1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com> 8 * Chris Vance, <cvance@nai.com> 9 * Wayne Salamon, <wsalamon@nai.com> 10 * James Morris <jmorris@redhat.com> 11 * 12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 14 * Eric Paris <eparis@redhat.com> 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 16 * <dgoeddel@trustedcs.com> 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 18 * Paul Moore <paul@paul-moore.com> 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 20 * Yuichi Nakamura <ynakam@hitachisoft.jp> 21 * Copyright (C) 2016 Mellanox Technologies 22 */ 23 24 #include <linux/init.h> 25 #include <linux/kd.h> 26 #include <linux/kernel.h> 27 #include <linux/kernel_read_file.h> 28 #include <linux/errno.h> 29 #include <linux/sched/signal.h> 30 #include <linux/sched/task.h> 31 #include <linux/lsm_hooks.h> 32 #include <linux/xattr.h> 33 #include <linux/capability.h> 34 #include <linux/unistd.h> 35 #include <linux/mm.h> 36 #include <linux/mman.h> 37 #include <linux/slab.h> 38 #include <linux/pagemap.h> 39 #include <linux/proc_fs.h> 40 #include <linux/swap.h> 41 #include <linux/spinlock.h> 42 #include <linux/syscalls.h> 43 #include <linux/dcache.h> 44 #include <linux/file.h> 45 #include <linux/fdtable.h> 46 #include <linux/namei.h> 47 #include <linux/mount.h> 48 #include <linux/fs_context.h> 49 #include <linux/fs_parser.h> 50 #include <linux/netfilter_ipv4.h> 51 #include <linux/netfilter_ipv6.h> 52 #include <linux/tty.h> 53 #include <net/icmp.h> 54 #include <net/ip.h> /* for local_port_range[] */ 55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 56 #include <net/inet_connection_sock.h> 57 #include <net/net_namespace.h> 58 #include <net/netlabel.h> 59 #include <linux/uaccess.h> 60 #include <asm/ioctls.h> 61 #include <linux/atomic.h> 62 #include <linux/bitops.h> 63 #include <linux/interrupt.h> 64 #include <linux/netdevice.h> /* for network interface checks */ 65 #include <net/netlink.h> 66 #include <linux/tcp.h> 67 #include <linux/udp.h> 68 #include <linux/sctp.h> 69 #include <net/sctp/structs.h> 70 #include <linux/quota.h> 71 #include <linux/un.h> /* for Unix socket types */ 72 #include <net/af_unix.h> /* for Unix socket types */ 73 #include <linux/parser.h> 74 #include <linux/nfs_mount.h> 75 #include <net/ipv6.h> 76 #include <linux/hugetlb.h> 77 #include <linux/personality.h> 78 #include <linux/audit.h> 79 #include <linux/string.h> 80 #include <linux/mutex.h> 81 #include <linux/posix-timers.h> 82 #include <linux/syslog.h> 83 #include <linux/user_namespace.h> 84 #include <linux/export.h> 85 #include <linux/msg.h> 86 #include <linux/shm.h> 87 #include <uapi/linux/shm.h> 88 #include <linux/bpf.h> 89 #include <linux/kernfs.h> 90 #include <linux/stringhash.h> /* for hashlen_string() */ 91 #include <uapi/linux/mount.h> 92 #include <linux/fsnotify.h> 93 #include <linux/fanotify.h> 94 #include <linux/io_uring/cmd.h> 95 #include <uapi/linux/lsm.h> 96 #include <linux/memfd.h> 97 98 #include "initcalls.h" 99 #include "avc.h" 100 #include "objsec.h" 101 #include "netif.h" 102 #include "netnode.h" 103 #include "netport.h" 104 #include "ibpkey.h" 105 #include "xfrm.h" 106 #include "netlabel.h" 107 #include "audit.h" 108 #include "avc_ss.h" 109 110 #define SELINUX_INODE_INIT_XATTRS 1 111 112 struct selinux_state selinux_state; 113 114 /* SECMARK reference count */ 115 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 116 117 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 118 static int selinux_enforcing_boot __initdata; 119 120 static int __init enforcing_setup(char *str) 121 { 122 unsigned long enforcing; 123 if (!kstrtoul(str, 0, &enforcing)) 124 selinux_enforcing_boot = enforcing ? 1 : 0; 125 return 1; 126 } 127 __setup("enforcing=", enforcing_setup); 128 #else 129 #define selinux_enforcing_boot 1 130 #endif 131 132 int selinux_enabled_boot __initdata = 1; 133 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 134 static int __init selinux_enabled_setup(char *str) 135 { 136 unsigned long enabled; 137 if (!kstrtoul(str, 0, &enabled)) 138 selinux_enabled_boot = enabled ? 1 : 0; 139 return 1; 140 } 141 __setup("selinux=", selinux_enabled_setup); 142 #endif 143 144 static int __init checkreqprot_setup(char *str) 145 { 146 unsigned long checkreqprot; 147 148 if (!kstrtoul(str, 0, &checkreqprot)) { 149 if (checkreqprot) 150 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is no longer supported.\n"); 151 } 152 return 1; 153 } 154 __setup("checkreqprot=", checkreqprot_setup); 155 156 /** 157 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 158 * 159 * Description: 160 * This function checks the SECMARK reference counter to see if any SECMARK 161 * targets are currently configured, if the reference counter is greater than 162 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 163 * enabled, false (0) if SECMARK is disabled. If the always_check_network 164 * policy capability is enabled, SECMARK is always considered enabled. 165 * 166 */ 167 static int selinux_secmark_enabled(void) 168 { 169 return (selinux_policycap_alwaysnetwork() || 170 atomic_read(&selinux_secmark_refcount)); 171 } 172 173 /** 174 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 175 * 176 * Description: 177 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 178 * (1) if any are enabled or false (0) if neither are enabled. If the 179 * always_check_network policy capability is enabled, peer labeling 180 * is always considered enabled. 181 * 182 */ 183 static int selinux_peerlbl_enabled(void) 184 { 185 return (selinux_policycap_alwaysnetwork() || 186 netlbl_enabled() || selinux_xfrm_enabled()); 187 } 188 189 static int selinux_netcache_avc_callback(u32 event) 190 { 191 if (event == AVC_CALLBACK_RESET) { 192 sel_netif_flush(); 193 sel_netnode_flush(); 194 sel_netport_flush(); 195 synchronize_net(); 196 } 197 return 0; 198 } 199 200 static int selinux_lsm_notifier_avc_callback(u32 event) 201 { 202 if (event == AVC_CALLBACK_RESET) { 203 sel_ib_pkey_flush(); 204 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); 205 } 206 207 return 0; 208 } 209 210 /* 211 * initialise the security for the init task 212 */ 213 static void cred_init_security(void) 214 { 215 struct cred_security_struct *crsec; 216 217 /* NOTE: the lsm framework zeros out the buffer on allocation */ 218 219 crsec = selinux_cred(unrcu_pointer(current->real_cred)); 220 crsec->osid = crsec->sid = SECINITSID_KERNEL; 221 } 222 223 /* 224 * get the security ID of a set of credentials 225 */ 226 static inline u32 cred_sid(const struct cred *cred) 227 { 228 const struct cred_security_struct *crsec; 229 230 crsec = selinux_cred(cred); 231 return crsec->sid; 232 } 233 234 static void __ad_net_init(struct common_audit_data *ad, 235 struct lsm_network_audit *net, 236 int ifindex, struct sock *sk, u16 family) 237 { 238 ad->type = LSM_AUDIT_DATA_NET; 239 ad->u.net = net; 240 net->netif = ifindex; 241 net->sk = sk; 242 net->family = family; 243 } 244 245 static void ad_net_init_from_sk(struct common_audit_data *ad, 246 struct lsm_network_audit *net, 247 struct sock *sk) 248 { 249 __ad_net_init(ad, net, 0, sk, 0); 250 } 251 252 static void ad_net_init_from_iif(struct common_audit_data *ad, 253 struct lsm_network_audit *net, 254 int ifindex, u16 family) 255 { 256 __ad_net_init(ad, net, ifindex, NULL, family); 257 } 258 259 /* 260 * get the objective security ID of a task 261 */ 262 static inline u32 task_sid_obj(const struct task_struct *task) 263 { 264 u32 sid; 265 266 rcu_read_lock(); 267 sid = cred_sid(__task_cred(task)); 268 rcu_read_unlock(); 269 return sid; 270 } 271 272 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 273 274 /* 275 * Try reloading inode security labels that have been marked as invalid. The 276 * @may_sleep parameter indicates when sleeping and thus reloading labels is 277 * allowed; when set to false, returns -ECHILD when the label is 278 * invalid. The @dentry parameter should be set to a dentry of the inode. 279 */ 280 static int __inode_security_revalidate(struct inode *inode, 281 struct dentry *dentry, 282 bool may_sleep) 283 { 284 if (!selinux_initialized()) 285 return 0; 286 287 if (may_sleep) 288 might_sleep(); 289 else 290 return -ECHILD; 291 292 /* 293 * Check to ensure that an inode's SELinux state is valid and try 294 * reloading the inode security label if necessary. This will fail if 295 * @dentry is NULL and no dentry for this inode can be found; in that 296 * case, continue using the old label. 297 */ 298 inode_doinit_with_dentry(inode, dentry); 299 return 0; 300 } 301 302 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 303 { 304 return selinux_inode(inode); 305 } 306 307 static inline struct inode_security_struct *inode_security_rcu(struct inode *inode, 308 bool rcu) 309 { 310 int rc; 311 struct inode_security_struct *isec = selinux_inode(inode); 312 313 /* check below is racy, but revalidate will recheck with lock held */ 314 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 315 return isec; 316 rc = __inode_security_revalidate(inode, NULL, !rcu); 317 if (rc) 318 return ERR_PTR(rc); 319 return isec; 320 } 321 322 /* 323 * Get the security label of an inode. 324 */ 325 static inline struct inode_security_struct *inode_security(struct inode *inode) 326 { 327 struct inode_security_struct *isec = selinux_inode(inode); 328 329 /* check below is racy, but revalidate will recheck with lock held */ 330 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 331 return isec; 332 __inode_security_revalidate(inode, NULL, true); 333 return isec; 334 } 335 336 static inline struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 337 { 338 return selinux_inode(d_backing_inode(dentry)); 339 } 340 341 /* 342 * Get the security label of a dentry's backing inode. 343 */ 344 static inline struct inode_security_struct *backing_inode_security(struct dentry *dentry) 345 { 346 struct inode *inode = d_backing_inode(dentry); 347 struct inode_security_struct *isec = selinux_inode(inode); 348 349 /* check below is racy, but revalidate will recheck with lock held */ 350 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 351 return isec; 352 __inode_security_revalidate(inode, dentry, true); 353 return isec; 354 } 355 356 static void inode_free_security(struct inode *inode) 357 { 358 struct inode_security_struct *isec = selinux_inode(inode); 359 struct superblock_security_struct *sbsec; 360 361 if (!isec) 362 return; 363 sbsec = selinux_superblock(inode->i_sb); 364 /* 365 * As not all inode security structures are in a list, we check for 366 * empty list outside of the lock to make sure that we won't waste 367 * time taking a lock doing nothing. 368 * 369 * The list_del_init() function can be safely called more than once. 370 * It should not be possible for this function to be called with 371 * concurrent list_add(), but for better safety against future changes 372 * in the code, we use list_empty_careful() here. 373 */ 374 if (!list_empty_careful(&isec->list)) { 375 spin_lock(&sbsec->isec_lock); 376 list_del_init(&isec->list); 377 spin_unlock(&sbsec->isec_lock); 378 } 379 } 380 381 struct selinux_mnt_opts { 382 u32 fscontext_sid; 383 u32 context_sid; 384 u32 rootcontext_sid; 385 u32 defcontext_sid; 386 }; 387 388 static void selinux_free_mnt_opts(void *mnt_opts) 389 { 390 kfree(mnt_opts); 391 } 392 393 enum { 394 Opt_error = -1, 395 Opt_context = 0, 396 Opt_defcontext = 1, 397 Opt_fscontext = 2, 398 Opt_rootcontext = 3, 399 Opt_seclabel = 4, 400 }; 401 402 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} 403 static const struct { 404 const char *name; 405 int len; 406 int opt; 407 bool has_arg; 408 } tokens[] = { 409 A(context, true), 410 A(fscontext, true), 411 A(defcontext, true), 412 A(rootcontext, true), 413 A(seclabel, false), 414 }; 415 #undef A 416 417 static int match_opt_prefix(char *s, int l, char **arg) 418 { 419 unsigned int i; 420 421 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 422 size_t len = tokens[i].len; 423 if (len > l || memcmp(s, tokens[i].name, len)) 424 continue; 425 if (tokens[i].has_arg) { 426 if (len == l || s[len] != '=') 427 continue; 428 *arg = s + len + 1; 429 } else if (len != l) 430 continue; 431 return tokens[i].opt; 432 } 433 return Opt_error; 434 } 435 436 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 437 438 static int may_context_mount_sb_relabel(u32 sid, 439 struct superblock_security_struct *sbsec, 440 const struct cred *cred) 441 { 442 const struct cred_security_struct *crsec = selinux_cred(cred); 443 int rc; 444 445 rc = avc_has_perm(crsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 446 FILESYSTEM__RELABELFROM, NULL); 447 if (rc) 448 return rc; 449 450 rc = avc_has_perm(crsec->sid, sid, SECCLASS_FILESYSTEM, 451 FILESYSTEM__RELABELTO, NULL); 452 return rc; 453 } 454 455 static int may_context_mount_inode_relabel(u32 sid, 456 struct superblock_security_struct *sbsec, 457 const struct cred *cred) 458 { 459 const struct cred_security_struct *crsec = selinux_cred(cred); 460 int rc; 461 rc = avc_has_perm(crsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 462 FILESYSTEM__RELABELFROM, NULL); 463 if (rc) 464 return rc; 465 466 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 467 FILESYSTEM__ASSOCIATE, NULL); 468 return rc; 469 } 470 471 static int selinux_is_genfs_special_handling(struct super_block *sb) 472 { 473 /* Special handling. Genfs but also in-core setxattr handler */ 474 return !strcmp(sb->s_type->name, "sysfs") || 475 !strcmp(sb->s_type->name, "pstore") || 476 !strcmp(sb->s_type->name, "debugfs") || 477 !strcmp(sb->s_type->name, "tracefs") || 478 !strcmp(sb->s_type->name, "rootfs") || 479 (selinux_policycap_cgroupseclabel() && 480 (!strcmp(sb->s_type->name, "cgroup") || 481 !strcmp(sb->s_type->name, "cgroup2"))) || 482 (selinux_policycap_functionfs_seclabel() && 483 !strcmp(sb->s_type->name, "functionfs")); 484 } 485 486 static int selinux_is_sblabel_mnt(struct super_block *sb) 487 { 488 struct superblock_security_struct *sbsec = selinux_superblock(sb); 489 490 /* 491 * IMPORTANT: Double-check logic in this function when adding a new 492 * SECURITY_FS_USE_* definition! 493 */ 494 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); 495 496 switch (sbsec->behavior) { 497 case SECURITY_FS_USE_XATTR: 498 case SECURITY_FS_USE_TRANS: 499 case SECURITY_FS_USE_TASK: 500 case SECURITY_FS_USE_NATIVE: 501 return 1; 502 503 case SECURITY_FS_USE_GENFS: 504 return selinux_is_genfs_special_handling(sb); 505 506 /* Never allow relabeling on context mounts */ 507 case SECURITY_FS_USE_MNTPOINT: 508 case SECURITY_FS_USE_NONE: 509 default: 510 return 0; 511 } 512 } 513 514 static int sb_check_xattr_support(struct super_block *sb) 515 { 516 struct superblock_security_struct *sbsec = selinux_superblock(sb); 517 struct dentry *root = sb->s_root; 518 struct inode *root_inode = d_backing_inode(root); 519 u32 sid; 520 int rc; 521 522 /* 523 * Make sure that the xattr handler exists and that no 524 * error other than -ENODATA is returned by getxattr on 525 * the root directory. -ENODATA is ok, as this may be 526 * the first boot of the SELinux kernel before we have 527 * assigned xattr values to the filesystem. 528 */ 529 if (!(root_inode->i_opflags & IOP_XATTR)) { 530 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n", 531 sb->s_id, sb->s_type->name); 532 goto fallback; 533 } 534 535 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 536 if (rc < 0 && rc != -ENODATA) { 537 if (rc == -EOPNOTSUPP) { 538 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n", 539 sb->s_id, sb->s_type->name); 540 goto fallback; 541 } else { 542 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n", 543 sb->s_id, sb->s_type->name, -rc); 544 return rc; 545 } 546 } 547 return 0; 548 549 fallback: 550 /* No xattr support - try to fallback to genfs if possible. */ 551 rc = security_genfs_sid(sb->s_type->name, "/", 552 SECCLASS_DIR, &sid); 553 if (rc) 554 return -EOPNOTSUPP; 555 556 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n", 557 sb->s_id, sb->s_type->name); 558 sbsec->behavior = SECURITY_FS_USE_GENFS; 559 sbsec->sid = sid; 560 return 0; 561 } 562 563 static int sb_finish_set_opts(struct super_block *sb) 564 { 565 struct superblock_security_struct *sbsec = selinux_superblock(sb); 566 struct dentry *root = sb->s_root; 567 struct inode *root_inode = d_backing_inode(root); 568 int rc = 0; 569 570 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 571 rc = sb_check_xattr_support(sb); 572 if (rc) 573 return rc; 574 } 575 576 sbsec->flags |= SE_SBINITIALIZED; 577 578 /* 579 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 580 * leave the flag untouched because sb_clone_mnt_opts might be handing 581 * us a superblock that needs the flag to be cleared. 582 */ 583 if (selinux_is_sblabel_mnt(sb)) 584 sbsec->flags |= SBLABEL_MNT; 585 else 586 sbsec->flags &= ~SBLABEL_MNT; 587 588 /* Initialize the root inode. */ 589 rc = inode_doinit_with_dentry(root_inode, root); 590 591 /* Initialize any other inodes associated with the superblock, e.g. 592 inodes created prior to initial policy load or inodes created 593 during get_sb by a pseudo filesystem that directly 594 populates itself. */ 595 spin_lock(&sbsec->isec_lock); 596 while (!list_empty(&sbsec->isec_head)) { 597 struct inode_security_struct *isec = 598 list_first_entry(&sbsec->isec_head, 599 struct inode_security_struct, list); 600 struct inode *inode = isec->inode; 601 list_del_init(&isec->list); 602 spin_unlock(&sbsec->isec_lock); 603 inode = igrab(inode); 604 if (inode) { 605 if (!IS_PRIVATE(inode)) 606 inode_doinit_with_dentry(inode, NULL); 607 iput(inode); 608 } 609 spin_lock(&sbsec->isec_lock); 610 } 611 spin_unlock(&sbsec->isec_lock); 612 return rc; 613 } 614 615 static int bad_option(struct superblock_security_struct *sbsec, char flag, 616 u32 old_sid, u32 new_sid) 617 { 618 char mnt_flags = sbsec->flags & SE_MNTMASK; 619 620 /* check if the old mount command had the same options */ 621 if (sbsec->flags & SE_SBINITIALIZED) 622 if (!(sbsec->flags & flag) || 623 (old_sid != new_sid)) 624 return 1; 625 626 /* check if we were passed the same options twice, 627 * aka someone passed context=a,context=b 628 */ 629 if (!(sbsec->flags & SE_SBINITIALIZED)) 630 if (mnt_flags & flag) 631 return 1; 632 return 0; 633 } 634 635 /* 636 * Allow filesystems with binary mount data to explicitly set mount point 637 * labeling information. 638 */ 639 static int selinux_set_mnt_opts(struct super_block *sb, 640 void *mnt_opts, 641 unsigned long kern_flags, 642 unsigned long *set_kern_flags) 643 { 644 const struct cred *cred = current_cred(); 645 struct superblock_security_struct *sbsec = selinux_superblock(sb); 646 struct dentry *root = sb->s_root; 647 struct selinux_mnt_opts *opts = mnt_opts; 648 struct inode_security_struct *root_isec; 649 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 650 u32 defcontext_sid = 0; 651 int rc = 0; 652 653 /* 654 * Specifying internal flags without providing a place to 655 * place the results is not allowed 656 */ 657 if (kern_flags && !set_kern_flags) 658 return -EINVAL; 659 660 mutex_lock(&sbsec->lock); 661 662 if (!selinux_initialized()) { 663 if (!opts) { 664 /* Defer initialization until selinux_complete_init, 665 after the initial policy is loaded and the security 666 server is ready to handle calls. */ 667 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) { 668 sbsec->flags |= SE_SBNATIVE; 669 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 670 } 671 goto out; 672 } 673 rc = -EINVAL; 674 pr_warn("SELinux: Unable to set superblock options " 675 "before the security server is initialized\n"); 676 goto out; 677 } 678 679 /* 680 * Binary mount data FS will come through this function twice. Once 681 * from an explicit call and once from the generic calls from the vfs. 682 * Since the generic VFS calls will not contain any security mount data 683 * we need to skip the double mount verification. 684 * 685 * This does open a hole in which we will not notice if the first 686 * mount using this sb set explicit options and a second mount using 687 * this sb does not set any security options. (The first options 688 * will be used for both mounts) 689 */ 690 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 691 && !opts) 692 goto out; 693 694 root_isec = backing_inode_security_novalidate(root); 695 696 /* 697 * parse the mount options, check if they are valid sids. 698 * also check if someone is trying to mount the same sb more 699 * than once with different security options. 700 */ 701 if (opts) { 702 if (opts->fscontext_sid) { 703 fscontext_sid = opts->fscontext_sid; 704 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 705 fscontext_sid)) 706 goto out_double_mount; 707 sbsec->flags |= FSCONTEXT_MNT; 708 } 709 if (opts->context_sid) { 710 context_sid = opts->context_sid; 711 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 712 context_sid)) 713 goto out_double_mount; 714 sbsec->flags |= CONTEXT_MNT; 715 } 716 if (opts->rootcontext_sid) { 717 rootcontext_sid = opts->rootcontext_sid; 718 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 719 rootcontext_sid)) 720 goto out_double_mount; 721 sbsec->flags |= ROOTCONTEXT_MNT; 722 } 723 if (opts->defcontext_sid) { 724 defcontext_sid = opts->defcontext_sid; 725 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 726 defcontext_sid)) 727 goto out_double_mount; 728 sbsec->flags |= DEFCONTEXT_MNT; 729 } 730 } 731 732 if (sbsec->flags & SE_SBINITIALIZED) { 733 /* previously mounted with options, but not on this attempt? */ 734 if ((sbsec->flags & SE_MNTMASK) && !opts) 735 goto out_double_mount; 736 rc = 0; 737 goto out; 738 } 739 740 if (strcmp(sb->s_type->name, "proc") == 0) 741 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 742 743 if (!strcmp(sb->s_type->name, "debugfs") || 744 !strcmp(sb->s_type->name, "tracefs") || 745 !strcmp(sb->s_type->name, "binder") || 746 !strcmp(sb->s_type->name, "bpf") || 747 !strcmp(sb->s_type->name, "pstore") || 748 !strcmp(sb->s_type->name, "securityfs") || 749 (selinux_policycap_functionfs_seclabel() && 750 !strcmp(sb->s_type->name, "functionfs"))) 751 sbsec->flags |= SE_SBGENFS; 752 753 if (!strcmp(sb->s_type->name, "sysfs") || 754 !strcmp(sb->s_type->name, "cgroup") || 755 !strcmp(sb->s_type->name, "cgroup2")) 756 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR; 757 758 if (!sbsec->behavior) { 759 /* 760 * Determine the labeling behavior to use for this 761 * filesystem type. 762 */ 763 rc = security_fs_use(sb); 764 if (rc) { 765 pr_warn("%s: security_fs_use(%s) returned %d\n", 766 __func__, sb->s_type->name, rc); 767 goto out; 768 } 769 } 770 771 /* 772 * If this is a user namespace mount and the filesystem type is not 773 * explicitly whitelisted, then no contexts are allowed on the command 774 * line and security labels must be ignored. 775 */ 776 if (sb->s_user_ns != &init_user_ns && 777 strcmp(sb->s_type->name, "tmpfs") && 778 strcmp(sb->s_type->name, "ramfs") && 779 strcmp(sb->s_type->name, "devpts") && 780 strcmp(sb->s_type->name, "overlay")) { 781 if (context_sid || fscontext_sid || rootcontext_sid || 782 defcontext_sid) { 783 rc = -EACCES; 784 goto out; 785 } 786 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 787 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 788 rc = security_transition_sid(current_sid(), 789 current_sid(), 790 SECCLASS_FILE, NULL, 791 &sbsec->mntpoint_sid); 792 if (rc) 793 goto out; 794 } 795 goto out_set_opts; 796 } 797 798 /* sets the context of the superblock for the fs being mounted. */ 799 if (fscontext_sid) { 800 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 801 if (rc) 802 goto out; 803 804 sbsec->sid = fscontext_sid; 805 } 806 807 /* 808 * Switch to using mount point labeling behavior. 809 * sets the label used on all file below the mountpoint, and will set 810 * the superblock context if not already set. 811 */ 812 if (sbsec->flags & SE_SBNATIVE) { 813 /* 814 * This means we are initializing a superblock that has been 815 * mounted before the SELinux was initialized and the 816 * filesystem requested native labeling. We had already 817 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags 818 * in the original mount attempt, so now we just need to set 819 * the SECURITY_FS_USE_NATIVE behavior. 820 */ 821 sbsec->behavior = SECURITY_FS_USE_NATIVE; 822 } else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 823 sbsec->behavior = SECURITY_FS_USE_NATIVE; 824 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 825 } 826 827 if (context_sid) { 828 if (!fscontext_sid) { 829 rc = may_context_mount_sb_relabel(context_sid, sbsec, 830 cred); 831 if (rc) 832 goto out; 833 sbsec->sid = context_sid; 834 } else { 835 rc = may_context_mount_inode_relabel(context_sid, sbsec, 836 cred); 837 if (rc) 838 goto out; 839 } 840 if (!rootcontext_sid) 841 rootcontext_sid = context_sid; 842 843 sbsec->mntpoint_sid = context_sid; 844 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 845 } 846 847 if (rootcontext_sid) { 848 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 849 cred); 850 if (rc) 851 goto out; 852 853 root_isec->sid = rootcontext_sid; 854 root_isec->initialized = LABEL_INITIALIZED; 855 } 856 857 if (defcontext_sid) { 858 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 859 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 860 rc = -EINVAL; 861 pr_warn("SELinux: defcontext option is " 862 "invalid for this filesystem type\n"); 863 goto out; 864 } 865 866 if (defcontext_sid != sbsec->def_sid) { 867 rc = may_context_mount_inode_relabel(defcontext_sid, 868 sbsec, cred); 869 if (rc) 870 goto out; 871 } 872 873 sbsec->def_sid = defcontext_sid; 874 } 875 876 out_set_opts: 877 rc = sb_finish_set_opts(sb); 878 out: 879 mutex_unlock(&sbsec->lock); 880 return rc; 881 out_double_mount: 882 rc = -EINVAL; 883 pr_warn("SELinux: mount invalid. Same superblock, different " 884 "security settings for (dev %s, type %s)\n", sb->s_id, 885 sb->s_type->name); 886 goto out; 887 } 888 889 static int selinux_cmp_sb_context(const struct super_block *oldsb, 890 const struct super_block *newsb) 891 { 892 struct superblock_security_struct *old = selinux_superblock(oldsb); 893 struct superblock_security_struct *new = selinux_superblock(newsb); 894 char oldflags = old->flags & SE_MNTMASK; 895 char newflags = new->flags & SE_MNTMASK; 896 897 if (oldflags != newflags) 898 goto mismatch; 899 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 900 goto mismatch; 901 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 902 goto mismatch; 903 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 904 goto mismatch; 905 if (oldflags & ROOTCONTEXT_MNT) { 906 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 907 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 908 if (oldroot->sid != newroot->sid) 909 goto mismatch; 910 } 911 return 0; 912 mismatch: 913 pr_warn("SELinux: mount invalid. Same superblock, " 914 "different security settings for (dev %s, " 915 "type %s)\n", newsb->s_id, newsb->s_type->name); 916 return -EBUSY; 917 } 918 919 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 920 struct super_block *newsb, 921 unsigned long kern_flags, 922 unsigned long *set_kern_flags) 923 { 924 int rc = 0; 925 const struct superblock_security_struct *oldsbsec = 926 selinux_superblock(oldsb); 927 struct superblock_security_struct *newsbsec = selinux_superblock(newsb); 928 929 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 930 int set_context = (oldsbsec->flags & CONTEXT_MNT); 931 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 932 933 /* 934 * Specifying internal flags without providing a place to 935 * place the results is not allowed. 