 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 989 newisec->sid = sid; 990 } 991 newsbsec->mntpoint_sid = sid; 992 } 993 if (set_rootcontext) { 994 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 995 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 996 997 newisec->sid = oldisec->sid; 998 } 999 1000 sb_finish_set_opts(newsb); 1001 out: 1002 mutex_unlock(&newsbsec->lock); 1003 return rc; 1004 } 1005 1006 static int selinux_add_opt(int token, const char *s, void **mnt_opts) 1007 { 1008 struct selinux_mnt_opts *opts = *mnt_opts; 1009 1010 if (token == Opt_seclabel) /* eaten and completely ignored */ 1011 return 0; 1012 1013 if (!opts) { 1014 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL); 1015 if (!opts) 1016 return -ENOMEM; 1017 *mnt_opts = opts; 1018 } 1019 if (!s) 1020 return -ENOMEM; 1021 switch (token) { 1022 case Opt_context: 1023 if (opts->context || opts->defcontext) 1024 goto Einval; 1025 opts->context = s; 1026 break; 1027 case Opt_fscontext: 1028 if (opts->fscontext) 1029 goto Einval; 1030 opts->fscontext = s; 1031 break; 1032 case Opt_rootcontext: 1033 if (opts->rootcontext) 1034 goto Einval; 1035 opts->rootcontext = s; 1036 break; 1037 case Opt_defcontext: 1038 if (opts->context || opts->defcontext) 1039 goto Einval; 1040 opts->defcontext = s; 1041 break; 1042 } 1043 return 0; 1044 Einval: 1045 pr_warn(SEL_MOUNT_FAIL_MSG); 1046 return -EINVAL; 1047 } 1048 1049 static int selinux_add_mnt_opt(const char *option, const char *val, int len, 1050 void **mnt_opts) 1051 { 1052 int token = Opt_error; 1053 int rc, i; 1054 1055 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 1056 if (strcmp(option, tokens[i].name) == 0) { 1057 token = tokens[i].opt; 1058 break; 1059 } 1060 } 1061 1062 if (token == Opt_error) 1063 return -EINVAL; 1064 1065 if (token != Opt_seclabel) 1066 val = kmemdup_nul(val, len, GFP_KERNEL); 1067 rc = selinux_add_opt(token, val, mnt_opts); 1068 if (unlikely(rc)) { 1069 kfree(val); 1070 if (*mnt_opts) { 1071 selinux_free_mnt_opts(*mnt_opts); 1072 *mnt_opts = NULL; 1073 } 1074 } 1075 return rc; 1076 } 1077 1078 static int show_sid(struct seq_file *m, u32 sid) 1079 { 1080 char *context = NULL; 1081 u32 len; 1082 int rc; 1083 1084 rc = security_sid_to_context(&selinux_state, sid, 1085 &context, &len); 1086 if (!rc) { 1087 bool has_comma = context && strchr(context, ','); 1088 1089 if (has_comma) 1090 seq_putc(m, '\"'); 1091 seq_escape(m, context, "\"\n\\"); 1092 if (has_comma) 1093 seq_putc(m, '\"'); 1094 } 1095 kfree(context); 1096 return rc; 1097 } 1098 1099 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1100 { 1101 struct superblock_security_struct *sbsec = sb->s_security; 1102 int rc; 1103 1104 if (!(sbsec->flags & SE_SBINITIALIZED)) 1105 return 0; 1106 1107 if (!selinux_state.initialized) 1108 return 0; 1109 1110 if (sbsec->flags & FSCONTEXT_MNT) { 1111 seq_putc(m, ','); 1112 seq_puts(m, FSCONTEXT_STR); 1113 rc = show_sid(m, sbsec->sid); 1114 if (rc) 1115 return rc; 1116 } 1117 if (sbsec->flags & CONTEXT_MNT) { 1118 seq_putc(m, ','); 1119 seq_puts(m, CONTEXT_STR); 1120 rc = show_sid(m, sbsec->mntpoint_sid); 1121 if (rc) 1122 return rc; 1123 } 1124 if (sbsec->flags & DEFCONTEXT_MNT) { 1125 seq_putc(m, ','); 1126 seq_puts(m, DEFCONTEXT_STR); 1127 rc = show_sid(m, sbsec->def_sid); 1128 if (rc) 1129 return rc; 1130 } 1131 if (sbsec->flags & ROOTCONTEXT_MNT) { 1132 struct dentry *root = sbsec->sb->s_root; 1133 struct inode_security_struct *isec = backing_inode_security(root); 1134 seq_putc(m, ','); 1135 seq_puts(m, ROOTCONTEXT_STR); 1136 rc = show_sid(m, isec->sid); 1137 if (rc) 1138 return rc; 1139 } 1140 if (sbsec->flags & SBLABEL_MNT) { 1141 seq_putc(m, ','); 1142 seq_puts(m, LABELSUPP_STR); 1143 } 1144 return 0; 1145 } 1146 1147 static inline u16 inode_mode_to_security_class(umode_t mode) 1148 { 1149 switch (mode & S_IFMT) { 1150 case S_IFSOCK: 1151 return SECCLASS_SOCK_FILE; 1152 case S_IFLNK: 1153 return SECCLASS_LNK_FILE; 1154 case S_IFREG: 1155 return SECCLASS_FILE; 1156 case S_IFBLK: 1157 return SECCLASS_BLK_FILE; 1158 case S_IFDIR: 1159 return SECCLASS_DIR; 1160 case S_IFCHR: 1161 return SECCLASS_CHR_FILE; 1162 case S_IFIFO: 1163 return SECCLASS_FIFO_FILE; 1164 1165 } 1166 1167 return SECCLASS_FILE; 1168 } 1169 1170 static inline int default_protocol_stream(int protocol) 1171 { 1172 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1173 } 1174 1175 static inline int default_protocol_dgram(int protocol) 1176 { 1177 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1178 } 1179 1180 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1181 { 1182 int extsockclass = selinux_policycap_extsockclass(); 1183 1184 switch (family) { 1185 case PF_UNIX: 1186 switch (type) { 1187 case SOCK_STREAM: 1188 case SOCK_SEQPACKET: 1189 return SECCLASS_UNIX_STREAM_SOCKET; 1190 case SOCK_DGRAM: 1191 case SOCK_RAW: 1192 return SECCLASS_UNIX_DGRAM_SOCKET; 1193 } 1194 break; 1195 case PF_INET: 1196 case PF_INET6: 1197 switch (type) { 1198 case SOCK_STREAM: 1199 case SOCK_SEQPACKET: 1200 if (default_protocol_stream(protocol)) 1201 return SECCLASS_TCP_SOCKET; 1202 else if (extsockclass && protocol == IPPROTO_SCTP) 1203 return SECCLASS_SCTP_SOCKET; 1204 else 1205 return SECCLASS_RAWIP_SOCKET; 1206 case SOCK_DGRAM: 1207 if (default_protocol_dgram(protocol)) 1208 return SECCLASS_UDP_SOCKET; 1209 else if (extsockclass && (protocol == IPPROTO_ICMP || 1210 protocol == IPPROTO_ICMPV6)) 1211 return SECCLASS_ICMP_SOCKET; 1212 else 1213 return SECCLASS_RAWIP_SOCKET; 1214 case SOCK_DCCP: 1215 return SECCLASS_DCCP_SOCKET; 1216 default: 1217 return SECCLASS_RAWIP_SOCKET; 1218 } 1219 break; 1220 case PF_NETLINK: 1221 switch (protocol) { 1222 case NETLINK_ROUTE: 1223 return SECCLASS_NETLINK_ROUTE_SOCKET; 1224 case NETLINK_SOCK_DIAG: 1225 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1226 case NETLINK_NFLOG: 1227 return SECCLASS_NETLINK_NFLOG_SOCKET; 1228 case NETLINK_XFRM: 1229 return SECCLASS_NETLINK_XFRM_SOCKET; 1230 case NETLINK_SELINUX: 1231 return SECCLASS_NETLINK_SELINUX_SOCKET; 1232 case NETLINK_ISCSI: 1233 return SECCLASS_NETLINK_ISCSI_SOCKET; 1234 case NETLINK_AUDIT: 1235 return SECCLASS_NETLINK_AUDIT_SOCKET; 1236 case NETLINK_FIB_LOOKUP: 1237 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1238 case NETLINK_CONNECTOR: 1239 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1240 case NETLINK_NETFILTER: 1241 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1242 case NETLINK_DNRTMSG: 1243 return SECCLASS_NETLINK_DNRT_SOCKET; 1244 case NETLINK_KOBJECT_UEVENT: 1245 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1246 case NETLINK_GENERIC: 1247 return SECCLASS_NETLINK_GENERIC_SOCKET; 1248 case NETLINK_SCSITRANSPORT: 1249 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1250 case NETLINK_RDMA: 1251 return SECCLASS_NETLINK_RDMA_SOCKET; 1252 case NETLINK_CRYPTO: 1253 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1254 default: 1255 return SECCLASS_NETLINK_SOCKET; 1256 } 1257 case PF_PACKET: 1258 return SECCLASS_PACKET_SOCKET; 1259 case PF_KEY: 1260 return SECCLASS_KEY_SOCKET; 1261 case PF_APPLETALK: 1262 return SECCLASS_APPLETALK_SOCKET; 1263 } 1264 1265 if (extsockclass) { 1266 switch (family) { 1267 case PF_AX25: 1268 return SECCLASS_AX25_SOCKET; 1269 case PF_IPX: 1270 return SECCLASS_IPX_SOCKET; 1271 case PF_NETROM: 1272 return SECCLASS_NETROM_SOCKET; 1273 case PF_ATMPVC: 1274 return SECCLASS_ATMPVC_SOCKET; 1275 case PF_X25: 1276 return SECCLASS_X25_SOCKET; 1277 case PF_ROSE: 1278 return SECCLASS_ROSE_SOCKET; 1279 case PF_DECnet: 1280 return SECCLASS_DECNET_SOCKET; 1281 case PF_ATMSVC: 1282 return SECCLASS_ATMSVC_SOCKET; 1283 case PF_RDS: 1284 return SECCLASS_RDS_SOCKET; 1285 case PF_IRDA: 1286 return SECCLASS_IRDA_SOCKET; 1287 case PF_PPPOX: 1288 return SECCLASS_PPPOX_SOCKET; 1289 case PF_LLC: 1290 return SECCLASS_LLC_SOCKET; 1291 case PF_CAN: 1292 return SECCLASS_CAN_SOCKET; 1293 case PF_TIPC: 1294 return SECCLASS_TIPC_SOCKET; 1295 case PF_BLUETOOTH: 1296 return SECCLASS_BLUETOOTH_SOCKET; 1297 case PF_IUCV: 1298 return SECCLASS_IUCV_SOCKET; 1299 case PF_RXRPC: 1300 return SECCLASS_RXRPC_SOCKET; 1301 case PF_ISDN: 1302 return SECCLASS_ISDN_SOCKET; 1303 case PF_PHONET: 1304 return SECCLASS_PHONET_SOCKET; 1305 case PF_IEEE802154: 1306 return SECCLASS_IEEE802154_SOCKET; 1307 case PF_CAIF: 1308 return SECCLASS_CAIF_SOCKET; 1309 case PF_ALG: 1310 return SECCLASS_ALG_SOCKET; 1311 case PF_NFC: 1312 return SECCLASS_NFC_SOCKET; 1313 case PF_VSOCK: 1314 return SECCLASS_VSOCK_SOCKET; 1315 case PF_KCM: 1316 return SECCLASS_KCM_SOCKET; 1317 case PF_QIPCRTR: 1318 return SECCLASS_QIPCRTR_SOCKET; 1319 case PF_SMC: 1320 return SECCLASS_SMC_SOCKET; 1321 case PF_XDP: 1322 return SECCLASS_XDP_SOCKET; 1323 #if PF_MAX > 45 1324 #error New address family defined, please update this function. 1325 #endif 1326 } 1327 } 1328 1329 return SECCLASS_SOCKET; 1330 } 1331 1332 static int selinux_genfs_get_sid(struct dentry *dentry, 1333 u16 tclass, 1334 u16 flags, 1335 u32 *sid) 1336 { 1337 int rc; 1338 struct super_block *sb = dentry->d_sb; 1339 char *buffer, *path; 1340 1341 buffer = (char *)__get_free_page(GFP_KERNEL); 1342 if (!buffer) 1343 return -ENOMEM; 1344 1345 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1346 if (IS_ERR(path)) 1347 rc = PTR_ERR(path); 1348 else { 1349 if (flags & SE_SBPROC) { 1350 /* each process gets a /proc/PID/ entry. Strip off the 1351 * PID part to get a valid selinux labeling. 1352 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1353 while (path[1] >= '0' && path[1] <= '9') { 1354 path[1] = '/'; 1355 path++; 1356 } 1357 } 1358 rc = security_genfs_sid(&selinux_state, sb->s_type->name, 1359 path, tclass, sid); 1360 if (rc == -ENOENT) { 1361 /* No match in policy, mark as unlabeled. */ 1362 *sid = SECINITSID_UNLABELED; 1363 rc = 0; 1364 } 1365 } 1366 free_page((unsigned long)buffer); 1367 return rc; 1368 } 1369 1370 /* The inode's security attributes must be initialized before first use. */ 1371 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1372 { 1373 struct superblock_security_struct *sbsec = NULL; 1374 struct inode_security_struct *isec = inode->i_security; 1375 u32 task_sid, sid = 0; 1376 u16 sclass; 1377 struct dentry *dentry; 1378 #define INITCONTEXTLEN 255 1379 char *context = NULL; 1380 unsigned len = 0; 1381 int rc = 0; 1382 1383 if (isec->initialized == LABEL_INITIALIZED) 1384 return 0; 1385 1386 spin_lock(&isec->lock); 1387 if (isec->initialized == LABEL_INITIALIZED) 1388 goto out_unlock; 1389 1390 if (isec->sclass == SECCLASS_FILE) 1391 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1392 1393 sbsec = inode->i_sb->s_security; 1394 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1395 /* Defer initialization until selinux_complete_init, 1396 after the initial policy is loaded and the security 1397 server is ready to handle calls. */ 1398 spin_lock(&sbsec->isec_lock); 1399 if (list_empty(&isec->list)) 1400 list_add(&isec->list, &sbsec->isec_head); 1401 spin_unlock(&sbsec->isec_lock); 1402 goto out_unlock; 1403 } 1404 1405 sclass = isec->sclass; 1406 task_sid = isec->task_sid; 1407 sid = isec->sid; 1408 isec->initialized = LABEL_PENDING; 1409 spin_unlock(&isec->lock); 1410 1411 switch (sbsec->behavior) { 1412 case SECURITY_FS_USE_NATIVE: 1413 break; 1414 case SECURITY_FS_USE_XATTR: 1415 if (!(inode->i_opflags & IOP_XATTR)) { 1416 sid = sbsec->def_sid; 1417 break; 1418 } 1419 /* Need a dentry, since the xattr API requires one. 1420 Life would be simpler if we could just pass the inode. */ 1421 if (opt_dentry) { 1422 /* Called from d_instantiate or d_splice_alias. */ 1423 dentry = dget(opt_dentry); 1424 } else { 1425 /* 1426 * Called from selinux_complete_init, try to find a dentry. 1427 * Some filesystems really want a connected one, so try 1428 * that first. We could split SECURITY_FS_USE_XATTR in 1429 * two, depending upon that... 1430 */ 1431 dentry = d_find_alias(inode); 1432 if (!dentry) 1433 dentry = d_find_any_alias(inode); 1434 } 1435 if (!dentry) { 1436 /* 1437 * this is can be hit on boot when a file is accessed 1438 * before the policy is loaded. When we load policy we 1439 * may find inodes that have no dentry on the 1440 * sbsec->isec_head list. No reason to complain as these 1441 * will get fixed up the next time we go through 1442 * inode_doinit with a dentry, before these inodes could 1443 * be used again by userspace. 1444 */ 1445 goto out; 1446 } 1447 1448 len = INITCONTEXTLEN; 1449 context = kmalloc(len+1, GFP_NOFS); 1450 if (!context) { 1451 rc = -ENOMEM; 1452 dput(dentry); 1453 goto out; 1454 } 1455 context[len] = '\0'; 1456 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1457 if (rc == -ERANGE) { 1458 kfree(context); 1459 1460 /* Need a larger buffer. Query for the right size. */ 1461 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1462 if (rc < 0) { 1463 dput(dentry); 1464 goto out; 1465 } 1466 len = rc; 1467 context = kmalloc(len+1, GFP_NOFS); 1468 if (!context) { 1469 rc = -ENOMEM; 1470 dput(dentry); 1471 goto out; 1472 } 1473 context[len] = '\0'; 1474 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1475 } 1476 dput(dentry); 1477 if (rc < 0) { 1478 if (rc != -ENODATA) { 1479 pr_warn("SELinux: %s: getxattr returned " 1480 "%d for dev=%s ino=%ld\n", __func__, 1481 -rc, inode->i_sb->s_id, inode->i_ino); 1482 kfree(context); 1483 goto out; 1484 } 1485 /* Map ENODATA to the default file SID */ 1486 sid = sbsec->def_sid; 1487 rc = 0; 1488 } else { 1489 rc = security_context_to_sid_default(&selinux_state, 1490 context, rc, &sid, 1491 sbsec->def_sid, 1492 GFP_NOFS); 1493 if (rc) { 1494 char *dev = inode->i_sb->s_id; 1495 unsigned long ino = inode->i_ino; 1496 1497 if (rc == -EINVAL) { 1498 if (printk_ratelimit()) 1499 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid " 1500 "context=%s. This indicates you may need to relabel the inode or the " 1501 "filesystem in question.\n", ino, dev, context); 1502 } else { 1503 pr_warn("SELinux: %s: context_to_sid(%s) " 1504 "returned %d for dev=%s ino=%ld\n", 1505 __func__, context, -rc, dev, ino); 1506 } 1507 kfree(context); 1508 /* Leave with the unlabeled SID */ 1509 rc = 0; 1510 break; 1511 } 1512 } 1513 kfree(context); 1514 break; 1515 case SECURITY_FS_USE_TASK: 1516 sid = task_sid; 1517 break; 1518 case SECURITY_FS_USE_TRANS: 1519 /* Default to the fs SID. */ 1520 sid = sbsec->sid; 1521 1522 /* Try to obtain a transition SID. */ 1523 rc = security_transition_sid(&selinux_state, task_sid, sid, 1524 sclass, NULL, &sid); 1525 if (rc) 1526 goto out; 1527 break; 1528 case SECURITY_FS_USE_MNTPOINT: 1529 sid = sbsec->mntpoint_sid; 1530 break; 1531 default: 1532 /* Default to the fs superblock SID. */ 1533 sid = sbsec->sid; 1534 1535 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { 1536 /* We must have a dentry to determine the label on 1537 * procfs inodes */ 1538 if (opt_dentry) { 1539 /* Called from d_instantiate or 1540 * d_splice_alias. */ 1541 dentry = dget(opt_dentry); 1542 } else { 1543 /* Called from selinux_complete_init, try to 1544 * find a dentry. Some filesystems really want 1545 * a connected one, so try that first. 1546 */ 1547 dentry = d_find_alias(inode); 1548 if (!dentry) 1549 dentry = d_find_any_alias(inode); 1550 } 1551 /* 1552 * This can be hit on boot when a file is accessed 1553 * before the policy is loaded. When we load policy we 1554 * may find inodes that have no dentry on the 1555 * sbsec->isec_head list. No reason to complain as 1556 * these will get fixed up the next time we go through 1557 * inode_doinit() with a dentry, before these inodes 1558 * could be used again by userspace. 1559 */ 1560 if (!dentry) 1561 goto out; 1562 rc = selinux_genfs_get_sid(dentry, sclass, 1563 sbsec->flags, &sid); 1564 dput(dentry); 1565 if (rc) 1566 goto out; 1567 } 1568 break; 1569 } 1570 1571 out: 1572 spin_lock(&isec->lock); 1573 if (isec->initialized == LABEL_PENDING) { 1574 if (!sid || rc) { 1575 isec->initialized = LABEL_INVALID; 1576 goto out_unlock; 1577 } 1578 1579 isec->initialized = LABEL_INITIALIZED; 1580 isec->sid = sid; 1581 } 1582 1583 out_unlock: 1584 spin_unlock(&isec->lock); 1585 return rc; 1586 } 1587 1588 /* Convert a Linux signal to an access vector. */ 1589 static inline u32 signal_to_av(int sig) 1590 { 1591 u32 perm = 0; 1592 1593 switch (sig) { 1594 case SIGCHLD: 1595 /* Commonly granted from child to parent. */ 1596 perm = PROCESS__SIGCHLD; 1597 break; 1598 case SIGKILL: 1599 /* Cannot be caught or ignored */ 1600 perm = PROCESS__SIGKILL; 1601 break; 1602 case SIGSTOP: 1603 /* Cannot be caught or ignored */ 1604 perm = PROCESS__SIGSTOP; 1605 break; 1606 default: 1607 /* All other signals. */ 1608 perm = PROCESS__SIGNAL; 1609 break; 1610 } 1611 1612 return perm; 1613 } 1614 1615 #if CAP_LAST_CAP > 63 1616 #error Fix SELinux to handle capabilities > 63. 1617 #endif 1618 1619 /* Check whether a task is allowed to use a capability. */ 1620 static int cred_has_capability(const struct cred *cred, 1621 int cap, int audit, bool initns) 1622 { 1623 struct common_audit_data ad; 1624 struct av_decision avd; 1625 u16 sclass; 1626 u32 sid = cred_sid(cred); 1627 u32 av = CAP_TO_MASK(cap); 1628 int rc; 1629 1630 ad.type = LSM_AUDIT_DATA_CAP; 1631 ad.u.cap = cap; 1632 1633 switch (CAP_TO_INDEX(cap)) { 1634 case 0: 1635 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1636 break; 1637 case 1: 1638 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1639 break; 1640 default: 1641 pr_err("SELinux: out of range capability %d\n", cap); 1642 BUG(); 1643 return -EINVAL; 1644 } 1645 1646 rc = avc_has_perm_noaudit(&selinux_state, 1647 sid, sid, sclass, av, 0, &avd); 1648 if (audit == SECURITY_CAP_AUDIT) { 1649 int rc2 = avc_audit(&selinux_state, 1650 sid, sid, sclass, av, &avd, rc, &ad, 0); 1651 if (rc2) 1652 return rc2; 1653 } 1654 return rc; 1655 } 1656 1657 /* Check whether a task has a particular permission to an inode. 1658 The 'adp' parameter is optional and allows other audit 1659 data to be passed (e.g. the dentry). */ 1660 static int inode_has_perm(const struct cred *cred, 1661 struct inode *inode, 1662 u32 perms, 1663 struct common_audit_data *adp) 1664 { 1665 struct inode_security_struct *isec; 1666 u32 sid; 1667 1668 validate_creds(cred); 1669 1670 if (unlikely(IS_PRIVATE(inode))) 1671 return 0; 1672 1673 sid = cred_sid(cred); 1674 isec = inode->i_security; 1675 1676 return avc_has_perm(&selinux_state, 1677 sid, isec->sid, isec->sclass, perms, adp); 1678 } 1679 1680 /* Same as inode_has_perm, but pass explicit audit data containing 1681 the dentry to help the auditing code to more easily generate the 1682 pathname if needed. */ 1683 static inline int dentry_has_perm(const struct cred *cred, 1684 struct dentry *dentry, 1685 u32 av) 1686 { 1687 struct inode *inode = d_backing_inode(dentry); 1688 struct common_audit_data ad; 1689 1690 ad.type = LSM_AUDIT_DATA_DENTRY; 1691 ad.u.dentry = dentry; 1692 __inode_security_revalidate(inode, dentry, true); 1693 return inode_has_perm(cred, inode, av, &ad); 1694 } 1695 1696 /* Same as inode_has_perm, but pass explicit audit data containing 1697 the path to help the auditing code to more easily generate the 1698 pathname if needed. */ 1699 static inline int path_has_perm(const struct cred *cred, 1700 const struct path *path, 1701 u32 av) 1702 { 1703 struct inode *inode = d_backing_inode(path->dentry); 1704 struct common_audit_data ad; 1705 1706 ad.type = LSM_AUDIT_DATA_PATH; 1707 ad.u.path = *path; 1708 __inode_security_revalidate(inode, path->dentry, true); 1709 return inode_has_perm(cred, inode, av, &ad); 1710 } 1711 1712 /* Same as path_has_perm, but uses the inode from the file struct. */ 1713 static inline int file_path_has_perm(const struct cred *cred, 1714 struct file *file, 1715 u32 av) 1716 { 1717 struct common_audit_data ad; 1718 1719 ad.type = LSM_AUDIT_DATA_FILE; 1720 ad.u.file = file; 1721 return inode_has_perm(cred, file_inode(file), av, &ad); 1722 } 1723 1724 #ifdef CONFIG_BPF_SYSCALL 1725 static int bpf_fd_pass(struct file *file, u32 sid); 1726 #endif 1727 1728 /* Check whether a task can use an open file descriptor to 1729 access an inode in a given way. Check access to the 1730 descriptor itself, and then use dentry_has_perm to 1731 check a particular permission to the file. 1732 Access to the descriptor is implicitly granted if it 1733 has the same SID as the process. If av is zero, then 1734 access to the file is not checked, e.g. for cases 1735 where only the descriptor is affected like seek. */ 1736 static int file_has_perm(const struct cred *cred, 1737 struct file *file, 1738 u32 av) 1739 { 1740 struct file_security_struct *fsec = file->f_security; 1741 struct inode *inode = file_inode(file); 1742 struct common_audit_data ad; 1743 u32 sid = cred_sid(cred); 1744 int rc; 1745 1746 ad.type = LSM_AUDIT_DATA_FILE; 1747 ad.u.file = file; 1748 1749 if (sid != fsec->sid) { 1750 rc = avc_has_perm(&selinux_state, 1751 sid, fsec->sid, 1752 SECCLASS_FD, 1753 FD__USE, 1754 &ad); 1755 if (rc) 1756 goto out; 1757 } 1758 1759 #ifdef CONFIG_BPF_SYSCALL 1760 rc = bpf_fd_pass(file, cred_sid(cred)); 1761 if (rc) 1762 return rc; 1763 #endif 1764 1765 /* av is zero if only checking access to the descriptor. */ 1766 rc = 0; 1767 if (av) 1768 rc = inode_has_perm(cred, inode, av, &ad); 1769 1770 out: 1771 return rc; 1772 } 1773 1774 /* 1775 * Determine the label for an inode that might be unioned. 