1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com> 8 * Chris Vance, <cvance@nai.com> 9 * Wayne Salamon, <wsalamon@nai.com> 10 * James Morris <jmorris@redhat.com> 11 * 12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 14 * Eric Paris <eparis@redhat.com> 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 16 * <dgoeddel@trustedcs.com> 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 18 * Paul Moore <paul@paul-moore.com> 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 20 * Yuichi Nakamura <ynakam@hitachisoft.jp> 21 * Copyright (C) 2016 Mellanox Technologies 22 */ 23 24 #include <linux/init.h> 25 #include <linux/kd.h> 26 #include <linux/kernel.h> 27 #include <linux/kernel_read_file.h> 28 #include <linux/errno.h> 29 #include <linux/sched/signal.h> 30 #include <linux/sched/task.h> 31 #include <linux/lsm_hooks.h> 32 #include <linux/xattr.h> 33 #include <linux/capability.h> 34 #include <linux/unistd.h> 35 #include <linux/mm.h> 36 #include <linux/mman.h> 37 #include <linux/slab.h> 38 #include <linux/pagemap.h> 39 #include <linux/proc_fs.h> 40 #include <linux/swap.h> 41 #include <linux/spinlock.h> 42 #include <linux/syscalls.h> 43 #include <linux/dcache.h> 44 #include <linux/file.h> 45 #include <linux/fdtable.h> 46 #include <linux/namei.h> 47 #include <linux/mount.h> 48 #include <linux/fs_context.h> 49 #include <linux/fs_parser.h> 50 #include <linux/netfilter_ipv4.h> 51 #include <linux/netfilter_ipv6.h> 52 #include <linux/tty.h> 53 #include <net/icmp.h> 54 #include <net/ip.h> /* for local_port_range[] */ 55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 56 #include <net/inet_connection_sock.h> 57 #include <net/net_namespace.h> 58 #include <net/netlabel.h> 59 #include <linux/uaccess.h> 60 #include <asm/ioctls.h> 61 #include <linux/atomic.h> 62 #include <linux/bitops.h> 63 #include <linux/interrupt.h> 64 #include <linux/netdevice.h> /* for network interface checks */ 65 #include <net/netlink.h> 66 #include <linux/tcp.h> 67 #include <linux/udp.h> 68 #include <linux/sctp.h> 69 #include <net/sctp/structs.h> 70 #include <linux/quota.h> 71 #include <linux/un.h> /* for Unix socket types */ 72 #include <net/af_unix.h> /* for Unix socket types */ 73 #include <linux/parser.h> 74 #include <linux/nfs_mount.h> 75 #include <net/ipv6.h> 76 #include <linux/hugetlb.h> 77 #include <linux/personality.h> 78 #include <linux/audit.h> 79 #include <linux/string.h> 80 #include <linux/mutex.h> 81 #include <linux/posix-timers.h> 82 #include <linux/syslog.h> 83 #include <linux/user_namespace.h> 84 #include <linux/export.h> 85 #include <linux/msg.h> 86 #include <linux/shm.h> 87 #include <uapi/linux/shm.h> 88 #include <linux/bpf.h> 89 #include <linux/kernfs.h> 90 #include <linux/stringhash.h> /* for hashlen_string() */ 91 #include <uapi/linux/mount.h> 92 #include <linux/fsnotify.h> 93 #include <linux/fanotify.h> 94 #include <linux/io_uring/cmd.h> 95 #include <uapi/linux/lsm.h> 96 97 #include "avc.h" 98 #include "objsec.h" 99 #include "netif.h" 100 #include "netnode.h" 101 #include "netport.h" 102 #include "ibpkey.h" 103 #include "xfrm.h" 104 #include "netlabel.h" 105 #include "audit.h" 106 #include "avc_ss.h" 107 108 #define SELINUX_INODE_INIT_XATTRS 1 109 110 struct selinux_state selinux_state; 111 112 /* SECMARK reference count */ 113 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 114 115 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 116 static int selinux_enforcing_boot __initdata; 117 118 static int __init enforcing_setup(char *str) 119 { 120 unsigned long enforcing; 121 if (!kstrtoul(str, 0, &enforcing)) 122 selinux_enforcing_boot = enforcing ? 1 : 0; 123 return 1; 124 } 125 __setup("enforcing=", enforcing_setup); 126 #else 127 #define selinux_enforcing_boot 1 128 #endif 129 130 int selinux_enabled_boot __initdata = 1; 131 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 132 static int __init selinux_enabled_setup(char *str) 133 { 134 unsigned long enabled; 135 if (!kstrtoul(str, 0, &enabled)) 136 selinux_enabled_boot = enabled ? 1 : 0; 137 return 1; 138 } 139 __setup("selinux=", selinux_enabled_setup); 140 #endif 141 142 static int __init checkreqprot_setup(char *str) 143 { 144 unsigned long checkreqprot; 145 146 if (!kstrtoul(str, 0, &checkreqprot)) { 147 if (checkreqprot) 148 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is no longer supported.\n"); 149 } 150 return 1; 151 } 152 __setup("checkreqprot=", checkreqprot_setup); 153 154 /** 155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 156 * 157 * Description: 158 * This function checks the SECMARK reference counter to see if any SECMARK 159 * targets are currently configured, if the reference counter is greater than 160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 161 * enabled, false (0) if SECMARK is disabled. If the always_check_network 162 * policy capability is enabled, SECMARK is always considered enabled. 163 * 164 */ 165 static int selinux_secmark_enabled(void) 166 { 167 return (selinux_policycap_alwaysnetwork() || 168 atomic_read(&selinux_secmark_refcount)); 169 } 170 171 /** 172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 173 * 174 * Description: 175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 176 * (1) if any are enabled or false (0) if neither are enabled. If the 177 * always_check_network policy capability is enabled, peer labeling 178 * is always considered enabled. 179 * 180 */ 181 static int selinux_peerlbl_enabled(void) 182 { 183 return (selinux_policycap_alwaysnetwork() || 184 netlbl_enabled() || selinux_xfrm_enabled()); 185 } 186 187 static int selinux_netcache_avc_callback(u32 event) 188 { 189 if (event == AVC_CALLBACK_RESET) { 190 sel_netif_flush(); 191 sel_netnode_flush(); 192 sel_netport_flush(); 193 synchronize_net(); 194 } 195 return 0; 196 } 197 198 static int selinux_lsm_notifier_avc_callback(u32 event) 199 { 200 if (event == AVC_CALLBACK_RESET) { 201 sel_ib_pkey_flush(); 202 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); 203 } 204 205 return 0; 206 } 207 208 /* 209 * initialise the security for the init task 210 */ 211 static void cred_init_security(void) 212 { 213 struct task_security_struct *tsec; 214 215 /* NOTE: the lsm framework zeros out the buffer on allocation */ 216 217 tsec = selinux_cred(unrcu_pointer(current->real_cred)); 218 tsec->osid = tsec->sid = tsec->avdcache.sid = SECINITSID_KERNEL; 219 } 220 221 /* 222 * get the security ID of a set of credentials 223 */ 224 static inline u32 cred_sid(const struct cred *cred) 225 { 226 const struct task_security_struct *tsec; 227 228 tsec = selinux_cred(cred); 229 return tsec->sid; 230 } 231 232 static void __ad_net_init(struct common_audit_data *ad, 233 struct lsm_network_audit *net, 234 int ifindex, struct sock *sk, u16 family) 235 { 236 ad->type = LSM_AUDIT_DATA_NET; 237 ad->u.net = net; 238 net->netif = ifindex; 239 net->sk = sk; 240 net->family = family; 241 } 242 243 static void ad_net_init_from_sk(struct common_audit_data *ad, 244 struct lsm_network_audit *net, 245 struct sock *sk) 246 { 247 __ad_net_init(ad, net, 0, sk, 0); 248 } 249 250 static void ad_net_init_from_iif(struct common_audit_data *ad, 251 struct lsm_network_audit *net, 252 int ifindex, u16 family) 253 { 254 __ad_net_init(ad, net, ifindex, NULL, family); 255 } 256 257 /* 258 * get the objective security ID of a task 259 */ 260 static inline u32 task_sid_obj(const struct task_struct *task) 261 { 262 u32 sid; 263 264 rcu_read_lock(); 265 sid = cred_sid(__task_cred(task)); 266 rcu_read_unlock(); 267 return sid; 268 } 269 270 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 271 272 /* 273 * Try reloading inode security labels that have been marked as invalid. The 274 * @may_sleep parameter indicates when sleeping and thus reloading labels is 275 * allowed; when set to false, returns -ECHILD when the label is 276 * invalid. The @dentry parameter should be set to a dentry of the inode. 277 */ 278 static int __inode_security_revalidate(struct inode *inode, 279 struct dentry *dentry, 280 bool may_sleep) 281 { 282 if (!selinux_initialized()) 283 return 0; 284 285 if (may_sleep) 286 might_sleep(); 287 else 288 return -ECHILD; 289 290 /* 291 * Check to ensure that an inode's SELinux state is valid and try 292 * reloading the inode security label if necessary. This will fail if 293 * @dentry is NULL and no dentry for this inode can be found; in that 294 * case, continue using the old label. 295 */ 296 inode_doinit_with_dentry(inode, dentry); 297 return 0; 298 } 299 300 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 301 { 302 return selinux_inode(inode); 303 } 304 305 static inline struct inode_security_struct *inode_security_rcu(struct inode *inode, 306 bool rcu) 307 { 308 int rc; 309 struct inode_security_struct *isec = selinux_inode(inode); 310 311 /* check below is racy, but revalidate will recheck with lock held */ 312 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 313 return isec; 314 rc = __inode_security_revalidate(inode, NULL, !rcu); 315 if (rc) 316 return ERR_PTR(rc); 317 return isec; 318 } 319 320 /* 321 * Get the security label of an inode. 322 */ 323 static inline struct inode_security_struct *inode_security(struct inode *inode) 324 { 325 struct inode_security_struct *isec = selinux_inode(inode); 326 327 /* check below is racy, but revalidate will recheck with lock held */ 328 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 329 return isec; 330 __inode_security_revalidate(inode, NULL, true); 331 return isec; 332 } 333 334 static inline struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 335 { 336 return selinux_inode(d_backing_inode(dentry)); 337 } 338 339 /* 340 * Get the security label of a dentry's backing inode. 341 */ 342 static inline struct inode_security_struct *backing_inode_security(struct dentry *dentry) 343 { 344 struct inode *inode = d_backing_inode(dentry); 345 struct inode_security_struct *isec = selinux_inode(inode); 346 347 /* check below is racy, but revalidate will recheck with lock held */ 348 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 349 return isec; 350 __inode_security_revalidate(inode, dentry, true); 351 return isec; 352 } 353 354 static void inode_free_security(struct inode *inode) 355 { 356 struct inode_security_struct *isec = selinux_inode(inode); 357 struct superblock_security_struct *sbsec; 358 359 if (!isec) 360 return; 361 sbsec = selinux_superblock(inode->i_sb); 362 /* 363 * As not all inode security structures are in a list, we check for 364 * empty list outside of the lock to make sure that we won't waste 365 * time taking a lock doing nothing. 366 * 367 * The list_del_init() function can be safely called more than once. 368 * It should not be possible for this function to be called with 369 * concurrent list_add(), but for better safety against future changes 370 * in the code, we use list_empty_careful() here. 371 */ 372 if (!list_empty_careful(&isec->list)) { 373 spin_lock(&sbsec->isec_lock); 374 list_del_init(&isec->list); 375 spin_unlock(&sbsec->isec_lock); 376 } 377 } 378 379 struct selinux_mnt_opts { 380 u32 fscontext_sid; 381 u32 context_sid; 382 u32 rootcontext_sid; 383 u32 defcontext_sid; 384 }; 385 386 static void selinux_free_mnt_opts(void *mnt_opts) 387 { 388 kfree(mnt_opts); 389 } 390 391 enum { 392 Opt_error = -1, 393 Opt_context = 0, 394 Opt_defcontext = 1, 395 Opt_fscontext = 2, 396 Opt_rootcontext = 3, 397 Opt_seclabel = 4, 398 }; 399 400 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} 401 static const struct { 402 const char *name; 403 int len; 404 int opt; 405 bool has_arg; 406 } tokens[] = { 407 A(context, true), 408 A(fscontext, true), 409 A(defcontext, true), 410 A(rootcontext, true), 411 A(seclabel, false), 412 }; 413 #undef A 414 415 static int match_opt_prefix(char *s, int l, char **arg) 416 { 417 unsigned int i; 418 419 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 420 size_t len = tokens[i].len; 421 if (len > l || memcmp(s, tokens[i].name, len)) 422 continue; 423 if (tokens[i].has_arg) { 424 if (len == l || s[len] != '=') 425 continue; 426 *arg = s + len + 1; 427 } else if (len != l) 428 continue; 429 return tokens[i].opt; 430 } 431 return Opt_error; 432 } 433 434 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 435 436 static int may_context_mount_sb_relabel(u32 sid, 437 struct superblock_security_struct *sbsec, 438 const struct cred *cred) 439 { 440 const struct task_security_struct *tsec = selinux_cred(cred); 441 int rc; 442 443 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 444 FILESYSTEM__RELABELFROM, NULL); 445 if (rc) 446 return rc; 447 448 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 449 FILESYSTEM__RELABELTO, NULL); 450 return rc; 451 } 452 453 static int may_context_mount_inode_relabel(u32 sid, 454 struct superblock_security_struct *sbsec, 455 const struct cred *cred) 456 { 457 const struct task_security_struct *tsec = selinux_cred(cred); 458 int rc; 459 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 460 FILESYSTEM__RELABELFROM, NULL); 461 if (rc) 462 return rc; 463 464 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 465 FILESYSTEM__ASSOCIATE, NULL); 466 return rc; 467 } 468 469 static int selinux_is_genfs_special_handling(struct super_block *sb) 470 { 471 /* Special handling. Genfs but also in-core setxattr handler */ 472 return !strcmp(sb->s_type->name, "sysfs") || 473 !strcmp(sb->s_type->name, "pstore") || 474 !strcmp(sb->s_type->name, "debugfs") || 475 !strcmp(sb->s_type->name, "tracefs") || 476 !strcmp(sb->s_type->name, "rootfs") || 477 (selinux_policycap_cgroupseclabel() && 478 (!strcmp(sb->s_type->name, "cgroup") || 479 !strcmp(sb->s_type->name, "cgroup2"))); 480 } 481 482 static int selinux_is_sblabel_mnt(struct super_block *sb) 483 { 484 struct superblock_security_struct *sbsec = selinux_superblock(sb); 485 486 /* 487 * IMPORTANT: Double-check logic in this function when adding a new 488 * SECURITY_FS_USE_* definition! 489 */ 490 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); 491 492 switch (sbsec->behavior) { 493 case SECURITY_FS_USE_XATTR: 494 case SECURITY_FS_USE_TRANS: 495 case SECURITY_FS_USE_TASK: 496 case SECURITY_FS_USE_NATIVE: 497 return 1; 498 499 case SECURITY_FS_USE_GENFS: 500 return selinux_is_genfs_special_handling(sb); 501 502 /* Never allow relabeling on context mounts */ 503 case SECURITY_FS_USE_MNTPOINT: 504 case SECURITY_FS_USE_NONE: 505 default: 506 return 0; 507 } 508 } 509 510 static int sb_check_xattr_support(struct super_block *sb) 511 { 512 struct superblock_security_struct *sbsec = selinux_superblock(sb); 513 struct dentry *root = sb->s_root; 514 struct inode *root_inode = d_backing_inode(root); 515 u32 sid; 516 int rc; 517 518 /* 519 * Make sure that the xattr handler exists and that no 520 * error other than -ENODATA is returned by getxattr on 521 * the root directory. -ENODATA is ok, as this may be 522 * the first boot of the SELinux kernel before we have 523 * assigned xattr values to the filesystem. 524 */ 525 if (!(root_inode->i_opflags & IOP_XATTR)) { 526 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n", 527 sb->s_id, sb->s_type->name); 528 goto fallback; 529 } 530 531 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 532 if (rc < 0 && rc != -ENODATA) { 533 if (rc == -EOPNOTSUPP) { 534 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n", 535 sb->s_id, sb->s_type->name); 536 goto fallback; 537 } else { 538 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n", 539 sb->s_id, sb->s_type->name, -rc); 540 return rc; 541 } 542 } 543 return 0; 544 545 fallback: 546 /* No xattr support - try to fallback to genfs if possible. */ 547 rc = security_genfs_sid(sb->s_type->name, "/", 548 SECCLASS_DIR, &sid); 549 if (rc) 550 return -EOPNOTSUPP; 551 552 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n", 553 sb->s_id, sb->s_type->name); 554 sbsec->behavior = SECURITY_FS_USE_GENFS; 555 sbsec->sid = sid; 556 return 0; 557 } 558 559 static int sb_finish_set_opts(struct super_block *sb) 560 { 561 struct superblock_security_struct *sbsec = selinux_superblock(sb); 562 struct dentry *root = sb->s_root; 563 struct inode *root_inode = d_backing_inode(root); 564 int rc = 0; 565 566 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 567 rc = sb_check_xattr_support(sb); 568 if (rc) 569 return rc; 570 } 571 572 sbsec->flags |= SE_SBINITIALIZED; 573 574 /* 575 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 576 * leave the flag untouched because sb_clone_mnt_opts might be handing 577 * us a superblock that needs the flag to be cleared. 578 */ 579 if (selinux_is_sblabel_mnt(sb)) 580 sbsec->flags |= SBLABEL_MNT; 581 else 582 sbsec->flags &= ~SBLABEL_MNT; 583 584 /* Initialize the root inode. */ 585 rc = inode_doinit_with_dentry(root_inode, root); 586 587 /* Initialize any other inodes associated with the superblock, e.g. 588 inodes created prior to initial policy load or inodes created 589 during get_sb by a pseudo filesystem that directly 590 populates itself. */ 591 spin_lock(&sbsec->isec_lock); 592 while (!list_empty(&sbsec->isec_head)) { 593 struct inode_security_struct *isec = 594 list_first_entry(&sbsec->isec_head, 595 struct inode_security_struct, list); 596 struct inode *inode = isec->inode; 597 list_del_init(&isec->list); 598 spin_unlock(&sbsec->isec_lock); 599 inode = igrab(inode); 600 if (inode) { 601 if (!IS_PRIVATE(inode)) 602 inode_doinit_with_dentry(inode, NULL); 603 iput(inode); 604 } 605 spin_lock(&sbsec->isec_lock); 606 } 607 spin_unlock(&sbsec->isec_lock); 608 return rc; 609 } 610 611 static int bad_option(struct superblock_security_struct *sbsec, char flag, 612 u32 old_sid, u32 new_sid) 613 { 614 char mnt_flags = sbsec->flags & SE_MNTMASK; 615 616 /* check if the old mount command had the same options */ 617 if (sbsec->flags & SE_SBINITIALIZED) 618 if (!(sbsec->flags & flag) || 619 (old_sid != new_sid)) 620 return 1; 621 622 /* check if we were passed the same options twice, 623 * aka someone passed context=a,context=b 624 */ 625 if (!(sbsec->flags & SE_SBINITIALIZED)) 626 if (mnt_flags & flag) 627 return 1; 628 return 0; 629 } 630 631 /* 632 * Allow filesystems with binary mount data to explicitly set mount point 633 * labeling information. 634 */ 635 static int selinux_set_mnt_opts(struct super_block *sb, 636 void *mnt_opts, 637 unsigned long kern_flags, 638 unsigned long *set_kern_flags) 639 { 640 const struct cred *cred = current_cred(); 641 struct superblock_security_struct *sbsec = selinux_superblock(sb); 642 struct dentry *root = sb->s_root; 643 struct selinux_mnt_opts *opts = mnt_opts; 644 struct inode_security_struct *root_isec; 645 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 646 u32 defcontext_sid = 0; 647 int rc = 0; 648 649 /* 650 * Specifying internal flags without providing a place to 651 * place the results is not allowed 652 */ 653 if (kern_flags && !set_kern_flags) 654 return -EINVAL; 655 656 mutex_lock(&sbsec->lock); 657 658 if (!selinux_initialized()) { 659 if (!opts) { 660 /* Defer initialization until selinux_complete_init, 661 after the initial policy is loaded and the security 662 server is ready to handle calls. */ 663 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) { 664 sbsec->flags |= SE_SBNATIVE; 665 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 666 } 667 goto out; 668 } 669 rc = -EINVAL; 670 pr_warn("SELinux: Unable to set superblock options " 671 "before the security server is initialized\n"); 672 goto out; 673 } 674 675 /* 676 * Binary mount data FS will come through this function twice. Once 677 * from an explicit call and once from the generic calls from the vfs. 678 * Since the generic VFS calls will not contain any security mount data 679 * we need to skip the double mount verification. 680 * 681 * This does open a hole in which we will not notice if the first 682 * mount using this sb set explicit options and a second mount using 683 * this sb does not set any security options. (The first options 684 * will be used for both mounts) 685 */ 686 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 687 && !opts) 688 goto out; 689 690 root_isec = backing_inode_security_novalidate(root); 691 692 /* 693 * parse the mount options, check if they are valid sids. 694 * also check if someone is trying to mount the same sb more 695 * than once with different security options. 696 */ 697 if (opts) { 698 if (opts->fscontext_sid) { 699 fscontext_sid = opts->fscontext_sid; 700 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 701 fscontext_sid)) 702 goto out_double_mount; 703 sbsec->flags |= FSCONTEXT_MNT; 704 } 705 if (opts->context_sid) { 706 context_sid = opts->context_sid; 707 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 708 context_sid)) 709 goto out_double_mount; 710 sbsec->flags |= CONTEXT_MNT; 711 } 712 if (opts->rootcontext_sid) { 713 rootcontext_sid = opts->rootcontext_sid; 714 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 715 rootcontext_sid)) 716 goto out_double_mount; 717 sbsec->flags |= ROOTCONTEXT_MNT; 718 } 719 if (opts->defcontext_sid) { 720 defcontext_sid = opts->defcontext_sid; 721 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 722 defcontext_sid)) 723 goto out_double_mount; 724 sbsec->flags |= DEFCONTEXT_MNT; 725 } 726 } 727 728 if (sbsec->flags & SE_SBINITIALIZED) { 729 /* previously mounted with options, but not on this attempt? */ 730 if ((sbsec->flags & SE_MNTMASK) && !opts) 731 goto out_double_mount; 732 rc = 0; 733 goto out; 734 } 735 736 if (strcmp(sb->s_type->name, "proc") == 0) 737 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 738 739 if (!strcmp(sb->s_type->name, "debugfs") || 740 !strcmp(sb->s_type->name, "tracefs") || 741 !strcmp(sb->s_type->name, "binder") || 742 !strcmp(sb->s_type->name, "bpf") || 743 !strcmp(sb->s_type->name, "pstore") || 744 !strcmp(sb->s_type->name, "securityfs")) 745 sbsec->flags |= SE_SBGENFS; 746 747 if (!strcmp(sb->s_type->name, "sysfs") || 748 !strcmp(sb->s_type->name, "cgroup") || 749 !strcmp(sb->s_type->name, "cgroup2")) 750 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR; 751 752 if (!sbsec->behavior) { 753 /* 754 * Determine the labeling behavior to use for this 755 * filesystem type. 756 */ 757 rc = security_fs_use(sb); 758 if (rc) { 759 pr_warn("%s: security_fs_use(%s) returned %d\n", 760 __func__, sb->s_type->name, rc); 761 goto out; 762 } 763 } 764 765 /* 766 * If this is a user namespace mount and the filesystem type is not 767 * explicitly whitelisted, then no contexts are allowed on the command 768 * line and security labels must be ignored. 769 */ 770 if (sb->s_user_ns != &init_user_ns && 771 strcmp(sb->s_type->name, "tmpfs") && 772 strcmp(sb->s_type->name, "ramfs") && 773 strcmp(sb->s_type->name, "devpts") && 774 strcmp(sb->s_type->name, "overlay")) { 775 if (context_sid || fscontext_sid || rootcontext_sid || 776 defcontext_sid) { 777 rc = -EACCES; 778 goto out; 779 } 780 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 781 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 782 rc = security_transition_sid(current_sid(), 783 current_sid(), 784 SECCLASS_FILE, NULL, 785 &sbsec->mntpoint_sid); 786 if (rc) 787 goto out; 788 } 789 goto out_set_opts; 790 } 791 792 /* sets the context of the superblock for the fs being mounted. */ 793 if (fscontext_sid) { 794 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 795 if (rc) 796 goto out; 797 798 sbsec->sid = fscontext_sid; 799 } 800 801 /* 802 * Switch to using mount point labeling behavior. 803 * sets the label used on all file below the mountpoint, and will set 804 * the superblock context if not already set. 805 */ 806 if (sbsec->flags & SE_SBNATIVE) { 807 /* 808 * This means we are initializing a superblock that has been 809 * mounted before the SELinux was initialized and the 810 * filesystem requested native labeling. We had already 811 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags 812 * in the original mount attempt, so now we just need to set 813 * the SECURITY_FS_USE_NATIVE behavior. 