936 */ 937 if (kern_flags && !set_kern_flags) 938 return -EINVAL; 939 940 mutex_lock(&newsbsec->lock); 941 942 /* 943 * if the parent was able to be mounted it clearly had no special lsm 944 * mount options. thus we can safely deal with this superblock later 945 */ 946 if (!selinux_initialized()) { 947 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) { 948 newsbsec->flags |= SE_SBNATIVE; 949 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 950 } 951 goto out; 952 } 953 954 /* how can we clone if the old one wasn't set up?? */ 955 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 956 957 /* if fs is reusing a sb, make sure that the contexts match */ 958 if (newsbsec->flags & SE_SBINITIALIZED) { 959 mutex_unlock(&newsbsec->lock); 960 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) 961 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 962 return selinux_cmp_sb_context(oldsb, newsb); 963 } 964 965 newsbsec->flags = oldsbsec->flags; 966 967 newsbsec->sid = oldsbsec->sid; 968 newsbsec->def_sid = oldsbsec->def_sid; 969 newsbsec->behavior = oldsbsec->behavior; 970 971 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 972 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 973 rc = security_fs_use(newsb); 974 if (rc) 975 goto out; 976 } 977 978 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 979 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 980 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 981 } 982 983 if (set_context) { 984 u32 sid = oldsbsec->mntpoint_sid; 985 986 if (!set_fscontext) 987 newsbsec->sid = sid; 988 if (!set_rootcontext) { 989 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 990 newisec->sid = sid; 991 } 992 newsbsec->mntpoint_sid = sid; 993 } 994 if (set_rootcontext) { 995 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 996 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 997 998 newisec->sid = oldisec->sid; 999 } 1000 1001 sb_finish_set_opts(newsb); 1002 out: 1003 mutex_unlock(&newsbsec->lock); 1004 return rc; 1005 } 1006 1007 /* 1008 * NOTE: the caller is responsible for freeing the memory even if on error. 1009 */ 1010 static int selinux_add_opt(int token, const char *s, void **mnt_opts) 1011 { 1012 struct selinux_mnt_opts *opts = *mnt_opts; 1013 u32 *dst_sid; 1014 int rc; 1015 1016 if (token == Opt_seclabel) 1017 /* eaten and completely ignored */ 1018 return 0; 1019 if (!s) 1020 return -EINVAL; 1021 1022 if (!selinux_initialized()) { 1023 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n"); 1024 return -EINVAL; 1025 } 1026 1027 if (!opts) { 1028 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 1029 if (!opts) 1030 return -ENOMEM; 1031 *mnt_opts = opts; 1032 } 1033 1034 switch (token) { 1035 case Opt_context: 1036 if (opts->context_sid || opts->defcontext_sid) 1037 goto err; 1038 dst_sid = &opts->context_sid; 1039 break; 1040 case Opt_fscontext: 1041 if (opts->fscontext_sid) 1042 goto err; 1043 dst_sid = &opts->fscontext_sid; 1044 break; 1045 case Opt_rootcontext: 1046 if (opts->rootcontext_sid) 1047 goto err; 1048 dst_sid = &opts->rootcontext_sid; 1049 break; 1050 case Opt_defcontext: 1051 if (opts->context_sid || opts->defcontext_sid) 1052 goto err; 1053 dst_sid = &opts->defcontext_sid; 1054 break; 1055 default: 1056 WARN_ON(1); 1057 return -EINVAL; 1058 } 1059 rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL); 1060 if (rc) 1061 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n", 1062 s, rc); 1063 return rc; 1064 1065 err: 1066 pr_warn(SEL_MOUNT_FAIL_MSG); 1067 return -EINVAL; 1068 } 1069 1070 static int show_sid(struct seq_file *m, u32 sid) 1071 { 1072 char *context = NULL; 1073 u32 len; 1074 int rc; 1075 1076 rc = security_sid_to_context(sid, &context, &len); 1077 if (!rc) { 1078 bool has_comma = strchr(context, ','); 1079 1080 seq_putc(m, '='); 1081 if (has_comma) 1082 seq_putc(m, '\"'); 1083 seq_escape(m, context, "\"\n\\"); 1084 if (has_comma) 1085 seq_putc(m, '\"'); 1086 } 1087 kfree(context); 1088 return rc; 1089 } 1090 1091 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1092 { 1093 struct superblock_security_struct *sbsec = selinux_superblock(sb); 1094 int rc; 1095 1096 if (!(sbsec->flags & SE_SBINITIALIZED)) 1097 return 0; 1098 1099 if (!selinux_initialized()) 1100 return 0; 1101 1102 if (sbsec->flags & FSCONTEXT_MNT) { 1103 seq_putc(m, ','); 1104 seq_puts(m, FSCONTEXT_STR); 1105 rc = show_sid(m, sbsec->sid); 1106 if (rc) 1107 return rc; 1108 } 1109 if (sbsec->flags & CONTEXT_MNT) { 1110 seq_putc(m, ','); 1111 seq_puts(m, CONTEXT_STR); 1112 rc = show_sid(m, sbsec->mntpoint_sid); 1113 if (rc) 1114 return rc; 1115 } 1116 if (sbsec->flags & DEFCONTEXT_MNT) { 1117 seq_putc(m, ','); 1118 seq_puts(m, DEFCONTEXT_STR); 1119 rc = show_sid(m, sbsec->def_sid); 1120 if (rc) 1121 return rc; 1122 } 1123 if (sbsec->flags & ROOTCONTEXT_MNT) { 1124 struct dentry *root = sb->s_root; 1125 struct inode_security_struct *isec = backing_inode_security(root); 1126 seq_putc(m, ','); 1127 seq_puts(m, ROOTCONTEXT_STR); 1128 rc = show_sid(m, isec->sid); 1129 if (rc) 1130 return rc; 1131 } 1132 if (sbsec->flags & SBLABEL_MNT) { 1133 seq_putc(m, ','); 1134 seq_puts(m, SECLABEL_STR); 1135 } 1136 return 0; 1137 } 1138 1139 static inline u16 inode_mode_to_security_class(umode_t mode) 1140 { 1141 switch (mode & S_IFMT) { 1142 case S_IFSOCK: 1143 return SECCLASS_SOCK_FILE; 1144 case S_IFLNK: 1145 return SECCLASS_LNK_FILE; 1146 case S_IFREG: 1147 return SECCLASS_FILE; 1148 case S_IFBLK: 1149 return SECCLASS_BLK_FILE; 1150 case S_IFDIR: 1151 return SECCLASS_DIR; 1152 case S_IFCHR: 1153 return SECCLASS_CHR_FILE; 1154 case S_IFIFO: 1155 return SECCLASS_FIFO_FILE; 1156 1157 } 1158 1159 return SECCLASS_FILE; 1160 } 1161 1162 static inline int default_protocol_stream(int protocol) 1163 { 1164 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP || 1165 protocol == IPPROTO_MPTCP); 1166 } 1167 1168 static inline int default_protocol_dgram(int protocol) 1169 { 1170 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1171 } 1172 1173 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1174 { 1175 bool extsockclass = selinux_policycap_extsockclass(); 1176 1177 switch (family) { 1178 case PF_UNIX: 1179 switch (type) { 1180 case SOCK_STREAM: 1181 case SOCK_SEQPACKET: 1182 return SECCLASS_UNIX_STREAM_SOCKET; 1183 case SOCK_DGRAM: 1184 case SOCK_RAW: 1185 return SECCLASS_UNIX_DGRAM_SOCKET; 1186 } 1187 break; 1188 case PF_INET: 1189 case PF_INET6: 1190 switch (type) { 1191 case SOCK_STREAM: 1192 case SOCK_SEQPACKET: 1193 if (default_protocol_stream(protocol)) 1194 return SECCLASS_TCP_SOCKET; 1195 else if (extsockclass && protocol == IPPROTO_SCTP) 1196 return SECCLASS_SCTP_SOCKET; 1197 else 1198 return SECCLASS_RAWIP_SOCKET; 1199 case SOCK_DGRAM: 1200 if (default_protocol_dgram(protocol)) 1201 return SECCLASS_UDP_SOCKET; 1202 else if (extsockclass && (protocol == IPPROTO_ICMP || 1203 protocol == IPPROTO_ICMPV6)) 1204 return SECCLASS_ICMP_SOCKET; 1205 else 1206 return SECCLASS_RAWIP_SOCKET; 1207 default: 1208 return SECCLASS_RAWIP_SOCKET; 1209 } 1210 break; 1211 case PF_NETLINK: 1212 switch (protocol) { 1213 case NETLINK_ROUTE: 1214 return SECCLASS_NETLINK_ROUTE_SOCKET; 1215 case NETLINK_SOCK_DIAG: 1216 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1217 case NETLINK_NFLOG: 1218 return SECCLASS_NETLINK_NFLOG_SOCKET; 1219 case NETLINK_XFRM: 1220 return SECCLASS_NETLINK_XFRM_SOCKET; 1221 case NETLINK_SELINUX: 1222 return SECCLASS_NETLINK_SELINUX_SOCKET; 1223 case NETLINK_ISCSI: 1224 return SECCLASS_NETLINK_ISCSI_SOCKET; 1225 case NETLINK_AUDIT: 1226 return SECCLASS_NETLINK_AUDIT_SOCKET; 1227 case NETLINK_FIB_LOOKUP: 1228 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1229 case NETLINK_CONNECTOR: 1230 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1231 case NETLINK_NETFILTER: 1232 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1233 case NETLINK_DNRTMSG: 1234 return SECCLASS_NETLINK_DNRT_SOCKET; 1235 case NETLINK_KOBJECT_UEVENT: 1236 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1237 case NETLINK_GENERIC: 1238 return SECCLASS_NETLINK_GENERIC_SOCKET; 1239 case NETLINK_SCSITRANSPORT: 1240 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1241 case NETLINK_RDMA: 1242 return SECCLASS_NETLINK_RDMA_SOCKET; 1243 case NETLINK_CRYPTO: 1244 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1245 default: 1246 return SECCLASS_NETLINK_SOCKET; 1247 } 1248 case PF_PACKET: 1249 return SECCLASS_PACKET_SOCKET; 1250 case PF_KEY: 1251 return SECCLASS_KEY_SOCKET; 1252 case PF_APPLETALK: 1253 return SECCLASS_APPLETALK_SOCKET; 1254 } 1255 1256 if (extsockclass) { 1257 switch (family) { 1258 case PF_AX25: 1259 return SECCLASS_AX25_SOCKET; 1260 case PF_IPX: 1261 return SECCLASS_IPX_SOCKET; 1262 case PF_NETROM: 1263 return SECCLASS_NETROM_SOCKET; 1264 case PF_ATMPVC: 1265 return SECCLASS_ATMPVC_SOCKET; 1266 case PF_X25: 1267 return SECCLASS_X25_SOCKET; 1268 case PF_ROSE: 1269 return SECCLASS_ROSE_SOCKET; 1270 case PF_DECnet: 1271 return SECCLASS_DECNET_SOCKET; 1272 case PF_ATMSVC: 1273 return SECCLASS_ATMSVC_SOCKET; 1274 case PF_RDS: 1275 return SECCLASS_RDS_SOCKET; 1276 case PF_IRDA: 1277 return SECCLASS_IRDA_SOCKET; 1278 case PF_PPPOX: 1279 return SECCLASS_PPPOX_SOCKET; 1280 case PF_LLC: 1281 return SECCLASS_LLC_SOCKET; 1282 case PF_CAN: 1283 return SECCLASS_CAN_SOCKET; 1284 case PF_TIPC: 1285 return SECCLASS_TIPC_SOCKET; 1286 case PF_BLUETOOTH: 1287 return SECCLASS_BLUETOOTH_SOCKET; 1288 case PF_IUCV: 1289 return SECCLASS_IUCV_SOCKET; 1290 case PF_RXRPC: 1291 return SECCLASS_RXRPC_SOCKET; 1292 case PF_ISDN: 1293 return SECCLASS_ISDN_SOCKET; 1294 case PF_PHONET: 1295 return SECCLASS_PHONET_SOCKET; 1296 case PF_IEEE802154: 1297 return SECCLASS_IEEE802154_SOCKET; 1298 case PF_CAIF: 1299 return SECCLASS_CAIF_SOCKET; 1300 case PF_ALG: 1301 return SECCLASS_ALG_SOCKET; 1302 case PF_NFC: 1303 return SECCLASS_NFC_SOCKET; 1304 case PF_VSOCK: 1305 return SECCLASS_VSOCK_SOCKET; 1306 case PF_KCM: 1307 return SECCLASS_KCM_SOCKET; 1308 case PF_QIPCRTR: 1309 return SECCLASS_QIPCRTR_SOCKET; 1310 case PF_SMC: 1311 return SECCLASS_SMC_SOCKET; 1312 case PF_XDP: 1313 return SECCLASS_XDP_SOCKET; 1314 case PF_MCTP: 1315 return SECCLASS_MCTP_SOCKET; 1316 #if PF_MAX > 46 1317 #error New address family defined, please update this function. 1318 #endif 1319 } 1320 } 1321 1322 return SECCLASS_SOCKET; 1323 } 1324 1325 static int selinux_genfs_get_sid(struct dentry *dentry, 1326 u16 tclass, 1327 u16 flags, 1328 u32 *sid) 1329 { 1330 int rc; 1331 struct super_block *sb = dentry->d_sb; 1332 char *buffer, *path; 1333 1334 buffer = (char *)__get_free_page(GFP_KERNEL); 1335 if (!buffer) 1336 return -ENOMEM; 1337 1338 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1339 if (IS_ERR(path)) 1340 rc = PTR_ERR(path); 1341 else { 1342 if (flags & SE_SBPROC) { 1343 /* each process gets a /proc/PID/ entry. Strip off the 1344 * PID part to get a valid selinux labeling. 1345 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1346 while (path[1] >= '0' && path[1] <= '9') { 1347 path[1] = '/'; 1348 path++; 1349 } 1350 } 1351 rc = security_genfs_sid(sb->s_type->name, 1352 path, tclass, sid); 1353 if (rc == -ENOENT) { 1354 /* No match in policy, mark as unlabeled. */ 1355 *sid = SECINITSID_UNLABELED; 1356 rc = 0; 1357 } 1358 } 1359 free_page((unsigned long)buffer); 1360 return rc; 1361 } 1362 1363 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry, 1364 u32 def_sid, u32 *sid) 1365 { 1366 #define INITCONTEXTLEN 255 1367 char *context; 1368 unsigned int len; 1369 int rc; 1370 1371 len = INITCONTEXTLEN; 1372 context = kmalloc(len + 1, GFP_NOFS); 1373 if (!context) 1374 return -ENOMEM; 1375 1376 context[len] = '\0'; 1377 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1378 if (rc == -ERANGE) { 1379 kfree(context); 1380 1381 /* Need a larger buffer. Query for the right size. */ 1382 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1383 if (rc < 0) 1384 return rc; 1385 1386 len = rc; 1387 context = kmalloc(len + 1, GFP_NOFS); 1388 if (!context) 1389 return -ENOMEM; 1390 1391 context[len] = '\0'; 1392 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, 1393 context, len); 1394 } 1395 if (rc < 0) { 1396 kfree(context); 1397 if (rc != -ENODATA) { 1398 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n", 1399 __func__, -rc, inode->i_sb->s_id, inode->i_ino); 1400 return rc; 1401 } 1402 *sid = def_sid; 1403 return 0; 1404 } 1405 1406 rc = security_context_to_sid_default(context, rc, sid, 1407 def_sid, GFP_NOFS); 1408 if (rc) { 1409 char *dev = inode->i_sb->s_id; 1410 unsigned long ino = inode->i_ino; 1411 1412 if (rc == -EINVAL) { 1413 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n", 1414 ino, dev, context); 1415 } else { 1416 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n", 1417 __func__, context, -rc, dev, ino); 1418 } 1419 } 1420 kfree(context); 1421 return 0; 1422 } 1423 1424 /* The inode's security attributes must be initialized before first use. */ 1425 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1426 { 1427 struct superblock_security_struct *sbsec = NULL; 1428 struct inode_security_struct *isec = selinux_inode(inode); 1429 u32 task_sid, sid = 0; 1430 u16 sclass; 1431 struct dentry *dentry; 1432 int rc = 0; 1433 1434 if (isec->initialized == LABEL_INITIALIZED) 1435 return 0; 1436 1437 spin_lock(&isec->lock); 1438 if (isec->initialized == LABEL_INITIALIZED) 1439 goto out_unlock; 1440 1441 if (isec->sclass == SECCLASS_FILE) 1442 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1443 1444 sbsec = selinux_superblock(inode->i_sb); 1445 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1446 /* Defer initialization until selinux_complete_init, 1447 after the initial policy is loaded and the security 1448 server is ready to handle calls. */ 1449 spin_lock(&sbsec->isec_lock); 1450 if (list_empty(&isec->list)) 1451 list_add(&isec->list, &sbsec->isec_head); 1452 spin_unlock(&sbsec->isec_lock); 1453 goto out_unlock; 1454 } 1455 1456 sclass = isec->sclass; 1457 task_sid = isec->task_sid; 1458 sid = isec->sid; 1459 isec->initialized = LABEL_PENDING; 1460 spin_unlock(&isec->lock); 1461 1462 switch (sbsec->behavior) { 1463 /* 1464 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels 1465 * via xattr when called from delayed_superblock_init(). 1466 */ 1467 case SECURITY_FS_USE_NATIVE: 1468 case SECURITY_FS_USE_XATTR: 1469 if (!(inode->i_opflags & IOP_XATTR)) { 1470 sid = sbsec->def_sid; 1471 break; 1472 } 1473 /* Need a dentry, since the xattr API requires one. 1474 Life would be simpler if we could just pass the inode. */ 1475 if (opt_dentry) { 1476 /* Called from d_instantiate or d_splice_alias. */ 1477 dentry = dget(opt_dentry); 1478 } else { 1479 /* 1480 * Called from selinux_complete_init, try to find a dentry. 1481 * Some filesystems really want a connected one, so try 1482 * that first. We could split SECURITY_FS_USE_XATTR in 1483 * two, depending upon that... 1484 */ 1485 dentry = d_find_alias(inode); 1486 if (!dentry) 1487 dentry = d_find_any_alias(inode); 1488 } 1489 if (!dentry) { 1490 /* 1491 * this is can be hit on boot when a file is accessed 1492 * before the policy is loaded. When we load policy we 1493 * may find inodes that have no dentry on the 1494 * sbsec->isec_head list. No reason to complain as these 1495 * will get fixed up the next time we go through 1496 * inode_doinit with a dentry, before these inodes could 1497 * be used again by userspace. 1498 */ 1499 goto out_invalid; 1500 } 1501 1502 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid, 1503 &sid); 1504 dput(dentry); 1505 if (rc) 1506 goto out; 1507 break; 1508 case SECURITY_FS_USE_TASK: 1509 sid = task_sid; 1510 break; 1511 case SECURITY_FS_USE_TRANS: 1512 /* Default to the fs SID. */ 1513 sid = sbsec->sid; 1514 1515 /* Try to obtain a transition SID. */ 1516 rc = security_transition_sid(task_sid, sid, 1517 sclass, NULL, &sid); 1518 if (rc) 1519 goto out; 1520 break; 1521 case SECURITY_FS_USE_MNTPOINT: 1522 sid = sbsec->mntpoint_sid; 1523 break; 1524 default: 1525 /* Default to the fs superblock SID. */ 1526 sid = sbsec->sid; 1527 1528 if ((sbsec->flags & SE_SBGENFS) && 1529 (!S_ISLNK(inode->i_mode) || 1530 selinux_policycap_genfs_seclabel_symlinks())) { 1531 /* We must have a dentry to determine the label on 1532 * procfs inodes */ 1533 if (opt_dentry) { 1534 /* Called from d_instantiate or 1535 * d_splice_alias. */ 1536 dentry = dget(opt_dentry); 1537 } else { 1538 /* Called from selinux_complete_init, try to 1539 * find a dentry. Some filesystems really want 1540 * a connected one, so try that first. 1541 */ 1542 dentry = d_find_alias(inode); 1543 if (!dentry) 1544 dentry = d_find_any_alias(inode); 1545 } 1546 /* 1547 * This can be hit on boot when a file is accessed 1548 * before the policy is loaded. When we load policy we 1549 * may find inodes that have no dentry on the 1550 * sbsec->isec_head list. No reason to complain as 1551 * these will get fixed up the next time we go through 1552 * inode_doinit() with a dentry, before these inodes 1553 * could be used again by userspace. 1554 */ 1555 if (!dentry) 1556 goto out_invalid; 1557 rc = selinux_genfs_get_sid(dentry, sclass, 1558 sbsec->flags, &sid); 1559 if (rc) { 1560 dput(dentry); 1561 goto out; 1562 } 1563 1564 if ((sbsec->flags & SE_SBGENFS_XATTR) && 1565 (inode->i_opflags & IOP_XATTR)) { 1566 rc = inode_doinit_use_xattr(inode, dentry, 1567 sid, &sid); 1568 if (rc) { 1569 dput(dentry); 1570 goto out; 1571 } 1572 } 1573 dput(dentry); 1574 } 1575 break; 1576 } 1577 1578 out: 1579 spin_lock(&isec->lock); 1580 if (isec->initialized == LABEL_PENDING) { 1581 if (rc) { 1582 isec->initialized = LABEL_INVALID; 1583 goto out_unlock; 1584 } 1585 isec->initialized = LABEL_INITIALIZED; 1586 isec->sid = sid; 1587 } 1588 1589 out_unlock: 1590 spin_unlock(&isec->lock); 1591 return rc; 1592 1593 out_invalid: 1594 spin_lock(&isec->lock); 1595 if (isec->initialized == LABEL_PENDING) { 1596 isec->initialized = LABEL_INVALID; 1597 isec->sid = sid; 1598 } 1599 spin_unlock(&isec->lock); 1600 return 0; 1601 } 1602 1603 /* Convert a Linux signal to an access vector. */ 1604 static inline u32 signal_to_av(int sig) 1605 { 1606 u32 perm = 0; 1607 1608 switch (sig) { 1609 case SIGCHLD: 1610 /* Commonly granted from child to parent. */ 1611 perm = PROCESS__SIGCHLD; 1612 break; 1613 case SIGKILL: 1614 /* Cannot be caught or ignored */ 1615 perm = PROCESS__SIGKILL; 1616 break; 1617 case SIGSTOP: 1618 /* Cannot be caught or ignored */ 1619 perm = PROCESS__SIGSTOP; 1620 break; 1621 default: 1622 /* All other signals. */ 1623 perm = PROCESS__SIGNAL; 1624 break; 1625 } 1626 1627 return perm; 1628 } 1629 1630 #if CAP_LAST_CAP > 63 1631 #error Fix SELinux to handle capabilities > 63. 1632 #endif 1633 1634 /* Check whether a task is allowed to use a capability. */ 1635 static int cred_has_capability(const struct cred *cred, 1636 int cap, unsigned int opts, bool initns) 1637 { 1638 struct common_audit_data ad; 1639 struct av_decision avd; 1640 u16 sclass; 1641 u32 sid = cred_sid(cred); 1642 u32 av = CAP_TO_MASK(cap); 1643 int rc; 1644 1645 ad.type = LSM_AUDIT_DATA_CAP; 1646 ad.u.cap = cap; 1647 1648 switch (CAP_TO_INDEX(cap)) { 1649 case 0: 1650 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1651 break; 1652 case 1: 1653 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1654 break; 1655 default: 1656 pr_err("SELinux: out of range capability %d\n", cap); 1657 BUG(); 1658 return -EINVAL; 1659 } 1660 1661 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1662 if (!(opts & CAP_OPT_NOAUDIT)) { 1663 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); 1664 if (rc2) 1665 return rc2; 1666 } 1667 return rc; 1668 } 1669 1670 /* Check whether a task has a particular permission to an inode. 1671 The 'adp' parameter is optional and allows other audit 1672 data to be passed (e.g. the dentry). */ 1673 static int inode_has_perm(const struct cred *cred, 1674 struct inode *inode, 1675 u32 perms, 1676 struct common_audit_data *adp) 1677 { 1678 struct inode_security_struct *isec; 1679 u32 sid; 1680 1681 if (unlikely(IS_PRIVATE(inode))) 1682 return 0; 1683 1684 sid = cred_sid(cred); 1685 isec = selinux_inode(inode); 1686 1687 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1688 } 1689 1690 /* Same as inode_has_perm, but pass explicit audit data containing 1691 the dentry to help the auditing code to more easily generate the 1692 pathname if needed. */ 1693 static inline int dentry_has_perm(const struct cred *cred, 1694 struct dentry *dentry, 1695 u32 av) 1696 { 1697 struct common_audit_data ad; 1698 struct inode *inode = d_backing_inode(dentry); 1699 struct inode_security_struct *isec = selinux_inode(inode); 1700 1701 ad.type = LSM_AUDIT_DATA_DENTRY; 1702 ad.u.dentry = dentry; 1703 /* check below is racy, but revalidate will recheck with lock held */ 1704 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED))) 1705 __inode_security_revalidate(inode, dentry, true); 1706 return inode_has_perm(cred, inode, av, &ad); 1707 } 1708 1709 /* Same as inode_has_perm, but pass explicit audit data containing 1710 the path to help the auditing code to more easily generate the 1711 pathname if needed. */ 1712 static inline int path_has_perm(const struct cred *cred, 1713 const struct path *path, 1714 u32 av) 1715 { 1716 struct common_audit_data ad; 1717 struct inode *inode = d_backing_inode(path->dentry); 1718 struct inode_security_struct *isec = selinux_inode(inode); 1719 1720 ad.type = LSM_AUDIT_DATA_PATH; 1721 ad.u.path = *path; 1722 /* check below is racy, but revalidate will recheck with lock held */ 1723 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED))) 1724 __inode_security_revalidate(inode, path->dentry, true); 1725 return inode_has_perm(cred, inode, av, &ad); 1726 } 1727 1728 /* Same as path_has_perm, but uses the inode from the file struct. */ 1729 static inline int file_path_has_perm(const struct cred *cred, 1730 struct file *file, 1731 u32 av) 1732 { 1733 struct common_audit_data ad; 1734 1735 ad.type = LSM_AUDIT_DATA_FILE; 1736 ad.u.file = file; 1737 return inode_has_perm(cred, file_inode(file), av, &ad); 1738 } 1739 1740 #ifdef CONFIG_BPF_SYSCALL 1741 static int bpf_fd_pass(const struct file *file, u32 sid); 1742 #endif 1743 1744 /* Check whether a task can use an open file descriptor to 1745 access an inode in a given way. Check access to the 1746 descriptor itself, and then use dentry_has_perm to 1747 check a particular permission to the file. 1748 Access to the descriptor is implicitly granted if it 1749 has the same SID as the process. If av is zero, then 1750 access to the file is not checked, e.g. for cases 1751 where only the descriptor is affected like seek. */ 1752 static int file_has_perm(const struct cred *cred, 1753 struct file *file, 1754 u32 av) 1755 { 1756 struct file_security_struct *fsec = selinux_file(file); 1757 struct inode *inode = file_inode(file); 1758 struct common_audit_data ad; 1759 u32 sid = cred_sid(cred); 1760 int rc; 1761 1762 ad.type = LSM_AUDIT_DATA_FILE; 1763 ad.u.file = file; 1764 1765 if (sid != fsec->sid) { 1766 rc = avc_has_perm(sid, fsec->sid, 1767 SECCLASS_FD, 1768 FD__USE, 1769 &ad); 1770 if (rc) 1771 goto out; 1772 } 1773 1774 #ifdef CONFIG_BPF_SYSCALL 1775 rc = bpf_fd_pass(file, cred_sid(cred)); 1776 if (rc) 1777 return rc; 1778 #endif 1779 1780 /* av is zero if only checking access to the descriptor. */ 1781 rc = 0; 1782 if (av) 1783 rc = inode_has_perm(cred, inode, av, &ad); 1784 1785 out: 1786 return rc; 1787 } 1788 1789 /* 1790 * Determine the label for an inode that might be unioned. 1791 */ 1792 static int 1793 selinux_determine_inode_label(const struct cred_security_struct *crsec, 1794 struct inode *dir, 1795 const struct qstr *name, u16 tclass, 1796 u32 *_new_isid) 1797 { 1798 const struct superblock_security_struct *sbsec = 1799 selinux_superblock(dir->i_sb); 1800 1801 if ((sbsec->flags & SE_SBINITIALIZED) && 1802 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1803 *_new_isid = sbsec->mntpoint_sid; 1804 } else if ((sbsec->flags & SBLABEL_MNT) && 1805 crsec->create_sid) { 1806 *_new_isid = crsec->create_sid; 1807 } else { 1808 const struct inode_security_struct *dsec = inode_security(dir); 1809 return security_transition_sid(crsec->sid, 1810 dsec->sid, tclass, 1811 name, _new_isid); 1812 } 1813 1814 return 0; 1815 } 1816 1817 /* Check whether a task can create a file. */ 1818 static int may_create(struct inode *dir, 1819 struct dentry *dentry, 1820 u16 tclass) 1821 { 1822 const struct cred_security_struct *crsec = selinux_cred(current_cred()); 1823 struct inode_security_struct *dsec; 1824 struct superblock_security_struct *sbsec; 1825 u32 sid, newsid; 1826 struct common_audit_data ad; 1827 int rc; 1828 1829 dsec = inode_security(dir); 1830 sbsec = selinux_superblock(dir->i_sb); 1831 1832 sid = crsec->sid; 1833 1834 ad.type = LSM_AUDIT_DATA_DENTRY; 1835 ad.u.dentry = dentry; 1836 1837 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1838 DIR__ADD_NAME | DIR__SEARCH, 1839 &ad); 1840 if (rc) 1841 return rc; 1842 1843 rc = selinux_determine_inode_label(crsec, dir, &dentry->d_name, tclass, 1844 &newsid); 1845 if (rc) 1846 return rc; 1847 1848 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1849 if (rc) 1850 return rc; 1851 1852 return avc_has_perm(newsid, sbsec->sid, 1853 SECCLASS_FILESYSTEM, 1854 FILESYSTEM__ASSOCIATE, &ad); 1855 } 1856 1857 #define MAY_LINK 0 1858 #define MAY_UNLINK 1 1859 #define MAY_RMDIR 2 1860 1861 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1862 static int may_link(struct inode *dir, 1863 struct dentry *dentry, 1864 int kind) 1865 1866 { 1867 struct inode_security_struct *dsec, *isec; 1868 struct common_audit_data ad; 1869 u32 sid = current_sid(); 1870 u32 av; 1871 int rc; 1872 1873 dsec = inode_security(dir); 1874 isec = backing_inode_security(dentry); 1875 1876 ad.type = LSM_AUDIT_DATA_DENTRY; 1877 ad.u.dentry = dentry; 1878 1879 av = DIR__SEARCH; 1880 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1881 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1882 if (rc) 1883 return rc; 1884 1885 switch (kind) { 1886 case MAY_LINK: 1887 av = FILE__LINK; 1888 break; 1889 case MAY_UNLINK: 1890 av = FILE__UNLINK; 1891 break; 1892 case MAY_RMDIR: 1893 av = DIR__RMDIR; 1894 break; 1895 default: 1896 pr_warn("SELinux: %s: unrecognized kind %d\n", 1897 __func__, kind); 1898 return 0; 1899 } 1900 1901 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1902 return rc; 1903 } 1904 1905 static inline int may_rename(struct inode *old_dir, 1906 struct dentry *old_dentry, 1907 struct inode *new_dir, 1908 struct dentry *new_dentry) 1909 { 1910 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1911 struct common_audit_data ad; 1912 u32 sid = current_sid(); 1913 u32 av; 1914 int old_is_dir, new_is_dir; 1915 int rc; 1916 1917 old_dsec = inode_security(old_dir); 1918 old_isec = backing_inode_security(old_dentry); 1919 old_is_dir = d_is_dir(old_dentry); 1920 new_dsec = inode_security(new_dir); 1921 1922 ad.type = LSM_AUDIT_DATA_DENTRY; 1923 1924 ad.u.dentry = old_dentry; 1925 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1926 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1927 if (rc) 1928 return rc; 1929 rc = avc_has_perm(sid, old_isec->sid, 1930 old_isec->sclass, FILE__RENAME, &ad); 1931 if (rc) 1932 return rc; 1933 if (old_is_dir && new_dir != old_dir) { 1934 rc = avc_has_perm(sid, old_isec->sid, 1935 old_isec->sclass, DIR__REPARENT, &ad); 1936 if (rc) 1937 return rc; 1938 } 1939 1940 ad.u.dentry = new_dentry; 1941 av = DIR__ADD_NAME | DIR__SEARCH; 1942 if (d_is_positive(new_dentry)) 1943 av |= DIR__REMOVE_NAME; 1944 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1945 if (rc) 1946 return rc; 1947 if (d_is_positive(new_dentry)) { 1948 new_isec = backing_inode_security(new_dentry); 1949 new_is_dir = d_is_dir(new_dentry); 1950 rc = avc_has_perm(sid, new_isec->sid, 1951 new_isec->sclass, 1952 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1953 if (rc) 1954 return rc; 1955 } 1956 1957 return 0; 1958 } 1959 1960 /* Check whether a task can perform a filesystem operation. */ 1961 static int superblock_has_perm(const struct cred *cred, 1962 const struct super_block *sb, 1963 u32 perms, 1964 struct common_audit_data *ad) 1965 { 1966 struct superblock_security_struct *sbsec; 1967 u32 sid = cred_sid(cred); 1968 1969 sbsec = selinux_superblock(sb); 1970 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1971 } 1972 1973 /* Convert a Linux mode and permission mask to an access vector. */ 1974 static inline u32 file_mask_to_av(int mode, int mask) 1975 { 1976 u32 av = 0; 1977 1978 if (!S_ISDIR(mode)) { 1979 if (mask & MAY_EXEC) 1980 av |= FILE__EXECUTE; 1981 if (mask & MAY_READ) 1982 av |= FILE__READ; 1983 1984 if (mask & MAY_APPEND) 1985 av |= FILE__APPEND; 1986 else if (mask & MAY_WRITE) 1987 av |= FILE__WRITE; 1988 1989 } else { 1990 if (mask & MAY_EXEC) 1991 av |= DIR__SEARCH; 1992 if (mask & MAY_WRITE) 1993 av |= DIR__WRITE; 1994 if (mask & MAY_READ) 1995 av |= DIR__READ; 1996 } 1997 1998 return av; 1999 } 2000 2001 /* Convert a Linux file to an access vector. */ 2002 static inline u32 file_to_av(const struct file *file) 2003 { 2004 u32 av = 0; 2005 2006 if (file->f_mode & FMODE_READ) 2007 av |= FILE__READ; 2008 if (file->f_mode & FMODE_WRITE) { 2009 if (file->f_flags & O_APPEND) 2010 av |= FILE__APPEND; 2011 else 2012 av |= FILE__WRITE; 2013 } 2014 if (!av) { 2015 /* 2016 * Special file opened with flags 3 for ioctl-only use. 2017 */ 2018 av = FILE__IOCTL; 2019 } 2020 2021 return av; 2022 } 2023 2024 /* 2025 * Convert a file to an access vector and include the correct 2026 * open permission. 