1776 */ 1777 static int 1778 selinux_determine_inode_label(const struct task_security_struct *tsec, 1779 struct inode *dir, 1780 const struct qstr *name, u16 tclass, 1781 u32 *_new_isid) 1782 { 1783 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1784 1785 if ((sbsec->flags & SE_SBINITIALIZED) && 1786 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1787 *_new_isid = sbsec->mntpoint_sid; 1788 } else if ((sbsec->flags & SBLABEL_MNT) && 1789 tsec->create_sid) { 1790 *_new_isid = tsec->create_sid; 1791 } else { 1792 const struct inode_security_struct *dsec = inode_security(dir); 1793 return security_transition_sid(&selinux_state, tsec->sid, 1794 dsec->sid, tclass, 1795 name, _new_isid); 1796 } 1797 1798 return 0; 1799 } 1800 1801 /* Check whether a task can create a file. */ 1802 static int may_create(struct inode *dir, 1803 struct dentry *dentry, 1804 u16 tclass) 1805 { 1806 const struct task_security_struct *tsec = current_security(); 1807 struct inode_security_struct *dsec; 1808 struct superblock_security_struct *sbsec; 1809 u32 sid, newsid; 1810 struct common_audit_data ad; 1811 int rc; 1812 1813 dsec = inode_security(dir); 1814 sbsec = dir->i_sb->s_security; 1815 1816 sid = tsec->sid; 1817 1818 ad.type = LSM_AUDIT_DATA_DENTRY; 1819 ad.u.dentry = dentry; 1820 1821 rc = avc_has_perm(&selinux_state, 1822 sid, dsec->sid, SECCLASS_DIR, 1823 DIR__ADD_NAME | DIR__SEARCH, 1824 &ad); 1825 if (rc) 1826 return rc; 1827 1828 rc = selinux_determine_inode_label(current_security(), dir, 1829 &dentry->d_name, tclass, &newsid); 1830 if (rc) 1831 return rc; 1832 1833 rc = avc_has_perm(&selinux_state, 1834 sid, newsid, tclass, FILE__CREATE, &ad); 1835 if (rc) 1836 return rc; 1837 1838 return avc_has_perm(&selinux_state, 1839 newsid, sbsec->sid, 1840 SECCLASS_FILESYSTEM, 1841 FILESYSTEM__ASSOCIATE, &ad); 1842 } 1843 1844 #define MAY_LINK 0 1845 #define MAY_UNLINK 1 1846 #define MAY_RMDIR 2 1847 1848 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1849 static int may_link(struct inode *dir, 1850 struct dentry *dentry, 1851 int kind) 1852 1853 { 1854 struct inode_security_struct *dsec, *isec; 1855 struct common_audit_data ad; 1856 u32 sid = current_sid(); 1857 u32 av; 1858 int rc; 1859 1860 dsec = inode_security(dir); 1861 isec = backing_inode_security(dentry); 1862 1863 ad.type = LSM_AUDIT_DATA_DENTRY; 1864 ad.u.dentry = dentry; 1865 1866 av = DIR__SEARCH; 1867 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1868 rc = avc_has_perm(&selinux_state, 1869 sid, dsec->sid, SECCLASS_DIR, av, &ad); 1870 if (rc) 1871 return rc; 1872 1873 switch (kind) { 1874 case MAY_LINK: 1875 av = FILE__LINK; 1876 break; 1877 case MAY_UNLINK: 1878 av = FILE__UNLINK; 1879 break; 1880 case MAY_RMDIR: 1881 av = DIR__RMDIR; 1882 break; 1883 default: 1884 pr_warn("SELinux: %s: unrecognized kind %d\n", 1885 __func__, kind); 1886 return 0; 1887 } 1888 1889 rc = avc_has_perm(&selinux_state, 1890 sid, isec->sid, isec->sclass, av, &ad); 1891 return rc; 1892 } 1893 1894 static inline int may_rename(struct inode *old_dir, 1895 struct dentry *old_dentry, 1896 struct inode *new_dir, 1897 struct dentry *new_dentry) 1898 { 1899 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1900 struct common_audit_data ad; 1901 u32 sid = current_sid(); 1902 u32 av; 1903 int old_is_dir, new_is_dir; 1904 int rc; 1905 1906 old_dsec = inode_security(old_dir); 1907 old_isec = backing_inode_security(old_dentry); 1908 old_is_dir = d_is_dir(old_dentry); 1909 new_dsec = inode_security(new_dir); 1910 1911 ad.type = LSM_AUDIT_DATA_DENTRY; 1912 1913 ad.u.dentry = old_dentry; 1914 rc = avc_has_perm(&selinux_state, 1915 sid, old_dsec->sid, SECCLASS_DIR, 1916 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1917 if (rc) 1918 return rc; 1919 rc = avc_has_perm(&selinux_state, 1920 sid, old_isec->sid, 1921 old_isec->sclass, FILE__RENAME, &ad); 1922 if (rc) 1923 return rc; 1924 if (old_is_dir && new_dir != old_dir) { 1925 rc = avc_has_perm(&selinux_state, 1926 sid, old_isec->sid, 1927 old_isec->sclass, DIR__REPARENT, &ad); 1928 if (rc) 1929 return rc; 1930 } 1931 1932 ad.u.dentry = new_dentry; 1933 av = DIR__ADD_NAME | DIR__SEARCH; 1934 if (d_is_positive(new_dentry)) 1935 av |= DIR__REMOVE_NAME; 1936 rc = avc_has_perm(&selinux_state, 1937 sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1938 if (rc) 1939 return rc; 1940 if (d_is_positive(new_dentry)) { 1941 new_isec = backing_inode_security(new_dentry); 1942 new_is_dir = d_is_dir(new_dentry); 1943 rc = avc_has_perm(&selinux_state, 1944 sid, new_isec->sid, 1945 new_isec->sclass, 1946 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1947 if (rc) 1948 return rc; 1949 } 1950 1951 return 0; 1952 } 1953 1954 /* Check whether a task can perform a filesystem operation. */ 1955 static int superblock_has_perm(const struct cred *cred, 1956 struct super_block *sb, 1957 u32 perms, 1958 struct common_audit_data *ad) 1959 { 1960 struct superblock_security_struct *sbsec; 1961 u32 sid = cred_sid(cred); 1962 1963 sbsec = sb->s_security; 1964 return avc_has_perm(&selinux_state, 1965 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1966 } 1967 1968 /* Convert a Linux mode and permission mask to an access vector. */ 1969 static inline u32 file_mask_to_av(int mode, int mask) 1970 { 1971 u32 av = 0; 1972 1973 if (!S_ISDIR(mode)) { 1974 if (mask & MAY_EXEC) 1975 av |= FILE__EXECUTE; 1976 if (mask & MAY_READ) 1977 av |= FILE__READ; 1978 1979 if (mask & MAY_APPEND) 1980 av |= FILE__APPEND; 1981 else if (mask & MAY_WRITE) 1982 av |= FILE__WRITE; 1983 1984 } else { 1985 if (mask & MAY_EXEC) 1986 av |= DIR__SEARCH; 1987 if (mask & MAY_WRITE) 1988 av |= DIR__WRITE; 1989 if (mask & MAY_READ) 1990 av |= DIR__READ; 1991 } 1992 1993 return av; 1994 } 1995 1996 /* Convert a Linux file to an access vector. */ 1997 static inline u32 file_to_av(struct file *file) 1998 { 1999 u32 av = 0; 2000 2001 if (file->f_mode & FMODE_READ) 2002 av |= FILE__READ; 2003 if (file->f_mode & FMODE_WRITE) { 2004 if (file->f_flags & O_APPEND) 2005 av |= FILE__APPEND; 2006 else 2007 av |= FILE__WRITE; 2008 } 2009 if (!av) { 2010 /* 2011 * Special file opened with flags 3 for ioctl-only use. 2012 */ 2013 av = FILE__IOCTL; 2014 } 2015 2016 return av; 2017 } 2018 2019 /* 2020 * Convert a file to an access vector and include the correct open 2021 * open permission. 2022 */ 2023 static inline u32 open_file_to_av(struct file *file) 2024 { 2025 u32 av = file_to_av(file); 2026 struct inode *inode = file_inode(file); 2027 2028 if (selinux_policycap_openperm() && 2029 inode->i_sb->s_magic != SOCKFS_MAGIC) 2030 av |= FILE__OPEN; 2031 2032 return av; 2033 } 2034 2035 /* Hook functions begin here. */ 2036 2037 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2038 { 2039 u32 mysid = current_sid(); 2040 u32 mgrsid = task_sid(mgr); 2041 2042 return avc_has_perm(&selinux_state, 2043 mysid, mgrsid, SECCLASS_BINDER, 2044 BINDER__SET_CONTEXT_MGR, NULL); 2045 } 2046 2047 static int selinux_binder_transaction(struct task_struct *from, 2048 struct task_struct *to) 2049 { 2050 u32 mysid = current_sid(); 2051 u32 fromsid = task_sid(from); 2052 u32 tosid = task_sid(to); 2053 int rc; 2054 2055 if (mysid != fromsid) { 2056 rc = avc_has_perm(&selinux_state, 2057 mysid, fromsid, SECCLASS_BINDER, 2058 BINDER__IMPERSONATE, NULL); 2059 if (rc) 2060 return rc; 2061 } 2062 2063 return avc_has_perm(&selinux_state, 2064 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2065 NULL); 2066 } 2067 2068 static int selinux_binder_transfer_binder(struct task_struct *from, 2069 struct task_struct *to) 2070 { 2071 u32 fromsid = task_sid(from); 2072 u32 tosid = task_sid(to); 2073 2074 return avc_has_perm(&selinux_state, 2075 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2076 NULL); 2077 } 2078 2079 static int selinux_binder_transfer_file(struct task_struct *from, 2080 struct task_struct *to, 2081 struct file *file) 2082 { 2083 u32 sid = task_sid(to); 2084 struct file_security_struct *fsec = file->f_security; 2085 struct dentry *dentry = file->f_path.dentry; 2086 struct inode_security_struct *isec; 2087 struct common_audit_data ad; 2088 int rc; 2089 2090 ad.type = LSM_AUDIT_DATA_PATH; 2091 ad.u.path = file->f_path; 2092 2093 if (sid != fsec->sid) { 2094 rc = avc_has_perm(&selinux_state, 2095 sid, fsec->sid, 2096 SECCLASS_FD, 2097 FD__USE, 2098 &ad); 2099 if (rc) 2100 return rc; 2101 } 2102 2103 #ifdef CONFIG_BPF_SYSCALL 2104 rc = bpf_fd_pass(file, sid); 2105 if (rc) 2106 return rc; 2107 #endif 2108 2109 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2110 return 0; 2111 2112 isec = backing_inode_security(dentry); 2113 return avc_has_perm(&selinux_state, 2114 sid, isec->sid, isec->sclass, file_to_av(file), 2115 &ad); 2116 } 2117 2118 static int selinux_ptrace_access_check(struct task_struct *child, 2119 unsigned int mode) 2120 { 2121 u32 sid = current_sid(); 2122 u32 csid = task_sid(child); 2123 2124 if (mode & PTRACE_MODE_READ) 2125 return avc_has_perm(&selinux_state, 2126 sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2127 2128 return avc_has_perm(&selinux_state, 2129 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2130 } 2131 2132 static int selinux_ptrace_traceme(struct task_struct *parent) 2133 { 2134 return avc_has_perm(&selinux_state, 2135 task_sid(parent), current_sid(), SECCLASS_PROCESS, 2136 PROCESS__PTRACE, NULL); 2137 } 2138 2139 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2140 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2141 { 2142 return avc_has_perm(&selinux_state, 2143 current_sid(), task_sid(target), SECCLASS_PROCESS, 2144 PROCESS__GETCAP, NULL); 2145 } 2146 2147 static int selinux_capset(struct cred *new, const struct cred *old, 2148 const kernel_cap_t *effective, 2149 const kernel_cap_t *inheritable, 2150 const kernel_cap_t *permitted) 2151 { 2152 return avc_has_perm(&selinux_state, 2153 cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2154 PROCESS__SETCAP, NULL); 2155 } 2156 2157 /* 2158 * (This comment used to live with the selinux_task_setuid hook, 2159 * which was removed). 2160 * 2161 * Since setuid only affects the current process, and since the SELinux 2162 * controls are not based on the Linux identity attributes, SELinux does not 2163 * need to control this operation. However, SELinux does control the use of 2164 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2165 */ 2166 2167 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2168 int cap, int audit) 2169 { 2170 return cred_has_capability(cred, cap, audit, ns == &init_user_ns); 2171 } 2172 2173 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2174 { 2175 const struct cred *cred = current_cred(); 2176 int rc = 0; 2177 2178 if (!sb) 2179 return 0; 2180 2181 switch (cmds) { 2182 case Q_SYNC: 2183 case Q_QUOTAON: 2184 case Q_QUOTAOFF: 2185 case Q_SETINFO: 2186 case Q_SETQUOTA: 2187 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2188 break; 2189 case Q_GETFMT: 2190 case Q_GETINFO: 2191 case Q_GETQUOTA: 2192 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2193 break; 2194 default: 2195 rc = 0; /* let the kernel handle invalid cmds */ 2196 break; 2197 } 2198 return rc; 2199 } 2200 2201 static int selinux_quota_on(struct dentry *dentry) 2202 { 2203 const struct cred *cred = current_cred(); 2204 2205 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2206 } 2207 2208 static int selinux_syslog(int type) 2209 { 2210 switch (type) { 2211 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2212 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2213 return avc_has_perm(&selinux_state, 2214 current_sid(), SECINITSID_KERNEL, 2215 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2216 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2217 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2218 /* Set level of messages printed to console */ 2219 case SYSLOG_ACTION_CONSOLE_LEVEL: 2220 return avc_has_perm(&selinux_state, 2221 current_sid(), SECINITSID_KERNEL, 2222 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2223 NULL); 2224 } 2225 /* All other syslog types */ 2226 return avc_has_perm(&selinux_state, 2227 current_sid(), SECINITSID_KERNEL, 2228 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2229 } 2230 2231 /* 2232 * Check that a process has enough memory to allocate a new virtual 2233 * mapping. 0 means there is enough memory for the allocation to 2234 * succeed and -ENOMEM implies there is not. 2235 * 2236 * Do not audit the selinux permission check, as this is applied to all 2237 * processes that allocate mappings. 2238 */ 2239 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2240 { 2241 int rc, cap_sys_admin = 0; 2242 2243 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2244 SECURITY_CAP_NOAUDIT, true); 2245 if (rc == 0) 2246 cap_sys_admin = 1; 2247 2248 return cap_sys_admin; 2249 } 2250 2251 /* binprm security operations */ 2252 2253 static u32 ptrace_parent_sid(void) 2254 { 2255 u32 sid = 0; 2256 struct task_struct *tracer; 2257 2258 rcu_read_lock(); 2259 tracer = ptrace_parent(current); 2260 if (tracer) 2261 sid = task_sid(tracer); 2262 rcu_read_unlock(); 2263 2264 return sid; 2265 } 2266 2267 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2268 const struct task_security_struct *old_tsec, 2269 const struct task_security_struct *new_tsec) 2270 { 2271 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2272 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2273 int rc; 2274 u32 av; 2275 2276 if (!nnp && !nosuid) 2277 return 0; /* neither NNP nor nosuid */ 2278 2279 if (new_tsec->sid == old_tsec->sid) 2280 return 0; /* No change in credentials */ 2281 2282 /* 2283 * If the policy enables the nnp_nosuid_transition policy capability, 2284 * then we permit transitions under NNP or nosuid if the 2285 * policy allows the corresponding permission between 2286 * the old and new contexts. 2287 */ 2288 if (selinux_policycap_nnp_nosuid_transition()) { 2289 av = 0; 2290 if (nnp) 2291 av |= PROCESS2__NNP_TRANSITION; 2292 if (nosuid) 2293 av |= PROCESS2__NOSUID_TRANSITION; 2294 rc = avc_has_perm(&selinux_state, 2295 old_tsec->sid, new_tsec->sid, 2296 SECCLASS_PROCESS2, av, NULL); 2297 if (!rc) 2298 return 0; 2299 } 2300 2301 /* 2302 * We also permit NNP or nosuid transitions to bounded SIDs, 2303 * i.e. SIDs that are guaranteed to only be allowed a subset 2304 * of the permissions of the current SID. 2305 */ 2306 rc = security_bounded_transition(&selinux_state, old_tsec->sid, 2307 new_tsec->sid); 2308 if (!rc) 2309 return 0; 2310 2311 /* 2312 * On failure, preserve the errno values for NNP vs nosuid. 2313 * NNP: Operation not permitted for caller. 2314 * nosuid: Permission denied to file. 2315 */ 2316 if (nnp) 2317 return -EPERM; 2318 return -EACCES; 2319 } 2320 2321 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2322 { 2323 const struct task_security_struct *old_tsec; 2324 struct task_security_struct *new_tsec; 2325 struct inode_security_struct *isec; 2326 struct common_audit_data ad; 2327 struct inode *inode = file_inode(bprm->file); 2328 int rc; 2329 2330 /* SELinux context only depends on initial program or script and not 2331 * the script interpreter */ 2332 if (bprm->called_set_creds) 2333 return 0; 2334 2335 old_tsec = current_security(); 2336 new_tsec = bprm->cred->security; 2337 isec = inode_security(inode); 2338 2339 /* Default to the current task SID. */ 2340 new_tsec->sid = old_tsec->sid; 2341 new_tsec->osid = old_tsec->sid; 2342 2343 /* Reset fs, key, and sock SIDs on execve. */ 2344 new_tsec->create_sid = 0; 2345 new_tsec->keycreate_sid = 0; 2346 new_tsec->sockcreate_sid = 0; 2347 2348 if (old_tsec->exec_sid) { 2349 new_tsec->sid = old_tsec->exec_sid; 2350 /* Reset exec SID on execve. */ 2351 new_tsec->exec_sid = 0; 2352 2353 /* Fail on NNP or nosuid if not an allowed transition. */ 2354 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2355 if (rc) 2356 return rc; 2357 } else { 2358 /* Check for a default transition on this program. */ 2359 rc = security_transition_sid(&selinux_state, old_tsec->sid, 2360 isec->sid, SECCLASS_PROCESS, NULL, 2361 &new_tsec->sid); 2362 if (rc) 2363 return rc; 2364 2365 /* 2366 * Fallback to old SID on NNP or nosuid if not an allowed 2367 * transition. 2368 */ 2369 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2370 if (rc) 2371 new_tsec->sid = old_tsec->sid; 2372 } 2373 2374 ad.type = LSM_AUDIT_DATA_FILE; 2375 ad.u.file = bprm->file; 2376 2377 if (new_tsec->sid == old_tsec->sid) { 2378 rc = avc_has_perm(&selinux_state, 2379 old_tsec->sid, isec->sid, 2380 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2381 if (rc) 2382 return rc; 2383 } else { 2384 /* Check permissions for the transition. */ 2385 rc = avc_has_perm(&selinux_state, 2386 old_tsec->sid, new_tsec->sid, 2387 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2388 if (rc) 2389 return rc; 2390 2391 rc = avc_has_perm(&selinux_state, 2392 new_tsec->sid, isec->sid, 2393 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2394 if (rc) 2395 return rc; 2396 2397 /* Check for shared state */ 2398 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2399 rc = avc_has_perm(&selinux_state, 2400 old_tsec->sid, new_tsec->sid, 2401 SECCLASS_PROCESS, PROCESS__SHARE, 2402 NULL); 2403 if (rc) 2404 return -EPERM; 2405 } 2406 2407 /* Make sure that anyone attempting to ptrace over a task that 2408 * changes its SID has the appropriate permit */ 2409 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2410 u32 ptsid = ptrace_parent_sid(); 2411 if (ptsid != 0) { 2412 rc = avc_has_perm(&selinux_state, 2413 ptsid, new_tsec->sid, 2414 SECCLASS_PROCESS, 2415 PROCESS__PTRACE, NULL); 2416 if (rc) 2417 return -EPERM; 2418 } 2419 } 2420 2421 /* Clear any possibly unsafe personality bits on exec: */ 2422 bprm->per_clear |= PER_CLEAR_ON_SETID; 2423 2424 /* Enable secure mode for SIDs transitions unless 2425 the noatsecure permission is granted between 2426 the two SIDs, i.e. ahp returns 0. */ 2427 rc = avc_has_perm(&selinux_state, 2428 old_tsec->sid, new_tsec->sid, 2429 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2430 NULL); 2431 bprm->secureexec |= !!rc; 2432 } 2433 2434 return 0; 2435 } 2436 2437 static int match_file(const void *p, struct file *file, unsigned fd) 2438 { 2439 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2440 } 2441 2442 /* Derived from fs/exec.c:flush_old_files. */ 2443 static inline void flush_unauthorized_files(const struct cred *cred, 2444 struct files_struct *files) 2445 { 2446 struct file *file, *devnull = NULL; 2447 struct tty_struct *tty; 2448 int drop_tty = 0; 2449 unsigned n; 2450 2451 tty = get_current_tty(); 2452 if (tty) { 2453 spin_lock(&tty->files_lock); 2454 if (!list_empty(&tty->tty_files)) { 2455 struct tty_file_private *file_priv; 2456 2457 /* Revalidate access to controlling tty. 2458 Use file_path_has_perm on the tty path directly 2459 rather than using file_has_perm, as this particular 2460 open file may belong to another process and we are 2461 only interested in the inode-based check here. */ 2462 file_priv = list_first_entry(&tty->tty_files, 2463 struct tty_file_private, list); 2464 file = file_priv->file; 2465 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2466 drop_tty = 1; 2467 } 2468 spin_unlock(&tty->files_lock); 2469 tty_kref_put(tty); 2470 } 2471 /* Reset controlling tty. */ 2472 if (drop_tty) 2473 no_tty(); 2474 2475 /* Revalidate access to inherited open files. */ 2476 n = iterate_fd(files, 0, match_file, cred); 2477 if (!n) /* none found? */ 2478 return; 2479 2480 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2481 if (IS_ERR(devnull)) 2482 devnull = NULL; 2483 /* replace all the matching ones with this */ 2484 do { 2485 replace_fd(n - 1, devnull, 0); 2486 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2487 if (devnull) 2488 fput(devnull); 2489 } 2490 2491 /* 2492 * Prepare a process for imminent new credential changes due to exec 2493 */ 2494 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2495 { 2496 struct task_security_struct *new_tsec; 2497 struct rlimit *rlim, *initrlim; 2498 int rc, i; 2499 2500 new_tsec = bprm->cred->security; 2501 if (new_tsec->sid == new_tsec->osid) 2502 return; 2503 2504 /* Close files for which the new task SID is not authorized. */ 2505 flush_unauthorized_files(bprm->cred, current->files); 2506 2507 /* Always clear parent death signal on SID transitions. */ 2508 current->pdeath_signal = 0; 2509 2510 /* Check whether the new SID can inherit resource limits from the old 2511 * SID. If not, reset all soft limits to the lower of the current 2512 * task's hard limit and the init task's soft limit. 2513 * 2514 * Note that the setting of hard limits (even to lower them) can be 2515 * controlled by the setrlimit check. The inclusion of the init task's 2516 * soft limit into the computation is to avoid resetting soft limits 2517 * higher than the default soft limit for cases where the default is 2518 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2519 */ 2520 rc = avc_has_perm(&selinux_state, 2521 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2522 PROCESS__RLIMITINH, NULL); 2523 if (rc) { 2524 /* protect against do_prlimit() */ 2525 task_lock(current); 2526 for (i = 0; i < RLIM_NLIMITS; i++) { 2527 rlim = current->signal->rlim + i; 2528 initrlim = init_task.signal->rlim + i; 2529 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2530 } 2531 task_unlock(current); 2532 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2533 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2534 } 2535 } 2536 2537 /* 2538 * Clean up the process immediately after the installation of new credentials 2539 * due to exec 2540 */ 2541 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2542 { 2543 const struct task_security_struct *tsec = current_security(); 2544 struct itimerval itimer; 2545 u32 osid, sid; 2546 int rc, i; 2547 2548 osid = tsec->osid; 2549 sid = tsec->sid; 2550 2551 if (sid == osid) 2552 return; 2553 2554 /* Check whether the new SID can inherit signal state from the old SID. 2555 * If not, clear itimers to avoid subsequent signal generation and 2556 * flush and unblock signals. 