814 */ 815 sbsec->behavior = SECURITY_FS_USE_NATIVE; 816 } else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 817 sbsec->behavior = SECURITY_FS_USE_NATIVE; 818 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 819 } 820 821 if (context_sid) { 822 if (!fscontext_sid) { 823 rc = may_context_mount_sb_relabel(context_sid, sbsec, 824 cred); 825 if (rc) 826 goto out; 827 sbsec->sid = context_sid; 828 } else { 829 rc = may_context_mount_inode_relabel(context_sid, sbsec, 830 cred); 831 if (rc) 832 goto out; 833 } 834 if (!rootcontext_sid) 835 rootcontext_sid = context_sid; 836 837 sbsec->mntpoint_sid = context_sid; 838 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 839 } 840 841 if (rootcontext_sid) { 842 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 843 cred); 844 if (rc) 845 goto out; 846 847 root_isec->sid = rootcontext_sid; 848 root_isec->initialized = LABEL_INITIALIZED; 849 } 850 851 if (defcontext_sid) { 852 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 853 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 854 rc = -EINVAL; 855 pr_warn("SELinux: defcontext option is " 856 "invalid for this filesystem type\n"); 857 goto out; 858 } 859 860 if (defcontext_sid != sbsec->def_sid) { 861 rc = may_context_mount_inode_relabel(defcontext_sid, 862 sbsec, cred); 863 if (rc) 864 goto out; 865 } 866 867 sbsec->def_sid = defcontext_sid; 868 } 869 870 out_set_opts: 871 rc = sb_finish_set_opts(sb); 872 out: 873 mutex_unlock(&sbsec->lock); 874 return rc; 875 out_double_mount: 876 rc = -EINVAL; 877 pr_warn("SELinux: mount invalid. Same superblock, different " 878 "security settings for (dev %s, type %s)\n", sb->s_id, 879 sb->s_type->name); 880 goto out; 881 } 882 883 static int selinux_cmp_sb_context(const struct super_block *oldsb, 884 const struct super_block *newsb) 885 { 886 struct superblock_security_struct *old = selinux_superblock(oldsb); 887 struct superblock_security_struct *new = selinux_superblock(newsb); 888 char oldflags = old->flags & SE_MNTMASK; 889 char newflags = new->flags & SE_MNTMASK; 890 891 if (oldflags != newflags) 892 goto mismatch; 893 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 894 goto mismatch; 895 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 896 goto mismatch; 897 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 898 goto mismatch; 899 if (oldflags & ROOTCONTEXT_MNT) { 900 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 901 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 902 if (oldroot->sid != newroot->sid) 903 goto mismatch; 904 } 905 return 0; 906 mismatch: 907 pr_warn("SELinux: mount invalid. Same superblock, " 908 "different security settings for (dev %s, " 909 "type %s)\n", newsb->s_id, newsb->s_type->name); 910 return -EBUSY; 911 } 912 913 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 914 struct super_block *newsb, 915 unsigned long kern_flags, 916 unsigned long *set_kern_flags) 917 { 918 int rc = 0; 919 const struct superblock_security_struct *oldsbsec = 920 selinux_superblock(oldsb); 921 struct superblock_security_struct *newsbsec = selinux_superblock(newsb); 922 923 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 924 int set_context = (oldsbsec->flags & CONTEXT_MNT); 925 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 926 927 /* 928 * Specifying internal flags without providing a place to 929 * place the results is not allowed. 930 */ 931 if (kern_flags && !set_kern_flags) 932 return -EINVAL; 933 934 mutex_lock(&newsbsec->lock); 935 936 /* 937 * if the parent was able to be mounted it clearly had no special lsm 938 * mount options. thus we can safely deal with this superblock later 939 */ 940 if (!selinux_initialized()) { 941 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) { 942 newsbsec->flags |= SE_SBNATIVE; 943 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 944 } 945 goto out; 946 } 947 948 /* how can we clone if the old one wasn't set up?? */ 949 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 950 951 /* if fs is reusing a sb, make sure that the contexts match */ 952 if (newsbsec->flags & SE_SBINITIALIZED) { 953 mutex_unlock(&newsbsec->lock); 954 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) 955 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 956 return selinux_cmp_sb_context(oldsb, newsb); 957 } 958 959 newsbsec->flags = oldsbsec->flags; 960 961 newsbsec->sid = oldsbsec->sid; 962 newsbsec->def_sid = oldsbsec->def_sid; 963 newsbsec->behavior = oldsbsec->behavior; 964 965 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 966 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 967 rc = security_fs_use(newsb); 968 if (rc) 969 goto out; 970 } 971 972 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 973 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 974 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 975 } 976 977 if (set_context) { 978 u32 sid = oldsbsec->mntpoint_sid; 979 980 if (!set_fscontext) 981 newsbsec->sid = sid; 982 if (!set_rootcontext) { 983 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 984 newisec->sid = sid; 985 } 986 newsbsec->mntpoint_sid = sid; 987 } 988 if (set_rootcontext) { 989 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 990 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 991 992 newisec->sid = oldisec->sid; 993 } 994 995 sb_finish_set_opts(newsb); 996 out: 997 mutex_unlock(&newsbsec->lock); 998 return rc; 999 } 1000 1001 /* 1002 * NOTE: the caller is responsible for freeing the memory even if on error. 1003 */ 1004 static int selinux_add_opt(int token, const char *s, void **mnt_opts) 1005 { 1006 struct selinux_mnt_opts *opts = *mnt_opts; 1007 u32 *dst_sid; 1008 int rc; 1009 1010 if (token == Opt_seclabel) 1011 /* eaten and completely ignored */ 1012 return 0; 1013 if (!s) 1014 return -EINVAL; 1015 1016 if (!selinux_initialized()) { 1017 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n"); 1018 return -EINVAL; 1019 } 1020 1021 if (!opts) { 1022 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 1023 if (!opts) 1024 return -ENOMEM; 1025 *mnt_opts = opts; 1026 } 1027 1028 switch (token) { 1029 case Opt_context: 1030 if (opts->context_sid || opts->defcontext_sid) 1031 goto err; 1032 dst_sid = &opts->context_sid; 1033 break; 1034 case Opt_fscontext: 1035 if (opts->fscontext_sid) 1036 goto err; 1037 dst_sid = &opts->fscontext_sid; 1038 break; 1039 case Opt_rootcontext: 1040 if (opts->rootcontext_sid) 1041 goto err; 1042 dst_sid = &opts->rootcontext_sid; 1043 break; 1044 case Opt_defcontext: 1045 if (opts->context_sid || opts->defcontext_sid) 1046 goto err; 1047 dst_sid = &opts->defcontext_sid; 1048 break; 1049 default: 1050 WARN_ON(1); 1051 return -EINVAL; 1052 } 1053 rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL); 1054 if (rc) 1055 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n", 1056 s, rc); 1057 return rc; 1058 1059 err: 1060 pr_warn(SEL_MOUNT_FAIL_MSG); 1061 return -EINVAL; 1062 } 1063 1064 static int show_sid(struct seq_file *m, u32 sid) 1065 { 1066 char *context = NULL; 1067 u32 len; 1068 int rc; 1069 1070 rc = security_sid_to_context(sid, &context, &len); 1071 if (!rc) { 1072 bool has_comma = strchr(context, ','); 1073 1074 seq_putc(m, '='); 1075 if (has_comma) 1076 seq_putc(m, '\"'); 1077 seq_escape(m, context, "\"\n\\"); 1078 if (has_comma) 1079 seq_putc(m, '\"'); 1080 } 1081 kfree(context); 1082 return rc; 1083 } 1084 1085 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1086 { 1087 struct superblock_security_struct *sbsec = selinux_superblock(sb); 1088 int rc; 1089 1090 if (!(sbsec->flags & SE_SBINITIALIZED)) 1091 return 0; 1092 1093 if (!selinux_initialized()) 1094 return 0; 1095 1096 if (sbsec->flags & FSCONTEXT_MNT) { 1097 seq_putc(m, ','); 1098 seq_puts(m, FSCONTEXT_STR); 1099 rc = show_sid(m, sbsec->sid); 1100 if (rc) 1101 return rc; 1102 } 1103 if (sbsec->flags & CONTEXT_MNT) { 1104 seq_putc(m, ','); 1105 seq_puts(m, CONTEXT_STR); 1106 rc = show_sid(m, sbsec->mntpoint_sid); 1107 if (rc) 1108 return rc; 1109 } 1110 if (sbsec->flags & DEFCONTEXT_MNT) { 1111 seq_putc(m, ','); 1112 seq_puts(m, DEFCONTEXT_STR); 1113 rc = show_sid(m, sbsec->def_sid); 1114 if (rc) 1115 return rc; 1116 } 1117 if (sbsec->flags & ROOTCONTEXT_MNT) { 1118 struct dentry *root = sb->s_root; 1119 struct inode_security_struct *isec = backing_inode_security(root); 1120 seq_putc(m, ','); 1121 seq_puts(m, ROOTCONTEXT_STR); 1122 rc = show_sid(m, isec->sid); 1123 if (rc) 1124 return rc; 1125 } 1126 if (sbsec->flags & SBLABEL_MNT) { 1127 seq_putc(m, ','); 1128 seq_puts(m, SECLABEL_STR); 1129 } 1130 return 0; 1131 } 1132 1133 static inline u16 inode_mode_to_security_class(umode_t mode) 1134 { 1135 switch (mode & S_IFMT) { 1136 case S_IFSOCK: 1137 return SECCLASS_SOCK_FILE; 1138 case S_IFLNK: 1139 return SECCLASS_LNK_FILE; 1140 case S_IFREG: 1141 return SECCLASS_FILE; 1142 case S_IFBLK: 1143 return SECCLASS_BLK_FILE; 1144 case S_IFDIR: 1145 return SECCLASS_DIR; 1146 case S_IFCHR: 1147 return SECCLASS_CHR_FILE; 1148 case S_IFIFO: 1149 return SECCLASS_FIFO_FILE; 1150 1151 } 1152 1153 return SECCLASS_FILE; 1154 } 1155 1156 static inline int default_protocol_stream(int protocol) 1157 { 1158 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP || 1159 protocol == IPPROTO_MPTCP); 1160 } 1161 1162 static inline int default_protocol_dgram(int protocol) 1163 { 1164 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1165 } 1166 1167 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1168 { 1169 bool extsockclass = selinux_policycap_extsockclass(); 1170 1171 switch (family) { 1172 case PF_UNIX: 1173 switch (type) { 1174 case SOCK_STREAM: 1175 case SOCK_SEQPACKET: 1176 return SECCLASS_UNIX_STREAM_SOCKET; 1177 case SOCK_DGRAM: 1178 case SOCK_RAW: 1179 return SECCLASS_UNIX_DGRAM_SOCKET; 1180 } 1181 break; 1182 case PF_INET: 1183 case PF_INET6: 1184 switch (type) { 1185 case SOCK_STREAM: 1186 case SOCK_SEQPACKET: 1187 if (default_protocol_stream(protocol)) 1188 return SECCLASS_TCP_SOCKET; 1189 else if (extsockclass && protocol == IPPROTO_SCTP) 1190 return SECCLASS_SCTP_SOCKET; 1191 else 1192 return SECCLASS_RAWIP_SOCKET; 1193 case SOCK_DGRAM: 1194 if (default_protocol_dgram(protocol)) 1195 return SECCLASS_UDP_SOCKET; 1196 else if (extsockclass && (protocol == IPPROTO_ICMP || 1197 protocol == IPPROTO_ICMPV6)) 1198 return SECCLASS_ICMP_SOCKET; 1199 else 1200 return SECCLASS_RAWIP_SOCKET; 1201 default: 1202 return SECCLASS_RAWIP_SOCKET; 1203 } 1204 break; 1205 case PF_NETLINK: 1206 switch (protocol) { 1207 case NETLINK_ROUTE: 1208 return SECCLASS_NETLINK_ROUTE_SOCKET; 1209 case NETLINK_SOCK_DIAG: 1210 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1211 case NETLINK_NFLOG: 1212 return SECCLASS_NETLINK_NFLOG_SOCKET; 1213 case NETLINK_XFRM: 1214 return SECCLASS_NETLINK_XFRM_SOCKET; 1215 case NETLINK_SELINUX: 1216 return SECCLASS_NETLINK_SELINUX_SOCKET; 1217 case NETLINK_ISCSI: 1218 return SECCLASS_NETLINK_ISCSI_SOCKET; 1219 case NETLINK_AUDIT: 1220 return SECCLASS_NETLINK_AUDIT_SOCKET; 1221 case NETLINK_FIB_LOOKUP: 1222 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1223 case NETLINK_CONNECTOR: 1224 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1225 case NETLINK_NETFILTER: 1226 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1227 case NETLINK_DNRTMSG: 1228 return SECCLASS_NETLINK_DNRT_SOCKET; 1229 case NETLINK_KOBJECT_UEVENT: 1230 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1231 case NETLINK_GENERIC: 1232 return SECCLASS_NETLINK_GENERIC_SOCKET; 1233 case NETLINK_SCSITRANSPORT: 1234 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1235 case NETLINK_RDMA: 1236 return SECCLASS_NETLINK_RDMA_SOCKET; 1237 case NETLINK_CRYPTO: 1238 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1239 default: 1240 return SECCLASS_NETLINK_SOCKET; 1241 } 1242 case PF_PACKET: 1243 return SECCLASS_PACKET_SOCKET; 1244 case PF_KEY: 1245 return SECCLASS_KEY_SOCKET; 1246 case PF_APPLETALK: 1247 return SECCLASS_APPLETALK_SOCKET; 1248 } 1249 1250 if (extsockclass) { 1251 switch (family) { 1252 case PF_AX25: 1253 return SECCLASS_AX25_SOCKET; 1254 case PF_IPX: 1255 return SECCLASS_IPX_SOCKET; 1256 case PF_NETROM: 1257 return SECCLASS_NETROM_SOCKET; 1258 case PF_ATMPVC: 1259 return SECCLASS_ATMPVC_SOCKET; 1260 case PF_X25: 1261 return SECCLASS_X25_SOCKET; 1262 case PF_ROSE: 1263 return SECCLASS_ROSE_SOCKET; 1264 case PF_DECnet: 1265 return SECCLASS_DECNET_SOCKET; 1266 case PF_ATMSVC: 1267 return SECCLASS_ATMSVC_SOCKET; 1268 case PF_RDS: 1269 return SECCLASS_RDS_SOCKET; 1270 case PF_IRDA: 1271 return SECCLASS_IRDA_SOCKET; 1272 case PF_PPPOX: 1273 return SECCLASS_PPPOX_SOCKET; 1274 case PF_LLC: 1275 return SECCLASS_LLC_SOCKET; 1276 case PF_CAN: 1277 return SECCLASS_CAN_SOCKET; 1278 case PF_TIPC: 1279 return SECCLASS_TIPC_SOCKET; 1280 case PF_BLUETOOTH: 1281 return SECCLASS_BLUETOOTH_SOCKET; 1282 case PF_IUCV: 1283 return SECCLASS_IUCV_SOCKET; 1284 case PF_RXRPC: 1285 return SECCLASS_RXRPC_SOCKET; 1286 case PF_ISDN: 1287 return SECCLASS_ISDN_SOCKET; 1288 case PF_PHONET: 1289 return SECCLASS_PHONET_SOCKET; 1290 case PF_IEEE802154: 1291 return SECCLASS_IEEE802154_SOCKET; 1292 case PF_CAIF: 1293 return SECCLASS_CAIF_SOCKET; 1294 case PF_ALG: 1295 return SECCLASS_ALG_SOCKET; 1296 case PF_NFC: 1297 return SECCLASS_NFC_SOCKET; 1298 case PF_VSOCK: 1299 return SECCLASS_VSOCK_SOCKET; 1300 case PF_KCM: 1301 return SECCLASS_KCM_SOCKET; 1302 case PF_QIPCRTR: 1303 return SECCLASS_QIPCRTR_SOCKET; 1304 case PF_SMC: 1305 return SECCLASS_SMC_SOCKET; 1306 case PF_XDP: 1307 return SECCLASS_XDP_SOCKET; 1308 case PF_MCTP: 1309 return SECCLASS_MCTP_SOCKET; 1310 #if PF_MAX > 46 1311 #error New address family defined, please update this function. 1312 #endif 1313 } 1314 } 1315 1316 return SECCLASS_SOCKET; 1317 } 1318 1319 static int selinux_genfs_get_sid(struct dentry *dentry, 1320 u16 tclass, 1321 u16 flags, 1322 u32 *sid) 1323 { 1324 int rc; 1325 struct super_block *sb = dentry->d_sb; 1326 char *buffer, *path; 1327 1328 buffer = (char *)__get_free_page(GFP_KERNEL); 1329 if (!buffer) 1330 return -ENOMEM; 1331 1332 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1333 if (IS_ERR(path)) 1334 rc = PTR_ERR(path); 1335 else { 1336 if (flags & SE_SBPROC) { 1337 /* each process gets a /proc/PID/ entry. Strip off the 1338 * PID part to get a valid selinux labeling. 1339 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1340 while (path[1] >= '0' && path[1] <= '9') { 1341 path[1] = '/'; 1342 path++; 1343 } 1344 } 1345 rc = security_genfs_sid(sb->s_type->name, 1346 path, tclass, sid); 1347 if (rc == -ENOENT) { 1348 /* No match in policy, mark as unlabeled. */ 1349 *sid = SECINITSID_UNLABELED; 1350 rc = 0; 1351 } 1352 } 1353 free_page((unsigned long)buffer); 1354 return rc; 1355 } 1356 1357 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry, 1358 u32 def_sid, u32 *sid) 1359 { 1360 #define INITCONTEXTLEN 255 1361 char *context; 1362 unsigned int len; 1363 int rc; 1364 1365 len = INITCONTEXTLEN; 1366 context = kmalloc(len + 1, GFP_NOFS); 1367 if (!context) 1368 return -ENOMEM; 1369 1370 context[len] = '\0'; 1371 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1372 if (rc == -ERANGE) { 1373 kfree(context); 1374 1375 /* Need a larger buffer. Query for the right size. */ 1376 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1377 if (rc < 0) 1378 return rc; 1379 1380 len = rc; 1381 context = kmalloc(len + 1, GFP_NOFS); 1382 if (!context) 1383 return -ENOMEM; 1384 1385 context[len] = '\0'; 1386 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, 1387 context, len); 1388 } 1389 if (rc < 0) { 1390 kfree(context); 1391 if (rc != -ENODATA) { 1392 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n", 1393 __func__, -rc, inode->i_sb->s_id, inode->i_ino); 1394 return rc; 1395 } 1396 *sid = def_sid; 1397 return 0; 1398 } 1399 1400 rc = security_context_to_sid_default(context, rc, sid, 1401 def_sid, GFP_NOFS); 1402 if (rc) { 1403 char *dev = inode->i_sb->s_id; 1404 unsigned long ino = inode->i_ino; 1405 1406 if (rc == -EINVAL) { 1407 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n", 1408 ino, dev, context); 1409 } else { 1410 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n", 1411 __func__, context, -rc, dev, ino); 1412 } 1413 } 1414 kfree(context); 1415 return 0; 1416 } 1417 1418 /* The inode's security attributes must be initialized before first use. */ 1419 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1420 { 1421 struct superblock_security_struct *sbsec = NULL; 1422 struct inode_security_struct *isec = selinux_inode(inode); 1423 u32 task_sid, sid = 0; 1424 u16 sclass; 1425 struct dentry *dentry; 1426 int rc = 0; 1427 1428 if (isec->initialized == LABEL_INITIALIZED) 1429 return 0; 1430 1431 spin_lock(&isec->lock); 1432 if (isec->initialized == LABEL_INITIALIZED) 1433 goto out_unlock; 1434 1435 if (isec->sclass == SECCLASS_FILE) 1436 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1437 1438 sbsec = selinux_superblock(inode->i_sb); 1439 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1440 /* Defer initialization until selinux_complete_init, 1441 after the initial policy is loaded and the security 1442 server is ready to handle calls. */ 1443 spin_lock(&sbsec->isec_lock); 1444 if (list_empty(&isec->list)) 1445 list_add(&isec->list, &sbsec->isec_head); 1446 spin_unlock(&sbsec->isec_lock); 1447 goto out_unlock; 1448 } 1449 1450 sclass = isec->sclass; 1451 task_sid = isec->task_sid; 1452 sid = isec->sid; 1453 isec->initialized = LABEL_PENDING; 1454 spin_unlock(&isec->lock); 1455 1456 switch (sbsec->behavior) { 1457 /* 1458 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels 1459 * via xattr when called from delayed_superblock_init(). 1460 */ 1461 case SECURITY_FS_USE_NATIVE: 1462 case SECURITY_FS_USE_XATTR: 1463 if (!(inode->i_opflags & IOP_XATTR)) { 1464 sid = sbsec->def_sid; 1465 break; 1466 } 1467 /* Need a dentry, since the xattr API requires one. 1468 Life would be simpler if we could just pass the inode. */ 1469 if (opt_dentry) { 1470 /* Called from d_instantiate or d_splice_alias. */ 1471 dentry = dget(opt_dentry); 1472 } else { 1473 /* 1474 * Called from selinux_complete_init, try to find a dentry. 1475 * Some filesystems really want a connected one, so try 1476 * that first. We could split SECURITY_FS_USE_XATTR in 1477 * two, depending upon that... 1478 */ 1479 dentry = d_find_alias(inode); 1480 if (!dentry) 1481 dentry = d_find_any_alias(inode); 1482 } 1483 if (!dentry) { 1484 /* 1485 * this is can be hit on boot when a file is accessed 1486 * before the policy is loaded. When we load policy we 1487 * may find inodes that have no dentry on the 1488 * sbsec->isec_head list. No reason to complain as these 1489 * will get fixed up the next time we go through 1490 * inode_doinit with a dentry, before these inodes could 1491 * be used again by userspace. 1492 */ 1493 goto out_invalid; 1494 } 1495 1496 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid, 1497 &sid); 1498 dput(dentry); 1499 if (rc) 1500 goto out; 1501 break; 1502 case SECURITY_FS_USE_TASK: 1503 sid = task_sid; 1504 break; 1505 case SECURITY_FS_USE_TRANS: 1506 /* Default to the fs SID. */ 1507 sid = sbsec->sid; 1508 1509 /* Try to obtain a transition SID. */ 1510 rc = security_transition_sid(task_sid, sid, 1511 sclass, NULL, &sid); 1512 if (rc) 1513 goto out; 1514 break; 1515 case SECURITY_FS_USE_MNTPOINT: 1516 sid = sbsec->mntpoint_sid; 1517 break; 1518 default: 1519 /* Default to the fs superblock SID. */ 1520 sid = sbsec->sid; 1521 1522 if ((sbsec->flags & SE_SBGENFS) && 1523 (!S_ISLNK(inode->i_mode) || 1524 selinux_policycap_genfs_seclabel_symlinks())) { 1525 /* We must have a dentry to determine the label on 1526 * procfs inodes */ 1527 if (opt_dentry) { 1528 /* Called from d_instantiate or 1529 * d_splice_alias. */ 1530 dentry = dget(opt_dentry); 1531 } else { 1532 /* Called from selinux_complete_init, try to 1533 * find a dentry. Some filesystems really want 1534 * a connected one, so try that first. 1535 */ 1536 dentry = d_find_alias(inode); 1537 if (!dentry) 1538 dentry = d_find_any_alias(inode); 1539 } 1540 /* 1541 * This can be hit on boot when a file is accessed 1542 * before the policy is loaded. When we load policy we 1543 * may find inodes that have no dentry on the 1544 * sbsec->isec_head list. No reason to complain as 1545 * these will get fixed up the next time we go through 1546 * inode_doinit() with a dentry, before these inodes 1547 * could be used again by userspace. 1548 */ 1549 if (!dentry) 1550 goto out_invalid; 1551 rc = selinux_genfs_get_sid(dentry, sclass, 1552 sbsec->flags, &sid); 1553 if (rc) { 1554 dput(dentry); 1555 goto out; 1556 } 1557 1558 if ((sbsec->flags & SE_SBGENFS_XATTR) && 1559 (inode->i_opflags & IOP_XATTR)) { 1560 rc = inode_doinit_use_xattr(inode, dentry, 1561 sid, &sid); 1562 if (rc) { 1563 dput(dentry); 1564 goto out; 1565 } 1566 } 1567 dput(dentry); 1568 } 1569 break; 1570 } 1571 1572 out: 1573 spin_lock(&isec->lock); 1574 if (isec->initialized == LABEL_PENDING) { 1575 if (rc) { 1576 isec->initialized = LABEL_INVALID; 1577 goto out_unlock; 1578 } 1579 isec->initialized = LABEL_INITIALIZED; 1580 isec->sid = sid; 1581 } 1582 1583 out_unlock: 1584 spin_unlock(&isec->lock); 1585 return rc; 1586 1587 out_invalid: 1588 spin_lock(&isec->lock); 1589 if (isec->initialized == LABEL_PENDING) { 1590 isec->initialized = LABEL_INVALID; 1591 isec->sid = sid; 1592 } 1593 spin_unlock(&isec->lock); 1594 return 0; 1595 } 1596 1597 /* Convert a Linux signal to an access vector. */ 1598 static inline u32 signal_to_av(int sig) 1599 { 1600 u32 perm = 0; 1601 1602 switch (sig) { 1603 case SIGCHLD: 1604 /* Commonly granted from child to parent. */ 1605 perm = PROCESS__SIGCHLD; 1606 break; 1607 case SIGKILL: 1608 /* Cannot be caught or ignored */ 1609 perm = PROCESS__SIGKILL; 1610 break; 1611 case SIGSTOP: 1612 /* Cannot be caught or ignored */ 1613 perm = PROCESS__SIGSTOP; 1614 break; 1615 default: 1616 /* All other signals. */ 1617 perm = PROCESS__SIGNAL; 1618 break; 1619 } 1620 1621 return perm; 1622 } 1623 1624 #if CAP_LAST_CAP > 63 1625 #error Fix SELinux to handle capabilities > 63. 1626 #endif 1627 1628 /* Check whether a task is allowed to use a capability. */ 1629 static int cred_has_capability(const struct cred *cred, 1630 int cap, unsigned int opts, bool initns) 1631 { 1632 struct common_audit_data ad; 1633 struct av_decision avd; 1634 u16 sclass; 1635 u32 sid = cred_sid(cred); 1636 u32 av = CAP_TO_MASK(cap); 1637 int rc; 1638 1639 ad.type = LSM_AUDIT_DATA_CAP; 1640 ad.u.cap = cap; 1641 1642 switch (CAP_TO_INDEX(cap)) { 1643 case 0: 1644 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1645 break; 1646 case 1: 1647 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1648 break; 1649 default: 1650 pr_err("SELinux: out of range capability %d\n", cap); 1651 BUG(); 1652 return -EINVAL; 1653 } 1654 1655 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1656 if (!(opts & CAP_OPT_NOAUDIT)) { 1657 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); 1658 if (rc2) 1659 return rc2; 1660 } 1661 return rc; 1662 } 1663 1664 /* Check whether a task has a particular permission to an inode. 1665 The 'adp' parameter is optional and allows other audit 1666 data to be passed (e.g. the dentry). */ 1667 static int inode_has_perm(const struct cred *cred, 1668 struct inode *inode, 1669 u32 perms, 1670 struct common_audit_data *adp) 1671 { 1672 struct inode_security_struct *isec; 1673 u32 sid; 1674 1675 if (unlikely(IS_PRIVATE(inode))) 1676 return 0; 1677 1678 sid = cred_sid(cred); 1679 isec = selinux_inode(inode); 1680 1681 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1682 } 1683 1684 /* Same as inode_has_perm, but pass explicit audit data containing 1685 the dentry to help the auditing code to more easily generate the 1686 pathname if needed. */ 1687 static inline int dentry_has_perm(const struct cred *cred, 1688 struct dentry *dentry, 1689 u32 av) 1690 { 1691 struct common_audit_data ad; 1692 struct inode *inode = d_backing_inode(dentry); 1693 struct inode_security_struct *isec = selinux_inode(inode); 1694 1695 ad.type = LSM_AUDIT_DATA_DENTRY; 1696 ad.u.dentry = dentry; 1697 /* check below is racy, but revalidate will recheck with lock held */ 1698 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED))) 1699 __inode_security_revalidate(inode, dentry, true); 1700 return inode_has_perm(cred, inode, av, &ad); 1701 } 1702 1703 /* Same as inode_has_perm, but pass explicit audit data containing 1704 the path to help the auditing code to more easily generate the 1705 pathname if needed. */ 1706 static inline int path_has_perm(const struct cred *cred, 1707 const struct path *path, 1708 u32 av) 1709 { 1710 struct common_audit_data ad; 1711 struct inode *inode = d_backing_inode(path->dentry); 1712 struct inode_security_struct *isec = selinux_inode(inode); 1713 1714 ad.type = LSM_AUDIT_DATA_PATH; 1715 ad.u.path = *path; 1716 /* check below is racy, but revalidate will recheck with lock held */ 1717 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED))) 1718 __inode_security_revalidate(inode, path->dentry, true); 1719 return inode_has_perm(cred, inode, av, &ad); 1720 } 1721 1722 /* Same as path_has_perm, but uses the inode from the file struct. */ 1723 static inline int file_path_has_perm(const struct cred *cred, 1724 struct file *file, 1725 u32 av) 1726 { 1727 struct common_audit_data ad; 1728 1729 ad.type = LSM_AUDIT_DATA_FILE; 1730 ad.u.file = file; 1731 return inode_has_perm(cred, file_inode(file), av, &ad); 1732 } 1733 1734 #ifdef CONFIG_BPF_SYSCALL 1735 static int bpf_fd_pass(const struct file *file, u32 sid); 1736 #endif 1737 1738 /* Check whether a task can use an open file descriptor to 1739 access an inode in a given way. Check access to the 1740 descriptor itself, and then use dentry_has_perm to 1741 check a particular permission to the file. 1742 Access to the descriptor is implicitly granted if it 1743 has the same SID as the process. If av is zero, then 1744 access to the file is not checked, e.g. for cases 1745 where only the descriptor is affected like seek. */ 1746 static int file_has_perm(const struct cred *cred, 1747 struct file *file, 1748 u32 av) 1749 { 1750 struct file_security_struct *fsec = selinux_file(file); 1751 struct inode *inode = file_inode(file); 1752 struct common_audit_data ad; 1753 u32 sid = cred_sid(cred); 1754 int rc; 1755 1756 ad.type = LSM_AUDIT_DATA_FILE; 1757 ad.u.file = file; 1758 1759 if (sid != fsec->sid) { 1760 rc = avc_has_perm(sid, fsec->sid, 1761 SECCLASS_FD, 1762 FD__USE, 1763 &ad); 1764 if (rc) 1765 goto out; 1766 } 1767 1768 #ifdef CONFIG_BPF_SYSCALL 1769 rc = bpf_fd_pass(file, cred_sid(cred)); 1770 if (rc) 1771 return rc; 1772 #endif 1773 1774 /* av is zero if only checking access to the descriptor. */ 1775 rc = 0; 1776 if (av) 1777 rc = inode_has_perm(cred, inode, av, &ad); 1778 1779 out: 1780 return rc; 1781 } 1782 1783 /* 1784 * Determine the label for an inode that might be unioned. 