2027 */ 2028 static inline u32 open_file_to_av(struct file *file) 2029 { 2030 u32 av = file_to_av(file); 2031 struct inode *inode = file_inode(file); 2032 2033 if (selinux_policycap_openperm() && 2034 inode->i_sb->s_magic != SOCKFS_MAGIC) 2035 av |= FILE__OPEN; 2036 2037 return av; 2038 } 2039 2040 /* Hook functions begin here. */ 2041 2042 static int selinux_binder_set_context_mgr(const struct cred *mgr) 2043 { 2044 return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER, 2045 BINDER__SET_CONTEXT_MGR, NULL); 2046 } 2047 2048 static int selinux_binder_transaction(const struct cred *from, 2049 const struct cred *to) 2050 { 2051 u32 mysid = current_sid(); 2052 u32 fromsid = cred_sid(from); 2053 u32 tosid = cred_sid(to); 2054 int rc; 2055 2056 if (mysid != fromsid) { 2057 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2058 BINDER__IMPERSONATE, NULL); 2059 if (rc) 2060 return rc; 2061 } 2062 2063 return avc_has_perm(fromsid, tosid, 2064 SECCLASS_BINDER, BINDER__CALL, NULL); 2065 } 2066 2067 static int selinux_binder_transfer_binder(const struct cred *from, 2068 const struct cred *to) 2069 { 2070 return avc_has_perm(cred_sid(from), cred_sid(to), 2071 SECCLASS_BINDER, BINDER__TRANSFER, 2072 NULL); 2073 } 2074 2075 static int selinux_binder_transfer_file(const struct cred *from, 2076 const struct cred *to, 2077 const struct file *file) 2078 { 2079 u32 sid = cred_sid(to); 2080 struct file_security_struct *fsec = selinux_file(file); 2081 struct dentry *dentry = file->f_path.dentry; 2082 struct inode_security_struct *isec; 2083 struct common_audit_data ad; 2084 int rc; 2085 2086 ad.type = LSM_AUDIT_DATA_PATH; 2087 ad.u.path = file->f_path; 2088 2089 if (sid != fsec->sid) { 2090 rc = avc_has_perm(sid, fsec->sid, 2091 SECCLASS_FD, 2092 FD__USE, 2093 &ad); 2094 if (rc) 2095 return rc; 2096 } 2097 2098 #ifdef CONFIG_BPF_SYSCALL 2099 rc = bpf_fd_pass(file, sid); 2100 if (rc) 2101 return rc; 2102 #endif 2103 2104 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2105 return 0; 2106 2107 isec = backing_inode_security(dentry); 2108 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2109 &ad); 2110 } 2111 2112 static int selinux_ptrace_access_check(struct task_struct *child, 2113 unsigned int mode) 2114 { 2115 u32 sid = current_sid(); 2116 u32 csid = task_sid_obj(child); 2117 2118 if (mode & PTRACE_MODE_READ) 2119 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, 2120 NULL); 2121 2122 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, 2123 NULL); 2124 } 2125 2126 static int selinux_ptrace_traceme(struct task_struct *parent) 2127 { 2128 return avc_has_perm(task_sid_obj(parent), task_sid_obj(current), 2129 SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2130 } 2131 2132 static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective, 2133 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2134 { 2135 return avc_has_perm(current_sid(), task_sid_obj(target), 2136 SECCLASS_PROCESS, PROCESS__GETCAP, NULL); 2137 } 2138 2139 static int selinux_capset(struct cred *new, const struct cred *old, 2140 const kernel_cap_t *effective, 2141 const kernel_cap_t *inheritable, 2142 const kernel_cap_t *permitted) 2143 { 2144 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2145 PROCESS__SETCAP, NULL); 2146 } 2147 2148 /* 2149 * (This comment used to live with the selinux_task_setuid hook, 2150 * which was removed). 2151 * 2152 * Since setuid only affects the current process, and since the SELinux 2153 * controls are not based on the Linux identity attributes, SELinux does not 2154 * need to control this operation. However, SELinux does control the use of 2155 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2156 */ 2157 2158 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2159 int cap, unsigned int opts) 2160 { 2161 return cred_has_capability(cred, cap, opts, ns == &init_user_ns); 2162 } 2163 2164 static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb) 2165 { 2166 const struct cred *cred = current_cred(); 2167 int rc = 0; 2168 2169 if (!sb) 2170 return 0; 2171 2172 switch (cmds) { 2173 case Q_SYNC: 2174 case Q_QUOTAON: 2175 case Q_QUOTAOFF: 2176 case Q_SETINFO: 2177 case Q_SETQUOTA: 2178 case Q_XQUOTAOFF: 2179 case Q_XQUOTAON: 2180 case Q_XSETQLIM: 2181 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2182 break; 2183 case Q_GETFMT: 2184 case Q_GETINFO: 2185 case Q_GETQUOTA: 2186 case Q_XGETQUOTA: 2187 case Q_XGETQSTAT: 2188 case Q_XGETQSTATV: 2189 case Q_XGETNEXTQUOTA: 2190 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2191 break; 2192 default: 2193 rc = 0; /* let the kernel handle invalid cmds */ 2194 break; 2195 } 2196 return rc; 2197 } 2198 2199 static int selinux_quota_on(struct dentry *dentry) 2200 { 2201 const struct cred *cred = current_cred(); 2202 2203 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2204 } 2205 2206 static int selinux_syslog(int type) 2207 { 2208 switch (type) { 2209 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2210 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2211 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2212 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2213 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2214 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2215 /* Set level of messages printed to console */ 2216 case SYSLOG_ACTION_CONSOLE_LEVEL: 2217 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2218 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2219 NULL); 2220 } 2221 /* All other syslog types */ 2222 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2223 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2224 } 2225 2226 /* 2227 * Check permission for allocating a new virtual mapping. Returns 2228 * 0 if permission is granted, negative error code if not. 2229 * 2230 * Do not audit the selinux permission check, as this is applied to all 2231 * processes that allocate mappings. 2232 */ 2233 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2234 { 2235 return cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2236 CAP_OPT_NOAUDIT, true); 2237 } 2238 2239 /* binprm security operations */ 2240 2241 static u32 ptrace_parent_sid(void) 2242 { 2243 u32 sid = 0; 2244 struct task_struct *tracer; 2245 2246 rcu_read_lock(); 2247 tracer = ptrace_parent(current); 2248 if (tracer) 2249 sid = task_sid_obj(tracer); 2250 rcu_read_unlock(); 2251 2252 return sid; 2253 } 2254 2255 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2256 const struct cred_security_struct *old_crsec, 2257 const struct cred_security_struct *new_crsec) 2258 { 2259 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2260 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2261 int rc; 2262 u32 av; 2263 2264 if (!nnp && !nosuid) 2265 return 0; /* neither NNP nor nosuid */ 2266 2267 if (new_crsec->sid == old_crsec->sid) 2268 return 0; /* No change in credentials */ 2269 2270 /* 2271 * If the policy enables the nnp_nosuid_transition policy capability, 2272 * then we permit transitions under NNP or nosuid if the 2273 * policy allows the corresponding permission between 2274 * the old and new contexts. 2275 */ 2276 if (selinux_policycap_nnp_nosuid_transition()) { 2277 av = 0; 2278 if (nnp) 2279 av |= PROCESS2__NNP_TRANSITION; 2280 if (nosuid) 2281 av |= PROCESS2__NOSUID_TRANSITION; 2282 rc = avc_has_perm(old_crsec->sid, new_crsec->sid, 2283 SECCLASS_PROCESS2, av, NULL); 2284 if (!rc) 2285 return 0; 2286 } 2287 2288 /* 2289 * We also permit NNP or nosuid transitions to bounded SIDs, 2290 * i.e. SIDs that are guaranteed to only be allowed a subset 2291 * of the permissions of the current SID. 2292 */ 2293 rc = security_bounded_transition(old_crsec->sid, 2294 new_crsec->sid); 2295 if (!rc) 2296 return 0; 2297 2298 /* 2299 * On failure, preserve the errno values for NNP vs nosuid. 2300 * NNP: Operation not permitted for caller. 2301 * nosuid: Permission denied to file. 2302 */ 2303 if (nnp) 2304 return -EPERM; 2305 return -EACCES; 2306 } 2307 2308 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) 2309 { 2310 const struct cred_security_struct *old_crsec; 2311 struct cred_security_struct *new_crsec; 2312 struct inode_security_struct *isec; 2313 struct common_audit_data ad; 2314 struct inode *inode = file_inode(bprm->file); 2315 int rc; 2316 2317 /* SELinux context only depends on initial program or script and not 2318 * the script interpreter */ 2319 2320 old_crsec = selinux_cred(current_cred()); 2321 new_crsec = selinux_cred(bprm->cred); 2322 isec = inode_security(inode); 2323 2324 if (WARN_ON(isec->sclass != SECCLASS_FILE && 2325 isec->sclass != SECCLASS_MEMFD_FILE)) 2326 return -EACCES; 2327 2328 /* Default to the current task SID. */ 2329 new_crsec->sid = old_crsec->sid; 2330 new_crsec->osid = old_crsec->sid; 2331 2332 /* Reset fs, key, and sock SIDs on execve. */ 2333 new_crsec->create_sid = 0; 2334 new_crsec->keycreate_sid = 0; 2335 new_crsec->sockcreate_sid = 0; 2336 2337 /* 2338 * Before policy is loaded, label any task outside kernel space 2339 * as SECINITSID_INIT, so that any userspace tasks surviving from 2340 * early boot end up with a label different from SECINITSID_KERNEL 2341 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL). 2342 */ 2343 if (!selinux_initialized()) { 2344 new_crsec->sid = SECINITSID_INIT; 2345 /* also clear the exec_sid just in case */ 2346 new_crsec->exec_sid = 0; 2347 return 0; 2348 } 2349 2350 if (old_crsec->exec_sid) { 2351 new_crsec->sid = old_crsec->exec_sid; 2352 /* Reset exec SID on execve. */ 2353 new_crsec->exec_sid = 0; 2354 2355 /* Fail on NNP or nosuid if not an allowed transition. */ 2356 rc = check_nnp_nosuid(bprm, old_crsec, new_crsec); 2357 if (rc) 2358 return rc; 2359 } else { 2360 /* Check for a default transition on this program. */ 2361 rc = security_transition_sid(old_crsec->sid, 2362 isec->sid, SECCLASS_PROCESS, NULL, 2363 &new_crsec->sid); 2364 if (rc) 2365 return rc; 2366 2367 /* 2368 * Fallback to old SID on NNP or nosuid if not an allowed 2369 * transition. 2370 */ 2371 rc = check_nnp_nosuid(bprm, old_crsec, new_crsec); 2372 if (rc) 2373 new_crsec->sid = old_crsec->sid; 2374 } 2375 2376 ad.type = LSM_AUDIT_DATA_FILE; 2377 ad.u.file = bprm->file; 2378 2379 if (new_crsec->sid == old_crsec->sid) { 2380 rc = avc_has_perm(old_crsec->sid, isec->sid, isec->sclass, 2381 FILE__EXECUTE_NO_TRANS, &ad); 2382 if (rc) 2383 return rc; 2384 } else { 2385 /* Check permissions for the transition. */ 2386 rc = avc_has_perm(old_crsec->sid, new_crsec->sid, 2387 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2388 if (rc) 2389 return rc; 2390 2391 rc = avc_has_perm(new_crsec->sid, isec->sid, isec->sclass, 2392 FILE__ENTRYPOINT, &ad); 2393 if (rc) 2394 return rc; 2395 2396 /* Check for shared state */ 2397 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2398 rc = avc_has_perm(old_crsec->sid, new_crsec->sid, 2399 SECCLASS_PROCESS, PROCESS__SHARE, 2400 NULL); 2401 if (rc) 2402 return -EPERM; 2403 } 2404 2405 /* Make sure that anyone attempting to ptrace over a task that 2406 * changes its SID has the appropriate permit */ 2407 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2408 u32 ptsid = ptrace_parent_sid(); 2409 if (ptsid != 0) { 2410 rc = avc_has_perm(ptsid, new_crsec->sid, 2411 SECCLASS_PROCESS, 2412 PROCESS__PTRACE, NULL); 2413 if (rc) 2414 return -EPERM; 2415 } 2416 } 2417 2418 /* Clear any possibly unsafe personality bits on exec: */ 2419 bprm->per_clear |= PER_CLEAR_ON_SETID; 2420 2421 /* Enable secure mode for SIDs transitions unless 2422 the noatsecure permission is granted between 2423 the two SIDs, i.e. ahp returns 0. */ 2424 rc = avc_has_perm(old_crsec->sid, new_crsec->sid, 2425 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2426 NULL); 2427 bprm->secureexec |= !!rc; 2428 } 2429 2430 return 0; 2431 } 2432 2433 static int match_file(const void *p, struct file *file, unsigned fd) 2434 { 2435 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2436 } 2437 2438 /* Derived from fs/exec.c:flush_old_files. */ 2439 static inline void flush_unauthorized_files(const struct cred *cred, 2440 struct files_struct *files) 2441 { 2442 struct file *file, *devnull = NULL; 2443 struct tty_struct *tty; 2444 int drop_tty = 0; 2445 unsigned n; 2446 2447 tty = get_current_tty(); 2448 if (tty) { 2449 spin_lock(&tty->files_lock); 2450 if (!list_empty(&tty->tty_files)) { 2451 struct tty_file_private *file_priv; 2452 2453 /* Revalidate access to controlling tty. 2454 Use file_path_has_perm on the tty path directly 2455 rather than using file_has_perm, as this particular 2456 open file may belong to another process and we are 2457 only interested in the inode-based check here. */ 2458 file_priv = list_first_entry(&tty->tty_files, 2459 struct tty_file_private, list); 2460 file = file_priv->file; 2461 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2462 drop_tty = 1; 2463 } 2464 spin_unlock(&tty->files_lock); 2465 tty_kref_put(tty); 2466 } 2467 /* Reset controlling tty. */ 2468 if (drop_tty) 2469 no_tty(); 2470 2471 /* Revalidate access to inherited open files. */ 2472 n = iterate_fd(files, 0, match_file, cred); 2473 if (!n) /* none found? */ 2474 return; 2475 2476 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2477 if (IS_ERR(devnull)) 2478 devnull = NULL; 2479 /* replace all the matching ones with this */ 2480 do { 2481 replace_fd(n - 1, devnull, 0); 2482 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2483 if (devnull) 2484 fput(devnull); 2485 } 2486 2487 /* 2488 * Prepare a process for imminent new credential changes due to exec 2489 */ 2490 static void selinux_bprm_committing_creds(const struct linux_binprm *bprm) 2491 { 2492 struct cred_security_struct *new_crsec; 2493 struct rlimit *rlim, *initrlim; 2494 int rc, i; 2495 2496 new_crsec = selinux_cred(bprm->cred); 2497 if (new_crsec->sid == new_crsec->osid) 2498 return; 2499 2500 /* Close files for which the new task SID is not authorized. */ 2501 flush_unauthorized_files(bprm->cred, current->files); 2502 2503 /* Always clear parent death signal on SID transitions. */ 2504 current->pdeath_signal = 0; 2505 2506 /* Check whether the new SID can inherit resource limits from the old 2507 * SID. If not, reset all soft limits to the lower of the current 2508 * task's hard limit and the init task's soft limit. 2509 * 2510 * Note that the setting of hard limits (even to lower them) can be 2511 * controlled by the setrlimit check. The inclusion of the init task's 2512 * soft limit into the computation is to avoid resetting soft limits 2513 * higher than the default soft limit for cases where the default is 2514 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2515 */ 2516 rc = avc_has_perm(new_crsec->osid, new_crsec->sid, SECCLASS_PROCESS, 2517 PROCESS__RLIMITINH, NULL); 2518 if (rc) { 2519 /* protect against do_prlimit() */ 2520 task_lock(current); 2521 for (i = 0; i < RLIM_NLIMITS; i++) { 2522 rlim = current->signal->rlim + i; 2523 initrlim = init_task.signal->rlim + i; 2524 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2525 } 2526 task_unlock(current); 2527 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2528 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2529 } 2530 } 2531 2532 /* 2533 * Clean up the process immediately after the installation of new credentials 2534 * due to exec 2535 */ 2536 static void selinux_bprm_committed_creds(const struct linux_binprm *bprm) 2537 { 2538 const struct cred_security_struct *crsec = selinux_cred(current_cred()); 2539 u32 osid, sid; 2540 int rc; 2541 2542 osid = crsec->osid; 2543 sid = crsec->sid; 2544 2545 if (sid == osid) 2546 return; 2547 2548 /* Check whether the new SID can inherit signal state from the old SID. 2549 * If not, clear itimers to avoid subsequent signal generation and 2550 * flush and unblock signals. 2551 * 2552 * This must occur _after_ the task SID has been updated so that any 2553 * kill done after the flush will be checked against the new SID. 2554 */ 2555 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2556 if (rc) { 2557 clear_itimer(); 2558 2559 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock); 2560 if (!fatal_signal_pending(current)) { 2561 flush_sigqueue(¤t->pending); 2562 flush_sigqueue(¤t->signal->shared_pending); 2563 flush_signal_handlers(current, 1); 2564 sigemptyset(¤t->blocked); 2565 recalc_sigpending(); 2566 } 2567 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock); 2568 } 2569 2570 /* Wake up the parent if it is waiting so that it can recheck 2571 * wait permission to the new task SID. */ 2572 read_lock(&tasklist_lock); 2573 __wake_up_parent(current, unrcu_pointer(current->real_parent)); 2574 read_unlock(&tasklist_lock); 2575 } 2576 2577 /* superblock security operations */ 2578 2579 static int selinux_sb_alloc_security(struct super_block *sb) 2580 { 2581 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2582 2583 mutex_init(&sbsec->lock); 2584 INIT_LIST_HEAD(&sbsec->isec_head); 2585 spin_lock_init(&sbsec->isec_lock); 2586 sbsec->sid = SECINITSID_UNLABELED; 2587 sbsec->def_sid = SECINITSID_FILE; 2588 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 2589 2590 return 0; 2591 } 2592 2593 static inline int opt_len(const char *s) 2594 { 2595 bool open_quote = false; 2596 int len; 2597 char c; 2598 2599 for (len = 0; (c = s[len]) != '\0'; len++) { 2600 if (c == '"') 2601 open_quote = !open_quote; 2602 if (c == ',' && !open_quote) 2603 break; 2604 } 2605 return len; 2606 } 2607 2608 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) 2609 { 2610 char *from = options; 2611 char *to = options; 2612 bool first = true; 2613 int rc; 2614 2615 while (1) { 2616 int len = opt_len(from); 2617 int token; 2618 char *arg = NULL; 2619 2620 token = match_opt_prefix(from, len, &arg); 2621 2622 if (token != Opt_error) { 2623 char *p, *q; 2624 2625 /* strip quotes */ 2626 if (arg) { 2627 for (p = q = arg; p < from + len; p++) { 2628 char c = *p; 2629 if (c != '"') 2630 *q++ = c; 2631 } 2632 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); 2633 if (!arg) { 2634 rc = -ENOMEM; 2635 goto free_opt; 2636 } 2637 } 2638 rc = selinux_add_opt(token, arg, mnt_opts); 2639 kfree(arg); 2640 arg = NULL; 2641 if (unlikely(rc)) { 2642 goto free_opt; 2643 } 2644 } else { 2645 if (!first) { // copy with preceding comma 2646 from--; 2647 len++; 2648 } 2649 if (to != from) 2650 memmove(to, from, len); 2651 to += len; 2652 first = false; 2653 } 2654 if (!from[len]) 2655 break; 2656 from += len + 1; 2657 } 2658 *to = '\0'; 2659 return 0; 2660 2661 free_opt: 2662 if (*mnt_opts) { 2663 selinux_free_mnt_opts(*mnt_opts); 2664 *mnt_opts = NULL; 2665 } 2666 return rc; 2667 } 2668 2669 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts) 2670 { 2671 struct selinux_mnt_opts *opts = mnt_opts; 2672 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2673 2674 /* 2675 * Superblock not initialized (i.e. no options) - reject if any 2676 * options specified, otherwise accept. 2677 */ 2678 if (!(sbsec->flags & SE_SBINITIALIZED)) 2679 return opts ? 1 : 0; 2680 2681 /* 2682 * Superblock initialized and no options specified - reject if 2683 * superblock has any options set, otherwise accept. 2684 */ 2685 if (!opts) 2686 return (sbsec->flags & SE_MNTMASK) ? 1 : 0; 2687 2688 if (opts->fscontext_sid) { 2689 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 2690 opts->fscontext_sid)) 2691 return 1; 2692 } 2693 if (opts->context_sid) { 2694 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 2695 opts->context_sid)) 2696 return 1; 2697 } 2698 if (opts->rootcontext_sid) { 2699 struct inode_security_struct *root_isec; 2700 2701 root_isec = backing_inode_security(sb->s_root); 2702 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 2703 opts->rootcontext_sid)) 2704 return 1; 2705 } 2706 if (opts->defcontext_sid) { 2707 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 2708 opts->defcontext_sid)) 2709 return 1; 2710 } 2711 return 0; 2712 } 2713 2714 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) 2715 { 2716 struct selinux_mnt_opts *opts = mnt_opts; 2717 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2718 2719 if (!(sbsec->flags & SE_SBINITIALIZED)) 2720 return 0; 2721 2722 if (!opts) 2723 return 0; 2724 2725 if (opts->fscontext_sid) { 2726 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 2727 opts->fscontext_sid)) 2728 goto out_bad_option; 2729 } 2730 if (opts->context_sid) { 2731 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 2732 opts->context_sid)) 2733 goto out_bad_option; 2734 } 2735 if (opts->rootcontext_sid) { 2736 struct inode_security_struct *root_isec; 2737 root_isec = backing_inode_security(sb->s_root); 2738 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 2739 opts->rootcontext_sid)) 2740 goto out_bad_option; 2741 } 2742 if (opts->defcontext_sid) { 2743 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 2744 opts->defcontext_sid)) 2745 goto out_bad_option; 2746 } 2747 return 0; 2748 2749 out_bad_option: 2750 pr_warn("SELinux: unable to change security options " 2751 "during remount (dev %s, type=%s)\n", sb->s_id, 2752 sb->s_type->name); 2753 return -EINVAL; 2754 } 2755 2756 static int selinux_sb_kern_mount(const struct super_block *sb) 2757 { 2758 const struct cred *cred = current_cred(); 2759 struct common_audit_data ad; 2760 2761 ad.type = LSM_AUDIT_DATA_DENTRY; 2762 ad.u.dentry = sb->s_root; 2763 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2764 } 2765 2766 static int selinux_sb_statfs(struct dentry *dentry) 2767 { 2768 const struct cred *cred = current_cred(); 2769 struct common_audit_data ad; 2770 2771 ad.type = LSM_AUDIT_DATA_DENTRY; 2772 ad.u.dentry = dentry->d_sb->s_root; 2773 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2774 } 2775 2776 static int selinux_mount(const char *dev_name, 2777 const struct path *path, 2778 const char *type, 2779 unsigned long flags, 2780 void *data) 2781 { 2782 const struct cred *cred = current_cred(); 2783 2784 if (flags & MS_REMOUNT) 2785 return superblock_has_perm(cred, path->dentry->d_sb, 2786 FILESYSTEM__REMOUNT, NULL); 2787 else 2788 return path_has_perm(cred, path, FILE__MOUNTON); 2789 } 2790 2791 static int selinux_move_mount(const struct path *from_path, 2792 const struct path *to_path) 2793 { 2794 const struct cred *cred = current_cred(); 2795 2796 return path_has_perm(cred, to_path, FILE__MOUNTON); 2797 } 2798 2799 static int selinux_umount(struct vfsmount *mnt, int flags) 2800 { 2801 const struct cred *cred = current_cred(); 2802 2803 return superblock_has_perm(cred, mnt->mnt_sb, 2804 FILESYSTEM__UNMOUNT, NULL); 2805 } 2806 2807 static int selinux_fs_context_submount(struct fs_context *fc, 2808 struct super_block *reference) 2809 { 2810 const struct superblock_security_struct *sbsec = selinux_superblock(reference); 2811 struct selinux_mnt_opts *opts; 2812 2813 /* 2814 * Ensure that fc->security remains NULL when no options are set 2815 * as expected by selinux_set_mnt_opts(). 2816 */ 2817 if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT))) 2818 return 0; 2819 2820 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 2821 if (!opts) 2822 return -ENOMEM; 2823 2824 if (sbsec->flags & FSCONTEXT_MNT) 2825 opts->fscontext_sid = sbsec->sid; 2826 if (sbsec->flags & CONTEXT_MNT) 2827 opts->context_sid = sbsec->mntpoint_sid; 2828 if (sbsec->flags & DEFCONTEXT_MNT) 2829 opts->defcontext_sid = sbsec->def_sid; 2830 fc->security = opts; 2831 return 0; 2832 } 2833 2834 static int selinux_fs_context_dup(struct fs_context *fc, 2835 struct fs_context *src_fc) 2836 { 2837 const struct selinux_mnt_opts *src = src_fc->security; 2838 2839 if (!src) 2840 return 0; 2841 2842 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL); 2843 return fc->security ? 0 : -ENOMEM; 2844 } 2845 2846 static const struct fs_parameter_spec selinux_fs_parameters[] = { 2847 fsparam_string(CONTEXT_STR, Opt_context), 2848 fsparam_string(DEFCONTEXT_STR, Opt_defcontext), 2849 fsparam_string(FSCONTEXT_STR, Opt_fscontext), 2850 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext), 2851 fsparam_flag (SECLABEL_STR, Opt_seclabel), 2852 {} 2853 }; 2854 2855 static int selinux_fs_context_parse_param(struct fs_context *fc, 2856 struct fs_parameter *param) 2857 { 2858 struct fs_parse_result result; 2859 int opt; 2860 2861 opt = fs_parse(fc, selinux_fs_parameters, param, &result); 2862 if (opt < 0) 2863 return opt; 2864 2865 return selinux_add_opt(opt, param->string, &fc->security); 2866 } 2867 2868 /* inode security operations */ 2869 2870 static int selinux_inode_alloc_security(struct inode *inode) 2871 { 2872 struct inode_security_struct *isec = selinux_inode(inode); 2873 u32 sid = current_sid(); 2874 2875 spin_lock_init(&isec->lock); 2876 INIT_LIST_HEAD(&isec->list); 2877 isec->inode = inode; 2878 isec->sid = SECINITSID_UNLABELED; 2879 isec->sclass = SECCLASS_FILE; 2880 isec->task_sid = sid; 2881 isec->initialized = LABEL_INVALID; 2882 2883 return 0; 2884 } 2885 2886 static void selinux_inode_free_security(struct inode *inode) 2887 { 2888 inode_free_security(inode); 2889 } 2890 2891 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2892 const struct qstr *name, 2893 const char **xattr_name, 2894 struct lsm_context *cp) 2895 { 2896 u32 newsid; 2897 int rc; 2898 2899 rc = selinux_determine_inode_label(selinux_cred(current_cred()), 2900 d_inode(dentry->d_parent), name, 2901 inode_mode_to_security_class(mode), 2902 &newsid); 2903 if (rc) 2904 return rc; 2905 2906 if (xattr_name) 2907 *xattr_name = XATTR_NAME_SELINUX; 2908 2909 cp->id = LSM_ID_SELINUX; 2910 return security_sid_to_context(newsid, &cp->context, &cp->len); 2911 } 2912 2913 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2914 const struct qstr *name, 2915 const struct cred *old, 2916 struct cred *new) 2917 { 2918 u32 newsid; 2919 int rc; 2920 struct cred_security_struct *crsec; 2921 2922 rc = selinux_determine_inode_label(selinux_cred(old), 2923 d_inode(dentry->d_parent), name, 2924 inode_mode_to_security_class(mode), 2925 &newsid); 2926 if (rc) 2927 return rc; 2928 2929 crsec = selinux_cred(new); 2930 crsec->create_sid = newsid; 2931 return 0; 2932 } 2933 2934 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2935 const struct qstr *qstr, 2936 struct xattr *xattrs, int *xattr_count) 2937 { 2938 const struct cred_security_struct *crsec = selinux_cred(current_cred()); 2939 struct superblock_security_struct *sbsec; 2940 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); 2941 u32 newsid, clen; 2942 u16 newsclass; 2943 int rc; 2944 char *context; 2945 2946 sbsec = selinux_superblock(dir->i_sb); 2947 2948 newsid = crsec->create_sid; 2949 newsclass = inode_mode_to_security_class(inode->i_mode); 2950 rc = selinux_determine_inode_label(crsec, dir, qstr, newsclass, &newsid); 2951 if (rc) 2952 return rc; 2953 2954 /* Possibly defer initialization to selinux_complete_init. */ 2955 if (sbsec->flags & SE_SBINITIALIZED) { 2956 struct inode_security_struct *isec = selinux_inode(inode); 2957 isec->sclass = newsclass; 2958 isec->sid = newsid; 2959 isec->initialized = LABEL_INITIALIZED; 2960 } 2961 2962 if (!selinux_initialized() || 2963 !