2557 * 2558 * This must occur _after_ the task SID has been updated so that any 2559 * kill done after the flush will be checked against the new SID. 2560 */ 2561 rc = avc_has_perm(&selinux_state, 2562 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2563 if (rc) { 2564 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2565 memset(&itimer, 0, sizeof itimer); 2566 for (i = 0; i < 3; i++) 2567 do_setitimer(i, &itimer, NULL); 2568 } 2569 spin_lock_irq(¤t->sighand->siglock); 2570 if (!fatal_signal_pending(current)) { 2571 flush_sigqueue(¤t->pending); 2572 flush_sigqueue(¤t->signal->shared_pending); 2573 flush_signal_handlers(current, 1); 2574 sigemptyset(¤t->blocked); 2575 recalc_sigpending(); 2576 } 2577 spin_unlock_irq(¤t->sighand->siglock); 2578 } 2579 2580 /* Wake up the parent if it is waiting so that it can recheck 2581 * wait permission to the new task SID. */ 2582 read_lock(&tasklist_lock); 2583 __wake_up_parent(current, current->real_parent); 2584 read_unlock(&tasklist_lock); 2585 } 2586 2587 /* superblock security operations */ 2588 2589 static int selinux_sb_alloc_security(struct super_block *sb) 2590 { 2591 return superblock_alloc_security(sb); 2592 } 2593 2594 static void selinux_sb_free_security(struct super_block *sb) 2595 { 2596 superblock_free_security(sb); 2597 } 2598 2599 static inline int opt_len(const char *s) 2600 { 2601 bool open_quote = false; 2602 int len; 2603 char c; 2604 2605 for (len = 0; (c = s[len]) != '\0'; len++) { 2606 if (c == '"') 2607 open_quote = !open_quote; 2608 if (c == ',' && !open_quote) 2609 break; 2610 } 2611 return len; 2612 } 2613 2614 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) 2615 { 2616 char *from = options; 2617 char *to = options; 2618 bool first = true; 2619 2620 while (1) { 2621 int len = opt_len(from); 2622 int token, rc; 2623 char *arg = NULL; 2624 2625 token = match_opt_prefix(from, len, &arg); 2626 2627 if (token != Opt_error) { 2628 char *p, *q; 2629 2630 /* strip quotes */ 2631 if (arg) { 2632 for (p = q = arg; p < from + len; p++) { 2633 char c = *p; 2634 if (c != '"') 2635 *q++ = c; 2636 } 2637 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); 2638 } 2639 rc = selinux_add_opt(token, arg, mnt_opts); 2640 if (unlikely(rc)) { 2641 kfree(arg); 2642 if (*mnt_opts) { 2643 selinux_free_mnt_opts(*mnt_opts); 2644 *mnt_opts = NULL; 2645 } 2646 return rc; 2647 } 2648 } else { 2649 if (!first) { // copy with preceding comma 2650 from--; 2651 len++; 2652 } 2653 if (to != from) 2654 memmove(to, from, len); 2655 to += len; 2656 first = false; 2657 } 2658 if (!from[len]) 2659 break; 2660 from += len + 1; 2661 } 2662 *to = '\0'; 2663 return 0; 2664 } 2665 2666 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) 2667 { 2668 struct selinux_mnt_opts *opts = mnt_opts; 2669 struct superblock_security_struct *sbsec = sb->s_security; 2670 u32 sid; 2671 int rc; 2672 2673 if (!(sbsec->flags & SE_SBINITIALIZED)) 2674 return 0; 2675 2676 if (!opts) 2677 return 0; 2678 2679 if (opts->fscontext) { 2680 rc = parse_sid(sb, opts->fscontext, &sid); 2681 if (rc) 2682 return rc; 2683 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2684 goto out_bad_option; 2685 } 2686 if (opts->context) { 2687 rc = parse_sid(sb, opts->context, &sid); 2688 if (rc) 2689 return rc; 2690 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2691 goto out_bad_option; 2692 } 2693 if (opts->rootcontext) { 2694 struct inode_security_struct *root_isec; 2695 root_isec = backing_inode_security(sb->s_root); 2696 rc = parse_sid(sb, opts->rootcontext, &sid); 2697 if (rc) 2698 return rc; 2699 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2700 goto out_bad_option; 2701 } 2702 if (opts->defcontext) { 2703 rc = parse_sid(sb, opts->defcontext, &sid); 2704 if (rc) 2705 return rc; 2706 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2707 goto out_bad_option; 2708 } 2709 return 0; 2710 2711 out_bad_option: 2712 pr_warn("SELinux: unable to change security options " 2713 "during remount (dev %s, type=%s)\n", sb->s_id, 2714 sb->s_type->name); 2715 return -EINVAL; 2716 } 2717 2718 static int selinux_sb_kern_mount(struct super_block *sb) 2719 { 2720 const struct cred *cred = current_cred(); 2721 struct common_audit_data ad; 2722 2723 ad.type = LSM_AUDIT_DATA_DENTRY; 2724 ad.u.dentry = sb->s_root; 2725 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2726 } 2727 2728 static int selinux_sb_statfs(struct dentry *dentry) 2729 { 2730 const struct cred *cred = current_cred(); 2731 struct common_audit_data ad; 2732 2733 ad.type = LSM_AUDIT_DATA_DENTRY; 2734 ad.u.dentry = dentry->d_sb->s_root; 2735 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2736 } 2737 2738 static int selinux_mount(const char *dev_name, 2739 const struct path *path, 2740 const char *type, 2741 unsigned long flags, 2742 void *data) 2743 { 2744 const struct cred *cred = current_cred(); 2745 2746 if (flags & MS_REMOUNT) 2747 return superblock_has_perm(cred, path->dentry->d_sb, 2748 FILESYSTEM__REMOUNT, NULL); 2749 else 2750 return path_has_perm(cred, path, FILE__MOUNTON); 2751 } 2752 2753 static int selinux_umount(struct vfsmount *mnt, int flags) 2754 { 2755 const struct cred *cred = current_cred(); 2756 2757 return superblock_has_perm(cred, mnt->mnt_sb, 2758 FILESYSTEM__UNMOUNT, NULL); 2759 } 2760 2761 /* inode security operations */ 2762 2763 static int selinux_inode_alloc_security(struct inode *inode) 2764 { 2765 return inode_alloc_security(inode); 2766 } 2767 2768 static void selinux_inode_free_security(struct inode *inode) 2769 { 2770 inode_free_security(inode); 2771 } 2772 2773 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2774 const struct qstr *name, void **ctx, 2775 u32 *ctxlen) 2776 { 2777 u32 newsid; 2778 int rc; 2779 2780 rc = selinux_determine_inode_label(current_security(), 2781 d_inode(dentry->d_parent), name, 2782 inode_mode_to_security_class(mode), 2783 &newsid); 2784 if (rc) 2785 return rc; 2786 2787 return security_sid_to_context(&selinux_state, newsid, (char **)ctx, 2788 ctxlen); 2789 } 2790 2791 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2792 struct qstr *name, 2793 const struct cred *old, 2794 struct cred *new) 2795 { 2796 u32 newsid; 2797 int rc; 2798 struct task_security_struct *tsec; 2799 2800 rc = selinux_determine_inode_label(old->security, 2801 d_inode(dentry->d_parent), name, 2802 inode_mode_to_security_class(mode), 2803 &newsid); 2804 if (rc) 2805 return rc; 2806 2807 tsec = new->security; 2808 tsec->create_sid = newsid; 2809 return 0; 2810 } 2811 2812 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2813 const struct qstr *qstr, 2814 const char **name, 2815 void **value, size_t *len) 2816 { 2817 const struct task_security_struct *tsec = current_security(); 2818 struct superblock_security_struct *sbsec; 2819 u32 newsid, clen; 2820 int rc; 2821 char *context; 2822 2823 sbsec = dir->i_sb->s_security; 2824 2825 newsid = tsec->create_sid; 2826 2827 rc = selinux_determine_inode_label(current_security(), 2828 dir, qstr, 2829 inode_mode_to_security_class(inode->i_mode), 2830 &newsid); 2831 if (rc) 2832 return rc; 2833 2834 /* Possibly defer initialization to selinux_complete_init. */ 2835 if (sbsec->flags & SE_SBINITIALIZED) { 2836 struct inode_security_struct *isec = inode->i_security; 2837 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2838 isec->sid = newsid; 2839 isec->initialized = LABEL_INITIALIZED; 2840 } 2841 2842 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT)) 2843 return -EOPNOTSUPP; 2844 2845 if (name) 2846 *name = XATTR_SELINUX_SUFFIX; 2847 2848 if (value && len) { 2849 rc = security_sid_to_context_force(&selinux_state, newsid, 2850 &context, &clen); 2851 if (rc) 2852 return rc; 2853 *value = context; 2854 *len = clen; 2855 } 2856 2857 return 0; 2858 } 2859 2860 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 2861 { 2862 return may_create(dir, dentry, SECCLASS_FILE); 2863 } 2864 2865 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2866 { 2867 return may_link(dir, old_dentry, MAY_LINK); 2868 } 2869 2870 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2871 { 2872 return may_link(dir, dentry, MAY_UNLINK); 2873 } 2874 2875 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2876 { 2877 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2878 } 2879 2880 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 2881 { 2882 return may_create(dir, dentry, SECCLASS_DIR); 2883 } 2884 2885 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2886 { 2887 return may_link(dir, dentry, MAY_RMDIR); 2888 } 2889 2890 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 2891 { 2892 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2893 } 2894 2895 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2896 struct inode *new_inode, struct dentry *new_dentry) 2897 { 2898 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2899 } 2900 2901 static int selinux_inode_readlink(struct dentry *dentry) 2902 { 2903 const struct cred *cred = current_cred(); 2904 2905 return dentry_has_perm(cred, dentry, FILE__READ); 2906 } 2907 2908 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 2909 bool rcu) 2910 { 2911 const struct cred *cred = current_cred(); 2912 struct common_audit_data ad; 2913 struct inode_security_struct *isec; 2914 u32 sid; 2915 2916 validate_creds(cred); 2917 2918 ad.type = LSM_AUDIT_DATA_DENTRY; 2919 ad.u.dentry = dentry; 2920 sid = cred_sid(cred); 2921 isec = inode_security_rcu(inode, rcu); 2922 if (IS_ERR(isec)) 2923 return PTR_ERR(isec); 2924 2925 return avc_has_perm_flags(&selinux_state, 2926 sid, isec->sid, isec->sclass, FILE__READ, &ad, 2927 rcu ? MAY_NOT_BLOCK : 0); 2928 } 2929 2930 static noinline int audit_inode_permission(struct inode *inode, 2931 u32 perms, u32 audited, u32 denied, 2932 int result, 2933 unsigned flags) 2934 { 2935 struct common_audit_data ad; 2936 struct inode_security_struct *isec = inode->i_security; 2937 int rc; 2938 2939 ad.type = LSM_AUDIT_DATA_INODE; 2940 ad.u.inode = inode; 2941 2942 rc = slow_avc_audit(&selinux_state, 2943 current_sid(), isec->sid, isec->sclass, perms, 2944 audited, denied, result, &ad, flags); 2945 if (rc) 2946 return rc; 2947 return 0; 2948 } 2949 2950 static int selinux_inode_permission(struct inode *inode, int mask) 2951 { 2952 const struct cred *cred = current_cred(); 2953 u32 perms; 2954 bool from_access; 2955 unsigned flags = mask & MAY_NOT_BLOCK; 2956 struct inode_security_struct *isec; 2957 u32 sid; 2958 struct av_decision avd; 2959 int rc, rc2; 2960 u32 audited, denied; 2961 2962 from_access = mask & MAY_ACCESS; 2963 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 2964 2965 /* No permission to check. Existence test. */ 2966 if (!mask) 2967 return 0; 2968 2969 validate_creds(cred); 2970 2971 if (unlikely(IS_PRIVATE(inode))) 2972 return 0; 2973 2974 perms = file_mask_to_av(inode->i_mode, mask); 2975 2976 sid = cred_sid(cred); 2977 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK); 2978 if (IS_ERR(isec)) 2979 return PTR_ERR(isec); 2980 2981 rc = avc_has_perm_noaudit(&selinux_state, 2982 sid, isec->sid, isec->sclass, perms, 0, &avd); 2983 audited = avc_audit_required(perms, &avd, rc, 2984 from_access ? FILE__AUDIT_ACCESS : 0, 2985 &denied); 2986 if (likely(!audited)) 2987 return rc; 2988 2989 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); 2990 if (rc2) 2991 return rc2; 2992 return rc; 2993 } 2994 2995 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2996 { 2997 const struct cred *cred = current_cred(); 2998 struct inode *inode = d_backing_inode(dentry); 2999 unsigned int ia_valid = iattr->ia_valid; 3000 __u32 av = FILE__WRITE; 3001 3002 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3003 if (ia_valid & ATTR_FORCE) { 3004 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3005 ATTR_FORCE); 3006 if (!ia_valid) 3007 return 0; 3008 } 3009 3010 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3011 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3012 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3013 3014 if (selinux_policycap_openperm() && 3015 inode->i_sb->s_magic != SOCKFS_MAGIC && 3016 (ia_valid & ATTR_SIZE) && 3017 !(ia_valid & ATTR_FILE)) 3018 av |= FILE__OPEN; 3019 3020 return dentry_has_perm(cred, dentry, av); 3021 } 3022 3023 static int selinux_inode_getattr(const struct path *path) 3024 { 3025 return path_has_perm(current_cred(), path, FILE__GETATTR); 3026 } 3027 3028 static bool has_cap_mac_admin(bool audit) 3029 { 3030 const struct cred *cred = current_cred(); 3031 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT; 3032 3033 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit)) 3034 return false; 3035 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true)) 3036 return false; 3037 return true; 3038 } 3039 3040 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3041 const void *value, size_t size, int flags) 3042 { 3043 struct inode *inode = d_backing_inode(dentry); 3044 struct inode_security_struct *isec; 3045 struct superblock_security_struct *sbsec; 3046 struct common_audit_data ad; 3047 u32 newsid, sid = current_sid(); 3048 int rc = 0; 3049 3050 if (strcmp(name, XATTR_NAME_SELINUX)) { 3051 rc = cap_inode_setxattr(dentry, name, value, size, flags); 3052 if (rc) 3053 return rc; 3054 3055 /* Not an attribute we recognize, so just check the 3056 ordinary setattr permission. */ 3057 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3058 } 3059 3060 sbsec = inode->i_sb->s_security; 3061 if (!(sbsec->flags & SBLABEL_MNT)) 3062 return -EOPNOTSUPP; 3063 3064 if (!inode_owner_or_capable(inode)) 3065 return -EPERM; 3066 3067 ad.type = LSM_AUDIT_DATA_DENTRY; 3068 ad.u.dentry = dentry; 3069 3070 isec = backing_inode_security(dentry); 3071 rc = avc_has_perm(&selinux_state, 3072 sid, isec->sid, isec->sclass, 3073 FILE__RELABELFROM, &ad); 3074 if (rc) 3075 return rc; 3076 3077 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3078 GFP_KERNEL); 3079 if (rc == -EINVAL) { 3080 if (!has_cap_mac_admin(true)) { 3081 struct audit_buffer *ab; 3082 size_t audit_size; 3083 3084 /* We strip a nul only if it is at the end, otherwise the 3085 * context contains a nul and we should audit that */ 3086 if (value) { 3087 const char *str = value; 3088 3089 if (str[size - 1] == '\0') 3090 audit_size = size - 1; 3091 else 3092 audit_size = size; 3093 } else { 3094 audit_size = 0; 3095 } 3096 ab = audit_log_start(audit_context(), 3097 GFP_ATOMIC, AUDIT_SELINUX_ERR); 3098 audit_log_format(ab, "op=setxattr invalid_context="); 3099 audit_log_n_untrustedstring(ab, value, audit_size); 3100 audit_log_end(ab); 3101 3102 return rc; 3103 } 3104 rc = security_context_to_sid_force(&selinux_state, value, 3105 size, &newsid); 3106 } 3107 if (rc) 3108 return rc; 3109 3110 rc = avc_has_perm(&selinux_state, 3111 sid, newsid, isec->sclass, 3112 FILE__RELABELTO, &ad); 3113 if (rc) 3114 return rc; 3115 3116 rc = security_validate_transition(&selinux_state, isec->sid, newsid, 3117 sid, isec->sclass); 3118 if (rc) 3119 return rc; 3120 3121 return avc_has_perm(&selinux_state, 3122 newsid, 3123 sbsec->sid, 3124 SECCLASS_FILESYSTEM, 3125 FILESYSTEM__ASSOCIATE, 3126 &ad); 3127 } 3128 3129 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3130 const void *value, size_t size, 3131 int flags) 3132 { 3133 struct inode *inode = d_backing_inode(dentry); 3134 struct inode_security_struct *isec; 3135 u32 newsid; 3136 int rc; 3137 3138 if (strcmp(name, XATTR_NAME_SELINUX)) { 3139 /* Not an attribute we recognize, so nothing to do. */ 3140 return; 3141 } 3142 3143 rc = security_context_to_sid_force(&selinux_state, value, size, 3144 &newsid); 3145 if (rc) { 3146 pr_err("SELinux: unable to map context to SID" 3147 "for (%s, %lu), rc=%d\n", 3148 inode->i_sb->s_id, inode->i_ino, -rc); 3149 return; 3150 } 3151 3152 isec = backing_inode_security(dentry); 3153 spin_lock(&isec->lock); 3154 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3155 isec->sid = newsid; 3156 isec->initialized = LABEL_INITIALIZED; 3157 spin_unlock(&isec->lock); 3158 3159 return; 3160 } 3161 3162 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3163 { 3164 const struct cred *cred = current_cred(); 3165 3166 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3167 } 3168 3169 static int selinux_inode_listxattr(struct dentry *dentry) 3170 { 3171 const struct cred *cred = current_cred(); 3172 3173 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3174 } 3175 3176 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3177 { 3178 if (strcmp(name, XATTR_NAME_SELINUX)) { 3179 int rc = cap_inode_removexattr(dentry, name); 3180 if (rc) 3181 return rc; 3182 3183 /* Not an attribute we recognize, so just check the 3184 ordinary setattr permission. */ 3185 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3186 } 3187 3188 /* No one is allowed to remove a SELinux security label. 3189 You can change the label, but all data must be labeled. */ 3190 return -EACCES; 3191 } 3192 3193 /* 3194 * Copy the inode security context value to the user. 3195 * 3196 * Permission check is handled by selinux_inode_getxattr hook. 3197 */ 3198 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3199 { 3200 u32 size; 3201 int error; 3202 char *context = NULL; 3203 struct inode_security_struct *isec; 3204 3205 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3206 return -EOPNOTSUPP; 3207 3208 /* 3209 * If the caller has CAP_MAC_ADMIN, then get the raw context 3210 * value even if it is not defined by current policy; otherwise, 3211 * use the in-core value under current policy. 3212 * Use the non-auditing forms of the permission checks since 3213 * getxattr may be called by unprivileged processes commonly 3214 * and lack of permission just means that we fall back to the 3215 * in-core context value, not a denial. 3216 */ 3217 isec = inode_security(inode); 3218 if (has_cap_mac_admin(false)) 3219 error = security_sid_to_context_force(&selinux_state, 3220 isec->sid, &context, 3221 &size); 3222 else 3223 error = security_sid_to_context(&selinux_state, isec->sid, 3224 &context, &size); 3225 if (error) 3226 return error; 3227 error = size; 3228 if (alloc) { 3229 *buffer = context; 3230 goto out_nofree; 3231 } 3232 kfree(context); 3233 out_nofree: 3234 return error; 3235 } 3236 3237 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3238 const void *value, size_t size, int flags) 3239 { 3240 struct inode_security_struct *isec = inode_security_novalidate(inode); 3241 u32 newsid; 3242 int rc; 3243 3244 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3245 return -EOPNOTSUPP; 3246 3247 if (!value || !size) 3248 return -EACCES; 3249 3250 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3251 GFP_KERNEL); 3252 if (rc) 3253 return rc; 3254 3255 spin_lock(&isec->lock); 3256 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3257 isec->sid = newsid; 3258 isec->initialized = LABEL_INITIALIZED; 3259 spin_unlock(&isec->lock); 3260 return 0; 3261 } 3262 3263 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3264 { 3265 const int len = sizeof(XATTR_NAME_SELINUX); 3266 if (buffer && len <= buffer_size) 3267 memcpy(buffer, XATTR_NAME_SELINUX, len); 3268 return len; 3269 } 3270 3271 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3272 { 3273 struct inode_security_struct *isec = inode_security_novalidate(inode); 3274 *secid = isec->sid; 3275 } 3276 3277 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3278 { 3279 u32 sid; 3280 struct task_security_struct *tsec; 3281 struct cred *new_creds = *new; 3282 3283 if (new_creds == NULL) { 3284 new_creds = prepare_creds(); 3285 if (!new_creds) 3286 return -ENOMEM; 3287 } 3288 3289 tsec = new_creds->security; 3290 /* Get label from overlay inode and set it in create_sid */ 3291 selinux_inode_getsecid(d_inode(src), &sid); 3292 tsec->create_sid = sid; 3293 *new = new_creds; 3294 return 0; 3295 } 3296 3297 static int selinux_inode_copy_up_xattr(const char *name) 3298 { 3299 /* The copy_up hook above sets the initial context on an inode, but we 3300 * don't then want to overwrite it by blindly copying all the lower 3301 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3302 */ 3303 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3304 return 1; /* Discard */ 3305 /* 3306 * Any other attribute apart from SELINUX is not claimed, supported 3307 * by selinux. 3308 */ 3309 return -EOPNOTSUPP; 3310 } 3311 3312 /* file security operations */ 3313 3314 static int selinux_revalidate_file_permission(struct file *file, int mask) 3315 { 3316 const struct cred *cred = current_cred(); 3317 struct inode *inode = file_inode(file); 3318 3319 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3320 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3321 mask |= MAY_APPEND; 3322 3323 return file_has_perm(cred, file, 3324 file_mask_to_av(inode->i_mode, mask)); 3325 } 3326 3327 static int selinux_file_permission(struct file *file, int mask) 3328 { 3329 struct inode *inode = file_inode(file); 3330 struct file_security_struct *fsec = file->f_security; 3331 struct inode_security_struct *isec; 3332 u32 sid = current_sid(); 3333 3334 if (!mask) 3335 /* No permission to check. Existence test. */ 3336 return 0; 3337 3338 isec = inode_security(inode); 3339 if (sid == fsec->sid && fsec->isid == isec->sid && 3340 fsec->pseqno == avc_policy_seqno(&selinux_state)) 3341 /* No change since file_open check. */ 3342 return 0; 3343 3344 return selinux_revalidate_file_permission(file, mask); 3345 } 3346 3347 static int selinux_file_alloc_security(struct file *file) 3348 { 3349 return file_alloc_security(file); 3350 } 3351 3352 static void selinux_file_free_security(struct file *file) 3353 { 3354 file_free_security(file); 3355 } 3356 3357 /* 3358 * Check whether a task has the ioctl permission and cmd 3359 * operation to an inode. 