1785 */ 1786 static int 1787 selinux_determine_inode_label(const struct task_security_struct *tsec, 1788 struct inode *dir, 1789 const struct qstr *name, u16 tclass, 1790 u32 *_new_isid) 1791 { 1792 const struct superblock_security_struct *sbsec = 1793 selinux_superblock(dir->i_sb); 1794 1795 if ((sbsec->flags & SE_SBINITIALIZED) && 1796 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1797 *_new_isid = sbsec->mntpoint_sid; 1798 } else if ((sbsec->flags & SBLABEL_MNT) && 1799 tsec->create_sid) { 1800 *_new_isid = tsec->create_sid; 1801 } else { 1802 const struct inode_security_struct *dsec = inode_security(dir); 1803 return security_transition_sid(tsec->sid, 1804 dsec->sid, tclass, 1805 name, _new_isid); 1806 } 1807 1808 return 0; 1809 } 1810 1811 /* Check whether a task can create a file. */ 1812 static int may_create(struct inode *dir, 1813 struct dentry *dentry, 1814 u16 tclass) 1815 { 1816 const struct task_security_struct *tsec = selinux_cred(current_cred()); 1817 struct inode_security_struct *dsec; 1818 struct superblock_security_struct *sbsec; 1819 u32 sid, newsid; 1820 struct common_audit_data ad; 1821 int rc; 1822 1823 dsec = inode_security(dir); 1824 sbsec = selinux_superblock(dir->i_sb); 1825 1826 sid = tsec->sid; 1827 1828 ad.type = LSM_AUDIT_DATA_DENTRY; 1829 ad.u.dentry = dentry; 1830 1831 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1832 DIR__ADD_NAME | DIR__SEARCH, 1833 &ad); 1834 if (rc) 1835 return rc; 1836 1837 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass, 1838 &newsid); 1839 if (rc) 1840 return rc; 1841 1842 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1843 if (rc) 1844 return rc; 1845 1846 return avc_has_perm(newsid, sbsec->sid, 1847 SECCLASS_FILESYSTEM, 1848 FILESYSTEM__ASSOCIATE, &ad); 1849 } 1850 1851 #define MAY_LINK 0 1852 #define MAY_UNLINK 1 1853 #define MAY_RMDIR 2 1854 1855 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1856 static int may_link(struct inode *dir, 1857 struct dentry *dentry, 1858 int kind) 1859 1860 { 1861 struct inode_security_struct *dsec, *isec; 1862 struct common_audit_data ad; 1863 u32 sid = current_sid(); 1864 u32 av; 1865 int rc; 1866 1867 dsec = inode_security(dir); 1868 isec = backing_inode_security(dentry); 1869 1870 ad.type = LSM_AUDIT_DATA_DENTRY; 1871 ad.u.dentry = dentry; 1872 1873 av = DIR__SEARCH; 1874 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1875 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1876 if (rc) 1877 return rc; 1878 1879 switch (kind) { 1880 case MAY_LINK: 1881 av = FILE__LINK; 1882 break; 1883 case MAY_UNLINK: 1884 av = FILE__UNLINK; 1885 break; 1886 case MAY_RMDIR: 1887 av = DIR__RMDIR; 1888 break; 1889 default: 1890 pr_warn("SELinux: %s: unrecognized kind %d\n", 1891 __func__, kind); 1892 return 0; 1893 } 1894 1895 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1896 return rc; 1897 } 1898 1899 static inline int may_rename(struct inode *old_dir, 1900 struct dentry *old_dentry, 1901 struct inode *new_dir, 1902 struct dentry *new_dentry) 1903 { 1904 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1905 struct common_audit_data ad; 1906 u32 sid = current_sid(); 1907 u32 av; 1908 int old_is_dir, new_is_dir; 1909 int rc; 1910 1911 old_dsec = inode_security(old_dir); 1912 old_isec = backing_inode_security(old_dentry); 1913 old_is_dir = d_is_dir(old_dentry); 1914 new_dsec = inode_security(new_dir); 1915 1916 ad.type = LSM_AUDIT_DATA_DENTRY; 1917 1918 ad.u.dentry = old_dentry; 1919 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1920 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1921 if (rc) 1922 return rc; 1923 rc = avc_has_perm(sid, old_isec->sid, 1924 old_isec->sclass, FILE__RENAME, &ad); 1925 if (rc) 1926 return rc; 1927 if (old_is_dir && new_dir != old_dir) { 1928 rc = avc_has_perm(sid, old_isec->sid, 1929 old_isec->sclass, DIR__REPARENT, &ad); 1930 if (rc) 1931 return rc; 1932 } 1933 1934 ad.u.dentry = new_dentry; 1935 av = DIR__ADD_NAME | DIR__SEARCH; 1936 if (d_is_positive(new_dentry)) 1937 av |= DIR__REMOVE_NAME; 1938 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1939 if (rc) 1940 return rc; 1941 if (d_is_positive(new_dentry)) { 1942 new_isec = backing_inode_security(new_dentry); 1943 new_is_dir = d_is_dir(new_dentry); 1944 rc = avc_has_perm(sid, new_isec->sid, 1945 new_isec->sclass, 1946 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1947 if (rc) 1948 return rc; 1949 } 1950 1951 return 0; 1952 } 1953 1954 /* Check whether a task can perform a filesystem operation. */ 1955 static int superblock_has_perm(const struct cred *cred, 1956 const struct super_block *sb, 1957 u32 perms, 1958 struct common_audit_data *ad) 1959 { 1960 struct superblock_security_struct *sbsec; 1961 u32 sid = cred_sid(cred); 1962 1963 sbsec = selinux_superblock(sb); 1964 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1965 } 1966 1967 /* Convert a Linux mode and permission mask to an access vector. */ 1968 static inline u32 file_mask_to_av(int mode, int mask) 1969 { 1970 u32 av = 0; 1971 1972 if (!S_ISDIR(mode)) { 1973 if (mask & MAY_EXEC) 1974 av |= FILE__EXECUTE; 1975 if (mask & MAY_READ) 1976 av |= FILE__READ; 1977 1978 if (mask & MAY_APPEND) 1979 av |= FILE__APPEND; 1980 else if (mask & MAY_WRITE) 1981 av |= FILE__WRITE; 1982 1983 } else { 1984 if (mask & MAY_EXEC) 1985 av |= DIR__SEARCH; 1986 if (mask & MAY_WRITE) 1987 av |= DIR__WRITE; 1988 if (mask & MAY_READ) 1989 av |= DIR__READ; 1990 } 1991 1992 return av; 1993 } 1994 1995 /* Convert a Linux file to an access vector. */ 1996 static inline u32 file_to_av(const struct file *file) 1997 { 1998 u32 av = 0; 1999 2000 if (file->f_mode & FMODE_READ) 2001 av |= FILE__READ; 2002 if (file->f_mode & FMODE_WRITE) { 2003 if (file->f_flags & O_APPEND) 2004 av |= FILE__APPEND; 2005 else 2006 av |= FILE__WRITE; 2007 } 2008 if (!av) { 2009 /* 2010 * Special file opened with flags 3 for ioctl-only use. 2011 */ 2012 av = FILE__IOCTL; 2013 } 2014 2015 return av; 2016 } 2017 2018 /* 2019 * Convert a file to an access vector and include the correct 2020 * open permission. 2021 */ 2022 static inline u32 open_file_to_av(struct file *file) 2023 { 2024 u32 av = file_to_av(file); 2025 struct inode *inode = file_inode(file); 2026 2027 if (selinux_policycap_openperm() && 2028 inode->i_sb->s_magic != SOCKFS_MAGIC) 2029 av |= FILE__OPEN; 2030 2031 return av; 2032 } 2033 2034 /* Hook functions begin here. */ 2035 2036 static int selinux_binder_set_context_mgr(const struct cred *mgr) 2037 { 2038 return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER, 2039 BINDER__SET_CONTEXT_MGR, NULL); 2040 } 2041 2042 static int selinux_binder_transaction(const struct cred *from, 2043 const struct cred *to) 2044 { 2045 u32 mysid = current_sid(); 2046 u32 fromsid = cred_sid(from); 2047 u32 tosid = cred_sid(to); 2048 int rc; 2049 2050 if (mysid != fromsid) { 2051 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2052 BINDER__IMPERSONATE, NULL); 2053 if (rc) 2054 return rc; 2055 } 2056 2057 return avc_has_perm(fromsid, tosid, 2058 SECCLASS_BINDER, BINDER__CALL, NULL); 2059 } 2060 2061 static int selinux_binder_transfer_binder(const struct cred *from, 2062 const struct cred *to) 2063 { 2064 return avc_has_perm(cred_sid(from), cred_sid(to), 2065 SECCLASS_BINDER, BINDER__TRANSFER, 2066 NULL); 2067 } 2068 2069 static int selinux_binder_transfer_file(const struct cred *from, 2070 const struct cred *to, 2071 const struct file *file) 2072 { 2073 u32 sid = cred_sid(to); 2074 struct file_security_struct *fsec = selinux_file(file); 2075 struct dentry *dentry = file->f_path.dentry; 2076 struct inode_security_struct *isec; 2077 struct common_audit_data ad; 2078 int rc; 2079 2080 ad.type = LSM_AUDIT_DATA_PATH; 2081 ad.u.path = file->f_path; 2082 2083 if (sid != fsec->sid) { 2084 rc = avc_has_perm(sid, fsec->sid, 2085 SECCLASS_FD, 2086 FD__USE, 2087 &ad); 2088 if (rc) 2089 return rc; 2090 } 2091 2092 #ifdef CONFIG_BPF_SYSCALL 2093 rc = bpf_fd_pass(file, sid); 2094 if (rc) 2095 return rc; 2096 #endif 2097 2098 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2099 return 0; 2100 2101 isec = backing_inode_security(dentry); 2102 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2103 &ad); 2104 } 2105 2106 static int selinux_ptrace_access_check(struct task_struct *child, 2107 unsigned int mode) 2108 { 2109 u32 sid = current_sid(); 2110 u32 csid = task_sid_obj(child); 2111 2112 if (mode & PTRACE_MODE_READ) 2113 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, 2114 NULL); 2115 2116 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, 2117 NULL); 2118 } 2119 2120 static int selinux_ptrace_traceme(struct task_struct *parent) 2121 { 2122 return avc_has_perm(task_sid_obj(parent), task_sid_obj(current), 2123 SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2124 } 2125 2126 static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective, 2127 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2128 { 2129 return avc_has_perm(current_sid(), task_sid_obj(target), 2130 SECCLASS_PROCESS, PROCESS__GETCAP, NULL); 2131 } 2132 2133 static int selinux_capset(struct cred *new, const struct cred *old, 2134 const kernel_cap_t *effective, 2135 const kernel_cap_t *inheritable, 2136 const kernel_cap_t *permitted) 2137 { 2138 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2139 PROCESS__SETCAP, NULL); 2140 } 2141 2142 /* 2143 * (This comment used to live with the selinux_task_setuid hook, 2144 * which was removed). 2145 * 2146 * Since setuid only affects the current process, and since the SELinux 2147 * controls are not based on the Linux identity attributes, SELinux does not 2148 * need to control this operation. However, SELinux does control the use of 2149 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2150 */ 2151 2152 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2153 int cap, unsigned int opts) 2154 { 2155 return cred_has_capability(cred, cap, opts, ns == &init_user_ns); 2156 } 2157 2158 static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb) 2159 { 2160 const struct cred *cred = current_cred(); 2161 int rc = 0; 2162 2163 if (!sb) 2164 return 0; 2165 2166 switch (cmds) { 2167 case Q_SYNC: 2168 case Q_QUOTAON: 2169 case Q_QUOTAOFF: 2170 case Q_SETINFO: 2171 case Q_SETQUOTA: 2172 case Q_XQUOTAOFF: 2173 case Q_XQUOTAON: 2174 case Q_XSETQLIM: 2175 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2176 break; 2177 case Q_GETFMT: 2178 case Q_GETINFO: 2179 case Q_GETQUOTA: 2180 case Q_XGETQUOTA: 2181 case Q_XGETQSTAT: 2182 case Q_XGETQSTATV: 2183 case Q_XGETNEXTQUOTA: 2184 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2185 break; 2186 default: 2187 rc = 0; /* let the kernel handle invalid cmds */ 2188 break; 2189 } 2190 return rc; 2191 } 2192 2193 static int selinux_quota_on(struct dentry *dentry) 2194 { 2195 const struct cred *cred = current_cred(); 2196 2197 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2198 } 2199 2200 static int selinux_syslog(int type) 2201 { 2202 switch (type) { 2203 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2204 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2205 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2206 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2207 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2208 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2209 /* Set level of messages printed to console */ 2210 case SYSLOG_ACTION_CONSOLE_LEVEL: 2211 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2212 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2213 NULL); 2214 } 2215 /* All other syslog types */ 2216 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2217 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2218 } 2219 2220 /* 2221 * Check permission for allocating a new virtual mapping. Returns 2222 * 0 if permission is granted, negative error code if not. 2223 * 2224 * Do not audit the selinux permission check, as this is applied to all 2225 * processes that allocate mappings. 2226 */ 2227 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2228 { 2229 return cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2230 CAP_OPT_NOAUDIT, true); 2231 } 2232 2233 /* binprm security operations */ 2234 2235 static u32 ptrace_parent_sid(void) 2236 { 2237 u32 sid = 0; 2238 struct task_struct *tracer; 2239 2240 rcu_read_lock(); 2241 tracer = ptrace_parent(current); 2242 if (tracer) 2243 sid = task_sid_obj(tracer); 2244 rcu_read_unlock(); 2245 2246 return sid; 2247 } 2248 2249 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2250 const struct task_security_struct *old_tsec, 2251 const struct task_security_struct *new_tsec) 2252 { 2253 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2254 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2255 int rc; 2256 u32 av; 2257 2258 if (!nnp && !nosuid) 2259 return 0; /* neither NNP nor nosuid */ 2260 2261 if (new_tsec->sid == old_tsec->sid) 2262 return 0; /* No change in credentials */ 2263 2264 /* 2265 * If the policy enables the nnp_nosuid_transition policy capability, 2266 * then we permit transitions under NNP or nosuid if the 2267 * policy allows the corresponding permission between 2268 * the old and new contexts. 2269 */ 2270 if (selinux_policycap_nnp_nosuid_transition()) { 2271 av = 0; 2272 if (nnp) 2273 av |= PROCESS2__NNP_TRANSITION; 2274 if (nosuid) 2275 av |= PROCESS2__NOSUID_TRANSITION; 2276 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2277 SECCLASS_PROCESS2, av, NULL); 2278 if (!rc) 2279 return 0; 2280 } 2281 2282 /* 2283 * We also permit NNP or nosuid transitions to bounded SIDs, 2284 * i.e. SIDs that are guaranteed to only be allowed a subset 2285 * of the permissions of the current SID. 2286 */ 2287 rc = security_bounded_transition(old_tsec->sid, 2288 new_tsec->sid); 2289 if (!rc) 2290 return 0; 2291 2292 /* 2293 * On failure, preserve the errno values for NNP vs nosuid. 2294 * NNP: Operation not permitted for caller. 2295 * nosuid: Permission denied to file. 2296 */ 2297 if (nnp) 2298 return -EPERM; 2299 return -EACCES; 2300 } 2301 2302 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) 2303 { 2304 const struct task_security_struct *old_tsec; 2305 struct task_security_struct *new_tsec; 2306 struct inode_security_struct *isec; 2307 struct common_audit_data ad; 2308 struct inode *inode = file_inode(bprm->file); 2309 int rc; 2310 2311 /* SELinux context only depends on initial program or script and not 2312 * the script interpreter */ 2313 2314 old_tsec = selinux_cred(current_cred()); 2315 new_tsec = selinux_cred(bprm->cred); 2316 isec = inode_security(inode); 2317 2318 /* Default to the current task SID. */ 2319 new_tsec->sid = old_tsec->sid; 2320 new_tsec->osid = old_tsec->sid; 2321 2322 /* Reset fs, key, and sock SIDs on execve. */ 2323 new_tsec->create_sid = 0; 2324 new_tsec->keycreate_sid = 0; 2325 new_tsec->sockcreate_sid = 0; 2326 2327 /* 2328 * Before policy is loaded, label any task outside kernel space 2329 * as SECINITSID_INIT, so that any userspace tasks surviving from 2330 * early boot end up with a label different from SECINITSID_KERNEL 2331 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL). 2332 */ 2333 if (!selinux_initialized()) { 2334 new_tsec->sid = SECINITSID_INIT; 2335 /* also clear the exec_sid just in case */ 2336 new_tsec->exec_sid = 0; 2337 return 0; 2338 } 2339 2340 if (old_tsec->exec_sid) { 2341 new_tsec->sid = old_tsec->exec_sid; 2342 /* Reset exec SID on execve. */ 2343 new_tsec->exec_sid = 0; 2344 2345 /* Fail on NNP or nosuid if not an allowed transition. */ 2346 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2347 if (rc) 2348 return rc; 2349 } else { 2350 /* Check for a default transition on this program. */ 2351 rc = security_transition_sid(old_tsec->sid, 2352 isec->sid, SECCLASS_PROCESS, NULL, 2353 &new_tsec->sid); 2354 if (rc) 2355 return rc; 2356 2357 /* 2358 * Fallback to old SID on NNP or nosuid if not an allowed 2359 * transition. 2360 */ 2361 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2362 if (rc) 2363 new_tsec->sid = old_tsec->sid; 2364 } 2365 2366 ad.type = LSM_AUDIT_DATA_FILE; 2367 ad.u.file = bprm->file; 2368 2369 if (new_tsec->sid == old_tsec->sid) { 2370 rc = avc_has_perm(old_tsec->sid, isec->sid, 2371 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2372 if (rc) 2373 return rc; 2374 } else { 2375 /* Check permissions for the transition. */ 2376 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2377 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2378 if (rc) 2379 return rc; 2380 2381 rc = avc_has_perm(new_tsec->sid, isec->sid, 2382 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2383 if (rc) 2384 return rc; 2385 2386 /* Check for shared state */ 2387 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2388 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2389 SECCLASS_PROCESS, PROCESS__SHARE, 2390 NULL); 2391 if (rc) 2392 return -EPERM; 2393 } 2394 2395 /* Make sure that anyone attempting to ptrace over a task that 2396 * changes its SID has the appropriate permit */ 2397 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2398 u32 ptsid = ptrace_parent_sid(); 2399 if (ptsid != 0) { 2400 rc = avc_has_perm(ptsid, new_tsec->sid, 2401 SECCLASS_PROCESS, 2402 PROCESS__PTRACE, NULL); 2403 if (rc) 2404 return -EPERM; 2405 } 2406 } 2407 2408 /* Clear any possibly unsafe personality bits on exec: */ 2409 bprm->per_clear |= PER_CLEAR_ON_SETID; 2410 2411 /* Enable secure mode for SIDs transitions unless 2412 the noatsecure permission is granted between 2413 the two SIDs, i.e. ahp returns 0. */ 2414 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2415 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2416 NULL); 2417 bprm->secureexec |= !!rc; 2418 } 2419 2420 return 0; 2421 } 2422 2423 static int match_file(const void *p, struct file *file, unsigned fd) 2424 { 2425 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2426 } 2427 2428 /* Derived from fs/exec.c:flush_old_files. */ 2429 static inline void flush_unauthorized_files(const struct cred *cred, 2430 struct files_struct *files) 2431 { 2432 struct file *file, *devnull = NULL; 2433 struct tty_struct *tty; 2434 int drop_tty = 0; 2435 unsigned n; 2436 2437 tty = get_current_tty(); 2438 if (tty) { 2439 spin_lock(&tty->files_lock); 2440 if (!list_empty(&tty->tty_files)) { 2441 struct tty_file_private *file_priv; 2442 2443 /* Revalidate access to controlling tty. 2444 Use file_path_has_perm on the tty path directly 2445 rather than using file_has_perm, as this particular 2446 open file may belong to another process and we are 2447 only interested in the inode-based check here. */ 2448 file_priv = list_first_entry(&tty->tty_files, 2449 struct tty_file_private, list); 2450 file = file_priv->file; 2451 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2452 drop_tty = 1; 2453 } 2454 spin_unlock(&tty->files_lock); 2455 tty_kref_put(tty); 2456 } 2457 /* Reset controlling tty. */ 2458 if (drop_tty) 2459 no_tty(); 2460 2461 /* Revalidate access to inherited open files. */ 2462 n = iterate_fd(files, 0, match_file, cred); 2463 if (!n) /* none found? */ 2464 return; 2465 2466 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2467 if (IS_ERR(devnull)) 2468 devnull = NULL; 2469 /* replace all the matching ones with this */ 2470 do { 2471 replace_fd(n - 1, devnull, 0); 2472 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2473 if (devnull) 2474 fput(devnull); 2475 } 2476 2477 /* 2478 * Prepare a process for imminent new credential changes due to exec 2479 */ 2480 static void selinux_bprm_committing_creds(const struct linux_binprm *bprm) 2481 { 2482 struct task_security_struct *new_tsec; 2483 struct rlimit *rlim, *initrlim; 2484 int rc, i; 2485 2486 new_tsec = selinux_cred(bprm->cred); 2487 if (new_tsec->sid == new_tsec->osid) 2488 return; 2489 2490 /* Close files for which the new task SID is not authorized. */ 2491 flush_unauthorized_files(bprm->cred, current->files); 2492 2493 /* Always clear parent death signal on SID transitions. */ 2494 current->pdeath_signal = 0; 2495 2496 /* Check whether the new SID can inherit resource limits from the old 2497 * SID. If not, reset all soft limits to the lower of the current 2498 * task's hard limit and the init task's soft limit. 2499 * 2500 * Note that the setting of hard limits (even to lower them) can be 2501 * controlled by the setrlimit check. The inclusion of the init task's 2502 * soft limit into the computation is to avoid resetting soft limits 2503 * higher than the default soft limit for cases where the default is 2504 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2505 */ 2506 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2507 PROCESS__RLIMITINH, NULL); 2508 if (rc) { 2509 /* protect against do_prlimit() */ 2510 task_lock(current); 2511 for (i = 0; i < RLIM_NLIMITS; i++) { 2512 rlim = current->signal->rlim + i; 2513 initrlim = init_task.signal->rlim + i; 2514 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2515 } 2516 task_unlock(current); 2517 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2518 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2519 } 2520 } 2521 2522 /* 2523 * Clean up the process immediately after the installation of new credentials 2524 * due to exec 2525 */ 2526 static void selinux_bprm_committed_creds(const struct linux_binprm *bprm) 2527 { 2528 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2529 u32 osid, sid; 2530 int rc; 2531 2532 osid = tsec->osid; 2533 sid = tsec->sid; 2534 2535 if (sid == osid) 2536 return; 2537 2538 /* Check whether the new SID can inherit signal state from the old SID. 2539 * If not, clear itimers to avoid subsequent signal generation and 2540 * flush and unblock signals. 