1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * Copyright (C) 2016 Mellanox Technologies 21 * 22 * This program is free software; you can redistribute it and/or modify 23 * it under the terms of the GNU General Public License version 2, 24 * as published by the Free Software Foundation. 25 */ 26 27 #include <linux/init.h> 28 #include <linux/kd.h> 29 #include <linux/kernel.h> 30 #include <linux/tracehook.h> 31 #include <linux/errno.h> 32 #include <linux/sched/signal.h> 33 #include <linux/sched/task.h> 34 #include <linux/lsm_hooks.h> 35 #include <linux/xattr.h> 36 #include <linux/capability.h> 37 #include <linux/unistd.h> 38 #include <linux/mm.h> 39 #include <linux/mman.h> 40 #include <linux/slab.h> 41 #include <linux/pagemap.h> 42 #include <linux/proc_fs.h> 43 #include <linux/swap.h> 44 #include <linux/spinlock.h> 45 #include <linux/syscalls.h> 46 #include <linux/dcache.h> 47 #include <linux/file.h> 48 #include <linux/fdtable.h> 49 #include <linux/namei.h> 50 #include <linux/mount.h> 51 #include <linux/netfilter_ipv4.h> 52 #include <linux/netfilter_ipv6.h> 53 #include <linux/tty.h> 54 #include <net/icmp.h> 55 #include <net/ip.h> /* for local_port_range[] */ 56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 57 #include <net/inet_connection_sock.h> 58 #include <net/net_namespace.h> 59 #include <net/netlabel.h> 60 #include <linux/uaccess.h> 61 #include <asm/ioctls.h> 62 #include <linux/atomic.h> 63 #include <linux/bitops.h> 64 #include <linux/interrupt.h> 65 #include <linux/netdevice.h> /* for network interface checks */ 66 #include <net/netlink.h> 67 #include <linux/tcp.h> 68 #include <linux/udp.h> 69 #include <linux/dccp.h> 70 #include <linux/sctp.h> 71 #include <net/sctp/structs.h> 72 #include <linux/quota.h> 73 #include <linux/un.h> /* for Unix socket types */ 74 #include <net/af_unix.h> /* for Unix socket types */ 75 #include <linux/parser.h> 76 #include <linux/nfs_mount.h> 77 #include <net/ipv6.h> 78 #include <linux/hugetlb.h> 79 #include <linux/personality.h> 80 #include <linux/audit.h> 81 #include <linux/string.h> 82 #include <linux/selinux.h> 83 #include <linux/mutex.h> 84 #include <linux/posix-timers.h> 85 #include <linux/syslog.h> 86 #include <linux/user_namespace.h> 87 #include <linux/export.h> 88 #include <linux/msg.h> 89 #include <linux/shm.h> 90 #include <linux/bpf.h> 91 92 #include "avc.h" 93 #include "objsec.h" 94 #include "netif.h" 95 #include "netnode.h" 96 #include "netport.h" 97 #include "ibpkey.h" 98 #include "xfrm.h" 99 #include "netlabel.h" 100 #include "audit.h" 101 #include "avc_ss.h" 102 103 struct selinux_state selinux_state; 104 105 /* SECMARK reference count */ 106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 107 108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 109 static int selinux_enforcing_boot; 110 111 static int __init enforcing_setup(char *str) 112 { 113 unsigned long enforcing; 114 if (!kstrtoul(str, 0, &enforcing)) 115 selinux_enforcing_boot = enforcing ? 1 : 0; 116 return 1; 117 } 118 __setup("enforcing=", enforcing_setup); 119 #else 120 #define selinux_enforcing_boot 1 121 #endif 122 123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 125 126 static int __init selinux_enabled_setup(char *str) 127 { 128 unsigned long enabled; 129 if (!kstrtoul(str, 0, &enabled)) 130 selinux_enabled = enabled ? 1 : 0; 131 return 1; 132 } 133 __setup("selinux=", selinux_enabled_setup); 134 #else 135 int selinux_enabled = 1; 136 #endif 137 138 static unsigned int selinux_checkreqprot_boot = 139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 140 141 static int __init checkreqprot_setup(char *str) 142 { 143 unsigned long checkreqprot; 144 145 if (!kstrtoul(str, 0, &checkreqprot)) 146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0; 147 return 1; 148 } 149 __setup("checkreqprot=", checkreqprot_setup); 150 151 static struct kmem_cache *sel_inode_cache; 152 static struct kmem_cache *file_security_cache; 153 154 /** 155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 156 * 157 * Description: 158 * This function checks the SECMARK reference counter to see if any SECMARK 159 * targets are currently configured, if the reference counter is greater than 160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 161 * enabled, false (0) if SECMARK is disabled. If the always_check_network 162 * policy capability is enabled, SECMARK is always considered enabled. 163 * 164 */ 165 static int selinux_secmark_enabled(void) 166 { 167 return (selinux_policycap_alwaysnetwork() || 168 atomic_read(&selinux_secmark_refcount)); 169 } 170 171 /** 172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 173 * 174 * Description: 175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 176 * (1) if any are enabled or false (0) if neither are enabled. If the 177 * always_check_network policy capability is enabled, peer labeling 178 * is always considered enabled. 179 * 180 */ 181 static int selinux_peerlbl_enabled(void) 182 { 183 return (selinux_policycap_alwaysnetwork() || 184 netlbl_enabled() || selinux_xfrm_enabled()); 185 } 186 187 static int selinux_netcache_avc_callback(u32 event) 188 { 189 if (event == AVC_CALLBACK_RESET) { 190 sel_netif_flush(); 191 sel_netnode_flush(); 192 sel_netport_flush(); 193 synchronize_net(); 194 } 195 return 0; 196 } 197 198 static int selinux_lsm_notifier_avc_callback(u32 event) 199 { 200 if (event == AVC_CALLBACK_RESET) { 201 sel_ib_pkey_flush(); 202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL); 203 } 204 205 return 0; 206 } 207 208 /* 209 * initialise the security for the init task 210 */ 211 static void cred_init_security(void) 212 { 213 struct cred *cred = (struct cred *) current->real_cred; 214 struct task_security_struct *tsec; 215 216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 217 if (!tsec) 218 panic("SELinux: Failed to initialize initial task.\n"); 219 220 tsec->osid = tsec->sid = SECINITSID_KERNEL; 221 cred->security = tsec; 222 } 223 224 /* 225 * get the security ID of a set of credentials 226 */ 227 static inline u32 cred_sid(const struct cred *cred) 228 { 229 const struct task_security_struct *tsec; 230 231 tsec = cred->security; 232 return tsec->sid; 233 } 234 235 /* 236 * get the objective security ID of a task 237 */ 238 static inline u32 task_sid(const struct task_struct *task) 239 { 240 u32 sid; 241 242 rcu_read_lock(); 243 sid = cred_sid(__task_cred(task)); 244 rcu_read_unlock(); 245 return sid; 246 } 247 248 /* Allocate and free functions for each kind of security blob. */ 249 250 static int inode_alloc_security(struct inode *inode) 251 { 252 struct inode_security_struct *isec; 253 u32 sid = current_sid(); 254 255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 256 if (!isec) 257 return -ENOMEM; 258 259 spin_lock_init(&isec->lock); 260 INIT_LIST_HEAD(&isec->list); 261 isec->inode = inode; 262 isec->sid = SECINITSID_UNLABELED; 263 isec->sclass = SECCLASS_FILE; 264 isec->task_sid = sid; 265 isec->initialized = LABEL_INVALID; 266 inode->i_security = isec; 267 268 return 0; 269 } 270 271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 272 273 /* 274 * Try reloading inode security labels that have been marked as invalid. The 275 * @may_sleep parameter indicates when sleeping and thus reloading labels is 276 * allowed; when set to false, returns -ECHILD when the label is 277 * invalid. The @dentry parameter should be set to a dentry of the inode. 278 */ 279 static int __inode_security_revalidate(struct inode *inode, 280 struct dentry *dentry, 281 bool may_sleep) 282 { 283 struct inode_security_struct *isec = inode->i_security; 284 285 might_sleep_if(may_sleep); 286 287 if (selinux_state.initialized && 288 isec->initialized != LABEL_INITIALIZED) { 289 if (!may_sleep) 290 return -ECHILD; 291 292 /* 293 * Try reloading the inode security label. This will fail if 294 * @opt_dentry is NULL and no dentry for this inode can be 295 * found; in that case, continue using the old label. 296 */ 297 inode_doinit_with_dentry(inode, dentry); 298 } 299 return 0; 300 } 301 302 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 303 { 304 return inode->i_security; 305 } 306 307 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 308 { 309 int error; 310 311 error = __inode_security_revalidate(inode, NULL, !rcu); 312 if (error) 313 return ERR_PTR(error); 314 return inode->i_security; 315 } 316 317 /* 318 * Get the security label of an inode. 319 */ 320 static struct inode_security_struct *inode_security(struct inode *inode) 321 { 322 __inode_security_revalidate(inode, NULL, true); 323 return inode->i_security; 324 } 325 326 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 327 { 328 struct inode *inode = d_backing_inode(dentry); 329 330 return inode->i_security; 331 } 332 333 /* 334 * Get the security label of a dentry's backing inode. 335 */ 336 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 337 { 338 struct inode *inode = d_backing_inode(dentry); 339 340 __inode_security_revalidate(inode, dentry, true); 341 return inode->i_security; 342 } 343 344 static void inode_free_rcu(struct rcu_head *head) 345 { 346 struct inode_security_struct *isec; 347 348 isec = container_of(head, struct inode_security_struct, rcu); 349 kmem_cache_free(sel_inode_cache, isec); 350 } 351 352 static void inode_free_security(struct inode *inode) 353 { 354 struct inode_security_struct *isec = inode->i_security; 355 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 356 357 /* 358 * As not all inode security structures are in a list, we check for 359 * empty list outside of the lock to make sure that we won't waste 360 * time taking a lock doing nothing. 361 * 362 * The list_del_init() function can be safely called more than once. 363 * It should not be possible for this function to be called with 364 * concurrent list_add(), but for better safety against future changes 365 * in the code, we use list_empty_careful() here. 366 */ 367 if (!list_empty_careful(&isec->list)) { 368 spin_lock(&sbsec->isec_lock); 369 list_del_init(&isec->list); 370 spin_unlock(&sbsec->isec_lock); 371 } 372 373 /* 374 * The inode may still be referenced in a path walk and 375 * a call to selinux_inode_permission() can be made 376 * after inode_free_security() is called. Ideally, the VFS 377 * wouldn't do this, but fixing that is a much harder 378 * job. For now, simply free the i_security via RCU, and 379 * leave the current inode->i_security pointer intact. 380 * The inode will be freed after the RCU grace period too. 381 */ 382 call_rcu(&isec->rcu, inode_free_rcu); 383 } 384 385 static int file_alloc_security(struct file *file) 386 { 387 struct file_security_struct *fsec; 388 u32 sid = current_sid(); 389 390 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); 391 if (!fsec) 392 return -ENOMEM; 393 394 fsec->sid = sid; 395 fsec->fown_sid = sid; 396 file->f_security = fsec; 397 398 return 0; 399 } 400 401 static void file_free_security(struct file *file) 402 { 403 struct file_security_struct *fsec = file->f_security; 404 file->f_security = NULL; 405 kmem_cache_free(file_security_cache, fsec); 406 } 407 408 static int superblock_alloc_security(struct super_block *sb) 409 { 410 struct superblock_security_struct *sbsec; 411 412 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 413 if (!sbsec) 414 return -ENOMEM; 415 416 mutex_init(&sbsec->lock); 417 INIT_LIST_HEAD(&sbsec->isec_head); 418 spin_lock_init(&sbsec->isec_lock); 419 sbsec->sb = sb; 420 sbsec->sid = SECINITSID_UNLABELED; 421 sbsec->def_sid = SECINITSID_FILE; 422 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 423 sb->s_security = sbsec; 424 425 return 0; 426 } 427 428 static void superblock_free_security(struct super_block *sb) 429 { 430 struct superblock_security_struct *sbsec = sb->s_security; 431 sb->s_security = NULL; 432 kfree(sbsec); 433 } 434 435 static inline int inode_doinit(struct inode *inode) 436 { 437 return inode_doinit_with_dentry(inode, NULL); 438 } 439 440 enum { 441 Opt_error = -1, 442 Opt_context = 1, 443 Opt_fscontext = 2, 444 Opt_defcontext = 3, 445 Opt_rootcontext = 4, 446 Opt_labelsupport = 5, 447 Opt_nextmntopt = 6, 448 }; 449 450 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1) 451 452 static const match_table_t tokens = { 453 {Opt_context, CONTEXT_STR "%s"}, 454 {Opt_fscontext, FSCONTEXT_STR "%s"}, 455 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 456 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 457 {Opt_labelsupport, LABELSUPP_STR}, 458 {Opt_error, NULL}, 459 }; 460 461 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 462 463 static int may_context_mount_sb_relabel(u32 sid, 464 struct superblock_security_struct *sbsec, 465 const struct cred *cred) 466 { 467 const struct task_security_struct *tsec = cred->security; 468 int rc; 469 470 rc = avc_has_perm(&selinux_state, 471 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 472 FILESYSTEM__RELABELFROM, NULL); 473 if (rc) 474 return rc; 475 476 rc = avc_has_perm(&selinux_state, 477 tsec->sid, sid, SECCLASS_FILESYSTEM, 478 FILESYSTEM__RELABELTO, NULL); 479 return rc; 480 } 481 482 static int may_context_mount_inode_relabel(u32 sid, 483 struct superblock_security_struct *sbsec, 484 const struct cred *cred) 485 { 486 const struct task_security_struct *tsec = cred->security; 487 int rc; 488 rc = avc_has_perm(&selinux_state, 489 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 490 FILESYSTEM__RELABELFROM, NULL); 491 if (rc) 492 return rc; 493 494 rc = avc_has_perm(&selinux_state, 495 sid, sbsec->sid, SECCLASS_FILESYSTEM, 496 FILESYSTEM__ASSOCIATE, NULL); 497 return rc; 498 } 499 500 static int selinux_is_sblabel_mnt(struct super_block *sb) 501 { 502 struct superblock_security_struct *sbsec = sb->s_security; 503 504 return sbsec->behavior == SECURITY_FS_USE_XATTR || 505 sbsec->behavior == SECURITY_FS_USE_TRANS || 506 sbsec->behavior == SECURITY_FS_USE_TASK || 507 sbsec->behavior == SECURITY_FS_USE_NATIVE || 508 /* Special handling. Genfs but also in-core setxattr handler */ 509 !strcmp(sb->s_type->name, "sysfs") || 510 !strcmp(sb->s_type->name, "pstore") || 511 !strcmp(sb->s_type->name, "debugfs") || 512 !strcmp(sb->s_type->name, "tracefs") || 513 !strcmp(sb->s_type->name, "rootfs") || 514 (selinux_policycap_cgroupseclabel() && 515 (!strcmp(sb->s_type->name, "cgroup") || 516 !strcmp(sb->s_type->name, "cgroup2"))); 517 } 518 519 static int sb_finish_set_opts(struct super_block *sb) 520 { 521 struct superblock_security_struct *sbsec = sb->s_security; 522 struct dentry *root = sb->s_root; 523 struct inode *root_inode = d_backing_inode(root); 524 int rc = 0; 525 526 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 527 /* Make sure that the xattr handler exists and that no 528 error other than -ENODATA is returned by getxattr on 529 the root directory. -ENODATA is ok, as this may be 530 the first boot of the SELinux kernel before we have 531 assigned xattr values to the filesystem. */ 532 if (!(root_inode->i_opflags & IOP_XATTR)) { 533 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 534 "xattr support\n", sb->s_id, sb->s_type->name); 535 rc = -EOPNOTSUPP; 536 goto out; 537 } 538 539 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 540 if (rc < 0 && rc != -ENODATA) { 541 if (rc == -EOPNOTSUPP) 542 printk(KERN_WARNING "SELinux: (dev %s, type " 543 "%s) has no security xattr handler\n", 544 sb->s_id, sb->s_type->name); 545 else 546 printk(KERN_WARNING "SELinux: (dev %s, type " 547 "%s) getxattr errno %d\n", sb->s_id, 548 sb->s_type->name, -rc); 549 goto out; 550 } 551 } 552 553 sbsec->flags |= SE_SBINITIALIZED; 554 555 /* 556 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 557 * leave the flag untouched because sb_clone_mnt_opts might be handing 558 * us a superblock that needs the flag to be cleared. 559 */ 560 if (selinux_is_sblabel_mnt(sb)) 561 sbsec->flags |= SBLABEL_MNT; 562 else 563 sbsec->flags &= ~SBLABEL_MNT; 564 565 /* Initialize the root inode. */ 566 rc = inode_doinit_with_dentry(root_inode, root); 567 568 /* Initialize any other inodes associated with the superblock, e.g. 569 inodes created prior to initial policy load or inodes created 570 during get_sb by a pseudo filesystem that directly 571 populates itself. */ 572 spin_lock(&sbsec->isec_lock); 573 next_inode: 574 if (!list_empty(&sbsec->isec_head)) { 575 struct inode_security_struct *isec = 576 list_entry(sbsec->isec_head.next, 577 struct inode_security_struct, list); 578 struct inode *inode = isec->inode; 579 list_del_init(&isec->list); 580 spin_unlock(&sbsec->isec_lock); 581 inode = igrab(inode); 582 if (inode) { 583 if (!IS_PRIVATE(inode)) 584 inode_doinit(inode); 585 iput(inode); 586 } 587 spin_lock(&sbsec->isec_lock); 588 goto next_inode; 589 } 590 spin_unlock(&sbsec->isec_lock); 591 out: 592 return rc; 593 } 594 595 /* 596 * This function should allow an FS to ask what it's mount security 597 * options were so it can use those later for submounts, displaying 598 * mount options, or whatever. 599 */ 600 static int selinux_get_mnt_opts(const struct super_block *sb, 601 struct security_mnt_opts *opts) 602 { 603 int rc = 0, i; 604 struct superblock_security_struct *sbsec = sb->s_security; 605 char *context = NULL; 606 u32 len; 607 char tmp; 608 609 security_init_mnt_opts(opts); 610 611 if (!(sbsec->flags & SE_SBINITIALIZED)) 612 return -EINVAL; 613 614 if (!selinux_state.initialized) 615 return -EINVAL; 616 617 /* make sure we always check enough bits to cover the mask */ 618 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS)); 619 620 tmp = sbsec->flags & SE_MNTMASK; 621 /* count the number of mount options for this sb */ 622 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) { 623 if (tmp & 0x01) 624 opts->num_mnt_opts++; 625 tmp >>= 1; 626 } 627 /* Check if the Label support flag is set */ 628 if (sbsec->flags & SBLABEL_MNT) 629 opts->num_mnt_opts++; 630 631 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 632 if (!opts->mnt_opts) { 633 rc = -ENOMEM; 634 goto out_free; 635 } 636 637 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 638 if (!opts->mnt_opts_flags) { 639 rc = -ENOMEM; 640 goto out_free; 641 } 642 643 i = 0; 644 if (sbsec->flags & FSCONTEXT_MNT) { 645 rc = security_sid_to_context(&selinux_state, sbsec->sid, 646 &context, &len); 647 if (rc) 648 goto out_free; 649 opts->mnt_opts[i] = context; 650 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 651 } 652 if (sbsec->flags & CONTEXT_MNT) { 653 rc = security_sid_to_context(&selinux_state, 654 sbsec->mntpoint_sid, 655 &context, &len); 656 if (rc) 657 goto out_free; 658 opts->mnt_opts[i] = context; 659 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 660 } 661 if (sbsec->flags & DEFCONTEXT_MNT) { 662 rc = security_sid_to_context(&selinux_state, sbsec->def_sid, 663 &context, &len); 664 if (rc) 665 goto out_free; 666 opts->mnt_opts[i] = context; 667 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 668 } 669 if (sbsec->flags & ROOTCONTEXT_MNT) { 670 struct dentry *root = sbsec->sb->s_root; 671 struct inode_security_struct *isec = backing_inode_security(root); 672 673 rc = security_sid_to_context(&selinux_state, isec->sid, 674 &context, &len); 675 if (rc) 676 goto out_free; 677 opts->mnt_opts[i] = context; 678 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 679 } 680 if (sbsec->flags & SBLABEL_MNT) { 681 opts->mnt_opts[i] = NULL; 682 opts->mnt_opts_flags[i++] = SBLABEL_MNT; 683 } 684 685 BUG_ON(i != opts->num_mnt_opts); 686 687 return 0; 688 689 out_free: 690 security_free_mnt_opts(opts); 691 return rc; 692 } 693 694 static int bad_option(struct superblock_security_struct *sbsec, char flag, 695 u32 old_sid, u32 new_sid) 696 { 697 char mnt_flags = sbsec->flags & SE_MNTMASK; 698 699 /* check if the old mount command had the same options */ 700 if (sbsec->flags & SE_SBINITIALIZED) 701 if (!(sbsec->flags & flag) || 702 (old_sid != new_sid)) 703 return 1; 704 705 /* check if we were passed the same options twice, 706 * aka someone passed context=a,context=b 707 */ 708 if (!(sbsec->flags & SE_SBINITIALIZED)) 709 if (mnt_flags & flag) 710 return 1; 711 return 0; 712 } 713 714 /* 715 * Allow filesystems with binary mount data to explicitly set mount point 716 * labeling information. 717 */ 718 static int selinux_set_mnt_opts(struct super_block *sb, 719 struct security_mnt_opts *opts, 720 unsigned long kern_flags, 721 unsigned long *set_kern_flags) 722 { 723 const struct cred *cred = current_cred(); 724 int rc = 0, i; 725 struct superblock_security_struct *sbsec = sb->s_security; 726 const char *name = sb->s_type->name; 727 struct dentry *root = sbsec->sb->s_root; 728 struct inode_security_struct *root_isec; 729 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 730 u32 defcontext_sid = 0; 731 char **mount_options = opts->mnt_opts; 732 int *flags = opts->mnt_opts_flags; 733 int num_opts = opts->num_mnt_opts; 734 735 mutex_lock(&sbsec->lock); 736 737 if (!selinux_state.initialized) { 738 if (!num_opts) { 739 /* Defer initialization until selinux_complete_init, 740 after the initial policy is loaded and the security 741 server is ready to handle calls. */ 742 goto out; 743 } 744 rc = -EINVAL; 745 printk(KERN_WARNING "SELinux: Unable to set superblock options " 746 "before the security server is initialized\n"); 747 goto out; 748 } 749 if (kern_flags && !set_kern_flags) { 750 /* Specifying internal flags without providing a place to 751 * place the results is not allowed */ 752 rc = -EINVAL; 753 goto out; 754 } 755 756 /* 757 * Binary mount data FS will come through this function twice. Once 758 * from an explicit call and once from the generic calls from the vfs. 759 * Since the generic VFS calls will not contain any security mount data 760 * we need to skip the double mount verification. 761 * 762 * This does open a hole in which we will not notice if the first 763 * mount using this sb set explict options and a second mount using 764 * this sb does not set any security options. (The first options 765 * will be used for both mounts) 766 */ 767 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 768 && (num_opts == 0)) 769 goto out; 770 771 root_isec = backing_inode_security_novalidate(root); 772 773 /* 774 * parse the mount options, check if they are valid sids. 775 * also check if someone is trying to mount the same sb more 776 * than once with different security options. 777 */ 778 for (i = 0; i < num_opts; i++) { 779 u32 sid; 780 781 if (flags[i] == SBLABEL_MNT) 782 continue; 783 rc = security_context_str_to_sid(&selinux_state, 784 mount_options[i], &sid, 785 GFP_KERNEL); 786 if (rc) { 787 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 788 "(%s) failed for (dev %s, type %s) errno=%d\n", 789 mount_options[i], sb->s_id, name, rc); 790 goto out; 791 } 792 switch (flags[i]) { 793 case FSCONTEXT_MNT: 794 fscontext_sid = sid; 795 796 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 797 fscontext_sid)) 798 goto out_double_mount; 799 800 sbsec->flags |= FSCONTEXT_MNT; 801 break; 802 case CONTEXT_MNT: 803 context_sid = sid; 804 805 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 806 context_sid)) 807 goto out_double_mount; 808 809 sbsec->flags |= CONTEXT_MNT; 810 break; 811 case ROOTCONTEXT_MNT: 812 rootcontext_sid = sid; 813 814 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 815 rootcontext_sid)) 816 goto out_double_mount; 817 818 sbsec->flags |= ROOTCONTEXT_MNT; 819 820 break; 821 case DEFCONTEXT_MNT: 822 defcontext_sid = sid; 823 824 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 825 defcontext_sid)) 826 goto out_double_mount; 827 828 sbsec->flags |= DEFCONTEXT_MNT; 829 830 break; 831 default: 832 rc = -EINVAL; 833 goto out; 834 } 835 } 836 837 if (sbsec->flags & SE_SBINITIALIZED) { 838 /* previously mounted with options, but not on this attempt? */ 839 if ((sbsec->flags & SE_MNTMASK) && !num_opts) 840 goto out_double_mount; 841 rc = 0; 842 goto out; 843 } 844 845 if (strcmp(sb->s_type->name, "proc") == 0) 846 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 847 848 if (!strcmp(sb->s_type->name, "debugfs") || 849 !strcmp(sb->s_type->name, "tracefs") || 850 !strcmp(sb->s_type->name, "sysfs") || 851 !strcmp(sb->s_type->name, "pstore") || 852 !strcmp(sb->s_type->name, "cgroup") || 853 !strcmp(sb->s_type->name, "cgroup2")) 854 sbsec->flags |= SE_SBGENFS; 855 856 if (!sbsec->behavior) { 857 /* 858 * Determine the labeling behavior to use for this 859 * filesystem type. 860 */ 861 rc = security_fs_use(&selinux_state, sb); 862 if (rc) { 863 printk(KERN_WARNING 864 "%s: security_fs_use(%s) returned %d\n", 865 __func__, sb->s_type->name, rc); 866 goto out; 867 } 868 } 869 870 /* 871 * If this is a user namespace mount and the filesystem type is not 872 * explicitly whitelisted, then no contexts are allowed on the command 873 * line and security labels must be ignored. 874 */ 875 if (sb->s_user_ns != &init_user_ns && 876 strcmp(sb->s_type->name, "tmpfs") && 877 strcmp(sb->s_type->name, "ramfs") && 878 strcmp(sb->s_type->name, "devpts")) { 879 if (context_sid || fscontext_sid || rootcontext_sid || 880 defcontext_sid) { 881 rc = -EACCES; 882 goto out; 883 } 884 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 885 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 886 rc = security_transition_sid(&selinux_state, 887 current_sid(), 888 current_sid(), 889 SECCLASS_FILE, NULL, 890 &sbsec->mntpoint_sid); 891 if (rc) 892 goto out; 893 } 894 goto out_set_opts; 895 } 896 897 /* sets the context of the superblock for the fs being mounted. */ 898 if (fscontext_sid) { 899 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 900 if (rc) 901 goto out; 902 903 sbsec->sid = fscontext_sid; 904 } 905 906 /* 907 * Switch to using mount point labeling behavior. 