3360 */ 3361 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3362 u32 requested, u16 cmd) 3363 { 3364 struct common_audit_data ad; 3365 struct file_security_struct *fsec = file->f_security; 3366 struct inode *inode = file_inode(file); 3367 struct inode_security_struct *isec; 3368 struct lsm_ioctlop_audit ioctl; 3369 u32 ssid = cred_sid(cred); 3370 int rc; 3371 u8 driver = cmd >> 8; 3372 u8 xperm = cmd & 0xff; 3373 3374 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3375 ad.u.op = &ioctl; 3376 ad.u.op->cmd = cmd; 3377 ad.u.op->path = file->f_path; 3378 3379 if (ssid != fsec->sid) { 3380 rc = avc_has_perm(&selinux_state, 3381 ssid, fsec->sid, 3382 SECCLASS_FD, 3383 FD__USE, 3384 &ad); 3385 if (rc) 3386 goto out; 3387 } 3388 3389 if (unlikely(IS_PRIVATE(inode))) 3390 return 0; 3391 3392 isec = inode_security(inode); 3393 rc = avc_has_extended_perms(&selinux_state, 3394 ssid, isec->sid, isec->sclass, 3395 requested, driver, xperm, &ad); 3396 out: 3397 return rc; 3398 } 3399 3400 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3401 unsigned long arg) 3402 { 3403 const struct cred *cred = current_cred(); 3404 int error = 0; 3405 3406 switch (cmd) { 3407 case FIONREAD: 3408 /* fall through */ 3409 case FIBMAP: 3410 /* fall through */ 3411 case FIGETBSZ: 3412 /* fall through */ 3413 case FS_IOC_GETFLAGS: 3414 /* fall through */ 3415 case FS_IOC_GETVERSION: 3416 error = file_has_perm(cred, file, FILE__GETATTR); 3417 break; 3418 3419 case FS_IOC_SETFLAGS: 3420 /* fall through */ 3421 case FS_IOC_SETVERSION: 3422 error = file_has_perm(cred, file, FILE__SETATTR); 3423 break; 3424 3425 /* sys_ioctl() checks */ 3426 case FIONBIO: 3427 /* fall through */ 3428 case FIOASYNC: 3429 error = file_has_perm(cred, file, 0); 3430 break; 3431 3432 case KDSKBENT: 3433 case KDSKBSENT: 3434 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3435 SECURITY_CAP_AUDIT, true); 3436 break; 3437 3438 /* default case assumes that the command will go 3439 * to the file's ioctl() function. 3440 */ 3441 default: 3442 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3443 } 3444 return error; 3445 } 3446 3447 static int default_noexec; 3448 3449 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3450 { 3451 const struct cred *cred = current_cred(); 3452 u32 sid = cred_sid(cred); 3453 int rc = 0; 3454 3455 if (default_noexec && 3456 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3457 (!shared && (prot & PROT_WRITE)))) { 3458 /* 3459 * We are making executable an anonymous mapping or a 3460 * private file mapping that will also be writable. 3461 * This has an additional check. 3462 */ 3463 rc = avc_has_perm(&selinux_state, 3464 sid, sid, SECCLASS_PROCESS, 3465 PROCESS__EXECMEM, NULL); 3466 if (rc) 3467 goto error; 3468 } 3469 3470 if (file) { 3471 /* read access is always possible with a mapping */ 3472 u32 av = FILE__READ; 3473 3474 /* write access only matters if the mapping is shared */ 3475 if (shared && (prot & PROT_WRITE)) 3476 av |= FILE__WRITE; 3477 3478 if (prot & PROT_EXEC) 3479 av |= FILE__EXECUTE; 3480 3481 return file_has_perm(cred, file, av); 3482 } 3483 3484 error: 3485 return rc; 3486 } 3487 3488 static int selinux_mmap_addr(unsigned long addr) 3489 { 3490 int rc = 0; 3491 3492 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3493 u32 sid = current_sid(); 3494 rc = avc_has_perm(&selinux_state, 3495 sid, sid, SECCLASS_MEMPROTECT, 3496 MEMPROTECT__MMAP_ZERO, NULL); 3497 } 3498 3499 return rc; 3500 } 3501 3502 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3503 unsigned long prot, unsigned long flags) 3504 { 3505 struct common_audit_data ad; 3506 int rc; 3507 3508 if (file) { 3509 ad.type = LSM_AUDIT_DATA_FILE; 3510 ad.u.file = file; 3511 rc = inode_has_perm(current_cred(), file_inode(file), 3512 FILE__MAP, &ad); 3513 if (rc) 3514 return rc; 3515 } 3516 3517 if (selinux_state.checkreqprot) 3518 prot = reqprot; 3519 3520 return file_map_prot_check(file, prot, 3521 (flags & MAP_TYPE) == MAP_SHARED); 3522 } 3523 3524 static int selinux_file_mprotect(struct vm_area_struct *vma, 3525 unsigned long reqprot, 3526 unsigned long prot) 3527 { 3528 const struct cred *cred = current_cred(); 3529 u32 sid = cred_sid(cred); 3530 3531 if (selinux_state.checkreqprot) 3532 prot = reqprot; 3533 3534 if (default_noexec && 3535 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3536 int rc = 0; 3537 if (vma->vm_start >= vma->vm_mm->start_brk && 3538 vma->vm_end <= vma->vm_mm->brk) { 3539 rc = avc_has_perm(&selinux_state, 3540 sid, sid, SECCLASS_PROCESS, 3541 PROCESS__EXECHEAP, NULL); 3542 } else if (!vma->vm_file && 3543 ((vma->vm_start <= vma->vm_mm->start_stack && 3544 vma->vm_end >= vma->vm_mm->start_stack) || 3545 vma_is_stack_for_current(vma))) { 3546 rc = avc_has_perm(&selinux_state, 3547 sid, sid, SECCLASS_PROCESS, 3548 PROCESS__EXECSTACK, NULL); 3549 } else if (vma->vm_file && vma->anon_vma) { 3550 /* 3551 * We are making executable a file mapping that has 3552 * had some COW done. Since pages might have been 3553 * written, check ability to execute the possibly 3554 * modified content. This typically should only 3555 * occur for text relocations. 3556 */ 3557 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3558 } 3559 if (rc) 3560 return rc; 3561 } 3562 3563 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3564 } 3565 3566 static int selinux_file_lock(struct file *file, unsigned int cmd) 3567 { 3568 const struct cred *cred = current_cred(); 3569 3570 return file_has_perm(cred, file, FILE__LOCK); 3571 } 3572 3573 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3574 unsigned long arg) 3575 { 3576 const struct cred *cred = current_cred(); 3577 int err = 0; 3578 3579 switch (cmd) { 3580 case F_SETFL: 3581 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3582 err = file_has_perm(cred, file, FILE__WRITE); 3583 break; 3584 } 3585 /* fall through */ 3586 case F_SETOWN: 3587 case F_SETSIG: 3588 case F_GETFL: 3589 case F_GETOWN: 3590 case F_GETSIG: 3591 case F_GETOWNER_UIDS: 3592 /* Just check FD__USE permission */ 3593 err = file_has_perm(cred, file, 0); 3594 break; 3595 case F_GETLK: 3596 case F_SETLK: 3597 case F_SETLKW: 3598 case F_OFD_GETLK: 3599 case F_OFD_SETLK: 3600 case F_OFD_SETLKW: 3601 #if BITS_PER_LONG == 32 3602 case F_GETLK64: 3603 case F_SETLK64: 3604 case F_SETLKW64: 3605 #endif 3606 err = file_has_perm(cred, file, FILE__LOCK); 3607 break; 3608 } 3609 3610 return err; 3611 } 3612 3613 static void selinux_file_set_fowner(struct file *file) 3614 { 3615 struct file_security_struct *fsec; 3616 3617 fsec = file->f_security; 3618 fsec->fown_sid = current_sid(); 3619 } 3620 3621 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3622 struct fown_struct *fown, int signum) 3623 { 3624 struct file *file; 3625 u32 sid = task_sid(tsk); 3626 u32 perm; 3627 struct file_security_struct *fsec; 3628 3629 /* struct fown_struct is never outside the context of a struct file */ 3630 file = container_of(fown, struct file, f_owner); 3631 3632 fsec = file->f_security; 3633 3634 if (!signum) 3635 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3636 else 3637 perm = signal_to_av(signum); 3638 3639 return avc_has_perm(&selinux_state, 3640 fsec->fown_sid, sid, 3641 SECCLASS_PROCESS, perm, NULL); 3642 } 3643 3644 static int selinux_file_receive(struct file *file) 3645 { 3646 const struct cred *cred = current_cred(); 3647 3648 return file_has_perm(cred, file, file_to_av(file)); 3649 } 3650 3651 static int selinux_file_open(struct file *file) 3652 { 3653 struct file_security_struct *fsec; 3654 struct inode_security_struct *isec; 3655 3656 fsec = file->f_security; 3657 isec = inode_security(file_inode(file)); 3658 /* 3659 * Save inode label and policy sequence number 3660 * at open-time so that selinux_file_permission 3661 * can determine whether revalidation is necessary. 3662 * Task label is already saved in the file security 3663 * struct as its SID. 3664 */ 3665 fsec->isid = isec->sid; 3666 fsec->pseqno = avc_policy_seqno(&selinux_state); 3667 /* 3668 * Since the inode label or policy seqno may have changed 3669 * between the selinux_inode_permission check and the saving 3670 * of state above, recheck that access is still permitted. 3671 * Otherwise, access might never be revalidated against the 3672 * new inode label or new policy. 3673 * This check is not redundant - do not remove. 3674 */ 3675 return file_path_has_perm(file->f_cred, file, open_file_to_av(file)); 3676 } 3677 3678 /* task security operations */ 3679 3680 static int selinux_task_alloc(struct task_struct *task, 3681 unsigned long clone_flags) 3682 { 3683 u32 sid = current_sid(); 3684 3685 return avc_has_perm(&selinux_state, 3686 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3687 } 3688 3689 /* 3690 * allocate the SELinux part of blank credentials 3691 */ 3692 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3693 { 3694 struct task_security_struct *tsec; 3695 3696 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3697 if (!tsec) 3698 return -ENOMEM; 3699 3700 cred->security = tsec; 3701 return 0; 3702 } 3703 3704 /* 3705 * detach and free the LSM part of a set of credentials 3706 */ 3707 static void selinux_cred_free(struct cred *cred) 3708 { 3709 struct task_security_struct *tsec = cred->security; 3710 3711 /* 3712 * cred->security == NULL if security_cred_alloc_blank() or 3713 * security_prepare_creds() returned an error. 3714 */ 3715 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); 3716 cred->security = (void *) 0x7UL; 3717 kfree(tsec); 3718 } 3719 3720 /* 3721 * prepare a new set of credentials for modification 3722 */ 3723 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3724 gfp_t gfp) 3725 { 3726 const struct task_security_struct *old_tsec; 3727 struct task_security_struct *tsec; 3728 3729 old_tsec = old->security; 3730 3731 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3732 if (!tsec) 3733 return -ENOMEM; 3734 3735 new->security = tsec; 3736 return 0; 3737 } 3738 3739 /* 3740 * transfer the SELinux data to a blank set of creds 3741 */ 3742 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3743 { 3744 const struct task_security_struct *old_tsec = old->security; 3745 struct task_security_struct *tsec = new->security; 3746 3747 *tsec = *old_tsec; 3748 } 3749 3750 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 3751 { 3752 *secid = cred_sid(c); 3753 } 3754 3755 /* 3756 * set the security data for a kernel service 3757 * - all the creation contexts are set to unlabelled 3758 */ 3759 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3760 { 3761 struct task_security_struct *tsec = new->security; 3762 u32 sid = current_sid(); 3763 int ret; 3764 3765 ret = avc_has_perm(&selinux_state, 3766 sid, secid, 3767 SECCLASS_KERNEL_SERVICE, 3768 KERNEL_SERVICE__USE_AS_OVERRIDE, 3769 NULL); 3770 if (ret == 0) { 3771 tsec->sid = secid; 3772 tsec->create_sid = 0; 3773 tsec->keycreate_sid = 0; 3774 tsec->sockcreate_sid = 0; 3775 } 3776 return ret; 3777 } 3778 3779 /* 3780 * set the file creation context in a security record to the same as the 3781 * objective context of the specified inode 3782 */ 3783 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3784 { 3785 struct inode_security_struct *isec = inode_security(inode); 3786 struct task_security_struct *tsec = new->security; 3787 u32 sid = current_sid(); 3788 int ret; 3789 3790 ret = avc_has_perm(&selinux_state, 3791 sid, isec->sid, 3792 SECCLASS_KERNEL_SERVICE, 3793 KERNEL_SERVICE__CREATE_FILES_AS, 3794 NULL); 3795 3796 if (ret == 0) 3797 tsec->create_sid = isec->sid; 3798 return ret; 3799 } 3800 3801 static int selinux_kernel_module_request(char *kmod_name) 3802 { 3803 struct common_audit_data ad; 3804 3805 ad.type = LSM_AUDIT_DATA_KMOD; 3806 ad.u.kmod_name = kmod_name; 3807 3808 return avc_has_perm(&selinux_state, 3809 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 3810 SYSTEM__MODULE_REQUEST, &ad); 3811 } 3812 3813 static int selinux_kernel_module_from_file(struct file *file) 3814 { 3815 struct common_audit_data ad; 3816 struct inode_security_struct *isec; 3817 struct file_security_struct *fsec; 3818 u32 sid = current_sid(); 3819 int rc; 3820 3821 /* init_module */ 3822 if (file == NULL) 3823 return avc_has_perm(&selinux_state, 3824 sid, sid, SECCLASS_SYSTEM, 3825 SYSTEM__MODULE_LOAD, NULL); 3826 3827 /* finit_module */ 3828 3829 ad.type = LSM_AUDIT_DATA_FILE; 3830 ad.u.file = file; 3831 3832 fsec = file->f_security; 3833 if (sid != fsec->sid) { 3834 rc = avc_has_perm(&selinux_state, 3835 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 3836 if (rc) 3837 return rc; 3838 } 3839 3840 isec = inode_security(file_inode(file)); 3841 return avc_has_perm(&selinux_state, 3842 sid, isec->sid, SECCLASS_SYSTEM, 3843 SYSTEM__MODULE_LOAD, &ad); 3844 } 3845 3846 static int selinux_kernel_read_file(struct file *file, 3847 enum kernel_read_file_id id) 3848 { 3849 int rc = 0; 3850 3851 switch (id) { 3852 case READING_MODULE: 3853 rc = selinux_kernel_module_from_file(file); 3854 break; 3855 default: 3856 break; 3857 } 3858 3859 return rc; 3860 } 3861 3862 static int selinux_kernel_load_data(enum kernel_load_data_id id) 3863 { 3864 int rc = 0; 3865 3866 switch (id) { 3867 case LOADING_MODULE: 3868 rc = selinux_kernel_module_from_file(NULL); 3869 default: 3870 break; 3871 } 3872 3873 return rc; 3874 } 3875 3876 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3877 { 3878 return avc_has_perm(&selinux_state, 3879 current_sid(), task_sid(p), SECCLASS_PROCESS, 3880 PROCESS__SETPGID, NULL); 3881 } 3882 3883 static int selinux_task_getpgid(struct task_struct *p) 3884 { 3885 return avc_has_perm(&selinux_state, 3886 current_sid(), task_sid(p), SECCLASS_PROCESS, 3887 PROCESS__GETPGID, NULL); 3888 } 3889 3890 static int selinux_task_getsid(struct task_struct *p) 3891 { 3892 return avc_has_perm(&selinux_state, 3893 current_sid(), task_sid(p), SECCLASS_PROCESS, 3894 PROCESS__GETSESSION, NULL); 3895 } 3896 3897 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3898 { 3899 *secid = task_sid(p); 3900 } 3901 3902 static int selinux_task_setnice(struct task_struct *p, int nice) 3903 { 3904 return avc_has_perm(&selinux_state, 3905 current_sid(), task_sid(p), SECCLASS_PROCESS, 3906 PROCESS__SETSCHED, NULL); 3907 } 3908 3909 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3910 { 3911 return avc_has_perm(&selinux_state, 3912 current_sid(), task_sid(p), SECCLASS_PROCESS, 3913 PROCESS__SETSCHED, NULL); 3914 } 3915 3916 static int selinux_task_getioprio(struct task_struct *p) 3917 { 3918 return avc_has_perm(&selinux_state, 3919 current_sid(), task_sid(p), SECCLASS_PROCESS, 3920 PROCESS__GETSCHED, NULL); 3921 } 3922 3923 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 3924 unsigned int flags) 3925 { 3926 u32 av = 0; 3927 3928 if (!flags) 3929 return 0; 3930 if (flags & LSM_PRLIMIT_WRITE) 3931 av |= PROCESS__SETRLIMIT; 3932 if (flags & LSM_PRLIMIT_READ) 3933 av |= PROCESS__GETRLIMIT; 3934 return avc_has_perm(&selinux_state, 3935 cred_sid(cred), cred_sid(tcred), 3936 SECCLASS_PROCESS, av, NULL); 3937 } 3938 3939 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 3940 struct rlimit *new_rlim) 3941 { 3942 struct rlimit *old_rlim = p->signal->rlim + resource; 3943 3944 /* Control the ability to change the hard limit (whether 3945 lowering or raising it), so that the hard limit can 3946 later be used as a safe reset point for the soft limit 3947 upon context transitions. See selinux_bprm_committing_creds. */ 3948 if (old_rlim->rlim_max != new_rlim->rlim_max) 3949 return avc_has_perm(&selinux_state, 3950 current_sid(), task_sid(p), 3951 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 3952 3953 return 0; 3954 } 3955 3956 static int selinux_task_setscheduler(struct task_struct *p) 3957 { 3958 return avc_has_perm(&selinux_state, 3959 current_sid(), task_sid(p), SECCLASS_PROCESS, 3960 PROCESS__SETSCHED, NULL); 3961 } 3962 3963 static int selinux_task_getscheduler(struct task_struct *p) 3964 { 3965 return avc_has_perm(&selinux_state, 3966 current_sid(), task_sid(p), SECCLASS_PROCESS, 3967 PROCESS__GETSCHED, NULL); 3968 } 3969 3970 static int selinux_task_movememory(struct task_struct *p) 3971 { 3972 return avc_has_perm(&selinux_state, 3973 current_sid(), task_sid(p), SECCLASS_PROCESS, 3974 PROCESS__SETSCHED, NULL); 3975 } 3976 3977 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, 3978 int sig, const struct cred *cred) 3979 { 3980 u32 secid; 3981 u32 perm; 3982 3983 if (!sig) 3984 perm = PROCESS__SIGNULL; /* null signal; existence test */ 3985 else 3986 perm = signal_to_av(sig); 3987 if (!cred) 3988 secid = current_sid(); 3989 else 3990 secid = cred_sid(cred); 3991 return avc_has_perm(&selinux_state, 3992 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 3993 } 3994 3995 static void selinux_task_to_inode(struct task_struct *p, 3996 struct inode *inode) 3997 { 3998 struct inode_security_struct *isec = inode->i_security; 3999 u32 sid = task_sid(p); 4000 4001 spin_lock(&isec->lock); 4002 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4003 isec->sid = sid; 4004 isec->initialized = LABEL_INITIALIZED; 4005 spin_unlock(&isec->lock); 4006 } 4007 4008 /* Returns error only if unable to parse addresses */ 4009 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4010 struct common_audit_data *ad, u8 *proto) 4011 { 4012 int offset, ihlen, ret = -EINVAL; 4013 struct iphdr _iph, *ih; 4014 4015 offset = skb_network_offset(skb); 4016 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4017 if (ih == NULL) 4018 goto out; 4019 4020 ihlen = ih->ihl * 4; 4021 if (ihlen < sizeof(_iph)) 4022 goto out; 4023 4024 ad->u.net->v4info.saddr = ih->saddr; 4025 ad->u.net->v4info.daddr = ih->daddr; 4026 ret = 0; 4027 4028 if (proto) 4029 *proto = ih->protocol; 4030 4031 switch (ih->protocol) { 4032 case IPPROTO_TCP: { 4033 struct tcphdr _tcph, *th; 4034 4035 if (ntohs(ih->frag_off) & IP_OFFSET) 4036 break; 4037 4038 offset += ihlen; 4039 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4040 if (th == NULL) 4041 break; 4042 4043 ad->u.net->sport = th->source; 4044 ad->u.net->dport = th->dest; 4045 break; 4046 } 4047 4048 case IPPROTO_UDP: { 4049 struct udphdr _udph, *uh; 4050 4051 if (ntohs(ih->frag_off) & IP_OFFSET) 4052 break; 4053 4054 offset += ihlen; 4055 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4056 if (uh == NULL) 4057 break; 4058 4059 ad->u.net->sport = uh->source; 4060 ad->u.net->dport = uh->dest; 4061 break; 4062 } 4063 4064 case IPPROTO_DCCP: { 4065 struct dccp_hdr _dccph, *dh; 4066 4067 if (ntohs(ih->frag_off) & IP_OFFSET) 4068 break; 4069 4070 offset += ihlen; 4071 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4072 if (dh == NULL) 4073 break; 4074 4075 ad->u.net->sport = dh->dccph_sport; 4076 ad->u.net->dport = dh->dccph_dport; 4077 break; 4078 } 4079 4080 #if IS_ENABLED(CONFIG_IP_SCTP) 4081 case IPPROTO_SCTP: { 4082 struct sctphdr _sctph, *sh; 4083 4084 if (ntohs(ih->frag_off) & IP_OFFSET) 4085 break; 4086 4087 offset += ihlen; 4088 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4089 if (sh == NULL) 4090 break; 4091 4092 ad->u.net->sport = sh->source; 4093 ad->u.net->dport = sh->dest; 4094 break; 4095 } 4096 #endif 4097 default: 4098 break; 4099 } 4100 out: 4101 return ret; 4102 } 4103 4104 #if IS_ENABLED(CONFIG_IPV6) 4105 4106 /* Returns error only if unable to parse addresses */ 4107 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4108 struct common_audit_data *ad, u8 *proto) 4109 { 4110 u8 nexthdr; 4111 int ret = -EINVAL, offset; 4112 struct ipv6hdr _ipv6h, *ip6; 4113 __be16 frag_off; 4114 4115 offset = skb_network_offset(skb); 4116 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4117 if (ip6 == NULL) 4118 goto out; 4119 4120 ad->u.net->v6info.saddr = ip6->saddr; 4121 ad->u.net->v6info.daddr = ip6->daddr; 4122 ret = 0; 4123 4124 nexthdr = ip6->nexthdr; 4125 offset += sizeof(_ipv6h); 4126 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4127 if (offset < 0) 4128 goto out; 4129 4130 if (proto) 4131 *proto = nexthdr; 4132 4133 switch (nexthdr) { 4134 case IPPROTO_TCP: { 4135 struct tcphdr _tcph, *th; 4136 4137 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4138 if (th == NULL) 4139 break; 4140 4141 ad->u.net->sport = th->source; 4142 ad->u.net->dport = th->dest; 4143 break; 4144 } 4145 4146 case IPPROTO_UDP: { 4147 struct udphdr _udph, *uh; 4148 4149 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4150 if (uh == NULL) 4151 break; 4152 4153 ad->u.net->sport = uh->source; 4154 ad->u.net->dport = uh->dest; 4155 break; 4156 } 4157 4158 case IPPROTO_DCCP: { 4159 struct dccp_hdr _dccph, *dh; 4160 4161 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4162 if (dh == NULL) 4163 break; 4164 4165 ad->u.net->sport = dh->dccph_sport; 4166 ad->u.net->dport = dh->dccph_dport; 4167 break; 4168 } 4169 4170 #if IS_ENABLED(CONFIG_IP_SCTP) 4171 case IPPROTO_SCTP: { 4172 struct sctphdr _sctph, *sh; 4173 4174 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4175 if (sh == NULL) 4176 break; 4177 4178 ad->u.net->sport = sh->source; 4179 ad->u.net->dport = sh->dest; 4180 break; 4181 } 4182 #endif 4183 /* includes fragments */ 4184 default: 4185 break; 4186 } 4187 out: 4188 return ret; 4189 } 4190 4191 #endif /* IPV6 */ 4192 4193 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4194 char **_addrp, int src, u8 *proto) 4195 { 4196 char *addrp; 4197 int ret; 4198 4199 switch (ad->u.net->family) { 4200 case PF_INET: 4201 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4202 if (ret) 4203 goto parse_error; 4204 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4205 &ad->u.net->v4info.daddr); 4206 goto okay; 4207 4208 #if IS_ENABLED(CONFIG_IPV6) 4209 case PF_INET6: 4210 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4211 if (ret) 4212 goto parse_error; 4213 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4214 &ad->u.net->v6info.daddr); 4215 goto okay; 4216 #endif /* IPV6 */ 4217 default: 4218 addrp = NULL; 4219 goto okay; 4220 } 4221 4222 parse_error: 4223 pr_warn( 4224 "SELinux: failure in selinux_parse_skb()," 4225 " unable to parse packet\n"); 4226 return ret; 4227 4228 okay: 4229 if (_addrp) 4230 *_addrp = addrp; 4231 return 0; 4232 } 4233 4234 /** 4235 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4236 * @skb: the packet 4237 * @family: protocol family 4238 * @sid: the packet's peer label SID 4239 * 4240 * Description: 4241 * Check the various different forms of network peer labeling and determine 4242 * the peer label/SID for the packet; most of the magic actually occurs in 4243 * the security server function security_net_peersid_cmp(). The function 4244 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4245 * or -EACCES if @sid is invalid due to inconsistencies with the different 4246 * peer labels. 