(sbsec->flags & SBLABEL_MNT)) 2964 return -EOPNOTSUPP; 2965 2966 if (xattr) { 2967 rc = security_sid_to_context_force(newsid, 2968 &context, &clen); 2969 if (rc) 2970 return rc; 2971 xattr->value = context; 2972 xattr->value_len = clen; 2973 xattr->name = XATTR_SELINUX_SUFFIX; 2974 } 2975 2976 return 0; 2977 } 2978 2979 static int selinux_inode_init_security_anon(struct inode *inode, 2980 const struct qstr *name, 2981 const struct inode *context_inode) 2982 { 2983 u32 sid = current_sid(); 2984 struct common_audit_data ad; 2985 struct inode_security_struct *isec; 2986 int rc; 2987 bool is_memfd = false; 2988 2989 if (unlikely(!selinux_initialized())) 2990 return 0; 2991 2992 if (name != NULL && name->name != NULL && 2993 !strcmp(name->name, MEMFD_ANON_NAME)) { 2994 if (!selinux_policycap_memfd_class()) 2995 return 0; 2996 is_memfd = true; 2997 } 2998 2999 isec = selinux_inode(inode); 3000 3001 /* 3002 * We only get here once per ephemeral inode. The inode has 3003 * been initialized via inode_alloc_security but is otherwise 3004 * untouched. 3005 */ 3006 3007 if (context_inode) { 3008 struct inode_security_struct *context_isec = 3009 selinux_inode(context_inode); 3010 if (context_isec->initialized != LABEL_INITIALIZED) { 3011 pr_err("SELinux: context_inode is not initialized\n"); 3012 return -EACCES; 3013 } 3014 3015 isec->sclass = context_isec->sclass; 3016 isec->sid = context_isec->sid; 3017 } else { 3018 if (is_memfd) 3019 isec->sclass = SECCLASS_MEMFD_FILE; 3020 else 3021 isec->sclass = SECCLASS_ANON_INODE; 3022 rc = security_transition_sid( 3023 sid, sid, 3024 isec->sclass, name, &isec->sid); 3025 if (rc) 3026 return rc; 3027 } 3028 3029 isec->initialized = LABEL_INITIALIZED; 3030 /* 3031 * Now that we've initialized security, check whether we're 3032 * allowed to actually create this type of anonymous inode. 3033 */ 3034 3035 ad.type = LSM_AUDIT_DATA_ANONINODE; 3036 ad.u.anonclass = name ? (const char *)name->name : "?"; 3037 3038 return avc_has_perm(sid, 3039 isec->sid, 3040 isec->sclass, 3041 FILE__CREATE, 3042 &ad); 3043 } 3044 3045 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 3046 { 3047 return may_create(dir, dentry, SECCLASS_FILE); 3048 } 3049 3050 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 3051 { 3052 return may_link(dir, old_dentry, MAY_LINK); 3053 } 3054 3055 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 3056 { 3057 return may_link(dir, dentry, MAY_UNLINK); 3058 } 3059 3060 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 3061 { 3062 return may_create(dir, dentry, SECCLASS_LNK_FILE); 3063 } 3064 3065 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 3066 { 3067 return may_create(dir, dentry, SECCLASS_DIR); 3068 } 3069 3070 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 3071 { 3072 return may_link(dir, dentry, MAY_RMDIR); 3073 } 3074 3075 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 3076 { 3077 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 3078 } 3079 3080 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3081 struct inode *new_inode, struct dentry *new_dentry) 3082 { 3083 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3084 } 3085 3086 static int selinux_inode_readlink(struct dentry *dentry) 3087 { 3088 const struct cred *cred = current_cred(); 3089 3090 return dentry_has_perm(cred, dentry, FILE__READ); 3091 } 3092 3093 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3094 bool rcu) 3095 { 3096 struct common_audit_data ad; 3097 struct inode_security_struct *isec; 3098 u32 sid = current_sid(); 3099 3100 ad.type = LSM_AUDIT_DATA_DENTRY; 3101 ad.u.dentry = dentry; 3102 isec = inode_security_rcu(inode, rcu); 3103 if (IS_ERR(isec)) 3104 return PTR_ERR(isec); 3105 3106 return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad); 3107 } 3108 3109 static noinline int audit_inode_permission(struct inode *inode, 3110 u32 perms, u32 audited, u32 denied, 3111 int result) 3112 { 3113 struct common_audit_data ad; 3114 struct inode_security_struct *isec = selinux_inode(inode); 3115 3116 ad.type = LSM_AUDIT_DATA_INODE; 3117 ad.u.inode = inode; 3118 3119 return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3120 audited, denied, result, &ad); 3121 } 3122 3123 /** 3124 * task_avdcache_reset - Reset the task's AVD cache 3125 * @tsec: the task's security state 3126 * 3127 * Clear the task's AVD cache in @tsec and reset it to the current policy's 3128 * and task's info. 3129 */ 3130 static inline void task_avdcache_reset(struct task_security_struct *tsec) 3131 { 3132 memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir)); 3133 tsec->avdcache.sid = current_sid(); 3134 tsec->avdcache.seqno = avc_policy_seqno(); 3135 tsec->avdcache.dir_spot = TSEC_AVDC_DIR_SIZE - 1; 3136 } 3137 3138 /** 3139 * task_avdcache_search - Search the task's AVD cache 3140 * @tsec: the task's security state 3141 * @isec: the inode to search for in the cache 3142 * @avdc: matching avd cache entry returned to the caller 3143 * 3144 * Search @tsec for a AVD cache entry that matches @isec and return it to the 3145 * caller via @avdc. Returns 0 if a match is found, negative values otherwise. 3146 */ 3147 static inline int task_avdcache_search(struct task_security_struct *tsec, 3148 struct inode_security_struct *isec, 3149 struct avdc_entry **avdc) 3150 { 3151 int orig, iter; 3152 3153 /* focused on path walk optimization, only cache directories */ 3154 if (isec->sclass != SECCLASS_DIR) 3155 return -ENOENT; 3156 3157 if (unlikely(current_sid() != tsec->avdcache.sid || 3158 tsec->avdcache.seqno != avc_policy_seqno())) { 3159 task_avdcache_reset(tsec); 3160 return -ENOENT; 3161 } 3162 3163 orig = iter = tsec->avdcache.dir_spot; 3164 do { 3165 if (tsec->avdcache.dir[iter].isid == isec->sid) { 3166 /* cache hit */ 3167 tsec->avdcache.dir_spot = iter; 3168 *avdc = &tsec->avdcache.dir[iter]; 3169 return 0; 3170 } 3171 iter = (iter - 1) & (TSEC_AVDC_DIR_SIZE - 1); 3172 } while (iter != orig); 3173 3174 return -ENOENT; 3175 } 3176 3177 /** 3178 * task_avdcache_update - Update the task's AVD cache 3179 * @tsec: the task's security state 3180 * @isec: the inode associated with the cache entry 3181 * @avd: the AVD to cache 3182 * @audited: the permission audit bitmask to cache 3183 * 3184 * Update the AVD cache in @tsec with the @avdc and @audited info associated 3185 * with @isec. 3186 */ 3187 static inline void task_avdcache_update(struct task_security_struct *tsec, 3188 struct inode_security_struct *isec, 3189 struct av_decision *avd, 3190 u32 audited) 3191 { 3192 int spot; 3193 3194 /* focused on path walk optimization, only cache directories */ 3195 if (isec->sclass != SECCLASS_DIR) 3196 return; 3197 3198 /* update cache */ 3199 spot = (tsec->avdcache.dir_spot + 1) & (TSEC_AVDC_DIR_SIZE - 1); 3200 tsec->avdcache.dir_spot = spot; 3201 tsec->avdcache.dir[spot].isid = isec->sid; 3202 tsec->avdcache.dir[spot].audited = audited; 3203 tsec->avdcache.dir[spot].allowed = avd->allowed; 3204 tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE; 3205 tsec->avdcache.permissive_neveraudit = 3206 (avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT)); 3207 } 3208 3209 /** 3210 * selinux_inode_permission - Check if the current task can access an inode 3211 * @inode: the inode that is being accessed 3212 * @requested: the accesses being requested 3213 * 3214 * Check if the current task is allowed to access @inode according to 3215 * @requested. Returns 0 if allowed, negative values otherwise. 3216 */ 3217 static int selinux_inode_permission(struct inode *inode, int requested) 3218 { 3219 int mask; 3220 u32 perms; 3221 u32 sid = current_sid(); 3222 struct task_security_struct *tsec; 3223 struct inode_security_struct *isec; 3224 struct avdc_entry *avdc; 3225 int rc, rc2; 3226 u32 audited, denied; 3227 3228 mask = requested & (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3229 3230 /* No permission to check. Existence test. */ 3231 if (!mask) 3232 return 0; 3233 3234 tsec = selinux_task(current); 3235 if (task_avdcache_permnoaudit(tsec, sid)) 3236 return 0; 3237 3238 isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK); 3239 if (IS_ERR(isec)) 3240 return PTR_ERR(isec); 3241 perms = file_mask_to_av(inode->i_mode, mask); 3242 3243 rc = task_avdcache_search(tsec, isec, &avdc); 3244 if (likely(!rc)) { 3245 /* Cache hit. */ 3246 audited = perms & avdc->audited; 3247 denied = perms & ~avdc->allowed; 3248 if (unlikely(denied && enforcing_enabled() && 3249 !avdc->permissive)) 3250 rc = -EACCES; 3251 } else { 3252 struct av_decision avd; 3253 3254 /* Cache miss. */ 3255 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, 3256 perms, 0, &avd); 3257 audited = avc_audit_required(perms, &avd, rc, 3258 (requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0, 3259 &denied); 3260 task_avdcache_update(tsec, isec, &avd, audited); 3261 } 3262 3263 if (likely(!audited)) 3264 return rc; 3265 3266 rc2 = audit_inode_permission(inode, perms, audited, denied, rc); 3267 if (rc2) 3268 return rc2; 3269 3270 return rc; 3271 } 3272 3273 static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, 3274 struct iattr *iattr) 3275 { 3276 const struct cred *cred = current_cred(); 3277 struct inode *inode = d_backing_inode(dentry); 3278 unsigned int ia_valid = iattr->ia_valid; 3279 u32 av = FILE__WRITE; 3280 3281 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3282 if (ia_valid & ATTR_FORCE) { 3283 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3284 ATTR_FORCE); 3285 if (!ia_valid) 3286 return 0; 3287 } 3288 3289 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3290 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3291 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3292 3293 if (selinux_policycap_openperm() && 3294 inode->i_sb->s_magic != SOCKFS_MAGIC && 3295 (ia_valid & ATTR_SIZE) && 3296 !(ia_valid & ATTR_FILE)) 3297 av |= FILE__OPEN; 3298 3299 return dentry_has_perm(cred, dentry, av); 3300 } 3301 3302 static int selinux_inode_getattr(const struct path *path) 3303 { 3304 struct task_security_struct *tsec; 3305 3306 tsec = selinux_task(current); 3307 3308 if (task_avdcache_permnoaudit(tsec, current_sid())) 3309 return 0; 3310 3311 return path_has_perm(current_cred(), path, FILE__GETATTR); 3312 } 3313 3314 static bool has_cap_mac_admin(bool audit) 3315 { 3316 const struct cred *cred = current_cred(); 3317 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT; 3318 3319 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts)) 3320 return false; 3321 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true)) 3322 return false; 3323 return true; 3324 } 3325 3326 /** 3327 * selinux_inode_xattr_skipcap - Skip the xattr capability checks? 3328 * @name: name of the xattr 3329 * 3330 * Returns 1 to indicate that SELinux "owns" the access control rights to xattrs 3331 * named @name; the LSM layer should avoid enforcing any traditional 3332 * capability based access controls on this xattr. Returns 0 to indicate that 3333 * SELinux does not "own" the access control rights to xattrs named @name and is 3334 * deferring to the LSM layer for further access controls, including capability 3335 * based controls. 3336 */ 3337 static int selinux_inode_xattr_skipcap(const char *name) 3338 { 3339 /* require capability check if not a selinux xattr */ 3340 return !strcmp(name, XATTR_NAME_SELINUX); 3341 } 3342 3343 static int selinux_inode_setxattr(struct mnt_idmap *idmap, 3344 struct dentry *dentry, const char *name, 3345 const void *value, size_t size, int flags) 3346 { 3347 struct inode *inode = d_backing_inode(dentry); 3348 struct inode_security_struct *isec; 3349 struct superblock_security_struct *sbsec; 3350 struct common_audit_data ad; 3351 u32 newsid, sid = current_sid(); 3352 int rc = 0; 3353 3354 /* if not a selinux xattr, only check the ordinary setattr perm */ 3355 if (strcmp(name, XATTR_NAME_SELINUX)) 3356 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3357 3358 if (!selinux_initialized()) 3359 return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM); 3360 3361 sbsec = selinux_superblock(inode->i_sb); 3362 if (!(sbsec->flags & SBLABEL_MNT)) 3363 return -EOPNOTSUPP; 3364 3365 if (!inode_owner_or_capable(idmap, inode)) 3366 return -EPERM; 3367 3368 ad.type = LSM_AUDIT_DATA_DENTRY; 3369 ad.u.dentry = dentry; 3370 3371 isec = backing_inode_security(dentry); 3372 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3373 FILE__RELABELFROM, &ad); 3374 if (rc) 3375 return rc; 3376 3377 rc = security_context_to_sid(value, size, &newsid, 3378 GFP_KERNEL); 3379 if (rc == -EINVAL) { 3380 if (!has_cap_mac_admin(true)) { 3381 struct audit_buffer *ab; 3382 size_t audit_size; 3383 3384 /* We strip a nul only if it is at the end, otherwise the 3385 * context contains a nul and we should audit that */ 3386 if (value) { 3387 const char *str = value; 3388 3389 if (str[size - 1] == '\0') 3390 audit_size = size - 1; 3391 else 3392 audit_size = size; 3393 } else { 3394 audit_size = 0; 3395 } 3396 ab = audit_log_start(audit_context(), 3397 GFP_ATOMIC, AUDIT_SELINUX_ERR); 3398 if (!ab) 3399 return rc; 3400 audit_log_format(ab, "op=setxattr invalid_context="); 3401 audit_log_n_untrustedstring(ab, value, audit_size); 3402 audit_log_end(ab); 3403 3404 return rc; 3405 } 3406 rc = security_context_to_sid_force(value, 3407 size, &newsid); 3408 } 3409 if (rc) 3410 return rc; 3411 3412 rc = avc_has_perm(sid, newsid, isec->sclass, 3413 FILE__RELABELTO, &ad); 3414 if (rc) 3415 return rc; 3416 3417 rc = security_validate_transition(isec->sid, newsid, 3418 sid, isec->sclass); 3419 if (rc) 3420 return rc; 3421 3422 return avc_has_perm(newsid, 3423 sbsec->sid, 3424 SECCLASS_FILESYSTEM, 3425 FILESYSTEM__ASSOCIATE, 3426 &ad); 3427 } 3428 3429 static int selinux_inode_set_acl(struct mnt_idmap *idmap, 3430 struct dentry *dentry, const char *acl_name, 3431 struct posix_acl *kacl) 3432 { 3433 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3434 } 3435 3436 static int selinux_inode_get_acl(struct mnt_idmap *idmap, 3437 struct dentry *dentry, const char *acl_name) 3438 { 3439 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR); 3440 } 3441 3442 static int selinux_inode_remove_acl(struct mnt_idmap *idmap, 3443 struct dentry *dentry, const char *acl_name) 3444 { 3445 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3446 } 3447 3448 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3449 const void *value, size_t size, 3450 int flags) 3451 { 3452 struct inode *inode = d_backing_inode(dentry); 3453 struct inode_security_struct *isec; 3454 u32 newsid; 3455 int rc; 3456 3457 if (strcmp(name, XATTR_NAME_SELINUX)) { 3458 /* Not an attribute we recognize, so nothing to do. */ 3459 return; 3460 } 3461 3462 if (!selinux_initialized()) { 3463 /* If we haven't even been initialized, then we can't validate 3464 * against a policy, so leave the label as invalid. It may 3465 * resolve to a valid label on the next revalidation try if 3466 * we've since initialized. 3467 */ 3468 return; 3469 } 3470 3471 rc = security_context_to_sid_force(value, size, 3472 &newsid); 3473 if (rc) { 3474 pr_err("SELinux: unable to map context to SID" 3475 "for (%s, %lu), rc=%d\n", 3476 inode->i_sb->s_id, inode->i_ino, -rc); 3477 return; 3478 } 3479 3480 isec = backing_inode_security(dentry); 3481 spin_lock(&isec->lock); 3482 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3483 isec->sid = newsid; 3484 isec->initialized = LABEL_INITIALIZED; 3485 spin_unlock(&isec->lock); 3486 } 3487 3488 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3489 { 3490 const struct cred *cred = current_cred(); 3491 3492 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3493 } 3494 3495 static int selinux_inode_listxattr(struct dentry *dentry) 3496 { 3497 const struct cred *cred = current_cred(); 3498 3499 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3500 } 3501 3502 static int selinux_inode_removexattr(struct mnt_idmap *idmap, 3503 struct dentry *dentry, const char *name) 3504 { 3505 /* if not a selinux xattr, only check the ordinary setattr perm */ 3506 if (strcmp(name, XATTR_NAME_SELINUX)) 3507 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3508 3509 if (!selinux_initialized()) 3510 return 0; 3511 3512 /* No one is allowed to remove a SELinux security label. 3513 You can change the label, but all data must be labeled. */ 3514 return -EACCES; 3515 } 3516 3517 static int selinux_inode_file_setattr(struct dentry *dentry, 3518 struct file_kattr *fa) 3519 { 3520 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3521 } 3522 3523 static int selinux_inode_file_getattr(struct dentry *dentry, 3524 struct file_kattr *fa) 3525 { 3526 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR); 3527 } 3528 3529 static int selinux_path_notify(const struct path *path, u64 mask, 3530 unsigned int obj_type) 3531 { 3532 int ret; 3533 u32 perm; 3534 3535 struct common_audit_data ad; 3536 3537 ad.type = LSM_AUDIT_DATA_PATH; 3538 ad.u.path = *path; 3539 3540 /* 3541 * Set permission needed based on the type of mark being set. 3542 * Performs an additional check for sb watches. 3543 */ 3544 switch (obj_type) { 3545 case FSNOTIFY_OBJ_TYPE_VFSMOUNT: 3546 perm = FILE__WATCH_MOUNT; 3547 break; 3548 case FSNOTIFY_OBJ_TYPE_SB: 3549 perm = FILE__WATCH_SB; 3550 ret = superblock_has_perm(current_cred(), path->dentry->d_sb, 3551 FILESYSTEM__WATCH, &ad); 3552 if (ret) 3553 return ret; 3554 break; 3555 case FSNOTIFY_OBJ_TYPE_INODE: 3556 perm = FILE__WATCH; 3557 break; 3558 case FSNOTIFY_OBJ_TYPE_MNTNS: 3559 perm = FILE__WATCH_MOUNTNS; 3560 break; 3561 default: 3562 return -EINVAL; 3563 } 3564 3565 /* blocking watches require the file:watch_with_perm permission */ 3566 if (mask & (ALL_FSNOTIFY_PERM_EVENTS)) 3567 perm |= FILE__WATCH_WITH_PERM; 3568 3569 /* watches on read-like events need the file:watch_reads permission */ 3570 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_PRE_ACCESS | 3571 FS_CLOSE_NOWRITE)) 3572 perm |= FILE__WATCH_READS; 3573 3574 return path_has_perm(current_cred(), path, perm); 3575 } 3576 3577 /* 3578 * Copy the inode security context value to the user. 3579 * 3580 * Permission check is handled by selinux_inode_getxattr hook. 3581 */ 3582 static int selinux_inode_getsecurity(struct mnt_idmap *idmap, 3583 struct inode *inode, const char *name, 3584 void **buffer, bool alloc) 3585 { 3586 u32 size; 3587 int error; 3588 char *context = NULL; 3589 struct inode_security_struct *isec; 3590 3591 /* 3592 * If we're not initialized yet, then we can't validate contexts, so 3593 * just let vfs_getxattr fall back to using the on-disk xattr. 3594 */ 3595 if (!selinux_initialized() || 3596 strcmp(name, XATTR_SELINUX_SUFFIX)) 3597 return -EOPNOTSUPP; 3598 3599 /* 3600 * If the caller has CAP_MAC_ADMIN, then get the raw context 3601 * value even if it is not defined by current policy; otherwise, 3602 * use the in-core value under current policy. 3603 * Use the non-auditing forms of the permission checks since 3604 * getxattr may be called by unprivileged processes commonly 3605 * and lack of permission just means that we fall back to the 3606 * in-core context value, not a denial. 3607 */ 3608 isec = inode_security(inode); 3609 if (has_cap_mac_admin(false)) 3610 error = security_sid_to_context_force(isec->sid, &context, 3611 &size); 3612 else 3613 error = security_sid_to_context(isec->sid, 3614 &context, &size); 3615 if (error) 3616 return error; 3617 error = size; 3618 if (alloc) { 3619 *buffer = context; 3620 goto out_nofree; 3621 } 3622 kfree(context); 3623 out_nofree: 3624 return error; 3625 } 3626 3627 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3628 const void *value, size_t size, int flags) 3629 { 3630 struct inode_security_struct *isec = inode_security_novalidate(inode); 3631 struct superblock_security_struct *sbsec; 3632 u32 newsid; 3633 int rc; 3634 3635 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3636 return -EOPNOTSUPP; 3637 3638 sbsec = selinux_superblock(inode->i_sb); 3639 if (!(sbsec->flags & SBLABEL_MNT)) 3640 return -EOPNOTSUPP; 3641 3642 if (!value || !size) 3643 return -EACCES; 3644 3645 rc = security_context_to_sid(value, size, &newsid, 3646 GFP_KERNEL); 3647 if (rc) 3648 return rc; 3649 3650 spin_lock(&isec->lock); 3651 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3652 isec->sid = newsid; 3653 isec->initialized = LABEL_INITIALIZED; 3654 spin_unlock(&isec->lock); 3655 return 0; 3656 } 3657 3658 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3659 { 3660 const int len = sizeof(XATTR_NAME_SELINUX); 3661 3662 if (!selinux_initialized()) 3663 return 0; 3664 3665 if (buffer && len <= buffer_size) 3666 memcpy(buffer, XATTR_NAME_SELINUX, len); 3667 return len; 3668 } 3669 3670 static void selinux_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop) 3671 { 3672 struct inode_security_struct *isec = inode_security_novalidate(inode); 3673 3674 prop->selinux.secid = isec->sid; 3675 } 3676 3677 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3678 { 3679 struct lsm_prop prop; 3680 struct cred_security_struct *crsec; 3681 struct cred *new_creds = *new; 3682 3683 if (new_creds == NULL) { 3684 new_creds = prepare_creds(); 3685 if (!new_creds) 3686 return -ENOMEM; 3687 } 3688 3689 crsec = selinux_cred(new_creds); 3690 /* Get label from overlay inode and set it in create_sid */ 3691 selinux_inode_getlsmprop(d_inode(src), &prop); 3692 crsec->create_sid = prop.selinux.secid; 3693 *new = new_creds; 3694 return 0; 3695 } 3696 3697 static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name) 3698 { 3699 /* The copy_up hook above sets the initial context on an inode, but we 3700 * don't then want to overwrite it by blindly copying all the lower 3701 * xattrs up. Instead, filter out SELinux-related xattrs following 3702 * policy load. 3703 */ 3704 if (selinux_initialized() && !strcmp(name, XATTR_NAME_SELINUX)) 3705 return -ECANCELED; /* Discard */ 3706 /* 3707 * Any other attribute apart from SELINUX is not claimed, supported 3708 * by selinux. 3709 */ 3710 return -EOPNOTSUPP; 3711 } 3712 3713 /* kernfs node operations */ 3714 3715 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, 3716 struct kernfs_node *kn) 3717 { 3718 const struct cred_security_struct *crsec = selinux_cred(current_cred()); 3719 u32 parent_sid, newsid, clen; 3720 int rc; 3721 char *context; 3722 3723 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0); 3724 if (rc == -ENODATA) 3725 return 0; 3726 else if (rc < 0) 3727 return rc; 3728 3729 clen = (u32)rc; 3730 context = kmalloc(clen, GFP_KERNEL); 3731 if (!context) 3732 return -ENOMEM; 3733 3734 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen); 3735 if (rc < 0) { 3736 kfree(context); 3737 return rc; 3738 } 3739 3740 rc = security_context_to_sid(context, clen, &parent_sid, 3741 GFP_KERNEL); 3742 kfree(context); 3743 if (rc) 3744 return rc; 3745 3746 if (crsec->create_sid) { 3747 newsid = crsec->create_sid; 3748 } else { 3749 u16 secclass = inode_mode_to_security_class(kn->mode); 3750 const char *kn_name; 3751 struct qstr q; 3752 3753 /* kn is fresh, can't be renamed, name goes not away */ 3754 kn_name = rcu_dereference_check(kn->name, true); 3755 q.name = kn_name; 3756 q.hash_len = hashlen_string(kn_dir, kn_name); 3757 3758 rc = security_transition_sid(crsec->sid, 3759 parent_sid, secclass, &q, 3760 &newsid); 3761 if (rc) 3762 return rc; 3763 } 3764 3765 rc = security_sid_to_context_force(newsid, 3766 &context, &clen); 3767 if (rc) 3768 return rc; 3769 3770 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen, 3771 XATTR_CREATE); 3772 kfree(context); 3773 return rc; 3774 } 3775 3776 3777 /* file security operations */ 3778 3779 static int selinux_revalidate_file_permission(struct file *file, int mask) 3780 { 3781 const struct cred *cred = current_cred(); 3782 struct inode *inode = file_inode(file); 3783 3784 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3785 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3786 mask |= MAY_APPEND; 3787 3788 return file_has_perm(cred, file, 3789 file_mask_to_av(inode->i_mode, mask)); 3790 } 3791 3792 static int selinux_file_permission(struct file *file, int mask) 3793 { 3794 struct inode *inode = file_inode(file); 3795 struct file_security_struct *fsec = selinux_file(file); 3796 struct inode_security_struct *isec; 3797 u32 sid = current_sid(); 3798 3799 if (!mask) 3800 /* No permission to check. Existence test. */ 3801 return 0; 3802 3803 isec = inode_security(inode); 3804 if (sid == fsec->sid && fsec->isid == isec->sid && 3805 fsec->pseqno == avc_policy_seqno()) 3806 /* No change since file_open check. */ 3807 return 0; 3808 3809 return selinux_revalidate_file_permission(file, mask); 3810 } 3811 3812 static int selinux_file_alloc_security(struct file *file) 3813 { 3814 struct file_security_struct *fsec = selinux_file(file); 3815 u32 sid = current_sid(); 3816 3817 fsec->sid = sid; 3818 fsec->fown_sid = sid; 3819 3820 return 0; 3821 } 3822 3823 /* 3824 * Check whether a task has the ioctl permission and cmd 3825 * operation to an inode. 3826 */ 3827 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3828 u32 requested, u16 cmd) 3829 { 3830 struct common_audit_data ad; 3831 struct file_security_struct *fsec = selinux_file(file); 3832 struct inode *inode = file_inode(file); 3833 struct inode_security_struct *isec; 3834 struct lsm_ioctlop_audit ioctl; 3835 u32 ssid = cred_sid(cred); 3836 int rc; 3837 u8 driver = cmd >> 8; 3838 u8 xperm = cmd & 0xff; 3839 3840 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3841 ad.u.op = &ioctl; 3842 ad.u.op->cmd = cmd; 3843 ad.u.op->path = file->f_path; 3844 3845 if (ssid != fsec->sid) { 3846 rc = avc_has_perm(ssid, fsec->sid, 3847 SECCLASS_FD, 3848 FD__USE, 3849 &ad); 3850 if (rc) 3851 goto out; 3852 } 3853 3854 if (unlikely(IS_PRIVATE(inode))) 3855 return 0; 3856 3857 isec = inode_security(inode); 3858 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, requested, 3859 driver, AVC_EXT_IOCTL, xperm, &ad); 3860 out: 3861 return rc; 3862 } 3863 3864 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3865 unsigned long arg) 3866 { 3867 const struct cred *cred = current_cred(); 3868 int error = 0; 3869 3870 switch (cmd) { 3871 case FIONREAD: 3872 case FIBMAP: 3873 case FIGETBSZ: 3874 case FS_IOC_GETFLAGS: 3875 case FS_IOC_GETVERSION: 3876 error = file_has_perm(cred, file, FILE__GETATTR); 3877 break; 3878 3879 case FS_IOC_SETFLAGS: 3880 case FS_IOC_SETVERSION: 3881 error = file_has_perm(cred, file, FILE__SETATTR); 3882 break; 3883 3884 /* sys_ioctl() checks */ 3885 case FIONBIO: 3886 case FIOASYNC: 3887 error = file_has_perm(cred, file, 0); 3888 break; 3889 3890 case KDSKBENT: 3891 case KDSKBSENT: 3892 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3893 CAP_OPT_NONE, true); 3894 break; 3895 3896 case FIOCLEX: 3897 case FIONCLEX: 3898 if (!selinux_policycap_ioctl_skip_cloexec()) 3899 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3900 break; 3901 3902 /* default case assumes that the command will go 3903 * to the file's ioctl() function. 3904 */ 3905 default: 3906 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3907 } 3908 return error; 3909 } 3910 3911 static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd, 3912 unsigned long arg) 3913 { 3914 /* 3915 * If we are in a 64-bit kernel running 32-bit userspace, we need to 3916 * make sure we don't compare 32-bit flags to 64-bit flags. 3917 */ 3918 switch (cmd) { 3919 case FS_IOC32_GETFLAGS: 3920 cmd = FS_IOC_GETFLAGS; 3921 break; 3922 case FS_IOC32_SETFLAGS: 3923 cmd = FS_IOC_SETFLAGS; 3924 break; 3925 case FS_IOC32_GETVERSION: 3926 cmd = FS_IOC_GETVERSION; 3927 break; 3928 case FS_IOC32_SETVERSION: 3929 cmd = FS_IOC_SETVERSION; 3930 break; 3931 default: 3932 break; 3933 } 3934 3935 return selinux_file_ioctl(file, cmd, arg); 3936 } 3937 3938 static int default_noexec __ro_after_init; 3939 3940 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3941 { 3942 const struct cred *cred = current_cred(); 3943 u32 sid = cred_sid(cred); 3944 int rc = 0; 3945 3946 if (default_noexec && 3947 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3948 (!shared && (prot & PROT_WRITE)))) { 3949 /* 3950 * We are making executable an anonymous mapping or a 3951 * private file mapping that will also be writable. 3952 * This has an additional check. 