908 * sets the label used on all file below the mountpoint, and will set 909 * the superblock context if not already set. 910 */ 911 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 912 sbsec->behavior = SECURITY_FS_USE_NATIVE; 913 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 914 } 915 916 if (context_sid) { 917 if (!fscontext_sid) { 918 rc = may_context_mount_sb_relabel(context_sid, sbsec, 919 cred); 920 if (rc) 921 goto out; 922 sbsec->sid = context_sid; 923 } else { 924 rc = may_context_mount_inode_relabel(context_sid, sbsec, 925 cred); 926 if (rc) 927 goto out; 928 } 929 if (!rootcontext_sid) 930 rootcontext_sid = context_sid; 931 932 sbsec->mntpoint_sid = context_sid; 933 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 934 } 935 936 if (rootcontext_sid) { 937 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 938 cred); 939 if (rc) 940 goto out; 941 942 root_isec->sid = rootcontext_sid; 943 root_isec->initialized = LABEL_INITIALIZED; 944 } 945 946 if (defcontext_sid) { 947 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 948 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 949 rc = -EINVAL; 950 printk(KERN_WARNING "SELinux: defcontext option is " 951 "invalid for this filesystem type\n"); 952 goto out; 953 } 954 955 if (defcontext_sid != sbsec->def_sid) { 956 rc = may_context_mount_inode_relabel(defcontext_sid, 957 sbsec, cred); 958 if (rc) 959 goto out; 960 } 961 962 sbsec->def_sid = defcontext_sid; 963 } 964 965 out_set_opts: 966 rc = sb_finish_set_opts(sb); 967 out: 968 mutex_unlock(&sbsec->lock); 969 return rc; 970 out_double_mount: 971 rc = -EINVAL; 972 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 973 "security settings for (dev %s, type %s)\n", sb->s_id, name); 974 goto out; 975 } 976 977 static int selinux_cmp_sb_context(const struct super_block *oldsb, 978 const struct super_block *newsb) 979 { 980 struct superblock_security_struct *old = oldsb->s_security; 981 struct superblock_security_struct *new = newsb->s_security; 982 char oldflags = old->flags & SE_MNTMASK; 983 char newflags = new->flags & SE_MNTMASK; 984 985 if (oldflags != newflags) 986 goto mismatch; 987 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 988 goto mismatch; 989 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 990 goto mismatch; 991 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 992 goto mismatch; 993 if (oldflags & ROOTCONTEXT_MNT) { 994 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 995 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 996 if (oldroot->sid != newroot->sid) 997 goto mismatch; 998 } 999 return 0; 1000 mismatch: 1001 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, " 1002 "different security settings for (dev %s, " 1003 "type %s)\n", newsb->s_id, newsb->s_type->name); 1004 return -EBUSY; 1005 } 1006 1007 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 1008 struct super_block *newsb, 1009 unsigned long kern_flags, 1010 unsigned long *set_kern_flags) 1011 { 1012 int rc = 0; 1013 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 1014 struct superblock_security_struct *newsbsec = newsb->s_security; 1015 1016 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 1017 int set_context = (oldsbsec->flags & CONTEXT_MNT); 1018 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 1019 1020 /* 1021 * if the parent was able to be mounted it clearly had no special lsm 1022 * mount options. thus we can safely deal with this superblock later 1023 */ 1024 if (!selinux_state.initialized) 1025 return 0; 1026 1027 /* 1028 * Specifying internal flags without providing a place to 1029 * place the results is not allowed. 1030 */ 1031 if (kern_flags && !set_kern_flags) 1032 return -EINVAL; 1033 1034 /* how can we clone if the old one wasn't set up?? */ 1035 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 1036 1037 /* if fs is reusing a sb, make sure that the contexts match */ 1038 if (newsbsec->flags & SE_SBINITIALIZED) 1039 return selinux_cmp_sb_context(oldsb, newsb); 1040 1041 mutex_lock(&newsbsec->lock); 1042 1043 newsbsec->flags = oldsbsec->flags; 1044 1045 newsbsec->sid = oldsbsec->sid; 1046 newsbsec->def_sid = oldsbsec->def_sid; 1047 newsbsec->behavior = oldsbsec->behavior; 1048 1049 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 1050 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 1051 rc = security_fs_use(&selinux_state, newsb); 1052 if (rc) 1053 goto out; 1054 } 1055 1056 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 1057 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 1058 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 1059 } 1060 1061 if (set_context) { 1062 u32 sid = oldsbsec->mntpoint_sid; 1063 1064 if (!set_fscontext) 1065 newsbsec->sid = sid; 1066 if (!set_rootcontext) { 1067 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1068 newisec->sid = sid; 1069 } 1070 newsbsec->mntpoint_sid = sid; 1071 } 1072 if (set_rootcontext) { 1073 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 1074 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1075 1076 newisec->sid = oldisec->sid; 1077 } 1078 1079 sb_finish_set_opts(newsb); 1080 out: 1081 mutex_unlock(&newsbsec->lock); 1082 return rc; 1083 } 1084 1085 static int selinux_parse_opts_str(char *options, 1086 struct security_mnt_opts *opts) 1087 { 1088 char *p; 1089 char *context = NULL, *defcontext = NULL; 1090 char *fscontext = NULL, *rootcontext = NULL; 1091 int rc, num_mnt_opts = 0; 1092 1093 opts->num_mnt_opts = 0; 1094 1095 /* Standard string-based options. */ 1096 while ((p = strsep(&options, "|")) != NULL) { 1097 int token; 1098 substring_t args[MAX_OPT_ARGS]; 1099 1100 if (!*p) 1101 continue; 1102 1103 token = match_token(p, tokens, args); 1104 1105 switch (token) { 1106 case Opt_context: 1107 if (context || defcontext) { 1108 rc = -EINVAL; 1109 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1110 goto out_err; 1111 } 1112 context = match_strdup(&args[0]); 1113 if (!context) { 1114 rc = -ENOMEM; 1115 goto out_err; 1116 } 1117 break; 1118 1119 case Opt_fscontext: 1120 if (fscontext) { 1121 rc = -EINVAL; 1122 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1123 goto out_err; 1124 } 1125 fscontext = match_strdup(&args[0]); 1126 if (!fscontext) { 1127 rc = -ENOMEM; 1128 goto out_err; 1129 } 1130 break; 1131 1132 case Opt_rootcontext: 1133 if (rootcontext) { 1134 rc = -EINVAL; 1135 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1136 goto out_err; 1137 } 1138 rootcontext = match_strdup(&args[0]); 1139 if (!rootcontext) { 1140 rc = -ENOMEM; 1141 goto out_err; 1142 } 1143 break; 1144 1145 case Opt_defcontext: 1146 if (context || defcontext) { 1147 rc = -EINVAL; 1148 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1149 goto out_err; 1150 } 1151 defcontext = match_strdup(&args[0]); 1152 if (!defcontext) { 1153 rc = -ENOMEM; 1154 goto out_err; 1155 } 1156 break; 1157 case Opt_labelsupport: 1158 break; 1159 default: 1160 rc = -EINVAL; 1161 printk(KERN_WARNING "SELinux: unknown mount option\n"); 1162 goto out_err; 1163 1164 } 1165 } 1166 1167 rc = -ENOMEM; 1168 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL); 1169 if (!opts->mnt_opts) 1170 goto out_err; 1171 1172 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), 1173 GFP_KERNEL); 1174 if (!opts->mnt_opts_flags) 1175 goto out_err; 1176 1177 if (fscontext) { 1178 opts->mnt_opts[num_mnt_opts] = fscontext; 1179 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 1180 } 1181 if (context) { 1182 opts->mnt_opts[num_mnt_opts] = context; 1183 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 1184 } 1185 if (rootcontext) { 1186 opts->mnt_opts[num_mnt_opts] = rootcontext; 1187 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 1188 } 1189 if (defcontext) { 1190 opts->mnt_opts[num_mnt_opts] = defcontext; 1191 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 1192 } 1193 1194 opts->num_mnt_opts = num_mnt_opts; 1195 return 0; 1196 1197 out_err: 1198 security_free_mnt_opts(opts); 1199 kfree(context); 1200 kfree(defcontext); 1201 kfree(fscontext); 1202 kfree(rootcontext); 1203 return rc; 1204 } 1205 /* 1206 * string mount options parsing and call set the sbsec 1207 */ 1208 static int superblock_doinit(struct super_block *sb, void *data) 1209 { 1210 int rc = 0; 1211 char *options = data; 1212 struct security_mnt_opts opts; 1213 1214 security_init_mnt_opts(&opts); 1215 1216 if (!data) 1217 goto out; 1218 1219 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 1220 1221 rc = selinux_parse_opts_str(options, &opts); 1222 if (rc) 1223 goto out_err; 1224 1225 out: 1226 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL); 1227 1228 out_err: 1229 security_free_mnt_opts(&opts); 1230 return rc; 1231 } 1232 1233 static void selinux_write_opts(struct seq_file *m, 1234 struct security_mnt_opts *opts) 1235 { 1236 int i; 1237 char *prefix; 1238 1239 for (i = 0; i < opts->num_mnt_opts; i++) { 1240 char *has_comma; 1241 1242 if (opts->mnt_opts[i]) 1243 has_comma = strchr(opts->mnt_opts[i], ','); 1244 else 1245 has_comma = NULL; 1246 1247 switch (opts->mnt_opts_flags[i]) { 1248 case CONTEXT_MNT: 1249 prefix = CONTEXT_STR; 1250 break; 1251 case FSCONTEXT_MNT: 1252 prefix = FSCONTEXT_STR; 1253 break; 1254 case ROOTCONTEXT_MNT: 1255 prefix = ROOTCONTEXT_STR; 1256 break; 1257 case DEFCONTEXT_MNT: 1258 prefix = DEFCONTEXT_STR; 1259 break; 1260 case SBLABEL_MNT: 1261 seq_putc(m, ','); 1262 seq_puts(m, LABELSUPP_STR); 1263 continue; 1264 default: 1265 BUG(); 1266 return; 1267 }; 1268 /* we need a comma before each option */ 1269 seq_putc(m, ','); 1270 seq_puts(m, prefix); 1271 if (has_comma) 1272 seq_putc(m, '\"'); 1273 seq_escape(m, opts->mnt_opts[i], "\"\n\\"); 1274 if (has_comma) 1275 seq_putc(m, '\"'); 1276 } 1277 } 1278 1279 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1280 { 1281 struct security_mnt_opts opts; 1282 int rc; 1283 1284 rc = selinux_get_mnt_opts(sb, &opts); 1285 if (rc) { 1286 /* before policy load we may get EINVAL, don't show anything */ 1287 if (rc == -EINVAL) 1288 rc = 0; 1289 return rc; 1290 } 1291 1292 selinux_write_opts(m, &opts); 1293 1294 security_free_mnt_opts(&opts); 1295 1296 return rc; 1297 } 1298 1299 static inline u16 inode_mode_to_security_class(umode_t mode) 1300 { 1301 switch (mode & S_IFMT) { 1302 case S_IFSOCK: 1303 return SECCLASS_SOCK_FILE; 1304 case S_IFLNK: 1305 return SECCLASS_LNK_FILE; 1306 case S_IFREG: 1307 return SECCLASS_FILE; 1308 case S_IFBLK: 1309 return SECCLASS_BLK_FILE; 1310 case S_IFDIR: 1311 return SECCLASS_DIR; 1312 case S_IFCHR: 1313 return SECCLASS_CHR_FILE; 1314 case S_IFIFO: 1315 return SECCLASS_FIFO_FILE; 1316 1317 } 1318 1319 return SECCLASS_FILE; 1320 } 1321 1322 static inline int default_protocol_stream(int protocol) 1323 { 1324 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1325 } 1326 1327 static inline int default_protocol_dgram(int protocol) 1328 { 1329 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1330 } 1331 1332 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1333 { 1334 int extsockclass = selinux_policycap_extsockclass(); 1335 1336 switch (family) { 1337 case PF_UNIX: 1338 switch (type) { 1339 case SOCK_STREAM: 1340 case SOCK_SEQPACKET: 1341 return SECCLASS_UNIX_STREAM_SOCKET; 1342 case SOCK_DGRAM: 1343 case SOCK_RAW: 1344 return SECCLASS_UNIX_DGRAM_SOCKET; 1345 } 1346 break; 1347 case PF_INET: 1348 case PF_INET6: 1349 switch (type) { 1350 case SOCK_STREAM: 1351 case SOCK_SEQPACKET: 1352 if (default_protocol_stream(protocol)) 1353 return SECCLASS_TCP_SOCKET; 1354 else if (extsockclass && protocol == IPPROTO_SCTP) 1355 return SECCLASS_SCTP_SOCKET; 1356 else 1357 return SECCLASS_RAWIP_SOCKET; 1358 case SOCK_DGRAM: 1359 if (default_protocol_dgram(protocol)) 1360 return SECCLASS_UDP_SOCKET; 1361 else if (extsockclass && (protocol == IPPROTO_ICMP || 1362 protocol == IPPROTO_ICMPV6)) 1363 return SECCLASS_ICMP_SOCKET; 1364 else 1365 return SECCLASS_RAWIP_SOCKET; 1366 case SOCK_DCCP: 1367 return SECCLASS_DCCP_SOCKET; 1368 default: 1369 return SECCLASS_RAWIP_SOCKET; 1370 } 1371 break; 1372 case PF_NETLINK: 1373 switch (protocol) { 1374 case NETLINK_ROUTE: 1375 return SECCLASS_NETLINK_ROUTE_SOCKET; 1376 case NETLINK_SOCK_DIAG: 1377 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1378 case NETLINK_NFLOG: 1379 return SECCLASS_NETLINK_NFLOG_SOCKET; 1380 case NETLINK_XFRM: 1381 return SECCLASS_NETLINK_XFRM_SOCKET; 1382 case NETLINK_SELINUX: 1383 return SECCLASS_NETLINK_SELINUX_SOCKET; 1384 case NETLINK_ISCSI: 1385 return SECCLASS_NETLINK_ISCSI_SOCKET; 1386 case NETLINK_AUDIT: 1387 return SECCLASS_NETLINK_AUDIT_SOCKET; 1388 case NETLINK_FIB_LOOKUP: 1389 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1390 case NETLINK_CONNECTOR: 1391 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1392 case NETLINK_NETFILTER: 1393 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1394 case NETLINK_DNRTMSG: 1395 return SECCLASS_NETLINK_DNRT_SOCKET; 1396 case NETLINK_KOBJECT_UEVENT: 1397 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1398 case NETLINK_GENERIC: 1399 return SECCLASS_NETLINK_GENERIC_SOCKET; 1400 case NETLINK_SCSITRANSPORT: 1401 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1402 case NETLINK_RDMA: 1403 return SECCLASS_NETLINK_RDMA_SOCKET; 1404 case NETLINK_CRYPTO: 1405 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1406 default: 1407 return SECCLASS_NETLINK_SOCKET; 1408 } 1409 case PF_PACKET: 1410 return SECCLASS_PACKET_SOCKET; 1411 case PF_KEY: 1412 return SECCLASS_KEY_SOCKET; 1413 case PF_APPLETALK: 1414 return SECCLASS_APPLETALK_SOCKET; 1415 } 1416 1417 if (extsockclass) { 1418 switch (family) { 1419 case PF_AX25: 1420 return SECCLASS_AX25_SOCKET; 1421 case PF_IPX: 1422 return SECCLASS_IPX_SOCKET; 1423 case PF_NETROM: 1424 return SECCLASS_NETROM_SOCKET; 1425 case PF_ATMPVC: 1426 return SECCLASS_ATMPVC_SOCKET; 1427 case PF_X25: 1428 return SECCLASS_X25_SOCKET; 1429 case PF_ROSE: 1430 return SECCLASS_ROSE_SOCKET; 1431 case PF_DECnet: 1432 return SECCLASS_DECNET_SOCKET; 1433 case PF_ATMSVC: 1434 return SECCLASS_ATMSVC_SOCKET; 1435 case PF_RDS: 1436 return SECCLASS_RDS_SOCKET; 1437 case PF_IRDA: 1438 return SECCLASS_IRDA_SOCKET; 1439 case PF_PPPOX: 1440 return SECCLASS_PPPOX_SOCKET; 1441 case PF_LLC: 1442 return SECCLASS_LLC_SOCKET; 1443 case PF_CAN: 1444 return SECCLASS_CAN_SOCKET; 1445 case PF_TIPC: 1446 return SECCLASS_TIPC_SOCKET; 1447 case PF_BLUETOOTH: 1448 return SECCLASS_BLUETOOTH_SOCKET; 1449 case PF_IUCV: 1450 return SECCLASS_IUCV_SOCKET; 1451 case PF_RXRPC: 1452 return SECCLASS_RXRPC_SOCKET; 1453 case PF_ISDN: 1454 return SECCLASS_ISDN_SOCKET; 1455 case PF_PHONET: 1456 return SECCLASS_PHONET_SOCKET; 1457 case PF_IEEE802154: 1458 return SECCLASS_IEEE802154_SOCKET; 1459 case PF_CAIF: 1460 return SECCLASS_CAIF_SOCKET; 1461 case PF_ALG: 1462 return SECCLASS_ALG_SOCKET; 1463 case PF_NFC: 1464 return SECCLASS_NFC_SOCKET; 1465 case PF_VSOCK: 1466 return SECCLASS_VSOCK_SOCKET; 1467 case PF_KCM: 1468 return SECCLASS_KCM_SOCKET; 1469 case PF_QIPCRTR: 1470 return SECCLASS_QIPCRTR_SOCKET; 1471 case PF_SMC: 1472 return SECCLASS_SMC_SOCKET; 1473 case PF_XDP: 1474 return SECCLASS_XDP_SOCKET; 1475 #if PF_MAX > 45 1476 #error New address family defined, please update this function. 1477 #endif 1478 } 1479 } 1480 1481 return SECCLASS_SOCKET; 1482 } 1483 1484 static int selinux_genfs_get_sid(struct dentry *dentry, 1485 u16 tclass, 1486 u16 flags, 1487 u32 *sid) 1488 { 1489 int rc; 1490 struct super_block *sb = dentry->d_sb; 1491 char *buffer, *path; 1492 1493 buffer = (char *)__get_free_page(GFP_KERNEL); 1494 if (!buffer) 1495 return -ENOMEM; 1496 1497 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1498 if (IS_ERR(path)) 1499 rc = PTR_ERR(path); 1500 else { 1501 if (flags & SE_SBPROC) { 1502 /* each process gets a /proc/PID/ entry. Strip off the 1503 * PID part to get a valid selinux labeling. 1504 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1505 while (path[1] >= '0' && path[1] <= '9') { 1506 path[1] = '/'; 1507 path++; 1508 } 1509 } 1510 rc = security_genfs_sid(&selinux_state, sb->s_type->name, 1511 path, tclass, sid); 1512 } 1513 free_page((unsigned long)buffer); 1514 return rc; 1515 } 1516 1517 /* The inode's security attributes must be initialized before first use. */ 1518 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1519 { 1520 struct superblock_security_struct *sbsec = NULL; 1521 struct inode_security_struct *isec = inode->i_security; 1522 u32 task_sid, sid = 0; 1523 u16 sclass; 1524 struct dentry *dentry; 1525 #define INITCONTEXTLEN 255 1526 char *context = NULL; 1527 unsigned len = 0; 1528 int rc = 0; 1529 1530 if (isec->initialized == LABEL_INITIALIZED) 1531 return 0; 1532 1533 spin_lock(&isec->lock); 1534 if (isec->initialized == LABEL_INITIALIZED) 1535 goto out_unlock; 1536 1537 if (isec->sclass == SECCLASS_FILE) 1538 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1539 1540 sbsec = inode->i_sb->s_security; 1541 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1542 /* Defer initialization until selinux_complete_init, 1543 after the initial policy is loaded and the security 1544 server is ready to handle calls. */ 1545 spin_lock(&sbsec->isec_lock); 1546 if (list_empty(&isec->list)) 1547 list_add(&isec->list, &sbsec->isec_head); 1548 spin_unlock(&sbsec->isec_lock); 1549 goto out_unlock; 1550 } 1551 1552 sclass = isec->sclass; 1553 task_sid = isec->task_sid; 1554 sid = isec->sid; 1555 isec->initialized = LABEL_PENDING; 1556 spin_unlock(&isec->lock); 1557 1558 switch (sbsec->behavior) { 1559 case SECURITY_FS_USE_NATIVE: 1560 break; 1561 case SECURITY_FS_USE_XATTR: 1562 if (!(inode->i_opflags & IOP_XATTR)) { 1563 sid = sbsec->def_sid; 1564 break; 1565 } 1566 /* Need a dentry, since the xattr API requires one. 1567 Life would be simpler if we could just pass the inode. */ 1568 if (opt_dentry) { 1569 /* Called from d_instantiate or d_splice_alias. */ 1570 dentry = dget(opt_dentry); 1571 } else { 1572 /* 1573 * Called from selinux_complete_init, try to find a dentry. 1574 * Some filesystems really want a connected one, so try 1575 * that first. We could split SECURITY_FS_USE_XATTR in 1576 * two, depending upon that... 1577 */ 1578 dentry = d_find_alias(inode); 1579 if (!dentry) 1580 dentry = d_find_any_alias(inode); 1581 } 1582 if (!dentry) { 1583 /* 1584 * this is can be hit on boot when a file is accessed 1585 * before the policy is loaded. When we load policy we 1586 * may find inodes that have no dentry on the 1587 * sbsec->isec_head list. No reason to complain as these 1588 * will get fixed up the next time we go through 1589 * inode_doinit with a dentry, before these inodes could 1590 * be used again by userspace. 1591 */ 1592 goto out; 1593 } 1594 1595 len = INITCONTEXTLEN; 1596 context = kmalloc(len+1, GFP_NOFS); 1597 if (!context) { 1598 rc = -ENOMEM; 1599 dput(dentry); 1600 goto out; 1601 } 1602 context[len] = '\0'; 1603 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1604 if (rc == -ERANGE) { 1605 kfree(context); 1606 1607 /* Need a larger buffer. Query for the right size. */ 1608 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1609 if (rc < 0) { 1610 dput(dentry); 1611 goto out; 1612 } 1613 len = rc; 1614 context = kmalloc(len+1, GFP_NOFS); 1615 if (!context) { 1616 rc = -ENOMEM; 1617 dput(dentry); 1618 goto out; 1619 } 1620 context[len] = '\0'; 1621 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1622 } 1623 dput(dentry); 1624 if (rc < 0) { 1625 if (rc != -ENODATA) { 1626 printk(KERN_WARNING "SELinux: %s: getxattr returned " 1627 "%d for dev=%s ino=%ld\n", __func__, 1628 -rc, inode->i_sb->s_id, inode->i_ino); 1629 kfree(context); 1630 goto out; 1631 } 1632 /* Map ENODATA to the default file SID */ 1633 sid = sbsec->def_sid; 1634 rc = 0; 1635 } else { 1636 rc = security_context_to_sid_default(&selinux_state, 1637 context, rc, &sid, 1638 sbsec->def_sid, 1639 GFP_NOFS); 1640 if (rc) { 1641 char *dev = inode->i_sb->s_id; 1642 unsigned long ino = inode->i_ino; 1643 1644 if (rc == -EINVAL) { 1645 if (printk_ratelimit()) 1646 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " 1647 "context=%s. This indicates you may need to relabel the inode or the " 1648 "filesystem in question.\n", ino, dev, context); 1649 } else { 1650 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1651 "returned %d for dev=%s ino=%ld\n", 1652 __func__, context, -rc, dev, ino); 1653 } 1654 kfree(context); 1655 /* Leave with the unlabeled SID */ 1656 rc = 0; 1657 break; 1658 } 1659 } 1660 kfree(context); 1661 break; 1662 case SECURITY_FS_USE_TASK: 1663 sid = task_sid; 1664 break; 1665 case SECURITY_FS_USE_TRANS: 1666 /* Default to the fs SID. */ 1667 sid = sbsec->sid; 1668 1669 /* Try to obtain a transition SID. */ 1670 rc = security_transition_sid(&selinux_state, task_sid, sid, 1671 sclass, NULL, &sid); 1672 if (rc) 1673 goto out; 1674 break; 1675 case SECURITY_FS_USE_MNTPOINT: 1676 sid = sbsec->mntpoint_sid; 1677 break; 1678 default: 1679 /* Default to the fs superblock SID. */ 1680 sid = sbsec->sid; 1681 1682 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { 1683 /* We must have a dentry to determine the label on 1684 * procfs inodes */ 1685 if (opt_dentry) { 1686 /* Called from d_instantiate or 1687 * d_splice_alias. */ 1688 dentry = dget(opt_dentry); 1689 } else { 1690 /* Called from selinux_complete_init, try to 1691 * find a dentry. Some filesystems really want 1692 * a connected one, so try that first. 1693 */ 1694 dentry = d_find_alias(inode); 1695 if (!dentry) 1696 dentry = d_find_any_alias(inode); 1697 } 1698 /* 1699 * This can be hit on boot when a file is accessed 1700 * before the policy is loaded. When we load policy we 1701 * may find inodes that have no dentry on the 1702 * sbsec->isec_head list. No reason to complain as 1703 * these will get fixed up the next time we go through 1704 * inode_doinit() with a dentry, before these inodes 1705 * could be used again by userspace. 1706 */ 1707 if (!dentry) 1708 goto out; 1709 rc = selinux_genfs_get_sid(dentry, sclass, 1710 sbsec->flags, &sid); 1711 dput(dentry); 1712 if (rc) 1713 goto out; 1714 } 1715 break; 1716 } 1717 1718 out: 1719 spin_lock(&isec->lock); 1720 if (isec->initialized == LABEL_PENDING) { 1721 if (!sid || rc) { 1722 isec->initialized = LABEL_INVALID; 1723 goto out_unlock; 1724 } 1725 1726 isec->initialized = LABEL_INITIALIZED; 1727 isec->sid = sid; 1728 } 1729 1730 out_unlock: 1731 spin_unlock(&isec->lock); 1732 return rc; 1733 } 1734 1735 /* Convert a Linux signal to an access vector. */ 1736 static inline u32 signal_to_av(int sig) 1737 { 1738 u32 perm = 0; 1739 1740 switch (sig) { 1741 case SIGCHLD: 1742 /* Commonly granted from child to parent. */ 1743 perm = PROCESS__SIGCHLD; 1744 break; 1745 case SIGKILL: 1746 /* Cannot be caught or ignored */ 1747 perm = PROCESS__SIGKILL; 1748 break; 1749 case SIGSTOP: 1750 /* Cannot be caught or ignored */ 1751 perm = PROCESS__SIGSTOP; 1752 break; 1753 default: 1754 /* All other signals. */ 1755 perm = PROCESS__SIGNAL; 1756 break; 1757 } 1758 1759 return perm; 1760 } 1761 1762 #if CAP_LAST_CAP > 63 1763 #error Fix SELinux to handle capabilities > 63. 1764 #endif 1765 1766 /* Check whether a task is allowed to use a capability. */ 1767 static int cred_has_capability(const struct cred *cred, 1768 int cap, int audit, bool initns) 1769 { 1770 struct common_audit_data ad; 1771 struct av_decision avd; 1772 u16 sclass; 1773 u32 sid = cred_sid(cred); 1774 u32 av = CAP_TO_MASK(cap); 1775 int rc; 1776 1777 ad.type = LSM_AUDIT_DATA_CAP; 1778 ad.u.cap = cap; 1779 1780 switch (CAP_TO_INDEX(cap)) { 1781 case 0: 1782 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1783 break; 1784 case 1: 1785 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1786 break; 1787 default: 1788 printk(KERN_ERR 1789 "SELinux: out of range capability %d\n", cap); 1790 BUG(); 1791 return -EINVAL; 1792 } 1793 1794 rc = avc_has_perm_noaudit(&selinux_state, 1795 sid, sid, sclass, av, 0, &avd); 1796 if (audit == SECURITY_CAP_AUDIT) { 1797 int rc2 = avc_audit(&selinux_state, 1798 sid, sid, sclass, av, &avd, rc, &ad, 0); 1799 if (rc2) 1800 return rc2; 1801 } 1802 return rc; 1803 } 1804 1805 /* Check whether a task has a particular permission to an inode. 