4247 * 4248 */ 4249 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4250 { 4251 int err; 4252 u32 xfrm_sid; 4253 u32 nlbl_sid; 4254 u32 nlbl_type; 4255 4256 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4257 if (unlikely(err)) 4258 return -EACCES; 4259 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4260 if (unlikely(err)) 4261 return -EACCES; 4262 4263 err = security_net_peersid_resolve(&selinux_state, nlbl_sid, 4264 nlbl_type, xfrm_sid, sid); 4265 if (unlikely(err)) { 4266 pr_warn( 4267 "SELinux: failure in selinux_skb_peerlbl_sid()," 4268 " unable to determine packet's peer label\n"); 4269 return -EACCES; 4270 } 4271 4272 return 0; 4273 } 4274 4275 /** 4276 * selinux_conn_sid - Determine the child socket label for a connection 4277 * @sk_sid: the parent socket's SID 4278 * @skb_sid: the packet's SID 4279 * @conn_sid: the resulting connection SID 4280 * 4281 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4282 * combined with the MLS information from @skb_sid in order to create 4283 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy 4284 * of @sk_sid. Returns zero on success, negative values on failure. 4285 * 4286 */ 4287 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4288 { 4289 int err = 0; 4290 4291 if (skb_sid != SECSID_NULL) 4292 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid, 4293 conn_sid); 4294 else 4295 *conn_sid = sk_sid; 4296 4297 return err; 4298 } 4299 4300 /* socket security operations */ 4301 4302 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4303 u16 secclass, u32 *socksid) 4304 { 4305 if (tsec->sockcreate_sid > SECSID_NULL) { 4306 *socksid = tsec->sockcreate_sid; 4307 return 0; 4308 } 4309 4310 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid, 4311 secclass, NULL, socksid); 4312 } 4313 4314 static int sock_has_perm(struct sock *sk, u32 perms) 4315 { 4316 struct sk_security_struct *sksec = sk->sk_security; 4317 struct common_audit_data ad; 4318 struct lsm_network_audit net = {0,}; 4319 4320 if (sksec->sid == SECINITSID_KERNEL) 4321 return 0; 4322 4323 ad.type = LSM_AUDIT_DATA_NET; 4324 ad.u.net = &net; 4325 ad.u.net->sk = sk; 4326 4327 return avc_has_perm(&selinux_state, 4328 current_sid(), sksec->sid, sksec->sclass, perms, 4329 &ad); 4330 } 4331 4332 static int selinux_socket_create(int family, int type, 4333 int protocol, int kern) 4334 { 4335 const struct task_security_struct *tsec = current_security(); 4336 u32 newsid; 4337 u16 secclass; 4338 int rc; 4339 4340 if (kern) 4341 return 0; 4342 4343 secclass = socket_type_to_security_class(family, type, protocol); 4344 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4345 if (rc) 4346 return rc; 4347 4348 return avc_has_perm(&selinux_state, 4349 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4350 } 4351 4352 static int selinux_socket_post_create(struct socket *sock, int family, 4353 int type, int protocol, int kern) 4354 { 4355 const struct task_security_struct *tsec = current_security(); 4356 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4357 struct sk_security_struct *sksec; 4358 u16 sclass = socket_type_to_security_class(family, type, protocol); 4359 u32 sid = SECINITSID_KERNEL; 4360 int err = 0; 4361 4362 if (!kern) { 4363 err = socket_sockcreate_sid(tsec, sclass, &sid); 4364 if (err) 4365 return err; 4366 } 4367 4368 isec->sclass = sclass; 4369 isec->sid = sid; 4370 isec->initialized = LABEL_INITIALIZED; 4371 4372 if (sock->sk) { 4373 sksec = sock->sk->sk_security; 4374 sksec->sclass = sclass; 4375 sksec->sid = sid; 4376 /* Allows detection of the first association on this socket */ 4377 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4378 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4379 4380 err = selinux_netlbl_socket_post_create(sock->sk, family); 4381 } 4382 4383 return err; 4384 } 4385 4386 static int selinux_socket_socketpair(struct socket *socka, 4387 struct socket *sockb) 4388 { 4389 struct sk_security_struct *sksec_a = socka->sk->sk_security; 4390 struct sk_security_struct *sksec_b = sockb->sk->sk_security; 4391 4392 sksec_a->peer_sid = sksec_b->sid; 4393 sksec_b->peer_sid = sksec_a->sid; 4394 4395 return 0; 4396 } 4397 4398 /* Range of port numbers used to automatically bind. 4399 Need to determine whether we should perform a name_bind 4400 permission check between the socket and the port number. */ 4401 4402 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4403 { 4404 struct sock *sk = sock->sk; 4405 struct sk_security_struct *sksec = sk->sk_security; 4406 u16 family; 4407 int err; 4408 4409 err = sock_has_perm(sk, SOCKET__BIND); 4410 if (err) 4411 goto out; 4412 4413 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4414 family = sk->sk_family; 4415 if (family == PF_INET || family == PF_INET6) { 4416 char *addrp; 4417 struct common_audit_data ad; 4418 struct lsm_network_audit net = {0,}; 4419 struct sockaddr_in *addr4 = NULL; 4420 struct sockaddr_in6 *addr6 = NULL; 4421 u16 family_sa = address->sa_family; 4422 unsigned short snum; 4423 u32 sid, node_perm; 4424 4425 /* 4426 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4427 * that validates multiple binding addresses. Because of this 4428 * need to check address->sa_family as it is possible to have 4429 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4430 */ 4431 switch (family_sa) { 4432 case AF_UNSPEC: 4433 case AF_INET: 4434 if (addrlen < sizeof(struct sockaddr_in)) 4435 return -EINVAL; 4436 addr4 = (struct sockaddr_in *)address; 4437 if (family_sa == AF_UNSPEC) { 4438 /* see __inet_bind(), we only want to allow 4439 * AF_UNSPEC if the address is INADDR_ANY 4440 */ 4441 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4442 goto err_af; 4443 family_sa = AF_INET; 4444 } 4445 snum = ntohs(addr4->sin_port); 4446 addrp = (char *)&addr4->sin_addr.s_addr; 4447 break; 4448 case AF_INET6: 4449 if (addrlen < SIN6_LEN_RFC2133) 4450 return -EINVAL; 4451 addr6 = (struct sockaddr_in6 *)address; 4452 snum = ntohs(addr6->sin6_port); 4453 addrp = (char *)&addr6->sin6_addr.s6_addr; 4454 break; 4455 default: 4456 goto err_af; 4457 } 4458 4459 ad.type = LSM_AUDIT_DATA_NET; 4460 ad.u.net = &net; 4461 ad.u.net->sport = htons(snum); 4462 ad.u.net->family = family_sa; 4463 4464 if (snum) { 4465 int low, high; 4466 4467 inet_get_local_port_range(sock_net(sk), &low, &high); 4468 4469 if (snum < max(inet_prot_sock(sock_net(sk)), low) || 4470 snum > high) { 4471 err = sel_netport_sid(sk->sk_protocol, 4472 snum, &sid); 4473 if (err) 4474 goto out; 4475 err = avc_has_perm(&selinux_state, 4476 sksec->sid, sid, 4477 sksec->sclass, 4478 SOCKET__NAME_BIND, &ad); 4479 if (err) 4480 goto out; 4481 } 4482 } 4483 4484 switch (sksec->sclass) { 4485 case SECCLASS_TCP_SOCKET: 4486 node_perm = TCP_SOCKET__NODE_BIND; 4487 break; 4488 4489 case SECCLASS_UDP_SOCKET: 4490 node_perm = UDP_SOCKET__NODE_BIND; 4491 break; 4492 4493 case SECCLASS_DCCP_SOCKET: 4494 node_perm = DCCP_SOCKET__NODE_BIND; 4495 break; 4496 4497 case SECCLASS_SCTP_SOCKET: 4498 node_perm = SCTP_SOCKET__NODE_BIND; 4499 break; 4500 4501 default: 4502 node_perm = RAWIP_SOCKET__NODE_BIND; 4503 break; 4504 } 4505 4506 err = sel_netnode_sid(addrp, family_sa, &sid); 4507 if (err) 4508 goto out; 4509 4510 if (family_sa == AF_INET) 4511 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4512 else 4513 ad.u.net->v6info.saddr = addr6->sin6_addr; 4514 4515 err = avc_has_perm(&selinux_state, 4516 sksec->sid, sid, 4517 sksec->sclass, node_perm, &ad); 4518 if (err) 4519 goto out; 4520 } 4521 out: 4522 return err; 4523 err_af: 4524 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4525 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4526 return -EINVAL; 4527 return -EAFNOSUPPORT; 4528 } 4529 4530 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 4531 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst 4532 */ 4533 static int selinux_socket_connect_helper(struct socket *sock, 4534 struct sockaddr *address, int addrlen) 4535 { 4536 struct sock *sk = sock->sk; 4537 struct sk_security_struct *sksec = sk->sk_security; 4538 int err; 4539 4540 err = sock_has_perm(sk, SOCKET__CONNECT); 4541 if (err) 4542 return err; 4543 4544 /* 4545 * If a TCP, DCCP or SCTP socket, check name_connect permission 4546 * for the port. 4547 */ 4548 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4549 sksec->sclass == SECCLASS_DCCP_SOCKET || 4550 sksec->sclass == SECCLASS_SCTP_SOCKET) { 4551 struct common_audit_data ad; 4552 struct lsm_network_audit net = {0,}; 4553 struct sockaddr_in *addr4 = NULL; 4554 struct sockaddr_in6 *addr6 = NULL; 4555 unsigned short snum; 4556 u32 sid, perm; 4557 4558 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 4559 * that validates multiple connect addresses. Because of this 4560 * need to check address->sa_family as it is possible to have 4561 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4562 */ 4563 switch (address->sa_family) { 4564 case AF_INET: 4565 addr4 = (struct sockaddr_in *)address; 4566 if (addrlen < sizeof(struct sockaddr_in)) 4567 return -EINVAL; 4568 snum = ntohs(addr4->sin_port); 4569 break; 4570 case AF_INET6: 4571 addr6 = (struct sockaddr_in6 *)address; 4572 if (addrlen < SIN6_LEN_RFC2133) 4573 return -EINVAL; 4574 snum = ntohs(addr6->sin6_port); 4575 break; 4576 default: 4577 /* Note that SCTP services expect -EINVAL, whereas 4578 * others expect -EAFNOSUPPORT. 4579 */ 4580 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4581 return -EINVAL; 4582 else 4583 return -EAFNOSUPPORT; 4584 } 4585 4586 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4587 if (err) 4588 return err; 4589 4590 switch (sksec->sclass) { 4591 case SECCLASS_TCP_SOCKET: 4592 perm = TCP_SOCKET__NAME_CONNECT; 4593 break; 4594 case SECCLASS_DCCP_SOCKET: 4595 perm = DCCP_SOCKET__NAME_CONNECT; 4596 break; 4597 case SECCLASS_SCTP_SOCKET: 4598 perm = SCTP_SOCKET__NAME_CONNECT; 4599 break; 4600 } 4601 4602 ad.type = LSM_AUDIT_DATA_NET; 4603 ad.u.net = &net; 4604 ad.u.net->dport = htons(snum); 4605 ad.u.net->family = address->sa_family; 4606 err = avc_has_perm(&selinux_state, 4607 sksec->sid, sid, sksec->sclass, perm, &ad); 4608 if (err) 4609 return err; 4610 } 4611 4612 return 0; 4613 } 4614 4615 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 4616 static int selinux_socket_connect(struct socket *sock, 4617 struct sockaddr *address, int addrlen) 4618 { 4619 int err; 4620 struct sock *sk = sock->sk; 4621 4622 err = selinux_socket_connect_helper(sock, address, addrlen); 4623 if (err) 4624 return err; 4625 4626 return selinux_netlbl_socket_connect(sk, address); 4627 } 4628 4629 static int selinux_socket_listen(struct socket *sock, int backlog) 4630 { 4631 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4632 } 4633 4634 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4635 { 4636 int err; 4637 struct inode_security_struct *isec; 4638 struct inode_security_struct *newisec; 4639 u16 sclass; 4640 u32 sid; 4641 4642 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4643 if (err) 4644 return err; 4645 4646 isec = inode_security_novalidate(SOCK_INODE(sock)); 4647 spin_lock(&isec->lock); 4648 sclass = isec->sclass; 4649 sid = isec->sid; 4650 spin_unlock(&isec->lock); 4651 4652 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4653 newisec->sclass = sclass; 4654 newisec->sid = sid; 4655 newisec->initialized = LABEL_INITIALIZED; 4656 4657 return 0; 4658 } 4659 4660 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4661 int size) 4662 { 4663 return sock_has_perm(sock->sk, SOCKET__WRITE); 4664 } 4665 4666 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4667 int size, int flags) 4668 { 4669 return sock_has_perm(sock->sk, SOCKET__READ); 4670 } 4671 4672 static int selinux_socket_getsockname(struct socket *sock) 4673 { 4674 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4675 } 4676 4677 static int selinux_socket_getpeername(struct socket *sock) 4678 { 4679 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4680 } 4681 4682 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4683 { 4684 int err; 4685 4686 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 4687 if (err) 4688 return err; 4689 4690 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4691 } 4692 4693 static int selinux_socket_getsockopt(struct socket *sock, int level, 4694 int optname) 4695 { 4696 return sock_has_perm(sock->sk, SOCKET__GETOPT); 4697 } 4698 4699 static int selinux_socket_shutdown(struct socket *sock, int how) 4700 { 4701 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 4702 } 4703 4704 static int selinux_socket_unix_stream_connect(struct sock *sock, 4705 struct sock *other, 4706 struct sock *newsk) 4707 { 4708 struct sk_security_struct *sksec_sock = sock->sk_security; 4709 struct sk_security_struct *sksec_other = other->sk_security; 4710 struct sk_security_struct *sksec_new = newsk->sk_security; 4711 struct common_audit_data ad; 4712 struct lsm_network_audit net = {0,}; 4713 int err; 4714 4715 ad.type = LSM_AUDIT_DATA_NET; 4716 ad.u.net = &net; 4717 ad.u.net->sk = other; 4718 4719 err = avc_has_perm(&selinux_state, 4720 sksec_sock->sid, sksec_other->sid, 4721 sksec_other->sclass, 4722 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4723 if (err) 4724 return err; 4725 4726 /* server child socket */ 4727 sksec_new->peer_sid = sksec_sock->sid; 4728 err = security_sid_mls_copy(&selinux_state, sksec_other->sid, 4729 sksec_sock->sid, &sksec_new->sid); 4730 if (err) 4731 return err; 4732 4733 /* connecting socket */ 4734 sksec_sock->peer_sid = sksec_new->sid; 4735 4736 return 0; 4737 } 4738 4739 static int selinux_socket_unix_may_send(struct socket *sock, 4740 struct socket *other) 4741 { 4742 struct sk_security_struct *ssec = sock->sk->sk_security; 4743 struct sk_security_struct *osec = other->sk->sk_security; 4744 struct common_audit_data ad; 4745 struct lsm_network_audit net = {0,}; 4746 4747 ad.type = LSM_AUDIT_DATA_NET; 4748 ad.u.net = &net; 4749 ad.u.net->sk = other->sk; 4750 4751 return avc_has_perm(&selinux_state, 4752 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4753 &ad); 4754 } 4755 4756 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4757 char *addrp, u16 family, u32 peer_sid, 4758 struct common_audit_data *ad) 4759 { 4760 int err; 4761 u32 if_sid; 4762 u32 node_sid; 4763 4764 err = sel_netif_sid(ns, ifindex, &if_sid); 4765 if (err) 4766 return err; 4767 err = avc_has_perm(&selinux_state, 4768 peer_sid, if_sid, 4769 SECCLASS_NETIF, NETIF__INGRESS, ad); 4770 if (err) 4771 return err; 4772 4773 err = sel_netnode_sid(addrp, family, &node_sid); 4774 if (err) 4775 return err; 4776 return avc_has_perm(&selinux_state, 4777 peer_sid, node_sid, 4778 SECCLASS_NODE, NODE__RECVFROM, ad); 4779 } 4780 4781 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4782 u16 family) 4783 { 4784 int err = 0; 4785 struct sk_security_struct *sksec = sk->sk_security; 4786 u32 sk_sid = sksec->sid; 4787 struct common_audit_data ad; 4788 struct lsm_network_audit net = {0,}; 4789 char *addrp; 4790 4791 ad.type = LSM_AUDIT_DATA_NET; 4792 ad.u.net = &net; 4793 ad.u.net->netif = skb->skb_iif; 4794 ad.u.net->family = family; 4795 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4796 if (err) 4797 return err; 4798 4799 if (selinux_secmark_enabled()) { 4800 err = avc_has_perm(&selinux_state, 4801 sk_sid, skb->secmark, SECCLASS_PACKET, 4802 PACKET__RECV, &ad); 4803 if (err) 4804 return err; 4805 } 4806 4807 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4808 if (err) 4809 return err; 4810 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4811 4812 return err; 4813 } 4814 4815 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4816 { 4817 int err; 4818 struct sk_security_struct *sksec = sk->sk_security; 4819 u16 family = sk->sk_family; 4820 u32 sk_sid = sksec->sid; 4821 struct common_audit_data ad; 4822 struct lsm_network_audit net = {0,}; 4823 char *addrp; 4824 u8 secmark_active; 4825 u8 peerlbl_active; 4826 4827 if (family != PF_INET && family != PF_INET6) 4828 return 0; 4829 4830 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 4831 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4832 family = PF_INET; 4833 4834 /* If any sort of compatibility mode is enabled then handoff processing 4835 * to the selinux_sock_rcv_skb_compat() function to deal with the 4836 * special handling. We do this in an attempt to keep this function 4837 * as fast and as clean as possible. */ 4838 if (!selinux_policycap_netpeer()) 4839 return selinux_sock_rcv_skb_compat(sk, skb, family); 4840 4841 secmark_active = selinux_secmark_enabled(); 4842 peerlbl_active = selinux_peerlbl_enabled(); 4843 if (!secmark_active && !peerlbl_active) 4844 return 0; 4845 4846 ad.type = LSM_AUDIT_DATA_NET; 4847 ad.u.net = &net; 4848 ad.u.net->netif = skb->skb_iif; 4849 ad.u.net->family = family; 4850 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4851 if (err) 4852 return err; 4853 4854 if (peerlbl_active) { 4855 u32 peer_sid; 4856 4857 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4858 if (err) 4859 return err; 4860 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 4861 addrp, family, peer_sid, &ad); 4862 if (err) { 4863 selinux_netlbl_err(skb, family, err, 0); 4864 return err; 4865 } 4866 err = avc_has_perm(&selinux_state, 4867 sk_sid, peer_sid, SECCLASS_PEER, 4868 PEER__RECV, &ad); 4869 if (err) { 4870 selinux_netlbl_err(skb, family, err, 0); 4871 return err; 4872 } 4873 } 4874 4875 if (secmark_active) { 4876 err = avc_has_perm(&selinux_state, 4877 sk_sid, skb->secmark, SECCLASS_PACKET, 4878 PACKET__RECV, &ad); 4879 if (err) 4880 return err; 4881 } 4882 4883 return err; 4884 } 4885 4886 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4887 int __user *optlen, unsigned len) 4888 { 4889 int err = 0; 4890 char *scontext; 4891 u32 scontext_len; 4892 struct sk_security_struct *sksec = sock->sk->sk_security; 4893 u32 peer_sid = SECSID_NULL; 4894 4895 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4896 sksec->sclass == SECCLASS_TCP_SOCKET || 4897 sksec->sclass == SECCLASS_SCTP_SOCKET) 4898 peer_sid = sksec->peer_sid; 4899 if (peer_sid == SECSID_NULL) 4900 return -ENOPROTOOPT; 4901 4902 err = security_sid_to_context(&selinux_state, peer_sid, &scontext, 4903 &scontext_len); 4904 if (err) 4905 return err; 4906 4907 if (scontext_len > len) { 4908 err = -ERANGE; 4909 goto out_len; 4910 } 4911 4912 if (copy_to_user(optval, scontext, scontext_len)) 4913 err = -EFAULT; 4914 4915 out_len: 4916 if (put_user(scontext_len, optlen)) 4917 err = -EFAULT; 4918 kfree(scontext); 4919 return err; 4920 } 4921 4922 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4923 { 4924 u32 peer_secid = SECSID_NULL; 4925 u16 family; 4926 struct inode_security_struct *isec; 4927 4928 if (skb && skb->protocol == htons(ETH_P_IP)) 4929 family = PF_INET; 4930 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 4931 family = PF_INET6; 4932 else if (sock) 4933 family = sock->sk->sk_family; 4934 else 4935 goto out; 4936 4937 if (sock && family == PF_UNIX) { 4938 isec = inode_security_novalidate(SOCK_INODE(sock)); 4939 peer_secid = isec->sid; 4940 } else if (skb) 4941 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4942 4943 out: 4944 *secid = peer_secid; 4945 if (peer_secid == SECSID_NULL) 4946 return -EINVAL; 4947 return 0; 4948 } 4949 4950 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4951 { 4952 struct sk_security_struct *sksec; 4953 4954 sksec = kzalloc(sizeof(*sksec), priority); 4955 if (!sksec) 4956 return -ENOMEM; 4957 4958 sksec->peer_sid = SECINITSID_UNLABELED; 4959 sksec->sid = SECINITSID_UNLABELED; 4960 sksec->sclass = SECCLASS_SOCKET; 4961 selinux_netlbl_sk_security_reset(sksec); 4962 sk->sk_security = sksec; 4963 4964 return 0; 4965 } 4966 4967 static void selinux_sk_free_security(struct sock *sk) 4968 { 4969 struct sk_security_struct *sksec = sk->sk_security; 4970 4971 sk->sk_security = NULL; 4972 selinux_netlbl_sk_security_free(sksec); 4973 kfree(sksec); 4974 } 4975 4976 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4977 { 4978 struct sk_security_struct *sksec = sk->sk_security; 4979 struct sk_security_struct *newsksec = newsk->sk_security; 4980 4981 newsksec->sid = sksec->sid; 4982 newsksec->peer_sid = sksec->peer_sid; 4983 newsksec->sclass = sksec->sclass; 4984 4985 selinux_netlbl_sk_security_reset(newsksec); 4986 } 4987 4988 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4989 { 4990 if (!sk) 4991 *secid = SECINITSID_ANY_SOCKET; 4992 else { 4993 struct sk_security_struct *sksec = sk->sk_security; 4994 4995 *secid = sksec->sid; 4996 } 4997 } 4998 4999 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5000 { 5001 struct inode_security_struct *isec = 5002 inode_security_novalidate(SOCK_INODE(parent)); 5003 struct sk_security_struct *sksec = sk->sk_security; 5004 5005 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5006 sk->sk_family == PF_UNIX) 5007 isec->sid = sksec->sid; 5008 sksec->sclass = isec->sclass; 5009 } 5010 5011 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming 5012 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association 5013 * already present). 