3953 */ 3954 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3955 PROCESS__EXECMEM, NULL); 3956 if (rc) 3957 goto error; 3958 } 3959 3960 if (file) { 3961 /* read access is always possible with a mapping */ 3962 u32 av = FILE__READ; 3963 3964 /* write access only matters if the mapping is shared */ 3965 if (shared && (prot & PROT_WRITE)) 3966 av |= FILE__WRITE; 3967 3968 if (prot & PROT_EXEC) 3969 av |= FILE__EXECUTE; 3970 3971 return file_has_perm(cred, file, av); 3972 } 3973 3974 error: 3975 return rc; 3976 } 3977 3978 static int selinux_mmap_addr(unsigned long addr) 3979 { 3980 int rc = 0; 3981 3982 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3983 u32 sid = current_sid(); 3984 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3985 MEMPROTECT__MMAP_ZERO, NULL); 3986 } 3987 3988 return rc; 3989 } 3990 3991 static int selinux_mmap_file(struct file *file, 3992 unsigned long reqprot __always_unused, 3993 unsigned long prot, unsigned long flags) 3994 { 3995 struct common_audit_data ad; 3996 int rc; 3997 3998 if (file) { 3999 ad.type = LSM_AUDIT_DATA_FILE; 4000 ad.u.file = file; 4001 rc = inode_has_perm(current_cred(), file_inode(file), 4002 FILE__MAP, &ad); 4003 if (rc) 4004 return rc; 4005 } 4006 4007 return file_map_prot_check(file, prot, 4008 (flags & MAP_TYPE) == MAP_SHARED); 4009 } 4010 4011 static int selinux_file_mprotect(struct vm_area_struct *vma, 4012 unsigned long reqprot __always_unused, 4013 unsigned long prot) 4014 { 4015 const struct cred *cred = current_cred(); 4016 u32 sid = cred_sid(cred); 4017 4018 if (default_noexec && 4019 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 4020 int rc = 0; 4021 /* 4022 * We don't use the vma_is_initial_heap() helper as it has 4023 * a history of problems and is currently broken on systems 4024 * where there is no heap, e.g. brk == start_brk. Before 4025 * replacing the conditional below with vma_is_initial_heap(), 4026 * or something similar, please ensure that the logic is the 4027 * same as what we have below or you have tested every possible 4028 * corner case you can think to test. 4029 */ 4030 if (vma->vm_start >= vma->vm_mm->start_brk && 4031 vma->vm_end <= vma->vm_mm->brk) { 4032 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 4033 PROCESS__EXECHEAP, NULL); 4034 } else if (!vma->vm_file && (vma_is_initial_stack(vma) || 4035 vma_is_stack_for_current(vma))) { 4036 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 4037 PROCESS__EXECSTACK, NULL); 4038 } else if (vma->vm_file && vma->anon_vma) { 4039 /* 4040 * We are making executable a file mapping that has 4041 * had some COW done. Since pages might have been 4042 * written, check ability to execute the possibly 4043 * modified content. This typically should only 4044 * occur for text relocations. 4045 */ 4046 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 4047 } 4048 if (rc) 4049 return rc; 4050 } 4051 4052 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 4053 } 4054 4055 static int selinux_file_lock(struct file *file, unsigned int cmd) 4056 { 4057 const struct cred *cred = current_cred(); 4058 4059 return file_has_perm(cred, file, FILE__LOCK); 4060 } 4061 4062 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 4063 unsigned long arg) 4064 { 4065 const struct cred *cred = current_cred(); 4066 int err = 0; 4067 4068 switch (cmd) { 4069 case F_SETFL: 4070 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 4071 err = file_has_perm(cred, file, FILE__WRITE); 4072 break; 4073 } 4074 fallthrough; 4075 case F_SETOWN: 4076 case F_SETSIG: 4077 case F_GETFL: 4078 case F_GETOWN: 4079 case F_GETSIG: 4080 case F_GETOWNER_UIDS: 4081 /* Just check FD__USE permission */ 4082 err = file_has_perm(cred, file, 0); 4083 break; 4084 case F_GETLK: 4085 case F_SETLK: 4086 case F_SETLKW: 4087 case F_OFD_GETLK: 4088 case F_OFD_SETLK: 4089 case F_OFD_SETLKW: 4090 #if BITS_PER_LONG == 32 4091 case F_GETLK64: 4092 case F_SETLK64: 4093 case F_SETLKW64: 4094 #endif 4095 err = file_has_perm(cred, file, FILE__LOCK); 4096 break; 4097 } 4098 4099 return err; 4100 } 4101 4102 static void selinux_file_set_fowner(struct file *file) 4103 { 4104 struct file_security_struct *fsec; 4105 4106 fsec = selinux_file(file); 4107 fsec->fown_sid = current_sid(); 4108 } 4109 4110 static int selinux_file_send_sigiotask(struct task_struct *tsk, 4111 struct fown_struct *fown, int signum) 4112 { 4113 struct file *file; 4114 u32 sid = task_sid_obj(tsk); 4115 u32 perm; 4116 struct file_security_struct *fsec; 4117 4118 /* struct fown_struct is never outside the context of a struct file */ 4119 file = fown->file; 4120 4121 fsec = selinux_file(file); 4122 4123 if (!signum) 4124 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 4125 else 4126 perm = signal_to_av(signum); 4127 4128 return avc_has_perm(fsec->fown_sid, sid, 4129 SECCLASS_PROCESS, perm, NULL); 4130 } 4131 4132 static int selinux_file_receive(struct file *file) 4133 { 4134 const struct cred *cred = current_cred(); 4135 4136 return file_has_perm(cred, file, file_to_av(file)); 4137 } 4138 4139 static int selinux_file_open(struct file *file) 4140 { 4141 struct file_security_struct *fsec; 4142 struct inode_security_struct *isec; 4143 4144 fsec = selinux_file(file); 4145 isec = inode_security(file_inode(file)); 4146 /* 4147 * Save inode label and policy sequence number 4148 * at open-time so that selinux_file_permission 4149 * can determine whether revalidation is necessary. 4150 * Task label is already saved in the file security 4151 * struct as its SID. 4152 */ 4153 fsec->isid = isec->sid; 4154 fsec->pseqno = avc_policy_seqno(); 4155 /* 4156 * Since the inode label or policy seqno may have changed 4157 * between the selinux_inode_permission check and the saving 4158 * of state above, recheck that access is still permitted. 4159 * Otherwise, access might never be revalidated against the 4160 * new inode label or new policy. 4161 * This check is not redundant - do not remove. 4162 */ 4163 return file_path_has_perm(file->f_cred, file, open_file_to_av(file)); 4164 } 4165 4166 /* task security operations */ 4167 4168 static int selinux_task_alloc(struct task_struct *task, 4169 u64 clone_flags) 4170 { 4171 u32 sid = current_sid(); 4172 struct task_security_struct *old_tsec = selinux_task(current); 4173 struct task_security_struct *new_tsec = selinux_task(task); 4174 4175 *new_tsec = *old_tsec; 4176 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 4177 } 4178 4179 /* 4180 * prepare a new set of credentials for modification 4181 */ 4182 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 4183 gfp_t gfp) 4184 { 4185 const struct cred_security_struct *old_crsec = selinux_cred(old); 4186 struct cred_security_struct *crsec = selinux_cred(new); 4187 4188 *crsec = *old_crsec; 4189 return 0; 4190 } 4191 4192 /* 4193 * transfer the SELinux data to a blank set of creds 4194 */ 4195 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 4196 { 4197 const struct cred_security_struct *old_crsec = selinux_cred(old); 4198 struct cred_security_struct *crsec = selinux_cred(new); 4199 4200 *crsec = *old_crsec; 4201 } 4202 4203 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 4204 { 4205 *secid = cred_sid(c); 4206 } 4207 4208 static void selinux_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop) 4209 { 4210 prop->selinux.secid = cred_sid(c); 4211 } 4212 4213 /* 4214 * set the security data for a kernel service 4215 * - all the creation contexts are set to unlabelled 4216 */ 4217 static int selinux_kernel_act_as(struct cred *new, u32 secid) 4218 { 4219 struct cred_security_struct *crsec = selinux_cred(new); 4220 u32 sid = current_sid(); 4221 int ret; 4222 4223 ret = avc_has_perm(sid, secid, 4224 SECCLASS_KERNEL_SERVICE, 4225 KERNEL_SERVICE__USE_AS_OVERRIDE, 4226 NULL); 4227 if (ret == 0) { 4228 crsec->sid = secid; 4229 crsec->create_sid = 0; 4230 crsec->keycreate_sid = 0; 4231 crsec->sockcreate_sid = 0; 4232 } 4233 return ret; 4234 } 4235 4236 /* 4237 * set the file creation context in a security record to the same as the 4238 * objective context of the specified inode 4239 */ 4240 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 4241 { 4242 struct inode_security_struct *isec = inode_security(inode); 4243 struct cred_security_struct *crsec = selinux_cred(new); 4244 u32 sid = current_sid(); 4245 int ret; 4246 4247 ret = avc_has_perm(sid, isec->sid, 4248 SECCLASS_KERNEL_SERVICE, 4249 KERNEL_SERVICE__CREATE_FILES_AS, 4250 NULL); 4251 4252 if (ret == 0) 4253 crsec->create_sid = isec->sid; 4254 return ret; 4255 } 4256 4257 static int selinux_kernel_module_request(char *kmod_name) 4258 { 4259 struct common_audit_data ad; 4260 4261 ad.type = LSM_AUDIT_DATA_KMOD; 4262 ad.u.kmod_name = kmod_name; 4263 4264 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4265 SYSTEM__MODULE_REQUEST, &ad); 4266 } 4267 4268 static int selinux_kernel_load_from_file(struct file *file, u32 requested) 4269 { 4270 struct common_audit_data ad; 4271 struct inode_security_struct *isec; 4272 struct file_security_struct *fsec; 4273 u32 sid = current_sid(); 4274 int rc; 4275 4276 if (file == NULL) 4277 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, requested, NULL); 4278 4279 ad.type = LSM_AUDIT_DATA_FILE; 4280 ad.u.file = file; 4281 4282 fsec = selinux_file(file); 4283 if (sid != fsec->sid) { 4284 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4285 if (rc) 4286 return rc; 4287 } 4288 4289 isec = inode_security(file_inode(file)); 4290 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, requested, &ad); 4291 } 4292 4293 static int selinux_kernel_read_file(struct file *file, 4294 enum kernel_read_file_id id, 4295 bool contents) 4296 { 4297 int rc = 0; 4298 4299 BUILD_BUG_ON_MSG(READING_MAX_ID > 8, 4300 "New kernel_read_file_id introduced; update SELinux!"); 4301 4302 switch (id) { 4303 case READING_FIRMWARE: 4304 rc = selinux_kernel_load_from_file(file, SYSTEM__FIRMWARE_LOAD); 4305 break; 4306 case READING_MODULE: 4307 case READING_MODULE_COMPRESSED: 4308 rc = selinux_kernel_load_from_file(file, SYSTEM__MODULE_LOAD); 4309 break; 4310 case READING_KEXEC_IMAGE: 4311 rc = selinux_kernel_load_from_file(file, 4312 SYSTEM__KEXEC_IMAGE_LOAD); 4313 break; 4314 case READING_KEXEC_INITRAMFS: 4315 rc = selinux_kernel_load_from_file(file, 4316 SYSTEM__KEXEC_INITRAMFS_LOAD); 4317 break; 4318 case READING_POLICY: 4319 rc = selinux_kernel_load_from_file(file, SYSTEM__POLICY_LOAD); 4320 break; 4321 case READING_X509_CERTIFICATE: 4322 rc = selinux_kernel_load_from_file(file, 4323 SYSTEM__X509_CERTIFICATE_LOAD); 4324 break; 4325 default: 4326 break; 4327 } 4328 4329 return rc; 4330 } 4331 4332 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents) 4333 { 4334 int rc = 0; 4335 4336 BUILD_BUG_ON_MSG(LOADING_MAX_ID > 8, 4337 "New kernel_load_data_id introduced; update SELinux!"); 4338 4339 switch (id) { 4340 case LOADING_FIRMWARE: 4341 rc = selinux_kernel_load_from_file(NULL, SYSTEM__FIRMWARE_LOAD); 4342 break; 4343 case LOADING_MODULE: 4344 rc = selinux_kernel_load_from_file(NULL, SYSTEM__MODULE_LOAD); 4345 break; 4346 case LOADING_KEXEC_IMAGE: 4347 rc = selinux_kernel_load_from_file(NULL, 4348 SYSTEM__KEXEC_IMAGE_LOAD); 4349 break; 4350 case LOADING_KEXEC_INITRAMFS: 4351 rc = selinux_kernel_load_from_file(NULL, 4352 SYSTEM__KEXEC_INITRAMFS_LOAD); 4353 break; 4354 case LOADING_POLICY: 4355 rc = selinux_kernel_load_from_file(NULL, 4356 SYSTEM__POLICY_LOAD); 4357 break; 4358 case LOADING_X509_CERTIFICATE: 4359 rc = selinux_kernel_load_from_file(NULL, 4360 SYSTEM__X509_CERTIFICATE_LOAD); 4361 break; 4362 default: 4363 break; 4364 } 4365 4366 return rc; 4367 } 4368 4369 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4370 { 4371 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4372 PROCESS__SETPGID, NULL); 4373 } 4374 4375 static int selinux_task_getpgid(struct task_struct *p) 4376 { 4377 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4378 PROCESS__GETPGID, NULL); 4379 } 4380 4381 static int selinux_task_getsid(struct task_struct *p) 4382 { 4383 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4384 PROCESS__GETSESSION, NULL); 4385 } 4386 4387 static void selinux_current_getlsmprop_subj(struct lsm_prop *prop) 4388 { 4389 prop->selinux.secid = current_sid(); 4390 } 4391 4392 static void selinux_task_getlsmprop_obj(struct task_struct *p, 4393 struct lsm_prop *prop) 4394 { 4395 prop->selinux.secid = task_sid_obj(p); 4396 } 4397 4398 static int selinux_task_setnice(struct task_struct *p, int nice) 4399 { 4400 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4401 PROCESS__SETSCHED, NULL); 4402 } 4403 4404 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4405 { 4406 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4407 PROCESS__SETSCHED, NULL); 4408 } 4409 4410 static int selinux_task_getioprio(struct task_struct *p) 4411 { 4412 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4413 PROCESS__GETSCHED, NULL); 4414 } 4415 4416 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4417 unsigned int flags) 4418 { 4419 u32 av = 0; 4420 4421 if (!flags) 4422 return 0; 4423 if (flags & LSM_PRLIMIT_WRITE) 4424 av |= PROCESS__SETRLIMIT; 4425 if (flags & LSM_PRLIMIT_READ) 4426 av |= PROCESS__GETRLIMIT; 4427 return avc_has_perm(cred_sid(cred), cred_sid(tcred), 4428 SECCLASS_PROCESS, av, NULL); 4429 } 4430 4431 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4432 struct rlimit *new_rlim) 4433 { 4434 struct rlimit *old_rlim = p->signal->rlim + resource; 4435 4436 /* Control the ability to change the hard limit (whether 4437 lowering or raising it), so that the hard limit can 4438 later be used as a safe reset point for the soft limit 4439 upon context transitions. See selinux_bprm_committing_creds. */ 4440 if (old_rlim->rlim_max != new_rlim->rlim_max) 4441 return avc_has_perm(current_sid(), task_sid_obj(p), 4442 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4443 4444 return 0; 4445 } 4446 4447 static int selinux_task_setscheduler(struct task_struct *p) 4448 { 4449 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4450 PROCESS__SETSCHED, NULL); 4451 } 4452 4453 static int selinux_task_getscheduler(struct task_struct *p) 4454 { 4455 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4456 PROCESS__GETSCHED, NULL); 4457 } 4458 4459 static int selinux_task_movememory(struct task_struct *p) 4460 { 4461 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4462 PROCESS__SETSCHED, NULL); 4463 } 4464 4465 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, 4466 int sig, const struct cred *cred) 4467 { 4468 u32 secid; 4469 u32 perm; 4470 4471 if (!sig) 4472 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4473 else 4474 perm = signal_to_av(sig); 4475 if (!cred) 4476 secid = current_sid(); 4477 else 4478 secid = cred_sid(cred); 4479 return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL); 4480 } 4481 4482 static void selinux_task_to_inode(struct task_struct *p, 4483 struct inode *inode) 4484 { 4485 struct inode_security_struct *isec = selinux_inode(inode); 4486 u32 sid = task_sid_obj(p); 4487 4488 spin_lock(&isec->lock); 4489 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4490 isec->sid = sid; 4491 isec->initialized = LABEL_INITIALIZED; 4492 spin_unlock(&isec->lock); 4493 } 4494 4495 static int selinux_userns_create(const struct cred *cred) 4496 { 4497 u32 sid = current_sid(); 4498 4499 return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE, 4500 USER_NAMESPACE__CREATE, NULL); 4501 } 4502 4503 /* Returns error only if unable to parse addresses */ 4504 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4505 struct common_audit_data *ad, u8 *proto) 4506 { 4507 int offset, ihlen, ret = -EINVAL; 4508 struct iphdr _iph, *ih; 4509 4510 offset = skb_network_offset(skb); 4511 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4512 if (ih == NULL) 4513 goto out; 4514 4515 ihlen = ih->ihl * 4; 4516 if (ihlen < sizeof(_iph)) 4517 goto out; 4518 4519 ad->u.net->v4info.saddr = ih->saddr; 4520 ad->u.net->v4info.daddr = ih->daddr; 4521 ret = 0; 4522 4523 if (proto) 4524 *proto = ih->protocol; 4525 4526 switch (ih->protocol) { 4527 case IPPROTO_TCP: { 4528 struct tcphdr _tcph, *th; 4529 4530 if (ntohs(ih->frag_off) & IP_OFFSET) 4531 break; 4532 4533 offset += ihlen; 4534 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4535 if (th == NULL) 4536 break; 4537 4538 ad->u.net->sport = th->source; 4539 ad->u.net->dport = th->dest; 4540 break; 4541 } 4542 4543 case IPPROTO_UDP: { 4544 struct udphdr _udph, *uh; 4545 4546 if (ntohs(ih->frag_off) & IP_OFFSET) 4547 break; 4548 4549 offset += ihlen; 4550 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4551 if (uh == NULL) 4552 break; 4553 4554 ad->u.net->sport = uh->source; 4555 ad->u.net->dport = uh->dest; 4556 break; 4557 } 4558 4559 #if IS_ENABLED(CONFIG_IP_SCTP) 4560 case IPPROTO_SCTP: { 4561 struct sctphdr _sctph, *sh; 4562 4563 if (ntohs(ih->frag_off) & IP_OFFSET) 4564 break; 4565 4566 offset += ihlen; 4567 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4568 if (sh == NULL) 4569 break; 4570 4571 ad->u.net->sport = sh->source; 4572 ad->u.net->dport = sh->dest; 4573 break; 4574 } 4575 #endif 4576 default: 4577 break; 4578 } 4579 out: 4580 return ret; 4581 } 4582 4583 #if IS_ENABLED(CONFIG_IPV6) 4584 4585 /* Returns error only if unable to parse addresses */ 4586 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4587 struct common_audit_data *ad, u8 *proto) 4588 { 4589 u8 nexthdr; 4590 int ret = -EINVAL, offset; 4591 struct ipv6hdr _ipv6h, *ip6; 4592 __be16 frag_off; 4593 4594 offset = skb_network_offset(skb); 4595 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4596 if (ip6 == NULL) 4597 goto out; 4598 4599 ad->u.net->v6info.saddr = ip6->saddr; 4600 ad->u.net->v6info.daddr = ip6->daddr; 4601 ret = 0; 4602 4603 nexthdr = ip6->nexthdr; 4604 offset += sizeof(_ipv6h); 4605 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4606 if (offset < 0) 4607 goto out; 4608 4609 if (proto) 4610 *proto = nexthdr; 4611 4612 switch (nexthdr) { 4613 case IPPROTO_TCP: { 4614 struct tcphdr _tcph, *th; 4615 4616 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4617 if (th == NULL) 4618 break; 4619 4620 ad->u.net->sport = th->source; 4621 ad->u.net->dport = th->dest; 4622 break; 4623 } 4624 4625 case IPPROTO_UDP: { 4626 struct udphdr _udph, *uh; 4627 4628 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4629 if (uh == NULL) 4630 break; 4631 4632 ad->u.net->sport = uh->source; 4633 ad->u.net->dport = uh->dest; 4634 break; 4635 } 4636 4637 #if IS_ENABLED(CONFIG_IP_SCTP) 4638 case IPPROTO_SCTP: { 4639 struct sctphdr _sctph, *sh; 4640 4641 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4642 if (sh == NULL) 4643 break; 4644 4645 ad->u.net->sport = sh->source; 4646 ad->u.net->dport = sh->dest; 4647 break; 4648 } 4649 #endif 4650 /* includes fragments */ 4651 default: 4652 break; 4653 } 4654 out: 4655 return ret; 4656 } 4657 4658 #endif /* IPV6 */ 4659 4660 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4661 char **_addrp, int src, u8 *proto) 4662 { 4663 char *addrp; 4664 int ret; 4665 4666 switch (ad->u.net->family) { 4667 case PF_INET: 4668 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4669 if (ret) 4670 goto parse_error; 4671 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4672 &ad->u.net->v4info.daddr); 4673 goto okay; 4674 4675 #if IS_ENABLED(CONFIG_IPV6) 4676 case PF_INET6: 4677 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4678 if (ret) 4679 goto parse_error; 4680 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4681 &ad->u.net->v6info.daddr); 4682 goto okay; 4683 #endif /* IPV6 */ 4684 default: 4685 addrp = NULL; 4686 goto okay; 4687 } 4688 4689 parse_error: 4690 pr_warn( 4691 "SELinux: failure in selinux_parse_skb()," 4692 " unable to parse packet\n"); 4693 return ret; 4694 4695 okay: 4696 if (_addrp) 4697 *_addrp = addrp; 4698 return 0; 4699 } 4700 4701 /** 4702 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4703 * @skb: the packet 4704 * @family: protocol family 4705 * @sid: the packet's peer label SID 4706 * 4707 * Description: 4708 * Check the various different forms of network peer labeling and determine 4709 * the peer label/SID for the packet; most of the magic actually occurs in 4710 * the security server function security_net_peersid_cmp(). The function 4711 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4712 * or -EACCES if @sid is invalid due to inconsistencies with the different 4713 * peer labels. 4714 * 4715 */ 4716 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4717 { 4718 int err; 4719 u32 xfrm_sid; 4720 u32 nlbl_sid; 4721 u32 nlbl_type; 4722 4723 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4724 if (unlikely(err)) 4725 return -EACCES; 4726 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4727 if (unlikely(err)) 4728 return -EACCES; 4729 4730 err = security_net_peersid_resolve(nlbl_sid, 4731 nlbl_type, xfrm_sid, sid); 4732 if (unlikely(err)) { 4733 pr_warn( 4734 "SELinux: failure in selinux_skb_peerlbl_sid()," 4735 " unable to determine packet's peer label\n"); 4736 return -EACCES; 4737 } 4738 4739 return 0; 4740 } 4741 4742 /** 4743 * selinux_conn_sid - Determine the child socket label for a connection 4744 * @sk_sid: the parent socket's SID 4745 * @skb_sid: the packet's SID 4746 * @conn_sid: the resulting connection SID 4747 * 4748 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4749 * combined with the MLS information from @skb_sid in order to create 4750 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy 4751 * of @sk_sid. Returns zero on success, negative values on failure. 4752 * 4753 */ 4754 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4755 { 4756 int err = 0; 4757 4758 if (skb_sid != SECSID_NULL) 4759 err = security_sid_mls_copy(sk_sid, skb_sid, 4760 conn_sid); 4761 else 4762 *conn_sid = sk_sid; 4763 4764 return err; 4765 } 4766 4767 /* socket security operations */ 4768 4769 static int socket_sockcreate_sid(const struct cred_security_struct *crsec, 4770 u16 secclass, u32 *socksid) 4771 { 4772 if (crsec->sockcreate_sid > SECSID_NULL) { 4773 *socksid = crsec->sockcreate_sid; 4774 return 0; 4775 } 4776 4777 return security_transition_sid(crsec->sid, crsec->sid, 4778 secclass, NULL, socksid); 4779 } 4780 4781 static bool sock_skip_has_perm(u32 sid) 4782 { 4783 if (sid == SECINITSID_KERNEL) 4784 return true; 4785 4786 /* 4787 * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that 4788 * inherited the kernel context from early boot used to be skipped 4789 * here, so preserve that behavior unless the capability is set. 4790 * 4791 * By setting the capability the policy signals that it is ready 4792 * for this quirk to be fixed. Note that sockets created by a kernel 4793 * thread or a usermode helper executed without a transition will 4794 * still be skipped in this check regardless of the policycap 4795 * setting. 4796 */ 4797 if (!selinux_policycap_userspace_initial_context() && 4798 sid == SECINITSID_INIT) 4799 return true; 4800 return false; 4801 } 4802 4803 4804 static int sock_has_perm(struct sock *sk, u32 perms) 4805 { 4806 struct sk_security_struct *sksec = sk->sk_security; 4807 struct common_audit_data ad; 4808 struct lsm_network_audit net; 4809 4810 if (sock_skip_has_perm(sksec->sid)) 4811 return 0; 4812 4813 ad_net_init_from_sk(&ad, &net, sk); 4814 4815 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4816 &ad); 4817 } 4818 4819 static int selinux_socket_create(int family, int type, 4820 int protocol, int kern) 4821 { 4822 const struct cred_security_struct *crsec = selinux_cred(current_cred()); 4823 u32 newsid; 4824 u16 secclass; 4825 int rc; 4826 4827 if (kern) 4828 return 0; 4829 4830 secclass = socket_type_to_security_class(family, type, protocol); 4831 rc = socket_sockcreate_sid(crsec, secclass, &newsid); 4832 if (rc) 4833 return rc; 4834 4835 return avc_has_perm(crsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4836 } 4837 4838 static int selinux_socket_post_create(struct socket *sock, int family, 4839 int type, int protocol, int kern) 4840 { 4841 const struct cred_security_struct *crsec = selinux_cred(current_cred()); 4842 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4843 struct sk_security_struct *sksec; 4844 u16 sclass = socket_type_to_security_class(family, type, protocol); 4845 u32 sid = SECINITSID_KERNEL; 4846 int err = 0; 4847 4848 if (!kern) { 4849 err = socket_sockcreate_sid(crsec, sclass, &sid); 4850 if (err) 4851 return err; 4852 } 4853 4854 isec->sclass = sclass; 4855 isec->sid = sid; 4856 isec->initialized = LABEL_INITIALIZED; 4857 4858 if (sock->sk) { 4859 sksec = selinux_sock(sock->sk); 4860 sksec->sclass = sclass; 4861 sksec->sid = sid; 4862 /* Allows detection of the first association on this socket */ 4863 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4864 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4865 4866 err = selinux_netlbl_socket_post_create(sock->sk, family); 4867 } 4868 4869 return err; 4870 } 4871 4872 static int selinux_socket_socketpair(struct socket *socka, 4873 struct socket *sockb) 4874 { 4875 struct sk_security_struct *sksec_a = selinux_sock(socka->sk); 4876 struct sk_security_struct *sksec_b = selinux_sock(sockb->sk); 4877 4878 sksec_a->peer_sid = sksec_b->sid; 4879 sksec_b->peer_sid = sksec_a->sid; 4880 4881 return 0; 4882 } 4883 4884 /* Range of port numbers used to automatically bind. 4885 Need to determine whether we should perform a name_bind 4886 permission check between the socket and the port number. */ 4887 4888 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4889 { 4890 struct sock *sk = sock->sk; 4891 struct sk_security_struct *sksec = selinux_sock(sk); 4892 u16 family; 4893 int err; 4894 4895 err = sock_has_perm(sk, SOCKET__BIND); 4896 if (err) 4897 goto out; 4898 4899 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4900 family = sk->sk_family; 4901 if (family == PF_INET || family == PF_INET6) { 4902 char *addrp; 4903 struct common_audit_data ad; 4904 struct lsm_network_audit net = {0,}; 4905 struct sockaddr_in *addr4 = NULL; 4906 struct sockaddr_in6 *addr6 = NULL; 4907 u16 family_sa; 4908 unsigned short snum; 4909 u32 sid, node_perm; 4910 4911 /* 4912 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4913 * that validates multiple binding addresses. Because of this 4914 * need to check address->sa_family as it is possible to have 4915 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4916 */ 4917 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4918 return -EINVAL; 4919 family_sa = address->sa_family; 4920 switch (family_sa) { 4921 case AF_UNSPEC: 4922 case AF_INET: 4923 if (addrlen < sizeof(struct sockaddr_in)) 4924 return -EINVAL; 4925 addr4 = (struct sockaddr_in *)address; 4926 if (family_sa == AF_UNSPEC) { 4927 if (family == PF_INET6) { 4928 /* Length check from inet6_bind_sk() */ 4929 if (addrlen < SIN6_LEN_RFC2133) 4930 return -EINVAL; 4931 /* Family check from __inet6_bind() */ 4932 goto err_af; 4933 } 4934 /* see __inet_bind(), we only want to allow 4935 * AF_UNSPEC if the address is INADDR_ANY 4936 */ 4937 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4938 goto err_af; 4939 family_sa = AF_INET; 4940 } 4941 snum = ntohs(addr4->sin_port); 4942 addrp = (char *)&addr4->sin_addr.s_addr; 4943 break; 4944 case AF_INET6: 4945 if (addrlen < SIN6_LEN_RFC2133) 4946 return -EINVAL; 4947 addr6 = (struct sockaddr_in6 *)address; 4948 snum = ntohs(addr6->sin6_port); 4949 addrp = (char *)&addr6->sin6_addr.s6_addr; 4950 break; 4951 default: 4952 goto err_af; 4953 } 4954 4955 ad.type = LSM_AUDIT_DATA_NET; 4956 ad.u.net = &net; 4957 ad.u.net->sport = htons(snum); 4958 ad.u.net->family = family_sa; 4959 4960 if (snum) { 4961 int low, high; 4962 4963 inet_get_local_port_range(sock_net(sk), &low, &high); 4964 4965 if (inet_port_requires_bind_service(sock_net(sk), snum) || 4966 snum < low || snum > high) { 4967 err = sel_netport_sid(sk->sk_protocol, 4968 snum, &sid); 4969 if (err) 4970 goto out; 4971 err = avc_has_perm(sksec->sid, sid, 4972 sksec->sclass, 4973 SOCKET__NAME_BIND, &ad); 4974 if (err) 4975 goto out; 4976 } 4977 } 4978 4979 switch (sksec->sclass) { 4980 case SECCLASS_TCP_SOCKET: 4981 node_perm = TCP_SOCKET__NODE_BIND; 4982 break; 4983 4984 case SECCLASS_UDP_SOCKET: 4985 node_perm = UDP_SOCKET__NODE_BIND; 4986 break; 4987 4988 case SECCLASS_SCTP_SOCKET: 4989 node_perm = SCTP_SOCKET__NODE_BIND; 4990 break; 4991 4992 default: 4993 node_perm = RAWIP_SOCKET__NODE_BIND; 4994 break; 4995 } 4996 4997 err = sel_netnode_sid(addrp, family_sa, &sid); 4998 if (err) 4999 goto out; 5000 5001 if (family_sa == AF_INET) 5002 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 5003 else 5004 ad.u.net->v6info.saddr = addr6->sin6_addr; 5005 5006 err = avc_has_perm(sksec->sid, sid, 5007 sksec->sclass, node_perm, &ad); 5008 if (err) 5009 goto out; 5010 } 5011 out: 5012 return err; 5013 err_af: 5014 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 5015 if (sk->sk_protocol == IPPROTO_SCTP) 5016 return -EINVAL; 5017 return -EAFNOSUPPORT; 5018 } 5019 5020 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 5021 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst 5022 */ 5023 static int selinux_socket_connect_helper(struct socket *sock, 5024 struct sockaddr *address, int addrlen) 5025 { 5026 struct sock *sk = sock->sk; 5027 struct sk_security_struct *sksec = selinux_sock(sk); 5028 int err; 5029 5030 err = sock_has_perm(sk, SOCKET__CONNECT); 5031 if (err) 5032 return err; 5033 if (addrlen < offsetofend(struct sockaddr, sa_family)) 5034 return -EINVAL; 5035 5036 /* connect(AF_UNSPEC) has special handling, as it is a documented 5037 * way to disconnect the socket 5038 */ 5039 if (address->sa_family == AF_UNSPEC) 5040 return 0; 5041 5042 /* 5043 * If a TCP or SCTP socket, check name_connect permission 5044 * for the port. 5045 */ 5046 if (sksec->sclass == SECCLASS_TCP_SOCKET || 5047 sksec->sclass == SECCLASS_SCTP_SOCKET) { 5048 struct common_audit_data ad; 5049 struct lsm_network_audit net = {0,}; 5050 struct sockaddr_in *addr4 = NULL; 5051 struct sockaddr_in6 *addr6 = NULL; 5052 unsigned short snum; 5053 u32 sid, perm; 5054 5055 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 5056 * that validates multiple connect addresses. Because of this 5057 * need to check address->sa_family as it is possible to have 5058 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 5059 */ 5060 switch (address->sa_family) { 5061 case AF_INET: 5062 addr4 = (struct sockaddr_in *)address; 5063 if (addrlen < sizeof(struct sockaddr_in)) 5064 return -EINVAL; 5065 snum = ntohs(addr4->sin_port); 5066 break; 5067 case AF_INET6: 5068 addr6 = (struct sockaddr_in6 *)address; 5069 if (addrlen < SIN6_LEN_RFC2133) 5070 return -EINVAL; 5071 snum = ntohs(addr6->sin6_port); 5072 break; 5073 default: 5074 /* Note that SCTP services expect -EINVAL, whereas 5075 * others expect -EAFNOSUPPORT. 