1806 The 'adp' parameter is optional and allows other audit 1807 data to be passed (e.g. the dentry). */ 1808 static int inode_has_perm(const struct cred *cred, 1809 struct inode *inode, 1810 u32 perms, 1811 struct common_audit_data *adp) 1812 { 1813 struct inode_security_struct *isec; 1814 u32 sid; 1815 1816 validate_creds(cred); 1817 1818 if (unlikely(IS_PRIVATE(inode))) 1819 return 0; 1820 1821 sid = cred_sid(cred); 1822 isec = inode->i_security; 1823 1824 return avc_has_perm(&selinux_state, 1825 sid, isec->sid, isec->sclass, perms, adp); 1826 } 1827 1828 /* Same as inode_has_perm, but pass explicit audit data containing 1829 the dentry to help the auditing code to more easily generate the 1830 pathname if needed. */ 1831 static inline int dentry_has_perm(const struct cred *cred, 1832 struct dentry *dentry, 1833 u32 av) 1834 { 1835 struct inode *inode = d_backing_inode(dentry); 1836 struct common_audit_data ad; 1837 1838 ad.type = LSM_AUDIT_DATA_DENTRY; 1839 ad.u.dentry = dentry; 1840 __inode_security_revalidate(inode, dentry, true); 1841 return inode_has_perm(cred, inode, av, &ad); 1842 } 1843 1844 /* Same as inode_has_perm, but pass explicit audit data containing 1845 the path to help the auditing code to more easily generate the 1846 pathname if needed. */ 1847 static inline int path_has_perm(const struct cred *cred, 1848 const struct path *path, 1849 u32 av) 1850 { 1851 struct inode *inode = d_backing_inode(path->dentry); 1852 struct common_audit_data ad; 1853 1854 ad.type = LSM_AUDIT_DATA_PATH; 1855 ad.u.path = *path; 1856 __inode_security_revalidate(inode, path->dentry, true); 1857 return inode_has_perm(cred, inode, av, &ad); 1858 } 1859 1860 /* Same as path_has_perm, but uses the inode from the file struct. */ 1861 static inline int file_path_has_perm(const struct cred *cred, 1862 struct file *file, 1863 u32 av) 1864 { 1865 struct common_audit_data ad; 1866 1867 ad.type = LSM_AUDIT_DATA_FILE; 1868 ad.u.file = file; 1869 return inode_has_perm(cred, file_inode(file), av, &ad); 1870 } 1871 1872 #ifdef CONFIG_BPF_SYSCALL 1873 static int bpf_fd_pass(struct file *file, u32 sid); 1874 #endif 1875 1876 /* Check whether a task can use an open file descriptor to 1877 access an inode in a given way. Check access to the 1878 descriptor itself, and then use dentry_has_perm to 1879 check a particular permission to the file. 1880 Access to the descriptor is implicitly granted if it 1881 has the same SID as the process. If av is zero, then 1882 access to the file is not checked, e.g. for cases 1883 where only the descriptor is affected like seek. */ 1884 static int file_has_perm(const struct cred *cred, 1885 struct file *file, 1886 u32 av) 1887 { 1888 struct file_security_struct *fsec = file->f_security; 1889 struct inode *inode = file_inode(file); 1890 struct common_audit_data ad; 1891 u32 sid = cred_sid(cred); 1892 int rc; 1893 1894 ad.type = LSM_AUDIT_DATA_FILE; 1895 ad.u.file = file; 1896 1897 if (sid != fsec->sid) { 1898 rc = avc_has_perm(&selinux_state, 1899 sid, fsec->sid, 1900 SECCLASS_FD, 1901 FD__USE, 1902 &ad); 1903 if (rc) 1904 goto out; 1905 } 1906 1907 #ifdef CONFIG_BPF_SYSCALL 1908 rc = bpf_fd_pass(file, cred_sid(cred)); 1909 if (rc) 1910 return rc; 1911 #endif 1912 1913 /* av is zero if only checking access to the descriptor. */ 1914 rc = 0; 1915 if (av) 1916 rc = inode_has_perm(cred, inode, av, &ad); 1917 1918 out: 1919 return rc; 1920 } 1921 1922 /* 1923 * Determine the label for an inode that might be unioned. 1924 */ 1925 static int 1926 selinux_determine_inode_label(const struct task_security_struct *tsec, 1927 struct inode *dir, 1928 const struct qstr *name, u16 tclass, 1929 u32 *_new_isid) 1930 { 1931 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1932 1933 if ((sbsec->flags & SE_SBINITIALIZED) && 1934 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1935 *_new_isid = sbsec->mntpoint_sid; 1936 } else if ((sbsec->flags & SBLABEL_MNT) && 1937 tsec->create_sid) { 1938 *_new_isid = tsec->create_sid; 1939 } else { 1940 const struct inode_security_struct *dsec = inode_security(dir); 1941 return security_transition_sid(&selinux_state, tsec->sid, 1942 dsec->sid, tclass, 1943 name, _new_isid); 1944 } 1945 1946 return 0; 1947 } 1948 1949 /* Check whether a task can create a file. */ 1950 static int may_create(struct inode *dir, 1951 struct dentry *dentry, 1952 u16 tclass) 1953 { 1954 const struct task_security_struct *tsec = current_security(); 1955 struct inode_security_struct *dsec; 1956 struct superblock_security_struct *sbsec; 1957 u32 sid, newsid; 1958 struct common_audit_data ad; 1959 int rc; 1960 1961 dsec = inode_security(dir); 1962 sbsec = dir->i_sb->s_security; 1963 1964 sid = tsec->sid; 1965 1966 ad.type = LSM_AUDIT_DATA_DENTRY; 1967 ad.u.dentry = dentry; 1968 1969 rc = avc_has_perm(&selinux_state, 1970 sid, dsec->sid, SECCLASS_DIR, 1971 DIR__ADD_NAME | DIR__SEARCH, 1972 &ad); 1973 if (rc) 1974 return rc; 1975 1976 rc = selinux_determine_inode_label(current_security(), dir, 1977 &dentry->d_name, tclass, &newsid); 1978 if (rc) 1979 return rc; 1980 1981 rc = avc_has_perm(&selinux_state, 1982 sid, newsid, tclass, FILE__CREATE, &ad); 1983 if (rc) 1984 return rc; 1985 1986 return avc_has_perm(&selinux_state, 1987 newsid, sbsec->sid, 1988 SECCLASS_FILESYSTEM, 1989 FILESYSTEM__ASSOCIATE, &ad); 1990 } 1991 1992 #define MAY_LINK 0 1993 #define MAY_UNLINK 1 1994 #define MAY_RMDIR 2 1995 1996 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1997 static int may_link(struct inode *dir, 1998 struct dentry *dentry, 1999 int kind) 2000 2001 { 2002 struct inode_security_struct *dsec, *isec; 2003 struct common_audit_data ad; 2004 u32 sid = current_sid(); 2005 u32 av; 2006 int rc; 2007 2008 dsec = inode_security(dir); 2009 isec = backing_inode_security(dentry); 2010 2011 ad.type = LSM_AUDIT_DATA_DENTRY; 2012 ad.u.dentry = dentry; 2013 2014 av = DIR__SEARCH; 2015 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 2016 rc = avc_has_perm(&selinux_state, 2017 sid, dsec->sid, SECCLASS_DIR, av, &ad); 2018 if (rc) 2019 return rc; 2020 2021 switch (kind) { 2022 case MAY_LINK: 2023 av = FILE__LINK; 2024 break; 2025 case MAY_UNLINK: 2026 av = FILE__UNLINK; 2027 break; 2028 case MAY_RMDIR: 2029 av = DIR__RMDIR; 2030 break; 2031 default: 2032 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", 2033 __func__, kind); 2034 return 0; 2035 } 2036 2037 rc = avc_has_perm(&selinux_state, 2038 sid, isec->sid, isec->sclass, av, &ad); 2039 return rc; 2040 } 2041 2042 static inline int may_rename(struct inode *old_dir, 2043 struct dentry *old_dentry, 2044 struct inode *new_dir, 2045 struct dentry *new_dentry) 2046 { 2047 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 2048 struct common_audit_data ad; 2049 u32 sid = current_sid(); 2050 u32 av; 2051 int old_is_dir, new_is_dir; 2052 int rc; 2053 2054 old_dsec = inode_security(old_dir); 2055 old_isec = backing_inode_security(old_dentry); 2056 old_is_dir = d_is_dir(old_dentry); 2057 new_dsec = inode_security(new_dir); 2058 2059 ad.type = LSM_AUDIT_DATA_DENTRY; 2060 2061 ad.u.dentry = old_dentry; 2062 rc = avc_has_perm(&selinux_state, 2063 sid, old_dsec->sid, SECCLASS_DIR, 2064 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 2065 if (rc) 2066 return rc; 2067 rc = avc_has_perm(&selinux_state, 2068 sid, old_isec->sid, 2069 old_isec->sclass, FILE__RENAME, &ad); 2070 if (rc) 2071 return rc; 2072 if (old_is_dir && new_dir != old_dir) { 2073 rc = avc_has_perm(&selinux_state, 2074 sid, old_isec->sid, 2075 old_isec->sclass, DIR__REPARENT, &ad); 2076 if (rc) 2077 return rc; 2078 } 2079 2080 ad.u.dentry = new_dentry; 2081 av = DIR__ADD_NAME | DIR__SEARCH; 2082 if (d_is_positive(new_dentry)) 2083 av |= DIR__REMOVE_NAME; 2084 rc = avc_has_perm(&selinux_state, 2085 sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 2086 if (rc) 2087 return rc; 2088 if (d_is_positive(new_dentry)) { 2089 new_isec = backing_inode_security(new_dentry); 2090 new_is_dir = d_is_dir(new_dentry); 2091 rc = avc_has_perm(&selinux_state, 2092 sid, new_isec->sid, 2093 new_isec->sclass, 2094 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 2095 if (rc) 2096 return rc; 2097 } 2098 2099 return 0; 2100 } 2101 2102 /* Check whether a task can perform a filesystem operation. */ 2103 static int superblock_has_perm(const struct cred *cred, 2104 struct super_block *sb, 2105 u32 perms, 2106 struct common_audit_data *ad) 2107 { 2108 struct superblock_security_struct *sbsec; 2109 u32 sid = cred_sid(cred); 2110 2111 sbsec = sb->s_security; 2112 return avc_has_perm(&selinux_state, 2113 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 2114 } 2115 2116 /* Convert a Linux mode and permission mask to an access vector. */ 2117 static inline u32 file_mask_to_av(int mode, int mask) 2118 { 2119 u32 av = 0; 2120 2121 if (!S_ISDIR(mode)) { 2122 if (mask & MAY_EXEC) 2123 av |= FILE__EXECUTE; 2124 if (mask & MAY_READ) 2125 av |= FILE__READ; 2126 2127 if (mask & MAY_APPEND) 2128 av |= FILE__APPEND; 2129 else if (mask & MAY_WRITE) 2130 av |= FILE__WRITE; 2131 2132 } else { 2133 if (mask & MAY_EXEC) 2134 av |= DIR__SEARCH; 2135 if (mask & MAY_WRITE) 2136 av |= DIR__WRITE; 2137 if (mask & MAY_READ) 2138 av |= DIR__READ; 2139 } 2140 2141 return av; 2142 } 2143 2144 /* Convert a Linux file to an access vector. */ 2145 static inline u32 file_to_av(struct file *file) 2146 { 2147 u32 av = 0; 2148 2149 if (file->f_mode & FMODE_READ) 2150 av |= FILE__READ; 2151 if (file->f_mode & FMODE_WRITE) { 2152 if (file->f_flags & O_APPEND) 2153 av |= FILE__APPEND; 2154 else 2155 av |= FILE__WRITE; 2156 } 2157 if (!av) { 2158 /* 2159 * Special file opened with flags 3 for ioctl-only use. 2160 */ 2161 av = FILE__IOCTL; 2162 } 2163 2164 return av; 2165 } 2166 2167 /* 2168 * Convert a file to an access vector and include the correct open 2169 * open permission. 2170 */ 2171 static inline u32 open_file_to_av(struct file *file) 2172 { 2173 u32 av = file_to_av(file); 2174 struct inode *inode = file_inode(file); 2175 2176 if (selinux_policycap_openperm() && 2177 inode->i_sb->s_magic != SOCKFS_MAGIC) 2178 av |= FILE__OPEN; 2179 2180 return av; 2181 } 2182 2183 /* Hook functions begin here. */ 2184 2185 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2186 { 2187 u32 mysid = current_sid(); 2188 u32 mgrsid = task_sid(mgr); 2189 2190 return avc_has_perm(&selinux_state, 2191 mysid, mgrsid, SECCLASS_BINDER, 2192 BINDER__SET_CONTEXT_MGR, NULL); 2193 } 2194 2195 static int selinux_binder_transaction(struct task_struct *from, 2196 struct task_struct *to) 2197 { 2198 u32 mysid = current_sid(); 2199 u32 fromsid = task_sid(from); 2200 u32 tosid = task_sid(to); 2201 int rc; 2202 2203 if (mysid != fromsid) { 2204 rc = avc_has_perm(&selinux_state, 2205 mysid, fromsid, SECCLASS_BINDER, 2206 BINDER__IMPERSONATE, NULL); 2207 if (rc) 2208 return rc; 2209 } 2210 2211 return avc_has_perm(&selinux_state, 2212 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2213 NULL); 2214 } 2215 2216 static int selinux_binder_transfer_binder(struct task_struct *from, 2217 struct task_struct *to) 2218 { 2219 u32 fromsid = task_sid(from); 2220 u32 tosid = task_sid(to); 2221 2222 return avc_has_perm(&selinux_state, 2223 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2224 NULL); 2225 } 2226 2227 static int selinux_binder_transfer_file(struct task_struct *from, 2228 struct task_struct *to, 2229 struct file *file) 2230 { 2231 u32 sid = task_sid(to); 2232 struct file_security_struct *fsec = file->f_security; 2233 struct dentry *dentry = file->f_path.dentry; 2234 struct inode_security_struct *isec; 2235 struct common_audit_data ad; 2236 int rc; 2237 2238 ad.type = LSM_AUDIT_DATA_PATH; 2239 ad.u.path = file->f_path; 2240 2241 if (sid != fsec->sid) { 2242 rc = avc_has_perm(&selinux_state, 2243 sid, fsec->sid, 2244 SECCLASS_FD, 2245 FD__USE, 2246 &ad); 2247 if (rc) 2248 return rc; 2249 } 2250 2251 #ifdef CONFIG_BPF_SYSCALL 2252 rc = bpf_fd_pass(file, sid); 2253 if (rc) 2254 return rc; 2255 #endif 2256 2257 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2258 return 0; 2259 2260 isec = backing_inode_security(dentry); 2261 return avc_has_perm(&selinux_state, 2262 sid, isec->sid, isec->sclass, file_to_av(file), 2263 &ad); 2264 } 2265 2266 static int selinux_ptrace_access_check(struct task_struct *child, 2267 unsigned int mode) 2268 { 2269 u32 sid = current_sid(); 2270 u32 csid = task_sid(child); 2271 2272 if (mode & PTRACE_MODE_READ) 2273 return avc_has_perm(&selinux_state, 2274 sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2275 2276 return avc_has_perm(&selinux_state, 2277 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2278 } 2279 2280 static int selinux_ptrace_traceme(struct task_struct *parent) 2281 { 2282 return avc_has_perm(&selinux_state, 2283 task_sid(parent), current_sid(), SECCLASS_PROCESS, 2284 PROCESS__PTRACE, NULL); 2285 } 2286 2287 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2288 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2289 { 2290 return avc_has_perm(&selinux_state, 2291 current_sid(), task_sid(target), SECCLASS_PROCESS, 2292 PROCESS__GETCAP, NULL); 2293 } 2294 2295 static int selinux_capset(struct cred *new, const struct cred *old, 2296 const kernel_cap_t *effective, 2297 const kernel_cap_t *inheritable, 2298 const kernel_cap_t *permitted) 2299 { 2300 return avc_has_perm(&selinux_state, 2301 cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2302 PROCESS__SETCAP, NULL); 2303 } 2304 2305 /* 2306 * (This comment used to live with the selinux_task_setuid hook, 2307 * which was removed). 2308 * 2309 * Since setuid only affects the current process, and since the SELinux 2310 * controls are not based on the Linux identity attributes, SELinux does not 2311 * need to control this operation. However, SELinux does control the use of 2312 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2313 */ 2314 2315 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2316 int cap, int audit) 2317 { 2318 return cred_has_capability(cred, cap, audit, ns == &init_user_ns); 2319 } 2320 2321 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2322 { 2323 const struct cred *cred = current_cred(); 2324 int rc = 0; 2325 2326 if (!sb) 2327 return 0; 2328 2329 switch (cmds) { 2330 case Q_SYNC: 2331 case Q_QUOTAON: 2332 case Q_QUOTAOFF: 2333 case Q_SETINFO: 2334 case Q_SETQUOTA: 2335 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2336 break; 2337 case Q_GETFMT: 2338 case Q_GETINFO: 2339 case Q_GETQUOTA: 2340 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2341 break; 2342 default: 2343 rc = 0; /* let the kernel handle invalid cmds */ 2344 break; 2345 } 2346 return rc; 2347 } 2348 2349 static int selinux_quota_on(struct dentry *dentry) 2350 { 2351 const struct cred *cred = current_cred(); 2352 2353 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2354 } 2355 2356 static int selinux_syslog(int type) 2357 { 2358 switch (type) { 2359 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2360 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2361 return avc_has_perm(&selinux_state, 2362 current_sid(), SECINITSID_KERNEL, 2363 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2364 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2365 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2366 /* Set level of messages printed to console */ 2367 case SYSLOG_ACTION_CONSOLE_LEVEL: 2368 return avc_has_perm(&selinux_state, 2369 current_sid(), SECINITSID_KERNEL, 2370 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2371 NULL); 2372 } 2373 /* All other syslog types */ 2374 return avc_has_perm(&selinux_state, 2375 current_sid(), SECINITSID_KERNEL, 2376 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2377 } 2378 2379 /* 2380 * Check that a process has enough memory to allocate a new virtual 2381 * mapping. 0 means there is enough memory for the allocation to 2382 * succeed and -ENOMEM implies there is not. 2383 * 2384 * Do not audit the selinux permission check, as this is applied to all 2385 * processes that allocate mappings. 2386 */ 2387 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2388 { 2389 int rc, cap_sys_admin = 0; 2390 2391 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2392 SECURITY_CAP_NOAUDIT, true); 2393 if (rc == 0) 2394 cap_sys_admin = 1; 2395 2396 return cap_sys_admin; 2397 } 2398 2399 /* binprm security operations */ 2400 2401 static u32 ptrace_parent_sid(void) 2402 { 2403 u32 sid = 0; 2404 struct task_struct *tracer; 2405 2406 rcu_read_lock(); 2407 tracer = ptrace_parent(current); 2408 if (tracer) 2409 sid = task_sid(tracer); 2410 rcu_read_unlock(); 2411 2412 return sid; 2413 } 2414 2415 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2416 const struct task_security_struct *old_tsec, 2417 const struct task_security_struct *new_tsec) 2418 { 2419 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2420 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2421 int rc; 2422 u32 av; 2423 2424 if (!nnp && !nosuid) 2425 return 0; /* neither NNP nor nosuid */ 2426 2427 if (new_tsec->sid == old_tsec->sid) 2428 return 0; /* No change in credentials */ 2429 2430 /* 2431 * If the policy enables the nnp_nosuid_transition policy capability, 2432 * then we permit transitions under NNP or nosuid if the 2433 * policy allows the corresponding permission between 2434 * the old and new contexts. 2435 */ 2436 if (selinux_policycap_nnp_nosuid_transition()) { 2437 av = 0; 2438 if (nnp) 2439 av |= PROCESS2__NNP_TRANSITION; 2440 if (nosuid) 2441 av |= PROCESS2__NOSUID_TRANSITION; 2442 rc = avc_has_perm(&selinux_state, 2443 old_tsec->sid, new_tsec->sid, 2444 SECCLASS_PROCESS2, av, NULL); 2445 if (!rc) 2446 return 0; 2447 } 2448 2449 /* 2450 * We also permit NNP or nosuid transitions to bounded SIDs, 2451 * i.e. SIDs that are guaranteed to only be allowed a subset 2452 * of the permissions of the current SID. 2453 */ 2454 rc = security_bounded_transition(&selinux_state, old_tsec->sid, 2455 new_tsec->sid); 2456 if (!rc) 2457 return 0; 2458 2459 /* 2460 * On failure, preserve the errno values for NNP vs nosuid. 2461 * NNP: Operation not permitted for caller. 2462 * nosuid: Permission denied to file. 2463 */ 2464 if (nnp) 2465 return -EPERM; 2466 return -EACCES; 2467 } 2468 2469 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2470 { 2471 const struct task_security_struct *old_tsec; 2472 struct task_security_struct *new_tsec; 2473 struct inode_security_struct *isec; 2474 struct common_audit_data ad; 2475 struct inode *inode = file_inode(bprm->file); 2476 int rc; 2477 2478 /* SELinux context only depends on initial program or script and not 2479 * the script interpreter */ 2480 if (bprm->called_set_creds) 2481 return 0; 2482 2483 old_tsec = current_security(); 2484 new_tsec = bprm->cred->security; 2485 isec = inode_security(inode); 2486 2487 /* Default to the current task SID. */ 2488 new_tsec->sid = old_tsec->sid; 2489 new_tsec->osid = old_tsec->sid; 2490 2491 /* Reset fs, key, and sock SIDs on execve. */ 2492 new_tsec->create_sid = 0; 2493 new_tsec->keycreate_sid = 0; 2494 new_tsec->sockcreate_sid = 0; 2495 2496 if (old_tsec->exec_sid) { 2497 new_tsec->sid = old_tsec->exec_sid; 2498 /* Reset exec SID on execve. */ 2499 new_tsec->exec_sid = 0; 2500 2501 /* Fail on NNP or nosuid if not an allowed transition. */ 2502 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2503 if (rc) 2504 return rc; 2505 } else { 2506 /* Check for a default transition on this program. */ 2507 rc = security_transition_sid(&selinux_state, old_tsec->sid, 2508 isec->sid, SECCLASS_PROCESS, NULL, 2509 &new_tsec->sid); 2510 if (rc) 2511 return rc; 2512 2513 /* 2514 * Fallback to old SID on NNP or nosuid if not an allowed 2515 * transition. 2516 */ 2517 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2518 if (rc) 2519 new_tsec->sid = old_tsec->sid; 2520 } 2521 2522 ad.type = LSM_AUDIT_DATA_FILE; 2523 ad.u.file = bprm->file; 2524 2525 if (new_tsec->sid == old_tsec->sid) { 2526 rc = avc_has_perm(&selinux_state, 2527 old_tsec->sid, isec->sid, 2528 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2529 if (rc) 2530 return rc; 2531 } else { 2532 /* Check permissions for the transition. */ 2533 rc = avc_has_perm(&selinux_state, 2534 old_tsec->sid, new_tsec->sid, 2535 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2536 if (rc) 2537 return rc; 2538 2539 rc = avc_has_perm(&selinux_state, 2540 new_tsec->sid, isec->sid, 2541 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2542 if (rc) 2543 return rc; 2544 2545 /* Check for shared state */ 2546 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2547 rc = avc_has_perm(&selinux_state, 2548 old_tsec->sid, new_tsec->sid, 2549 SECCLASS_PROCESS, PROCESS__SHARE, 2550 NULL); 2551 if (rc) 2552 return -EPERM; 2553 } 2554 2555 /* Make sure that anyone attempting to ptrace over a task that 2556 * changes its SID has the appropriate permit */ 2557 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2558 u32 ptsid = ptrace_parent_sid(); 2559 if (ptsid != 0) { 2560 rc = avc_has_perm(&selinux_state, 2561 ptsid, new_tsec->sid, 2562 SECCLASS_PROCESS, 2563 PROCESS__PTRACE, NULL); 2564 if (rc) 2565 return -EPERM; 2566 } 2567 } 2568 2569 /* Clear any possibly unsafe personality bits on exec: */ 2570 bprm->per_clear |= PER_CLEAR_ON_SETID; 2571 2572 /* Enable secure mode for SIDs transitions unless 2573 the noatsecure permission is granted between 2574 the two SIDs, i.e. ahp returns 0. */ 2575 rc = avc_has_perm(&selinux_state, 2576 old_tsec->sid, new_tsec->sid, 2577 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2578 NULL); 2579 bprm->secureexec |= !!rc; 2580 } 2581 2582 return 0; 2583 } 2584 2585 static int match_file(const void *p, struct file *file, unsigned fd) 2586 { 2587 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2588 } 2589 2590 /* Derived from fs/exec.c:flush_old_files. */ 2591 static inline void flush_unauthorized_files(const struct cred *cred, 2592 struct files_struct *files) 2593 { 2594 struct file *file, *devnull = NULL; 2595 struct tty_struct *tty; 2596 int drop_tty = 0; 2597 unsigned n; 2598 2599 tty = get_current_tty(); 2600 if (tty) { 2601 spin_lock(&tty->files_lock); 2602 if (!list_empty(&tty->tty_files)) { 2603 struct tty_file_private *file_priv; 2604 2605 /* Revalidate access to controlling tty. 2606 Use file_path_has_perm on the tty path directly 2607 rather than using file_has_perm, as this particular 2608 open file may belong to another process and we are 2609 only interested in the inode-based check here. */ 2610 file_priv = list_first_entry(&tty->tty_files, 2611 struct tty_file_private, list); 2612 file = file_priv->file; 2613 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2614 drop_tty = 1; 2615 } 2616 spin_unlock(&tty->files_lock); 2617 tty_kref_put(tty); 2618 } 2619 /* Reset controlling tty. */ 2620 if (drop_tty) 2621 no_tty(); 2622 2623 /* Revalidate access to inherited open files. */ 2624 n = iterate_fd(files, 0, match_file, cred); 2625 if (!n) /* none found? */ 2626 return; 2627 2628 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2629 if (IS_ERR(devnull)) 2630 devnull = NULL; 2631 /* replace all the matching ones with this */ 2632 do { 2633 replace_fd(n - 1, devnull, 0); 2634 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2635 if (devnull) 2636 fput(devnull); 2637 } 2638 2639 /* 2640 * Prepare a process for imminent new credential changes due to exec 2641 */ 2642 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2643 { 2644 struct task_security_struct *new_tsec; 2645 struct rlimit *rlim, *initrlim; 2646 int rc, i; 2647 2648 new_tsec = bprm->cred->security; 2649 if (new_tsec->sid == new_tsec->osid) 2650 return; 2651 2652 /* Close files for which the new task SID is not authorized. */ 2653 flush_unauthorized_files(bprm->cred, current->files); 2654 2655 /* Always clear parent death signal on SID transitions. */ 2656 current->pdeath_signal = 0; 2657 2658 /* Check whether the new SID can inherit resource limits from the old 2659 * SID. If not, reset all soft limits to the lower of the current 2660 * task's hard limit and the init task's soft limit. 2661 * 2662 * Note that the setting of hard limits (even to lower them) can be 2663 * controlled by the setrlimit check. The inclusion of the init task's 2664 * soft limit into the computation is to avoid resetting soft limits 2665 * higher than the default soft limit for cases where the default is 2666 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2667 */ 2668 rc = avc_has_perm(&selinux_state, 2669 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2670 PROCESS__RLIMITINH, NULL); 2671 if (rc) { 2672 /* protect against do_prlimit() */ 2673 task_lock(current); 2674 for (i = 0; i < RLIM_NLIMITS; i++) { 2675 rlim = current->signal->rlim + i; 2676 initrlim = init_task.signal->rlim + i; 2677 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2678 } 2679 task_unlock(current); 2680 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2681 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2682 } 2683 } 2684 2685 /* 2686 * Clean up the process immediately after the installation of new credentials 2687 * due to exec 2688 */ 2689 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2690 { 2691 const struct task_security_struct *tsec = current_security(); 2692 struct itimerval itimer; 2693 u32 osid, sid; 2694 int rc, i; 2695 2696 osid = tsec->osid; 2697 sid = tsec->sid; 2698 2699 if (sid == osid) 2700 return; 2701 2702 /* Check whether the new SID can inherit signal state from the old SID. 2703 * If not, clear itimers to avoid subsequent signal generation and 2704 * flush and unblock signals. 2705 * 2706 * This must occur _after_ the task SID has been updated so that any 2707 * kill done after the flush will be checked against the new SID. 2708 */ 2709 rc = avc_has_perm(&selinux_state, 2710 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2711 if (rc) { 2712 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2713 memset(&itimer, 0, sizeof itimer); 2714 for (i = 0; i < 3; i++) 2715 do_setitimer(i, &itimer, NULL); 2716 } 2717 spin_lock_irq(¤t->sighand->siglock); 2718 if (!fatal_signal_pending(current)) { 2719 flush_sigqueue(¤t->pending); 2720 flush_sigqueue(¤t->signal->shared_pending); 2721 flush_signal_handlers(current, 1); 2722 sigemptyset(¤t->blocked); 2723 recalc_sigpending(); 2724 } 2725 spin_unlock_irq(¤t->sighand->siglock); 2726 } 2727 2728 /* Wake up the parent if it is waiting so that it can recheck 2729 * wait permission to the new task SID. */ 2730 read_lock(&tasklist_lock); 2731 __wake_up_parent(current, current->real_parent); 2732 read_unlock(&tasklist_lock); 2733 } 2734 2735 /* superblock security operations */ 2736 2737 static int selinux_sb_alloc_security(struct super_block *sb) 2738 { 2739 return superblock_alloc_security(sb); 2740 } 2741 2742 static void selinux_sb_free_security(struct super_block *sb) 2743 { 2744 superblock_free_security(sb); 2745 } 2746 2747 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2748 { 2749 if (plen > olen) 2750 return 0; 2751 2752 return !memcmp(prefix, option, plen); 2753 } 2754 2755 static inline int selinux_option(char *option, int len) 2756 { 2757 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2758 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2759 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2760 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || 2761 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); 2762 } 2763 2764 static inline void take_option(char **to, char *from, int *first, int len) 2765 { 2766 if (!