2541 * 2542 * This must occur _after_ the task SID has been updated so that any 2543 * kill done after the flush will be checked against the new SID. 2544 */ 2545 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2546 if (rc) { 2547 clear_itimer(); 2548 2549 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock); 2550 if (!fatal_signal_pending(current)) { 2551 flush_sigqueue(¤t->pending); 2552 flush_sigqueue(¤t->signal->shared_pending); 2553 flush_signal_handlers(current, 1); 2554 sigemptyset(¤t->blocked); 2555 recalc_sigpending(); 2556 } 2557 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock); 2558 } 2559 2560 /* Wake up the parent if it is waiting so that it can recheck 2561 * wait permission to the new task SID. */ 2562 read_lock(&tasklist_lock); 2563 __wake_up_parent(current, unrcu_pointer(current->real_parent)); 2564 read_unlock(&tasklist_lock); 2565 } 2566 2567 /* superblock security operations */ 2568 2569 static int selinux_sb_alloc_security(struct super_block *sb) 2570 { 2571 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2572 2573 mutex_init(&sbsec->lock); 2574 INIT_LIST_HEAD(&sbsec->isec_head); 2575 spin_lock_init(&sbsec->isec_lock); 2576 sbsec->sid = SECINITSID_UNLABELED; 2577 sbsec->def_sid = SECINITSID_FILE; 2578 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 2579 2580 return 0; 2581 } 2582 2583 static inline int opt_len(const char *s) 2584 { 2585 bool open_quote = false; 2586 int len; 2587 char c; 2588 2589 for (len = 0; (c = s[len]) != '\0'; len++) { 2590 if (c == '"') 2591 open_quote = !open_quote; 2592 if (c == ',' && !open_quote) 2593 break; 2594 } 2595 return len; 2596 } 2597 2598 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) 2599 { 2600 char *from = options; 2601 char *to = options; 2602 bool first = true; 2603 int rc; 2604 2605 while (1) { 2606 int len = opt_len(from); 2607 int token; 2608 char *arg = NULL; 2609 2610 token = match_opt_prefix(from, len, &arg); 2611 2612 if (token != Opt_error) { 2613 char *p, *q; 2614 2615 /* strip quotes */ 2616 if (arg) { 2617 for (p = q = arg; p < from + len; p++) { 2618 char c = *p; 2619 if (c != '"') 2620 *q++ = c; 2621 } 2622 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); 2623 if (!arg) { 2624 rc = -ENOMEM; 2625 goto free_opt; 2626 } 2627 } 2628 rc = selinux_add_opt(token, arg, mnt_opts); 2629 kfree(arg); 2630 arg = NULL; 2631 if (unlikely(rc)) { 2632 goto free_opt; 2633 } 2634 } else { 2635 if (!first) { // copy with preceding comma 2636 from--; 2637 len++; 2638 } 2639 if (to != from) 2640 memmove(to, from, len); 2641 to += len; 2642 first = false; 2643 } 2644 if (!from[len]) 2645 break; 2646 from += len + 1; 2647 } 2648 *to = '\0'; 2649 return 0; 2650 2651 free_opt: 2652 if (*mnt_opts) { 2653 selinux_free_mnt_opts(*mnt_opts); 2654 *mnt_opts = NULL; 2655 } 2656 return rc; 2657 } 2658 2659 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts) 2660 { 2661 struct selinux_mnt_opts *opts = mnt_opts; 2662 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2663 2664 /* 2665 * Superblock not initialized (i.e. no options) - reject if any 2666 * options specified, otherwise accept. 2667 */ 2668 if (!(sbsec->flags & SE_SBINITIALIZED)) 2669 return opts ? 1 : 0; 2670 2671 /* 2672 * Superblock initialized and no options specified - reject if 2673 * superblock has any options set, otherwise accept. 2674 */ 2675 if (!opts) 2676 return (sbsec->flags & SE_MNTMASK) ? 1 : 0; 2677 2678 if (opts->fscontext_sid) { 2679 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 2680 opts->fscontext_sid)) 2681 return 1; 2682 } 2683 if (opts->context_sid) { 2684 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 2685 opts->context_sid)) 2686 return 1; 2687 } 2688 if (opts->rootcontext_sid) { 2689 struct inode_security_struct *root_isec; 2690 2691 root_isec = backing_inode_security(sb->s_root); 2692 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 2693 opts->rootcontext_sid)) 2694 return 1; 2695 } 2696 if (opts->defcontext_sid) { 2697 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 2698 opts->defcontext_sid)) 2699 return 1; 2700 } 2701 return 0; 2702 } 2703 2704 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) 2705 { 2706 struct selinux_mnt_opts *opts = mnt_opts; 2707 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2708 2709 if (!(sbsec->flags & SE_SBINITIALIZED)) 2710 return 0; 2711 2712 if (!opts) 2713 return 0; 2714 2715 if (opts->fscontext_sid) { 2716 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 2717 opts->fscontext_sid)) 2718 goto out_bad_option; 2719 } 2720 if (opts->context_sid) { 2721 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 2722 opts->context_sid)) 2723 goto out_bad_option; 2724 } 2725 if (opts->rootcontext_sid) { 2726 struct inode_security_struct *root_isec; 2727 root_isec = backing_inode_security(sb->s_root); 2728 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 2729 opts->rootcontext_sid)) 2730 goto out_bad_option; 2731 } 2732 if (opts->defcontext_sid) { 2733 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 2734 opts->defcontext_sid)) 2735 goto out_bad_option; 2736 } 2737 return 0; 2738 2739 out_bad_option: 2740 pr_warn("SELinux: unable to change security options " 2741 "during remount (dev %s, type=%s)\n", sb->s_id, 2742 sb->s_type->name); 2743 return -EINVAL; 2744 } 2745 2746 static int selinux_sb_kern_mount(const struct super_block *sb) 2747 { 2748 const struct cred *cred = current_cred(); 2749 struct common_audit_data ad; 2750 2751 ad.type = LSM_AUDIT_DATA_DENTRY; 2752 ad.u.dentry = sb->s_root; 2753 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2754 } 2755 2756 static int selinux_sb_statfs(struct dentry *dentry) 2757 { 2758 const struct cred *cred = current_cred(); 2759 struct common_audit_data ad; 2760 2761 ad.type = LSM_AUDIT_DATA_DENTRY; 2762 ad.u.dentry = dentry->d_sb->s_root; 2763 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2764 } 2765 2766 static int selinux_mount(const char *dev_name, 2767 const struct path *path, 2768 const char *type, 2769 unsigned long flags, 2770 void *data) 2771 { 2772 const struct cred *cred = current_cred(); 2773 2774 if (flags & MS_REMOUNT) 2775 return superblock_has_perm(cred, path->dentry->d_sb, 2776 FILESYSTEM__REMOUNT, NULL); 2777 else 2778 return path_has_perm(cred, path, FILE__MOUNTON); 2779 } 2780 2781 static int selinux_move_mount(const struct path *from_path, 2782 const struct path *to_path) 2783 { 2784 const struct cred *cred = current_cred(); 2785 2786 return path_has_perm(cred, to_path, FILE__MOUNTON); 2787 } 2788 2789 static int selinux_umount(struct vfsmount *mnt, int flags) 2790 { 2791 const struct cred *cred = current_cred(); 2792 2793 return superblock_has_perm(cred, mnt->mnt_sb, 2794 FILESYSTEM__UNMOUNT, NULL); 2795 } 2796 2797 static int selinux_fs_context_submount(struct fs_context *fc, 2798 struct super_block *reference) 2799 { 2800 const struct superblock_security_struct *sbsec = selinux_superblock(reference); 2801 struct selinux_mnt_opts *opts; 2802 2803 /* 2804 * Ensure that fc->security remains NULL when no options are set 2805 * as expected by selinux_set_mnt_opts(). 2806 */ 2807 if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT))) 2808 return 0; 2809 2810 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 2811 if (!opts) 2812 return -ENOMEM; 2813 2814 if (sbsec->flags & FSCONTEXT_MNT) 2815 opts->fscontext_sid = sbsec->sid; 2816 if (sbsec->flags & CONTEXT_MNT) 2817 opts->context_sid = sbsec->mntpoint_sid; 2818 if (sbsec->flags & DEFCONTEXT_MNT) 2819 opts->defcontext_sid = sbsec->def_sid; 2820 fc->security = opts; 2821 return 0; 2822 } 2823 2824 static int selinux_fs_context_dup(struct fs_context *fc, 2825 struct fs_context *src_fc) 2826 { 2827 const struct selinux_mnt_opts *src = src_fc->security; 2828 2829 if (!src) 2830 return 0; 2831 2832 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL); 2833 return fc->security ? 0 : -ENOMEM; 2834 } 2835 2836 static const struct fs_parameter_spec selinux_fs_parameters[] = { 2837 fsparam_string(CONTEXT_STR, Opt_context), 2838 fsparam_string(DEFCONTEXT_STR, Opt_defcontext), 2839 fsparam_string(FSCONTEXT_STR, Opt_fscontext), 2840 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext), 2841 fsparam_flag (SECLABEL_STR, Opt_seclabel), 2842 {} 2843 }; 2844 2845 static int selinux_fs_context_parse_param(struct fs_context *fc, 2846 struct fs_parameter *param) 2847 { 2848 struct fs_parse_result result; 2849 int opt; 2850 2851 opt = fs_parse(fc, selinux_fs_parameters, param, &result); 2852 if (opt < 0) 2853 return opt; 2854 2855 return selinux_add_opt(opt, param->string, &fc->security); 2856 } 2857 2858 /* inode security operations */ 2859 2860 static int selinux_inode_alloc_security(struct inode *inode) 2861 { 2862 struct inode_security_struct *isec = selinux_inode(inode); 2863 u32 sid = current_sid(); 2864 2865 spin_lock_init(&isec->lock); 2866 INIT_LIST_HEAD(&isec->list); 2867 isec->inode = inode; 2868 isec->sid = SECINITSID_UNLABELED; 2869 isec->sclass = SECCLASS_FILE; 2870 isec->task_sid = sid; 2871 isec->initialized = LABEL_INVALID; 2872 2873 return 0; 2874 } 2875 2876 static void selinux_inode_free_security(struct inode *inode) 2877 { 2878 inode_free_security(inode); 2879 } 2880 2881 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2882 const struct qstr *name, 2883 const char **xattr_name, 2884 struct lsm_context *cp) 2885 { 2886 u32 newsid; 2887 int rc; 2888 2889 rc = selinux_determine_inode_label(selinux_cred(current_cred()), 2890 d_inode(dentry->d_parent), name, 2891 inode_mode_to_security_class(mode), 2892 &newsid); 2893 if (rc) 2894 return rc; 2895 2896 if (xattr_name) 2897 *xattr_name = XATTR_NAME_SELINUX; 2898 2899 cp->id = LSM_ID_SELINUX; 2900 return security_sid_to_context(newsid, &cp->context, &cp->len); 2901 } 2902 2903 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2904 struct qstr *name, 2905 const struct cred *old, 2906 struct cred *new) 2907 { 2908 u32 newsid; 2909 int rc; 2910 struct task_security_struct *tsec; 2911 2912 rc = selinux_determine_inode_label(selinux_cred(old), 2913 d_inode(dentry->d_parent), name, 2914 inode_mode_to_security_class(mode), 2915 &newsid); 2916 if (rc) 2917 return rc; 2918 2919 tsec = selinux_cred(new); 2920 tsec->create_sid = newsid; 2921 return 0; 2922 } 2923 2924 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2925 const struct qstr *qstr, 2926 struct xattr *xattrs, int *xattr_count) 2927 { 2928 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2929 struct superblock_security_struct *sbsec; 2930 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); 2931 u32 newsid, clen; 2932 u16 newsclass; 2933 int rc; 2934 char *context; 2935 2936 sbsec = selinux_superblock(dir->i_sb); 2937 2938 newsid = tsec->create_sid; 2939 newsclass = inode_mode_to_security_class(inode->i_mode); 2940 rc = selinux_determine_inode_label(tsec, dir, qstr, newsclass, &newsid); 2941 if (rc) 2942 return rc; 2943 2944 /* Possibly defer initialization to selinux_complete_init. */ 2945 if (sbsec->flags & SE_SBINITIALIZED) { 2946 struct inode_security_struct *isec = selinux_inode(inode); 2947 isec->sclass = newsclass; 2948 isec->sid = newsid; 2949 isec->initialized = LABEL_INITIALIZED; 2950 } 2951 2952 if (!selinux_initialized() || 2953 !(sbsec->flags & SBLABEL_MNT)) 2954 return -EOPNOTSUPP; 2955 2956 if (xattr) { 2957 rc = security_sid_to_context_force(newsid, 2958 &context, &clen); 2959 if (rc) 2960 return rc; 2961 xattr->value = context; 2962 xattr->value_len = clen; 2963 xattr->name = XATTR_SELINUX_SUFFIX; 2964 } 2965 2966 return 0; 2967 } 2968 2969 static int selinux_inode_init_security_anon(struct inode *inode, 2970 const struct qstr *name, 2971 const struct inode *context_inode) 2972 { 2973 u32 sid = current_sid(); 2974 struct common_audit_data ad; 2975 struct inode_security_struct *isec; 2976 int rc; 2977 2978 if (unlikely(!selinux_initialized())) 2979 return 0; 2980 2981 isec = selinux_inode(inode); 2982 2983 /* 2984 * We only get here once per ephemeral inode. The inode has 2985 * been initialized via inode_alloc_security but is otherwise 2986 * untouched. 2987 */ 2988 2989 if (context_inode) { 2990 struct inode_security_struct *context_isec = 2991 selinux_inode(context_inode); 2992 if (context_isec->initialized != LABEL_INITIALIZED) { 2993 pr_err("SELinux: context_inode is not initialized\n"); 2994 return -EACCES; 2995 } 2996 2997 isec->sclass = context_isec->sclass; 2998 isec->sid = context_isec->sid; 2999 } else { 3000 isec->sclass = SECCLASS_ANON_INODE; 3001 rc = security_transition_sid( 3002 sid, sid, 3003 isec->sclass, name, &isec->sid); 3004 if (rc) 3005 return rc; 3006 } 3007 3008 isec->initialized = LABEL_INITIALIZED; 3009 /* 3010 * Now that we've initialized security, check whether we're 3011 * allowed to actually create this type of anonymous inode. 3012 */ 3013 3014 ad.type = LSM_AUDIT_DATA_ANONINODE; 3015 ad.u.anonclass = name ? (const char *)name->name : "?"; 3016 3017 return avc_has_perm(sid, 3018 isec->sid, 3019 isec->sclass, 3020 FILE__CREATE, 3021 &ad); 3022 } 3023 3024 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 3025 { 3026 return may_create(dir, dentry, SECCLASS_FILE); 3027 } 3028 3029 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 3030 { 3031 return may_link(dir, old_dentry, MAY_LINK); 3032 } 3033 3034 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 3035 { 3036 return may_link(dir, dentry, MAY_UNLINK); 3037 } 3038 3039 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 3040 { 3041 return may_create(dir, dentry, SECCLASS_LNK_FILE); 3042 } 3043 3044 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 3045 { 3046 return may_create(dir, dentry, SECCLASS_DIR); 3047 } 3048 3049 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 3050 { 3051 return may_link(dir, dentry, MAY_RMDIR); 3052 } 3053 3054 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 3055 { 3056 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 3057 } 3058 3059 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3060 struct inode *new_inode, struct dentry *new_dentry) 3061 { 3062 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3063 } 3064 3065 static int selinux_inode_readlink(struct dentry *dentry) 3066 { 3067 const struct cred *cred = current_cred(); 3068 3069 return dentry_has_perm(cred, dentry, FILE__READ); 3070 } 3071 3072 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3073 bool rcu) 3074 { 3075 struct common_audit_data ad; 3076 struct inode_security_struct *isec; 3077 u32 sid = current_sid(); 3078 3079 ad.type = LSM_AUDIT_DATA_DENTRY; 3080 ad.u.dentry = dentry; 3081 isec = inode_security_rcu(inode, rcu); 3082 if (IS_ERR(isec)) 3083 return PTR_ERR(isec); 3084 3085 return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad); 3086 } 3087 3088 static noinline int audit_inode_permission(struct inode *inode, 3089 u32 perms, u32 audited, u32 denied, 3090 int result) 3091 { 3092 struct common_audit_data ad; 3093 struct inode_security_struct *isec = selinux_inode(inode); 3094 3095 ad.type = LSM_AUDIT_DATA_INODE; 3096 ad.u.inode = inode; 3097 3098 return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3099 audited, denied, result, &ad); 3100 } 3101 3102 /** 3103 * task_avdcache_reset - Reset the task's AVD cache 3104 * @tsec: the task's security state 3105 * 3106 * Clear the task's AVD cache in @tsec and reset it to the current policy's 3107 * and task's info. 3108 */ 3109 static inline void task_avdcache_reset(struct task_security_struct *tsec) 3110 { 3111 memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir)); 3112 tsec->avdcache.sid = tsec->sid; 3113 tsec->avdcache.seqno = avc_policy_seqno(); 3114 tsec->avdcache.dir_spot = TSEC_AVDC_DIR_SIZE - 1; 3115 } 3116 3117 /** 3118 * task_avdcache_search - Search the task's AVD cache 3119 * @tsec: the task's security state 3120 * @isec: the inode to search for in the cache 3121 * @avdc: matching avd cache entry returned to the caller 3122 * 3123 * Search @tsec for a AVD cache entry that matches @isec and return it to the 3124 * caller via @avdc. Returns 0 if a match is found, negative values otherwise. 3125 */ 3126 static inline int task_avdcache_search(struct task_security_struct *tsec, 3127 struct inode_security_struct *isec, 3128 struct avdc_entry **avdc) 3129 { 3130 int orig, iter; 3131 3132 /* focused on path walk optimization, only cache directories */ 3133 if (isec->sclass != SECCLASS_DIR) 3134 return -ENOENT; 3135 3136 if (unlikely(tsec->sid != tsec->avdcache.sid || 3137 tsec->avdcache.seqno != avc_policy_seqno())) { 3138 task_avdcache_reset(tsec); 3139 return -ENOENT; 3140 } 3141 3142 orig = iter = tsec->avdcache.dir_spot; 3143 do { 3144 if (tsec->avdcache.dir[iter].isid == isec->sid) { 3145 /* cache hit */ 3146 tsec->avdcache.dir_spot = iter; 3147 *avdc = &tsec->avdcache.dir[iter]; 3148 return 0; 3149 } 3150 iter = (iter - 1) & (TSEC_AVDC_DIR_SIZE - 1); 3151 } while (iter != orig); 3152 3153 return -ENOENT; 3154 } 3155 3156 /** 3157 * task_avdcache_update - Update the task's AVD cache 3158 * @tsec: the task's security state 3159 * @isec: the inode associated with the cache entry 3160 * @avd: the AVD to cache 3161 * @audited: the permission audit bitmask to cache 3162 * 3163 * Update the AVD cache in @tsec with the @avdc and @audited info associated 3164 * with @isec. 3165 */ 3166 static inline void task_avdcache_update(struct task_security_struct *tsec, 3167 struct inode_security_struct *isec, 3168 struct av_decision *avd, 3169 u32 audited) 3170 { 3171 int spot; 3172 3173 /* focused on path walk optimization, only cache directories */ 3174 if (isec->sclass != SECCLASS_DIR) 3175 return; 3176 3177 /* update cache */ 3178 spot = (tsec->avdcache.dir_spot + 1) & (TSEC_AVDC_DIR_SIZE - 1); 3179 tsec->avdcache.dir_spot = spot; 3180 tsec->avdcache.dir[spot].isid = isec->sid; 3181 tsec->avdcache.dir[spot].audited = audited; 3182 tsec->avdcache.dir[spot].allowed = avd->allowed; 3183 tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE; 3184 } 3185 3186 /** 3187 * selinux_inode_permission - Check if the current task can access an inode 3188 * @inode: the inode that is being accessed 3189 * @requested: the accesses being requested 3190 * 3191 * Check if the current task is allowed to access @inode according to 3192 * @requested. Returns 0 if allowed, negative values otherwise. 3193 */ 3194 static int selinux_inode_permission(struct inode *inode, int requested) 3195 { 3196 int mask; 3197 u32 perms; 3198 struct task_security_struct *tsec; 3199 struct inode_security_struct *isec; 3200 struct avdc_entry *avdc; 3201 int rc, rc2; 3202 u32 audited, denied; 3203 3204 mask = requested & (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3205 3206 /* No permission to check. Existence test. */ 3207 if (!mask) 3208 return 0; 3209 3210 isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK); 3211 if (IS_ERR(isec)) 3212 return PTR_ERR(isec); 3213 tsec = selinux_cred(current_cred()); 3214 perms = file_mask_to_av(inode->i_mode, mask); 3215 3216 rc = task_avdcache_search(tsec, isec, &avdc); 3217 if (likely(!rc)) { 3218 /* Cache hit. */ 3219 audited = perms & avdc->audited; 3220 denied = perms & ~avdc->allowed; 3221 if (unlikely(denied && enforcing_enabled() && 3222 !avdc->permissive)) 3223 rc = -EACCES; 3224 } else { 3225 struct av_decision avd; 3226 3227 /* Cache miss. */ 3228 rc = avc_has_perm_noaudit(tsec->sid, isec->sid, isec->sclass, 3229 perms, 0, &avd); 3230 audited = avc_audit_required(perms, &avd, rc, 3231 (requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0, 3232 &denied); 3233 task_avdcache_update(tsec, isec, &avd, audited); 3234 } 3235 3236 if (likely(!audited)) 3237 return rc; 3238 3239 rc2 = audit_inode_permission(inode, perms, audited, denied, rc); 3240 if (rc2) 3241 return rc2; 3242 3243 return rc; 3244 } 3245 3246 static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, 3247 struct iattr *iattr) 3248 { 3249 const struct cred *cred = current_cred(); 3250 struct inode *inode = d_backing_inode(dentry); 3251 unsigned int ia_valid = iattr->ia_valid; 3252 u32 av = FILE__WRITE; 3253 3254 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3255 if (ia_valid & ATTR_FORCE) { 3256 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3257 ATTR_FORCE); 3258 if (!ia_valid) 3259 return 0; 3260 } 3261 3262 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3263 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3264 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3265 3266 if (selinux_policycap_openperm() && 3267 inode->i_sb->s_magic != SOCKFS_MAGIC && 3268 (ia_valid & ATTR_SIZE) && 3269 !(ia_valid & ATTR_FILE)) 3270 av |= FILE__OPEN; 3271 3272 return dentry_has_perm(cred, dentry, av); 3273 } 3274 3275 static int selinux_inode_getattr(const struct path *path) 3276 { 3277 return path_has_perm(current_cred(), path, FILE__GETATTR); 3278 } 3279 3280 static bool has_cap_mac_admin(bool audit) 3281 { 3282 const struct cred *cred = current_cred(); 3283 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT; 3284 3285 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts)) 3286 return false; 3287 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true)) 3288 return false; 3289 return true; 3290 } 3291 3292 /** 3293 * selinux_inode_xattr_skipcap - Skip the xattr capability checks? 3294 * @name: name of the xattr 3295 * 3296 * Returns 1 to indicate that SELinux "owns" the access control rights to xattrs 3297 * named @name; the LSM layer should avoid enforcing any traditional 3298 * capability based access controls on this xattr. Returns 0 to indicate that 3299 * SELinux does not "own" the access control rights to xattrs named @name and is 3300 * deferring to the LSM layer for further access controls, including capability 3301 * based controls. 3302 */ 3303 static int selinux_inode_xattr_skipcap(const char *name) 3304 { 3305 /* require capability check if not a selinux xattr */ 3306 return !strcmp(name, XATTR_NAME_SELINUX); 3307 } 3308 3309 static int selinux_inode_setxattr(struct mnt_idmap *idmap, 3310 struct dentry *dentry, const char *name, 3311 const void *value, size_t size, int flags) 3312 { 3313 struct inode *inode = d_backing_inode(dentry); 3314 struct inode_security_struct *isec; 3315 struct superblock_security_struct *sbsec; 3316 struct common_audit_data ad; 3317 u32 newsid, sid = current_sid(); 3318 int rc = 0; 3319 3320 /* if not a selinux xattr, only check the ordinary setattr perm */ 3321 if (strcmp(name, XATTR_NAME_SELINUX)) 3322 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3323 3324 if (!selinux_initialized()) 3325 return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM); 3326 3327 sbsec = selinux_superblock(inode->i_sb); 3328 if (!(sbsec->flags & SBLABEL_MNT)) 3329 return -EOPNOTSUPP; 3330 3331 if (!inode_owner_or_capable(idmap, inode)) 3332 return -EPERM; 3333 3334 ad.type = LSM_AUDIT_DATA_DENTRY; 3335 ad.u.dentry = dentry; 3336 3337 isec = backing_inode_security(dentry); 3338 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3339 FILE__RELABELFROM, &ad); 3340 if (rc) 3341 return rc; 3342 3343 rc = security_context_to_sid(value, size, &newsid, 3344 GFP_KERNEL); 3345 if (rc == -EINVAL) { 3346 if (!has_cap_mac_admin(true)) { 3347 struct audit_buffer *ab; 3348 size_t audit_size; 3349 3350 /* We strip a nul only if it is at the end, otherwise the 3351 * context contains a nul and we should audit that */ 3352 if (value) { 3353 const char *str = value; 3354 3355 if (str[size - 1] == '\0') 3356 audit_size = size - 1; 3357 else 3358 audit_size = size; 3359 } else { 3360 audit_size = 0; 3361 } 3362 ab = audit_log_start(audit_context(), 3363 GFP_ATOMIC, AUDIT_SELINUX_ERR); 3364 if (!ab) 3365 return rc; 3366 audit_log_format(ab, "op=setxattr invalid_context="); 3367 audit_log_n_untrustedstring(ab, value, audit_size); 3368 audit_log_end(ab); 3369 3370 return rc; 3371 } 3372 rc = security_context_to_sid_force(value, 3373 size, &newsid); 3374 } 3375 if (rc) 3376 return rc; 3377 3378 rc = avc_has_perm(sid, newsid, isec->sclass, 3379 FILE__RELABELTO, &ad); 3380 if (rc) 3381 return rc; 3382 3383 rc = security_validate_transition(isec->sid, newsid, 3384 sid, isec->sclass); 3385 if (rc) 3386 return rc; 3387 3388 return avc_has_perm(newsid, 3389 sbsec->sid, 3390 SECCLASS_FILESYSTEM, 3391 FILESYSTEM__ASSOCIATE, 3392 &ad); 3393 } 3394 3395 static int selinux_inode_set_acl(struct mnt_idmap *idmap, 3396 struct dentry *dentry, const char *acl_name, 3397 struct posix_acl *kacl) 3398 { 3399 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3400 } 3401 3402 static int selinux_inode_get_acl(struct mnt_idmap *idmap, 3403 struct dentry *dentry, const char *acl_name) 3404 { 3405 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR); 3406 } 3407 3408 static int selinux_inode_remove_acl(struct mnt_idmap *idmap, 3409 struct dentry *dentry, const char *acl_name) 3410 { 3411 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3412 } 3413 3414 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3415 const void *value, size_t size, 3416 int flags) 3417 { 3418 struct inode *inode = d_backing_inode(dentry); 3419 struct inode_security_struct *isec; 3420 u32 newsid; 3421 int rc; 3422 3423 if (strcmp(name, XATTR_NAME_SELINUX)) { 3424 /* Not an attribute we recognize, so nothing to do. */ 3425 return; 3426 } 3427 3428 if (!selinux_initialized()) { 3429 /* If we haven't even been initialized, then we can't validate 3430 * against a policy, so leave the label as invalid. It may 3431 * resolve to a valid label on the next revalidation try if 3432 * we've since initialized. 