5076 */ 5077 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 5078 return -EINVAL; 5079 else 5080 return -EAFNOSUPPORT; 5081 } 5082 5083 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 5084 if (err) 5085 return err; 5086 5087 switch (sksec->sclass) { 5088 case SECCLASS_TCP_SOCKET: 5089 perm = TCP_SOCKET__NAME_CONNECT; 5090 break; 5091 case SECCLASS_SCTP_SOCKET: 5092 perm = SCTP_SOCKET__NAME_CONNECT; 5093 break; 5094 } 5095 5096 ad.type = LSM_AUDIT_DATA_NET; 5097 ad.u.net = &net; 5098 ad.u.net->dport = htons(snum); 5099 ad.u.net->family = address->sa_family; 5100 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 5101 if (err) 5102 return err; 5103 } 5104 5105 return 0; 5106 } 5107 5108 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 5109 static int selinux_socket_connect(struct socket *sock, 5110 struct sockaddr *address, int addrlen) 5111 { 5112 int err; 5113 struct sock *sk = sock->sk; 5114 5115 err = selinux_socket_connect_helper(sock, address, addrlen); 5116 if (err) 5117 return err; 5118 5119 return selinux_netlbl_socket_connect(sk, address); 5120 } 5121 5122 static int selinux_socket_listen(struct socket *sock, int backlog) 5123 { 5124 return sock_has_perm(sock->sk, SOCKET__LISTEN); 5125 } 5126 5127 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 5128 { 5129 int err; 5130 struct inode_security_struct *isec; 5131 struct inode_security_struct *newisec; 5132 u16 sclass; 5133 u32 sid; 5134 5135 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 5136 if (err) 5137 return err; 5138 5139 isec = inode_security_novalidate(SOCK_INODE(sock)); 5140 spin_lock(&isec->lock); 5141 sclass = isec->sclass; 5142 sid = isec->sid; 5143 spin_unlock(&isec->lock); 5144 5145 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 5146 newisec->sclass = sclass; 5147 newisec->sid = sid; 5148 newisec->initialized = LABEL_INITIALIZED; 5149 5150 return 0; 5151 } 5152 5153 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 5154 int size) 5155 { 5156 return sock_has_perm(sock->sk, SOCKET__WRITE); 5157 } 5158 5159 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 5160 int size, int flags) 5161 { 5162 return sock_has_perm(sock->sk, SOCKET__READ); 5163 } 5164 5165 static int selinux_socket_getsockname(struct socket *sock) 5166 { 5167 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5168 } 5169 5170 static int selinux_socket_getpeername(struct socket *sock) 5171 { 5172 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5173 } 5174 5175 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 5176 { 5177 int err; 5178 5179 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 5180 if (err) 5181 return err; 5182 5183 return selinux_netlbl_socket_setsockopt(sock, level, optname); 5184 } 5185 5186 static int selinux_socket_getsockopt(struct socket *sock, int level, 5187 int optname) 5188 { 5189 return sock_has_perm(sock->sk, SOCKET__GETOPT); 5190 } 5191 5192 static int selinux_socket_shutdown(struct socket *sock, int how) 5193 { 5194 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 5195 } 5196 5197 static int selinux_socket_unix_stream_connect(struct sock *sock, 5198 struct sock *other, 5199 struct sock *newsk) 5200 { 5201 struct sk_security_struct *sksec_sock = selinux_sock(sock); 5202 struct sk_security_struct *sksec_other = selinux_sock(other); 5203 struct sk_security_struct *sksec_new = selinux_sock(newsk); 5204 struct common_audit_data ad; 5205 struct lsm_network_audit net; 5206 int err; 5207 5208 ad_net_init_from_sk(&ad, &net, other); 5209 5210 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 5211 sksec_other->sclass, 5212 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 5213 if (err) 5214 return err; 5215 5216 /* server child socket */ 5217 sksec_new->peer_sid = sksec_sock->sid; 5218 err = security_sid_mls_copy(sksec_other->sid, 5219 sksec_sock->sid, &sksec_new->sid); 5220 if (err) 5221 return err; 5222 5223 /* connecting socket */ 5224 sksec_sock->peer_sid = sksec_new->sid; 5225 5226 return 0; 5227 } 5228 5229 static int selinux_socket_unix_may_send(struct socket *sock, 5230 struct socket *other) 5231 { 5232 struct sk_security_struct *ssec = selinux_sock(sock->sk); 5233 struct sk_security_struct *osec = selinux_sock(other->sk); 5234 struct common_audit_data ad; 5235 struct lsm_network_audit net; 5236 5237 ad_net_init_from_sk(&ad, &net, other->sk); 5238 5239 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 5240 &ad); 5241 } 5242 5243 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 5244 char *addrp, u16 family, u32 peer_sid, 5245 struct common_audit_data *ad) 5246 { 5247 int err; 5248 u32 if_sid; 5249 u32 node_sid; 5250 5251 err = sel_netif_sid(ns, ifindex, &if_sid); 5252 if (err) 5253 return err; 5254 err = avc_has_perm(peer_sid, if_sid, 5255 SECCLASS_NETIF, NETIF__INGRESS, ad); 5256 if (err) 5257 return err; 5258 5259 err = sel_netnode_sid(addrp, family, &node_sid); 5260 if (err) 5261 return err; 5262 return avc_has_perm(peer_sid, node_sid, 5263 SECCLASS_NODE, NODE__RECVFROM, ad); 5264 } 5265 5266 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 5267 u16 family) 5268 { 5269 int err = 0; 5270 struct sk_security_struct *sksec = selinux_sock(sk); 5271 u32 sk_sid = sksec->sid; 5272 struct common_audit_data ad; 5273 struct lsm_network_audit net; 5274 char *addrp; 5275 5276 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family); 5277 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5278 if (err) 5279 return err; 5280 5281 if (selinux_secmark_enabled()) { 5282 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5283 PACKET__RECV, &ad); 5284 if (err) 5285 return err; 5286 } 5287 5288 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 5289 if (err) 5290 return err; 5291 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 5292 5293 return err; 5294 } 5295 5296 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 5297 { 5298 int err, peerlbl_active, secmark_active; 5299 struct sk_security_struct *sksec = selinux_sock(sk); 5300 u16 family = sk->sk_family; 5301 u32 sk_sid = sksec->sid; 5302 struct common_audit_data ad; 5303 struct lsm_network_audit net; 5304 char *addrp; 5305 5306 if (family != PF_INET && family != PF_INET6) 5307 return 0; 5308 5309 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5310 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5311 family = PF_INET; 5312 5313 /* If any sort of compatibility mode is enabled then handoff processing 5314 * to the selinux_sock_rcv_skb_compat() function to deal with the 5315 * special handling. We do this in an attempt to keep this function 5316 * as fast and as clean as possible. */ 5317 if (!selinux_policycap_netpeer()) 5318 return selinux_sock_rcv_skb_compat(sk, skb, family); 5319 5320 secmark_active = selinux_secmark_enabled(); 5321 peerlbl_active = selinux_peerlbl_enabled(); 5322 if (!secmark_active && !peerlbl_active) 5323 return 0; 5324 5325 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family); 5326 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5327 if (err) 5328 return err; 5329 5330 if (peerlbl_active) { 5331 u32 peer_sid; 5332 5333 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5334 if (err) 5335 return err; 5336 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5337 addrp, family, peer_sid, &ad); 5338 if (err) { 5339 selinux_netlbl_err(skb, family, err, 0); 5340 return err; 5341 } 5342 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 5343 PEER__RECV, &ad); 5344 if (err) { 5345 selinux_netlbl_err(skb, family, err, 0); 5346 return err; 5347 } 5348 } 5349 5350 if (secmark_active) { 5351 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5352 PACKET__RECV, &ad); 5353 if (err) 5354 return err; 5355 } 5356 5357 return err; 5358 } 5359 5360 static int selinux_socket_getpeersec_stream(struct socket *sock, 5361 sockptr_t optval, sockptr_t optlen, 5362 unsigned int len) 5363 { 5364 int err = 0; 5365 char *scontext = NULL; 5366 u32 scontext_len; 5367 struct sk_security_struct *sksec = selinux_sock(sock->sk); 5368 u32 peer_sid = SECSID_NULL; 5369 5370 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5371 sksec->sclass == SECCLASS_TCP_SOCKET || 5372 sksec->sclass == SECCLASS_SCTP_SOCKET) 5373 peer_sid = sksec->peer_sid; 5374 if (peer_sid == SECSID_NULL) 5375 return -ENOPROTOOPT; 5376 5377 err = security_sid_to_context(peer_sid, &scontext, 5378 &scontext_len); 5379 if (err) 5380 return err; 5381 if (scontext_len > len) { 5382 err = -ERANGE; 5383 goto out_len; 5384 } 5385 5386 if (copy_to_sockptr(optval, scontext, scontext_len)) 5387 err = -EFAULT; 5388 out_len: 5389 if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len))) 5390 err = -EFAULT; 5391 kfree(scontext); 5392 return err; 5393 } 5394 5395 static int selinux_socket_getpeersec_dgram(struct socket *sock, 5396 struct sk_buff *skb, u32 *secid) 5397 { 5398 u32 peer_secid = SECSID_NULL; 5399 u16 family; 5400 5401 if (skb && skb->protocol == htons(ETH_P_IP)) 5402 family = PF_INET; 5403 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5404 family = PF_INET6; 5405 else if (sock) 5406 family = sock->sk->sk_family; 5407 else { 5408 *secid = SECSID_NULL; 5409 return -EINVAL; 5410 } 5411 5412 if (sock && family == PF_UNIX) { 5413 struct inode_security_struct *isec; 5414 isec = inode_security_novalidate(SOCK_INODE(sock)); 5415 peer_secid = isec->sid; 5416 } else if (skb) 5417 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5418 5419 *secid = peer_secid; 5420 if (peer_secid == SECSID_NULL) 5421 return -ENOPROTOOPT; 5422 return 0; 5423 } 5424 5425 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5426 { 5427 struct sk_security_struct *sksec = selinux_sock(sk); 5428 5429 sksec->peer_sid = SECINITSID_UNLABELED; 5430 sksec->sid = SECINITSID_UNLABELED; 5431 sksec->sclass = SECCLASS_SOCKET; 5432 selinux_netlbl_sk_security_reset(sksec); 5433 5434 return 0; 5435 } 5436 5437 static void selinux_sk_free_security(struct sock *sk) 5438 { 5439 struct sk_security_struct *sksec = selinux_sock(sk); 5440 5441 selinux_netlbl_sk_security_free(sksec); 5442 } 5443 5444 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5445 { 5446 struct sk_security_struct *sksec = selinux_sock(sk); 5447 struct sk_security_struct *newsksec = selinux_sock(newsk); 5448 5449 newsksec->sid = sksec->sid; 5450 newsksec->peer_sid = sksec->peer_sid; 5451 newsksec->sclass = sksec->sclass; 5452 5453 selinux_netlbl_sk_security_reset(newsksec); 5454 } 5455 5456 static void selinux_sk_getsecid(const struct sock *sk, u32 *secid) 5457 { 5458 if (!sk) 5459 *secid = SECINITSID_ANY_SOCKET; 5460 else { 5461 const struct sk_security_struct *sksec = selinux_sock(sk); 5462 5463 *secid = sksec->sid; 5464 } 5465 } 5466 5467 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5468 { 5469 struct inode_security_struct *isec = 5470 inode_security_novalidate(SOCK_INODE(parent)); 5471 struct sk_security_struct *sksec = selinux_sock(sk); 5472 5473 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5474 sk->sk_family == PF_UNIX) 5475 isec->sid = sksec->sid; 5476 sksec->sclass = isec->sclass; 5477 } 5478 5479 /* 5480 * Determines peer_secid for the asoc and updates socket's peer label 5481 * if it's the first association on the socket. 5482 */ 5483 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc, 5484 struct sk_buff *skb) 5485 { 5486 struct sock *sk = asoc->base.sk; 5487 u16 family = sk->sk_family; 5488 struct sk_security_struct *sksec = selinux_sock(sk); 5489 struct common_audit_data ad; 5490 struct lsm_network_audit net; 5491 int err; 5492 5493 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5494 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5495 family = PF_INET; 5496 5497 if (selinux_peerlbl_enabled()) { 5498 asoc->peer_secid = SECSID_NULL; 5499 5500 /* This will return peer_sid = SECSID_NULL if there are 5501 * no peer labels, see security_net_peersid_resolve(). 5502 */ 5503 err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid); 5504 if (err) 5505 return err; 5506 5507 if (asoc->peer_secid == SECSID_NULL) 5508 asoc->peer_secid = SECINITSID_UNLABELED; 5509 } else { 5510 asoc->peer_secid = SECINITSID_UNLABELED; 5511 } 5512 5513 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5514 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5515 5516 /* Here as first association on socket. As the peer SID 5517 * was allowed by peer recv (and the netif/node checks), 5518 * then it is approved by policy and used as the primary 5519 * peer SID for getpeercon(3). 5520 */ 5521 sksec->peer_sid = asoc->peer_secid; 5522 } else if (sksec->peer_sid != asoc->peer_secid) { 5523 /* Other association peer SIDs are checked to enforce 5524 * consistency among the peer SIDs. 5525 */ 5526 ad_net_init_from_sk(&ad, &net, asoc->base.sk); 5527 err = avc_has_perm(sksec->peer_sid, asoc->peer_secid, 5528 sksec->sclass, SCTP_SOCKET__ASSOCIATION, 5529 &ad); 5530 if (err) 5531 return err; 5532 } 5533 return 0; 5534 } 5535 5536 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This 5537 * happens on an incoming connect(2), sctp_connectx(3) or 5538 * sctp_sendmsg(3) (with no association already present). 5539 */ 5540 static int selinux_sctp_assoc_request(struct sctp_association *asoc, 5541 struct sk_buff *skb) 5542 { 5543 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); 5544 u32 conn_sid; 5545 int err; 5546 5547 if (!selinux_policycap_extsockclass()) 5548 return 0; 5549 5550 err = selinux_sctp_process_new_assoc(asoc, skb); 5551 if (err) 5552 return err; 5553 5554 /* Compute the MLS component for the connection and store 5555 * the information in asoc. This will be used by SCTP TCP type 5556 * sockets and peeled off connections as they cause a new 5557 * socket to be generated. selinux_sctp_sk_clone() will then 5558 * plug this into the new socket. 5559 */ 5560 err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid); 5561 if (err) 5562 return err; 5563 5564 asoc->secid = conn_sid; 5565 5566 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5567 return selinux_netlbl_sctp_assoc_request(asoc, skb); 5568 } 5569 5570 /* Called when SCTP receives a COOKIE ACK chunk as the final 5571 * response to an association request (initited by us). 5572 */ 5573 static int selinux_sctp_assoc_established(struct sctp_association *asoc, 5574 struct sk_buff *skb) 5575 { 5576 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); 5577 5578 if (!selinux_policycap_extsockclass()) 5579 return 0; 5580 5581 /* Inherit secid from the parent socket - this will be picked up 5582 * by selinux_sctp_sk_clone() if the association gets peeled off 5583 * into a new socket. 5584 */ 5585 asoc->secid = sksec->sid; 5586 5587 return selinux_sctp_process_new_assoc(asoc, skb); 5588 } 5589 5590 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5591 * based on their @optname. 5592 */ 5593 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5594 struct sockaddr *address, 5595 int addrlen) 5596 { 5597 int len, err = 0, walk_size = 0; 5598 void *addr_buf; 5599 struct sockaddr *addr; 5600 struct socket *sock; 5601 5602 if (!selinux_policycap_extsockclass()) 5603 return 0; 5604 5605 /* Process one or more addresses that may be IPv4 or IPv6 */ 5606 sock = sk->sk_socket; 5607 addr_buf = address; 5608 5609 while (walk_size < addrlen) { 5610 if (walk_size + sizeof(sa_family_t) > addrlen) 5611 return -EINVAL; 5612 5613 addr = addr_buf; 5614 switch (addr->sa_family) { 5615 case AF_UNSPEC: 5616 case AF_INET: 5617 len = sizeof(struct sockaddr_in); 5618 break; 5619 case AF_INET6: 5620 len = sizeof(struct sockaddr_in6); 5621 break; 5622 default: 5623 return -EINVAL; 5624 } 5625 5626 if (walk_size + len > addrlen) 5627 return -EINVAL; 5628 5629 err = -EINVAL; 5630 switch (optname) { 5631 /* Bind checks */ 5632 case SCTP_PRIMARY_ADDR: 5633 case SCTP_SET_PEER_PRIMARY_ADDR: 5634 case SCTP_SOCKOPT_BINDX_ADD: 5635 err = selinux_socket_bind(sock, addr, len); 5636 break; 5637 /* Connect checks */ 5638 case SCTP_SOCKOPT_CONNECTX: 5639 case SCTP_PARAM_SET_PRIMARY: 5640 case SCTP_PARAM_ADD_IP: 5641 case SCTP_SENDMSG_CONNECT: 5642 err = selinux_socket_connect_helper(sock, addr, len); 5643 if (err) 5644 return err; 5645 5646 /* As selinux_sctp_bind_connect() is called by the 5647 * SCTP protocol layer, the socket is already locked, 5648 * therefore selinux_netlbl_socket_connect_locked() 5649 * is called here. The situations handled are: 5650 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5651 * whenever a new IP address is added or when a new 5652 * primary address is selected. 5653 * Note that an SCTP connect(2) call happens before 5654 * the SCTP protocol layer and is handled via 5655 * selinux_socket_connect(). 5656 */ 5657 err = selinux_netlbl_socket_connect_locked(sk, addr); 5658 break; 5659 } 5660 5661 if (err) 5662 return err; 5663 5664 addr_buf += len; 5665 walk_size += len; 5666 } 5667 5668 return 0; 5669 } 5670 5671 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5672 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, 5673 struct sock *newsk) 5674 { 5675 struct sk_security_struct *sksec = selinux_sock(sk); 5676 struct sk_security_struct *newsksec = selinux_sock(newsk); 5677 5678 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5679 * the non-sctp clone version. 5680 */ 5681 if (!selinux_policycap_extsockclass()) 5682 return selinux_sk_clone_security(sk, newsk); 5683 5684 newsksec->sid = asoc->secid; 5685 newsksec->peer_sid = asoc->peer_secid; 5686 newsksec->sclass = sksec->sclass; 5687 selinux_netlbl_sctp_sk_clone(sk, newsk); 5688 } 5689 5690 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk) 5691 { 5692 struct sk_security_struct *ssksec = selinux_sock(ssk); 5693 struct sk_security_struct *sksec = selinux_sock(sk); 5694 5695 ssksec->sclass = sksec->sclass; 5696 ssksec->sid = sksec->sid; 5697 5698 /* replace the existing subflow label deleting the existing one 5699 * and re-recreating a new label using the updated context 5700 */ 5701 selinux_netlbl_sk_security_free(ssksec); 5702 return selinux_netlbl_socket_post_create(ssk, ssk->sk_family); 5703 } 5704 5705 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 5706 struct request_sock *req) 5707 { 5708 struct sk_security_struct *sksec = selinux_sock(sk); 5709 int err; 5710 u16 family = req->rsk_ops->family; 5711 u32 connsid; 5712 u32 peersid; 5713 5714 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5715 if (err) 5716 return err; 5717 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5718 if (err) 5719 return err; 5720 req->secid = connsid; 5721 req->peer_secid = peersid; 5722 5723 return selinux_netlbl_inet_conn_request(req, family); 5724 } 5725 5726 static void selinux_inet_csk_clone(struct sock *newsk, 5727 const struct request_sock *req) 5728 { 5729 struct sk_security_struct *newsksec = selinux_sock(newsk); 5730 5731 newsksec->sid = req->secid; 5732 newsksec->peer_sid = req->peer_secid; 5733 /* NOTE: Ideally, we should also get the isec->sid for the 5734 new socket in sync, but we don't have the isec available yet. 5735 So we will wait until sock_graft to do it, by which 5736 time it will have been created and available. */ 5737 5738 /* We don't need to take any sort of lock here as we are the only 5739 * thread with access to newsksec */ 5740 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5741 } 5742 5743 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5744 { 5745 u16 family = sk->sk_family; 5746 struct sk_security_struct *sksec = selinux_sock(sk); 5747 5748 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5749 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5750 family = PF_INET; 5751 5752 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5753 } 5754 5755 static int selinux_secmark_relabel_packet(u32 sid) 5756 { 5757 return avc_has_perm(current_sid(), sid, SECCLASS_PACKET, PACKET__RELABELTO, 5758 NULL); 5759 } 5760 5761 static void selinux_secmark_refcount_inc(void) 5762 { 5763 atomic_inc(&selinux_secmark_refcount); 5764 } 5765 5766 static void selinux_secmark_refcount_dec(void) 5767 { 5768 atomic_dec(&selinux_secmark_refcount); 5769 } 5770 5771 static void selinux_req_classify_flow(const struct request_sock *req, 5772 struct flowi_common *flic) 5773 { 5774 flic->flowic_secid = req->secid; 5775 } 5776 5777 static int selinux_tun_dev_alloc_security(void *security) 5778 { 5779 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5780 5781 tunsec->sid = current_sid(); 5782 return 0; 5783 } 5784 5785 static int selinux_tun_dev_create(void) 5786 { 5787 u32 sid = current_sid(); 5788 5789 /* we aren't taking into account the "sockcreate" SID since the socket 5790 * that is being created here is not a socket in the traditional sense, 5791 * instead it is a private sock, accessible only to the kernel, and 5792 * representing a wide range of network traffic spanning multiple 5793 * connections unlike traditional sockets - check the TUN driver to 5794 * get a better understanding of why this socket is special */ 5795 5796 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5797 NULL); 5798 } 5799 5800 static int selinux_tun_dev_attach_queue(void *security) 5801 { 5802 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5803 5804 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5805 TUN_SOCKET__ATTACH_QUEUE, NULL); 5806 } 5807 5808 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5809 { 5810 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5811 struct sk_security_struct *sksec = selinux_sock(sk); 5812 5813 /* we don't currently perform any NetLabel based labeling here and it 5814 * isn't clear that we would want to do so anyway; while we could apply 5815 * labeling without the support of the TUN user the resulting labeled 5816 * traffic from the other end of the connection would almost certainly 5817 * cause confusion to the TUN user that had no idea network labeling 5818 * protocols were being used */ 5819 5820 sksec->sid = tunsec->sid; 5821 sksec->sclass = SECCLASS_TUN_SOCKET; 5822 5823 return 0; 5824 } 5825 5826 static int selinux_tun_dev_open(void *security) 5827 { 5828 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5829 u32 sid = current_sid(); 5830 int err; 5831 5832 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5833 TUN_SOCKET__RELABELFROM, NULL); 5834 if (err) 5835 return err; 5836 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 5837 TUN_SOCKET__RELABELTO, NULL); 5838 if (err) 5839 return err; 5840 tunsec->sid = sid; 5841 5842 return 0; 5843 } 5844 5845 #ifdef CONFIG_NETFILTER 5846 5847 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb, 5848 const struct nf_hook_state *state) 5849 { 5850 int ifindex; 5851 u16 family; 5852 char *addrp; 5853 u32 peer_sid; 5854 struct common_audit_data ad; 5855 struct lsm_network_audit net; 5856 int secmark_active, peerlbl_active; 5857 5858 if (!selinux_policycap_netpeer()) 5859 return NF_ACCEPT; 5860 5861 secmark_active = selinux_secmark_enabled(); 5862 peerlbl_active = selinux_peerlbl_enabled(); 5863 if (!secmark_active && !peerlbl_active) 5864 return NF_ACCEPT; 5865 5866 family = state->pf; 5867 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5868 return NF_DROP; 5869 5870 ifindex = state->in->ifindex; 5871 ad_net_init_from_iif(&ad, &net, ifindex, family); 5872 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5873 return NF_DROP; 5874 5875 if (peerlbl_active) { 5876 int err; 5877 5878 err = selinux_inet_sys_rcv_skb(state->net, ifindex, 5879 addrp, family, peer_sid, &ad); 5880 if (err) { 5881 selinux_netlbl_err(skb, family, err, 1); 5882 return NF_DROP; 5883 } 5884 } 5885 5886 if (secmark_active) 5887 if (avc_has_perm(peer_sid, skb->secmark, 5888 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5889 return NF_DROP; 5890 5891 if (netlbl_enabled()) 5892 /* we do this in the FORWARD path and not the POST_ROUTING 5893 * path because we want to make sure we apply the necessary 5894 * labeling before IPsec is applied so we can leverage AH 5895 * protection */ 5896 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5897 return NF_DROP; 5898 5899 return NF_ACCEPT; 5900 } 5901 5902 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb, 5903 const struct nf_hook_state *state) 5904 { 5905 struct sock *sk; 5906 u32 sid; 5907 5908 if (!netlbl_enabled()) 5909 return NF_ACCEPT; 5910 5911 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5912 * because we want to make sure we apply the necessary labeling 5913 * before IPsec is applied so we can leverage AH protection */ 5914 sk = skb_to_full_sk(skb); 5915 if (sk) { 5916 struct sk_security_struct *sksec; 5917 5918 if (sk_listener(sk)) 5919 /* if the socket is the listening state then this 5920 * packet is a SYN-ACK packet which means it needs to 5921 * be labeled based on the connection/request_sock and 5922 * not the parent socket. unfortunately, we can't 5923 * lookup the request_sock yet as it isn't queued on 5924 * the parent socket until after the SYN-ACK is sent. 5925 * the "solution" is to simply pass the packet as-is 5926 * as any IP option based labeling should be copied 5927 * from the initial connection request (in the IP 5928 * layer). it is far from ideal, but until we get a 5929 * security label in the packet itself this is the 5930 * best we can do. */ 5931 return NF_ACCEPT; 5932 5933 /* standard practice, label using the parent socket */ 5934 sksec = selinux_sock(sk); 5935 sid = sksec->sid; 5936 } else 5937 sid = SECINITSID_KERNEL; 5938 if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0) 5939 return NF_DROP; 5940 5941 return NF_ACCEPT; 5942 } 5943 5944 5945 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5946 const struct nf_hook_state *state) 5947 { 5948 struct sock *sk; 5949 struct sk_security_struct *sksec; 5950 struct common_audit_data ad; 5951 struct lsm_network_audit net; 5952 u8 proto = 0; 5953 5954 sk = skb_to_full_sk(skb); 5955 if (sk == NULL) 5956 return NF_ACCEPT; 5957 sksec = selinux_sock(sk); 5958 5959 ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf); 5960 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto)) 5961 return NF_DROP; 5962 5963 if (selinux_secmark_enabled()) 5964 if (avc_has_perm(sksec->sid, skb->secmark, 5965 SECCLASS_PACKET, PACKET__SEND, &ad)) 5966 return NF_DROP_ERR(-ECONNREFUSED); 5967 5968 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5969 return NF_DROP_ERR(-ECONNREFUSED); 5970 5971 return NF_ACCEPT; 5972 } 5973 5974 static unsigned int selinux_ip_postroute(void *priv, 5975 struct sk_buff *skb, 5976 const struct nf_hook_state *state) 5977 { 5978 u16 family; 5979 u32 secmark_perm; 5980 u32 peer_sid; 5981 int ifindex; 5982 struct sock *sk; 5983 struct common_audit_data ad; 5984 struct lsm_network_audit net; 5985 char *addrp; 5986 int secmark_active, peerlbl_active; 5987 5988 /* If any sort of compatibility mode is enabled then handoff processing 5989 * to the selinux_ip_postroute_compat() function to deal with the 5990 * special handling. We do this in an attempt to keep this function 5991 * as fast and as clean as possible. */ 5992 if (!selinux_policycap_netpeer()) 5993 return selinux_ip_postroute_compat(skb, state); 5994 5995 secmark_active = selinux_secmark_enabled(); 5996 peerlbl_active = selinux_peerlbl_enabled(); 5997 if (!secmark_active && !peerlbl_active) 5998 return NF_ACCEPT; 5999 6000 sk = skb_to_full_sk(skb); 6001 6002 #ifdef CONFIG_XFRM 6003 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 6004 * packet transformation so allow the packet to pass without any checks 6005 * since we'll have another chance to perform access control checks 6006 * when the packet is on it's final way out. 6007 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 6008 * is NULL, in this case go ahead and apply access control. 