*first) { 2767 **to = ','; 2768 *to += 1; 2769 } else 2770 *first = 0; 2771 memcpy(*to, from, len); 2772 *to += len; 2773 } 2774 2775 static inline void take_selinux_option(char **to, char *from, int *first, 2776 int len) 2777 { 2778 int current_size = 0; 2779 2780 if (!*first) { 2781 **to = '|'; 2782 *to += 1; 2783 } else 2784 *first = 0; 2785 2786 while (current_size < len) { 2787 if (*from != '"') { 2788 **to = *from; 2789 *to += 1; 2790 } 2791 from += 1; 2792 current_size += 1; 2793 } 2794 } 2795 2796 static int selinux_sb_copy_data(char *orig, char *copy) 2797 { 2798 int fnosec, fsec, rc = 0; 2799 char *in_save, *in_curr, *in_end; 2800 char *sec_curr, *nosec_save, *nosec; 2801 int open_quote = 0; 2802 2803 in_curr = orig; 2804 sec_curr = copy; 2805 2806 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2807 if (!nosec) { 2808 rc = -ENOMEM; 2809 goto out; 2810 } 2811 2812 nosec_save = nosec; 2813 fnosec = fsec = 1; 2814 in_save = in_end = orig; 2815 2816 do { 2817 if (*in_end == '"') 2818 open_quote = !open_quote; 2819 if ((*in_end == ',' && open_quote == 0) || 2820 *in_end == '\0') { 2821 int len = in_end - in_curr; 2822 2823 if (selinux_option(in_curr, len)) 2824 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2825 else 2826 take_option(&nosec, in_curr, &fnosec, len); 2827 2828 in_curr = in_end + 1; 2829 } 2830 } while (*in_end++); 2831 2832 strcpy(in_save, nosec_save); 2833 free_page((unsigned long)nosec_save); 2834 out: 2835 return rc; 2836 } 2837 2838 static int selinux_sb_remount(struct super_block *sb, void *data) 2839 { 2840 int rc, i, *flags; 2841 struct security_mnt_opts opts; 2842 char *secdata, **mount_options; 2843 struct superblock_security_struct *sbsec = sb->s_security; 2844 2845 if (!(sbsec->flags & SE_SBINITIALIZED)) 2846 return 0; 2847 2848 if (!data) 2849 return 0; 2850 2851 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 2852 return 0; 2853 2854 security_init_mnt_opts(&opts); 2855 secdata = alloc_secdata(); 2856 if (!secdata) 2857 return -ENOMEM; 2858 rc = selinux_sb_copy_data(data, secdata); 2859 if (rc) 2860 goto out_free_secdata; 2861 2862 rc = selinux_parse_opts_str(secdata, &opts); 2863 if (rc) 2864 goto out_free_secdata; 2865 2866 mount_options = opts.mnt_opts; 2867 flags = opts.mnt_opts_flags; 2868 2869 for (i = 0; i < opts.num_mnt_opts; i++) { 2870 u32 sid; 2871 2872 if (flags[i] == SBLABEL_MNT) 2873 continue; 2874 rc = security_context_str_to_sid(&selinux_state, 2875 mount_options[i], &sid, 2876 GFP_KERNEL); 2877 if (rc) { 2878 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 2879 "(%s) failed for (dev %s, type %s) errno=%d\n", 2880 mount_options[i], sb->s_id, sb->s_type->name, rc); 2881 goto out_free_opts; 2882 } 2883 rc = -EINVAL; 2884 switch (flags[i]) { 2885 case FSCONTEXT_MNT: 2886 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2887 goto out_bad_option; 2888 break; 2889 case CONTEXT_MNT: 2890 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2891 goto out_bad_option; 2892 break; 2893 case ROOTCONTEXT_MNT: { 2894 struct inode_security_struct *root_isec; 2895 root_isec = backing_inode_security(sb->s_root); 2896 2897 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2898 goto out_bad_option; 2899 break; 2900 } 2901 case DEFCONTEXT_MNT: 2902 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2903 goto out_bad_option; 2904 break; 2905 default: 2906 goto out_free_opts; 2907 } 2908 } 2909 2910 rc = 0; 2911 out_free_opts: 2912 security_free_mnt_opts(&opts); 2913 out_free_secdata: 2914 free_secdata(secdata); 2915 return rc; 2916 out_bad_option: 2917 printk(KERN_WARNING "SELinux: unable to change security options " 2918 "during remount (dev %s, type=%s)\n", sb->s_id, 2919 sb->s_type->name); 2920 goto out_free_opts; 2921 } 2922 2923 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2924 { 2925 const struct cred *cred = current_cred(); 2926 struct common_audit_data ad; 2927 int rc; 2928 2929 rc = superblock_doinit(sb, data); 2930 if (rc) 2931 return rc; 2932 2933 /* Allow all mounts performed by the kernel */ 2934 if (flags & MS_KERNMOUNT) 2935 return 0; 2936 2937 ad.type = LSM_AUDIT_DATA_DENTRY; 2938 ad.u.dentry = sb->s_root; 2939 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2940 } 2941 2942 static int selinux_sb_statfs(struct dentry *dentry) 2943 { 2944 const struct cred *cred = current_cred(); 2945 struct common_audit_data ad; 2946 2947 ad.type = LSM_AUDIT_DATA_DENTRY; 2948 ad.u.dentry = dentry->d_sb->s_root; 2949 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2950 } 2951 2952 static int selinux_mount(const char *dev_name, 2953 const struct path *path, 2954 const char *type, 2955 unsigned long flags, 2956 void *data) 2957 { 2958 const struct cred *cred = current_cred(); 2959 2960 if (flags & MS_REMOUNT) 2961 return superblock_has_perm(cred, path->dentry->d_sb, 2962 FILESYSTEM__REMOUNT, NULL); 2963 else 2964 return path_has_perm(cred, path, FILE__MOUNTON); 2965 } 2966 2967 static int selinux_umount(struct vfsmount *mnt, int flags) 2968 { 2969 const struct cred *cred = current_cred(); 2970 2971 return superblock_has_perm(cred, mnt->mnt_sb, 2972 FILESYSTEM__UNMOUNT, NULL); 2973 } 2974 2975 /* inode security operations */ 2976 2977 static int selinux_inode_alloc_security(struct inode *inode) 2978 { 2979 return inode_alloc_security(inode); 2980 } 2981 2982 static void selinux_inode_free_security(struct inode *inode) 2983 { 2984 inode_free_security(inode); 2985 } 2986 2987 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2988 const struct qstr *name, void **ctx, 2989 u32 *ctxlen) 2990 { 2991 u32 newsid; 2992 int rc; 2993 2994 rc = selinux_determine_inode_label(current_security(), 2995 d_inode(dentry->d_parent), name, 2996 inode_mode_to_security_class(mode), 2997 &newsid); 2998 if (rc) 2999 return rc; 3000 3001 return security_sid_to_context(&selinux_state, newsid, (char **)ctx, 3002 ctxlen); 3003 } 3004 3005 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 3006 struct qstr *name, 3007 const struct cred *old, 3008 struct cred *new) 3009 { 3010 u32 newsid; 3011 int rc; 3012 struct task_security_struct *tsec; 3013 3014 rc = selinux_determine_inode_label(old->security, 3015 d_inode(dentry->d_parent), name, 3016 inode_mode_to_security_class(mode), 3017 &newsid); 3018 if (rc) 3019 return rc; 3020 3021 tsec = new->security; 3022 tsec->create_sid = newsid; 3023 return 0; 3024 } 3025 3026 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 3027 const struct qstr *qstr, 3028 const char **name, 3029 void **value, size_t *len) 3030 { 3031 const struct task_security_struct *tsec = current_security(); 3032 struct superblock_security_struct *sbsec; 3033 u32 newsid, clen; 3034 int rc; 3035 char *context; 3036 3037 sbsec = dir->i_sb->s_security; 3038 3039 newsid = tsec->create_sid; 3040 3041 rc = selinux_determine_inode_label(current_security(), 3042 dir, qstr, 3043 inode_mode_to_security_class(inode->i_mode), 3044 &newsid); 3045 if (rc) 3046 return rc; 3047 3048 /* Possibly defer initialization to selinux_complete_init. */ 3049 if (sbsec->flags & SE_SBINITIALIZED) { 3050 struct inode_security_struct *isec = inode->i_security; 3051 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3052 isec->sid = newsid; 3053 isec->initialized = LABEL_INITIALIZED; 3054 } 3055 3056 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT)) 3057 return -EOPNOTSUPP; 3058 3059 if (name) 3060 *name = XATTR_SELINUX_SUFFIX; 3061 3062 if (value && len) { 3063 rc = security_sid_to_context_force(&selinux_state, newsid, 3064 &context, &clen); 3065 if (rc) 3066 return rc; 3067 *value = context; 3068 *len = clen; 3069 } 3070 3071 return 0; 3072 } 3073 3074 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 3075 { 3076 return may_create(dir, dentry, SECCLASS_FILE); 3077 } 3078 3079 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 3080 { 3081 return may_link(dir, old_dentry, MAY_LINK); 3082 } 3083 3084 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 3085 { 3086 return may_link(dir, dentry, MAY_UNLINK); 3087 } 3088 3089 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 3090 { 3091 return may_create(dir, dentry, SECCLASS_LNK_FILE); 3092 } 3093 3094 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 3095 { 3096 return may_create(dir, dentry, SECCLASS_DIR); 3097 } 3098 3099 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 3100 { 3101 return may_link(dir, dentry, MAY_RMDIR); 3102 } 3103 3104 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 3105 { 3106 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 3107 } 3108 3109 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3110 struct inode *new_inode, struct dentry *new_dentry) 3111 { 3112 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3113 } 3114 3115 static int selinux_inode_readlink(struct dentry *dentry) 3116 { 3117 const struct cred *cred = current_cred(); 3118 3119 return dentry_has_perm(cred, dentry, FILE__READ); 3120 } 3121 3122 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3123 bool rcu) 3124 { 3125 const struct cred *cred = current_cred(); 3126 struct common_audit_data ad; 3127 struct inode_security_struct *isec; 3128 u32 sid; 3129 3130 validate_creds(cred); 3131 3132 ad.type = LSM_AUDIT_DATA_DENTRY; 3133 ad.u.dentry = dentry; 3134 sid = cred_sid(cred); 3135 isec = inode_security_rcu(inode, rcu); 3136 if (IS_ERR(isec)) 3137 return PTR_ERR(isec); 3138 3139 return avc_has_perm_flags(&selinux_state, 3140 sid, isec->sid, isec->sclass, FILE__READ, &ad, 3141 rcu ? MAY_NOT_BLOCK : 0); 3142 } 3143 3144 static noinline int audit_inode_permission(struct inode *inode, 3145 u32 perms, u32 audited, u32 denied, 3146 int result, 3147 unsigned flags) 3148 { 3149 struct common_audit_data ad; 3150 struct inode_security_struct *isec = inode->i_security; 3151 int rc; 3152 3153 ad.type = LSM_AUDIT_DATA_INODE; 3154 ad.u.inode = inode; 3155 3156 rc = slow_avc_audit(&selinux_state, 3157 current_sid(), isec->sid, isec->sclass, perms, 3158 audited, denied, result, &ad, flags); 3159 if (rc) 3160 return rc; 3161 return 0; 3162 } 3163 3164 static int selinux_inode_permission(struct inode *inode, int mask) 3165 { 3166 const struct cred *cred = current_cred(); 3167 u32 perms; 3168 bool from_access; 3169 unsigned flags = mask & MAY_NOT_BLOCK; 3170 struct inode_security_struct *isec; 3171 u32 sid; 3172 struct av_decision avd; 3173 int rc, rc2; 3174 u32 audited, denied; 3175 3176 from_access = mask & MAY_ACCESS; 3177 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3178 3179 /* No permission to check. Existence test. */ 3180 if (!mask) 3181 return 0; 3182 3183 validate_creds(cred); 3184 3185 if (unlikely(IS_PRIVATE(inode))) 3186 return 0; 3187 3188 perms = file_mask_to_av(inode->i_mode, mask); 3189 3190 sid = cred_sid(cred); 3191 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK); 3192 if (IS_ERR(isec)) 3193 return PTR_ERR(isec); 3194 3195 rc = avc_has_perm_noaudit(&selinux_state, 3196 sid, isec->sid, isec->sclass, perms, 0, &avd); 3197 audited = avc_audit_required(perms, &avd, rc, 3198 from_access ? FILE__AUDIT_ACCESS : 0, 3199 &denied); 3200 if (likely(!audited)) 3201 return rc; 3202 3203 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); 3204 if (rc2) 3205 return rc2; 3206 return rc; 3207 } 3208 3209 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3210 { 3211 const struct cred *cred = current_cred(); 3212 struct inode *inode = d_backing_inode(dentry); 3213 unsigned int ia_valid = iattr->ia_valid; 3214 __u32 av = FILE__WRITE; 3215 3216 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3217 if (ia_valid & ATTR_FORCE) { 3218 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3219 ATTR_FORCE); 3220 if (!ia_valid) 3221 return 0; 3222 } 3223 3224 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3225 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3226 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3227 3228 if (selinux_policycap_openperm() && 3229 inode->i_sb->s_magic != SOCKFS_MAGIC && 3230 (ia_valid & ATTR_SIZE) && 3231 !(ia_valid & ATTR_FILE)) 3232 av |= FILE__OPEN; 3233 3234 return dentry_has_perm(cred, dentry, av); 3235 } 3236 3237 static int selinux_inode_getattr(const struct path *path) 3238 { 3239 return path_has_perm(current_cred(), path, FILE__GETATTR); 3240 } 3241 3242 static bool has_cap_mac_admin(bool audit) 3243 { 3244 const struct cred *cred = current_cred(); 3245 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT; 3246 3247 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit)) 3248 return false; 3249 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true)) 3250 return false; 3251 return true; 3252 } 3253 3254 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3255 const void *value, size_t size, int flags) 3256 { 3257 struct inode *inode = d_backing_inode(dentry); 3258 struct inode_security_struct *isec; 3259 struct superblock_security_struct *sbsec; 3260 struct common_audit_data ad; 3261 u32 newsid, sid = current_sid(); 3262 int rc = 0; 3263 3264 if (strcmp(name, XATTR_NAME_SELINUX)) { 3265 rc = cap_inode_setxattr(dentry, name, value, size, flags); 3266 if (rc) 3267 return rc; 3268 3269 /* Not an attribute we recognize, so just check the 3270 ordinary setattr permission. */ 3271 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3272 } 3273 3274 sbsec = inode->i_sb->s_security; 3275 if (!(sbsec->flags & SBLABEL_MNT)) 3276 return -EOPNOTSUPP; 3277 3278 if (!inode_owner_or_capable(inode)) 3279 return -EPERM; 3280 3281 ad.type = LSM_AUDIT_DATA_DENTRY; 3282 ad.u.dentry = dentry; 3283 3284 isec = backing_inode_security(dentry); 3285 rc = avc_has_perm(&selinux_state, 3286 sid, isec->sid, isec->sclass, 3287 FILE__RELABELFROM, &ad); 3288 if (rc) 3289 return rc; 3290 3291 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3292 GFP_KERNEL); 3293 if (rc == -EINVAL) { 3294 if (!has_cap_mac_admin(true)) { 3295 struct audit_buffer *ab; 3296 size_t audit_size; 3297 3298 /* We strip a nul only if it is at the end, otherwise the 3299 * context contains a nul and we should audit that */ 3300 if (value) { 3301 const char *str = value; 3302 3303 if (str[size - 1] == '\0') 3304 audit_size = size - 1; 3305 else 3306 audit_size = size; 3307 } else { 3308 audit_size = 0; 3309 } 3310 ab = audit_log_start(audit_context(), 3311 GFP_ATOMIC, AUDIT_SELINUX_ERR); 3312 audit_log_format(ab, "op=setxattr invalid_context="); 3313 audit_log_n_untrustedstring(ab, value, audit_size); 3314 audit_log_end(ab); 3315 3316 return rc; 3317 } 3318 rc = security_context_to_sid_force(&selinux_state, value, 3319 size, &newsid); 3320 } 3321 if (rc) 3322 return rc; 3323 3324 rc = avc_has_perm(&selinux_state, 3325 sid, newsid, isec->sclass, 3326 FILE__RELABELTO, &ad); 3327 if (rc) 3328 return rc; 3329 3330 rc = security_validate_transition(&selinux_state, isec->sid, newsid, 3331 sid, isec->sclass); 3332 if (rc) 3333 return rc; 3334 3335 return avc_has_perm(&selinux_state, 3336 newsid, 3337 sbsec->sid, 3338 SECCLASS_FILESYSTEM, 3339 FILESYSTEM__ASSOCIATE, 3340 &ad); 3341 } 3342 3343 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3344 const void *value, size_t size, 3345 int flags) 3346 { 3347 struct inode *inode = d_backing_inode(dentry); 3348 struct inode_security_struct *isec; 3349 u32 newsid; 3350 int rc; 3351 3352 if (strcmp(name, XATTR_NAME_SELINUX)) { 3353 /* Not an attribute we recognize, so nothing to do. */ 3354 return; 3355 } 3356 3357 rc = security_context_to_sid_force(&selinux_state, value, size, 3358 &newsid); 3359 if (rc) { 3360 printk(KERN_ERR "SELinux: unable to map context to SID" 3361 "for (%s, %lu), rc=%d\n", 3362 inode->i_sb->s_id, inode->i_ino, -rc); 3363 return; 3364 } 3365 3366 isec = backing_inode_security(dentry); 3367 spin_lock(&isec->lock); 3368 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3369 isec->sid = newsid; 3370 isec->initialized = LABEL_INITIALIZED; 3371 spin_unlock(&isec->lock); 3372 3373 return; 3374 } 3375 3376 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3377 { 3378 const struct cred *cred = current_cred(); 3379 3380 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3381 } 3382 3383 static int selinux_inode_listxattr(struct dentry *dentry) 3384 { 3385 const struct cred *cred = current_cred(); 3386 3387 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3388 } 3389 3390 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3391 { 3392 if (strcmp(name, XATTR_NAME_SELINUX)) { 3393 int rc = cap_inode_removexattr(dentry, name); 3394 if (rc) 3395 return rc; 3396 3397 /* Not an attribute we recognize, so just check the 3398 ordinary setattr permission. */ 3399 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3400 } 3401 3402 /* No one is allowed to remove a SELinux security label. 3403 You can change the label, but all data must be labeled. */ 3404 return -EACCES; 3405 } 3406 3407 /* 3408 * Copy the inode security context value to the user. 3409 * 3410 * Permission check is handled by selinux_inode_getxattr hook. 3411 */ 3412 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3413 { 3414 u32 size; 3415 int error; 3416 char *context = NULL; 3417 struct inode_security_struct *isec; 3418 3419 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3420 return -EOPNOTSUPP; 3421 3422 /* 3423 * If the caller has CAP_MAC_ADMIN, then get the raw context 3424 * value even if it is not defined by current policy; otherwise, 3425 * use the in-core value under current policy. 3426 * Use the non-auditing forms of the permission checks since 3427 * getxattr may be called by unprivileged processes commonly 3428 * and lack of permission just means that we fall back to the 3429 * in-core context value, not a denial. 3430 */ 3431 isec = inode_security(inode); 3432 if (has_cap_mac_admin(false)) 3433 error = security_sid_to_context_force(&selinux_state, 3434 isec->sid, &context, 3435 &size); 3436 else 3437 error = security_sid_to_context(&selinux_state, isec->sid, 3438 &context, &size); 3439 if (error) 3440 return error; 3441 error = size; 3442 if (alloc) { 3443 *buffer = context; 3444 goto out_nofree; 3445 } 3446 kfree(context); 3447 out_nofree: 3448 return error; 3449 } 3450 3451 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3452 const void *value, size_t size, int flags) 3453 { 3454 struct inode_security_struct *isec = inode_security_novalidate(inode); 3455 u32 newsid; 3456 int rc; 3457 3458 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3459 return -EOPNOTSUPP; 3460 3461 if (!value || !size) 3462 return -EACCES; 3463 3464 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3465 GFP_KERNEL); 3466 if (rc) 3467 return rc; 3468 3469 spin_lock(&isec->lock); 3470 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3471 isec->sid = newsid; 3472 isec->initialized = LABEL_INITIALIZED; 3473 spin_unlock(&isec->lock); 3474 return 0; 3475 } 3476 3477 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3478 { 3479 const int len = sizeof(XATTR_NAME_SELINUX); 3480 if (buffer && len <= buffer_size) 3481 memcpy(buffer, XATTR_NAME_SELINUX, len); 3482 return len; 3483 } 3484 3485 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3486 { 3487 struct inode_security_struct *isec = inode_security_novalidate(inode); 3488 *secid = isec->sid; 3489 } 3490 3491 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3492 { 3493 u32 sid; 3494 struct task_security_struct *tsec; 3495 struct cred *new_creds = *new; 3496 3497 if (new_creds == NULL) { 3498 new_creds = prepare_creds(); 3499 if (!new_creds) 3500 return -ENOMEM; 3501 } 3502 3503 tsec = new_creds->security; 3504 /* Get label from overlay inode and set it in create_sid */ 3505 selinux_inode_getsecid(d_inode(src), &sid); 3506 tsec->create_sid = sid; 3507 *new = new_creds; 3508 return 0; 3509 } 3510 3511 static int selinux_inode_copy_up_xattr(const char *name) 3512 { 3513 /* The copy_up hook above sets the initial context on an inode, but we 3514 * don't then want to overwrite it by blindly copying all the lower 3515 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3516 */ 3517 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3518 return 1; /* Discard */ 3519 /* 3520 * Any other attribute apart from SELINUX is not claimed, supported 3521 * by selinux. 3522 */ 3523 return -EOPNOTSUPP; 3524 } 3525 3526 /* file security operations */ 3527 3528 static int selinux_revalidate_file_permission(struct file *file, int mask) 3529 { 3530 const struct cred *cred = current_cred(); 3531 struct inode *inode = file_inode(file); 3532 3533 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3534 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3535 mask |= MAY_APPEND; 3536 3537 return file_has_perm(cred, file, 3538 file_mask_to_av(inode->i_mode, mask)); 3539 } 3540 3541 static int selinux_file_permission(struct file *file, int mask) 3542 { 3543 struct inode *inode = file_inode(file); 3544 struct file_security_struct *fsec = file->f_security; 3545 struct inode_security_struct *isec; 3546 u32 sid = current_sid(); 3547 3548 if (!mask) 3549 /* No permission to check. Existence test. */ 3550 return 0; 3551 3552 isec = inode_security(inode); 3553 if (sid == fsec->sid && fsec->isid == isec->sid && 3554 fsec->pseqno == avc_policy_seqno(&selinux_state)) 3555 /* No change since file_open check. */ 3556 return 0; 3557 3558 return selinux_revalidate_file_permission(file, mask); 3559 } 3560 3561 static int selinux_file_alloc_security(struct file *file) 3562 { 3563 return file_alloc_security(file); 3564 } 3565 3566 static void selinux_file_free_security(struct file *file) 3567 { 3568 file_free_security(file); 3569 } 3570 3571 /* 3572 * Check whether a task has the ioctl permission and cmd 3573 * operation to an inode. 3574 */ 3575 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3576 u32 requested, u16 cmd) 3577 { 3578 struct common_audit_data ad; 3579 struct file_security_struct *fsec = file->f_security; 3580 struct inode *inode = file_inode(file); 3581 struct inode_security_struct *isec; 3582 struct lsm_ioctlop_audit ioctl; 3583 u32 ssid = cred_sid(cred); 3584 int rc; 3585 u8 driver = cmd >> 8; 3586 u8 xperm = cmd & 0xff; 3587 3588 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3589 ad.u.op = &ioctl; 3590 ad.u.op->cmd = cmd; 3591 ad.u.op->path = file->f_path; 3592 3593 if (ssid != fsec->sid) { 3594 rc = avc_has_perm(&selinux_state, 3595 ssid, fsec->sid, 3596 SECCLASS_FD, 3597 FD__USE, 3598 &ad); 3599 if (rc) 3600 goto out; 3601 } 3602 3603 if (unlikely(IS_PRIVATE(inode))) 3604 return 0; 3605 3606 isec = inode_security(inode); 3607 rc = avc_has_extended_perms(&selinux_state, 3608 ssid, isec->sid, isec->sclass, 3609 requested, driver, xperm, &ad); 3610 out: 3611 return rc; 3612 } 3613 3614 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3615 unsigned long arg) 3616 { 3617 const struct cred *cred = current_cred(); 3618 int error = 0; 3619 3620 switch (cmd) { 3621 case FIONREAD: 3622 /* fall through */ 3623 case FIBMAP: 3624 /* fall through */ 3625 case FIGETBSZ: 3626 /* fall through */ 3627 case FS_IOC_GETFLAGS: 3628 /* fall through */ 3629 case FS_IOC_GETVERSION: 3630 error = file_has_perm(cred, file, FILE__GETATTR); 3631 break; 3632 3633 case FS_IOC_SETFLAGS: 3634 /* fall through */ 3635 case FS_IOC_SETVERSION: 3636 error = file_has_perm(cred, file, FILE__SETATTR); 3637 break; 3638 3639 /* sys_ioctl() checks */ 3640 case FIONBIO: 3641 /* fall through */ 3642 case FIOASYNC: 3643 error = file_has_perm(cred, file, 0); 3644 break; 3645 3646 case KDSKBENT: 3647 case KDSKBSENT: 3648 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3649 SECURITY_CAP_AUDIT, true); 3650 break; 3651 3652 /* default case assumes that the command will go 3653 * to the file's ioctl() function. 3654 */ 3655 default: 3656 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3657 } 3658 return error; 3659 } 3660 3661 static int default_noexec; 3662 3663 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3664 { 3665 const struct cred *cred = current_cred(); 3666 u32 sid = cred_sid(cred); 3667 int rc = 0; 3668 3669 if (default_noexec && 3670 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3671 (!shared && (prot & PROT_WRITE)))) { 3672 /* 3673 * We are making executable an anonymous mapping or a 3674 * private file mapping that will also be writable. 3675 * This has an additional check. 