5014 */ 5015 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep, 5016 struct sk_buff *skb) 5017 { 5018 struct sk_security_struct *sksec = ep->base.sk->sk_security; 5019 struct common_audit_data ad; 5020 struct lsm_network_audit net = {0,}; 5021 u8 peerlbl_active; 5022 u32 peer_sid = SECINITSID_UNLABELED; 5023 u32 conn_sid; 5024 int err = 0; 5025 5026 if (!selinux_policycap_extsockclass()) 5027 return 0; 5028 5029 peerlbl_active = selinux_peerlbl_enabled(); 5030 5031 if (peerlbl_active) { 5032 /* This will return peer_sid = SECSID_NULL if there are 5033 * no peer labels, see security_net_peersid_resolve(). 5034 */ 5035 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family, 5036 &peer_sid); 5037 if (err) 5038 return err; 5039 5040 if (peer_sid == SECSID_NULL) 5041 peer_sid = SECINITSID_UNLABELED; 5042 } 5043 5044 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5045 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5046 5047 /* Here as first association on socket. As the peer SID 5048 * was allowed by peer recv (and the netif/node checks), 5049 * then it is approved by policy and used as the primary 5050 * peer SID for getpeercon(3). 5051 */ 5052 sksec->peer_sid = peer_sid; 5053 } else if (sksec->peer_sid != peer_sid) { 5054 /* Other association peer SIDs are checked to enforce 5055 * consistency among the peer SIDs. 5056 */ 5057 ad.type = LSM_AUDIT_DATA_NET; 5058 ad.u.net = &net; 5059 ad.u.net->sk = ep->base.sk; 5060 err = avc_has_perm(&selinux_state, 5061 sksec->peer_sid, peer_sid, sksec->sclass, 5062 SCTP_SOCKET__ASSOCIATION, &ad); 5063 if (err) 5064 return err; 5065 } 5066 5067 /* Compute the MLS component for the connection and store 5068 * the information in ep. This will be used by SCTP TCP type 5069 * sockets and peeled off connections as they cause a new 5070 * socket to be generated. selinux_sctp_sk_clone() will then 5071 * plug this into the new socket. 5072 */ 5073 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid); 5074 if (err) 5075 return err; 5076 5077 ep->secid = conn_sid; 5078 ep->peer_secid = peer_sid; 5079 5080 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5081 return selinux_netlbl_sctp_assoc_request(ep, skb); 5082 } 5083 5084 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5085 * based on their @optname. 5086 */ 5087 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5088 struct sockaddr *address, 5089 int addrlen) 5090 { 5091 int len, err = 0, walk_size = 0; 5092 void *addr_buf; 5093 struct sockaddr *addr; 5094 struct socket *sock; 5095 5096 if (!selinux_policycap_extsockclass()) 5097 return 0; 5098 5099 /* Process one or more addresses that may be IPv4 or IPv6 */ 5100 sock = sk->sk_socket; 5101 addr_buf = address; 5102 5103 while (walk_size < addrlen) { 5104 if (walk_size + sizeof(sa_family_t) > addrlen) 5105 return -EINVAL; 5106 5107 addr = addr_buf; 5108 switch (addr->sa_family) { 5109 case AF_UNSPEC: 5110 case AF_INET: 5111 len = sizeof(struct sockaddr_in); 5112 break; 5113 case AF_INET6: 5114 len = sizeof(struct sockaddr_in6); 5115 break; 5116 default: 5117 return -EINVAL; 5118 } 5119 5120 err = -EINVAL; 5121 switch (optname) { 5122 /* Bind checks */ 5123 case SCTP_PRIMARY_ADDR: 5124 case SCTP_SET_PEER_PRIMARY_ADDR: 5125 case SCTP_SOCKOPT_BINDX_ADD: 5126 err = selinux_socket_bind(sock, addr, len); 5127 break; 5128 /* Connect checks */ 5129 case SCTP_SOCKOPT_CONNECTX: 5130 case SCTP_PARAM_SET_PRIMARY: 5131 case SCTP_PARAM_ADD_IP: 5132 case SCTP_SENDMSG_CONNECT: 5133 err = selinux_socket_connect_helper(sock, addr, len); 5134 if (err) 5135 return err; 5136 5137 /* As selinux_sctp_bind_connect() is called by the 5138 * SCTP protocol layer, the socket is already locked, 5139 * therefore selinux_netlbl_socket_connect_locked() is 5140 * is called here. The situations handled are: 5141 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5142 * whenever a new IP address is added or when a new 5143 * primary address is selected. 5144 * Note that an SCTP connect(2) call happens before 5145 * the SCTP protocol layer and is handled via 5146 * selinux_socket_connect(). 5147 */ 5148 err = selinux_netlbl_socket_connect_locked(sk, addr); 5149 break; 5150 } 5151 5152 if (err) 5153 return err; 5154 5155 addr_buf += len; 5156 walk_size += len; 5157 } 5158 5159 return 0; 5160 } 5161 5162 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5163 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, 5164 struct sock *newsk) 5165 { 5166 struct sk_security_struct *sksec = sk->sk_security; 5167 struct sk_security_struct *newsksec = newsk->sk_security; 5168 5169 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5170 * the non-sctp clone version. 5171 */ 5172 if (!selinux_policycap_extsockclass()) 5173 return selinux_sk_clone_security(sk, newsk); 5174 5175 newsksec->sid = ep->secid; 5176 newsksec->peer_sid = ep->peer_secid; 5177 newsksec->sclass = sksec->sclass; 5178 selinux_netlbl_sctp_sk_clone(sk, newsk); 5179 } 5180 5181 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 5182 struct request_sock *req) 5183 { 5184 struct sk_security_struct *sksec = sk->sk_security; 5185 int err; 5186 u16 family = req->rsk_ops->family; 5187 u32 connsid; 5188 u32 peersid; 5189 5190 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5191 if (err) 5192 return err; 5193 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5194 if (err) 5195 return err; 5196 req->secid = connsid; 5197 req->peer_secid = peersid; 5198 5199 return selinux_netlbl_inet_conn_request(req, family); 5200 } 5201 5202 static void selinux_inet_csk_clone(struct sock *newsk, 5203 const struct request_sock *req) 5204 { 5205 struct sk_security_struct *newsksec = newsk->sk_security; 5206 5207 newsksec->sid = req->secid; 5208 newsksec->peer_sid = req->peer_secid; 5209 /* NOTE: Ideally, we should also get the isec->sid for the 5210 new socket in sync, but we don't have the isec available yet. 5211 So we will wait until sock_graft to do it, by which 5212 time it will have been created and available. */ 5213 5214 /* We don't need to take any sort of lock here as we are the only 5215 * thread with access to newsksec */ 5216 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5217 } 5218 5219 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5220 { 5221 u16 family = sk->sk_family; 5222 struct sk_security_struct *sksec = sk->sk_security; 5223 5224 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5225 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5226 family = PF_INET; 5227 5228 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5229 } 5230 5231 static int selinux_secmark_relabel_packet(u32 sid) 5232 { 5233 const struct task_security_struct *__tsec; 5234 u32 tsid; 5235 5236 __tsec = current_security(); 5237 tsid = __tsec->sid; 5238 5239 return avc_has_perm(&selinux_state, 5240 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, 5241 NULL); 5242 } 5243 5244 static void selinux_secmark_refcount_inc(void) 5245 { 5246 atomic_inc(&selinux_secmark_refcount); 5247 } 5248 5249 static void selinux_secmark_refcount_dec(void) 5250 { 5251 atomic_dec(&selinux_secmark_refcount); 5252 } 5253 5254 static void selinux_req_classify_flow(const struct request_sock *req, 5255 struct flowi *fl) 5256 { 5257 fl->flowi_secid = req->secid; 5258 } 5259 5260 static int selinux_tun_dev_alloc_security(void **security) 5261 { 5262 struct tun_security_struct *tunsec; 5263 5264 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5265 if (!tunsec) 5266 return -ENOMEM; 5267 tunsec->sid = current_sid(); 5268 5269 *security = tunsec; 5270 return 0; 5271 } 5272 5273 static void selinux_tun_dev_free_security(void *security) 5274 { 5275 kfree(security); 5276 } 5277 5278 static int selinux_tun_dev_create(void) 5279 { 5280 u32 sid = current_sid(); 5281 5282 /* we aren't taking into account the "sockcreate" SID since the socket 5283 * that is being created here is not a socket in the traditional sense, 5284 * instead it is a private sock, accessible only to the kernel, and 5285 * representing a wide range of network traffic spanning multiple 5286 * connections unlike traditional sockets - check the TUN driver to 5287 * get a better understanding of why this socket is special */ 5288 5289 return avc_has_perm(&selinux_state, 5290 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5291 NULL); 5292 } 5293 5294 static int selinux_tun_dev_attach_queue(void *security) 5295 { 5296 struct tun_security_struct *tunsec = security; 5297 5298 return avc_has_perm(&selinux_state, 5299 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5300 TUN_SOCKET__ATTACH_QUEUE, NULL); 5301 } 5302 5303 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5304 { 5305 struct tun_security_struct *tunsec = security; 5306 struct sk_security_struct *sksec = sk->sk_security; 5307 5308 /* we don't currently perform any NetLabel based labeling here and it 5309 * isn't clear that we would want to do so anyway; while we could apply 5310 * labeling without the support of the TUN user the resulting labeled 5311 * traffic from the other end of the connection would almost certainly 5312 * cause confusion to the TUN user that had no idea network labeling 5313 * protocols were being used */ 5314 5315 sksec->sid = tunsec->sid; 5316 sksec->sclass = SECCLASS_TUN_SOCKET; 5317 5318 return 0; 5319 } 5320 5321 static int selinux_tun_dev_open(void *security) 5322 { 5323 struct tun_security_struct *tunsec = security; 5324 u32 sid = current_sid(); 5325 int err; 5326 5327 err = avc_has_perm(&selinux_state, 5328 sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5329 TUN_SOCKET__RELABELFROM, NULL); 5330 if (err) 5331 return err; 5332 err = avc_has_perm(&selinux_state, 5333 sid, sid, SECCLASS_TUN_SOCKET, 5334 TUN_SOCKET__RELABELTO, NULL); 5335 if (err) 5336 return err; 5337 tunsec->sid = sid; 5338 5339 return 0; 5340 } 5341 5342 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 5343 { 5344 int err = 0; 5345 u32 perm; 5346 struct nlmsghdr *nlh; 5347 struct sk_security_struct *sksec = sk->sk_security; 5348 5349 if (skb->len < NLMSG_HDRLEN) { 5350 err = -EINVAL; 5351 goto out; 5352 } 5353 nlh = nlmsg_hdr(skb); 5354 5355 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 5356 if (err) { 5357 if (err == -EINVAL) { 5358 pr_warn_ratelimited("SELinux: unrecognized netlink" 5359 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 5360 " pig=%d comm=%s\n", 5361 sk->sk_protocol, nlh->nlmsg_type, 5362 secclass_map[sksec->sclass - 1].name, 5363 task_pid_nr(current), current->comm); 5364 if (!enforcing_enabled(&selinux_state) || 5365 security_get_allow_unknown(&selinux_state)) 5366 err = 0; 5367 } 5368 5369 /* Ignore */ 5370 if (err == -ENOENT) 5371 err = 0; 5372 goto out; 5373 } 5374 5375 err = sock_has_perm(sk, perm); 5376 out: 5377 return err; 5378 } 5379 5380 #ifdef CONFIG_NETFILTER 5381 5382 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5383 const struct net_device *indev, 5384 u16 family) 5385 { 5386 int err; 5387 char *addrp; 5388 u32 peer_sid; 5389 struct common_audit_data ad; 5390 struct lsm_network_audit net = {0,}; 5391 u8 secmark_active; 5392 u8 netlbl_active; 5393 u8 peerlbl_active; 5394 5395 if (!selinux_policycap_netpeer()) 5396 return NF_ACCEPT; 5397 5398 secmark_active = selinux_secmark_enabled(); 5399 netlbl_active = netlbl_enabled(); 5400 peerlbl_active = selinux_peerlbl_enabled(); 5401 if (!secmark_active && !peerlbl_active) 5402 return NF_ACCEPT; 5403 5404 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5405 return NF_DROP; 5406 5407 ad.type = LSM_AUDIT_DATA_NET; 5408 ad.u.net = &net; 5409 ad.u.net->netif = indev->ifindex; 5410 ad.u.net->family = family; 5411 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5412 return NF_DROP; 5413 5414 if (peerlbl_active) { 5415 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5416 addrp, family, peer_sid, &ad); 5417 if (err) { 5418 selinux_netlbl_err(skb, family, err, 1); 5419 return NF_DROP; 5420 } 5421 } 5422 5423 if (secmark_active) 5424 if (avc_has_perm(&selinux_state, 5425 peer_sid, skb->secmark, 5426 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5427 return NF_DROP; 5428 5429 if (netlbl_active) 5430 /* we do this in the FORWARD path and not the POST_ROUTING 5431 * path because we want to make sure we apply the necessary 5432 * labeling before IPsec is applied so we can leverage AH 5433 * protection */ 5434 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5435 return NF_DROP; 5436 5437 return NF_ACCEPT; 5438 } 5439 5440 static unsigned int selinux_ipv4_forward(void *priv, 5441 struct sk_buff *skb, 5442 const struct nf_hook_state *state) 5443 { 5444 return selinux_ip_forward(skb, state->in, PF_INET); 5445 } 5446 5447 #if IS_ENABLED(CONFIG_IPV6) 5448 static unsigned int selinux_ipv6_forward(void *priv, 5449 struct sk_buff *skb, 5450 const struct nf_hook_state *state) 5451 { 5452 return selinux_ip_forward(skb, state->in, PF_INET6); 5453 } 5454 #endif /* IPV6 */ 5455 5456 static unsigned int selinux_ip_output(struct sk_buff *skb, 5457 u16 family) 5458 { 5459 struct sock *sk; 5460 u32 sid; 5461 5462 if (!netlbl_enabled()) 5463 return NF_ACCEPT; 5464 5465 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5466 * because we want to make sure we apply the necessary labeling 5467 * before IPsec is applied so we can leverage AH protection */ 5468 sk = skb->sk; 5469 if (sk) { 5470 struct sk_security_struct *sksec; 5471 5472 if (sk_listener(sk)) 5473 /* if the socket is the listening state then this 5474 * packet is a SYN-ACK packet which means it needs to 5475 * be labeled based on the connection/request_sock and 5476 * not the parent socket. unfortunately, we can't 5477 * lookup the request_sock yet as it isn't queued on 5478 * the parent socket until after the SYN-ACK is sent. 5479 * the "solution" is to simply pass the packet as-is 5480 * as any IP option based labeling should be copied 5481 * from the initial connection request (in the IP 5482 * layer). it is far from ideal, but until we get a 5483 * security label in the packet itself this is the 5484 * best we can do. */ 5485 return NF_ACCEPT; 5486 5487 /* standard practice, label using the parent socket */ 5488 sksec = sk->sk_security; 5489 sid = sksec->sid; 5490 } else 5491 sid = SECINITSID_KERNEL; 5492 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5493 return NF_DROP; 5494 5495 return NF_ACCEPT; 5496 } 5497 5498 static unsigned int selinux_ipv4_output(void *priv, 5499 struct sk_buff *skb, 5500 const struct nf_hook_state *state) 5501 { 5502 return selinux_ip_output(skb, PF_INET); 5503 } 5504 5505 #if IS_ENABLED(CONFIG_IPV6) 5506 static unsigned int selinux_ipv6_output(void *priv, 5507 struct sk_buff *skb, 5508 const struct nf_hook_state *state) 5509 { 5510 return selinux_ip_output(skb, PF_INET6); 5511 } 5512 #endif /* IPV6 */ 5513 5514 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5515 int ifindex, 5516 u16 family) 5517 { 5518 struct sock *sk = skb_to_full_sk(skb); 5519 struct sk_security_struct *sksec; 5520 struct common_audit_data ad; 5521 struct lsm_network_audit net = {0,}; 5522 char *addrp; 5523 u8 proto; 5524 5525 if (sk == NULL) 5526 return NF_ACCEPT; 5527 sksec = sk->sk_security; 5528 5529 ad.type = LSM_AUDIT_DATA_NET; 5530 ad.u.net = &net; 5531 ad.u.net->netif = ifindex; 5532 ad.u.net->family = family; 5533 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5534 return NF_DROP; 5535 5536 if (selinux_secmark_enabled()) 5537 if (avc_has_perm(&selinux_state, 5538 sksec->sid, skb->secmark, 5539 SECCLASS_PACKET, PACKET__SEND, &ad)) 5540 return NF_DROP_ERR(-ECONNREFUSED); 5541 5542 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5543 return NF_DROP_ERR(-ECONNREFUSED); 5544 5545 return NF_ACCEPT; 5546 } 5547 5548 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5549 const struct net_device *outdev, 5550 u16 family) 5551 { 5552 u32 secmark_perm; 5553 u32 peer_sid; 5554 int ifindex = outdev->ifindex; 5555 struct sock *sk; 5556 struct common_audit_data ad; 5557 struct lsm_network_audit net = {0,}; 5558 char *addrp; 5559 u8 secmark_active; 5560 u8 peerlbl_active; 5561 5562 /* If any sort of compatibility mode is enabled then handoff processing 5563 * to the selinux_ip_postroute_compat() function to deal with the 5564 * special handling. We do this in an attempt to keep this function 5565 * as fast and as clean as possible. */ 5566 if (!selinux_policycap_netpeer()) 5567 return selinux_ip_postroute_compat(skb, ifindex, family); 5568 5569 secmark_active = selinux_secmark_enabled(); 5570 peerlbl_active = selinux_peerlbl_enabled(); 5571 if (!secmark_active && !peerlbl_active) 5572 return NF_ACCEPT; 5573 5574 sk = skb_to_full_sk(skb); 5575 5576 #ifdef CONFIG_XFRM 5577 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5578 * packet transformation so allow the packet to pass without any checks 5579 * since we'll have another chance to perform access control checks 5580 * when the packet is on it's final way out. 5581 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5582 * is NULL, in this case go ahead and apply access control. 5583 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5584 * TCP listening state we cannot wait until the XFRM processing 5585 * is done as we will miss out on the SA label if we do; 5586 * unfortunately, this means more work, but it is only once per 5587 * connection. */ 5588 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5589 !