3433 */ 3434 return; 3435 } 3436 3437 rc = security_context_to_sid_force(value, size, 3438 &newsid); 3439 if (rc) { 3440 pr_err("SELinux: unable to map context to SID" 3441 "for (%s, %lu), rc=%d\n", 3442 inode->i_sb->s_id, inode->i_ino, -rc); 3443 return; 3444 } 3445 3446 isec = backing_inode_security(dentry); 3447 spin_lock(&isec->lock); 3448 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3449 isec->sid = newsid; 3450 isec->initialized = LABEL_INITIALIZED; 3451 spin_unlock(&isec->lock); 3452 } 3453 3454 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3455 { 3456 const struct cred *cred = current_cred(); 3457 3458 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3459 } 3460 3461 static int selinux_inode_listxattr(struct dentry *dentry) 3462 { 3463 const struct cred *cred = current_cred(); 3464 3465 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3466 } 3467 3468 static int selinux_inode_removexattr(struct mnt_idmap *idmap, 3469 struct dentry *dentry, const char *name) 3470 { 3471 /* if not a selinux xattr, only check the ordinary setattr perm */ 3472 if (strcmp(name, XATTR_NAME_SELINUX)) 3473 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3474 3475 if (!selinux_initialized()) 3476 return 0; 3477 3478 /* No one is allowed to remove a SELinux security label. 3479 You can change the label, but all data must be labeled. */ 3480 return -EACCES; 3481 } 3482 3483 static int selinux_inode_file_setattr(struct dentry *dentry, 3484 struct fileattr *fa) 3485 { 3486 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3487 } 3488 3489 static int selinux_inode_file_getattr(struct dentry *dentry, 3490 struct fileattr *fa) 3491 { 3492 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR); 3493 } 3494 3495 static int selinux_path_notify(const struct path *path, u64 mask, 3496 unsigned int obj_type) 3497 { 3498 int ret; 3499 u32 perm; 3500 3501 struct common_audit_data ad; 3502 3503 ad.type = LSM_AUDIT_DATA_PATH; 3504 ad.u.path = *path; 3505 3506 /* 3507 * Set permission needed based on the type of mark being set. 3508 * Performs an additional check for sb watches. 3509 */ 3510 switch (obj_type) { 3511 case FSNOTIFY_OBJ_TYPE_VFSMOUNT: 3512 perm = FILE__WATCH_MOUNT; 3513 break; 3514 case FSNOTIFY_OBJ_TYPE_SB: 3515 perm = FILE__WATCH_SB; 3516 ret = superblock_has_perm(current_cred(), path->dentry->d_sb, 3517 FILESYSTEM__WATCH, &ad); 3518 if (ret) 3519 return ret; 3520 break; 3521 case FSNOTIFY_OBJ_TYPE_INODE: 3522 perm = FILE__WATCH; 3523 break; 3524 case FSNOTIFY_OBJ_TYPE_MNTNS: 3525 perm = FILE__WATCH_MOUNTNS; 3526 break; 3527 default: 3528 return -EINVAL; 3529 } 3530 3531 /* blocking watches require the file:watch_with_perm permission */ 3532 if (mask & (ALL_FSNOTIFY_PERM_EVENTS)) 3533 perm |= FILE__WATCH_WITH_PERM; 3534 3535 /* watches on read-like events need the file:watch_reads permission */ 3536 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_PRE_ACCESS | 3537 FS_CLOSE_NOWRITE)) 3538 perm |= FILE__WATCH_READS; 3539 3540 return path_has_perm(current_cred(), path, perm); 3541 } 3542 3543 /* 3544 * Copy the inode security context value to the user. 3545 * 3546 * Permission check is handled by selinux_inode_getxattr hook. 3547 */ 3548 static int selinux_inode_getsecurity(struct mnt_idmap *idmap, 3549 struct inode *inode, const char *name, 3550 void **buffer, bool alloc) 3551 { 3552 u32 size; 3553 int error; 3554 char *context = NULL; 3555 struct inode_security_struct *isec; 3556 3557 /* 3558 * If we're not initialized yet, then we can't validate contexts, so 3559 * just let vfs_getxattr fall back to using the on-disk xattr. 3560 */ 3561 if (!selinux_initialized() || 3562 strcmp(name, XATTR_SELINUX_SUFFIX)) 3563 return -EOPNOTSUPP; 3564 3565 /* 3566 * If the caller has CAP_MAC_ADMIN, then get the raw context 3567 * value even if it is not defined by current policy; otherwise, 3568 * use the in-core value under current policy. 3569 * Use the non-auditing forms of the permission checks since 3570 * getxattr may be called by unprivileged processes commonly 3571 * and lack of permission just means that we fall back to the 3572 * in-core context value, not a denial. 3573 */ 3574 isec = inode_security(inode); 3575 if (has_cap_mac_admin(false)) 3576 error = security_sid_to_context_force(isec->sid, &context, 3577 &size); 3578 else 3579 error = security_sid_to_context(isec->sid, 3580 &context, &size); 3581 if (error) 3582 return error; 3583 error = size; 3584 if (alloc) { 3585 *buffer = context; 3586 goto out_nofree; 3587 } 3588 kfree(context); 3589 out_nofree: 3590 return error; 3591 } 3592 3593 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3594 const void *value, size_t size, int flags) 3595 { 3596 struct inode_security_struct *isec = inode_security_novalidate(inode); 3597 struct superblock_security_struct *sbsec; 3598 u32 newsid; 3599 int rc; 3600 3601 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3602 return -EOPNOTSUPP; 3603 3604 sbsec = selinux_superblock(inode->i_sb); 3605 if (!(sbsec->flags & SBLABEL_MNT)) 3606 return -EOPNOTSUPP; 3607 3608 if (!value || !size) 3609 return -EACCES; 3610 3611 rc = security_context_to_sid(value, size, &newsid, 3612 GFP_KERNEL); 3613 if (rc) 3614 return rc; 3615 3616 spin_lock(&isec->lock); 3617 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3618 isec->sid = newsid; 3619 isec->initialized = LABEL_INITIALIZED; 3620 spin_unlock(&isec->lock); 3621 return 0; 3622 } 3623 3624 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3625 { 3626 const int len = sizeof(XATTR_NAME_SELINUX); 3627 3628 if (!selinux_initialized()) 3629 return 0; 3630 3631 if (buffer && len <= buffer_size) 3632 memcpy(buffer, XATTR_NAME_SELINUX, len); 3633 return len; 3634 } 3635 3636 static void selinux_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop) 3637 { 3638 struct inode_security_struct *isec = inode_security_novalidate(inode); 3639 3640 prop->selinux.secid = isec->sid; 3641 } 3642 3643 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3644 { 3645 struct lsm_prop prop; 3646 struct task_security_struct *tsec; 3647 struct cred *new_creds = *new; 3648 3649 if (new_creds == NULL) { 3650 new_creds = prepare_creds(); 3651 if (!new_creds) 3652 return -ENOMEM; 3653 } 3654 3655 tsec = selinux_cred(new_creds); 3656 /* Get label from overlay inode and set it in create_sid */ 3657 selinux_inode_getlsmprop(d_inode(src), &prop); 3658 tsec->create_sid = prop.selinux.secid; 3659 *new = new_creds; 3660 return 0; 3661 } 3662 3663 static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name) 3664 { 3665 /* The copy_up hook above sets the initial context on an inode, but we 3666 * don't then want to overwrite it by blindly copying all the lower 3667 * xattrs up. Instead, filter out SELinux-related xattrs following 3668 * policy load. 3669 */ 3670 if (selinux_initialized() && !strcmp(name, XATTR_NAME_SELINUX)) 3671 return -ECANCELED; /* Discard */ 3672 /* 3673 * Any other attribute apart from SELINUX is not claimed, supported 3674 * by selinux. 3675 */ 3676 return -EOPNOTSUPP; 3677 } 3678 3679 /* kernfs node operations */ 3680 3681 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, 3682 struct kernfs_node *kn) 3683 { 3684 const struct task_security_struct *tsec = selinux_cred(current_cred()); 3685 u32 parent_sid, newsid, clen; 3686 int rc; 3687 char *context; 3688 3689 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0); 3690 if (rc == -ENODATA) 3691 return 0; 3692 else if (rc < 0) 3693 return rc; 3694 3695 clen = (u32)rc; 3696 context = kmalloc(clen, GFP_KERNEL); 3697 if (!context) 3698 return -ENOMEM; 3699 3700 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen); 3701 if (rc < 0) { 3702 kfree(context); 3703 return rc; 3704 } 3705 3706 rc = security_context_to_sid(context, clen, &parent_sid, 3707 GFP_KERNEL); 3708 kfree(context); 3709 if (rc) 3710 return rc; 3711 3712 if (tsec->create_sid) { 3713 newsid = tsec->create_sid; 3714 } else { 3715 u16 secclass = inode_mode_to_security_class(kn->mode); 3716 const char *kn_name; 3717 struct qstr q; 3718 3719 /* kn is fresh, can't be renamed, name goes not away */ 3720 kn_name = rcu_dereference_check(kn->name, true); 3721 q.name = kn_name; 3722 q.hash_len = hashlen_string(kn_dir, kn_name); 3723 3724 rc = security_transition_sid(tsec->sid, 3725 parent_sid, secclass, &q, 3726 &newsid); 3727 if (rc) 3728 return rc; 3729 } 3730 3731 rc = security_sid_to_context_force(newsid, 3732 &context, &clen); 3733 if (rc) 3734 return rc; 3735 3736 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen, 3737 XATTR_CREATE); 3738 kfree(context); 3739 return rc; 3740 } 3741 3742 3743 /* file security operations */ 3744 3745 static int selinux_revalidate_file_permission(struct file *file, int mask) 3746 { 3747 const struct cred *cred = current_cred(); 3748 struct inode *inode = file_inode(file); 3749 3750 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3751 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3752 mask |= MAY_APPEND; 3753 3754 return file_has_perm(cred, file, 3755 file_mask_to_av(inode->i_mode, mask)); 3756 } 3757 3758 static int selinux_file_permission(struct file *file, int mask) 3759 { 3760 struct inode *inode = file_inode(file); 3761 struct file_security_struct *fsec = selinux_file(file); 3762 struct inode_security_struct *isec; 3763 u32 sid = current_sid(); 3764 3765 if (!mask) 3766 /* No permission to check. Existence test. */ 3767 return 0; 3768 3769 isec = inode_security(inode); 3770 if (sid == fsec->sid && fsec->isid == isec->sid && 3771 fsec->pseqno == avc_policy_seqno()) 3772 /* No change since file_open check. */ 3773 return 0; 3774 3775 return selinux_revalidate_file_permission(file, mask); 3776 } 3777 3778 static int selinux_file_alloc_security(struct file *file) 3779 { 3780 struct file_security_struct *fsec = selinux_file(file); 3781 u32 sid = current_sid(); 3782 3783 fsec->sid = sid; 3784 fsec->fown_sid = sid; 3785 3786 return 0; 3787 } 3788 3789 /* 3790 * Check whether a task has the ioctl permission and cmd 3791 * operation to an inode. 3792 */ 3793 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3794 u32 requested, u16 cmd) 3795 { 3796 struct common_audit_data ad; 3797 struct file_security_struct *fsec = selinux_file(file); 3798 struct inode *inode = file_inode(file); 3799 struct inode_security_struct *isec; 3800 struct lsm_ioctlop_audit ioctl; 3801 u32 ssid = cred_sid(cred); 3802 int rc; 3803 u8 driver = cmd >> 8; 3804 u8 xperm = cmd & 0xff; 3805 3806 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3807 ad.u.op = &ioctl; 3808 ad.u.op->cmd = cmd; 3809 ad.u.op->path = file->f_path; 3810 3811 if (ssid != fsec->sid) { 3812 rc = avc_has_perm(ssid, fsec->sid, 3813 SECCLASS_FD, 3814 FD__USE, 3815 &ad); 3816 if (rc) 3817 goto out; 3818 } 3819 3820 if (unlikely(IS_PRIVATE(inode))) 3821 return 0; 3822 3823 isec = inode_security(inode); 3824 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, requested, 3825 driver, AVC_EXT_IOCTL, xperm, &ad); 3826 out: 3827 return rc; 3828 } 3829 3830 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3831 unsigned long arg) 3832 { 3833 const struct cred *cred = current_cred(); 3834 int error = 0; 3835 3836 switch (cmd) { 3837 case FIONREAD: 3838 case FIBMAP: 3839 case FIGETBSZ: 3840 case FS_IOC_GETFLAGS: 3841 case FS_IOC_GETVERSION: 3842 error = file_has_perm(cred, file, FILE__GETATTR); 3843 break; 3844 3845 case FS_IOC_SETFLAGS: 3846 case FS_IOC_SETVERSION: 3847 error = file_has_perm(cred, file, FILE__SETATTR); 3848 break; 3849 3850 /* sys_ioctl() checks */ 3851 case FIONBIO: 3852 case FIOASYNC: 3853 error = file_has_perm(cred, file, 0); 3854 break; 3855 3856 case KDSKBENT: 3857 case KDSKBSENT: 3858 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3859 CAP_OPT_NONE, true); 3860 break; 3861 3862 case FIOCLEX: 3863 case FIONCLEX: 3864 if (!selinux_policycap_ioctl_skip_cloexec()) 3865 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3866 break; 3867 3868 /* default case assumes that the command will go 3869 * to the file's ioctl() function. 3870 */ 3871 default: 3872 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3873 } 3874 return error; 3875 } 3876 3877 static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd, 3878 unsigned long arg) 3879 { 3880 /* 3881 * If we are in a 64-bit kernel running 32-bit userspace, we need to 3882 * make sure we don't compare 32-bit flags to 64-bit flags. 3883 */ 3884 switch (cmd) { 3885 case FS_IOC32_GETFLAGS: 3886 cmd = FS_IOC_GETFLAGS; 3887 break; 3888 case FS_IOC32_SETFLAGS: 3889 cmd = FS_IOC_SETFLAGS; 3890 break; 3891 case FS_IOC32_GETVERSION: 3892 cmd = FS_IOC_GETVERSION; 3893 break; 3894 case FS_IOC32_SETVERSION: 3895 cmd = FS_IOC_SETVERSION; 3896 break; 3897 default: 3898 break; 3899 } 3900 3901 return selinux_file_ioctl(file, cmd, arg); 3902 } 3903 3904 static int default_noexec __ro_after_init; 3905 3906 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3907 { 3908 const struct cred *cred = current_cred(); 3909 u32 sid = cred_sid(cred); 3910 int rc = 0; 3911 3912 if (default_noexec && 3913 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3914 (!shared && (prot & PROT_WRITE)))) { 3915 /* 3916 * We are making executable an anonymous mapping or a 3917 * private file mapping that will also be writable. 3918 * This has an additional check. 3919 */ 3920 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3921 PROCESS__EXECMEM, NULL); 3922 if (rc) 3923 goto error; 3924 } 3925 3926 if (file) { 3927 /* read access is always possible with a mapping */ 3928 u32 av = FILE__READ; 3929 3930 /* write access only matters if the mapping is shared */ 3931 if (shared && (prot & PROT_WRITE)) 3932 av |= FILE__WRITE; 3933 3934 if (prot & PROT_EXEC) 3935 av |= FILE__EXECUTE; 3936 3937 return file_has_perm(cred, file, av); 3938 } 3939 3940 error: 3941 return rc; 3942 } 3943 3944 static int selinux_mmap_addr(unsigned long addr) 3945 { 3946 int rc = 0; 3947 3948 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3949 u32 sid = current_sid(); 3950 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3951 MEMPROTECT__MMAP_ZERO, NULL); 3952 } 3953 3954 return rc; 3955 } 3956 3957 static int selinux_mmap_file(struct file *file, 3958 unsigned long reqprot __always_unused, 3959 unsigned long prot, unsigned long flags) 3960 { 3961 struct common_audit_data ad; 3962 int rc; 3963 3964 if (file) { 3965 ad.type = LSM_AUDIT_DATA_FILE; 3966 ad.u.file = file; 3967 rc = inode_has_perm(current_cred(), file_inode(file), 3968 FILE__MAP, &ad); 3969 if (rc) 3970 return rc; 3971 } 3972 3973 return file_map_prot_check(file, prot, 3974 (flags & MAP_TYPE) == MAP_SHARED); 3975 } 3976 3977 static int selinux_file_mprotect(struct vm_area_struct *vma, 3978 unsigned long reqprot __always_unused, 3979 unsigned long prot) 3980 { 3981 const struct cred *cred = current_cred(); 3982 u32 sid = cred_sid(cred); 3983 3984 if (default_noexec && 3985 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3986 int rc = 0; 3987 /* 3988 * We don't use the vma_is_initial_heap() helper as it has 3989 * a history of problems and is currently broken on systems 3990 * where there is no heap, e.g. brk == start_brk. Before 3991 * replacing the conditional below with vma_is_initial_heap(), 3992 * or something similar, please ensure that the logic is the 3993 * same as what we have below or you have tested every possible 3994 * corner case you can think to test. 3995 */ 3996 if (vma->vm_start >= vma->vm_mm->start_brk && 3997 vma->vm_end <= vma->vm_mm->brk) { 3998 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3999 PROCESS__EXECHEAP, NULL); 4000 } else if (!vma->vm_file && (vma_is_initial_stack(vma) || 4001 vma_is_stack_for_current(vma))) { 4002 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 4003 PROCESS__EXECSTACK, NULL); 4004 } else if (vma->vm_file && vma->anon_vma) { 4005 /* 4006 * We are making executable a file mapping that has 4007 * had some COW done. Since pages might have been 4008 * written, check ability to execute the possibly 4009 * modified content. This typically should only 4010 * occur for text relocations. 4011 */ 4012 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 4013 } 4014 if (rc) 4015 return rc; 4016 } 4017 4018 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 4019 } 4020 4021 static int selinux_file_lock(struct file *file, unsigned int cmd) 4022 { 4023 const struct cred *cred = current_cred(); 4024 4025 return file_has_perm(cred, file, FILE__LOCK); 4026 } 4027 4028 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 4029 unsigned long arg) 4030 { 4031 const struct cred *cred = current_cred(); 4032 int err = 0; 4033 4034 switch (cmd) { 4035 case F_SETFL: 4036 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 4037 err = file_has_perm(cred, file, FILE__WRITE); 4038 break; 4039 } 4040 fallthrough; 4041 case F_SETOWN: 4042 case F_SETSIG: 4043 case F_GETFL: 4044 case F_GETOWN: 4045 case F_GETSIG: 4046 case F_GETOWNER_UIDS: 4047 /* Just check FD__USE permission */ 4048 err = file_has_perm(cred, file, 0); 4049 break; 4050 case F_GETLK: 4051 case F_SETLK: 4052 case F_SETLKW: 4053 case F_OFD_GETLK: 4054 case F_OFD_SETLK: 4055 case F_OFD_SETLKW: 4056 #if BITS_PER_LONG == 32 4057 case F_GETLK64: 4058 case F_SETLK64: 4059 case F_SETLKW64: 4060 #endif 4061 err = file_has_perm(cred, file, FILE__LOCK); 4062 break; 4063 } 4064 4065 return err; 4066 } 4067 4068 static void selinux_file_set_fowner(struct file *file) 4069 { 4070 struct file_security_struct *fsec; 4071 4072 fsec = selinux_file(file); 4073 fsec->fown_sid = current_sid(); 4074 } 4075 4076 static int selinux_file_send_sigiotask(struct task_struct *tsk, 4077 struct fown_struct *fown, int signum) 4078 { 4079 struct file *file; 4080 u32 sid = task_sid_obj(tsk); 4081 u32 perm; 4082 struct file_security_struct *fsec; 4083 4084 /* struct fown_struct is never outside the context of a struct file */ 4085 file = fown->file; 4086 4087 fsec = selinux_file(file); 4088 4089 if (!signum) 4090 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 4091 else 4092 perm = signal_to_av(signum); 4093 4094 return avc_has_perm(fsec->fown_sid, sid, 4095 SECCLASS_PROCESS, perm, NULL); 4096 } 4097 4098 static int selinux_file_receive(struct file *file) 4099 { 4100 const struct cred *cred = current_cred(); 4101 4102 return file_has_perm(cred, file, file_to_av(file)); 4103 } 4104 4105 static int selinux_file_open(struct file *file) 4106 { 4107 struct file_security_struct *fsec; 4108 struct inode_security_struct *isec; 4109 4110 fsec = selinux_file(file); 4111 isec = inode_security(file_inode(file)); 4112 /* 4113 * Save inode label and policy sequence number 4114 * at open-time so that selinux_file_permission 4115 * can determine whether revalidation is necessary. 4116 * Task label is already saved in the file security 4117 * struct as its SID. 4118 */ 4119 fsec->isid = isec->sid; 4120 fsec->pseqno = avc_policy_seqno(); 4121 /* 4122 * Since the inode label or policy seqno may have changed 4123 * between the selinux_inode_permission check and the saving 4124 * of state above, recheck that access is still permitted. 4125 * Otherwise, access might never be revalidated against the 4126 * new inode label or new policy. 4127 * This check is not redundant - do not remove. 4128 */ 4129 return file_path_has_perm(file->f_cred, file, open_file_to_av(file)); 4130 } 4131 4132 /* task security operations */ 4133 4134 static int selinux_task_alloc(struct task_struct *task, 4135 unsigned long clone_flags) 4136 { 4137 u32 sid = current_sid(); 4138 4139 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 4140 } 4141 4142 /* 4143 * prepare a new set of credentials for modification 4144 */ 4145 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 4146 gfp_t gfp) 4147 { 4148 const struct task_security_struct *old_tsec = selinux_cred(old); 4149 struct task_security_struct *tsec = selinux_cred(new); 4150 4151 *tsec = *old_tsec; 4152 return 0; 4153 } 4154 4155 /* 4156 * transfer the SELinux data to a blank set of creds 4157 */ 4158 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 4159 { 4160 const struct task_security_struct *old_tsec = selinux_cred(old); 4161 struct task_security_struct *tsec = selinux_cred(new); 4162 4163 *tsec = *old_tsec; 4164 } 4165 4166 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 4167 { 4168 *secid = cred_sid(c); 4169 } 4170 4171 static void selinux_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop) 4172 { 4173 prop->selinux.secid = cred_sid(c); 4174 } 4175 4176 /* 4177 * set the security data for a kernel service 4178 * - all the creation contexts are set to unlabelled 4179 */ 4180 static int selinux_kernel_act_as(struct cred *new, u32 secid) 4181 { 4182 struct task_security_struct *tsec = selinux_cred(new); 4183 u32 sid = current_sid(); 4184 int ret; 4185 4186 ret = avc_has_perm(sid, secid, 4187 SECCLASS_KERNEL_SERVICE, 4188 KERNEL_SERVICE__USE_AS_OVERRIDE, 4189 NULL); 4190 if (ret == 0) { 4191 tsec->sid = secid; 4192 tsec->create_sid = 0; 4193 tsec->keycreate_sid = 0; 4194 tsec->sockcreate_sid = 0; 4195 } 4196 return ret; 4197 } 4198 4199 /* 4200 * set the file creation context in a security record to the same as the 4201 * objective context of the specified inode 4202 */ 4203 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 4204 { 4205 struct inode_security_struct *isec = inode_security(inode); 4206 struct task_security_struct *tsec = selinux_cred(new); 4207 u32 sid = current_sid(); 4208 int ret; 4209 4210 ret = avc_has_perm(sid, isec->sid, 4211 SECCLASS_KERNEL_SERVICE, 4212 KERNEL_SERVICE__CREATE_FILES_AS, 4213 NULL); 4214 4215 if (ret == 0) 4216 tsec->create_sid = isec->sid; 4217 return ret; 4218 } 4219 4220 static int selinux_kernel_module_request(char *kmod_name) 4221 { 4222 struct common_audit_data ad; 4223 4224 ad.type = LSM_AUDIT_DATA_KMOD; 4225 ad.u.kmod_name = kmod_name; 4226 4227 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4228 SYSTEM__MODULE_REQUEST, &ad); 4229 } 4230 4231 static int selinux_kernel_load_from_file(struct file *file, u32 requested) 4232 { 4233 struct common_audit_data ad; 4234 struct inode_security_struct *isec; 4235 struct file_security_struct *fsec; 4236 u32 sid = current_sid(); 4237 int rc; 4238 4239 if (file == NULL) 4240 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, requested, NULL); 4241 4242 ad.type = LSM_AUDIT_DATA_FILE; 4243 ad.u.file = file; 4244 4245 fsec = selinux_file(file); 4246 if (sid != fsec->sid) { 4247 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4248 if (rc) 4249 return rc; 4250 } 4251 4252 isec = inode_security(file_inode(file)); 4253 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, requested, &ad); 4254 } 4255 4256 static int selinux_kernel_read_file(struct file *file, 4257 enum kernel_read_file_id id, 4258 bool contents) 4259 { 4260 int rc = 0; 4261 4262 BUILD_BUG_ON_MSG(READING_MAX_ID > 7, 4263 "New kernel_read_file_id introduced; update SELinux!"); 4264 4265 switch (id) { 4266 case READING_FIRMWARE: 4267 rc = selinux_kernel_load_from_file(file, SYSTEM__FIRMWARE_LOAD); 4268 break; 4269 case READING_MODULE: 4270 rc = selinux_kernel_load_from_file(file, SYSTEM__MODULE_LOAD); 4271 break; 4272 case READING_KEXEC_IMAGE: 4273 rc = selinux_kernel_load_from_file(file, 4274 SYSTEM__KEXEC_IMAGE_LOAD); 4275 break; 4276 case READING_KEXEC_INITRAMFS: 4277 rc = selinux_kernel_load_from_file(file, 4278 SYSTEM__KEXEC_INITRAMFS_LOAD); 4279 break; 4280 case READING_POLICY: 4281 rc = selinux_kernel_load_from_file(file, SYSTEM__POLICY_LOAD); 4282 break; 4283 case READING_X509_CERTIFICATE: 4284 rc = selinux_kernel_load_from_file(file, 4285 SYSTEM__X509_CERTIFICATE_LOAD); 4286 break; 4287 default: 4288 break; 4289 } 4290 4291 return rc; 4292 } 4293 4294 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents) 4295 { 4296 int rc = 0; 4297 4298 BUILD_BUG_ON_MSG(LOADING_MAX_ID > 7, 4299 "New kernel_load_data_id introduced; update SELinux!"); 4300 4301 switch (id) { 4302 case LOADING_FIRMWARE: 4303 rc = selinux_kernel_load_from_file(NULL, SYSTEM__FIRMWARE_LOAD); 4304 break; 4305 case LOADING_MODULE: 4306 rc = selinux_kernel_load_from_file(NULL, SYSTEM__MODULE_LOAD); 4307 break; 4308 case LOADING_KEXEC_IMAGE: 4309 rc = selinux_kernel_load_from_file(NULL, 4310 SYSTEM__KEXEC_IMAGE_LOAD); 4311 break; 4312 case LOADING_KEXEC_INITRAMFS: 4313 rc = selinux_kernel_load_from_file(NULL, 4314 SYSTEM__KEXEC_INITRAMFS_LOAD); 4315 break; 4316 case LOADING_POLICY: 4317 rc = selinux_kernel_load_from_file(NULL, 4318 SYSTEM__POLICY_LOAD); 4319 break; 4320 case LOADING_X509_CERTIFICATE: 4321 rc = selinux_kernel_load_from_file(NULL, 4322 SYSTEM__X509_CERTIFICATE_LOAD); 4323 break; 4324 default: 4325 break; 4326 } 4327 4328 return rc; 4329 } 4330 4331 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4332 { 4333 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4334 PROCESS__SETPGID, NULL); 4335 } 4336 4337 static int selinux_task_getpgid(struct task_struct *p) 4338 { 4339 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4340 PROCESS__GETPGID, NULL); 4341 } 4342 4343 static int selinux_task_getsid(struct task_struct *p) 4344 { 4345 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4346 PROCESS__GETSESSION, NULL); 4347 } 4348 4349 static void selinux_current_getlsmprop_subj(struct lsm_prop *prop) 4350 { 4351 prop->selinux.secid = current_sid(); 4352 } 4353 4354 static void selinux_task_getlsmprop_obj(struct task_struct *p, 4355 struct lsm_prop *prop) 4356 { 4357 prop->selinux.secid = task_sid_obj(p); 4358 } 4359 4360 static int selinux_task_setnice(struct task_struct *p, int nice) 4361 { 4362 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4363 PROCESS__SETSCHED, NULL); 4364 } 4365 4366 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4367 { 4368 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4369 PROCESS__SETSCHED, NULL); 4370 } 4371 4372 static int selinux_task_getioprio(struct task_struct *p) 4373 { 4374 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4375 PROCESS__GETSCHED, NULL); 4376 } 4377 4378 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4379 unsigned int flags) 4380 { 4381 u32 av = 0; 4382 4383 if (!flags) 4384 return 0; 4385 if (flags & LSM_PRLIMIT_WRITE) 4386 av |= PROCESS__SETRLIMIT; 4387 if (flags & LSM_PRLIMIT_READ) 4388 av |= PROCESS__GETRLIMIT; 4389 return avc_has_perm(cred_sid(cred), cred_sid(tcred), 4390 SECCLASS_PROCESS, av, NULL); 4391 } 4392 4393 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4394 struct rlimit *new_rlim) 4395 { 4396 struct rlimit *old_rlim = p->signal->rlim + resource; 4397 4398 /* Control the ability to change the hard limit (whether 4399 lowering or raising it), so that the hard limit can 4400 later be used as a safe reset point for the soft limit 4401 upon context transitions. See selinux_bprm_committing_creds. */ 4402 if (old_rlim->rlim_max != new_rlim->rlim_max) 4403 return avc_has_perm(current_sid(), task_sid_obj(p), 4404 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4405 4406 return 0; 4407 } 4408 4409 static int selinux_task_setscheduler(struct task_struct *p) 4410 { 4411 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4412 PROCESS__SETSCHED, NULL); 4413 } 4414 4415 static int selinux_task_getscheduler(struct task_struct *p) 4416 { 4417 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4418 PROCESS__GETSCHED, NULL); 4419 } 4420 4421 static int selinux_task_movememory(struct task_struct *p) 4422 { 4423 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4424 PROCESS__SETSCHED, NULL); 4425 } 4426 4427 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, 4428 int sig, const struct cred *cred) 4429 { 4430 u32 secid; 4431 u32 perm; 4432 4433 if (!sig) 4434 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4435 else 4436 perm = signal_to_av(sig); 4437 if (!cred) 4438 secid = current_sid(); 4439 else 4440 secid = cred_sid(cred); 4441 return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL); 4442 } 4443 4444 static void selinux_task_to_inode(struct task_struct *p, 4445 struct inode *inode) 4446 { 4447 struct inode_security_struct *isec = selinux_inode(inode); 4448 u32 sid = task_sid_obj(p); 4449 4450 spin_lock(&isec->lock); 4451 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4452 isec->sid = sid; 4453 isec->initialized = LABEL_INITIALIZED; 4454 spin_unlock(&isec->lock); 4455 } 4456 4457 static int selinux_userns_create(const struct cred *cred) 4458 { 4459 u32 sid = current_sid(); 4460 4461 return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE, 4462 USER_NAMESPACE__CREATE, NULL); 4463 } 4464 4465 /* Returns error only if unable to parse addresses */ 4466 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4467 struct common_audit_data *ad, u8 *proto) 4468 { 4469 int offset, ihlen, ret = -EINVAL; 4470 struct iphdr _iph, *ih; 4471 4472 offset = skb_network_offset(skb); 4473 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4474 if (ih == NULL) 4475 goto out; 4476 4477 ihlen = ih->ihl * 4; 4478 if (ihlen < sizeof(_iph)) 4479 goto out; 4480 4481 ad->u.net->v4info.saddr = ih->saddr; 4482 ad->u.net->v4info.daddr = ih->daddr; 4483 ret = 0; 4484 4485 if (proto) 4486 *proto = ih->protocol; 4487 4488 switch (ih->protocol) { 4489 case IPPROTO_TCP: { 4490 struct tcphdr _tcph, *th; 4491 4492 if (ntohs(ih->frag_off) & IP_OFFSET) 4493 break; 4494 4495 offset += ihlen; 4496 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4497 if (th == NULL) 4498 break; 4499 4500 ad->u.net->sport = th->source; 4501 ad->u.net->dport = th->dest; 4502 break; 4503 } 4504 4505 case IPPROTO_UDP: { 4506 struct udphdr _udph, *uh; 4507 4508 if (ntohs(ih->frag_off) & IP_OFFSET) 4509 break; 4510 4511 offset += ihlen; 4512 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4513 if (uh == NULL) 4514 break; 4515 4516 ad->u.net->sport = uh->source; 4517 ad->u.net->dport = uh->dest; 4518 break; 4519 } 4520 4521 #if IS_ENABLED(CONFIG_IP_SCTP) 4522 case IPPROTO_SCTP: { 4523 struct sctphdr _sctph, *sh; 4524 4525 if (ntohs(ih->frag_off) & IP_OFFSET) 4526 break; 4527 4528 offset += ihlen; 4529 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4530 if (sh == NULL) 4531 break; 4532 4533 ad->u.net->sport = sh->source; 4534 ad->u.net->dport = sh->dest; 4535 break; 4536 } 4537 #endif 4538 default: 4539 break; 4540 } 4541 out: 4542 return ret; 4543 } 4544 4545 #if IS_ENABLED(CONFIG_IPV6) 4546 4547 /* Returns error only if unable to parse addresses */ 4548 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4549 struct common_audit_data *ad, u8 *proto) 4550 { 4551 u8 nexthdr; 4552 int ret = -EINVAL, offset; 4553 struct ipv6hdr _ipv6h, *ip6; 4554 __be16 frag_off; 4555 4556 offset = skb_network_offset(skb); 4557 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4558 if (ip6 == NULL) 4559 goto out; 4560 4561 ad->u.net->v6info.saddr = ip6->saddr; 4562 ad->u.net->v6info.daddr = ip6->daddr; 4563 ret = 0; 4564 4565 nexthdr = ip6->nexthdr; 4566 offset += sizeof(_ipv6h); 4567 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4568 if (offset < 0) 4569 goto out; 4570 4571 if (proto) 4572 *proto = nexthdr; 4573 4574 switch (nexthdr) { 4575 case IPPROTO_TCP: { 4576 struct tcphdr _tcph, *th; 4577 4578 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4579 if (th == NULL) 4580 break; 4581 4582 ad->u.net->sport = th->source; 4583 ad->u.net->dport = th->dest; 4584 break; 4585 } 4586 4587 case IPPROTO_UDP: { 4588 struct udphdr _udph, *uh; 4589 4590 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4591 if (uh == NULL) 4592 break; 4593 4594 ad->u.net->sport = uh->source; 4595 ad->u.net->dport = uh->dest; 4596 break; 4597 } 4598 4599 #if IS_ENABLED(CONFIG_IP_SCTP) 4600 case IPPROTO_SCTP: { 4601 struct sctphdr _sctph, *sh; 4602 4603 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4604 if (sh == NULL) 4605 break; 4606 4607 ad->u.net->sport = sh->source; 4608 ad->u.net->dport = sh->dest; 4609 break; 4610 } 4611 #endif 4612 /* includes fragments */ 4613 default: 4614 break; 4615 } 4616 out: 4617 return ret; 4618 } 4619 4620 #endif /* IPV6 */ 4621 4622 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4623 char **_addrp, int src, u8 *proto) 4624 { 4625 char *addrp; 4626 int ret; 4627 4628 switch (ad->u.net->family) { 4629 case PF_INET: 4630 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4631 if (ret) 4632 goto parse_error; 4633 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4634 &ad->u.net->v4info.daddr); 4635 goto okay; 4636 4637 #if IS_ENABLED(CONFIG_IPV6) 4638 case PF_INET6: 4639 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4640 if (ret) 4641 goto parse_error; 4642 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4643 &ad->u.net->v6info.daddr); 4644 goto okay; 4645 #endif /* IPV6 */ 4646 default: 4647 addrp = NULL; 4648 goto okay; 4649 } 4650 4651 parse_error: 4652 pr_warn( 4653 "SELinux: failure in selinux_parse_skb()," 4654 " unable to parse packet\n"); 4655 return ret; 4656 4657 okay: 4658 if (_addrp) 4659 *_addrp = addrp; 4660 return 0; 4661 } 4662 4663 /** 4664 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4665 * @skb: the packet 4666 * @family: protocol family 4667 * @sid: the packet's peer label SID 4668 * 4669 * Description: 4670 * Check the various different forms of network peer labeling and determine 4671 * the peer label/SID for the packet; most of the magic actually occurs in 4672 * the security server function security_net_peersid_cmp(). The function 4673 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4674 * or -EACCES if @sid is invalid due to inconsistencies with the different 4675 * peer labels. 4676 * 4677 */ 4678 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4679 { 4680 int err; 4681 u32 xfrm_sid; 4682 u32 nlbl_sid; 4683 u32 nlbl_type; 4684 4685 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4686 if (unlikely(err)) 4687 return -EACCES; 4688 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4689 if (unlikely(err)) 4690 return -EACCES; 4691 4692 err = security_net_peersid_resolve(nlbl_sid, 4693 nlbl_type, xfrm_sid, sid); 4694 if (unlikely(err)) { 4695 pr_warn( 4696 "SELinux: failure in selinux_skb_peerlbl_sid()," 4697 " unable to determine packet's peer label\n"); 4698 return -EACCES; 4699 } 4700 4701 return 0; 4702 } 4703 4704 /** 4705 * selinux_conn_sid - Determine the child socket label for a connection 4706 * @sk_sid: the parent socket's SID 4707 * @skb_sid: the packet's SID 4708 * @conn_sid: the resulting connection SID 4709 * 4710 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4711 * combined with the MLS information from @skb_sid in order to create 4712 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy 4713 * of @sk_sid. Returns zero on success, negative values on failure. 4714 * 4715 */ 4716 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4717 { 4718 int err = 0; 4719 4720 if (skb_sid != SECSID_NULL) 4721 err = security_sid_mls_copy(sk_sid, skb_sid, 4722 conn_sid); 4723 else 4724 *conn_sid = sk_sid; 4725 4726 return err; 4727 } 4728 4729 /* socket security operations */ 4730 4731 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4732 u16 secclass, u32 *socksid) 4733 { 4734 if (tsec->sockcreate_sid > SECSID_NULL) { 4735 *socksid = tsec->sockcreate_sid; 4736 return 0; 4737 } 4738 4739 return security_transition_sid(tsec->sid, tsec->sid, 4740 secclass, NULL, socksid); 4741 } 4742 4743 static bool sock_skip_has_perm(u32 sid) 4744 { 4745 if (sid == SECINITSID_KERNEL) 4746 return true; 4747 4748 /* 4749 * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that 4750 * inherited the kernel context from early boot used to be skipped 4751 * here, so preserve that behavior unless the capability is set. 4752 * 4753 * By setting the capability the policy signals that it is ready 4754 * for this quirk to be fixed. Note that sockets created by a kernel 4755 * thread or a usermode helper executed without a transition will 4756 * still be skipped in this check regardless of the policycap 4757 * setting. 4758 */ 4759 if (!selinux_policycap_userspace_initial_context() && 4760 sid == SECINITSID_INIT) 4761 return true; 4762 return false; 4763 } 4764 4765 4766 static int sock_has_perm(struct sock *sk, u32 perms) 4767 { 4768 struct sk_security_struct *sksec = sk->sk_security; 4769 struct common_audit_data ad; 4770 struct lsm_network_audit net; 4771 4772 if (sock_skip_has_perm(sksec->sid)) 4773 return 0; 4774 4775 ad_net_init_from_sk(&ad, &net, sk); 4776 4777 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4778 &ad); 4779 } 4780 4781 static int selinux_socket_create(int family, int type, 4782 int protocol, int kern) 4783 { 4784 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4785 u32 newsid; 4786 u16 secclass; 4787 int rc; 4788 4789 if (kern) 4790 return 0; 4791 4792 secclass = socket_type_to_security_class(family, type, protocol); 4793 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4794 if (rc) 4795 return rc; 4796 4797 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4798 } 4799 4800 static int selinux_socket_post_create(struct socket *sock, int family, 4801 int type, int protocol, int kern) 4802 { 4803 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4804 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4805 struct sk_security_struct *sksec; 4806 u16 sclass = socket_type_to_security_class(family, type, protocol); 4807 u32 sid = SECINITSID_KERNEL; 4808 int err = 0; 4809 4810 if (!kern) { 4811 err = socket_sockcreate_sid(tsec, sclass, &sid); 4812 if (err) 4813 return err; 4814 } 4815 4816 isec->sclass = sclass; 4817 isec->sid = sid; 4818 isec->initialized = LABEL_INITIALIZED; 4819 4820 if (sock->sk) { 4821 sksec = selinux_sock(sock->sk); 4822 sksec->sclass = sclass; 4823 sksec->sid = sid; 4824 /* Allows detection of the first association on this socket */ 4825 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4826 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4827 4828 err = selinux_netlbl_socket_post_create(sock->sk, family); 4829 } 4830 4831 return err; 4832 } 4833 4834 static int selinux_socket_socketpair(struct socket *socka, 4835 struct socket *sockb) 4836 { 4837 struct sk_security_struct *sksec_a = selinux_sock(socka->sk); 4838 struct sk_security_struct *sksec_b = selinux_sock(sockb->sk); 4839 4840 sksec_a->peer_sid = sksec_b->sid; 4841 sksec_b->peer_sid = sksec_a->sid; 4842 4843 return 0; 4844 } 4845 4846 /* Range of port numbers used to automatically bind. 4847 Need to determine whether we should perform a name_bind 4848 permission check between the socket and the port number. */ 4849 4850 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4851 { 4852 struct sock *sk = sock->sk; 4853 struct sk_security_struct *sksec = selinux_sock(sk); 4854 u16 family; 4855 int err; 4856 4857 err = sock_has_perm(sk, SOCKET__BIND); 4858 if (err) 4859 goto out; 4860 4861 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4862 family = sk->sk_family; 4863 if (family == PF_INET || family == PF_INET6) { 4864 char *addrp; 4865 struct common_audit_data ad; 4866 struct lsm_network_audit net = {0,}; 4867 struct sockaddr_in *addr4 = NULL; 4868 struct sockaddr_in6 *addr6 = NULL; 4869 u16 family_sa; 4870 unsigned short snum; 4871 u32 sid, node_perm; 4872 4873 /* 4874 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4875 * that validates multiple binding addresses. Because of this 4876 * need to check address->sa_family as it is possible to have 4877 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4878 */ 4879 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4880 return -EINVAL; 4881 family_sa = address->sa_family; 4882 switch (family_sa) { 4883 case AF_UNSPEC: 4884 case AF_INET: 4885 if (addrlen < sizeof(struct sockaddr_in)) 4886 return -EINVAL; 4887 addr4 = (struct sockaddr_in *)address; 4888 if (family_sa == AF_UNSPEC) { 4889 if (family == PF_INET6) { 4890 /* Length check from inet6_bind_sk() */ 4891 if (addrlen < SIN6_LEN_RFC2133) 4892 return -EINVAL; 4893 /* Family check from __inet6_bind() */ 4894 goto err_af; 4895 } 4896 /* see __inet_bind(), we only want to allow 4897 * AF_UNSPEC if the address is INADDR_ANY 4898 */ 4899 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4900 goto err_af; 4901 family_sa = AF_INET; 4902 } 4903 snum = ntohs(addr4->sin_port); 4904 addrp = (char *)&addr4->sin_addr.s_addr; 4905 break; 4906 case AF_INET6: 4907 if (addrlen < SIN6_LEN_RFC2133) 4908 return -EINVAL; 4909 addr6 = (struct sockaddr_in6 *)address; 4910 snum = ntohs(addr6->sin6_port); 4911 addrp = (char *)&addr6->sin6_addr.s6_addr; 4912 break; 4913 default: 4914 goto err_af; 4915 } 4916 4917 ad.type = LSM_AUDIT_DATA_NET; 4918 ad.u.net = &net; 4919 ad.u.net->sport = htons(snum); 4920 ad.u.net->family = family_sa; 4921 4922 if (snum) { 4923 int low, high; 4924 4925 inet_get_local_port_range(sock_net(sk), &low, &high); 4926 4927 if (inet_port_requires_bind_service(sock_net(sk), snum) || 4928 snum < low || snum > high) { 4929 err = sel_netport_sid(sk->sk_protocol, 4930 snum, &sid); 4931 if (err) 4932 goto out; 4933 err = avc_has_perm(sksec->sid, sid, 4934 sksec->sclass, 4935 SOCKET__NAME_BIND, &ad); 4936 if (err) 4937 goto out; 4938 } 4939 } 4940 4941 switch (sksec->sclass) { 4942 case SECCLASS_TCP_SOCKET: 4943 node_perm = TCP_SOCKET__NODE_BIND; 4944 break; 4945 4946 case SECCLASS_UDP_SOCKET: 4947 node_perm = UDP_SOCKET__NODE_BIND; 4948 break; 4949 4950 case SECCLASS_SCTP_SOCKET: 4951 node_perm = SCTP_SOCKET__NODE_BIND; 4952 break; 4953 4954 default: 4955 node_perm = RAWIP_SOCKET__NODE_BIND; 4956 break; 4957 } 4958 4959 err = sel_netnode_sid(addrp, family_sa, &sid); 4960 if (err) 4961 goto out; 4962 4963 if (family_sa == AF_INET) 4964 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4965 else 4966 ad.u.net->v6info.saddr = addr6->sin6_addr; 4967 4968 err = avc_has_perm(sksec->sid, sid, 4969 sksec->sclass, node_perm, &ad); 4970 if (err) 4971 goto out; 4972 } 4973 out: 4974 return err; 4975 err_af: 4976 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4977 if (sk->sk_protocol == IPPROTO_SCTP) 4978 return -EINVAL; 4979 return -EAFNOSUPPORT; 4980 } 4981 4982 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 4983 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst 4984 */ 4985 static int selinux_socket_connect_helper(struct socket *sock, 4986 struct sockaddr *address, int addrlen) 4987 { 4988 struct sock *sk = sock->sk; 4989 struct sk_security_struct *sksec = selinux_sock(sk); 4990 int err; 4991 4992 err = sock_has_perm(sk, SOCKET__CONNECT); 4993 if (err) 4994 return err; 4995 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4996 return -EINVAL; 4997 4998 /* connect(AF_UNSPEC) has special handling, as it is a documented 4999 * way to disconnect the socket 5000 */ 5001 if (address->sa_family == AF_UNSPEC) 5002 return 0; 5003 5004 /* 5005 * If a TCP or SCTP socket, check name_connect permission 5006 * for the port. 5007 */ 5008 if (sksec->sclass == SECCLASS_TCP_SOCKET || 5009 sksec->sclass == SECCLASS_SCTP_SOCKET) { 5010 struct common_audit_data ad; 5011 struct lsm_network_audit net = {0,}; 5012 struct sockaddr_in *addr4 = NULL; 5013 struct sockaddr_in6 *addr6 = NULL; 5014 unsigned short snum; 5015 u32 sid, perm; 5016 5017 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 5018 * that validates multiple connect addresses. Because of this 5019 * need to check address->sa_family as it is possible to have 5020 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 5021 */ 5022 switch (address->sa_family) { 5023 case AF_INET: 5024 addr4 = (struct sockaddr_in *)address; 5025 if (addrlen < sizeof(struct sockaddr_in)) 5026 return -EINVAL; 5027 snum = ntohs(addr4->sin_port); 5028 break; 5029 case AF_INET6: 5030 addr6 = (struct sockaddr_in6 *)address; 5031 if (addrlen < SIN6_LEN_RFC2133) 5032 return -EINVAL; 5033 snum = ntohs(addr6->sin6_port); 5034 break; 5035 default: 5036 /* Note that SCTP services expect -EINVAL, whereas 5037 * others expect -EAFNOSUPPORT. 5038 */ 5039 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 5040 return -EINVAL; 5041 else 5042 return -EAFNOSUPPORT; 5043 } 5044 5045 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 5046 if (err) 5047 return err; 5048 5049 switch (sksec->sclass) { 5050 case SECCLASS_TCP_SOCKET: 5051 perm = TCP_SOCKET__NAME_CONNECT; 5052 break; 5053 case SECCLASS_SCTP_SOCKET: 5054 perm = SCTP_SOCKET__NAME_CONNECT; 5055 break; 5056 } 5057 5058 ad.type = LSM_AUDIT_DATA_NET; 5059 ad.u.net = &net; 5060 ad.u.net->dport = htons(snum); 5061 ad.u.net->family = address->sa_family; 5062 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 5063 if (err) 5064 return err; 5065 } 5066 5067 return 0; 5068 } 5069 5070 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 5071 static int selinux_socket_connect(struct socket *sock, 5072 struct sockaddr *address, int addrlen) 5073 { 5074 int err; 5075 struct sock *sk = sock->sk; 5076 5077 err = selinux_socket_connect_helper(sock, address, addrlen); 5078 if (err) 5079 return err; 5080 5081 return selinux_netlbl_socket_connect(sk, address); 5082 } 5083 5084 static int selinux_socket_listen(struct socket *sock, int backlog) 5085 { 5086 return sock_has_perm(sock->sk, SOCKET__LISTEN); 5087 } 5088 5089 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 5090 { 5091 int err; 5092 struct inode_security_struct *isec; 5093 struct inode_security_struct *newisec; 5094 u16 sclass; 5095 u32 sid; 5096 5097 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 5098 if (err) 5099 return err; 5100 5101 isec = inode_security_novalidate(SOCK_INODE(sock)); 5102 spin_lock(&isec->lock); 5103 sclass = isec->sclass; 5104 sid = isec->sid; 5105 spin_unlock(&isec->lock); 5106 5107 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 5108 newisec->sclass = sclass; 5109 newisec->sid = sid; 5110 newisec->initialized = LABEL_INITIALIZED; 5111 5112 return 0; 5113 } 5114 5115 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 5116 int size) 5117 { 5118 return sock_has_perm(sock->sk, SOCKET__WRITE); 5119 } 5120 5121 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 5122 int size, int flags) 5123 { 5124 return sock_has_perm(sock->sk, SOCKET__READ); 5125 } 5126 5127 static int selinux_socket_getsockname(struct socket *sock) 5128 { 5129 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5130 } 5131 5132 static int selinux_socket_getpeername(struct socket *sock) 5133 { 5134 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5135 } 5136 5137 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 5138 { 5139 int err; 5140 5141 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 5142 if (err) 5143 return err; 5144 5145 return selinux_netlbl_socket_setsockopt(sock, level, optname); 5146 } 5147 5148 static int selinux_socket_getsockopt(struct socket *sock, int level, 5149 int optname) 5150 { 5151 return sock_has_perm(sock->sk, SOCKET__GETOPT); 5152 } 5153 5154 static int selinux_socket_shutdown(struct socket *sock, int how) 5155 { 5156 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 5157 } 5158 5159 static int selinux_socket_unix_stream_connect(struct sock *sock, 5160 struct sock *other, 5161 struct sock *newsk) 5162 { 5163 struct sk_security_struct *sksec_sock = selinux_sock(sock); 5164 struct sk_security_struct *sksec_other = selinux_sock(other); 5165 struct sk_security_struct *sksec_new = selinux_sock(newsk); 5166 struct common_audit_data ad; 5167 struct lsm_network_audit net; 5168 int err; 5169 5170 ad_net_init_from_sk(&ad, &net, other); 5171 5172 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 5173 sksec_other->sclass, 5174 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 5175 if (err) 5176 return err; 5177 5178 /* server child socket */ 5179 sksec_new->peer_sid = sksec_sock->sid; 5180 err = security_sid_mls_copy(sksec_other->sid, 5181 sksec_sock->sid, &sksec_new->sid); 5182 if (err) 5183 return err; 5184 5185 /* connecting socket */ 5186 sksec_sock->peer_sid = sksec_new->sid; 5187 5188 return 0; 5189 } 5190 5191 static int selinux_socket_unix_may_send(struct socket *sock, 5192 struct socket *other) 5193 { 5194 struct sk_security_struct *ssec = selinux_sock(sock->sk); 5195 struct sk_security_struct *osec = selinux_sock(other->sk); 5196 struct common_audit_data ad; 5197 struct lsm_network_audit net; 5198 5199 ad_net_init_from_sk(&ad, &net, other->sk); 5200 5201 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 5202 &ad); 5203 } 5204 5205 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 5206 char *addrp, u16 family, u32 peer_sid, 5207 struct common_audit_data *ad) 5208 { 5209 int err; 5210 u32 if_sid; 5211 u32 node_sid; 5212 5213 err = sel_netif_sid(ns, ifindex, &if_sid); 5214 if (err) 5215 return err; 5216 err = avc_has_perm(peer_sid, if_sid, 5217 SECCLASS_NETIF, NETIF__INGRESS, ad); 5218 if (err) 5219 return err; 5220 5221 err = sel_netnode_sid(addrp, family, &node_sid); 5222 if (err) 5223 return err; 5224 return avc_has_perm(peer_sid, node_sid, 5225 SECCLASS_NODE, NODE__RECVFROM, ad); 5226 } 5227 5228 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 5229 u16 family) 5230 { 5231 int err = 0; 5232 struct sk_security_struct *sksec = selinux_sock(sk); 5233 u32 sk_sid = sksec->sid; 5234 struct common_audit_data ad; 5235 struct lsm_network_audit net; 5236 char *addrp; 5237 5238 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family); 5239 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5240 if (err) 5241 return err; 5242 5243 if (selinux_secmark_enabled()) { 5244 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5245 PACKET__RECV, &ad); 5246 if (err) 5247 return err; 5248 } 5249 5250 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 