3676 */ 3677 rc = avc_has_perm(&selinux_state, 3678 sid, sid, SECCLASS_PROCESS, 3679 PROCESS__EXECMEM, NULL); 3680 if (rc) 3681 goto error; 3682 } 3683 3684 if (file) { 3685 /* read access is always possible with a mapping */ 3686 u32 av = FILE__READ; 3687 3688 /* write access only matters if the mapping is shared */ 3689 if (shared && (prot & PROT_WRITE)) 3690 av |= FILE__WRITE; 3691 3692 if (prot & PROT_EXEC) 3693 av |= FILE__EXECUTE; 3694 3695 return file_has_perm(cred, file, av); 3696 } 3697 3698 error: 3699 return rc; 3700 } 3701 3702 static int selinux_mmap_addr(unsigned long addr) 3703 { 3704 int rc = 0; 3705 3706 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3707 u32 sid = current_sid(); 3708 rc = avc_has_perm(&selinux_state, 3709 sid, sid, SECCLASS_MEMPROTECT, 3710 MEMPROTECT__MMAP_ZERO, NULL); 3711 } 3712 3713 return rc; 3714 } 3715 3716 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3717 unsigned long prot, unsigned long flags) 3718 { 3719 struct common_audit_data ad; 3720 int rc; 3721 3722 if (file) { 3723 ad.type = LSM_AUDIT_DATA_FILE; 3724 ad.u.file = file; 3725 rc = inode_has_perm(current_cred(), file_inode(file), 3726 FILE__MAP, &ad); 3727 if (rc) 3728 return rc; 3729 } 3730 3731 if (selinux_state.checkreqprot) 3732 prot = reqprot; 3733 3734 return file_map_prot_check(file, prot, 3735 (flags & MAP_TYPE) == MAP_SHARED); 3736 } 3737 3738 static int selinux_file_mprotect(struct vm_area_struct *vma, 3739 unsigned long reqprot, 3740 unsigned long prot) 3741 { 3742 const struct cred *cred = current_cred(); 3743 u32 sid = cred_sid(cred); 3744 3745 if (selinux_state.checkreqprot) 3746 prot = reqprot; 3747 3748 if (default_noexec && 3749 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3750 int rc = 0; 3751 if (vma->vm_start >= vma->vm_mm->start_brk && 3752 vma->vm_end <= vma->vm_mm->brk) { 3753 rc = avc_has_perm(&selinux_state, 3754 sid, sid, SECCLASS_PROCESS, 3755 PROCESS__EXECHEAP, NULL); 3756 } else if (!vma->vm_file && 3757 ((vma->vm_start <= vma->vm_mm->start_stack && 3758 vma->vm_end >= vma->vm_mm->start_stack) || 3759 vma_is_stack_for_current(vma))) { 3760 rc = avc_has_perm(&selinux_state, 3761 sid, sid, SECCLASS_PROCESS, 3762 PROCESS__EXECSTACK, NULL); 3763 } else if (vma->vm_file && vma->anon_vma) { 3764 /* 3765 * We are making executable a file mapping that has 3766 * had some COW done. Since pages might have been 3767 * written, check ability to execute the possibly 3768 * modified content. This typically should only 3769 * occur for text relocations. 3770 */ 3771 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3772 } 3773 if (rc) 3774 return rc; 3775 } 3776 3777 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3778 } 3779 3780 static int selinux_file_lock(struct file *file, unsigned int cmd) 3781 { 3782 const struct cred *cred = current_cred(); 3783 3784 return file_has_perm(cred, file, FILE__LOCK); 3785 } 3786 3787 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3788 unsigned long arg) 3789 { 3790 const struct cred *cred = current_cred(); 3791 int err = 0; 3792 3793 switch (cmd) { 3794 case F_SETFL: 3795 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3796 err = file_has_perm(cred, file, FILE__WRITE); 3797 break; 3798 } 3799 /* fall through */ 3800 case F_SETOWN: 3801 case F_SETSIG: 3802 case F_GETFL: 3803 case F_GETOWN: 3804 case F_GETSIG: 3805 case F_GETOWNER_UIDS: 3806 /* Just check FD__USE permission */ 3807 err = file_has_perm(cred, file, 0); 3808 break; 3809 case F_GETLK: 3810 case F_SETLK: 3811 case F_SETLKW: 3812 case F_OFD_GETLK: 3813 case F_OFD_SETLK: 3814 case F_OFD_SETLKW: 3815 #if BITS_PER_LONG == 32 3816 case F_GETLK64: 3817 case F_SETLK64: 3818 case F_SETLKW64: 3819 #endif 3820 err = file_has_perm(cred, file, FILE__LOCK); 3821 break; 3822 } 3823 3824 return err; 3825 } 3826 3827 static void selinux_file_set_fowner(struct file *file) 3828 { 3829 struct file_security_struct *fsec; 3830 3831 fsec = file->f_security; 3832 fsec->fown_sid = current_sid(); 3833 } 3834 3835 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3836 struct fown_struct *fown, int signum) 3837 { 3838 struct file *file; 3839 u32 sid = task_sid(tsk); 3840 u32 perm; 3841 struct file_security_struct *fsec; 3842 3843 /* struct fown_struct is never outside the context of a struct file */ 3844 file = container_of(fown, struct file, f_owner); 3845 3846 fsec = file->f_security; 3847 3848 if (!signum) 3849 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3850 else 3851 perm = signal_to_av(signum); 3852 3853 return avc_has_perm(&selinux_state, 3854 fsec->fown_sid, sid, 3855 SECCLASS_PROCESS, perm, NULL); 3856 } 3857 3858 static int selinux_file_receive(struct file *file) 3859 { 3860 const struct cred *cred = current_cred(); 3861 3862 return file_has_perm(cred, file, file_to_av(file)); 3863 } 3864 3865 static int selinux_file_open(struct file *file, const struct cred *cred) 3866 { 3867 struct file_security_struct *fsec; 3868 struct inode_security_struct *isec; 3869 3870 fsec = file->f_security; 3871 isec = inode_security(file_inode(file)); 3872 /* 3873 * Save inode label and policy sequence number 3874 * at open-time so that selinux_file_permission 3875 * can determine whether revalidation is necessary. 3876 * Task label is already saved in the file security 3877 * struct as its SID. 3878 */ 3879 fsec->isid = isec->sid; 3880 fsec->pseqno = avc_policy_seqno(&selinux_state); 3881 /* 3882 * Since the inode label or policy seqno may have changed 3883 * between the selinux_inode_permission check and the saving 3884 * of state above, recheck that access is still permitted. 3885 * Otherwise, access might never be revalidated against the 3886 * new inode label or new policy. 3887 * This check is not redundant - do not remove. 3888 */ 3889 return file_path_has_perm(cred, file, open_file_to_av(file)); 3890 } 3891 3892 /* task security operations */ 3893 3894 static int selinux_task_alloc(struct task_struct *task, 3895 unsigned long clone_flags) 3896 { 3897 u32 sid = current_sid(); 3898 3899 return avc_has_perm(&selinux_state, 3900 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3901 } 3902 3903 /* 3904 * allocate the SELinux part of blank credentials 3905 */ 3906 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3907 { 3908 struct task_security_struct *tsec; 3909 3910 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3911 if (!tsec) 3912 return -ENOMEM; 3913 3914 cred->security = tsec; 3915 return 0; 3916 } 3917 3918 /* 3919 * detach and free the LSM part of a set of credentials 3920 */ 3921 static void selinux_cred_free(struct cred *cred) 3922 { 3923 struct task_security_struct *tsec = cred->security; 3924 3925 /* 3926 * cred->security == NULL if security_cred_alloc_blank() or 3927 * security_prepare_creds() returned an error. 3928 */ 3929 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); 3930 cred->security = (void *) 0x7UL; 3931 kfree(tsec); 3932 } 3933 3934 /* 3935 * prepare a new set of credentials for modification 3936 */ 3937 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3938 gfp_t gfp) 3939 { 3940 const struct task_security_struct *old_tsec; 3941 struct task_security_struct *tsec; 3942 3943 old_tsec = old->security; 3944 3945 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3946 if (!tsec) 3947 return -ENOMEM; 3948 3949 new->security = tsec; 3950 return 0; 3951 } 3952 3953 /* 3954 * transfer the SELinux data to a blank set of creds 3955 */ 3956 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3957 { 3958 const struct task_security_struct *old_tsec = old->security; 3959 struct task_security_struct *tsec = new->security; 3960 3961 *tsec = *old_tsec; 3962 } 3963 3964 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 3965 { 3966 *secid = cred_sid(c); 3967 } 3968 3969 /* 3970 * set the security data for a kernel service 3971 * - all the creation contexts are set to unlabelled 3972 */ 3973 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3974 { 3975 struct task_security_struct *tsec = new->security; 3976 u32 sid = current_sid(); 3977 int ret; 3978 3979 ret = avc_has_perm(&selinux_state, 3980 sid, secid, 3981 SECCLASS_KERNEL_SERVICE, 3982 KERNEL_SERVICE__USE_AS_OVERRIDE, 3983 NULL); 3984 if (ret == 0) { 3985 tsec->sid = secid; 3986 tsec->create_sid = 0; 3987 tsec->keycreate_sid = 0; 3988 tsec->sockcreate_sid = 0; 3989 } 3990 return ret; 3991 } 3992 3993 /* 3994 * set the file creation context in a security record to the same as the 3995 * objective context of the specified inode 3996 */ 3997 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3998 { 3999 struct inode_security_struct *isec = inode_security(inode); 4000 struct task_security_struct *tsec = new->security; 4001 u32 sid = current_sid(); 4002 int ret; 4003 4004 ret = avc_has_perm(&selinux_state, 4005 sid, isec->sid, 4006 SECCLASS_KERNEL_SERVICE, 4007 KERNEL_SERVICE__CREATE_FILES_AS, 4008 NULL); 4009 4010 if (ret == 0) 4011 tsec->create_sid = isec->sid; 4012 return ret; 4013 } 4014 4015 static int selinux_kernel_module_request(char *kmod_name) 4016 { 4017 struct common_audit_data ad; 4018 4019 ad.type = LSM_AUDIT_DATA_KMOD; 4020 ad.u.kmod_name = kmod_name; 4021 4022 return avc_has_perm(&selinux_state, 4023 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4024 SYSTEM__MODULE_REQUEST, &ad); 4025 } 4026 4027 static int selinux_kernel_module_from_file(struct file *file) 4028 { 4029 struct common_audit_data ad; 4030 struct inode_security_struct *isec; 4031 struct file_security_struct *fsec; 4032 u32 sid = current_sid(); 4033 int rc; 4034 4035 /* init_module */ 4036 if (file == NULL) 4037 return avc_has_perm(&selinux_state, 4038 sid, sid, SECCLASS_SYSTEM, 4039 SYSTEM__MODULE_LOAD, NULL); 4040 4041 /* finit_module */ 4042 4043 ad.type = LSM_AUDIT_DATA_FILE; 4044 ad.u.file = file; 4045 4046 fsec = file->f_security; 4047 if (sid != fsec->sid) { 4048 rc = avc_has_perm(&selinux_state, 4049 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4050 if (rc) 4051 return rc; 4052 } 4053 4054 isec = inode_security(file_inode(file)); 4055 return avc_has_perm(&selinux_state, 4056 sid, isec->sid, SECCLASS_SYSTEM, 4057 SYSTEM__MODULE_LOAD, &ad); 4058 } 4059 4060 static int selinux_kernel_read_file(struct file *file, 4061 enum kernel_read_file_id id) 4062 { 4063 int rc = 0; 4064 4065 switch (id) { 4066 case READING_MODULE: 4067 rc = selinux_kernel_module_from_file(file); 4068 break; 4069 default: 4070 break; 4071 } 4072 4073 return rc; 4074 } 4075 4076 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4077 { 4078 return avc_has_perm(&selinux_state, 4079 current_sid(), task_sid(p), SECCLASS_PROCESS, 4080 PROCESS__SETPGID, NULL); 4081 } 4082 4083 static int selinux_task_getpgid(struct task_struct *p) 4084 { 4085 return avc_has_perm(&selinux_state, 4086 current_sid(), task_sid(p), SECCLASS_PROCESS, 4087 PROCESS__GETPGID, NULL); 4088 } 4089 4090 static int selinux_task_getsid(struct task_struct *p) 4091 { 4092 return avc_has_perm(&selinux_state, 4093 current_sid(), task_sid(p), SECCLASS_PROCESS, 4094 PROCESS__GETSESSION, NULL); 4095 } 4096 4097 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 4098 { 4099 *secid = task_sid(p); 4100 } 4101 4102 static int selinux_task_setnice(struct task_struct *p, int nice) 4103 { 4104 return avc_has_perm(&selinux_state, 4105 current_sid(), task_sid(p), SECCLASS_PROCESS, 4106 PROCESS__SETSCHED, NULL); 4107 } 4108 4109 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4110 { 4111 return avc_has_perm(&selinux_state, 4112 current_sid(), task_sid(p), SECCLASS_PROCESS, 4113 PROCESS__SETSCHED, NULL); 4114 } 4115 4116 static int selinux_task_getioprio(struct task_struct *p) 4117 { 4118 return avc_has_perm(&selinux_state, 4119 current_sid(), task_sid(p), SECCLASS_PROCESS, 4120 PROCESS__GETSCHED, NULL); 4121 } 4122 4123 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4124 unsigned int flags) 4125 { 4126 u32 av = 0; 4127 4128 if (!flags) 4129 return 0; 4130 if (flags & LSM_PRLIMIT_WRITE) 4131 av |= PROCESS__SETRLIMIT; 4132 if (flags & LSM_PRLIMIT_READ) 4133 av |= PROCESS__GETRLIMIT; 4134 return avc_has_perm(&selinux_state, 4135 cred_sid(cred), cred_sid(tcred), 4136 SECCLASS_PROCESS, av, NULL); 4137 } 4138 4139 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4140 struct rlimit *new_rlim) 4141 { 4142 struct rlimit *old_rlim = p->signal->rlim + resource; 4143 4144 /* Control the ability to change the hard limit (whether 4145 lowering or raising it), so that the hard limit can 4146 later be used as a safe reset point for the soft limit 4147 upon context transitions. See selinux_bprm_committing_creds. */ 4148 if (old_rlim->rlim_max != new_rlim->rlim_max) 4149 return avc_has_perm(&selinux_state, 4150 current_sid(), task_sid(p), 4151 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4152 4153 return 0; 4154 } 4155 4156 static int selinux_task_setscheduler(struct task_struct *p) 4157 { 4158 return avc_has_perm(&selinux_state, 4159 current_sid(), task_sid(p), SECCLASS_PROCESS, 4160 PROCESS__SETSCHED, NULL); 4161 } 4162 4163 static int selinux_task_getscheduler(struct task_struct *p) 4164 { 4165 return avc_has_perm(&selinux_state, 4166 current_sid(), task_sid(p), SECCLASS_PROCESS, 4167 PROCESS__GETSCHED, NULL); 4168 } 4169 4170 static int selinux_task_movememory(struct task_struct *p) 4171 { 4172 return avc_has_perm(&selinux_state, 4173 current_sid(), task_sid(p), SECCLASS_PROCESS, 4174 PROCESS__SETSCHED, NULL); 4175 } 4176 4177 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 4178 int sig, const struct cred *cred) 4179 { 4180 u32 secid; 4181 u32 perm; 4182 4183 if (!sig) 4184 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4185 else 4186 perm = signal_to_av(sig); 4187 if (!cred) 4188 secid = current_sid(); 4189 else 4190 secid = cred_sid(cred); 4191 return avc_has_perm(&selinux_state, 4192 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4193 } 4194 4195 static void selinux_task_to_inode(struct task_struct *p, 4196 struct inode *inode) 4197 { 4198 struct inode_security_struct *isec = inode->i_security; 4199 u32 sid = task_sid(p); 4200 4201 spin_lock(&isec->lock); 4202 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4203 isec->sid = sid; 4204 isec->initialized = LABEL_INITIALIZED; 4205 spin_unlock(&isec->lock); 4206 } 4207 4208 /* Returns error only if unable to parse addresses */ 4209 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4210 struct common_audit_data *ad, u8 *proto) 4211 { 4212 int offset, ihlen, ret = -EINVAL; 4213 struct iphdr _iph, *ih; 4214 4215 offset = skb_network_offset(skb); 4216 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4217 if (ih == NULL) 4218 goto out; 4219 4220 ihlen = ih->ihl * 4; 4221 if (ihlen < sizeof(_iph)) 4222 goto out; 4223 4224 ad->u.net->v4info.saddr = ih->saddr; 4225 ad->u.net->v4info.daddr = ih->daddr; 4226 ret = 0; 4227 4228 if (proto) 4229 *proto = ih->protocol; 4230 4231 switch (ih->protocol) { 4232 case IPPROTO_TCP: { 4233 struct tcphdr _tcph, *th; 4234 4235 if (ntohs(ih->frag_off) & IP_OFFSET) 4236 break; 4237 4238 offset += ihlen; 4239 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4240 if (th == NULL) 4241 break; 4242 4243 ad->u.net->sport = th->source; 4244 ad->u.net->dport = th->dest; 4245 break; 4246 } 4247 4248 case IPPROTO_UDP: { 4249 struct udphdr _udph, *uh; 4250 4251 if (ntohs(ih->frag_off) & IP_OFFSET) 4252 break; 4253 4254 offset += ihlen; 4255 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4256 if (uh == NULL) 4257 break; 4258 4259 ad->u.net->sport = uh->source; 4260 ad->u.net->dport = uh->dest; 4261 break; 4262 } 4263 4264 case IPPROTO_DCCP: { 4265 struct dccp_hdr _dccph, *dh; 4266 4267 if (ntohs(ih->frag_off) & IP_OFFSET) 4268 break; 4269 4270 offset += ihlen; 4271 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4272 if (dh == NULL) 4273 break; 4274 4275 ad->u.net->sport = dh->dccph_sport; 4276 ad->u.net->dport = dh->dccph_dport; 4277 break; 4278 } 4279 4280 #if IS_ENABLED(CONFIG_IP_SCTP) 4281 case IPPROTO_SCTP: { 4282 struct sctphdr _sctph, *sh; 4283 4284 if (ntohs(ih->frag_off) & IP_OFFSET) 4285 break; 4286 4287 offset += ihlen; 4288 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4289 if (sh == NULL) 4290 break; 4291 4292 ad->u.net->sport = sh->source; 4293 ad->u.net->dport = sh->dest; 4294 break; 4295 } 4296 #endif 4297 default: 4298 break; 4299 } 4300 out: 4301 return ret; 4302 } 4303 4304 #if IS_ENABLED(CONFIG_IPV6) 4305 4306 /* Returns error only if unable to parse addresses */ 4307 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4308 struct common_audit_data *ad, u8 *proto) 4309 { 4310 u8 nexthdr; 4311 int ret = -EINVAL, offset; 4312 struct ipv6hdr _ipv6h, *ip6; 4313 __be16 frag_off; 4314 4315 offset = skb_network_offset(skb); 4316 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4317 if (ip6 == NULL) 4318 goto out; 4319 4320 ad->u.net->v6info.saddr = ip6->saddr; 4321 ad->u.net->v6info.daddr = ip6->daddr; 4322 ret = 0; 4323 4324 nexthdr = ip6->nexthdr; 4325 offset += sizeof(_ipv6h); 4326 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4327 if (offset < 0) 4328 goto out; 4329 4330 if (proto) 4331 *proto = nexthdr; 4332 4333 switch (nexthdr) { 4334 case IPPROTO_TCP: { 4335 struct tcphdr _tcph, *th; 4336 4337 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4338 if (th == NULL) 4339 break; 4340 4341 ad->u.net->sport = th->source; 4342 ad->u.net->dport = th->dest; 4343 break; 4344 } 4345 4346 case IPPROTO_UDP: { 4347 struct udphdr _udph, *uh; 4348 4349 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4350 if (uh == NULL) 4351 break; 4352 4353 ad->u.net->sport = uh->source; 4354 ad->u.net->dport = uh->dest; 4355 break; 4356 } 4357 4358 case IPPROTO_DCCP: { 4359 struct dccp_hdr _dccph, *dh; 4360 4361 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4362 if (dh == NULL) 4363 break; 4364 4365 ad->u.net->sport = dh->dccph_sport; 4366 ad->u.net->dport = dh->dccph_dport; 4367 break; 4368 } 4369 4370 #if IS_ENABLED(CONFIG_IP_SCTP) 4371 case IPPROTO_SCTP: { 4372 struct sctphdr _sctph, *sh; 4373 4374 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4375 if (sh == NULL) 4376 break; 4377 4378 ad->u.net->sport = sh->source; 4379 ad->u.net->dport = sh->dest; 4380 break; 4381 } 4382 #endif 4383 /* includes fragments */ 4384 default: 4385 break; 4386 } 4387 out: 4388 return ret; 4389 } 4390 4391 #endif /* IPV6 */ 4392 4393 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4394 char **_addrp, int src, u8 *proto) 4395 { 4396 char *addrp; 4397 int ret; 4398 4399 switch (ad->u.net->family) { 4400 case PF_INET: 4401 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4402 if (ret) 4403 goto parse_error; 4404 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4405 &ad->u.net->v4info.daddr); 4406 goto okay; 4407 4408 #if IS_ENABLED(CONFIG_IPV6) 4409 case PF_INET6: 4410 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4411 if (ret) 4412 goto parse_error; 4413 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4414 &ad->u.net->v6info.daddr); 4415 goto okay; 4416 #endif /* IPV6 */ 4417 default: 4418 addrp = NULL; 4419 goto okay; 4420 } 4421 4422 parse_error: 4423 printk(KERN_WARNING 4424 "SELinux: failure in selinux_parse_skb()," 4425 " unable to parse packet\n"); 4426 return ret; 4427 4428 okay: 4429 if (_addrp) 4430 *_addrp = addrp; 4431 return 0; 4432 } 4433 4434 /** 4435 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4436 * @skb: the packet 4437 * @family: protocol family 4438 * @sid: the packet's peer label SID 4439 * 4440 * Description: 4441 * Check the various different forms of network peer labeling and determine 4442 * the peer label/SID for the packet; most of the magic actually occurs in 4443 * the security server function security_net_peersid_cmp(). The function 4444 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4445 * or -EACCES if @sid is invalid due to inconsistencies with the different 4446 * peer labels. 4447 * 4448 */ 4449 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4450 { 4451 int err; 4452 u32 xfrm_sid; 4453 u32 nlbl_sid; 4454 u32 nlbl_type; 4455 4456 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4457 if (unlikely(err)) 4458 return -EACCES; 4459 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4460 if (unlikely(err)) 4461 return -EACCES; 4462 4463 err = security_net_peersid_resolve(&selinux_state, nlbl_sid, 4464 nlbl_type, xfrm_sid, sid); 4465 if (unlikely(err)) { 4466 printk(KERN_WARNING 4467 "SELinux: failure in selinux_skb_peerlbl_sid()," 4468 " unable to determine packet's peer label\n"); 4469 return -EACCES; 4470 } 4471 4472 return 0; 4473 } 4474 4475 /** 4476 * selinux_conn_sid - Determine the child socket label for a connection 4477 * @sk_sid: the parent socket's SID 4478 * @skb_sid: the packet's SID 4479 * @conn_sid: the resulting connection SID 4480 * 4481 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4482 * combined with the MLS information from @skb_sid in order to create 4483 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy 4484 * of @sk_sid. Returns zero on success, negative values on failure. 4485 * 4486 */ 4487 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4488 { 4489 int err = 0; 4490 4491 if (skb_sid != SECSID_NULL) 4492 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid, 4493 conn_sid); 4494 else 4495 *conn_sid = sk_sid; 4496 4497 return err; 4498 } 4499 4500 /* socket security operations */ 4501 4502 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4503 u16 secclass, u32 *socksid) 4504 { 4505 if (tsec->sockcreate_sid > SECSID_NULL) { 4506 *socksid = tsec->sockcreate_sid; 4507 return 0; 4508 } 4509 4510 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid, 4511 secclass, NULL, socksid); 4512 } 4513 4514 static int sock_has_perm(struct sock *sk, u32 perms) 4515 { 4516 struct sk_security_struct *sksec = sk->sk_security; 4517 struct common_audit_data ad; 4518 struct lsm_network_audit net = {0,}; 4519 4520 if (sksec->sid == SECINITSID_KERNEL) 4521 return 0; 4522 4523 ad.type = LSM_AUDIT_DATA_NET; 4524 ad.u.net = &net; 4525 ad.u.net->sk = sk; 4526 4527 return avc_has_perm(&selinux_state, 4528 current_sid(), sksec->sid, sksec->sclass, perms, 4529 &ad); 4530 } 4531 4532 static int selinux_socket_create(int family, int type, 4533 int protocol, int kern) 4534 { 4535 const struct task_security_struct *tsec = current_security(); 4536 u32 newsid; 4537 u16 secclass; 4538 int rc; 4539 4540 if (kern) 4541 return 0; 4542 4543 secclass = socket_type_to_security_class(family, type, protocol); 4544 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4545 if (rc) 4546 return rc; 4547 4548 return avc_has_perm(&selinux_state, 4549 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4550 } 4551 4552 static int selinux_socket_post_create(struct socket *sock, int family, 4553 int type, int protocol, int kern) 4554 { 4555 const struct task_security_struct *tsec = current_security(); 4556 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4557 struct sk_security_struct *sksec; 4558 u16 sclass = socket_type_to_security_class(family, type, protocol); 4559 u32 sid = SECINITSID_KERNEL; 4560 int err = 0; 4561 4562 if (!kern) { 4563 err = socket_sockcreate_sid(tsec, sclass, &sid); 4564 if (err) 4565 return err; 4566 } 4567 4568 isec->sclass = sclass; 4569 isec->sid = sid; 4570 isec->initialized = LABEL_INITIALIZED; 4571 4572 if (sock->sk) { 4573 sksec = sock->sk->sk_security; 4574 sksec->sclass = sclass; 4575 sksec->sid = sid; 4576 /* Allows detection of the first association on this socket */ 4577 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4578 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4579 4580 err = selinux_netlbl_socket_post_create(sock->sk, family); 4581 } 4582 4583 return err; 4584 } 4585 4586 static int selinux_socket_socketpair(struct socket *socka, 4587 struct socket *sockb) 4588 { 4589 struct sk_security_struct *sksec_a = socka->sk->sk_security; 4590 struct sk_security_struct *sksec_b = sockb->sk->sk_security; 4591 4592 sksec_a->peer_sid = sksec_b->sid; 4593 sksec_b->peer_sid = sksec_a->sid; 4594 4595 return 0; 4596 } 4597 4598 /* Range of port numbers used to automatically bind. 4599 Need to determine whether we should perform a name_bind 4600 permission check between the socket and the port number. */ 4601 4602 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4603 { 4604 struct sock *sk = sock->sk; 4605 struct sk_security_struct *sksec = sk->sk_security; 4606 u16 family; 4607 int err; 4608 4609 err = sock_has_perm(sk, SOCKET__BIND); 4610 if (err) 4611 goto out; 4612 4613 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4614 family = sk->sk_family; 4615 if (family == PF_INET || family == PF_INET6) { 4616 char *addrp; 4617 struct common_audit_data ad; 4618 struct lsm_network_audit net = {0,}; 4619 struct sockaddr_in *addr4 = NULL; 4620 struct sockaddr_in6 *addr6 = NULL; 4621 u16 family_sa = address->sa_family; 4622 unsigned short snum; 4623 u32 sid, node_perm; 4624 4625 /* 4626 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4627 * that validates multiple binding addresses. Because of this 4628 * need to check address->sa_family as it is possible to have 4629 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4630 */ 4631 switch (family_sa) { 4632 case AF_UNSPEC: 4633 case AF_INET: 4634 if (addrlen < sizeof(struct sockaddr_in)) 4635 return -EINVAL; 4636 addr4 = (struct sockaddr_in *)address; 4637 if (family_sa == AF_UNSPEC) { 4638 /* see __inet_bind(), we only want to allow 4639 * AF_UNSPEC if the address is INADDR_ANY 4640 */ 4641 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4642 goto err_af; 4643 family_sa = AF_INET; 4644 } 4645 snum = ntohs(addr4->sin_port); 4646 addrp = (char *)&addr4->sin_addr.s_addr; 4647 break; 4648 case AF_INET6: 4649 if (addrlen < SIN6_LEN_RFC2133) 4650 return -EINVAL; 4651 addr6 = (struct sockaddr_in6 *)address; 4652 snum = ntohs(addr6->sin6_port); 4653 addrp = (char *)&addr6->sin6_addr.s6_addr; 4654 break; 4655 default: 4656 goto err_af; 4657 } 4658 4659 ad.type = LSM_AUDIT_DATA_NET; 4660 ad.u.net = &net; 4661 ad.u.net->sport = htons(snum); 4662 ad.u.net->family = family_sa; 4663 4664 if (snum) { 4665 int low, high; 4666 4667 inet_get_local_port_range(sock_net(sk), &low, &high); 4668 4669 if (snum < max(inet_prot_sock(sock_net(sk)), low) || 4670 snum > high) { 4671 err = sel_netport_sid(sk->sk_protocol, 4672 snum, &sid); 4673 if (err) 4674 goto out; 4675 err = avc_has_perm(&selinux_state, 4676 sksec->sid, sid, 4677 sksec->sclass, 4678 SOCKET__NAME_BIND, &ad); 4679 if (err) 4680 goto out; 4681 } 4682 } 4683 4684 switch (sksec->sclass) { 4685 case SECCLASS_TCP_SOCKET: 4686 node_perm = TCP_SOCKET__NODE_BIND; 4687 break; 4688 4689 case SECCLASS_UDP_SOCKET: 4690 node_perm = UDP_SOCKET__NODE_BIND; 4691 break; 4692 4693 case SECCLASS_DCCP_SOCKET: 4694 node_perm = DCCP_SOCKET__NODE_BIND; 4695 break; 4696 4697 case SECCLASS_SCTP_SOCKET: 4698 node_perm = SCTP_SOCKET__NODE_BIND; 4699 break; 4700 4701 default: 4702 node_perm = RAWIP_SOCKET__NODE_BIND; 4703 break; 4704 } 4705 4706 err = sel_netnode_sid(addrp, family_sa, &sid); 4707 if (err) 4708 goto out; 4709 4710 if (family_sa == AF_INET) 4711 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4712 else 4713 ad.u.net->v6info.saddr = addr6->sin6_addr; 4714 4715 err = avc_has_perm(&selinux_state, 4716 sksec->sid, sid, 4717 sksec->sclass, node_perm, &ad); 4718 if (err) 4719 goto out; 4720 } 4721 out: 4722 return err; 4723 err_af: 4724 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4725 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4726 return -EINVAL; 4727 return -EAFNOSUPPORT; 4728 } 4729 4730 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 4731 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst 4732 */ 4733 static int selinux_socket_connect_helper(struct socket *sock, 4734 struct sockaddr *address, int addrlen) 4735 { 4736 struct sock *sk = sock->sk; 4737 struct sk_security_struct *sksec = sk->sk_security; 4738 int err; 4739 4740 err = sock_has_perm(sk, SOCKET__CONNECT); 4741 if (err) 4742 return err; 4743 4744 /* 4745 * If a TCP, DCCP or SCTP socket, check name_connect permission 4746 * for the port. 4747 */ 4748 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4749 sksec->sclass == SECCLASS_DCCP_SOCKET || 4750 sksec->sclass == SECCLASS_SCTP_SOCKET) { 4751 struct common_audit_data ad; 4752 struct lsm_network_audit net = {0,}; 4753 struct sockaddr_in *addr4 = NULL; 4754 struct sockaddr_in6 *addr6 = NULL; 4755 unsigned short snum; 4756 u32 sid, perm; 4757 4758 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 4759 * that validates multiple connect addresses. Because of this 4760 * need to check address->sa_family as it is possible to have 4761 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4762 */ 4763 switch (address->sa_family) { 4764 case AF_INET: 4765 addr4 = (struct sockaddr_in *)address; 4766 if (addrlen < sizeof(struct sockaddr_in)) 4767 return -EINVAL; 4768 snum = ntohs(addr4->sin_port); 4769 break; 4770 case AF_INET6: 4771 addr6 = (struct sockaddr_in6 *)address; 4772 if (addrlen < SIN6_LEN_RFC2133) 4773 return -EINVAL; 4774 snum = ntohs(addr6->sin6_port); 4775 break; 4776 default: 4777 /* Note that SCTP services expect -EINVAL, whereas 4778 * others expect -EAFNOSUPPORT. 