(sk && sk_listener(sk))) 5590 return NF_ACCEPT; 5591 #endif 5592 5593 if (sk == NULL) { 5594 /* Without an associated socket the packet is either coming 5595 * from the kernel or it is being forwarded; check the packet 5596 * to determine which and if the packet is being forwarded 5597 * query the packet directly to determine the security label. */ 5598 if (skb->skb_iif) { 5599 secmark_perm = PACKET__FORWARD_OUT; 5600 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5601 return NF_DROP; 5602 } else { 5603 secmark_perm = PACKET__SEND; 5604 peer_sid = SECINITSID_KERNEL; 5605 } 5606 } else if (sk_listener(sk)) { 5607 /* Locally generated packet but the associated socket is in the 5608 * listening state which means this is a SYN-ACK packet. In 5609 * this particular case the correct security label is assigned 5610 * to the connection/request_sock but unfortunately we can't 5611 * query the request_sock as it isn't queued on the parent 5612 * socket until after the SYN-ACK packet is sent; the only 5613 * viable choice is to regenerate the label like we do in 5614 * selinux_inet_conn_request(). See also selinux_ip_output() 5615 * for similar problems. */ 5616 u32 skb_sid; 5617 struct sk_security_struct *sksec; 5618 5619 sksec = sk->sk_security; 5620 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5621 return NF_DROP; 5622 /* At this point, if the returned skb peerlbl is SECSID_NULL 5623 * and the packet has been through at least one XFRM 5624 * transformation then we must be dealing with the "final" 5625 * form of labeled IPsec packet; since we've already applied 5626 * all of our access controls on this packet we can safely 5627 * pass the packet. */ 5628 if (skb_sid == SECSID_NULL) { 5629 switch (family) { 5630 case PF_INET: 5631 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5632 return NF_ACCEPT; 5633 break; 5634 case PF_INET6: 5635 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5636 return NF_ACCEPT; 5637 break; 5638 default: 5639 return NF_DROP_ERR(-ECONNREFUSED); 5640 } 5641 } 5642 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5643 return NF_DROP; 5644 secmark_perm = PACKET__SEND; 5645 } else { 5646 /* Locally generated packet, fetch the security label from the 5647 * associated socket. */ 5648 struct sk_security_struct *sksec = sk->sk_security; 5649 peer_sid = sksec->sid; 5650 secmark_perm = PACKET__SEND; 5651 } 5652 5653 ad.type = LSM_AUDIT_DATA_NET; 5654 ad.u.net = &net; 5655 ad.u.net->netif = ifindex; 5656 ad.u.net->family = family; 5657 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5658 return NF_DROP; 5659 5660 if (secmark_active) 5661 if (avc_has_perm(&selinux_state, 5662 peer_sid, skb->secmark, 5663 SECCLASS_PACKET, secmark_perm, &ad)) 5664 return NF_DROP_ERR(-ECONNREFUSED); 5665 5666 if (peerlbl_active) { 5667 u32 if_sid; 5668 u32 node_sid; 5669 5670 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5671 return NF_DROP; 5672 if (avc_has_perm(&selinux_state, 5673 peer_sid, if_sid, 5674 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5675 return NF_DROP_ERR(-ECONNREFUSED); 5676 5677 if (sel_netnode_sid(addrp, family, &node_sid)) 5678 return NF_DROP; 5679 if (avc_has_perm(&selinux_state, 5680 peer_sid, node_sid, 5681 SECCLASS_NODE, NODE__SENDTO, &ad)) 5682 return NF_DROP_ERR(-ECONNREFUSED); 5683 } 5684 5685 return NF_ACCEPT; 5686 } 5687 5688 static unsigned int selinux_ipv4_postroute(void *priv, 5689 struct sk_buff *skb, 5690 const struct nf_hook_state *state) 5691 { 5692 return selinux_ip_postroute(skb, state->out, PF_INET); 5693 } 5694 5695 #if IS_ENABLED(CONFIG_IPV6) 5696 static unsigned int selinux_ipv6_postroute(void *priv, 5697 struct sk_buff *skb, 5698 const struct nf_hook_state *state) 5699 { 5700 return selinux_ip_postroute(skb, state->out, PF_INET6); 5701 } 5702 #endif /* IPV6 */ 5703 5704 #endif /* CONFIG_NETFILTER */ 5705 5706 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5707 { 5708 return selinux_nlmsg_perm(sk, skb); 5709 } 5710 5711 static int ipc_alloc_security(struct kern_ipc_perm *perm, 5712 u16 sclass) 5713 { 5714 struct ipc_security_struct *isec; 5715 5716 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 5717 if (!isec) 5718 return -ENOMEM; 5719 5720 isec->sclass = sclass; 5721 isec->sid = current_sid(); 5722 perm->security = isec; 5723 5724 return 0; 5725 } 5726 5727 static void ipc_free_security(struct kern_ipc_perm *perm) 5728 { 5729 struct ipc_security_struct *isec = perm->security; 5730 perm->security = NULL; 5731 kfree(isec); 5732 } 5733 5734 static int msg_msg_alloc_security(struct msg_msg *msg) 5735 { 5736 struct msg_security_struct *msec; 5737 5738 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 5739 if (!msec) 5740 return -ENOMEM; 5741 5742 msec->sid = SECINITSID_UNLABELED; 5743 msg->security = msec; 5744 5745 return 0; 5746 } 5747 5748 static void msg_msg_free_security(struct msg_msg *msg) 5749 { 5750 struct msg_security_struct *msec = msg->security; 5751 5752 msg->security = NULL; 5753 kfree(msec); 5754 } 5755 5756 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5757 u32 perms) 5758 { 5759 struct ipc_security_struct *isec; 5760 struct common_audit_data ad; 5761 u32 sid = current_sid(); 5762 5763 isec = ipc_perms->security; 5764 5765 ad.type = LSM_AUDIT_DATA_IPC; 5766 ad.u.ipc_id = ipc_perms->key; 5767 5768 return avc_has_perm(&selinux_state, 5769 sid, isec->sid, isec->sclass, perms, &ad); 5770 } 5771 5772 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5773 { 5774 return msg_msg_alloc_security(msg); 5775 } 5776 5777 static void selinux_msg_msg_free_security(struct msg_msg *msg) 5778 { 5779 msg_msg_free_security(msg); 5780 } 5781 5782 /* message queue security operations */ 5783 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 5784 { 5785 struct ipc_security_struct *isec; 5786 struct common_audit_data ad; 5787 u32 sid = current_sid(); 5788 int rc; 5789 5790 rc = ipc_alloc_security(msq, SECCLASS_MSGQ); 5791 if (rc) 5792 return rc; 5793 5794 isec = msq->security; 5795 5796 ad.type = LSM_AUDIT_DATA_IPC; 5797 ad.u.ipc_id = msq->key; 5798 5799 rc = avc_has_perm(&selinux_state, 5800 sid, isec->sid, SECCLASS_MSGQ, 5801 MSGQ__CREATE, &ad); 5802 if (rc) { 5803 ipc_free_security(msq); 5804 return rc; 5805 } 5806 return 0; 5807 } 5808 5809 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq) 5810 { 5811 ipc_free_security(msq); 5812 } 5813 5814 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 5815 { 5816 struct ipc_security_struct *isec; 5817 struct common_audit_data ad; 5818 u32 sid = current_sid(); 5819 5820 isec = msq->security; 5821 5822 ad.type = LSM_AUDIT_DATA_IPC; 5823 ad.u.ipc_id = msq->key; 5824 5825 return avc_has_perm(&selinux_state, 5826 sid, isec->sid, SECCLASS_MSGQ, 5827 MSGQ__ASSOCIATE, &ad); 5828 } 5829 5830 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 5831 { 5832 int err; 5833 int perms; 5834 5835 switch (cmd) { 5836 case IPC_INFO: 5837 case MSG_INFO: 5838 /* No specific object, just general system-wide information. */ 5839 return avc_has_perm(&selinux_state, 5840 current_sid(), SECINITSID_KERNEL, 5841 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5842 case IPC_STAT: 5843 case MSG_STAT: 5844 case MSG_STAT_ANY: 5845 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 5846 break; 5847 case IPC_SET: 5848 perms = MSGQ__SETATTR; 5849 break; 5850 case IPC_RMID: 5851 perms = MSGQ__DESTROY; 5852 break; 5853 default: 5854 return 0; 5855 } 5856 5857 err = ipc_has_perm(msq, perms); 5858 return err; 5859 } 5860 5861 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 5862 { 5863 struct ipc_security_struct *isec; 5864 struct msg_security_struct *msec; 5865 struct common_audit_data ad; 5866 u32 sid = current_sid(); 5867 int rc; 5868 5869 isec = msq->security; 5870 msec = msg->security; 5871 5872 /* 5873 * First time through, need to assign label to the message 5874 */ 5875 if (msec->sid == SECINITSID_UNLABELED) { 5876 /* 5877 * Compute new sid based on current process and 5878 * message queue this message will be stored in 5879 */ 5880 rc = security_transition_sid(&selinux_state, sid, isec->sid, 5881 SECCLASS_MSG, NULL, &msec->sid); 5882 if (rc) 5883 return rc; 5884 } 5885 5886 ad.type = LSM_AUDIT_DATA_IPC; 5887 ad.u.ipc_id = msq->key; 5888 5889 /* Can this process write to the queue? */ 5890 rc = avc_has_perm(&selinux_state, 5891 sid, isec->sid, SECCLASS_MSGQ, 5892 MSGQ__WRITE, &ad); 5893 if (!rc) 5894 /* Can this process send the message */ 5895 rc = avc_has_perm(&selinux_state, 5896 sid, msec->sid, SECCLASS_MSG, 5897 MSG__SEND, &ad); 5898 if (!rc) 5899 /* Can the message be put in the queue? */ 5900 rc = avc_has_perm(&selinux_state, 5901 msec->sid, isec->sid, SECCLASS_MSGQ, 5902 MSGQ__ENQUEUE, &ad); 5903 5904 return rc; 5905 } 5906 5907 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 5908 struct task_struct *target, 5909 long type, int mode) 5910 { 5911 struct ipc_security_struct *isec; 5912 struct msg_security_struct *msec; 5913 struct common_audit_data ad; 5914 u32 sid = task_sid(target); 5915 int rc; 5916 5917 isec = msq->security; 5918 msec = msg->security; 5919 5920 ad.type = LSM_AUDIT_DATA_IPC; 5921 ad.u.ipc_id = msq->key; 5922 5923 rc = avc_has_perm(&selinux_state, 5924 sid, isec->sid, 5925 SECCLASS_MSGQ, MSGQ__READ, &ad); 5926 if (!rc) 5927 rc = avc_has_perm(&selinux_state, 5928 sid, msec->sid, 5929 SECCLASS_MSG, MSG__RECEIVE, &ad); 5930 return rc; 5931 } 5932 5933 /* Shared Memory security operations */ 5934 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 5935 { 5936 struct ipc_security_struct *isec; 5937 struct common_audit_data ad; 5938 u32 sid = current_sid(); 5939 int rc; 5940 5941 rc = ipc_alloc_security(shp, SECCLASS_SHM); 5942 if (rc) 5943 return rc; 5944 5945 isec = shp->security; 5946 5947 ad.type = LSM_AUDIT_DATA_IPC; 5948 ad.u.ipc_id = shp->key; 5949 5950 rc = avc_has_perm(&selinux_state, 5951 sid, isec->sid, SECCLASS_SHM, 5952 SHM__CREATE, &ad); 5953 if (rc) { 5954 ipc_free_security(shp); 5955 return rc; 5956 } 5957 return 0; 5958 } 5959 5960 static void selinux_shm_free_security(struct kern_ipc_perm *shp) 5961 { 5962 ipc_free_security(shp); 5963 } 5964 5965 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 5966 { 5967 struct ipc_security_struct *isec; 5968 struct common_audit_data ad; 5969 u32 sid = current_sid(); 5970 5971 isec = shp->security; 5972 5973 ad.type = LSM_AUDIT_DATA_IPC; 5974 ad.u.ipc_id = shp->key; 5975 5976 return avc_has_perm(&selinux_state, 5977 sid, isec->sid, SECCLASS_SHM, 5978 SHM__ASSOCIATE, &ad); 5979 } 5980 5981 /* Note, at this point, shp is locked down */ 5982 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 5983 { 5984 int perms; 5985 int err; 5986 5987 switch (cmd) { 5988 case IPC_INFO: 5989 case SHM_INFO: 5990 /* No specific object, just general system-wide information. */ 5991 return avc_has_perm(&selinux_state, 5992 current_sid(), SECINITSID_KERNEL, 5993 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5994 case IPC_STAT: 5995 case SHM_STAT: 5996 case SHM_STAT_ANY: 5997 perms = SHM__GETATTR | SHM__ASSOCIATE; 5998 break; 5999 case IPC_SET: 6000 perms = SHM__SETATTR; 6001 break; 6002 case SHM_LOCK: 6003 case SHM_UNLOCK: 6004 perms = SHM__LOCK; 6005 break; 6006 case IPC_RMID: 6007 perms = SHM__DESTROY; 6008 break; 6009 default: 6010 return 0; 6011 } 6012 6013 err = ipc_has_perm(shp, perms); 6014 return err; 6015 } 6016 6017 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6018 char __user *shmaddr, int shmflg) 6019 { 6020 u32 perms; 6021 6022 if (shmflg & SHM_RDONLY) 6023 perms = SHM__READ; 6024 else 6025 perms = SHM__READ | SHM__WRITE; 6026 6027 return ipc_has_perm(shp, perms); 6028 } 6029 6030 /* Semaphore security operations */ 6031 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6032 { 6033 struct ipc_security_struct *isec; 6034 struct common_audit_data ad; 6035 u32 sid = current_sid(); 6036 int rc; 6037 6038 rc = ipc_alloc_security(sma, SECCLASS_SEM); 6039 if (rc) 6040 return rc; 6041 6042 isec = sma->security; 6043 6044 ad.type = LSM_AUDIT_DATA_IPC; 6045 ad.u.ipc_id = sma->key; 6046 6047 rc = avc_has_perm(&selinux_state, 6048 sid, isec->sid, SECCLASS_SEM, 6049 SEM__CREATE, &ad); 6050 if (rc) { 6051 ipc_free_security(sma); 6052 return rc; 6053 } 6054 return 0; 6055 } 6056 6057 static void selinux_sem_free_security(struct kern_ipc_perm *sma) 6058 { 6059 ipc_free_security(sma); 6060 } 6061 6062 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6063 { 6064 struct ipc_security_struct *isec; 6065 struct common_audit_data ad; 6066 u32 sid = current_sid(); 6067 6068 isec = sma->security; 6069 6070 ad.type = LSM_AUDIT_DATA_IPC; 6071 ad.u.ipc_id = sma->key; 6072 6073 return avc_has_perm(&selinux_state, 6074 sid, isec->sid, SECCLASS_SEM, 6075 SEM__ASSOCIATE, &ad); 6076 } 6077 6078 /* Note, at this point, sma is locked down */ 6079 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6080 { 6081 int err; 6082 u32 perms; 6083 6084 switch (cmd) { 6085 case IPC_INFO: 6086 case SEM_INFO: 6087 /* No specific object, just general system-wide information. */ 6088 return avc_has_perm(&selinux_state, 6089 current_sid(), SECINITSID_KERNEL, 6090 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6091 case GETPID: 6092 case GETNCNT: 6093 case GETZCNT: 6094 perms = SEM__GETATTR; 6095 break; 6096 case GETVAL: 6097 case GETALL: 6098 perms = SEM__READ; 6099 break; 6100 case SETVAL: 6101 case SETALL: 6102 perms = SEM__WRITE; 6103 break; 6104 case IPC_RMID: 6105 perms = SEM__DESTROY; 6106 break; 6107 case IPC_SET: 6108 perms = SEM__SETATTR; 6109 break; 6110 case IPC_STAT: 6111 case SEM_STAT: 6112 case SEM_STAT_ANY: 6113 perms = SEM__GETATTR | SEM__ASSOCIATE; 6114 break; 6115 default: 6116 return 0; 6117 } 6118 6119 err = ipc_has_perm(sma, perms); 6120 return err; 6121 } 6122 6123 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6124 struct sembuf *sops, unsigned nsops, int alter) 6125 { 6126 u32 perms; 6127 6128 if (alter) 6129 perms = SEM__READ | SEM__WRITE; 6130 else 6131 perms = SEM__READ; 6132 6133 return ipc_has_perm(sma, perms); 6134 } 6135 6136 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6137 { 6138 u32 av = 0; 6139 6140 av = 0; 6141 if (flag & S_IRUGO) 6142 av |= IPC__UNIX_READ; 6143 if (flag & S_IWUGO) 6144 av |= IPC__UNIX_WRITE; 6145 6146 if (av == 0) 6147 return 0; 6148 6149 return ipc_has_perm(ipcp, av); 6150 } 6151 6152 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 6153 { 6154 struct ipc_security_struct *isec = ipcp->security; 6155 *secid = isec->sid; 6156 } 6157 6158 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6159 { 6160 if (inode) 6161 inode_doinit_with_dentry(inode, dentry); 6162 } 6163 6164 static int selinux_getprocattr(struct task_struct *p, 6165 char *name, char **value) 6166 { 6167 const struct task_security_struct *__tsec; 6168 u32 sid; 6169 int error; 6170 unsigned len; 6171 6172 rcu_read_lock(); 6173 __tsec = __task_cred(p)->security; 6174 6175 if (current != p) { 6176 error = avc_has_perm(&selinux_state, 6177 current_sid(), __tsec->sid, 6178 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6179 if (error) 6180 goto bad; 6181 } 6182 6183 if (!strcmp(name, "current")) 6184 sid = __tsec->sid; 6185 else if (!strcmp(name, "prev")) 6186 sid = __tsec->osid; 6187 else if (!strcmp(name, "exec")) 6188 sid = __tsec->exec_sid; 6189 else if (!strcmp(name, "fscreate")) 6190 sid = __tsec->create_sid; 6191 else if (!strcmp(name, "keycreate")) 6192 sid = __tsec->keycreate_sid; 6193 else if (!strcmp(name, "sockcreate")) 6194 sid = __tsec->sockcreate_sid; 6195 else { 6196 error = -EINVAL; 6197 goto bad; 6198 } 6199 rcu_read_unlock(); 6200 6201 if (!sid) 6202 return 0; 6203 6204 error = security_sid_to_context(&selinux_state, sid, value, &len); 6205 if (error) 6206 return error; 6207 return len; 6208 6209 bad: 6210 rcu_read_unlock(); 6211 return error; 6212 } 6213 6214 static int selinux_setprocattr(const char *name, void *value, size_t size) 6215 { 6216 struct task_security_struct *tsec; 6217 struct cred *new; 6218 u32 mysid = current_sid(), sid = 0, ptsid; 6219 int error; 6220 char *str = value; 6221 6222 /* 6223 * Basic control over ability to set these attributes at all. 6224 */ 6225 if (!strcmp(name, "exec")) 6226 error = avc_has_perm(&selinux_state, 6227 mysid, mysid, SECCLASS_PROCESS, 6228 PROCESS__SETEXEC, NULL); 6229 else if (!strcmp(name, "fscreate")) 6230 error = avc_has_perm(&selinux_state, 6231 mysid, mysid, SECCLASS_PROCESS, 6232 PROCESS__SETFSCREATE, NULL); 6233 else if (!strcmp(name, "keycreate")) 6234 error = avc_has_perm(&selinux_state, 6235 mysid, mysid, SECCLASS_PROCESS, 6236 PROCESS__SETKEYCREATE, NULL); 6237 else if (!strcmp(name, "sockcreate")) 6238 error = avc_has_perm(&selinux_state, 6239 mysid, mysid, SECCLASS_PROCESS, 6240 PROCESS__SETSOCKCREATE, NULL); 6241 else if (!strcmp(name, "current")) 6242 error = avc_has_perm(&selinux_state, 6243 mysid, mysid, SECCLASS_PROCESS, 6244 PROCESS__SETCURRENT, NULL); 6245 else 6246 error = -EINVAL; 6247 if (error) 6248 return error; 6249 6250 /* Obtain a SID for the context, if one was specified. */ 6251 if (size && str[0] && str[0] != '\n') { 6252 if (str[size-1] == '\n') { 6253 str[size-1] = 0; 6254 size--; 6255 } 6256 error = security_context_to_sid(&selinux_state, value, size, 6257 &sid, GFP_KERNEL); 6258 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6259 if (!has_cap_mac_admin(true)) { 6260 struct audit_buffer *ab; 6261 size_t audit_size; 6262 6263 /* We strip a nul only if it is at the end, otherwise the 6264 * context contains a nul and we should audit that */ 6265 if (str[size - 1] == '\0') 6266 audit_size = size - 1; 6267 else 6268 audit_size = size; 6269 ab = audit_log_start(audit_context(), 6270 GFP_ATOMIC, 6271 AUDIT_SELINUX_ERR); 6272 audit_log_format(ab, "op=fscreate invalid_context="); 6273 audit_log_n_untrustedstring(ab, value, audit_size); 6274 audit_log_end(ab); 6275 6276 return error; 6277 } 6278 error = security_context_to_sid_force( 6279 &selinux_state, 6280 value, size, &sid); 6281 } 6282 if (error) 6283 return error; 6284 } 6285 6286 new = prepare_creds(); 6287 if (!new) 6288 return -ENOMEM; 6289 6290 /* Permission checking based on the specified context is 6291 performed during the actual operation (execve, 6292 open/mkdir/...), when we know the full context of the 6293 operation. See selinux_bprm_set_creds for the execve 6294 checks and may_create for the file creation checks. The 6295 operation will then fail if the context is not permitted. */ 6296 tsec = new->security; 6297 if (!strcmp(name, "exec")) { 6298 tsec->exec_sid = sid; 6299 } else if (!strcmp(name, "fscreate")) { 6300 tsec->create_sid = sid; 6301 } else if (!strcmp(name, "keycreate")) { 6302 error = avc_has_perm(&selinux_state, 6303 mysid, sid, SECCLASS_KEY, KEY__CREATE, 6304 NULL); 6305 if (error) 6306 goto abort_change; 6307 tsec->keycreate_sid = sid; 6308 } else if (!strcmp(name, "sockcreate")) { 6309 tsec->sockcreate_sid = sid; 6310 } else if (!strcmp(name, "current")) { 6311 error = -EINVAL; 6312 if (sid == 0) 6313 goto abort_change; 6314 6315 /* Only allow single threaded processes to change context */ 6316 error = -EPERM; 6317 if (!current_is_single_threaded()) { 6318 error = security_bounded_transition(&selinux_state, 6319 tsec->sid, sid); 6320 if (error) 6321 goto abort_change; 6322 } 6323 6324 /* Check permissions for the transition. */ 6325 error = avc_has_perm(&selinux_state, 6326 tsec->sid, sid, SECCLASS_PROCESS, 6327 PROCESS__DYNTRANSITION, NULL); 6328 if (error) 6329 goto abort_change; 6330 6331 /* Check for ptracing, and update the task SID if ok. 6332 Otherwise, leave SID unchanged and fail. */ 6333 ptsid = ptrace_parent_sid(); 6334 if (ptsid != 0) { 6335 error = avc_has_perm(&selinux_state, 6336 ptsid, sid, SECCLASS_PROCESS, 6337 PROCESS__PTRACE, NULL); 6338 if (error) 6339 goto abort_change; 6340 } 6341 6342 tsec->sid = sid; 6343 } else { 6344 error = -EINVAL; 6345 goto abort_change; 6346 } 6347 6348 commit_creds(new); 6349 return size; 6350 6351 abort_change: 6352 abort_creds(new); 6353 return error; 6354 } 6355 6356 static int selinux_ismaclabel(const char *name) 6357 { 6358 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6359 } 6360 6361 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6362 { 6363 return security_sid_to_context(&selinux_state, secid, 6364 secdata, seclen); 6365 } 6366 6367 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6368 { 6369 return security_context_to_sid(&selinux_state, secdata, seclen, 6370 secid, GFP_KERNEL); 6371 } 6372 6373 static void selinux_release_secctx(char *secdata, u32 seclen) 6374 { 6375 kfree(secdata); 6376 } 6377 6378 static void selinux_inode_invalidate_secctx(struct inode *inode) 6379 { 6380 struct inode_security_struct *isec = inode->i_security; 6381 6382 spin_lock(&isec->lock); 6383 isec->initialized = LABEL_INVALID; 6384 spin_unlock(&isec->lock); 6385 } 6386 6387 /* 6388 * called with inode->i_mutex locked 6389 */ 6390 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6391 { 6392 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 6393 } 6394 6395 /* 6396 * called with inode->i_mutex locked 6397 */ 6398 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6399 { 6400 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 6401 } 6402 6403 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6404 { 6405 int len = 0; 6406 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 6407 ctx, true); 6408 if (len < 0) 6409 return len; 6410 *ctxlen = len; 6411 return 0; 6412 } 6413 #ifdef CONFIG_KEYS 6414 6415 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6416 unsigned long flags) 6417 { 6418 const struct task_security_struct *tsec; 6419 struct key_security_struct *ksec; 6420 6421 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6422 if (!ksec) 6423 return -ENOMEM; 6424 6425 tsec = cred->security; 6426 if (tsec->keycreate_sid) 6427 ksec->sid = tsec->keycreate_sid; 6428 else 6429 ksec->sid = tsec->sid; 6430 6431 k->security = ksec; 6432 return 0; 6433 } 6434 6435 static void selinux_key_free(struct key *k) 6436 { 6437 struct key_security_struct *ksec = k->security; 6438 6439 k->security = NULL; 6440 kfree(ksec); 6441 } 6442 6443 static int selinux_key_permission(key_ref_t key_ref, 6444 const struct cred *cred, 6445 unsigned perm) 6446 { 6447 struct key *key; 6448 struct key_security_struct *ksec; 6449 u32 sid; 6450 6451 /* if no specific permissions are requested, we skip the 6452 permission check. No serious, additional covert channels 6453 appear to be created. */ 6454 if (perm == 0) 6455 return 0; 6456 6457 sid = cred_sid(cred); 6458 6459 key = key_ref_to_ptr(key_ref); 6460 ksec = key->security; 6461 6462 return avc_has_perm(&selinux_state, 6463 sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6464 } 6465 6466 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6467 { 6468 struct key_security_struct *ksec = key->security; 6469 char *context = NULL; 6470 unsigned len; 6471 int rc; 6472 6473 rc = security_sid_to_context(&selinux_state, ksec->sid, 6474 &context, &len); 6475 if (!rc) 6476 rc = len; 6477 *_buffer = context; 6478 return rc; 6479 } 6480 #endif 6481 6482 #ifdef CONFIG_SECURITY_INFINIBAND 6483 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6484 { 6485 struct common_audit_data ad; 6486 int err; 6487 u32 sid = 0; 6488 struct ib_security_struct *sec = ib_sec; 6489 struct lsm_ibpkey_audit ibpkey; 6490 6491 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6492 if (err) 6493 return err; 6494 6495 ad.type = LSM_AUDIT_DATA_IBPKEY; 6496 ibpkey.subnet_prefix = subnet_prefix; 6497 ibpkey.pkey = pkey_val; 6498 ad.u.ibpkey = &ibpkey; 6499 return avc_has_perm(&selinux_state, 6500 sec->sid, sid, 6501 SECCLASS_INFINIBAND_PKEY, 6502 INFINIBAND_PKEY__ACCESS, &ad); 6503 } 6504 6505 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6506 u8 port_num) 6507 { 6508 struct common_audit_data ad; 6509 int err; 6510 u32 sid = 0; 6511 struct ib_security_struct *sec = ib_sec; 6512 struct lsm_ibendport_audit ibendport; 6513 6514 err = security_ib_endport_sid(&selinux_state, dev_name, port_num, 6515 &sid); 6516 6517 if (err) 6518 return err; 6519 6520 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6521 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6522 ibendport.port = port_num; 6523 ad.u.ibendport = &ibendport; 6524 return avc_has_perm(&selinux_state, 6525 sec->sid, sid, 6526 SECCLASS_INFINIBAND_ENDPORT, 6527 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6528 } 6529 6530 static int selinux_ib_alloc_security(void **ib_sec) 6531 { 6532 struct ib_security_struct *sec; 6533 6534 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6535 if (!sec) 6536 return -ENOMEM; 6537 sec->sid = current_sid(); 6538 6539 *ib_sec = sec; 6540 return 0; 6541 } 6542 6543 static void selinux_ib_free_security(void *ib_sec) 6544 { 6545 kfree(ib_sec); 6546 } 6547 #endif 6548 6549 #ifdef CONFIG_BPF_SYSCALL 6550 static int selinux_bpf(int cmd, union bpf_attr *attr, 6551 unsigned int size) 6552 { 6553 u32 sid = current_sid(); 6554 int ret; 6555 6556 switch (cmd) { 6557 case BPF_MAP_CREATE: 6558 ret = avc_has_perm(&selinux_state, 6559 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6560 NULL); 6561 break; 6562 case BPF_PROG_LOAD: 6563 ret = avc_has_perm(&selinux_state, 6564 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6565 NULL); 6566 break; 6567 default: 6568 ret = 0; 6569 break; 6570 } 6571 6572 return ret; 6573 } 6574 6575 static u32 bpf_map_fmode_to_av(fmode_t fmode) 6576 { 6577 u32 av = 0; 6578 6579 if (fmode & FMODE_READ) 6580 av |= BPF__MAP_READ; 6581 if (fmode & FMODE_WRITE) 6582 av |= BPF__MAP_WRITE; 6583 return av; 6584 } 6585 6586 /* This function will check the file pass through unix socket or binder to see 6587 * if it is a bpf related object. And apply correspinding checks on the bpf 6588 * object based on the type. The bpf maps and programs, not like other files and 6589 * socket, are using a shared anonymous inode inside the kernel as their inode. 