5251 if (err) 5252 return err; 5253 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 5254 5255 return err; 5256 } 5257 5258 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 5259 { 5260 int err, peerlbl_active, secmark_active; 5261 struct sk_security_struct *sksec = selinux_sock(sk); 5262 u16 family = sk->sk_family; 5263 u32 sk_sid = sksec->sid; 5264 struct common_audit_data ad; 5265 struct lsm_network_audit net; 5266 char *addrp; 5267 5268 if (family != PF_INET && family != PF_INET6) 5269 return 0; 5270 5271 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5272 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5273 family = PF_INET; 5274 5275 /* If any sort of compatibility mode is enabled then handoff processing 5276 * to the selinux_sock_rcv_skb_compat() function to deal with the 5277 * special handling. We do this in an attempt to keep this function 5278 * as fast and as clean as possible. */ 5279 if (!selinux_policycap_netpeer()) 5280 return selinux_sock_rcv_skb_compat(sk, skb, family); 5281 5282 secmark_active = selinux_secmark_enabled(); 5283 peerlbl_active = selinux_peerlbl_enabled(); 5284 if (!secmark_active && !peerlbl_active) 5285 return 0; 5286 5287 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family); 5288 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5289 if (err) 5290 return err; 5291 5292 if (peerlbl_active) { 5293 u32 peer_sid; 5294 5295 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5296 if (err) 5297 return err; 5298 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5299 addrp, family, peer_sid, &ad); 5300 if (err) { 5301 selinux_netlbl_err(skb, family, err, 0); 5302 return err; 5303 } 5304 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 5305 PEER__RECV, &ad); 5306 if (err) { 5307 selinux_netlbl_err(skb, family, err, 0); 5308 return err; 5309 } 5310 } 5311 5312 if (secmark_active) { 5313 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5314 PACKET__RECV, &ad); 5315 if (err) 5316 return err; 5317 } 5318 5319 return err; 5320 } 5321 5322 static int selinux_socket_getpeersec_stream(struct socket *sock, 5323 sockptr_t optval, sockptr_t optlen, 5324 unsigned int len) 5325 { 5326 int err = 0; 5327 char *scontext = NULL; 5328 u32 scontext_len; 5329 struct sk_security_struct *sksec = selinux_sock(sock->sk); 5330 u32 peer_sid = SECSID_NULL; 5331 5332 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5333 sksec->sclass == SECCLASS_TCP_SOCKET || 5334 sksec->sclass == SECCLASS_SCTP_SOCKET) 5335 peer_sid = sksec->peer_sid; 5336 if (peer_sid == SECSID_NULL) 5337 return -ENOPROTOOPT; 5338 5339 err = security_sid_to_context(peer_sid, &scontext, 5340 &scontext_len); 5341 if (err) 5342 return err; 5343 if (scontext_len > len) { 5344 err = -ERANGE; 5345 goto out_len; 5346 } 5347 5348 if (copy_to_sockptr(optval, scontext, scontext_len)) 5349 err = -EFAULT; 5350 out_len: 5351 if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len))) 5352 err = -EFAULT; 5353 kfree(scontext); 5354 return err; 5355 } 5356 5357 static int selinux_socket_getpeersec_dgram(struct socket *sock, 5358 struct sk_buff *skb, u32 *secid) 5359 { 5360 u32 peer_secid = SECSID_NULL; 5361 u16 family; 5362 5363 if (skb && skb->protocol == htons(ETH_P_IP)) 5364 family = PF_INET; 5365 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5366 family = PF_INET6; 5367 else if (sock) 5368 family = sock->sk->sk_family; 5369 else { 5370 *secid = SECSID_NULL; 5371 return -EINVAL; 5372 } 5373 5374 if (sock && family == PF_UNIX) { 5375 struct inode_security_struct *isec; 5376 isec = inode_security_novalidate(SOCK_INODE(sock)); 5377 peer_secid = isec->sid; 5378 } else if (skb) 5379 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5380 5381 *secid = peer_secid; 5382 if (peer_secid == SECSID_NULL) 5383 return -ENOPROTOOPT; 5384 return 0; 5385 } 5386 5387 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5388 { 5389 struct sk_security_struct *sksec = selinux_sock(sk); 5390 5391 sksec->peer_sid = SECINITSID_UNLABELED; 5392 sksec->sid = SECINITSID_UNLABELED; 5393 sksec->sclass = SECCLASS_SOCKET; 5394 selinux_netlbl_sk_security_reset(sksec); 5395 5396 return 0; 5397 } 5398 5399 static void selinux_sk_free_security(struct sock *sk) 5400 { 5401 struct sk_security_struct *sksec = selinux_sock(sk); 5402 5403 selinux_netlbl_sk_security_free(sksec); 5404 } 5405 5406 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5407 { 5408 struct sk_security_struct *sksec = selinux_sock(sk); 5409 struct sk_security_struct *newsksec = selinux_sock(newsk); 5410 5411 newsksec->sid = sksec->sid; 5412 newsksec->peer_sid = sksec->peer_sid; 5413 newsksec->sclass = sksec->sclass; 5414 5415 selinux_netlbl_sk_security_reset(newsksec); 5416 } 5417 5418 static void selinux_sk_getsecid(const struct sock *sk, u32 *secid) 5419 { 5420 if (!sk) 5421 *secid = SECINITSID_ANY_SOCKET; 5422 else { 5423 const struct sk_security_struct *sksec = selinux_sock(sk); 5424 5425 *secid = sksec->sid; 5426 } 5427 } 5428 5429 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5430 { 5431 struct inode_security_struct *isec = 5432 inode_security_novalidate(SOCK_INODE(parent)); 5433 struct sk_security_struct *sksec = selinux_sock(sk); 5434 5435 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5436 sk->sk_family == PF_UNIX) 5437 isec->sid = sksec->sid; 5438 sksec->sclass = isec->sclass; 5439 } 5440 5441 /* 5442 * Determines peer_secid for the asoc and updates socket's peer label 5443 * if it's the first association on the socket. 5444 */ 5445 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc, 5446 struct sk_buff *skb) 5447 { 5448 struct sock *sk = asoc->base.sk; 5449 u16 family = sk->sk_family; 5450 struct sk_security_struct *sksec = selinux_sock(sk); 5451 struct common_audit_data ad; 5452 struct lsm_network_audit net; 5453 int err; 5454 5455 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5456 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5457 family = PF_INET; 5458 5459 if (selinux_peerlbl_enabled()) { 5460 asoc->peer_secid = SECSID_NULL; 5461 5462 /* This will return peer_sid = SECSID_NULL if there are 5463 * no peer labels, see security_net_peersid_resolve(). 5464 */ 5465 err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid); 5466 if (err) 5467 return err; 5468 5469 if (asoc->peer_secid == SECSID_NULL) 5470 asoc->peer_secid = SECINITSID_UNLABELED; 5471 } else { 5472 asoc->peer_secid = SECINITSID_UNLABELED; 5473 } 5474 5475 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5476 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5477 5478 /* Here as first association on socket. As the peer SID 5479 * was allowed by peer recv (and the netif/node checks), 5480 * then it is approved by policy and used as the primary 5481 * peer SID for getpeercon(3). 5482 */ 5483 sksec->peer_sid = asoc->peer_secid; 5484 } else if (sksec->peer_sid != asoc->peer_secid) { 5485 /* Other association peer SIDs are checked to enforce 5486 * consistency among the peer SIDs. 5487 */ 5488 ad_net_init_from_sk(&ad, &net, asoc->base.sk); 5489 err = avc_has_perm(sksec->peer_sid, asoc->peer_secid, 5490 sksec->sclass, SCTP_SOCKET__ASSOCIATION, 5491 &ad); 5492 if (err) 5493 return err; 5494 } 5495 return 0; 5496 } 5497 5498 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This 5499 * happens on an incoming connect(2), sctp_connectx(3) or 5500 * sctp_sendmsg(3) (with no association already present). 5501 */ 5502 static int selinux_sctp_assoc_request(struct sctp_association *asoc, 5503 struct sk_buff *skb) 5504 { 5505 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); 5506 u32 conn_sid; 5507 int err; 5508 5509 if (!selinux_policycap_extsockclass()) 5510 return 0; 5511 5512 err = selinux_sctp_process_new_assoc(asoc, skb); 5513 if (err) 5514 return err; 5515 5516 /* Compute the MLS component for the connection and store 5517 * the information in asoc. This will be used by SCTP TCP type 5518 * sockets and peeled off connections as they cause a new 5519 * socket to be generated. selinux_sctp_sk_clone() will then 5520 * plug this into the new socket. 5521 */ 5522 err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid); 5523 if (err) 5524 return err; 5525 5526 asoc->secid = conn_sid; 5527 5528 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5529 return selinux_netlbl_sctp_assoc_request(asoc, skb); 5530 } 5531 5532 /* Called when SCTP receives a COOKIE ACK chunk as the final 5533 * response to an association request (initited by us). 5534 */ 5535 static int selinux_sctp_assoc_established(struct sctp_association *asoc, 5536 struct sk_buff *skb) 5537 { 5538 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); 5539 5540 if (!selinux_policycap_extsockclass()) 5541 return 0; 5542 5543 /* Inherit secid from the parent socket - this will be picked up 5544 * by selinux_sctp_sk_clone() if the association gets peeled off 5545 * into a new socket. 5546 */ 5547 asoc->secid = sksec->sid; 5548 5549 return selinux_sctp_process_new_assoc(asoc, skb); 5550 } 5551 5552 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5553 * based on their @optname. 5554 */ 5555 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5556 struct sockaddr *address, 5557 int addrlen) 5558 { 5559 int len, err = 0, walk_size = 0; 5560 void *addr_buf; 5561 struct sockaddr *addr; 5562 struct socket *sock; 5563 5564 if (!selinux_policycap_extsockclass()) 5565 return 0; 5566 5567 /* Process one or more addresses that may be IPv4 or IPv6 */ 5568 sock = sk->sk_socket; 5569 addr_buf = address; 5570 5571 while (walk_size < addrlen) { 5572 if (walk_size + sizeof(sa_family_t) > addrlen) 5573 return -EINVAL; 5574 5575 addr = addr_buf; 5576 switch (addr->sa_family) { 5577 case AF_UNSPEC: 5578 case AF_INET: 5579 len = sizeof(struct sockaddr_in); 5580 break; 5581 case AF_INET6: 5582 len = sizeof(struct sockaddr_in6); 5583 break; 5584 default: 5585 return -EINVAL; 5586 } 5587 5588 if (walk_size + len > addrlen) 5589 return -EINVAL; 5590 5591 err = -EINVAL; 5592 switch (optname) { 5593 /* Bind checks */ 5594 case SCTP_PRIMARY_ADDR: 5595 case SCTP_SET_PEER_PRIMARY_ADDR: 5596 case SCTP_SOCKOPT_BINDX_ADD: 5597 err = selinux_socket_bind(sock, addr, len); 5598 break; 5599 /* Connect checks */ 5600 case SCTP_SOCKOPT_CONNECTX: 5601 case SCTP_PARAM_SET_PRIMARY: 5602 case SCTP_PARAM_ADD_IP: 5603 case SCTP_SENDMSG_CONNECT: 5604 err = selinux_socket_connect_helper(sock, addr, len); 5605 if (err) 5606 return err; 5607 5608 /* As selinux_sctp_bind_connect() is called by the 5609 * SCTP protocol layer, the socket is already locked, 5610 * therefore selinux_netlbl_socket_connect_locked() 5611 * is called here. The situations handled are: 5612 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5613 * whenever a new IP address is added or when a new 5614 * primary address is selected. 5615 * Note that an SCTP connect(2) call happens before 5616 * the SCTP protocol layer and is handled via 5617 * selinux_socket_connect(). 5618 */ 5619 err = selinux_netlbl_socket_connect_locked(sk, addr); 5620 break; 5621 } 5622 5623 if (err) 5624 return err; 5625 5626 addr_buf += len; 5627 walk_size += len; 5628 } 5629 5630 return 0; 5631 } 5632 5633 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5634 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, 5635 struct sock *newsk) 5636 { 5637 struct sk_security_struct *sksec = selinux_sock(sk); 5638 struct sk_security_struct *newsksec = selinux_sock(newsk); 5639 5640 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5641 * the non-sctp clone version. 5642 */ 5643 if (!selinux_policycap_extsockclass()) 5644 return selinux_sk_clone_security(sk, newsk); 5645 5646 newsksec->sid = asoc->secid; 5647 newsksec->peer_sid = asoc->peer_secid; 5648 newsksec->sclass = sksec->sclass; 5649 selinux_netlbl_sctp_sk_clone(sk, newsk); 5650 } 5651 5652 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk) 5653 { 5654 struct sk_security_struct *ssksec = selinux_sock(ssk); 5655 struct sk_security_struct *sksec = selinux_sock(sk); 5656 5657 ssksec->sclass = sksec->sclass; 5658 ssksec->sid = sksec->sid; 5659 5660 /* replace the existing subflow label deleting the existing one 5661 * and re-recreating a new label using the updated context 5662 */ 5663 selinux_netlbl_sk_security_free(ssksec); 5664 return selinux_netlbl_socket_post_create(ssk, ssk->sk_family); 5665 } 5666 5667 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 5668 struct request_sock *req) 5669 { 5670 struct sk_security_struct *sksec = selinux_sock(sk); 5671 int err; 5672 u16 family = req->rsk_ops->family; 5673 u32 connsid; 5674 u32 peersid; 5675 5676 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5677 if (err) 5678 return err; 5679 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5680 if (err) 5681 return err; 5682 req->secid = connsid; 5683 req->peer_secid = peersid; 5684 5685 return selinux_netlbl_inet_conn_request(req, family); 5686 } 5687 5688 static void selinux_inet_csk_clone(struct sock *newsk, 5689 const struct request_sock *req) 5690 { 5691 struct sk_security_struct *newsksec = selinux_sock(newsk); 5692 5693 newsksec->sid = req->secid; 5694 newsksec->peer_sid = req->peer_secid; 5695 /* NOTE: Ideally, we should also get the isec->sid for the 5696 new socket in sync, but we don't have the isec available yet. 5697 So we will wait until sock_graft to do it, by which 5698 time it will have been created and available. */ 5699 5700 /* We don't need to take any sort of lock here as we are the only 5701 * thread with access to newsksec */ 5702 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5703 } 5704 5705 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5706 { 5707 u16 family = sk->sk_family; 5708 struct sk_security_struct *sksec = selinux_sock(sk); 5709 5710 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5711 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5712 family = PF_INET; 5713 5714 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5715 } 5716 5717 static int selinux_secmark_relabel_packet(u32 sid) 5718 { 5719 return avc_has_perm(current_sid(), sid, SECCLASS_PACKET, PACKET__RELABELTO, 5720 NULL); 5721 } 5722 5723 static void selinux_secmark_refcount_inc(void) 5724 { 5725 atomic_inc(&selinux_secmark_refcount); 5726 } 5727 5728 static void selinux_secmark_refcount_dec(void) 5729 { 5730 atomic_dec(&selinux_secmark_refcount); 5731 } 5732 5733 static void selinux_req_classify_flow(const struct request_sock *req, 5734 struct flowi_common *flic) 5735 { 5736 flic->flowic_secid = req->secid; 5737 } 5738 5739 static int selinux_tun_dev_alloc_security(void *security) 5740 { 5741 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5742 5743 tunsec->sid = current_sid(); 5744 return 0; 5745 } 5746 5747 static int selinux_tun_dev_create(void) 5748 { 5749 u32 sid = current_sid(); 5750 5751 /* we aren't taking into account the "sockcreate" SID since the socket 5752 * that is being created here is not a socket in the traditional sense, 5753 * instead it is a private sock, accessible only to the kernel, and 5754 * representing a wide range of network traffic spanning multiple 5755 * connections unlike traditional sockets - check the TUN driver to 5756 * get a better understanding of why this socket is special */ 5757 5758 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5759 NULL); 5760 } 5761 5762 static int selinux_tun_dev_attach_queue(void *security) 5763 { 5764 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5765 5766 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5767 TUN_SOCKET__ATTACH_QUEUE, NULL); 5768 } 5769 5770 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5771 { 5772 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5773 struct sk_security_struct *sksec = selinux_sock(sk); 5774 5775 /* we don't currently perform any NetLabel based labeling here and it 5776 * isn't clear that we would want to do so anyway; while we could apply 5777 * labeling without the support of the TUN user the resulting labeled 5778 * traffic from the other end of the connection would almost certainly 5779 * cause confusion to the TUN user that had no idea network labeling 5780 * protocols were being used */ 5781 5782 sksec->sid = tunsec->sid; 5783 sksec->sclass = SECCLASS_TUN_SOCKET; 5784 5785 return 0; 5786 } 5787 5788 static int selinux_tun_dev_open(void *security) 5789 { 5790 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5791 u32 sid = current_sid(); 5792 int err; 5793 5794 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5795 TUN_SOCKET__RELABELFROM, NULL); 5796 if (err) 5797 return err; 5798 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 5799 TUN_SOCKET__RELABELTO, NULL); 5800 if (err) 5801 return err; 5802 tunsec->sid = sid; 5803 5804 return 0; 5805 } 5806 5807 #ifdef CONFIG_NETFILTER 5808 5809 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb, 5810 const struct nf_hook_state *state) 5811 { 5812 int ifindex; 5813 u16 family; 5814 char *addrp; 5815 u32 peer_sid; 5816 struct common_audit_data ad; 5817 struct lsm_network_audit net; 5818 int secmark_active, peerlbl_active; 5819 5820 if (!selinux_policycap_netpeer()) 5821 return NF_ACCEPT; 5822 5823 secmark_active = selinux_secmark_enabled(); 5824 peerlbl_active = selinux_peerlbl_enabled(); 5825 if (!secmark_active && !peerlbl_active) 5826 return NF_ACCEPT; 5827 5828 family = state->pf; 5829 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5830 return NF_DROP; 5831 5832 ifindex = state->in->ifindex; 5833 ad_net_init_from_iif(&ad, &net, ifindex, family); 5834 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5835 return NF_DROP; 5836 5837 if (peerlbl_active) { 5838 int err; 5839 5840 err = selinux_inet_sys_rcv_skb(state->net, ifindex, 5841 addrp, family, peer_sid, &ad); 5842 if (err) { 5843 selinux_netlbl_err(skb, family, err, 1); 5844 return NF_DROP; 5845 } 5846 } 5847 5848 if (secmark_active) 5849 if (avc_has_perm(peer_sid, skb->secmark, 5850 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5851 return NF_DROP; 5852 5853 if (netlbl_enabled()) 5854 /* we do this in the FORWARD path and not the POST_ROUTING 5855 * path because we want to make sure we apply the necessary 5856 * labeling before IPsec is applied so we can leverage AH 5857 * protection */ 5858 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5859 return NF_DROP; 5860 5861 return NF_ACCEPT; 5862 } 5863 5864 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb, 5865 const struct nf_hook_state *state) 5866 { 5867 struct sock *sk; 5868 u32 sid; 5869 5870 if (!netlbl_enabled()) 5871 return NF_ACCEPT; 5872 5873 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5874 * because we want to make sure we apply the necessary labeling 5875 * before IPsec is applied so we can leverage AH protection */ 5876 sk = sk_to_full_sk(skb->sk); 5877 if (sk) { 5878 struct sk_security_struct *sksec; 5879 5880 if (sk_listener(sk)) 5881 /* if the socket is the listening state then this 5882 * packet is a SYN-ACK packet which means it needs to 5883 * be labeled based on the connection/request_sock and 5884 * not the parent socket. unfortunately, we can't 5885 * lookup the request_sock yet as it isn't queued on 5886 * the parent socket until after the SYN-ACK is sent. 5887 * the "solution" is to simply pass the packet as-is 5888 * as any IP option based labeling should be copied 5889 * from the initial connection request (in the IP 5890 * layer). it is far from ideal, but until we get a 5891 * security label in the packet itself this is the 5892 * best we can do. */ 5893 return NF_ACCEPT; 5894 5895 /* standard practice, label using the parent socket */ 5896 sksec = selinux_sock(sk); 5897 sid = sksec->sid; 5898 } else 5899 sid = SECINITSID_KERNEL; 5900 if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0) 5901 return NF_DROP; 5902 5903 return NF_ACCEPT; 5904 } 5905 5906 5907 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5908 const struct nf_hook_state *state) 5909 { 5910 struct sock *sk; 5911 struct sk_security_struct *sksec; 5912 struct common_audit_data ad; 5913 struct lsm_network_audit net; 5914 u8 proto = 0; 5915 5916 sk = skb_to_full_sk(skb); 5917 if (sk == NULL) 5918 return NF_ACCEPT; 5919 sksec = selinux_sock(sk); 5920 5921 ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf); 5922 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto)) 5923 return NF_DROP; 5924 5925 if (selinux_secmark_enabled()) 5926 if (avc_has_perm(sksec->sid, skb->secmark, 5927 SECCLASS_PACKET, PACKET__SEND, &ad)) 5928 return NF_DROP_ERR(-ECONNREFUSED); 5929 5930 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5931 return NF_DROP_ERR(-ECONNREFUSED); 5932 5933 return NF_ACCEPT; 5934 } 5935 5936 static unsigned int selinux_ip_postroute(void *priv, 5937 struct sk_buff *skb, 5938 const struct nf_hook_state *state) 5939 { 5940 u16 family; 5941 u32 secmark_perm; 5942 u32 peer_sid; 5943 int ifindex; 5944 struct sock *sk; 5945 struct common_audit_data ad; 5946 struct lsm_network_audit net; 5947 char *addrp; 5948 int secmark_active, peerlbl_active; 5949 5950 /* If any sort of compatibility mode is enabled then handoff processing 5951 * to the selinux_ip_postroute_compat() function to deal with the 5952 * special handling. We do this in an attempt to keep this function 5953 * as fast and as clean as possible. */ 5954 if (!selinux_policycap_netpeer()) 5955 return selinux_ip_postroute_compat(skb, state); 5956 5957 secmark_active = selinux_secmark_enabled(); 5958 peerlbl_active = selinux_peerlbl_enabled(); 5959 if (!secmark_active && !peerlbl_active) 5960 return NF_ACCEPT; 5961 5962 sk = skb_to_full_sk(skb); 5963 5964 #ifdef CONFIG_XFRM 5965 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5966 * packet transformation so allow the packet to pass without any checks 5967 * since we'll have another chance to perform access control checks 5968 * when the packet is on it's final way out. 5969 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5970 * is NULL, in this case go ahead and apply access control. 5971 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5972 * TCP listening state we cannot wait until the XFRM processing 5973 * is done as we will miss out on the SA label if we do; 5974 * unfortunately, this means more work, but it is only once per 5975 * connection. */ 5976 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5977 !