6009 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 6010 * TCP listening state we cannot wait until the XFRM processing 6011 * is done as we will miss out on the SA label if we do; 6012 * unfortunately, this means more work, but it is only once per 6013 * connection. */ 6014 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 6015 !(sk && sk_listener(sk))) 6016 return NF_ACCEPT; 6017 #endif 6018 6019 family = state->pf; 6020 if (sk == NULL) { 6021 /* Without an associated socket the packet is either coming 6022 * from the kernel or it is being forwarded; check the packet 6023 * to determine which and if the packet is being forwarded 6024 * query the packet directly to determine the security label. */ 6025 if (skb->skb_iif) { 6026 secmark_perm = PACKET__FORWARD_OUT; 6027 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 6028 return NF_DROP; 6029 } else { 6030 secmark_perm = PACKET__SEND; 6031 peer_sid = SECINITSID_KERNEL; 6032 } 6033 } else if (sk_listener(sk)) { 6034 /* Locally generated packet but the associated socket is in the 6035 * listening state which means this is a SYN-ACK packet. In 6036 * this particular case the correct security label is assigned 6037 * to the connection/request_sock but unfortunately we can't 6038 * query the request_sock as it isn't queued on the parent 6039 * socket until after the SYN-ACK packet is sent; the only 6040 * viable choice is to regenerate the label like we do in 6041 * selinux_inet_conn_request(). See also selinux_ip_output() 6042 * for similar problems. */ 6043 u32 skb_sid; 6044 struct sk_security_struct *sksec; 6045 6046 sksec = selinux_sock(sk); 6047 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 6048 return NF_DROP; 6049 /* At this point, if the returned skb peerlbl is SECSID_NULL 6050 * and the packet has been through at least one XFRM 6051 * transformation then we must be dealing with the "final" 6052 * form of labeled IPsec packet; since we've already applied 6053 * all of our access controls on this packet we can safely 6054 * pass the packet. */ 6055 if (skb_sid == SECSID_NULL) { 6056 switch (family) { 6057 case PF_INET: 6058 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 6059 return NF_ACCEPT; 6060 break; 6061 case PF_INET6: 6062 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 6063 return NF_ACCEPT; 6064 break; 6065 default: 6066 return NF_DROP_ERR(-ECONNREFUSED); 6067 } 6068 } 6069 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 6070 return NF_DROP; 6071 secmark_perm = PACKET__SEND; 6072 } else { 6073 /* Locally generated packet, fetch the security label from the 6074 * associated socket. */ 6075 struct sk_security_struct *sksec = selinux_sock(sk); 6076 peer_sid = sksec->sid; 6077 secmark_perm = PACKET__SEND; 6078 } 6079 6080 ifindex = state->out->ifindex; 6081 ad_net_init_from_iif(&ad, &net, ifindex, family); 6082 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 6083 return NF_DROP; 6084 6085 if (secmark_active) 6086 if (avc_has_perm(peer_sid, skb->secmark, 6087 SECCLASS_PACKET, secmark_perm, &ad)) 6088 return NF_DROP_ERR(-ECONNREFUSED); 6089 6090 if (peerlbl_active) { 6091 u32 if_sid; 6092 u32 node_sid; 6093 6094 if (sel_netif_sid(state->net, ifindex, &if_sid)) 6095 return NF_DROP; 6096 if (avc_has_perm(peer_sid, if_sid, 6097 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 6098 return NF_DROP_ERR(-ECONNREFUSED); 6099 6100 if (sel_netnode_sid(addrp, family, &node_sid)) 6101 return NF_DROP; 6102 if (avc_has_perm(peer_sid, node_sid, 6103 SECCLASS_NODE, NODE__SENDTO, &ad)) 6104 return NF_DROP_ERR(-ECONNREFUSED); 6105 } 6106 6107 return NF_ACCEPT; 6108 } 6109 #endif /* CONFIG_NETFILTER */ 6110 6111 static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type) 6112 { 6113 struct sk_security_struct *sksec = sk->sk_security; 6114 struct common_audit_data ad; 6115 u8 driver; 6116 u8 xperm; 6117 6118 if (sock_skip_has_perm(sksec->sid)) 6119 return 0; 6120 6121 ad.type = LSM_AUDIT_DATA_NLMSGTYPE; 6122 ad.u.nlmsg_type = nlmsg_type; 6123 6124 driver = nlmsg_type >> 8; 6125 xperm = nlmsg_type & 0xff; 6126 6127 return avc_has_extended_perms(current_sid(), sksec->sid, sksec->sclass, 6128 perms, driver, AVC_EXT_NLMSG, xperm, &ad); 6129 } 6130 6131 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 6132 { 6133 int rc = 0; 6134 unsigned int msg_len; 6135 unsigned int data_len = skb->len; 6136 unsigned char *data = skb->data; 6137 struct nlmsghdr *nlh; 6138 struct sk_security_struct *sksec = selinux_sock(sk); 6139 u16 sclass = sksec->sclass; 6140 u32 perm; 6141 6142 while (data_len >= nlmsg_total_size(0)) { 6143 nlh = (struct nlmsghdr *)data; 6144 6145 /* NOTE: the nlmsg_len field isn't reliably set by some netlink 6146 * users which means we can't reject skb's with bogus 6147 * length fields; our solution is to follow what 6148 * netlink_rcv_skb() does and simply skip processing at 6149 * messages with length fields that are clearly junk 6150 */ 6151 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len) 6152 return 0; 6153 6154 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm); 6155 if (rc == 0) { 6156 if (selinux_policycap_netlink_xperm()) { 6157 rc = nlmsg_sock_has_extended_perms( 6158 sk, perm, nlh->nlmsg_type); 6159 } else { 6160 rc = sock_has_perm(sk, perm); 6161 } 6162 if (rc) 6163 return rc; 6164 } else if (rc == -EINVAL) { 6165 /* -EINVAL is a missing msg/perm mapping */ 6166 pr_warn_ratelimited("SELinux: unrecognized netlink" 6167 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 6168 " pid=%d comm=%s\n", 6169 sk->sk_protocol, nlh->nlmsg_type, 6170 secclass_map[sclass - 1].name, 6171 task_pid_nr(current), current->comm); 6172 if (enforcing_enabled() && 6173 !security_get_allow_unknown()) 6174 return rc; 6175 rc = 0; 6176 } else if (rc == -ENOENT) { 6177 /* -ENOENT is a missing socket/class mapping, ignore */ 6178 rc = 0; 6179 } else { 6180 return rc; 6181 } 6182 6183 /* move to the next message after applying netlink padding */ 6184 msg_len = NLMSG_ALIGN(nlh->nlmsg_len); 6185 if (msg_len >= data_len) 6186 return 0; 6187 data_len -= msg_len; 6188 data += msg_len; 6189 } 6190 6191 return rc; 6192 } 6193 6194 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass) 6195 { 6196 isec->sclass = sclass; 6197 isec->sid = current_sid(); 6198 } 6199 6200 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 6201 u32 perms) 6202 { 6203 struct ipc_security_struct *isec; 6204 struct common_audit_data ad; 6205 u32 sid = current_sid(); 6206 6207 isec = selinux_ipc(ipc_perms); 6208 6209 ad.type = LSM_AUDIT_DATA_IPC; 6210 ad.u.ipc_id = ipc_perms->key; 6211 6212 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 6213 } 6214 6215 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 6216 { 6217 struct msg_security_struct *msec; 6218 6219 msec = selinux_msg_msg(msg); 6220 msec->sid = SECINITSID_UNLABELED; 6221 6222 return 0; 6223 } 6224 6225 /* message queue security operations */ 6226 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 6227 { 6228 struct ipc_security_struct *isec; 6229 struct common_audit_data ad; 6230 u32 sid = current_sid(); 6231 6232 isec = selinux_ipc(msq); 6233 ipc_init_security(isec, SECCLASS_MSGQ); 6234 6235 ad.type = LSM_AUDIT_DATA_IPC; 6236 ad.u.ipc_id = msq->key; 6237 6238 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6239 MSGQ__CREATE, &ad); 6240 } 6241 6242 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 6243 { 6244 struct ipc_security_struct *isec; 6245 struct common_audit_data ad; 6246 u32 sid = current_sid(); 6247 6248 isec = selinux_ipc(msq); 6249 6250 ad.type = LSM_AUDIT_DATA_IPC; 6251 ad.u.ipc_id = msq->key; 6252 6253 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6254 MSGQ__ASSOCIATE, &ad); 6255 } 6256 6257 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 6258 { 6259 u32 perms; 6260 6261 switch (cmd) { 6262 case IPC_INFO: 6263 case MSG_INFO: 6264 /* No specific object, just general system-wide information. */ 6265 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6266 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6267 case IPC_STAT: 6268 case MSG_STAT: 6269 case MSG_STAT_ANY: 6270 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6271 break; 6272 case IPC_SET: 6273 perms = MSGQ__SETATTR; 6274 break; 6275 case IPC_RMID: 6276 perms = MSGQ__DESTROY; 6277 break; 6278 default: 6279 return 0; 6280 } 6281 6282 return ipc_has_perm(msq, perms); 6283 } 6284 6285 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6286 { 6287 struct ipc_security_struct *isec; 6288 struct msg_security_struct *msec; 6289 struct common_audit_data ad; 6290 u32 sid = current_sid(); 6291 int rc; 6292 6293 isec = selinux_ipc(msq); 6294 msec = selinux_msg_msg(msg); 6295 6296 /* 6297 * First time through, need to assign label to the message 6298 */ 6299 if (msec->sid == SECINITSID_UNLABELED) { 6300 /* 6301 * Compute new sid based on current process and 6302 * message queue this message will be stored in 6303 */ 6304 rc = security_transition_sid(sid, isec->sid, 6305 SECCLASS_MSG, NULL, &msec->sid); 6306 if (rc) 6307 return rc; 6308 } 6309 6310 ad.type = LSM_AUDIT_DATA_IPC; 6311 ad.u.ipc_id = msq->key; 6312 6313 /* Can this process write to the queue? */ 6314 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6315 MSGQ__WRITE, &ad); 6316 if (!rc) 6317 /* Can this process send the message */ 6318 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 6319 MSG__SEND, &ad); 6320 if (!rc) 6321 /* Can the message be put in the queue? */ 6322 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 6323 MSGQ__ENQUEUE, &ad); 6324 6325 return rc; 6326 } 6327 6328 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6329 struct task_struct *target, 6330 long type, int mode) 6331 { 6332 struct ipc_security_struct *isec; 6333 struct msg_security_struct *msec; 6334 struct common_audit_data ad; 6335 u32 sid = task_sid_obj(target); 6336 int rc; 6337 6338 isec = selinux_ipc(msq); 6339 msec = selinux_msg_msg(msg); 6340 6341 ad.type = LSM_AUDIT_DATA_IPC; 6342 ad.u.ipc_id = msq->key; 6343 6344 rc = avc_has_perm(sid, isec->sid, 6345 SECCLASS_MSGQ, MSGQ__READ, &ad); 6346 if (!rc) 6347 rc = avc_has_perm(sid, msec->sid, 6348 SECCLASS_MSG, MSG__RECEIVE, &ad); 6349 return rc; 6350 } 6351 6352 /* Shared Memory security operations */ 6353 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6354 { 6355 struct ipc_security_struct *isec; 6356 struct common_audit_data ad; 6357 u32 sid = current_sid(); 6358 6359 isec = selinux_ipc(shp); 6360 ipc_init_security(isec, SECCLASS_SHM); 6361 6362 ad.type = LSM_AUDIT_DATA_IPC; 6363 ad.u.ipc_id = shp->key; 6364 6365 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6366 SHM__CREATE, &ad); 6367 } 6368 6369 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6370 { 6371 struct ipc_security_struct *isec; 6372 struct common_audit_data ad; 6373 u32 sid = current_sid(); 6374 6375 isec = selinux_ipc(shp); 6376 6377 ad.type = LSM_AUDIT_DATA_IPC; 6378 ad.u.ipc_id = shp->key; 6379 6380 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6381 SHM__ASSOCIATE, &ad); 6382 } 6383 6384 /* Note, at this point, shp is locked down */ 6385 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6386 { 6387 u32 perms; 6388 6389 switch (cmd) { 6390 case IPC_INFO: 6391 case SHM_INFO: 6392 /* No specific object, just general system-wide information. */ 6393 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6394 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6395 case IPC_STAT: 6396 case SHM_STAT: 6397 case SHM_STAT_ANY: 6398 perms = SHM__GETATTR | SHM__ASSOCIATE; 6399 break; 6400 case IPC_SET: 6401 perms = SHM__SETATTR; 6402 break; 6403 case SHM_LOCK: 6404 case SHM_UNLOCK: 6405 perms = SHM__LOCK; 6406 break; 6407 case IPC_RMID: 6408 perms = SHM__DESTROY; 6409 break; 6410 default: 6411 return 0; 6412 } 6413 6414 return ipc_has_perm(shp, perms); 6415 } 6416 6417 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6418 char __user *shmaddr, int shmflg) 6419 { 6420 u32 perms; 6421 6422 if (shmflg & SHM_RDONLY) 6423 perms = SHM__READ; 6424 else 6425 perms = SHM__READ | SHM__WRITE; 6426 6427 return ipc_has_perm(shp, perms); 6428 } 6429 6430 /* Semaphore security operations */ 6431 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6432 { 6433 struct ipc_security_struct *isec; 6434 struct common_audit_data ad; 6435 u32 sid = current_sid(); 6436 6437 isec = selinux_ipc(sma); 6438 ipc_init_security(isec, SECCLASS_SEM); 6439 6440 ad.type = LSM_AUDIT_DATA_IPC; 6441 ad.u.ipc_id = sma->key; 6442 6443 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6444 SEM__CREATE, &ad); 6445 } 6446 6447 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6448 { 6449 struct ipc_security_struct *isec; 6450 struct common_audit_data ad; 6451 u32 sid = current_sid(); 6452 6453 isec = selinux_ipc(sma); 6454 6455 ad.type = LSM_AUDIT_DATA_IPC; 6456 ad.u.ipc_id = sma->key; 6457 6458 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6459 SEM__ASSOCIATE, &ad); 6460 } 6461 6462 /* Note, at this point, sma is locked down */ 6463 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6464 { 6465 int err; 6466 u32 perms; 6467 6468 switch (cmd) { 6469 case IPC_INFO: 6470 case SEM_INFO: 6471 /* No specific object, just general system-wide information. */ 6472 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6473 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6474 case GETPID: 6475 case GETNCNT: 6476 case GETZCNT: 6477 perms = SEM__GETATTR; 6478 break; 6479 case GETVAL: 6480 case GETALL: 6481 perms = SEM__READ; 6482 break; 6483 case SETVAL: 6484 case SETALL: 6485 perms = SEM__WRITE; 6486 break; 6487 case IPC_RMID: 6488 perms = SEM__DESTROY; 6489 break; 6490 case IPC_SET: 6491 perms = SEM__SETATTR; 6492 break; 6493 case IPC_STAT: 6494 case SEM_STAT: 6495 case SEM_STAT_ANY: 6496 perms = SEM__GETATTR | SEM__ASSOCIATE; 6497 break; 6498 default: 6499 return 0; 6500 } 6501 6502 err = ipc_has_perm(sma, perms); 6503 return err; 6504 } 6505 6506 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6507 struct sembuf *sops, unsigned nsops, int alter) 6508 { 6509 u32 perms; 6510 6511 if (alter) 6512 perms = SEM__READ | SEM__WRITE; 6513 else 6514 perms = SEM__READ; 6515 6516 return ipc_has_perm(sma, perms); 6517 } 6518 6519 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6520 { 6521 u32 av = 0; 6522 6523 av = 0; 6524 if (flag & S_IRUGO) 6525 av |= IPC__UNIX_READ; 6526 if (flag & S_IWUGO) 6527 av |= IPC__UNIX_WRITE; 6528 6529 if (av == 0) 6530 return 0; 6531 6532 return ipc_has_perm(ipcp, av); 6533 } 6534 6535 static void selinux_ipc_getlsmprop(struct kern_ipc_perm *ipcp, 6536 struct lsm_prop *prop) 6537 { 6538 struct ipc_security_struct *isec = selinux_ipc(ipcp); 6539 prop->selinux.secid = isec->sid; 6540 } 6541 6542 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6543 { 6544 if (inode) 6545 inode_doinit_with_dentry(inode, dentry); 6546 } 6547 6548 static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p, 6549 char **value) 6550 { 6551 const struct cred_security_struct *crsec; 6552 int error; 6553 u32 sid; 6554 u32 len; 6555 6556 rcu_read_lock(); 6557 crsec = selinux_cred(__task_cred(p)); 6558 if (p != current) { 6559 error = avc_has_perm(current_sid(), crsec->sid, 6560 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6561 if (error) 6562 goto err_unlock; 6563 } 6564 switch (attr) { 6565 case LSM_ATTR_CURRENT: 6566 sid = crsec->sid; 6567 break; 6568 case LSM_ATTR_PREV: 6569 sid = crsec->osid; 6570 break; 6571 case LSM_ATTR_EXEC: 6572 sid = crsec->exec_sid; 6573 break; 6574 case LSM_ATTR_FSCREATE: 6575 sid = crsec->create_sid; 6576 break; 6577 case LSM_ATTR_KEYCREATE: 6578 sid = crsec->keycreate_sid; 6579 break; 6580 case LSM_ATTR_SOCKCREATE: 6581 sid = crsec->sockcreate_sid; 6582 break; 6583 default: 6584 error = -EOPNOTSUPP; 6585 goto err_unlock; 6586 } 6587 rcu_read_unlock(); 6588 6589 if (sid == SECSID_NULL) { 6590 *value = NULL; 6591 return 0; 6592 } 6593 6594 error = security_sid_to_context(sid, value, &len); 6595 if (error) 6596 return error; 6597 return len; 6598 6599 err_unlock: 6600 rcu_read_unlock(); 6601 return error; 6602 } 6603 6604 static int selinux_lsm_setattr(u64 attr, void *value, size_t size) 6605 { 6606 struct cred_security_struct *crsec; 6607 struct cred *new; 6608 u32 mysid = current_sid(), sid = 0, ptsid; 6609 int error; 6610 char *str = value; 6611 6612 /* 6613 * Basic control over ability to set these attributes at all. 6614 */ 6615 switch (attr) { 6616 case LSM_ATTR_EXEC: 6617 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6618 PROCESS__SETEXEC, NULL); 6619 break; 6620 case LSM_ATTR_FSCREATE: 6621 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6622 PROCESS__SETFSCREATE, NULL); 6623 break; 6624 case LSM_ATTR_KEYCREATE: 6625 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6626 PROCESS__SETKEYCREATE, NULL); 6627 break; 6628 case LSM_ATTR_SOCKCREATE: 6629 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6630 PROCESS__SETSOCKCREATE, NULL); 6631 break; 6632 case LSM_ATTR_CURRENT: 6633 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6634 PROCESS__SETCURRENT, NULL); 6635 break; 6636 default: 6637 error = -EOPNOTSUPP; 6638 break; 6639 } 6640 if (error) 6641 return error; 6642 6643 /* Obtain a SID for the context, if one was specified. */ 6644 if (size && str[0] && str[0] != '\n') { 6645 if (str[size-1] == '\n') { 6646 str[size-1] = 0; 6647 size--; 6648 } 6649 error = security_context_to_sid(value, size, 6650 &sid, GFP_KERNEL); 6651 if (error == -EINVAL && attr == LSM_ATTR_FSCREATE) { 6652 if (!has_cap_mac_admin(true)) { 6653 struct audit_buffer *ab; 6654 size_t audit_size; 6655 6656 /* We strip a nul only if it is at the end, 6657 * otherwise the context contains a nul and 6658 * we should audit that */ 6659 if (str[size - 1] == '\0') 6660 audit_size = size - 1; 6661 else 6662 audit_size = size; 6663 ab = audit_log_start(audit_context(), 6664 GFP_ATOMIC, 6665 AUDIT_SELINUX_ERR); 6666 if (!ab) 6667 return error; 6668 audit_log_format(ab, "op=fscreate invalid_context="); 6669 audit_log_n_untrustedstring(ab, value, 6670 audit_size); 6671 audit_log_end(ab); 6672 6673 return error; 6674 } 6675 error = security_context_to_sid_force(value, size, 6676 &sid); 6677 } 6678 if (error) 6679 return error; 6680 } 6681 6682 new = prepare_creds(); 6683 if (!new) 6684 return -ENOMEM; 6685 6686 /* Permission checking based on the specified context is 6687 performed during the actual operation (execve, 6688 open/mkdir/...), when we know the full context of the 6689 operation. See selinux_bprm_creds_for_exec for the execve 6690 checks and may_create for the file creation checks. The 6691 operation will then fail if the context is not permitted. */ 6692 crsec = selinux_cred(new); 6693 if (attr == LSM_ATTR_EXEC) { 6694 crsec->exec_sid = sid; 6695 } else if (attr == LSM_ATTR_FSCREATE) { 6696 crsec->create_sid = sid; 6697 } else if (attr == LSM_ATTR_KEYCREATE) { 6698 if (sid) { 6699 error = avc_has_perm(mysid, sid, 6700 SECCLASS_KEY, KEY__CREATE, NULL); 6701 if (error) 6702 goto abort_change; 6703 } 6704 crsec->keycreate_sid = sid; 6705 } else if (attr == LSM_ATTR_SOCKCREATE) { 6706 crsec->sockcreate_sid = sid; 6707 } else if (attr == LSM_ATTR_CURRENT) { 6708 error = -EINVAL; 6709 if (sid == 0) 6710 goto abort_change; 6711 6712 if (!current_is_single_threaded()) { 6713 error = security_bounded_transition(crsec->sid, sid); 6714 if (error) 6715 goto abort_change; 6716 } 6717 6718 /* Check permissions for the transition. */ 6719 error = avc_has_perm(crsec->sid, sid, SECCLASS_PROCESS, 6720 PROCESS__DYNTRANSITION, NULL); 6721 if (error) 6722 goto abort_change; 6723 6724 /* Check for ptracing, and update the task SID if ok. 6725 Otherwise, leave SID unchanged and fail. */ 6726 ptsid = ptrace_parent_sid(); 6727 if (ptsid != 0) { 6728 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 6729 PROCESS__PTRACE, NULL); 6730 if (error) 6731 goto abort_change; 6732 } 6733 6734 crsec->sid = sid; 6735 } else { 6736 error = -EINVAL; 6737 goto abort_change; 6738 } 6739 6740 commit_creds(new); 6741 return size; 6742 6743 abort_change: 6744 abort_creds(new); 6745 return error; 6746 } 6747 6748 /** 6749 * selinux_getselfattr - Get SELinux current task attributes 6750 * @attr: the requested attribute 6751 * @ctx: buffer to receive the result 6752 * @size: buffer size (input), buffer size used (output) 6753 * @flags: unused 6754 * 6755 * Fill the passed user space @ctx with the details of the requested 6756 * attribute. 6757 * 6758 * Returns the number of attributes on success, an error code otherwise. 6759 * There will only ever be one attribute. 6760 */ 6761 static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, 6762 u32 *size, u32 flags) 6763 { 6764 int rc; 6765 char *val = NULL; 6766 int val_len; 6767 6768 val_len = selinux_lsm_getattr(attr, current, &val); 6769 if (val_len < 0) 6770 return val_len; 6771 rc = lsm_fill_user_ctx(ctx, size, val, val_len, LSM_ID_SELINUX, 0); 6772 kfree(val); 6773 return (!rc ? 1 : rc); 6774 } 6775 6776 static int selinux_setselfattr(unsigned int attr, struct lsm_ctx *ctx, 6777 u32 size, u32 flags) 6778 { 6779 int rc; 6780 6781 rc = selinux_lsm_setattr(attr, ctx->ctx, ctx->ctx_len); 6782 if (rc > 0) 6783 return 0; 6784 return rc; 6785 } 6786 6787 static int selinux_getprocattr(struct task_struct *p, 6788 const char *name, char **value) 6789 { 6790 unsigned int attr = lsm_name_to_attr(name); 6791 int rc; 6792 6793 if (attr) { 6794 rc = selinux_lsm_getattr(attr, p, value); 6795 if (rc != -EOPNOTSUPP) 6796 return rc; 6797 } 6798 6799 return -EINVAL; 6800 } 6801 6802 static int selinux_setprocattr(const char *name, void *value, size_t size) 6803 { 6804 int attr = lsm_name_to_attr(name); 6805 6806 if (attr) 6807 return selinux_lsm_setattr(attr, value, size); 6808 return -EINVAL; 6809 } 6810 6811 static int selinux_ismaclabel(const char *name) 6812 { 6813 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6814 } 6815 6816 static int selinux_secid_to_secctx(u32 secid, struct lsm_context *cp) 6817 { 6818 u32 seclen; 6819 int ret; 6820 6821 if (cp) { 6822 cp->id = LSM_ID_SELINUX; 6823 ret = security_sid_to_context(secid, &cp->context, &cp->len); 6824 if (ret < 0) 6825 return ret; 6826 return cp->len; 6827 } 6828 ret = security_sid_to_context(secid, NULL, &seclen); 6829 if (ret < 0) 6830 return ret; 6831 return seclen; 6832 } 6833 6834 static int selinux_lsmprop_to_secctx(struct lsm_prop *prop, 6835 struct lsm_context *cp) 6836 { 6837 return selinux_secid_to_secctx(prop->selinux.secid, cp); 6838 } 6839 6840 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6841 { 6842 return security_context_to_sid(secdata, seclen, 6843 secid, GFP_KERNEL); 6844 } 6845 6846 static void selinux_release_secctx(struct lsm_context *cp) 6847 { 6848 if (cp->id == LSM_ID_SELINUX) { 6849 kfree(cp->context); 6850 cp->context = NULL; 6851 cp->id = LSM_ID_UNDEF; 6852 } 6853 } 6854 6855 static void selinux_inode_invalidate_secctx(struct inode *inode) 6856 { 6857 struct inode_security_struct *isec = selinux_inode(inode); 6858 6859 spin_lock(&isec->lock); 6860 isec->initialized = LABEL_INVALID; 6861 spin_unlock(&isec->lock); 6862 } 6863 6864 /* 6865 * called with inode->i_mutex locked 6866 */ 6867 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6868 { 6869 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, 6870 ctx, ctxlen, 0); 6871 /* Do not return error when suppressing label (SBLABEL_MNT not set). */ 6872 return rc == -EOPNOTSUPP ? 0 : rc; 6873 } 6874 6875 /* 6876 * called with inode->i_mutex locked 6877 */ 6878 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6879 { 6880 return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX, 6881 ctx, ctxlen, 0, NULL); 6882 } 6883 6884 static int selinux_inode_getsecctx(struct inode *inode, struct lsm_context *cp) 6885 { 6886 int len; 6887 len = selinux_inode_getsecurity(&nop_mnt_idmap, inode, 6888 XATTR_SELINUX_SUFFIX, 6889 (void **)&cp->context, true); 6890 if (len < 0) 6891 return len; 6892 cp->len = len; 6893 cp->id = LSM_ID_SELINUX; 6894 return 0; 6895 } 6896 #ifdef CONFIG_KEYS 6897 6898 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6899 unsigned long flags) 6900 { 6901 const struct cred_security_struct *crsec; 6902 struct key_security_struct *ksec = selinux_key(k); 6903 6904 crsec = selinux_cred(cred); 6905 if (crsec->keycreate_sid) 6906 ksec->sid = crsec->keycreate_sid; 6907 else 6908 ksec->sid = crsec->sid; 6909 6910 return 0; 6911 } 6912 6913 static int selinux_key_permission(key_ref_t key_ref, 6914 const struct cred *cred, 6915 enum key_need_perm need_perm) 6916 { 6917 struct key *key; 6918 struct key_security_struct *ksec; 6919 u32 perm, sid; 6920 6921 switch (need_perm) { 6922 case KEY_NEED_VIEW: 6923 perm = KEY__VIEW; 6924 break; 6925 case KEY_NEED_READ: 6926 perm = KEY__READ; 6927 break; 6928 case KEY_NEED_WRITE: 6929 perm = KEY__WRITE; 6930 break; 6931 case KEY_NEED_SEARCH: 6932 perm = KEY__SEARCH; 6933 break; 6934 case KEY_NEED_LINK: 6935 perm = KEY__LINK; 6936 break; 6937 case KEY_NEED_SETATTR: 6938 perm = KEY__SETATTR; 6939 break; 6940 case KEY_NEED_UNLINK: 6941 case KEY_SYSADMIN_OVERRIDE: 6942 case KEY_AUTHTOKEN_OVERRIDE: 6943 case KEY_DEFER_PERM_CHECK: 6944 return 0; 6945 default: 6946 WARN_ON(1); 6947 return -EPERM; 6948 6949 } 6950 6951 sid = cred_sid(cred); 6952 key = key_ref_to_ptr(key_ref); 6953 ksec = selinux_key(key); 6954 6955 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6956 } 6957 6958 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6959 { 6960 struct key_security_struct *ksec = selinux_key(key); 6961 char *context = NULL; 6962 unsigned len; 6963 int rc; 6964 6965 rc = security_sid_to_context(ksec->sid, 6966 &context, &len); 6967 if (!rc) 6968 rc = len; 6969 *_buffer = context; 6970 return rc; 6971 } 6972 6973 #ifdef CONFIG_KEY_NOTIFICATIONS 6974 static int selinux_watch_key(struct key *key) 6975 { 6976 struct key_security_struct *ksec = selinux_key(key); 6977 u32 sid = current_sid(); 6978 6979 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL); 6980 } 6981 #endif 6982 #endif 6983 6984 #ifdef CONFIG_SECURITY_INFINIBAND 6985 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6986 { 6987 struct common_audit_data ad; 6988 int err; 6989 u32 sid = 0; 6990 struct ib_security_struct *sec = ib_sec; 6991 struct lsm_ibpkey_audit ibpkey; 6992 6993 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6994 if (err) 6995 return err; 6996 6997 ad.type = LSM_AUDIT_DATA_IBPKEY; 6998 ibpkey.subnet_prefix = subnet_prefix; 6999 ibpkey.pkey = pkey_val; 7000 ad.u.ibpkey = &ibpkey; 7001 return avc_has_perm(sec->sid, sid, 7002 SECCLASS_INFINIBAND_PKEY, 7003 INFINIBAND_PKEY__ACCESS, &ad); 7004 } 7005 7006 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 7007 u8 port_num) 7008 { 7009 struct common_audit_data ad; 7010 int err; 7011 u32 sid = 0; 7012 struct ib_security_struct *sec = ib_sec; 7013 struct lsm_ibendport_audit ibendport; 7014 7015 err = security_ib_endport_sid(dev_name, port_num, 7016 &sid); 7017 7018 if (err) 7019 return err; 7020 7021 ad.type = LSM_AUDIT_DATA_IBENDPORT; 7022 ibendport.dev_name = dev_name; 7023 ibendport.port = port_num; 7024 ad.u.ibendport = &ibendport; 7025 return avc_has_perm(sec->sid, sid, 7026 SECCLASS_INFINIBAND_ENDPORT, 7027 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 7028 } 7029 7030 static int selinux_ib_alloc_security(void *ib_sec) 7031 { 7032 struct ib_security_struct *sec = selinux_ib(ib_sec); 7033 7034 sec->sid = current_sid(); 7035 return 0; 7036 } 7037 #endif 7038 7039 #ifdef CONFIG_BPF_SYSCALL 7040 static int selinux_bpf(int cmd, union bpf_attr *attr, 7041 unsigned int size, bool kernel) 7042 { 7043 u32 sid = current_sid(); 7044 int ret; 7045 7046 switch (cmd) { 7047 case BPF_MAP_CREATE: 7048 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 7049 NULL); 7050 break; 7051 case BPF_PROG_LOAD: 7052 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 7053 NULL); 7054 break; 7055 default: 7056 ret = 0; 7057 break; 7058 } 7059 7060 return ret; 7061 } 7062 7063 static u32 bpf_map_fmode_to_av(fmode_t fmode) 7064 { 7065 u32 av = 0; 7066 7067 if (fmode & FMODE_READ) 7068 av |= BPF__MAP_READ; 7069 if (fmode & FMODE_WRITE) 7070 av |= BPF__MAP_WRITE; 7071 return av; 7072 } 7073 7074 /* This function will check the file pass through unix socket or binder to see 7075 * if it is a bpf related object. And apply corresponding checks on the bpf 7076 * object based on the type. The bpf maps and programs, not like other files and 7077 * socket, are using a shared anonymous inode inside the kernel as their inode. 