4779 */ 4780 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4781 return -EINVAL; 4782 else 4783 return -EAFNOSUPPORT; 4784 } 4785 4786 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4787 if (err) 4788 return err; 4789 4790 switch (sksec->sclass) { 4791 case SECCLASS_TCP_SOCKET: 4792 perm = TCP_SOCKET__NAME_CONNECT; 4793 break; 4794 case SECCLASS_DCCP_SOCKET: 4795 perm = DCCP_SOCKET__NAME_CONNECT; 4796 break; 4797 case SECCLASS_SCTP_SOCKET: 4798 perm = SCTP_SOCKET__NAME_CONNECT; 4799 break; 4800 } 4801 4802 ad.type = LSM_AUDIT_DATA_NET; 4803 ad.u.net = &net; 4804 ad.u.net->dport = htons(snum); 4805 ad.u.net->family = address->sa_family; 4806 err = avc_has_perm(&selinux_state, 4807 sksec->sid, sid, sksec->sclass, perm, &ad); 4808 if (err) 4809 return err; 4810 } 4811 4812 return 0; 4813 } 4814 4815 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 4816 static int selinux_socket_connect(struct socket *sock, 4817 struct sockaddr *address, int addrlen) 4818 { 4819 int err; 4820 struct sock *sk = sock->sk; 4821 4822 err = selinux_socket_connect_helper(sock, address, addrlen); 4823 if (err) 4824 return err; 4825 4826 return selinux_netlbl_socket_connect(sk, address); 4827 } 4828 4829 static int selinux_socket_listen(struct socket *sock, int backlog) 4830 { 4831 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4832 } 4833 4834 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4835 { 4836 int err; 4837 struct inode_security_struct *isec; 4838 struct inode_security_struct *newisec; 4839 u16 sclass; 4840 u32 sid; 4841 4842 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4843 if (err) 4844 return err; 4845 4846 isec = inode_security_novalidate(SOCK_INODE(sock)); 4847 spin_lock(&isec->lock); 4848 sclass = isec->sclass; 4849 sid = isec->sid; 4850 spin_unlock(&isec->lock); 4851 4852 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4853 newisec->sclass = sclass; 4854 newisec->sid = sid; 4855 newisec->initialized = LABEL_INITIALIZED; 4856 4857 return 0; 4858 } 4859 4860 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4861 int size) 4862 { 4863 return sock_has_perm(sock->sk, SOCKET__WRITE); 4864 } 4865 4866 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4867 int size, int flags) 4868 { 4869 return sock_has_perm(sock->sk, SOCKET__READ); 4870 } 4871 4872 static int selinux_socket_getsockname(struct socket *sock) 4873 { 4874 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4875 } 4876 4877 static int selinux_socket_getpeername(struct socket *sock) 4878 { 4879 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4880 } 4881 4882 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4883 { 4884 int err; 4885 4886 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 4887 if (err) 4888 return err; 4889 4890 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4891 } 4892 4893 static int selinux_socket_getsockopt(struct socket *sock, int level, 4894 int optname) 4895 { 4896 return sock_has_perm(sock->sk, SOCKET__GETOPT); 4897 } 4898 4899 static int selinux_socket_shutdown(struct socket *sock, int how) 4900 { 4901 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 4902 } 4903 4904 static int selinux_socket_unix_stream_connect(struct sock *sock, 4905 struct sock *other, 4906 struct sock *newsk) 4907 { 4908 struct sk_security_struct *sksec_sock = sock->sk_security; 4909 struct sk_security_struct *sksec_other = other->sk_security; 4910 struct sk_security_struct *sksec_new = newsk->sk_security; 4911 struct common_audit_data ad; 4912 struct lsm_network_audit net = {0,}; 4913 int err; 4914 4915 ad.type = LSM_AUDIT_DATA_NET; 4916 ad.u.net = &net; 4917 ad.u.net->sk = other; 4918 4919 err = avc_has_perm(&selinux_state, 4920 sksec_sock->sid, sksec_other->sid, 4921 sksec_other->sclass, 4922 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4923 if (err) 4924 return err; 4925 4926 /* server child socket */ 4927 sksec_new->peer_sid = sksec_sock->sid; 4928 err = security_sid_mls_copy(&selinux_state, sksec_other->sid, 4929 sksec_sock->sid, &sksec_new->sid); 4930 if (err) 4931 return err; 4932 4933 /* connecting socket */ 4934 sksec_sock->peer_sid = sksec_new->sid; 4935 4936 return 0; 4937 } 4938 4939 static int selinux_socket_unix_may_send(struct socket *sock, 4940 struct socket *other) 4941 { 4942 struct sk_security_struct *ssec = sock->sk->sk_security; 4943 struct sk_security_struct *osec = other->sk->sk_security; 4944 struct common_audit_data ad; 4945 struct lsm_network_audit net = {0,}; 4946 4947 ad.type = LSM_AUDIT_DATA_NET; 4948 ad.u.net = &net; 4949 ad.u.net->sk = other->sk; 4950 4951 return avc_has_perm(&selinux_state, 4952 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4953 &ad); 4954 } 4955 4956 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4957 char *addrp, u16 family, u32 peer_sid, 4958 struct common_audit_data *ad) 4959 { 4960 int err; 4961 u32 if_sid; 4962 u32 node_sid; 4963 4964 err = sel_netif_sid(ns, ifindex, &if_sid); 4965 if (err) 4966 return err; 4967 err = avc_has_perm(&selinux_state, 4968 peer_sid, if_sid, 4969 SECCLASS_NETIF, NETIF__INGRESS, ad); 4970 if (err) 4971 return err; 4972 4973 err = sel_netnode_sid(addrp, family, &node_sid); 4974 if (err) 4975 return err; 4976 return avc_has_perm(&selinux_state, 4977 peer_sid, node_sid, 4978 SECCLASS_NODE, NODE__RECVFROM, ad); 4979 } 4980 4981 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4982 u16 family) 4983 { 4984 int err = 0; 4985 struct sk_security_struct *sksec = sk->sk_security; 4986 u32 sk_sid = sksec->sid; 4987 struct common_audit_data ad; 4988 struct lsm_network_audit net = {0,}; 4989 char *addrp; 4990 4991 ad.type = LSM_AUDIT_DATA_NET; 4992 ad.u.net = &net; 4993 ad.u.net->netif = skb->skb_iif; 4994 ad.u.net->family = family; 4995 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4996 if (err) 4997 return err; 4998 4999 if (selinux_secmark_enabled()) { 5000 err = avc_has_perm(&selinux_state, 5001 sk_sid, skb->secmark, SECCLASS_PACKET, 5002 PACKET__RECV, &ad); 5003 if (err) 5004 return err; 5005 } 5006 5007 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 5008 if (err) 5009 return err; 5010 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 5011 5012 return err; 5013 } 5014 5015 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 5016 { 5017 int err; 5018 struct sk_security_struct *sksec = sk->sk_security; 5019 u16 family = sk->sk_family; 5020 u32 sk_sid = sksec->sid; 5021 struct common_audit_data ad; 5022 struct lsm_network_audit net = {0,}; 5023 char *addrp; 5024 u8 secmark_active; 5025 u8 peerlbl_active; 5026 5027 if (family != PF_INET && family != PF_INET6) 5028 return 0; 5029 5030 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5031 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5032 family = PF_INET; 5033 5034 /* If any sort of compatibility mode is enabled then handoff processing 5035 * to the selinux_sock_rcv_skb_compat() function to deal with the 5036 * special handling. We do this in an attempt to keep this function 5037 * as fast and as clean as possible. */ 5038 if (!selinux_policycap_netpeer()) 5039 return selinux_sock_rcv_skb_compat(sk, skb, family); 5040 5041 secmark_active = selinux_secmark_enabled(); 5042 peerlbl_active = selinux_peerlbl_enabled(); 5043 if (!secmark_active && !peerlbl_active) 5044 return 0; 5045 5046 ad.type = LSM_AUDIT_DATA_NET; 5047 ad.u.net = &net; 5048 ad.u.net->netif = skb->skb_iif; 5049 ad.u.net->family = family; 5050 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5051 if (err) 5052 return err; 5053 5054 if (peerlbl_active) { 5055 u32 peer_sid; 5056 5057 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5058 if (err) 5059 return err; 5060 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5061 addrp, family, peer_sid, &ad); 5062 if (err) { 5063 selinux_netlbl_err(skb, family, err, 0); 5064 return err; 5065 } 5066 err = avc_has_perm(&selinux_state, 5067 sk_sid, peer_sid, SECCLASS_PEER, 5068 PEER__RECV, &ad); 5069 if (err) { 5070 selinux_netlbl_err(skb, family, err, 0); 5071 return err; 5072 } 5073 } 5074 5075 if (secmark_active) { 5076 err = avc_has_perm(&selinux_state, 5077 sk_sid, skb->secmark, SECCLASS_PACKET, 5078 PACKET__RECV, &ad); 5079 if (err) 5080 return err; 5081 } 5082 5083 return err; 5084 } 5085 5086 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 5087 int __user *optlen, unsigned len) 5088 { 5089 int err = 0; 5090 char *scontext; 5091 u32 scontext_len; 5092 struct sk_security_struct *sksec = sock->sk->sk_security; 5093 u32 peer_sid = SECSID_NULL; 5094 5095 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5096 sksec->sclass == SECCLASS_TCP_SOCKET || 5097 sksec->sclass == SECCLASS_SCTP_SOCKET) 5098 peer_sid = sksec->peer_sid; 5099 if (peer_sid == SECSID_NULL) 5100 return -ENOPROTOOPT; 5101 5102 err = security_sid_to_context(&selinux_state, peer_sid, &scontext, 5103 &scontext_len); 5104 if (err) 5105 return err; 5106 5107 if (scontext_len > len) { 5108 err = -ERANGE; 5109 goto out_len; 5110 } 5111 5112 if (copy_to_user(optval, scontext, scontext_len)) 5113 err = -EFAULT; 5114 5115 out_len: 5116 if (put_user(scontext_len, optlen)) 5117 err = -EFAULT; 5118 kfree(scontext); 5119 return err; 5120 } 5121 5122 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 5123 { 5124 u32 peer_secid = SECSID_NULL; 5125 u16 family; 5126 struct inode_security_struct *isec; 5127 5128 if (skb && skb->protocol == htons(ETH_P_IP)) 5129 family = PF_INET; 5130 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5131 family = PF_INET6; 5132 else if (sock) 5133 family = sock->sk->sk_family; 5134 else 5135 goto out; 5136 5137 if (sock && family == PF_UNIX) { 5138 isec = inode_security_novalidate(SOCK_INODE(sock)); 5139 peer_secid = isec->sid; 5140 } else if (skb) 5141 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5142 5143 out: 5144 *secid = peer_secid; 5145 if (peer_secid == SECSID_NULL) 5146 return -EINVAL; 5147 return 0; 5148 } 5149 5150 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5151 { 5152 struct sk_security_struct *sksec; 5153 5154 sksec = kzalloc(sizeof(*sksec), priority); 5155 if (!sksec) 5156 return -ENOMEM; 5157 5158 sksec->peer_sid = SECINITSID_UNLABELED; 5159 sksec->sid = SECINITSID_UNLABELED; 5160 sksec->sclass = SECCLASS_SOCKET; 5161 selinux_netlbl_sk_security_reset(sksec); 5162 sk->sk_security = sksec; 5163 5164 return 0; 5165 } 5166 5167 static void selinux_sk_free_security(struct sock *sk) 5168 { 5169 struct sk_security_struct *sksec = sk->sk_security; 5170 5171 sk->sk_security = NULL; 5172 selinux_netlbl_sk_security_free(sksec); 5173 kfree(sksec); 5174 } 5175 5176 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5177 { 5178 struct sk_security_struct *sksec = sk->sk_security; 5179 struct sk_security_struct *newsksec = newsk->sk_security; 5180 5181 newsksec->sid = sksec->sid; 5182 newsksec->peer_sid = sksec->peer_sid; 5183 newsksec->sclass = sksec->sclass; 5184 5185 selinux_netlbl_sk_security_reset(newsksec); 5186 } 5187 5188 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 5189 { 5190 if (!sk) 5191 *secid = SECINITSID_ANY_SOCKET; 5192 else { 5193 struct sk_security_struct *sksec = sk->sk_security; 5194 5195 *secid = sksec->sid; 5196 } 5197 } 5198 5199 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5200 { 5201 struct inode_security_struct *isec = 5202 inode_security_novalidate(SOCK_INODE(parent)); 5203 struct sk_security_struct *sksec = sk->sk_security; 5204 5205 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5206 sk->sk_family == PF_UNIX) 5207 isec->sid = sksec->sid; 5208 sksec->sclass = isec->sclass; 5209 } 5210 5211 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming 5212 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association 5213 * already present). 5214 */ 5215 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep, 5216 struct sk_buff *skb) 5217 { 5218 struct sk_security_struct *sksec = ep->base.sk->sk_security; 5219 struct common_audit_data ad; 5220 struct lsm_network_audit net = {0,}; 5221 u8 peerlbl_active; 5222 u32 peer_sid = SECINITSID_UNLABELED; 5223 u32 conn_sid; 5224 int err = 0; 5225 5226 if (!selinux_policycap_extsockclass()) 5227 return 0; 5228 5229 peerlbl_active = selinux_peerlbl_enabled(); 5230 5231 if (peerlbl_active) { 5232 /* This will return peer_sid = SECSID_NULL if there are 5233 * no peer labels, see security_net_peersid_resolve(). 5234 */ 5235 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family, 5236 &peer_sid); 5237 if (err) 5238 return err; 5239 5240 if (peer_sid == SECSID_NULL) 5241 peer_sid = SECINITSID_UNLABELED; 5242 } 5243 5244 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5245 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5246 5247 /* Here as first association on socket. As the peer SID 5248 * was allowed by peer recv (and the netif/node checks), 5249 * then it is approved by policy and used as the primary 5250 * peer SID for getpeercon(3). 5251 */ 5252 sksec->peer_sid = peer_sid; 5253 } else if (sksec->peer_sid != peer_sid) { 5254 /* Other association peer SIDs are checked to enforce 5255 * consistency among the peer SIDs. 5256 */ 5257 ad.type = LSM_AUDIT_DATA_NET; 5258 ad.u.net = &net; 5259 ad.u.net->sk = ep->base.sk; 5260 err = avc_has_perm(&selinux_state, 5261 sksec->peer_sid, peer_sid, sksec->sclass, 5262 SCTP_SOCKET__ASSOCIATION, &ad); 5263 if (err) 5264 return err; 5265 } 5266 5267 /* Compute the MLS component for the connection and store 5268 * the information in ep. This will be used by SCTP TCP type 5269 * sockets and peeled off connections as they cause a new 5270 * socket to be generated. selinux_sctp_sk_clone() will then 5271 * plug this into the new socket. 5272 */ 5273 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid); 5274 if (err) 5275 return err; 5276 5277 ep->secid = conn_sid; 5278 ep->peer_secid = peer_sid; 5279 5280 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5281 return selinux_netlbl_sctp_assoc_request(ep, skb); 5282 } 5283 5284 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5285 * based on their @optname. 5286 */ 5287 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5288 struct sockaddr *address, 5289 int addrlen) 5290 { 5291 int len, err = 0, walk_size = 0; 5292 void *addr_buf; 5293 struct sockaddr *addr; 5294 struct socket *sock; 5295 5296 if (!selinux_policycap_extsockclass()) 5297 return 0; 5298 5299 /* Process one or more addresses that may be IPv4 or IPv6 */ 5300 sock = sk->sk_socket; 5301 addr_buf = address; 5302 5303 while (walk_size < addrlen) { 5304 addr = addr_buf; 5305 switch (addr->sa_family) { 5306 case AF_UNSPEC: 5307 case AF_INET: 5308 len = sizeof(struct sockaddr_in); 5309 break; 5310 case AF_INET6: 5311 len = sizeof(struct sockaddr_in6); 5312 break; 5313 default: 5314 return -EINVAL; 5315 } 5316 5317 err = -EINVAL; 5318 switch (optname) { 5319 /* Bind checks */ 5320 case SCTP_PRIMARY_ADDR: 5321 case SCTP_SET_PEER_PRIMARY_ADDR: 5322 case SCTP_SOCKOPT_BINDX_ADD: 5323 err = selinux_socket_bind(sock, addr, len); 5324 break; 5325 /* Connect checks */ 5326 case SCTP_SOCKOPT_CONNECTX: 5327 case SCTP_PARAM_SET_PRIMARY: 5328 case SCTP_PARAM_ADD_IP: 5329 case SCTP_SENDMSG_CONNECT: 5330 err = selinux_socket_connect_helper(sock, addr, len); 5331 if (err) 5332 return err; 5333 5334 /* As selinux_sctp_bind_connect() is called by the 5335 * SCTP protocol layer, the socket is already locked, 5336 * therefore selinux_netlbl_socket_connect_locked() is 5337 * is called here. The situations handled are: 5338 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5339 * whenever a new IP address is added or when a new 5340 * primary address is selected. 5341 * Note that an SCTP connect(2) call happens before 5342 * the SCTP protocol layer and is handled via 5343 * selinux_socket_connect(). 5344 */ 5345 err = selinux_netlbl_socket_connect_locked(sk, addr); 5346 break; 5347 } 5348 5349 if (err) 5350 return err; 5351 5352 addr_buf += len; 5353 walk_size += len; 5354 } 5355 5356 return 0; 5357 } 5358 5359 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5360 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, 5361 struct sock *newsk) 5362 { 5363 struct sk_security_struct *sksec = sk->sk_security; 5364 struct sk_security_struct *newsksec = newsk->sk_security; 5365 5366 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5367 * the non-sctp clone version. 5368 */ 5369 if (!selinux_policycap_extsockclass()) 5370 return selinux_sk_clone_security(sk, newsk); 5371 5372 newsksec->sid = ep->secid; 5373 newsksec->peer_sid = ep->peer_secid; 5374 newsksec->sclass = sksec->sclass; 5375 selinux_netlbl_sctp_sk_clone(sk, newsk); 5376 } 5377 5378 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 5379 struct request_sock *req) 5380 { 5381 struct sk_security_struct *sksec = sk->sk_security; 5382 int err; 5383 u16 family = req->rsk_ops->family; 5384 u32 connsid; 5385 u32 peersid; 5386 5387 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5388 if (err) 5389 return err; 5390 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5391 if (err) 5392 return err; 5393 req->secid = connsid; 5394 req->peer_secid = peersid; 5395 5396 return selinux_netlbl_inet_conn_request(req, family); 5397 } 5398 5399 static void selinux_inet_csk_clone(struct sock *newsk, 5400 const struct request_sock *req) 5401 { 5402 struct sk_security_struct *newsksec = newsk->sk_security; 5403 5404 newsksec->sid = req->secid; 5405 newsksec->peer_sid = req->peer_secid; 5406 /* NOTE: Ideally, we should also get the isec->sid for the 5407 new socket in sync, but we don't have the isec available yet. 5408 So we will wait until sock_graft to do it, by which 5409 time it will have been created and available. */ 5410 5411 /* We don't need to take any sort of lock here as we are the only 5412 * thread with access to newsksec */ 5413 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5414 } 5415 5416 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5417 { 5418 u16 family = sk->sk_family; 5419 struct sk_security_struct *sksec = sk->sk_security; 5420 5421 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5422 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5423 family = PF_INET; 5424 5425 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5426 } 5427 5428 static int selinux_secmark_relabel_packet(u32 sid) 5429 { 5430 const struct task_security_struct *__tsec; 5431 u32 tsid; 5432 5433 __tsec = current_security(); 5434 tsid = __tsec->sid; 5435 5436 return avc_has_perm(&selinux_state, 5437 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, 5438 NULL); 5439 } 5440 5441 static void selinux_secmark_refcount_inc(void) 5442 { 5443 atomic_inc(&selinux_secmark_refcount); 5444 } 5445 5446 static void selinux_secmark_refcount_dec(void) 5447 { 5448 atomic_dec(&selinux_secmark_refcount); 5449 } 5450 5451 static void selinux_req_classify_flow(const struct request_sock *req, 5452 struct flowi *fl) 5453 { 5454 fl->flowi_secid = req->secid; 5455 } 5456 5457 static int selinux_tun_dev_alloc_security(void **security) 5458 { 5459 struct tun_security_struct *tunsec; 5460 5461 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5462 if (!tunsec) 5463 return -ENOMEM; 5464 tunsec->sid = current_sid(); 5465 5466 *security = tunsec; 5467 return 0; 5468 } 5469 5470 static void selinux_tun_dev_free_security(void *security) 5471 { 5472 kfree(security); 5473 } 5474 5475 static int selinux_tun_dev_create(void) 5476 { 5477 u32 sid = current_sid(); 5478 5479 /* we aren't taking into account the "sockcreate" SID since the socket 5480 * that is being created here is not a socket in the traditional sense, 5481 * instead it is a private sock, accessible only to the kernel, and 5482 * representing a wide range of network traffic spanning multiple 5483 * connections unlike traditional sockets - check the TUN driver to 5484 * get a better understanding of why this socket is special */ 5485 5486 return avc_has_perm(&selinux_state, 5487 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5488 NULL); 5489 } 5490 5491 static int selinux_tun_dev_attach_queue(void *security) 5492 { 5493 struct tun_security_struct *tunsec = security; 5494 5495 return avc_has_perm(&selinux_state, 5496 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5497 TUN_SOCKET__ATTACH_QUEUE, NULL); 5498 } 5499 5500 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5501 { 5502 struct tun_security_struct *tunsec = security; 5503 struct sk_security_struct *sksec = sk->sk_security; 5504 5505 /* we don't currently perform any NetLabel based labeling here and it 5506 * isn't clear that we would want to do so anyway; while we could apply 5507 * labeling without the support of the TUN user the resulting labeled 5508 * traffic from the other end of the connection would almost certainly 5509 * cause confusion to the TUN user that had no idea network labeling 5510 * protocols were being used */ 5511 5512 sksec->sid = tunsec->sid; 5513 sksec->sclass = SECCLASS_TUN_SOCKET; 5514 5515 return 0; 5516 } 5517 5518 static int selinux_tun_dev_open(void *security) 5519 { 5520 struct tun_security_struct *tunsec = security; 5521 u32 sid = current_sid(); 5522 int err; 5523 5524 err = avc_has_perm(&selinux_state, 5525 sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5526 TUN_SOCKET__RELABELFROM, NULL); 5527 if (err) 5528 return err; 5529 err = avc_has_perm(&selinux_state, 5530 sid, sid, SECCLASS_TUN_SOCKET, 5531 TUN_SOCKET__RELABELTO, NULL); 5532 if (err) 5533 return err; 5534 tunsec->sid = sid; 5535 5536 return 0; 5537 } 5538 5539 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 5540 { 5541 int err = 0; 5542 u32 perm; 5543 struct nlmsghdr *nlh; 5544 struct sk_security_struct *sksec = sk->sk_security; 5545 5546 if (skb->len < NLMSG_HDRLEN) { 5547 err = -EINVAL; 5548 goto out; 5549 } 5550 nlh = nlmsg_hdr(skb); 5551 5552 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 5553 if (err) { 5554 if (err == -EINVAL) { 5555 pr_warn_ratelimited("SELinux: unrecognized netlink" 5556 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 5557 " pig=%d comm=%s\n", 5558 sk->sk_protocol, nlh->nlmsg_type, 5559 secclass_map[sksec->sclass - 1].name, 5560 task_pid_nr(current), current->comm); 5561 if (!enforcing_enabled(&selinux_state) || 5562 security_get_allow_unknown(&selinux_state)) 5563 err = 0; 5564 } 5565 5566 /* Ignore */ 5567 if (err == -ENOENT) 5568 err = 0; 5569 goto out; 5570 } 5571 5572 err = sock_has_perm(sk, perm); 5573 out: 5574 return err; 5575 } 5576 5577 #ifdef CONFIG_NETFILTER 5578 5579 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5580 const struct net_device *indev, 5581 u16 family) 5582 { 5583 int err; 5584 char *addrp; 5585 u32 peer_sid; 5586 struct common_audit_data ad; 5587 struct lsm_network_audit net = {0,}; 5588 u8 secmark_active; 5589 u8 netlbl_active; 5590 u8 peerlbl_active; 5591 5592 if (!selinux_policycap_netpeer()) 5593 return NF_ACCEPT; 5594 5595 secmark_active = selinux_secmark_enabled(); 5596 netlbl_active = netlbl_enabled(); 5597 peerlbl_active = selinux_peerlbl_enabled(); 5598 if (!secmark_active && !peerlbl_active) 5599 return NF_ACCEPT; 5600 5601 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5602 return NF_DROP; 5603 5604 ad.type = LSM_AUDIT_DATA_NET; 5605 ad.u.net = &net; 5606 ad.u.net->netif = indev->ifindex; 5607 ad.u.net->family = family; 5608 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5609 return NF_DROP; 5610 5611 if (peerlbl_active) { 5612 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5613 