6590 * So checking that inode cannot identify if the process have privilege to 6591 * access the bpf object and that's why we have to add this additional check in 6592 * selinux_file_receive and selinux_binder_transfer_files. 6593 */ 6594 static int bpf_fd_pass(struct file *file, u32 sid) 6595 { 6596 struct bpf_security_struct *bpfsec; 6597 struct bpf_prog *prog; 6598 struct bpf_map *map; 6599 int ret; 6600 6601 if (file->f_op == &bpf_map_fops) { 6602 map = file->private_data; 6603 bpfsec = map->security; 6604 ret = avc_has_perm(&selinux_state, 6605 sid, bpfsec->sid, SECCLASS_BPF, 6606 bpf_map_fmode_to_av(file->f_mode), NULL); 6607 if (ret) 6608 return ret; 6609 } else if (file->f_op == &bpf_prog_fops) { 6610 prog = file->private_data; 6611 bpfsec = prog->aux->security; 6612 ret = avc_has_perm(&selinux_state, 6613 sid, bpfsec->sid, SECCLASS_BPF, 6614 BPF__PROG_RUN, NULL); 6615 if (ret) 6616 return ret; 6617 } 6618 return 0; 6619 } 6620 6621 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 6622 { 6623 u32 sid = current_sid(); 6624 struct bpf_security_struct *bpfsec; 6625 6626 bpfsec = map->security; 6627 return avc_has_perm(&selinux_state, 6628 sid, bpfsec->sid, SECCLASS_BPF, 6629 bpf_map_fmode_to_av(fmode), NULL); 6630 } 6631 6632 static int selinux_bpf_prog(struct bpf_prog *prog) 6633 { 6634 u32 sid = current_sid(); 6635 struct bpf_security_struct *bpfsec; 6636 6637 bpfsec = prog->aux->security; 6638 return avc_has_perm(&selinux_state, 6639 sid, bpfsec->sid, SECCLASS_BPF, 6640 BPF__PROG_RUN, NULL); 6641 } 6642 6643 static int selinux_bpf_map_alloc(struct bpf_map *map) 6644 { 6645 struct bpf_security_struct *bpfsec; 6646 6647 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6648 if (!bpfsec) 6649 return -ENOMEM; 6650 6651 bpfsec->sid = current_sid(); 6652 map->security = bpfsec; 6653 6654 return 0; 6655 } 6656 6657 static void selinux_bpf_map_free(struct bpf_map *map) 6658 { 6659 struct bpf_security_struct *bpfsec = map->security; 6660 6661 map->security = NULL; 6662 kfree(bpfsec); 6663 } 6664 6665 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux) 6666 { 6667 struct bpf_security_struct *bpfsec; 6668 6669 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6670 if (!bpfsec) 6671 return -ENOMEM; 6672 6673 bpfsec->sid = current_sid(); 6674 aux->security = bpfsec; 6675 6676 return 0; 6677 } 6678 6679 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) 6680 { 6681 struct bpf_security_struct *bpfsec = aux->security; 6682 6683 aux->security = NULL; 6684 kfree(bpfsec); 6685 } 6686 #endif 6687 6688 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 6689 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6690 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6691 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6692 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6693 6694 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 6695 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 6696 LSM_HOOK_INIT(capget, selinux_capget), 6697 LSM_HOOK_INIT(capset, selinux_capset), 6698 LSM_HOOK_INIT(capable, selinux_capable), 6699 LSM_HOOK_INIT(quotactl, selinux_quotactl), 6700 LSM_HOOK_INIT(quota_on, selinux_quota_on), 6701 LSM_HOOK_INIT(syslog, selinux_syslog), 6702 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6703 6704 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6705 6706 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6707 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6708 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6709 6710 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6711 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6712 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 6713 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), 6714 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6715 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6716 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6717 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 6718 LSM_HOOK_INIT(sb_mount, selinux_mount), 6719 LSM_HOOK_INIT(sb_umount, selinux_umount), 6720 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 6721 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 6722 LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt), 6723 6724 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 6725 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 6726 6727 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 6728 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 6729 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 6730 LSM_HOOK_INIT(inode_create, selinux_inode_create), 6731 LSM_HOOK_INIT(inode_link, selinux_inode_link), 6732 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 6733 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 6734 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 6735 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 6736 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 6737 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 6738 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 6739 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 6740 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 6741 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 6742 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 6743 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 6744 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 6745 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 6746 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 6747 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 6748 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 6749 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 6750 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 6751 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 6752 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 6753 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 6754 6755 LSM_HOOK_INIT(file_permission, selinux_file_permission), 6756 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 6757 LSM_HOOK_INIT(file_free_security, selinux_file_free_security), 6758 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 6759 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 6760 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 6761 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 6762 LSM_HOOK_INIT(file_lock, selinux_file_lock), 6763 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 6764 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 6765 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 6766 LSM_HOOK_INIT(file_receive, selinux_file_receive), 6767 6768 LSM_HOOK_INIT(file_open, selinux_file_open), 6769 6770 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 6771 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), 6772 LSM_HOOK_INIT(cred_free, selinux_cred_free), 6773 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6774 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6775 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 6776 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6777 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6778 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6779 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 6780 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 6781 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 6782 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 6783 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 6784 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), 6785 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 6786 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 6787 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 6788 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 6789 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 6790 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 6791 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 6792 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 6793 LSM_HOOK_INIT(task_kill, selinux_task_kill), 6794 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 6795 6796 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 6797 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 6798 6799 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 6800 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security), 6801 6802 LSM_HOOK_INIT(msg_queue_alloc_security, 6803 selinux_msg_queue_alloc_security), 6804 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security), 6805 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 6806 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 6807 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 6808 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 6809 6810 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 6811 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security), 6812 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 6813 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 6814 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 6815 6816 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 6817 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security), 6818 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 6819 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 6820 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 6821 6822 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 6823 6824 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 6825 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 6826 6827 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 6828 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 6829 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 6830 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 6831 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 6832 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 6833 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 6834 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 6835 6836 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 6837 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 6838 6839 LSM_HOOK_INIT(socket_create, selinux_socket_create), 6840 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 6841 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), 6842 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 6843 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 6844 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 6845 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 6846 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 6847 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 6848 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 6849 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 6850 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 6851 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 6852 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 6853 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 6854 LSM_HOOK_INIT(socket_getpeersec_stream, 6855 selinux_socket_getpeersec_stream), 6856 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 6857 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 6858 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 6859 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 6860 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 6861 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 6862 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 6863 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 6864 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 6865 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 6866 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 6867 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 6868 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 6869 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 6870 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 6871 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 6872 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 6873 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 6874 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 6875 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 6876 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 6877 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 6878 #ifdef CONFIG_SECURITY_INFINIBAND 6879 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 6880 LSM_HOOK_INIT(ib_endport_manage_subnet, 6881 selinux_ib_endport_manage_subnet), 6882 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 6883 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 6884 #endif 6885 #ifdef CONFIG_SECURITY_NETWORK_XFRM 6886 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 6887 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 6888 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 6889 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 6890 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 6891 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 6892 selinux_xfrm_state_alloc_acquire), 6893 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 6894 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 6895 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 6896 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 6897 selinux_xfrm_state_pol_flow_match), 6898 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 6899 #endif 6900 6901 #ifdef CONFIG_KEYS 6902 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 6903 LSM_HOOK_INIT(key_free, selinux_key_free), 6904 LSM_HOOK_INIT(key_permission, selinux_key_permission), 6905 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 6906 #endif 6907 6908 #ifdef CONFIG_AUDIT 6909 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 6910 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 6911 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 6912 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 6913 #endif 6914 6915 #ifdef CONFIG_BPF_SYSCALL 6916 LSM_HOOK_INIT(bpf, selinux_bpf), 6917 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 6918 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 6919 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), 6920 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), 6921 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free), 6922 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free), 6923 #endif 6924 }; 6925 6926 static __init int selinux_init(void) 6927 { 6928 pr_info("SELinux: Initializing.\n"); 6929 6930 memset(&selinux_state, 0, sizeof(selinux_state)); 6931 enforcing_set(&selinux_state, selinux_enforcing_boot); 6932 selinux_state.checkreqprot = selinux_checkreqprot_boot; 6933 selinux_ss_init(&selinux_state.ss); 6934 selinux_avc_init(&selinux_state.avc); 6935 6936 /* Set the security state for the initial task. */ 6937 cred_init_security(); 6938 6939 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 6940 6941 sel_inode_cache = kmem_cache_create("selinux_inode_security", 6942 sizeof(struct inode_security_struct), 6943 0, SLAB_PANIC, NULL); 6944 file_security_cache = kmem_cache_create("selinux_file_security", 6945 sizeof(struct file_security_struct), 6946 0, SLAB_PANIC, NULL); 6947 avc_init(); 6948 6949 avtab_cache_init(); 6950 6951 ebitmap_cache_init(); 6952 6953 hashtab_cache_init(); 6954 6955 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 6956 6957 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 6958 panic("SELinux: Unable to register AVC netcache callback\n"); 6959 6960 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 6961 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 6962 6963 if (selinux_enforcing_boot) 6964 pr_debug("SELinux: Starting in enforcing mode\n"); 6965 else 6966 pr_debug("SELinux: Starting in permissive mode\n"); 6967 6968 return 0; 6969 } 6970 6971 static void delayed_superblock_init(struct super_block *sb, void *unused) 6972 { 6973 selinux_set_mnt_opts(sb, NULL, 0, NULL); 6974 } 6975 6976 void selinux_complete_init(void) 6977 { 6978 pr_debug("SELinux: Completing initialization.\n"); 6979 6980 /* Set up any superblocks initialized prior to the policy load. */ 6981 pr_debug("SELinux: Setting up existing superblocks.\n"); 6982 iterate_supers(delayed_superblock_init, NULL); 6983 } 6984 6985 /* SELinux requires early initialization in order to label 6986 all processes and objects when they are created. */ 6987 DEFINE_LSM(selinux) = { 6988 .name = "selinux", 6989 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 6990 .enabled = &selinux_enabled, 6991 .init = selinux_init, 6992 }; 6993 6994 #if defined(CONFIG_NETFILTER) 6995 6996 static const struct nf_hook_ops selinux_nf_ops[] = { 6997 { 6998 .hook = selinux_ipv4_postroute, 6999 .pf = NFPROTO_IPV4, 7000 .hooknum = NF_INET_POST_ROUTING, 7001 .priority = NF_IP_PRI_SELINUX_LAST, 7002 }, 7003 { 7004 .hook = selinux_ipv4_forward, 7005 .pf = NFPROTO_IPV4, 7006 .hooknum = NF_INET_FORWARD, 7007 .priority = NF_IP_PRI_SELINUX_FIRST, 7008 }, 7009 { 7010 .hook = selinux_ipv4_output, 7011 .pf = NFPROTO_IPV4, 7012 .hooknum = NF_INET_LOCAL_OUT, 7013 .priority = NF_IP_PRI_SELINUX_FIRST, 7014 }, 7015 #if IS_ENABLED(CONFIG_IPV6) 7016 { 7017 .hook = selinux_ipv6_postroute, 7018 .pf = NFPROTO_IPV6, 7019 .hooknum = NF_INET_POST_ROUTING, 7020 .priority = NF_IP6_PRI_SELINUX_LAST, 7021 }, 7022 { 7023 .hook = selinux_ipv6_forward, 7024 .pf = NFPROTO_IPV6, 7025 .hooknum = NF_INET_FORWARD, 7026 .priority = NF_IP6_PRI_SELINUX_FIRST, 7027 }, 7028 { 7029 .hook = selinux_ipv6_output, 7030 .pf = NFPROTO_IPV6, 7031 .hooknum = NF_INET_LOCAL_OUT, 7032 .priority = NF_IP6_PRI_SELINUX_FIRST, 7033 }, 7034 #endif /* IPV6 */ 7035 }; 7036 7037 static int __net_init selinux_nf_register(struct net *net) 7038 { 7039 return nf_register_net_hooks(net, selinux_nf_ops, 7040 ARRAY_SIZE(selinux_nf_ops)); 7041 } 7042 7043 static void __net_exit selinux_nf_unregister(struct net *net) 7044 { 7045 nf_unregister_net_hooks(net, selinux_nf_ops, 7046 ARRAY_SIZE(selinux_nf_ops)); 7047 } 7048 7049 static struct pernet_operations selinux_net_ops = { 7050 .init = selinux_nf_register, 7051 .exit = selinux_nf_unregister, 7052 }; 7053 7054 static int __init selinux_nf_ip_init(void) 7055 { 7056 int err; 7057 7058 if (!selinux_enabled) 7059 return 0; 7060 7061 pr_debug("SELinux: Registering netfilter hooks\n"); 7062 7063 err = register_pernet_subsys(&selinux_net_ops); 7064 if (err) 7065 panic("SELinux: register_pernet_subsys: error %d\n", err); 7066 7067 return 0; 7068 } 7069 __initcall(selinux_nf_ip_init); 7070 7071 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7072 static void selinux_nf_ip_exit(void) 7073 { 7074 pr_debug("SELinux: Unregistering netfilter hooks\n"); 7075 7076 unregister_pernet_subsys(&selinux_net_ops); 7077 } 7078 #endif 7079 7080 #else /* CONFIG_NETFILTER */ 7081 7082 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7083 #define selinux_nf_ip_exit() 7084 #endif 7085 7086 #endif /* CONFIG_NETFILTER */ 7087 7088 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7089 int selinux_disable(struct selinux_state *state) 7090 { 7091 if (state->initialized) { 7092 /* Not permitted after initial policy load. */ 7093 return -EINVAL; 7094 } 7095 7096 if (state->disabled) { 7097 /* Only do this once. */ 7098 return -EINVAL; 7099 } 7100 7101 state->disabled = 1; 7102 7103 pr_info("SELinux: Disabled at runtime.\n"); 7104 7105 selinux_enabled = 0; 7106 7107 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7108 7109 /* Try to destroy the avc node cache */ 7110 avc_disable(); 7111 7112 /* Unregister netfilter hooks. */ 7113 selinux_nf_ip_exit(); 7114 7115 /* Unregister selinuxfs. */ 7116 exit_sel_fs(); 7117 7118 return 0; 7119 } 7120 #endif 7121