7078 * So checking that inode cannot identify if the process have privilege to 7079 * access the bpf object and that's why we have to add this additional check in 7080 * selinux_file_receive and selinux_binder_transfer_files. 7081 */ 7082 static int bpf_fd_pass(const struct file *file, u32 sid) 7083 { 7084 struct bpf_security_struct *bpfsec; 7085 struct bpf_prog *prog; 7086 struct bpf_map *map; 7087 int ret; 7088 7089 if (file->f_op == &bpf_map_fops) { 7090 map = file->private_data; 7091 bpfsec = selinux_bpf_map_security(map); 7092 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7093 bpf_map_fmode_to_av(file->f_mode), NULL); 7094 if (ret) 7095 return ret; 7096 } else if (file->f_op == &bpf_prog_fops) { 7097 prog = file->private_data; 7098 bpfsec = selinux_bpf_prog_security(prog); 7099 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7100 BPF__PROG_RUN, NULL); 7101 if (ret) 7102 return ret; 7103 } 7104 return 0; 7105 } 7106 7107 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 7108 { 7109 u32 sid = current_sid(); 7110 struct bpf_security_struct *bpfsec; 7111 7112 bpfsec = selinux_bpf_map_security(map); 7113 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7114 bpf_map_fmode_to_av(fmode), NULL); 7115 } 7116 7117 static int selinux_bpf_prog(struct bpf_prog *prog) 7118 { 7119 u32 sid = current_sid(); 7120 struct bpf_security_struct *bpfsec; 7121 7122 bpfsec = selinux_bpf_prog_security(prog); 7123 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7124 BPF__PROG_RUN, NULL); 7125 } 7126 7127 static int selinux_bpf_map_create(struct bpf_map *map, union bpf_attr *attr, 7128 struct bpf_token *token, bool kernel) 7129 { 7130 struct bpf_security_struct *bpfsec; 7131 7132 bpfsec = selinux_bpf_map_security(map); 7133 bpfsec->sid = current_sid(); 7134 7135 return 0; 7136 } 7137 7138 static int selinux_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr, 7139 struct bpf_token *token, bool kernel) 7140 { 7141 struct bpf_security_struct *bpfsec; 7142 7143 bpfsec = selinux_bpf_prog_security(prog); 7144 bpfsec->sid = current_sid(); 7145 7146 return 0; 7147 } 7148 7149 static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *attr, 7150 const struct path *path) 7151 { 7152 struct bpf_security_struct *bpfsec; 7153 7154 bpfsec = selinux_bpf_token_security(token); 7155 bpfsec->sid = current_sid(); 7156 7157 return 0; 7158 } 7159 #endif 7160 7161 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { 7162 .lbs_cred = sizeof(struct cred_security_struct), 7163 .lbs_task = sizeof(struct task_security_struct), 7164 .lbs_file = sizeof(struct file_security_struct), 7165 .lbs_inode = sizeof(struct inode_security_struct), 7166 .lbs_ipc = sizeof(struct ipc_security_struct), 7167 .lbs_key = sizeof(struct key_security_struct), 7168 .lbs_msg_msg = sizeof(struct msg_security_struct), 7169 #ifdef CONFIG_PERF_EVENTS 7170 .lbs_perf_event = sizeof(struct perf_event_security_struct), 7171 #endif 7172 .lbs_sock = sizeof(struct sk_security_struct), 7173 .lbs_superblock = sizeof(struct superblock_security_struct), 7174 .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, 7175 .lbs_tun_dev = sizeof(struct tun_security_struct), 7176 .lbs_ib = sizeof(struct ib_security_struct), 7177 .lbs_bpf_map = sizeof(struct bpf_security_struct), 7178 .lbs_bpf_prog = sizeof(struct bpf_security_struct), 7179 .lbs_bpf_token = sizeof(struct bpf_security_struct), 7180 }; 7181 7182 #ifdef CONFIG_PERF_EVENTS 7183 static int selinux_perf_event_open(int type) 7184 { 7185 u32 requested, sid = current_sid(); 7186 7187 if (type == PERF_SECURITY_OPEN) 7188 requested = PERF_EVENT__OPEN; 7189 else if (type == PERF_SECURITY_CPU) 7190 requested = PERF_EVENT__CPU; 7191 else if (type == PERF_SECURITY_KERNEL) 7192 requested = PERF_EVENT__KERNEL; 7193 else if (type == PERF_SECURITY_TRACEPOINT) 7194 requested = PERF_EVENT__TRACEPOINT; 7195 else 7196 return -EINVAL; 7197 7198 return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT, 7199 requested, NULL); 7200 } 7201 7202 static int selinux_perf_event_alloc(struct perf_event *event) 7203 { 7204 struct perf_event_security_struct *perfsec; 7205 7206 perfsec = selinux_perf_event(event->security); 7207 perfsec->sid = current_sid(); 7208 7209 return 0; 7210 } 7211 7212 static int selinux_perf_event_read(struct perf_event *event) 7213 { 7214 struct perf_event_security_struct *perfsec = event->security; 7215 u32 sid = current_sid(); 7216 7217 return avc_has_perm(sid, perfsec->sid, 7218 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL); 7219 } 7220 7221 static int selinux_perf_event_write(struct perf_event *event) 7222 { 7223 struct perf_event_security_struct *perfsec = event->security; 7224 u32 sid = current_sid(); 7225 7226 return avc_has_perm(sid, perfsec->sid, 7227 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL); 7228 } 7229 #endif 7230 7231 #ifdef CONFIG_IO_URING 7232 /** 7233 * selinux_uring_override_creds - check the requested cred override 7234 * @new: the target creds 7235 * 7236 * Check to see if the current task is allowed to override it's credentials 7237 * to service an io_uring operation. 7238 */ 7239 static int selinux_uring_override_creds(const struct cred *new) 7240 { 7241 return avc_has_perm(current_sid(), cred_sid(new), 7242 SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL); 7243 } 7244 7245 /** 7246 * selinux_uring_sqpoll - check if a io_uring polling thread can be created 7247 * 7248 * Check to see if the current task is allowed to create a new io_uring 7249 * kernel polling thread. 7250 */ 7251 static int selinux_uring_sqpoll(void) 7252 { 7253 u32 sid = current_sid(); 7254 7255 return avc_has_perm(sid, sid, 7256 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL); 7257 } 7258 7259 /** 7260 * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed 7261 * @ioucmd: the io_uring command structure 7262 * 7263 * Check to see if the current domain is allowed to execute an 7264 * IORING_OP_URING_CMD against the device/file specified in @ioucmd. 7265 * 7266 */ 7267 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) 7268 { 7269 struct file *file = ioucmd->file; 7270 struct inode *inode = file_inode(file); 7271 struct inode_security_struct *isec = selinux_inode(inode); 7272 struct common_audit_data ad; 7273 7274 ad.type = LSM_AUDIT_DATA_FILE; 7275 ad.u.file = file; 7276 7277 return avc_has_perm(current_sid(), isec->sid, 7278 SECCLASS_IO_URING, IO_URING__CMD, &ad); 7279 } 7280 7281 /** 7282 * selinux_uring_allowed - check if io_uring_setup() can be called 7283 * 7284 * Check to see if the current task is allowed to call io_uring_setup(). 7285 */ 7286 static int selinux_uring_allowed(void) 7287 { 7288 u32 sid = current_sid(); 7289 7290 return avc_has_perm(sid, sid, SECCLASS_IO_URING, IO_URING__ALLOWED, 7291 NULL); 7292 } 7293 #endif /* CONFIG_IO_URING */ 7294 7295 static const struct lsm_id selinux_lsmid = { 7296 .name = "selinux", 7297 .id = LSM_ID_SELINUX, 7298 }; 7299 7300 /* 7301 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: 7302 * 1. any hooks that don't belong to (2.) or (3.) below, 7303 * 2. hooks that both access structures allocated by other hooks, and allocate 7304 * structures that can be later accessed by other hooks (mostly "cloning" 7305 * hooks), 7306 * 3. hooks that only allocate structures that can be later accessed by other 7307 * hooks ("allocating" hooks). 7308 * 7309 * Please follow block comment delimiters in the list to keep this order. 7310 */ 7311 static struct security_hook_list selinux_hooks[] __ro_after_init = { 7312 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 7313 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 7314 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 7315 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 7316 7317 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 7318 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 7319 LSM_HOOK_INIT(capget, selinux_capget), 7320 LSM_HOOK_INIT(capset, selinux_capset), 7321 LSM_HOOK_INIT(capable, selinux_capable), 7322 LSM_HOOK_INIT(quotactl, selinux_quotactl), 7323 LSM_HOOK_INIT(quota_on, selinux_quota_on), 7324 LSM_HOOK_INIT(syslog, selinux_syslog), 7325 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 7326 7327 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 7328 7329 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec), 7330 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 7331 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 7332 7333 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), 7334 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat), 7335 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 7336 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 7337 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 7338 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 7339 LSM_HOOK_INIT(sb_mount, selinux_mount), 7340 LSM_HOOK_INIT(sb_umount, selinux_umount), 7341 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 7342 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 7343 7344 LSM_HOOK_INIT(move_mount, selinux_move_mount), 7345 7346 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 7347 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 7348 7349 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 7350 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 7351 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon), 7352 LSM_HOOK_INIT(inode_create, selinux_inode_create), 7353 LSM_HOOK_INIT(inode_link, selinux_inode_link), 7354 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 7355 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 7356 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 7357 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 7358 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 7359 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 7360 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 7361 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 7362 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 7363 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 7364 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 7365 LSM_HOOK_INIT(inode_xattr_skipcap, selinux_inode_xattr_skipcap), 7366 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 7367 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 7368 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 7369 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 7370 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 7371 LSM_HOOK_INIT(inode_file_getattr, selinux_inode_file_getattr), 7372 LSM_HOOK_INIT(inode_file_setattr, selinux_inode_file_setattr), 7373 LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl), 7374 LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl), 7375 LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl), 7376 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 7377 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 7378 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 7379 LSM_HOOK_INIT(inode_getlsmprop, selinux_inode_getlsmprop), 7380 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 7381 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 7382 LSM_HOOK_INIT(path_notify, selinux_path_notify), 7383 7384 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security), 7385 7386 LSM_HOOK_INIT(file_permission, selinux_file_permission), 7387 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 7388 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 7389 LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat), 7390 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 7391 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 7392 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 7393 LSM_HOOK_INIT(file_lock, selinux_file_lock), 7394 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 7395 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 7396 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 7397 LSM_HOOK_INIT(file_receive, selinux_file_receive), 7398 7399 LSM_HOOK_INIT(file_open, selinux_file_open), 7400 7401 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 7402 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 7403 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 7404 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 7405 LSM_HOOK_INIT(cred_getlsmprop, selinux_cred_getlsmprop), 7406 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 7407 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 7408 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 7409 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 7410 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 7411 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 7412 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 7413 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 7414 LSM_HOOK_INIT(current_getlsmprop_subj, selinux_current_getlsmprop_subj), 7415 LSM_HOOK_INIT(task_getlsmprop_obj, selinux_task_getlsmprop_obj), 7416 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 7417 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 7418 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 7419 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 7420 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 7421 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 7422 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 7423 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 7424 LSM_HOOK_INIT(task_kill, selinux_task_kill), 7425 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 7426 LSM_HOOK_INIT(userns_create, selinux_userns_create), 7427 7428 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 7429 LSM_HOOK_INIT(ipc_getlsmprop, selinux_ipc_getlsmprop), 7430 7431 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 7432 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 7433 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 7434 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 7435 7436 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 7437 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 7438 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 7439 7440 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 7441 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 7442 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 7443 7444 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 7445 7446 LSM_HOOK_INIT(getselfattr, selinux_getselfattr), 7447 LSM_HOOK_INIT(setselfattr, selinux_setselfattr), 7448 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 7449 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 7450 7451 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 7452 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 7453 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 7454 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 7455 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 7456 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 7457 7458 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 7459 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 7460 7461 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7462 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7463 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), 7464 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7465 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7466 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7467 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7468 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7469 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7470 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7471 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7472 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7473 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7474 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7475 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7476 LSM_HOOK_INIT(socket_getpeersec_stream, 7477 selinux_socket_getpeersec_stream), 7478 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7479 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7480 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7481 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7482 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7483 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7484 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7485 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7486 LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established), 7487 LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow), 7488 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7489 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7490 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7491 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7492 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7493 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7494 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7495 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7496 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7497 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7498 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7499 #ifdef CONFIG_SECURITY_INFINIBAND 7500 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7501 LSM_HOOK_INIT(ib_endport_manage_subnet, 7502 selinux_ib_endport_manage_subnet), 7503 #endif 7504 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7505 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7506 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7507 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7508 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7509 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7510 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7511 selinux_xfrm_state_pol_flow_match), 7512 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7513 #endif 7514 7515 #ifdef CONFIG_KEYS 7516 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7517 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7518 #ifdef CONFIG_KEY_NOTIFICATIONS 7519 LSM_HOOK_INIT(watch_key, selinux_watch_key), 7520 #endif 7521 #endif 7522 7523 #ifdef CONFIG_AUDIT 7524 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7525 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7526 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7527 #endif 7528 7529 #ifdef CONFIG_BPF_SYSCALL 7530 LSM_HOOK_INIT(bpf, selinux_bpf), 7531 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7532 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7533 #endif 7534 7535 #ifdef CONFIG_PERF_EVENTS 7536 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open), 7537 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read), 7538 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write), 7539 #endif 7540 7541 #ifdef CONFIG_IO_URING 7542 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), 7543 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), 7544 LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd), 7545 LSM_HOOK_INIT(uring_allowed, selinux_uring_allowed), 7546 #endif 7547 7548 /* 7549 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE 7550 */ 7551 LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount), 7552 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 7553 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 7554 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 7555 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7556 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7557 #endif 7558 7559 /* 7560 * PUT "ALLOCATING" HOOKS HERE 7561 */ 7562 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 7563 LSM_HOOK_INIT(msg_queue_alloc_security, 7564 selinux_msg_queue_alloc_security), 7565 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 7566 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 7567 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 7568 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 7569 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 7570 LSM_HOOK_INIT(lsmprop_to_secctx, selinux_lsmprop_to_secctx), 7571 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 7572 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7573 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7574 #ifdef CONFIG_SECURITY_INFINIBAND 7575 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7576 #endif 7577 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7578 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7579 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7580 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7581 selinux_xfrm_state_alloc_acquire), 7582 #endif 7583 #ifdef CONFIG_KEYS 7584 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7585 #endif 7586 #ifdef CONFIG_AUDIT 7587 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7588 #endif 7589 #ifdef CONFIG_BPF_SYSCALL 7590 LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create), 7591 LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load), 7592 LSM_HOOK_INIT(bpf_token_create, selinux_bpf_token_create), 7593 #endif 7594 #ifdef CONFIG_PERF_EVENTS 7595 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), 7596 #endif 7597 }; 7598 7599 static __init int selinux_init(void) 7600 { 7601 pr_info("SELinux: Initializing.\n"); 7602 7603 memset(&selinux_state, 0, sizeof(selinux_state)); 7604 enforcing_set(selinux_enforcing_boot); 7605 selinux_avc_init(); 7606 mutex_init(&selinux_state.status_lock); 7607 mutex_init(&selinux_state.policy_mutex); 7608 7609 /* Set the security state for the initial task. */ 7610 cred_init_security(); 7611 7612 /* Inform the audit system that secctx is used */ 7613 audit_cfg_lsm(&selinux_lsmid, 7614 AUDIT_CFG_LSM_SECCTX_SUBJECT | 7615 AUDIT_CFG_LSM_SECCTX_OBJECT); 7616 7617 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7618 if (!default_noexec) 7619 pr_notice("SELinux: virtual memory is executable by default\n"); 7620 7621 avc_init(); 7622 7623 avtab_cache_init(); 7624 7625 ebitmap_cache_init(); 7626 7627 hashtab_cache_init(); 7628 7629 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), 7630 &selinux_lsmid); 7631 7632 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7633 panic("SELinux: Unable to register AVC netcache callback\n"); 7634 7635 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7636 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7637 7638 if (avc_add_callback(selinux_audit_rule_avc_callback, 7639 AVC_CALLBACK_RESET)) 7640 panic("SELinux: Unable to register AVC audit callback\n"); 7641 7642 if (selinux_enforcing_boot) 7643 pr_debug("SELinux: Starting in enforcing mode\n"); 7644 else 7645 pr_debug("SELinux: Starting in permissive mode\n"); 7646 7647 fs_validate_description("selinux", selinux_fs_parameters); 7648 7649 return 0; 7650 } 7651 7652 static void delayed_superblock_init(struct super_block *sb, void *unused) 7653 { 7654 selinux_set_mnt_opts(sb, NULL, 0, NULL); 7655 } 7656 7657 void selinux_complete_init(void) 7658 { 7659 pr_debug("SELinux: Completing initialization.\n"); 7660 7661 /* Set up any superblocks initialized prior to the policy load. */ 7662 pr_debug("SELinux: Setting up existing superblocks.\n"); 7663 iterate_supers(delayed_superblock_init, NULL); 7664 } 7665 7666 /* SELinux requires early initialization in order to label 7667 all processes and objects when they are created. */ 7668 DEFINE_LSM(selinux) = { 7669 .id = &selinux_lsmid, 7670 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 7671 .enabled = &selinux_enabled_boot, 7672 .blobs = &selinux_blob_sizes, 7673 .init = selinux_init, 7674 .initcall_device = selinux_initcall, 7675 }; 7676 7677 #if defined(CONFIG_NETFILTER) 7678 static const struct nf_hook_ops selinux_nf_ops[] = { 7679 { 7680 .hook = selinux_ip_postroute, 7681 .pf = NFPROTO_IPV4, 7682 .hooknum = NF_INET_POST_ROUTING, 7683 .priority = NF_IP_PRI_SELINUX_LAST, 7684 }, 7685 { 7686 .hook = selinux_ip_forward, 7687 .pf = NFPROTO_IPV4, 7688 .hooknum = NF_INET_FORWARD, 7689 .priority = NF_IP_PRI_SELINUX_FIRST, 7690 }, 7691 { 7692 .hook = selinux_ip_output, 7693 .pf = NFPROTO_IPV4, 7694 .hooknum = NF_INET_LOCAL_OUT, 7695 .priority = NF_IP_PRI_SELINUX_FIRST, 7696 }, 7697 #if IS_ENABLED(CONFIG_IPV6) 7698 { 7699 .hook = selinux_ip_postroute, 7700 .pf = NFPROTO_IPV6, 7701 .hooknum = NF_INET_POST_ROUTING, 7702 .priority = NF_IP6_PRI_SELINUX_LAST, 7703 }, 7704 { 7705 .hook = selinux_ip_forward, 7706 .pf = NFPROTO_IPV6, 7707 .hooknum = NF_INET_FORWARD, 7708 .priority = NF_IP6_PRI_SELINUX_FIRST, 7709 }, 7710 { 7711 .hook = selinux_ip_output, 7712 .pf = NFPROTO_IPV6, 7713 .hooknum = NF_INET_LOCAL_OUT, 7714 .priority = NF_IP6_PRI_SELINUX_FIRST, 7715 }, 7716 #endif /* IPV6 */ 7717 }; 7718 7719 static int __net_init selinux_nf_register(struct net *net) 7720 { 7721 return nf_register_net_hooks(net, selinux_nf_ops, 7722 ARRAY_SIZE(selinux_nf_ops)); 7723 } 7724 7725 static void __net_exit selinux_nf_unregister(struct net *net) 7726 { 7727 nf_unregister_net_hooks(net, selinux_nf_ops, 7728 ARRAY_SIZE(selinux_nf_ops)); 7729 } 7730 7731 static struct pernet_operations selinux_net_ops = { 7732 .init = selinux_nf_register, 7733 .exit = selinux_nf_unregister, 7734 }; 7735 7736 int __init selinux_nf_ip_init(void) 7737 { 7738 int err; 7739 7740 if (!selinux_enabled_boot) 7741 return 0; 7742 7743 pr_debug("SELinux: Registering netfilter hooks\n"); 7744 7745 err = register_pernet_subsys(&selinux_net_ops); 7746 if (err) 7747 panic("SELinux: register_pernet_subsys: error %d\n", err); 7748 7749 return 0; 7750 } 7751 #endif /* CONFIG_NETFILTER */ 7752