addrp, family, peer_sid, &ad); 5614 if (err) { 5615 selinux_netlbl_err(skb, family, err, 1); 5616 return NF_DROP; 5617 } 5618 } 5619 5620 if (secmark_active) 5621 if (avc_has_perm(&selinux_state, 5622 peer_sid, skb->secmark, 5623 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5624 return NF_DROP; 5625 5626 if (netlbl_active) 5627 /* we do this in the FORWARD path and not the POST_ROUTING 5628 * path because we want to make sure we apply the necessary 5629 * labeling before IPsec is applied so we can leverage AH 5630 * protection */ 5631 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5632 return NF_DROP; 5633 5634 return NF_ACCEPT; 5635 } 5636 5637 static unsigned int selinux_ipv4_forward(void *priv, 5638 struct sk_buff *skb, 5639 const struct nf_hook_state *state) 5640 { 5641 return selinux_ip_forward(skb, state->in, PF_INET); 5642 } 5643 5644 #if IS_ENABLED(CONFIG_IPV6) 5645 static unsigned int selinux_ipv6_forward(void *priv, 5646 struct sk_buff *skb, 5647 const struct nf_hook_state *state) 5648 { 5649 return selinux_ip_forward(skb, state->in, PF_INET6); 5650 } 5651 #endif /* IPV6 */ 5652 5653 static unsigned int selinux_ip_output(struct sk_buff *skb, 5654 u16 family) 5655 { 5656 struct sock *sk; 5657 u32 sid; 5658 5659 if (!netlbl_enabled()) 5660 return NF_ACCEPT; 5661 5662 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5663 * because we want to make sure we apply the necessary labeling 5664 * before IPsec is applied so we can leverage AH protection */ 5665 sk = skb->sk; 5666 if (sk) { 5667 struct sk_security_struct *sksec; 5668 5669 if (sk_listener(sk)) 5670 /* if the socket is the listening state then this 5671 * packet is a SYN-ACK packet which means it needs to 5672 * be labeled based on the connection/request_sock and 5673 * not the parent socket. unfortunately, we can't 5674 * lookup the request_sock yet as it isn't queued on 5675 * the parent socket until after the SYN-ACK is sent. 5676 * the "solution" is to simply pass the packet as-is 5677 * as any IP option based labeling should be copied 5678 * from the initial connection request (in the IP 5679 * layer). it is far from ideal, but until we get a 5680 * security label in the packet itself this is the 5681 * best we can do. */ 5682 return NF_ACCEPT; 5683 5684 /* standard practice, label using the parent socket */ 5685 sksec = sk->sk_security; 5686 sid = sksec->sid; 5687 } else 5688 sid = SECINITSID_KERNEL; 5689 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5690 return NF_DROP; 5691 5692 return NF_ACCEPT; 5693 } 5694 5695 static unsigned int selinux_ipv4_output(void *priv, 5696 struct sk_buff *skb, 5697 const struct nf_hook_state *state) 5698 { 5699 return selinux_ip_output(skb, PF_INET); 5700 } 5701 5702 #if IS_ENABLED(CONFIG_IPV6) 5703 static unsigned int selinux_ipv6_output(void *priv, 5704 struct sk_buff *skb, 5705 const struct nf_hook_state *state) 5706 { 5707 return selinux_ip_output(skb, PF_INET6); 5708 } 5709 #endif /* IPV6 */ 5710 5711 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5712 int ifindex, 5713 u16 family) 5714 { 5715 struct sock *sk = skb_to_full_sk(skb); 5716 struct sk_security_struct *sksec; 5717 struct common_audit_data ad; 5718 struct lsm_network_audit net = {0,}; 5719 char *addrp; 5720 u8 proto; 5721 5722 if (sk == NULL) 5723 return NF_ACCEPT; 5724 sksec = sk->sk_security; 5725 5726 ad.type = LSM_AUDIT_DATA_NET; 5727 ad.u.net = &net; 5728 ad.u.net->netif = ifindex; 5729 ad.u.net->family = family; 5730 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5731 return NF_DROP; 5732 5733 if (selinux_secmark_enabled()) 5734 if (avc_has_perm(&selinux_state, 5735 sksec->sid, skb->secmark, 5736 SECCLASS_PACKET, PACKET__SEND, &ad)) 5737 return NF_DROP_ERR(-ECONNREFUSED); 5738 5739 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5740 return NF_DROP_ERR(-ECONNREFUSED); 5741 5742 return NF_ACCEPT; 5743 } 5744 5745 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5746 const struct net_device *outdev, 5747 u16 family) 5748 { 5749 u32 secmark_perm; 5750 u32 peer_sid; 5751 int ifindex = outdev->ifindex; 5752 struct sock *sk; 5753 struct common_audit_data ad; 5754 struct lsm_network_audit net = {0,}; 5755 char *addrp; 5756 u8 secmark_active; 5757 u8 peerlbl_active; 5758 5759 /* If any sort of compatibility mode is enabled then handoff processing 5760 * to the selinux_ip_postroute_compat() function to deal with the 5761 * special handling. We do this in an attempt to keep this function 5762 * as fast and as clean as possible. */ 5763 if (!selinux_policycap_netpeer()) 5764 return selinux_ip_postroute_compat(skb, ifindex, family); 5765 5766 secmark_active = selinux_secmark_enabled(); 5767 peerlbl_active = selinux_peerlbl_enabled(); 5768 if (!secmark_active && !peerlbl_active) 5769 return NF_ACCEPT; 5770 5771 sk = skb_to_full_sk(skb); 5772 5773 #ifdef CONFIG_XFRM 5774 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5775 * packet transformation so allow the packet to pass without any checks 5776 * since we'll have another chance to perform access control checks 5777 * when the packet is on it's final way out. 5778 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5779 * is NULL, in this case go ahead and apply access control. 5780 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5781 * TCP listening state we cannot wait until the XFRM processing 5782 * is done as we will miss out on the SA label if we do; 5783 * unfortunately, this means more work, but it is only once per 5784 * connection. */ 5785 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5786 !(sk && sk_listener(sk))) 5787 return NF_ACCEPT; 5788 #endif 5789 5790 if (sk == NULL) { 5791 /* Without an associated socket the packet is either coming 5792 * from the kernel or it is being forwarded; check the packet 5793 * to determine which and if the packet is being forwarded 5794 * query the packet directly to determine the security label. */ 5795 if (skb->skb_iif) { 5796 secmark_perm = PACKET__FORWARD_OUT; 5797 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5798 return NF_DROP; 5799 } else { 5800 secmark_perm = PACKET__SEND; 5801 peer_sid = SECINITSID_KERNEL; 5802 } 5803 } else if (sk_listener(sk)) { 5804 /* Locally generated packet but the associated socket is in the 5805 * listening state which means this is a SYN-ACK packet. In 5806 * this particular case the correct security label is assigned 5807 * to the connection/request_sock but unfortunately we can't 5808 * query the request_sock as it isn't queued on the parent 5809 * socket until after the SYN-ACK packet is sent; the only 5810 * viable choice is to regenerate the label like we do in 5811 * selinux_inet_conn_request(). See also selinux_ip_output() 5812 * for similar problems. */ 5813 u32 skb_sid; 5814 struct sk_security_struct *sksec; 5815 5816 sksec = sk->sk_security; 5817 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5818 return NF_DROP; 5819 /* At this point, if the returned skb peerlbl is SECSID_NULL 5820 * and the packet has been through at least one XFRM 5821 * transformation then we must be dealing with the "final" 5822 * form of labeled IPsec packet; since we've already applied 5823 * all of our access controls on this packet we can safely 5824 * pass the packet. */ 5825 if (skb_sid == SECSID_NULL) { 5826 switch (family) { 5827 case PF_INET: 5828 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5829 return NF_ACCEPT; 5830 break; 5831 case PF_INET6: 5832 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5833 return NF_ACCEPT; 5834 break; 5835 default: 5836 return NF_DROP_ERR(-ECONNREFUSED); 5837 } 5838 } 5839 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5840 return NF_DROP; 5841 secmark_perm = PACKET__SEND; 5842 } else { 5843 /* Locally generated packet, fetch the security label from the 5844 * associated socket. */ 5845 struct sk_security_struct *sksec = sk->sk_security; 5846 peer_sid = sksec->sid; 5847 secmark_perm = PACKET__SEND; 5848 } 5849 5850 ad.type = LSM_AUDIT_DATA_NET; 5851 ad.u.net = &net; 5852 ad.u.net->netif = ifindex; 5853 ad.u.net->family = family; 5854 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5855 return NF_DROP; 5856 5857 if (secmark_active) 5858 if (avc_has_perm(&selinux_state, 5859 peer_sid, skb->secmark, 5860 SECCLASS_PACKET, secmark_perm, &ad)) 5861 return NF_DROP_ERR(-ECONNREFUSED); 5862 5863 if (peerlbl_active) { 5864 u32 if_sid; 5865 u32 node_sid; 5866 5867 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5868 return NF_DROP; 5869 if (avc_has_perm(&selinux_state, 5870 peer_sid, if_sid, 5871 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5872 return NF_DROP_ERR(-ECONNREFUSED); 5873 5874 if (sel_netnode_sid(addrp, family, &node_sid)) 5875 return NF_DROP; 5876 if (avc_has_perm(&selinux_state, 5877 peer_sid, node_sid, 5878 SECCLASS_NODE, NODE__SENDTO, &ad)) 5879 return NF_DROP_ERR(-ECONNREFUSED); 5880 } 5881 5882 return NF_ACCEPT; 5883 } 5884 5885 static unsigned int selinux_ipv4_postroute(void *priv, 5886 struct sk_buff *skb, 5887 const struct nf_hook_state *state) 5888 { 5889 return selinux_ip_postroute(skb, state->out, PF_INET); 5890 } 5891 5892 #if IS_ENABLED(CONFIG_IPV6) 5893 static unsigned int selinux_ipv6_postroute(void *priv, 5894 struct sk_buff *skb, 5895 const struct nf_hook_state *state) 5896 { 5897 return selinux_ip_postroute(skb, state->out, PF_INET6); 5898 } 5899 #endif /* IPV6 */ 5900 5901 #endif /* CONFIG_NETFILTER */ 5902 5903 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5904 { 5905 return selinux_nlmsg_perm(sk, skb); 5906 } 5907 5908 static int ipc_alloc_security(struct kern_ipc_perm *perm, 5909 u16 sclass) 5910 { 5911 struct ipc_security_struct *isec; 5912 5913 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 5914 if (!isec) 5915 return -ENOMEM; 5916 5917 isec->sclass = sclass; 5918 isec->sid = current_sid(); 5919 perm->security = isec; 5920 5921 return 0; 5922 } 5923 5924 static void ipc_free_security(struct kern_ipc_perm *perm) 5925 { 5926 struct ipc_security_struct *isec = perm->security; 5927 perm->security = NULL; 5928 kfree(isec); 5929 } 5930 5931 static int msg_msg_alloc_security(struct msg_msg *msg) 5932 { 5933 struct msg_security_struct *msec; 5934 5935 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 5936 if (!msec) 5937 return -ENOMEM; 5938 5939 msec->sid = SECINITSID_UNLABELED; 5940 msg->security = msec; 5941 5942 return 0; 5943 } 5944 5945 static void msg_msg_free_security(struct msg_msg *msg) 5946 { 5947 struct msg_security_struct *msec = msg->security; 5948 5949 msg->security = NULL; 5950 kfree(msec); 5951 } 5952 5953 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5954 u32 perms) 5955 { 5956 struct ipc_security_struct *isec; 5957 struct common_audit_data ad; 5958 u32 sid = current_sid(); 5959 5960 isec = ipc_perms->security; 5961 5962 ad.type = LSM_AUDIT_DATA_IPC; 5963 ad.u.ipc_id = ipc_perms->key; 5964 5965 return avc_has_perm(&selinux_state, 5966 sid, isec->sid, isec->sclass, perms, &ad); 5967 } 5968 5969 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5970 { 5971 return msg_msg_alloc_security(msg); 5972 } 5973 5974 static void selinux_msg_msg_free_security(struct msg_msg *msg) 5975 { 5976 msg_msg_free_security(msg); 5977 } 5978 5979 /* message queue security operations */ 5980 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 5981 { 5982 struct ipc_security_struct *isec; 5983 struct common_audit_data ad; 5984 u32 sid = current_sid(); 5985 int rc; 5986 5987 rc = ipc_alloc_security(msq, SECCLASS_MSGQ); 5988 if (rc) 5989 return rc; 5990 5991 isec = msq->security; 5992 5993 ad.type = LSM_AUDIT_DATA_IPC; 5994 ad.u.ipc_id = msq->key; 5995 5996 rc = avc_has_perm(&selinux_state, 5997 sid, isec->sid, SECCLASS_MSGQ, 5998 MSGQ__CREATE, &ad); 5999 if (rc) { 6000 ipc_free_security(msq); 6001 return rc; 6002 } 6003 return 0; 6004 } 6005 6006 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq) 6007 { 6008 ipc_free_security(msq); 6009 } 6010 6011 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 6012 { 6013 struct ipc_security_struct *isec; 6014 struct common_audit_data ad; 6015 u32 sid = current_sid(); 6016 6017 isec = msq->security; 6018 6019 ad.type = LSM_AUDIT_DATA_IPC; 6020 ad.u.ipc_id = msq->key; 6021 6022 return avc_has_perm(&selinux_state, 6023 sid, isec->sid, SECCLASS_MSGQ, 6024 MSGQ__ASSOCIATE, &ad); 6025 } 6026 6027 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 6028 { 6029 int err; 6030 int perms; 6031 6032 switch (cmd) { 6033 case IPC_INFO: 6034 case MSG_INFO: 6035 /* No specific object, just general system-wide information. */ 6036 return avc_has_perm(&selinux_state, 6037 current_sid(), SECINITSID_KERNEL, 6038 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6039 case IPC_STAT: 6040 case MSG_STAT: 6041 case MSG_STAT_ANY: 6042 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6043 break; 6044 case IPC_SET: 6045 perms = MSGQ__SETATTR; 6046 break; 6047 case IPC_RMID: 6048 perms = MSGQ__DESTROY; 6049 break; 6050 default: 6051 return 0; 6052 } 6053 6054 err = ipc_has_perm(msq, perms); 6055 return err; 6056 } 6057 6058 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6059 { 6060 struct ipc_security_struct *isec; 6061 struct msg_security_struct *msec; 6062 struct common_audit_data ad; 6063 u32 sid = current_sid(); 6064 int rc; 6065 6066 isec = msq->security; 6067 msec = msg->security; 6068 6069 /* 6070 * First time through, need to assign label to the message 6071 */ 6072 if (msec->sid == SECINITSID_UNLABELED) { 6073 /* 6074 * Compute new sid based on current process and 6075 * message queue this message will be stored in 6076 */ 6077 rc = security_transition_sid(&selinux_state, sid, isec->sid, 6078 SECCLASS_MSG, NULL, &msec->sid); 6079 if (rc) 6080 return rc; 6081 } 6082 6083 ad.type = LSM_AUDIT_DATA_IPC; 6084 ad.u.ipc_id = msq->key; 6085 6086 /* Can this process write to the queue? */ 6087 rc = avc_has_perm(&selinux_state, 6088 sid, isec->sid, SECCLASS_MSGQ, 6089 MSGQ__WRITE, &ad); 6090 if (!rc) 6091 /* Can this process send the message */ 6092 rc = avc_has_perm(&selinux_state, 6093 sid, msec->sid, SECCLASS_MSG, 6094 MSG__SEND, &ad); 6095 if (!rc) 6096 /* Can the message be put in the queue? */ 6097 rc = avc_has_perm(&selinux_state, 6098 msec->sid, isec->sid, SECCLASS_MSGQ, 6099 MSGQ__ENQUEUE, &ad); 6100 6101 return rc; 6102 } 6103 6104 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6105 struct task_struct *target, 6106 long type, int mode) 6107 { 6108 struct ipc_security_struct *isec; 6109 struct msg_security_struct *msec; 6110 struct common_audit_data ad; 6111 u32 sid = task_sid(target); 6112 int rc; 6113 6114 isec = msq->security; 6115 msec = msg->security; 6116 6117 ad.type = LSM_AUDIT_DATA_IPC; 6118 ad.u.ipc_id = msq->key; 6119 6120 rc = avc_has_perm(&selinux_state, 6121 sid, isec->sid, 6122 SECCLASS_MSGQ, MSGQ__READ, &ad); 6123 if (!rc) 6124 rc = avc_has_perm(&selinux_state, 6125 sid, msec->sid, 6126 SECCLASS_MSG, MSG__RECEIVE, &ad); 6127 return rc; 6128 } 6129 6130 /* Shared Memory security operations */ 6131 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6132 { 6133 struct ipc_security_struct *isec; 6134 struct common_audit_data ad; 6135 u32 sid = current_sid(); 6136 int rc; 6137 6138 rc = ipc_alloc_security(shp, SECCLASS_SHM); 6139 if (rc) 6140 return rc; 6141 6142 isec = shp->security; 6143 6144 ad.type = LSM_AUDIT_DATA_IPC; 6145 ad.u.ipc_id = shp->key; 6146 6147 rc = avc_has_perm(&selinux_state, 6148 sid, isec->sid, SECCLASS_SHM, 6149 SHM__CREATE, &ad); 6150 if (rc) { 6151 ipc_free_security(shp); 6152 return rc; 6153 } 6154 return 0; 6155 } 6156 6157 static void selinux_shm_free_security(struct kern_ipc_perm *shp) 6158 { 6159 ipc_free_security(shp); 6160 } 6161 6162 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6163 { 6164 struct ipc_security_struct *isec; 6165 struct common_audit_data ad; 6166 u32 sid = current_sid(); 6167 6168 isec = shp->security; 6169 6170 ad.type = LSM_AUDIT_DATA_IPC; 6171 ad.u.ipc_id = shp->key; 6172 6173 return avc_has_perm(&selinux_state, 6174 sid, isec->sid, SECCLASS_SHM, 6175 SHM__ASSOCIATE, &ad); 6176 } 6177 6178 /* Note, at this point, shp is locked down */ 6179 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6180 { 6181 int perms; 6182 int err; 6183 6184 switch (cmd) { 6185 case IPC_INFO: 6186 case SHM_INFO: 6187 /* No specific object, just general system-wide information. */ 6188 return avc_has_perm(&selinux_state, 6189 current_sid(), SECINITSID_KERNEL, 6190 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6191 case IPC_STAT: 6192 case SHM_STAT: 6193 case SHM_STAT_ANY: 6194 perms = SHM__GETATTR | SHM__ASSOCIATE; 6195 break; 6196 case IPC_SET: 6197 perms = SHM__SETATTR; 6198 break; 6199 case SHM_LOCK: 6200 case SHM_UNLOCK: 6201 perms = SHM__LOCK; 6202 break; 6203 case IPC_RMID: 6204 perms = SHM__DESTROY; 6205 break; 6206 default: 6207 return 0; 6208 } 6209 6210 err = ipc_has_perm(shp, perms); 6211 return err; 6212 } 6213 6214 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6215 char __user *shmaddr, int shmflg) 6216 { 6217 u32 perms; 6218 6219 if (shmflg & SHM_RDONLY) 6220 perms = SHM__READ; 6221 else 6222 perms = SHM__READ | SHM__WRITE; 6223 6224 return ipc_has_perm(shp, perms); 6225 } 6226 6227 /* Semaphore security operations */ 6228 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6229 { 6230 struct ipc_security_struct *isec; 6231 struct common_audit_data ad; 6232 u32 sid = current_sid(); 6233 int rc; 6234 6235 rc = ipc_alloc_security(sma, SECCLASS_SEM); 6236 if (rc) 6237 return rc; 6238 6239 isec = sma->security; 6240 6241 ad.type = LSM_AUDIT_DATA_IPC; 6242 ad.u.ipc_id = sma->key; 6243 6244 rc = avc_has_perm(&selinux_state, 6245 sid, isec->sid, SECCLASS_SEM, 6246 SEM__CREATE, &ad); 6247 if (rc) { 6248 ipc_free_security(sma); 6249 return rc; 6250 } 6251 return 0; 6252 } 6253 6254 static void selinux_sem_free_security(struct kern_ipc_perm *sma) 6255 { 6256 ipc_free_security(sma); 6257 } 6258 6259 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6260 { 6261 struct ipc_security_struct *isec; 6262 struct common_audit_data ad; 6263 u32 sid = current_sid(); 6264 6265 isec = sma->security; 6266 6267 ad.type = LSM_AUDIT_DATA_IPC; 6268 ad.u.ipc_id = sma->key; 6269 6270 return avc_has_perm(&selinux_state, 6271 sid, isec->sid, SECCLASS_SEM, 6272 SEM__ASSOCIATE, &ad); 6273 } 6274 6275 /* Note, at this point, sma is locked down */ 6276 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6277 { 6278 int err; 6279 u32 perms; 6280 6281 switch (cmd) { 6282 case IPC_INFO: 6283 case SEM_INFO: 6284 /* No specific object, just general system-wide information. */ 6285 return avc_has_perm(&selinux_state, 6286 current_sid(), SECINITSID_KERNEL, 6287 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6288 case GETPID: 6289 case GETNCNT: 6290 case GETZCNT: 6291 perms = SEM__GETATTR; 6292 break; 6293 case GETVAL: 6294 case GETALL: 6295 perms = SEM__READ; 6296 break; 6297 case SETVAL: 6298 case SETALL: 6299 perms = SEM__WRITE; 6300 break; 6301 case IPC_RMID: 6302 perms = SEM__DESTROY; 6303 break; 6304 case IPC_SET: 6305 perms = SEM__SETATTR; 6306 break; 6307 case IPC_STAT: 6308 case SEM_STAT: 6309 case SEM_STAT_ANY: 6310 perms = SEM__GETATTR | SEM__ASSOCIATE; 6311 break; 6312 default: 6313 return 0; 6314 } 6315 6316 err = ipc_has_perm(sma, perms); 6317 return err; 6318 } 6319 6320 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6321 struct sembuf *sops, unsigned nsops, int alter) 6322 { 6323 u32 perms; 6324 6325 if (alter) 6326 perms = SEM__READ | SEM__WRITE; 6327 else 6328 perms = SEM__READ; 6329 6330 return ipc_has_perm(sma, perms); 6331 } 6332 6333 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6334 { 6335 u32 av = 0; 6336 6337 av = 0; 6338 if (flag & S_IRUGO) 6339 av |= IPC__UNIX_READ; 6340 if (flag & S_IWUGO) 6341 av |= IPC__UNIX_WRITE; 6342 6343 if (av == 0) 6344 return 0; 6345 6346 return ipc_has_perm(ipcp, av); 6347 } 6348 6349 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 6350 { 6351 struct ipc_security_struct *isec = ipcp->security; 6352 *secid = isec->sid; 6353 } 6354 6355 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6356 { 6357 if (inode) 6358 inode_doinit_with_dentry(inode, dentry); 6359 } 6360 6361 static int selinux_getprocattr(struct task_struct *p, 6362 char *name, char **value) 6363 { 6364 const struct task_security_struct *__tsec; 6365 u32 sid; 6366 int error; 6367 unsigned len; 6368 6369 rcu_read_lock(); 6370 __tsec = __task_cred(p)->security; 6371 6372 if (current != p) { 6373 error = avc_has_perm(&selinux_state, 6374 current_sid(), __tsec->sid, 6375 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6376 if (error) 6377 goto bad; 6378 } 6379 6380 if (!strcmp(name, "current")) 6381 sid = __tsec->sid; 6382 else if (!strcmp(name, "prev")) 6383 sid = __tsec->osid; 6384 else if (!strcmp(name, "exec")) 6385 sid = __tsec->exec_sid; 6386 else if (!strcmp(name, "fscreate")) 6387 sid = __tsec->create_sid; 6388 else if (!strcmp(name, "keycreate")) 6389 sid = __tsec->keycreate_sid; 6390 else if (!strcmp(name, "sockcreate")) 6391 sid = __tsec->sockcreate_sid; 6392 else { 6393 error = -EINVAL; 6394 goto bad; 6395 } 6396 rcu_read_unlock(); 6397 6398 if (!sid) 6399 return 0; 6400 6401 error = security_sid_to_context(&selinux_state, sid, value, &len); 6402 if (error) 6403 return error; 6404 return len; 6405 6406 bad: 6407 rcu_read_unlock(); 6408 return error; 6409 } 6410 6411 static int selinux_setprocattr(const char *name, void *value, size_t size) 6412 { 6413 struct task_security_struct *tsec; 6414 struct cred *new; 6415 u32 mysid = current_sid(), sid = 0, ptsid; 6416 int error; 6417 char *str = value; 6418 6419 /* 6420 * Basic control over ability to set these attributes at all. 6421 */ 6422 if (!strcmp(name, "exec")) 6423 error = avc_has_perm(&selinux_state, 6424 mysid, mysid, SECCLASS_PROCESS, 6425 PROCESS__SETEXEC, NULL); 6426 else if (!strcmp(name, "fscreate")) 6427 error = avc_has_perm(&selinux_state, 6428 mysid, mysid, SECCLASS_PROCESS, 6429 PROCESS__SETFSCREATE, NULL); 6430 else if (!strcmp(name, "keycreate")) 6431 error = avc_has_perm(&selinux_state, 6432 mysid, mysid, SECCLASS_PROCESS, 6433 PROCESS__SETKEYCREATE, NULL); 6434 else if (!strcmp(name, "sockcreate")) 6435 error = avc_has_perm(&selinux_state, 6436 mysid, mysid, SECCLASS_PROCESS, 6437 PROCESS__SETSOCKCREATE, NULL); 6438 else if (!strcmp(name, "current")) 6439 error = avc_has_perm(&selinux_state, 6440 mysid, mysid, SECCLASS_PROCESS, 6441 PROCESS__SETCURRENT, NULL); 6442 else 6443 error = -EINVAL; 6444 if (error) 6445 return error; 6446 6447 /* Obtain a SID for the context, if one was specified. */ 6448 if (size && str[0] && str[0] != '\n') { 6449 if (str[size-1] == '\n') { 6450 str[size-1] = 0; 6451 size--; 6452 } 6453 error = security_context_to_sid(&selinux_state, value, size, 6454 &sid, GFP_KERNEL); 6455 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6456 if (!has_cap_mac_admin(true)) { 6457 struct audit_buffer *ab; 6458 size_t audit_size; 6459 6460 /* We strip a nul only if it is at the end, otherwise the 6461 * context contains a nul and we should audit that */ 6462 if (str[size - 1] == '\0') 6463 audit_size = size - 1; 6464 else 6465 audit_size = size; 6466 ab = audit_log_start(audit_context(), 6467 GFP_ATOMIC, 6468 AUDIT_SELINUX_ERR); 6469 audit_log_format(ab, "op=fscreate invalid_context="); 6470 audit_log_n_untrustedstring(ab, value, audit_size); 6471 audit_log_end(ab); 6472 6473 return error; 6474 } 6475 error = security_context_to_sid_force( 6476 &selinux_state, 6477 value, size, &sid); 6478 } 6479 if (error) 6480 return error; 6481 } 6482 6483 new = prepare_creds(); 6484 if (!new) 6485 return -ENOMEM; 6486 6487 /* Permission checking based on the specified context is 6488 performed during the actual operation (execve, 6489 open/mkdir/...), when we know the full context of the 6490 operation. See selinux_bprm_set_creds for the execve 6491 checks and may_create for the file creation checks. The 6492 operation will then fail if the context is not permitted. */ 6493 tsec = new->security; 6494 if (!strcmp(name, "exec")) { 6495 tsec->exec_sid = sid; 6496 } else if (!strcmp(name, "fscreate")) { 6497 tsec->create_sid = sid; 6498 } else if (!strcmp(name, "keycreate")) { 6499 error = avc_has_perm(&selinux_state, 6500 mysid, sid, SECCLASS_KEY, KEY__CREATE, 6501 NULL); 6502 if (error) 6503 goto abort_change; 6504 tsec->keycreate_sid = sid; 6505 } else if (!strcmp(name, "sockcreate")) { 6506 tsec->sockcreate_sid = sid; 6507 } else if (!strcmp(name, "current")) { 6508 error = -EINVAL; 6509 if (sid == 0) 6510 goto abort_change; 6511 6512 /* Only allow single threaded processes to change context */ 6513 error = -EPERM; 6514 if (!current_is_single_threaded()) { 6515 error = security_bounded_transition(&selinux_state, 6516 tsec->sid, sid); 6517 if (error) 6518 goto abort_change; 6519 } 6520 6521 /* Check permissions for the transition. */ 6522 error = avc_has_perm(&selinux_state, 6523 tsec->sid, sid, SECCLASS_PROCESS, 6524 PROCESS__DYNTRANSITION, NULL); 6525 if (error) 6526 goto abort_change; 6527 6528 /* Check for ptracing, and update the task SID if ok. 6529 Otherwise, leave SID unchanged and fail. */ 6530 ptsid = ptrace_parent_sid(); 6531 if (ptsid != 0) { 6532 error = avc_has_perm(&selinux_state, 6533 ptsid, sid, SECCLASS_PROCESS, 6534 PROCESS__PTRACE, NULL); 6535 if (error) 6536 goto abort_change; 6537 } 6538 6539 tsec->sid = sid; 6540 } else { 6541 error = -EINVAL; 6542 goto abort_change; 6543 } 6544 6545 commit_creds(new); 6546 return size; 6547 6548 abort_change: 6549 abort_creds(new); 6550 return error; 6551 } 6552 6553 static int selinux_ismaclabel(const char *name) 6554 { 6555 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6556 } 6557 6558 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6559 { 6560 return security_sid_to_context(&selinux_state, secid, 6561 secdata, seclen); 6562 } 6563 6564 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6565 { 6566 return security_context_to_sid(&selinux_state, secdata, seclen, 6567 secid, GFP_KERNEL); 6568 } 6569 6570 static void selinux_release_secctx(char *secdata, u32 seclen) 6571 { 6572 kfree(secdata); 6573 } 6574 6575 static void selinux_inode_invalidate_secctx(struct inode *inode) 6576 { 6577 struct inode_security_struct *isec = inode->i_security; 6578 6579 spin_lock(&isec->lock); 6580 isec->initialized = LABEL_INVALID; 6581 spin_unlock(&isec->lock); 6582 } 6583 6584 /* 6585 * called with inode->i_mutex locked 6586 */ 6587 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6588 { 6589 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 6590 } 6591 6592 /* 6593 * called with inode->i_mutex locked 6594 */ 6595 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6596 { 6597 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 6598 } 6599 6600 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6601 { 6602 int len = 0; 6603 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 6604 ctx, true); 6605 if (len < 0) 6606 return len; 6607 *ctxlen = len; 6608 return 0; 6609 } 6610 #ifdef CONFIG_KEYS 6611 6612 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6613 unsigned long flags) 6614 { 6615 const struct task_security_struct *tsec; 6616 struct key_security_struct *ksec; 6617 6618 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6619 if (!ksec) 6620 return -ENOMEM; 6621 6622 tsec = cred->security; 6623 if (tsec->keycreate_sid) 6624 ksec->sid = tsec->keycreate_sid; 6625 else 6626 ksec->sid = tsec->sid; 6627 6628 k->security = ksec; 6629 return 0; 6630 } 6631 6632 static void selinux_key_free(struct key *k) 6633 { 6634 struct key_security_struct *ksec = k->security; 6635 6636 k->security = NULL; 6637 kfree(ksec); 6638 } 6639 6640 static int selinux_key_permission(key_ref_t key_ref, 6641 const struct cred *cred, 6642 unsigned perm) 6643 { 6644 struct key *key; 6645 struct key_security_struct *ksec; 6646 u32 sid; 6647 6648 /* if no specific permissions are requested, we skip the 6649 permission check. No serious, additional covert channels 6650 appear to be created. */ 6651 if (perm == 0) 6652 return 0; 6653 6654 sid = cred_sid(cred); 6655 6656 key = key_ref_to_ptr(key_ref); 6657 ksec = key->security; 6658 6659 return avc_has_perm(&selinux_state, 6660 sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6661 } 6662 6663 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6664 { 6665 struct key_security_struct *ksec = key->security; 6666 char *context = NULL; 6667 unsigned len; 6668 int rc; 6669 6670 rc = security_sid_to_context(&selinux_state, ksec->sid, 6671 &context, &len); 6672 if (!rc) 6673 rc = len; 6674 *_buffer = context; 6675 return rc; 6676 } 6677 #endif 6678 6679 #ifdef CONFIG_SECURITY_INFINIBAND 6680 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6681 { 6682 struct common_audit_data ad; 6683 int err; 6684 u32 sid = 0; 6685 struct ib_security_struct *sec = ib_sec; 6686 struct lsm_ibpkey_audit ibpkey; 6687 6688 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6689 if (err) 6690 return err; 6691 6692 ad.type = LSM_AUDIT_DATA_IBPKEY; 6693 ibpkey.subnet_prefix = subnet_prefix; 6694 ibpkey.pkey = pkey_val; 6695 ad.u.ibpkey = &ibpkey; 6696 return avc_has_perm(&selinux_state, 6697 sec->sid, sid, 6698 SECCLASS_INFINIBAND_PKEY, 6699 INFINIBAND_PKEY__ACCESS, &ad); 6700 } 6701 6702 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6703 u8 port_num) 6704 { 6705 struct common_audit_data ad; 6706 int err; 6707 u32 sid = 0; 6708 struct ib_security_struct *sec = ib_sec; 6709 struct lsm_ibendport_audit ibendport; 6710 6711 err = security_ib_endport_sid(&selinux_state, dev_name, port_num, 6712 &sid); 6713 6714 if (err) 6715 return err; 6716 6717 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6718 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6719 ibendport.port = port_num; 6720 ad.u.ibendport = &ibendport; 6721 return avc_has_perm(&selinux_state, 6722 sec->sid, sid, 6723 SECCLASS_INFINIBAND_ENDPORT, 6724 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6725 } 6726 6727 static int selinux_ib_alloc_security(void **ib_sec) 6728 { 6729 struct ib_security_struct *sec; 6730 6731 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6732 if (!sec) 6733 return -ENOMEM; 6734 sec->sid = current_sid(); 6735 6736 *ib_sec = sec; 6737 return 0; 6738 } 6739 6740 static void selinux_ib_free_security(void *ib_sec) 6741 { 6742 kfree(ib_sec); 6743 } 6744 #endif 6745 6746 #ifdef CONFIG_BPF_SYSCALL 6747 static int selinux_bpf(int cmd, union bpf_attr *attr, 6748 unsigned int size) 6749 { 6750 u32 sid = current_sid(); 6751 int ret; 6752 6753 switch (cmd) { 6754 case BPF_MAP_CREATE: 6755 ret = avc_has_perm(&selinux_state, 6756 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6757 NULL); 6758 break; 6759 case BPF_PROG_LOAD: 6760 ret = avc_has_perm(&selinux_state, 6761 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6762 NULL); 6763 break; 6764 default: 6765 ret = 0; 6766 break; 6767 } 6768 6769 return ret; 6770 } 6771 6772 static u32 bpf_map_fmode_to_av(fmode_t fmode) 6773 { 6774 u32 av = 0; 6775 6776 if (fmode & FMODE_READ) 6777 av |= BPF__MAP_READ; 6778 if (fmode & FMODE_WRITE) 6779 av |= BPF__MAP_WRITE; 6780 return av; 6781 } 6782 6783 /* This function will check the file pass through unix socket or binder to see 6784 * if it is a bpf related object. And apply correspinding checks on the bpf 6785 * object based on the type. The bpf maps and programs, not like other files and 6786 * socket, are using a shared anonymous inode inside the kernel as their inode. 6787 * So checking that inode cannot identify if the process have privilege to 6788 * access the bpf object and that's why we have to add this additional check in 6789 * selinux_file_receive and selinux_binder_transfer_files. 6790 */ 6791 static int bpf_fd_pass(struct file *file, u32 sid) 6792 { 6793 struct bpf_security_struct *bpfsec; 6794 struct bpf_prog *prog; 6795 struct bpf_map *map; 6796 int ret; 6797 6798 if (file->f_op == &bpf_map_fops) { 6799 map = file->private_data; 6800 bpfsec = map->security; 6801 ret = avc_has_perm(&selinux_state, 6802 sid, bpfsec->sid, SECCLASS_BPF, 6803 bpf_map_fmode_to_av(file->f_mode), NULL); 6804 if (ret) 6805 return ret; 6806 } else if (file->f_op == &bpf_prog_fops) { 6807 prog = file->private_data; 6808 bpfsec = prog->aux->security; 6809 ret = avc_has_perm(&selinux_state, 6810 sid, bpfsec->sid, SECCLASS_BPF, 6811 BPF__PROG_RUN, NULL); 6812 if (ret) 6813 return ret; 6814 } 6815 return 0; 6816 } 6817 6818 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 6819 { 6820 u32 sid = current_sid(); 6821 struct bpf_security_struct *bpfsec; 6822 6823 bpfsec = map->security; 6824 return avc_has_perm(&selinux_state, 6825 sid, bpfsec->sid, SECCLASS_BPF, 6826 bpf_map_fmode_to_av(fmode), NULL); 6827 } 6828 6829 static int selinux_bpf_prog(struct bpf_prog *prog) 6830 { 6831 u32 sid = current_sid(); 6832 struct bpf_security_struct *bpfsec; 6833 6834 bpfsec = prog->aux->security; 6835 return avc_has_perm(&selinux_state, 6836 sid, bpfsec->sid, SECCLASS_BPF, 6837 BPF__PROG_RUN, NULL); 6838 } 6839 6840 static int selinux_bpf_map_alloc(struct bpf_map *map) 6841 { 6842 struct bpf_security_struct *bpfsec; 6843 6844 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6845 if (!bpfsec) 6846 return -ENOMEM; 6847 6848 bpfsec->sid = current_sid(); 6849 map->security = bpfsec; 6850 6851 return 0; 6852 } 6853 6854 static void selinux_bpf_map_free(struct bpf_map *map) 6855 { 6856 struct bpf_security_struct *bpfsec = map->security; 6857 6858 map->security = NULL; 6859 kfree(bpfsec); 6860 } 6861 6862 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux) 6863 { 6864 struct bpf_security_struct *bpfsec; 6865 6866 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6867 if (!bpfsec) 6868 return -ENOMEM; 6869 6870 bpfsec->sid = current_sid(); 6871 aux->security = bpfsec; 6872 6873 return 0; 6874 } 6875 6876 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) 6877 { 6878 struct bpf_security_struct *bpfsec = aux->security; 6879 6880 aux->security = NULL; 6881 kfree(bpfsec); 6882 } 6883 #endif 6884 6885 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 6886 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6887 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6888 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6889 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6890 6891 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 6892 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 6893 LSM_HOOK_INIT(capget, selinux_capget), 6894 LSM_HOOK_INIT(capset, selinux_capset), 6895 LSM_HOOK_INIT(capable, selinux_capable), 6896 LSM_HOOK_INIT(quotactl, selinux_quotactl), 6897 LSM_HOOK_INIT(quota_on, selinux_quota_on), 6898 LSM_HOOK_INIT(syslog, selinux_syslog), 6899 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6900 6901 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6902 6903 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6904 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6905 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6906 6907 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6908 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6909 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data), 6910 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6911 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6912 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6913 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 6914 LSM_HOOK_INIT(sb_mount, selinux_mount), 6915 LSM_HOOK_INIT(sb_umount, selinux_umount), 6916 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 6917 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 6918 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), 6919 6920 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 6921 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 6922 6923 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 6924 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 6925 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 6926 LSM_HOOK_INIT(inode_create, selinux_inode_create), 6927 LSM_HOOK_INIT(inode_link, selinux_inode_link), 6928 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 6929 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 6930 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 6931 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 6932 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 6933 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 6934 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 6935 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 6936 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 6937 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 6938 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 6939 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 6940 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 6941 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 6942 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 6943 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 6944 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 6945 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 6946 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 6947 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 6948 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 6949 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 6950 6951 LSM_HOOK_INIT(file_permission, selinux_file_permission), 6952 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 6953 LSM_HOOK_INIT(file_free_security, selinux_file_free_security), 6954 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 6955 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 6956 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 6957 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 6958 LSM_HOOK_INIT(file_lock, selinux_file_lock), 6959 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 6960 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 6961 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 6962 LSM_HOOK_INIT(file_receive, selinux_file_receive), 6963 6964 LSM_HOOK_INIT(file_open, selinux_file_open), 6965 6966 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 6967 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), 6968 LSM_HOOK_INIT(cred_free, selinux_cred_free), 6969 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6970 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6971 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 6972 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6973 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6974 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6975 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 6976 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 6977 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 6978 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 6979 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), 6980 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 6981 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 6982 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 6983 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 6984 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 6985 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 6986 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 6987 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 6988 LSM_HOOK_INIT(task_kill, selinux_task_kill), 6989 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 6990 6991 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 6992 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 6993 6994 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 6995 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security), 6996 6997 LSM_HOOK_INIT(msg_queue_alloc_security, 6998 selinux_msg_queue_alloc_security), 6999 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security), 7000 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 7001 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 7002 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 7003 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 7004 7005 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 7006 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security), 7007 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 7008 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 7009 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 7010 7011 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 7012 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security), 7013 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 7014 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 7015 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 7016 7017 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 7018 7019 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 7020 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 7021 7022 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 7023 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 7024 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 7025 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 7026 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 7027 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 7028 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 7029 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 7030 7031 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 7032 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 7033 7034 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7035 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7036 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), 7037 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7038 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7039 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7040 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7041 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7042 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7043 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7044 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7045 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7046 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7047 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7048 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7049 LSM_HOOK_INIT(socket_getpeersec_stream, 7050 selinux_socket_getpeersec_stream), 7051 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7052 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7053 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7054 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7055 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7056 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7057 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7058 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7059 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7060 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7061 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7062 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7063 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7064 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7065 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7066 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7067 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7068 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 7069 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7070 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7071 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7072 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7073 #ifdef CONFIG_SECURITY_INFINIBAND 7074 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7075 LSM_HOOK_INIT(ib_endport_manage_subnet, 7076 selinux_ib_endport_manage_subnet), 7077 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7078 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 7079 #endif 7080 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7081 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7082 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7083 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7084 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7085 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7086 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7087 selinux_xfrm_state_alloc_acquire), 7088 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7089 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7090 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7091 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7092 selinux_xfrm_state_pol_flow_match), 7093 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7094 #endif 7095 7096 #ifdef CONFIG_KEYS 7097 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7098 LSM_HOOK_INIT(key_free, selinux_key_free), 7099 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7100 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7101 #endif 7102 7103 #ifdef CONFIG_AUDIT 7104 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7105 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7106 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7107 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7108 #endif 7109 7110 #ifdef CONFIG_BPF_SYSCALL 7111 LSM_HOOK_INIT(bpf, selinux_bpf), 7112 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7113 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7114 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), 7115 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), 7116 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free), 7117 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free), 7118 #endif 7119 }; 7120 7121 static __init int selinux_init(void) 7122 { 7123 if (!security_module_enable("selinux")) { 7124 selinux_enabled = 0; 7125 return 0; 7126 } 7127 7128 if (!selinux_enabled) { 7129 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 7130 return 0; 7131 } 7132 7133 printk(KERN_INFO "SELinux: Initializing.\n"); 7134 7135 memset(&selinux_state, 0, sizeof(selinux_state)); 7136 enforcing_set(&selinux_state, selinux_enforcing_boot); 7137 selinux_state.checkreqprot = selinux_checkreqprot_boot; 7138 selinux_ss_init(&selinux_state.ss); 7139 selinux_avc_init(&selinux_state.avc); 7140 7141 /* Set the security state for the initial task. */ 7142 cred_init_security(); 7143 7144 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7145 7146 sel_inode_cache = kmem_cache_create("selinux_inode_security", 7147 sizeof(struct inode_security_struct), 7148 0, SLAB_PANIC, NULL); 7149 file_security_cache = kmem_cache_create("selinux_file_security", 7150 sizeof(struct file_security_struct), 7151 0, SLAB_PANIC, NULL); 7152 avc_init(); 7153 7154 avtab_cache_init(); 7155 7156 ebitmap_cache_init(); 7157 7158 hashtab_cache_init(); 7159 7160 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 7161 7162 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7163 panic("SELinux: Unable to register AVC netcache callback\n"); 7164 7165 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7166 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7167 7168 if (selinux_enforcing_boot) 7169 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 7170 else 7171 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 7172 7173 return 0; 7174 } 7175 7176 static void delayed_superblock_init(struct super_block *sb, void *unused) 7177 { 7178 superblock_doinit(sb, NULL); 7179 } 7180 7181 void selinux_complete_init(void) 7182 { 7183 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 7184 7185 /* Set up any superblocks initialized prior to the policy load. */ 7186 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 7187 iterate_supers(delayed_superblock_init, NULL); 7188 } 7189 7190 /* SELinux requires early initialization in order to label 7191 all processes and objects when they are created. */ 7192 security_initcall(selinux_init); 7193 7194 #if defined(CONFIG_NETFILTER) 7195 7196 static const struct nf_hook_ops selinux_nf_ops[] = { 7197 { 7198 .hook = selinux_ipv4_postroute, 7199 .pf = NFPROTO_IPV4, 7200 .hooknum = NF_INET_POST_ROUTING, 7201 .priority = NF_IP_PRI_SELINUX_LAST, 7202 }, 7203 { 7204 .hook = selinux_ipv4_forward, 7205 .pf = NFPROTO_IPV4, 7206 .hooknum = NF_INET_FORWARD, 7207 .priority = NF_IP_PRI_SELINUX_FIRST, 7208 }, 7209 { 7210 .hook = selinux_ipv4_output, 7211 .pf = NFPROTO_IPV4, 7212 .hooknum = NF_INET_LOCAL_OUT, 7213 .priority = NF_IP_PRI_SELINUX_FIRST, 7214 }, 7215 #if IS_ENABLED(CONFIG_IPV6) 7216 { 7217 .hook = selinux_ipv6_postroute, 7218 .pf = NFPROTO_IPV6, 7219 .hooknum = NF_INET_POST_ROUTING, 7220 .priority = NF_IP6_PRI_SELINUX_LAST, 7221 }, 7222 { 7223 .hook = selinux_ipv6_forward, 7224 .pf = NFPROTO_IPV6, 7225 .hooknum = NF_INET_FORWARD, 7226 .priority = NF_IP6_PRI_SELINUX_FIRST, 7227 }, 7228 { 7229 .hook = selinux_ipv6_output, 7230 .pf = NFPROTO_IPV6, 7231 .hooknum = NF_INET_LOCAL_OUT, 7232 .priority = NF_IP6_PRI_SELINUX_FIRST, 7233 }, 7234 #endif /* IPV6 */ 7235 }; 7236 7237 static int __net_init selinux_nf_register(struct net *net) 7238 { 7239 return nf_register_net_hooks(net, selinux_nf_ops, 7240 ARRAY_SIZE(selinux_nf_ops)); 7241 } 7242 7243 static void __net_exit selinux_nf_unregister(struct net *net) 7244 { 7245 nf_unregister_net_hooks(net, selinux_nf_ops, 7246 ARRAY_SIZE(selinux_nf_ops)); 7247 } 7248 7249 static struct pernet_operations selinux_net_ops = { 7250 .init = selinux_nf_register, 7251 .exit = selinux_nf_unregister, 7252 }; 7253 7254 static int __init selinux_nf_ip_init(void) 7255 { 7256 int err; 7257 7258 if (!selinux_enabled) 7259 return 0; 7260 7261 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 7262 7263 err = register_pernet_subsys(&selinux_net_ops); 7264 if (err) 7265 panic("SELinux: register_pernet_subsys: error %d\n", err); 7266 7267 return 0; 7268 } 7269 __initcall(selinux_nf_ip_init); 7270 7271 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7272 static void selinux_nf_ip_exit(void) 7273 { 7274 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 7275 7276 unregister_pernet_subsys(&selinux_net_ops); 7277 } 7278 #endif 7279 7280 #else /* CONFIG_NETFILTER */ 7281 7282 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7283 #define selinux_nf_ip_exit() 7284 #endif 7285 7286 #endif /* CONFIG_NETFILTER */ 7287 7288 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7289 int selinux_disable(struct selinux_state *state) 7290 { 7291 if (state->initialized) { 7292 /* Not permitted after initial policy load. */ 7293 return -EINVAL; 7294 } 7295 7296 if (state->disabled) { 7297 /* Only do this once. */ 7298 return -EINVAL; 7299 } 7300 7301 state->disabled = 1; 7302 7303 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 7304 7305 selinux_enabled = 0; 7306 7307 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7308 7309 /* Try to destroy the avc node cache */ 7310 avc_disable(); 7311 7312 /* Unregister netfilter hooks. */ 7313 selinux_nf_ip_exit(); 7314 7315 /* Unregister selinuxfs. */ 7316 exit_sel_fs(); 7317 7318 return 0; 7319 } 7320 #endif 7321