(sk && sk_listener(sk))) 5978 return NF_ACCEPT; 5979 #endif 5980 5981 family = state->pf; 5982 if (sk == NULL) { 5983 /* Without an associated socket the packet is either coming 5984 * from the kernel or it is being forwarded; check the packet 5985 * to determine which and if the packet is being forwarded 5986 * query the packet directly to determine the security label. */ 5987 if (skb->skb_iif) { 5988 secmark_perm = PACKET__FORWARD_OUT; 5989 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5990 return NF_DROP; 5991 } else { 5992 secmark_perm = PACKET__SEND; 5993 peer_sid = SECINITSID_KERNEL; 5994 } 5995 } else if (sk_listener(sk)) { 5996 /* Locally generated packet but the associated socket is in the 5997 * listening state which means this is a SYN-ACK packet. In 5998 * this particular case the correct security label is assigned 5999 * to the connection/request_sock but unfortunately we can't 6000 * query the request_sock as it isn't queued on the parent 6001 * socket until after the SYN-ACK packet is sent; the only 6002 * viable choice is to regenerate the label like we do in 6003 * selinux_inet_conn_request(). See also selinux_ip_output() 6004 * for similar problems. */ 6005 u32 skb_sid; 6006 struct sk_security_struct *sksec; 6007 6008 sksec = selinux_sock(sk); 6009 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 6010 return NF_DROP; 6011 /* At this point, if the returned skb peerlbl is SECSID_NULL 6012 * and the packet has been through at least one XFRM 6013 * transformation then we must be dealing with the "final" 6014 * form of labeled IPsec packet; since we've already applied 6015 * all of our access controls on this packet we can safely 6016 * pass the packet. */ 6017 if (skb_sid == SECSID_NULL) { 6018 switch (family) { 6019 case PF_INET: 6020 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 6021 return NF_ACCEPT; 6022 break; 6023 case PF_INET6: 6024 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 6025 return NF_ACCEPT; 6026 break; 6027 default: 6028 return NF_DROP_ERR(-ECONNREFUSED); 6029 } 6030 } 6031 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 6032 return NF_DROP; 6033 secmark_perm = PACKET__SEND; 6034 } else { 6035 /* Locally generated packet, fetch the security label from the 6036 * associated socket. */ 6037 struct sk_security_struct *sksec = selinux_sock(sk); 6038 peer_sid = sksec->sid; 6039 secmark_perm = PACKET__SEND; 6040 } 6041 6042 ifindex = state->out->ifindex; 6043 ad_net_init_from_iif(&ad, &net, ifindex, family); 6044 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 6045 return NF_DROP; 6046 6047 if (secmark_active) 6048 if (avc_has_perm(peer_sid, skb->secmark, 6049 SECCLASS_PACKET, secmark_perm, &ad)) 6050 return NF_DROP_ERR(-ECONNREFUSED); 6051 6052 if (peerlbl_active) { 6053 u32 if_sid; 6054 u32 node_sid; 6055 6056 if (sel_netif_sid(state->net, ifindex, &if_sid)) 6057 return NF_DROP; 6058 if (avc_has_perm(peer_sid, if_sid, 6059 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 6060 return NF_DROP_ERR(-ECONNREFUSED); 6061 6062 if (sel_netnode_sid(addrp, family, &node_sid)) 6063 return NF_DROP; 6064 if (avc_has_perm(peer_sid, node_sid, 6065 SECCLASS_NODE, NODE__SENDTO, &ad)) 6066 return NF_DROP_ERR(-ECONNREFUSED); 6067 } 6068 6069 return NF_ACCEPT; 6070 } 6071 #endif /* CONFIG_NETFILTER */ 6072 6073 static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type) 6074 { 6075 struct sk_security_struct *sksec = sk->sk_security; 6076 struct common_audit_data ad; 6077 u8 driver; 6078 u8 xperm; 6079 6080 if (sock_skip_has_perm(sksec->sid)) 6081 return 0; 6082 6083 ad.type = LSM_AUDIT_DATA_NLMSGTYPE; 6084 ad.u.nlmsg_type = nlmsg_type; 6085 6086 driver = nlmsg_type >> 8; 6087 xperm = nlmsg_type & 0xff; 6088 6089 return avc_has_extended_perms(current_sid(), sksec->sid, sksec->sclass, 6090 perms, driver, AVC_EXT_NLMSG, xperm, &ad); 6091 } 6092 6093 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 6094 { 6095 int rc = 0; 6096 unsigned int msg_len; 6097 unsigned int data_len = skb->len; 6098 unsigned char *data = skb->data; 6099 struct nlmsghdr *nlh; 6100 struct sk_security_struct *sksec = selinux_sock(sk); 6101 u16 sclass = sksec->sclass; 6102 u32 perm; 6103 6104 while (data_len >= nlmsg_total_size(0)) { 6105 nlh = (struct nlmsghdr *)data; 6106 6107 /* NOTE: the nlmsg_len field isn't reliably set by some netlink 6108 * users which means we can't reject skb's with bogus 6109 * length fields; our solution is to follow what 6110 * netlink_rcv_skb() does and simply skip processing at 6111 * messages with length fields that are clearly junk 6112 */ 6113 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len) 6114 return 0; 6115 6116 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm); 6117 if (rc == 0) { 6118 if (selinux_policycap_netlink_xperm()) { 6119 rc = nlmsg_sock_has_extended_perms( 6120 sk, perm, nlh->nlmsg_type); 6121 } else { 6122 rc = sock_has_perm(sk, perm); 6123 } 6124 if (rc) 6125 return rc; 6126 } else if (rc == -EINVAL) { 6127 /* -EINVAL is a missing msg/perm mapping */ 6128 pr_warn_ratelimited("SELinux: unrecognized netlink" 6129 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 6130 " pid=%d comm=%s\n", 6131 sk->sk_protocol, nlh->nlmsg_type, 6132 secclass_map[sclass - 1].name, 6133 task_pid_nr(current), current->comm); 6134 if (enforcing_enabled() && 6135 !security_get_allow_unknown()) 6136 return rc; 6137 rc = 0; 6138 } else if (rc == -ENOENT) { 6139 /* -ENOENT is a missing socket/class mapping, ignore */ 6140 rc = 0; 6141 } else { 6142 return rc; 6143 } 6144 6145 /* move to the next message after applying netlink padding */ 6146 msg_len = NLMSG_ALIGN(nlh->nlmsg_len); 6147 if (msg_len >= data_len) 6148 return 0; 6149 data_len -= msg_len; 6150 data += msg_len; 6151 } 6152 6153 return rc; 6154 } 6155 6156 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass) 6157 { 6158 isec->sclass = sclass; 6159 isec->sid = current_sid(); 6160 } 6161 6162 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 6163 u32 perms) 6164 { 6165 struct ipc_security_struct *isec; 6166 struct common_audit_data ad; 6167 u32 sid = current_sid(); 6168 6169 isec = selinux_ipc(ipc_perms); 6170 6171 ad.type = LSM_AUDIT_DATA_IPC; 6172 ad.u.ipc_id = ipc_perms->key; 6173 6174 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 6175 } 6176 6177 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 6178 { 6179 struct msg_security_struct *msec; 6180 6181 msec = selinux_msg_msg(msg); 6182 msec->sid = SECINITSID_UNLABELED; 6183 6184 return 0; 6185 } 6186 6187 /* message queue security operations */ 6188 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 6189 { 6190 struct ipc_security_struct *isec; 6191 struct common_audit_data ad; 6192 u32 sid = current_sid(); 6193 6194 isec = selinux_ipc(msq); 6195 ipc_init_security(isec, SECCLASS_MSGQ); 6196 6197 ad.type = LSM_AUDIT_DATA_IPC; 6198 ad.u.ipc_id = msq->key; 6199 6200 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6201 MSGQ__CREATE, &ad); 6202 } 6203 6204 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 6205 { 6206 struct ipc_security_struct *isec; 6207 struct common_audit_data ad; 6208 u32 sid = current_sid(); 6209 6210 isec = selinux_ipc(msq); 6211 6212 ad.type = LSM_AUDIT_DATA_IPC; 6213 ad.u.ipc_id = msq->key; 6214 6215 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6216 MSGQ__ASSOCIATE, &ad); 6217 } 6218 6219 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 6220 { 6221 u32 perms; 6222 6223 switch (cmd) { 6224 case IPC_INFO: 6225 case MSG_INFO: 6226 /* No specific object, just general system-wide information. */ 6227 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6228 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6229 case IPC_STAT: 6230 case MSG_STAT: 6231 case MSG_STAT_ANY: 6232 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6233 break; 6234 case IPC_SET: 6235 perms = MSGQ__SETATTR; 6236 break; 6237 case IPC_RMID: 6238 perms = MSGQ__DESTROY; 6239 break; 6240 default: 6241 return 0; 6242 } 6243 6244 return ipc_has_perm(msq, perms); 6245 } 6246 6247 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6248 { 6249 struct ipc_security_struct *isec; 6250 struct msg_security_struct *msec; 6251 struct common_audit_data ad; 6252 u32 sid = current_sid(); 6253 int rc; 6254 6255 isec = selinux_ipc(msq); 6256 msec = selinux_msg_msg(msg); 6257 6258 /* 6259 * First time through, need to assign label to the message 6260 */ 6261 if (msec->sid == SECINITSID_UNLABELED) { 6262 /* 6263 * Compute new sid based on current process and 6264 * message queue this message will be stored in 6265 */ 6266 rc = security_transition_sid(sid, isec->sid, 6267 SECCLASS_MSG, NULL, &msec->sid); 6268 if (rc) 6269 return rc; 6270 } 6271 6272 ad.type = LSM_AUDIT_DATA_IPC; 6273 ad.u.ipc_id = msq->key; 6274 6275 /* Can this process write to the queue? */ 6276 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6277 MSGQ__WRITE, &ad); 6278 if (!rc) 6279 /* Can this process send the message */ 6280 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 6281 MSG__SEND, &ad); 6282 if (!rc) 6283 /* Can the message be put in the queue? */ 6284 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 6285 MSGQ__ENQUEUE, &ad); 6286 6287 return rc; 6288 } 6289 6290 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6291 struct task_struct *target, 6292 long type, int mode) 6293 { 6294 struct ipc_security_struct *isec; 6295 struct msg_security_struct *msec; 6296 struct common_audit_data ad; 6297 u32 sid = task_sid_obj(target); 6298 int rc; 6299 6300 isec = selinux_ipc(msq); 6301 msec = selinux_msg_msg(msg); 6302 6303 ad.type = LSM_AUDIT_DATA_IPC; 6304 ad.u.ipc_id = msq->key; 6305 6306 rc = avc_has_perm(sid, isec->sid, 6307 SECCLASS_MSGQ, MSGQ__READ, &ad); 6308 if (!rc) 6309 rc = avc_has_perm(sid, msec->sid, 6310 SECCLASS_MSG, MSG__RECEIVE, &ad); 6311 return rc; 6312 } 6313 6314 /* Shared Memory security operations */ 6315 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6316 { 6317 struct ipc_security_struct *isec; 6318 struct common_audit_data ad; 6319 u32 sid = current_sid(); 6320 6321 isec = selinux_ipc(shp); 6322 ipc_init_security(isec, SECCLASS_SHM); 6323 6324 ad.type = LSM_AUDIT_DATA_IPC; 6325 ad.u.ipc_id = shp->key; 6326 6327 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6328 SHM__CREATE, &ad); 6329 } 6330 6331 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6332 { 6333 struct ipc_security_struct *isec; 6334 struct common_audit_data ad; 6335 u32 sid = current_sid(); 6336 6337 isec = selinux_ipc(shp); 6338 6339 ad.type = LSM_AUDIT_DATA_IPC; 6340 ad.u.ipc_id = shp->key; 6341 6342 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6343 SHM__ASSOCIATE, &ad); 6344 } 6345 6346 /* Note, at this point, shp is locked down */ 6347 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6348 { 6349 u32 perms; 6350 6351 switch (cmd) { 6352 case IPC_INFO: 6353 case SHM_INFO: 6354 /* No specific object, just general system-wide information. */ 6355 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6356 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6357 case IPC_STAT: 6358 case SHM_STAT: 6359 case SHM_STAT_ANY: 6360 perms = SHM__GETATTR | SHM__ASSOCIATE; 6361 break; 6362 case IPC_SET: 6363 perms = SHM__SETATTR; 6364 break; 6365 case SHM_LOCK: 6366 case SHM_UNLOCK: 6367 perms = SHM__LOCK; 6368 break; 6369 case IPC_RMID: 6370 perms = SHM__DESTROY; 6371 break; 6372 default: 6373 return 0; 6374 } 6375 6376 return ipc_has_perm(shp, perms); 6377 } 6378 6379 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6380 char __user *shmaddr, int shmflg) 6381 { 6382 u32 perms; 6383 6384 if (shmflg & SHM_RDONLY) 6385 perms = SHM__READ; 6386 else 6387 perms = SHM__READ | SHM__WRITE; 6388 6389 return ipc_has_perm(shp, perms); 6390 } 6391 6392 /* Semaphore security operations */ 6393 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6394 { 6395 struct ipc_security_struct *isec; 6396 struct common_audit_data ad; 6397 u32 sid = current_sid(); 6398 6399 isec = selinux_ipc(sma); 6400 ipc_init_security(isec, SECCLASS_SEM); 6401 6402 ad.type = LSM_AUDIT_DATA_IPC; 6403 ad.u.ipc_id = sma->key; 6404 6405 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6406 SEM__CREATE, &ad); 6407 } 6408 6409 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6410 { 6411 struct ipc_security_struct *isec; 6412 struct common_audit_data ad; 6413 u32 sid = current_sid(); 6414 6415 isec = selinux_ipc(sma); 6416 6417 ad.type = LSM_AUDIT_DATA_IPC; 6418 ad.u.ipc_id = sma->key; 6419 6420 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6421 SEM__ASSOCIATE, &ad); 6422 } 6423 6424 /* Note, at this point, sma is locked down */ 6425 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6426 { 6427 int err; 6428 u32 perms; 6429 6430 switch (cmd) { 6431 case IPC_INFO: 6432 case SEM_INFO: 6433 /* No specific object, just general system-wide information. */ 6434 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6435 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6436 case GETPID: 6437 case GETNCNT: 6438 case GETZCNT: 6439 perms = SEM__GETATTR; 6440 break; 6441 case GETVAL: 6442 case GETALL: 6443 perms = SEM__READ; 6444 break; 6445 case SETVAL: 6446 case SETALL: 6447 perms = SEM__WRITE; 6448 break; 6449 case IPC_RMID: 6450 perms = SEM__DESTROY; 6451 break; 6452 case IPC_SET: 6453 perms = SEM__SETATTR; 6454 break; 6455 case IPC_STAT: 6456 case SEM_STAT: 6457 case SEM_STAT_ANY: 6458 perms = SEM__GETATTR | SEM__ASSOCIATE; 6459 break; 6460 default: 6461 return 0; 6462 } 6463 6464 err = ipc_has_perm(sma, perms); 6465 return err; 6466 } 6467 6468 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6469 struct sembuf *sops, unsigned nsops, int alter) 6470 { 6471 u32 perms; 6472 6473 if (alter) 6474 perms = SEM__READ | SEM__WRITE; 6475 else 6476 perms = SEM__READ; 6477 6478 return ipc_has_perm(sma, perms); 6479 } 6480 6481 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6482 { 6483 u32 av = 0; 6484 6485 av = 0; 6486 if (flag & S_IRUGO) 6487 av |= IPC__UNIX_READ; 6488 if (flag & S_IWUGO) 6489 av |= IPC__UNIX_WRITE; 6490 6491 if (av == 0) 6492 return 0; 6493 6494 return ipc_has_perm(ipcp, av); 6495 } 6496 6497 static void selinux_ipc_getlsmprop(struct kern_ipc_perm *ipcp, 6498 struct lsm_prop *prop) 6499 { 6500 struct ipc_security_struct *isec = selinux_ipc(ipcp); 6501 prop->selinux.secid = isec->sid; 6502 } 6503 6504 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6505 { 6506 if (inode) 6507 inode_doinit_with_dentry(inode, dentry); 6508 } 6509 6510 static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p, 6511 char **value) 6512 { 6513 const struct task_security_struct *tsec; 6514 int error; 6515 u32 sid; 6516 u32 len; 6517 6518 rcu_read_lock(); 6519 tsec = selinux_cred(__task_cred(p)); 6520 if (p != current) { 6521 error = avc_has_perm(current_sid(), tsec->sid, 6522 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6523 if (error) 6524 goto err_unlock; 6525 } 6526 switch (attr) { 6527 case LSM_ATTR_CURRENT: 6528 sid = tsec->sid; 6529 break; 6530 case LSM_ATTR_PREV: 6531 sid = tsec->osid; 6532 break; 6533 case LSM_ATTR_EXEC: 6534 sid = tsec->exec_sid; 6535 break; 6536 case LSM_ATTR_FSCREATE: 6537 sid = tsec->create_sid; 6538 break; 6539 case LSM_ATTR_KEYCREATE: 6540 sid = tsec->keycreate_sid; 6541 break; 6542 case LSM_ATTR_SOCKCREATE: 6543 sid = tsec->sockcreate_sid; 6544 break; 6545 default: 6546 error = -EOPNOTSUPP; 6547 goto err_unlock; 6548 } 6549 rcu_read_unlock(); 6550 6551 if (sid == SECSID_NULL) { 6552 *value = NULL; 6553 return 0; 6554 } 6555 6556 error = security_sid_to_context(sid, value, &len); 6557 if (error) 6558 return error; 6559 return len; 6560 6561 err_unlock: 6562 rcu_read_unlock(); 6563 return error; 6564 } 6565 6566 static int selinux_lsm_setattr(u64 attr, void *value, size_t size) 6567 { 6568 struct task_security_struct *tsec; 6569 struct cred *new; 6570 u32 mysid = current_sid(), sid = 0, ptsid; 6571 int error; 6572 char *str = value; 6573 6574 /* 6575 * Basic control over ability to set these attributes at all. 6576 */ 6577 switch (attr) { 6578 case LSM_ATTR_EXEC: 6579 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6580 PROCESS__SETEXEC, NULL); 6581 break; 6582 case LSM_ATTR_FSCREATE: 6583 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6584 PROCESS__SETFSCREATE, NULL); 6585 break; 6586 case LSM_ATTR_KEYCREATE: 6587 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6588 PROCESS__SETKEYCREATE, NULL); 6589 break; 6590 case LSM_ATTR_SOCKCREATE: 6591 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6592 PROCESS__SETSOCKCREATE, NULL); 6593 break; 6594 case LSM_ATTR_CURRENT: 6595 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6596 PROCESS__SETCURRENT, NULL); 6597 break; 6598 default: 6599 error = -EOPNOTSUPP; 6600 break; 6601 } 6602 if (error) 6603 return error; 6604 6605 /* Obtain a SID for the context, if one was specified. */ 6606 if (size && str[0] && str[0] != '\n') { 6607 if (str[size-1] == '\n') { 6608 str[size-1] = 0; 6609 size--; 6610 } 6611 error = security_context_to_sid(value, size, 6612 &sid, GFP_KERNEL); 6613 if (error == -EINVAL && attr == LSM_ATTR_FSCREATE) { 6614 if (!has_cap_mac_admin(true)) { 6615 struct audit_buffer *ab; 6616 size_t audit_size; 6617 6618 /* We strip a nul only if it is at the end, 6619 * otherwise the context contains a nul and 6620 * we should audit that */ 6621 if (str[size - 1] == '\0') 6622 audit_size = size - 1; 6623 else 6624 audit_size = size; 6625 ab = audit_log_start(audit_context(), 6626 GFP_ATOMIC, 6627 AUDIT_SELINUX_ERR); 6628 if (!ab) 6629 return error; 6630 audit_log_format(ab, "op=fscreate invalid_context="); 6631 audit_log_n_untrustedstring(ab, value, 6632 audit_size); 6633 audit_log_end(ab); 6634 6635 return error; 6636 } 6637 error = security_context_to_sid_force(value, size, 6638 &sid); 6639 } 6640 if (error) 6641 return error; 6642 } 6643 6644 new = prepare_creds(); 6645 if (!new) 6646 return -ENOMEM; 6647 6648 /* Permission checking based on the specified context is 6649 performed during the actual operation (execve, 6650 open/mkdir/...), when we know the full context of the 6651 operation. See selinux_bprm_creds_for_exec for the execve 6652 checks and may_create for the file creation checks. The 6653 operation will then fail if the context is not permitted. */ 6654 tsec = selinux_cred(new); 6655 if (attr == LSM_ATTR_EXEC) { 6656 tsec->exec_sid = sid; 6657 } else if (attr == LSM_ATTR_FSCREATE) { 6658 tsec->create_sid = sid; 6659 } else if (attr == LSM_ATTR_KEYCREATE) { 6660 if (sid) { 6661 error = avc_has_perm(mysid, sid, 6662 SECCLASS_KEY, KEY__CREATE, NULL); 6663 if (error) 6664 goto abort_change; 6665 } 6666 tsec->keycreate_sid = sid; 6667 } else if (attr == LSM_ATTR_SOCKCREATE) { 6668 tsec->sockcreate_sid = sid; 6669 } else if (attr == LSM_ATTR_CURRENT) { 6670 error = -EINVAL; 6671 if (sid == 0) 6672 goto abort_change; 6673 6674 if (!current_is_single_threaded()) { 6675 error = security_bounded_transition(tsec->sid, sid); 6676 if (error) 6677 goto abort_change; 6678 } 6679 6680 /* Check permissions for the transition. */ 6681 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 6682 PROCESS__DYNTRANSITION, NULL); 6683 if (error) 6684 goto abort_change; 6685 6686 /* Check for ptracing, and update the task SID if ok. 6687 Otherwise, leave SID unchanged and fail. */ 6688 ptsid = ptrace_parent_sid(); 6689 if (ptsid != 0) { 6690 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 6691 PROCESS__PTRACE, NULL); 6692 if (error) 6693 goto abort_change; 6694 } 6695 6696 tsec->sid = sid; 6697 } else { 6698 error = -EINVAL; 6699 goto abort_change; 6700 } 6701 6702 commit_creds(new); 6703 return size; 6704 6705 abort_change: 6706 abort_creds(new); 6707 return error; 6708 } 6709 6710 /** 6711 * selinux_getselfattr - Get SELinux current task attributes 6712 * @attr: the requested attribute 6713 * @ctx: buffer to receive the result 6714 * @size: buffer size (input), buffer size used (output) 6715 * @flags: unused 6716 * 6717 * Fill the passed user space @ctx with the details of the requested 6718 * attribute. 6719 * 6720 * Returns the number of attributes on success, an error code otherwise. 6721 * There will only ever be one attribute. 6722 */ 6723 static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, 6724 u32 *size, u32 flags) 6725 { 6726 int rc; 6727 char *val = NULL; 6728 int val_len; 6729 6730 val_len = selinux_lsm_getattr(attr, current, &val); 6731 if (val_len < 0) 6732 return val_len; 6733 rc = lsm_fill_user_ctx(ctx, size, val, val_len, LSM_ID_SELINUX, 0); 6734 kfree(val); 6735 return (!rc ? 1 : rc); 6736 } 6737 6738 static int selinux_setselfattr(unsigned int attr, struct lsm_ctx *ctx, 6739 u32 size, u32 flags) 6740 { 6741 int rc; 6742 6743 rc = selinux_lsm_setattr(attr, ctx->ctx, ctx->ctx_len); 6744 if (rc > 0) 6745 return 0; 6746 return rc; 6747 } 6748 6749 static int selinux_getprocattr(struct task_struct *p, 6750 const char *name, char **value) 6751 { 6752 unsigned int attr = lsm_name_to_attr(name); 6753 int rc; 6754 6755 if (attr) { 6756 rc = selinux_lsm_getattr(attr, p, value); 6757 if (rc != -EOPNOTSUPP) 6758 return rc; 6759 } 6760 6761 return -EINVAL; 6762 } 6763 6764 static int selinux_setprocattr(const char *name, void *value, size_t size) 6765 { 6766 int attr = lsm_name_to_attr(name); 6767 6768 if (attr) 6769 return selinux_lsm_setattr(attr, value, size); 6770 return -EINVAL; 6771 } 6772 6773 static int selinux_ismaclabel(const char *name) 6774 { 6775 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6776 } 6777 6778 static int selinux_secid_to_secctx(u32 secid, struct lsm_context *cp) 6779 { 6780 u32 seclen; 6781 int ret; 6782 6783 if (cp) { 6784 cp->id = LSM_ID_SELINUX; 6785 ret = security_sid_to_context(secid, &cp->context, &cp->len); 6786 if (ret < 0) 6787 return ret; 6788 return cp->len; 6789 } 6790 ret = security_sid_to_context(secid, NULL, &seclen); 6791 if (ret < 0) 6792 return ret; 6793 return seclen; 6794 } 6795 6796 static int selinux_lsmprop_to_secctx(struct lsm_prop *prop, 6797 struct lsm_context *cp) 6798 { 6799 return selinux_secid_to_secctx(prop->selinux.secid, cp); 6800 } 6801 6802 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6803 { 6804 return security_context_to_sid(secdata, seclen, 6805 secid, GFP_KERNEL); 6806 } 6807 6808 static void selinux_release_secctx(struct lsm_context *cp) 6809 { 6810 if (cp->id == LSM_ID_SELINUX) { 6811 kfree(cp->context); 6812 cp->context = NULL; 6813 cp->id = LSM_ID_UNDEF; 6814 } 6815 } 6816 6817 static void selinux_inode_invalidate_secctx(struct inode *inode) 6818 { 6819 struct inode_security_struct *isec = selinux_inode(inode); 6820 6821 spin_lock(&isec->lock); 6822 isec->initialized = LABEL_INVALID; 6823 spin_unlock(&isec->lock); 6824 } 6825 6826 /* 6827 * called with inode->i_mutex locked 6828 */ 6829 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6830 { 6831 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, 6832 ctx, ctxlen, 0); 6833 /* Do not return error when suppressing label (SBLABEL_MNT not set). */ 6834 return rc == -EOPNOTSUPP ? 0 : rc; 6835 } 6836 6837 /* 6838 * called with inode->i_mutex locked 6839 */ 6840 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6841 { 6842 return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX, 6843 ctx, ctxlen, 0, NULL); 6844 } 6845 6846 static int selinux_inode_getsecctx(struct inode *inode, struct lsm_context *cp) 6847 { 6848 int len; 6849 len = selinux_inode_getsecurity(&nop_mnt_idmap, inode, 6850 XATTR_SELINUX_SUFFIX, 6851 (void **)&cp->context, true); 6852 if (len < 0) 6853 return len; 6854 cp->len = len; 6855 cp->id = LSM_ID_SELINUX; 6856 return 0; 6857 } 6858 #ifdef CONFIG_KEYS 6859 6860 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6861 unsigned long flags) 6862 { 6863 const struct task_security_struct *tsec; 6864 struct key_security_struct *ksec = selinux_key(k); 6865 6866 tsec = selinux_cred(cred); 6867 if (tsec->keycreate_sid) 6868 ksec->sid = tsec->keycreate_sid; 6869 else 6870 ksec->sid = tsec->sid; 6871 6872 return 0; 6873 } 6874 6875 static int selinux_key_permission(key_ref_t key_ref, 6876 const struct cred *cred, 6877 enum key_need_perm need_perm) 6878 { 6879 struct key *key; 6880 struct key_security_struct *ksec; 6881 u32 perm, sid; 6882 6883 switch (need_perm) { 6884 case KEY_NEED_VIEW: 6885 perm = KEY__VIEW; 6886 break; 6887 case KEY_NEED_READ: 6888 perm = KEY__READ; 6889 break; 6890 case KEY_NEED_WRITE: 6891 perm = KEY__WRITE; 6892 break; 6893 case KEY_NEED_SEARCH: 6894 perm = KEY__SEARCH; 6895 break; 6896 case KEY_NEED_LINK: 6897 perm = KEY__LINK; 6898 break; 6899 case KEY_NEED_SETATTR: 6900 perm = KEY__SETATTR; 6901 break; 6902 case KEY_NEED_UNLINK: 6903 case KEY_SYSADMIN_OVERRIDE: 6904 case KEY_AUTHTOKEN_OVERRIDE: 6905 case KEY_DEFER_PERM_CHECK: 6906 return 0; 6907 default: 6908 WARN_ON(1); 6909 return -EPERM; 6910 6911 } 6912 6913 sid = cred_sid(cred); 6914 key = key_ref_to_ptr(key_ref); 6915 ksec = selinux_key(key); 6916 6917 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6918 } 6919 6920 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6921 { 6922 struct key_security_struct *ksec = selinux_key(key); 6923 char *context = NULL; 6924 unsigned len; 6925 int rc; 6926 6927 rc = security_sid_to_context(ksec->sid, 6928 &context, &len); 6929 if (!rc) 6930 rc = len; 6931 *_buffer = context; 6932 return rc; 6933 } 6934 6935 #ifdef CONFIG_KEY_NOTIFICATIONS 6936 static int selinux_watch_key(struct key *key) 6937 { 6938 struct key_security_struct *ksec = selinux_key(key); 6939 u32 sid = current_sid(); 6940 6941 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL); 6942 } 6943 #endif 6944 #endif 6945 6946 #ifdef CONFIG_SECURITY_INFINIBAND 6947 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6948 { 6949 struct common_audit_data ad; 6950 int err; 6951 u32 sid = 0; 6952 struct ib_security_struct *sec = ib_sec; 6953 struct lsm_ibpkey_audit ibpkey; 6954 6955 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6956 if (err) 6957 return err; 6958 6959 ad.type = LSM_AUDIT_DATA_IBPKEY; 6960 ibpkey.subnet_prefix = subnet_prefix; 6961 ibpkey.pkey = pkey_val; 6962 ad.u.ibpkey = &ibpkey; 6963 return avc_has_perm(sec->sid, sid, 6964 SECCLASS_INFINIBAND_PKEY, 6965 INFINIBAND_PKEY__ACCESS, &ad); 6966 } 6967 6968 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6969 u8 port_num) 6970 { 6971 struct common_audit_data ad; 6972 int err; 6973 u32 sid = 0; 6974 struct ib_security_struct *sec = ib_sec; 6975 struct lsm_ibendport_audit ibendport; 6976 6977 err = security_ib_endport_sid(dev_name, port_num, 6978 &sid); 6979 6980 if (err) 6981 return err; 6982 6983 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6984 ibendport.dev_name = dev_name; 6985 ibendport.port = port_num; 6986 ad.u.ibendport = &ibendport; 6987 return avc_has_perm(sec->sid, sid, 6988 SECCLASS_INFINIBAND_ENDPORT, 6989 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6990 } 6991 6992 static int selinux_ib_alloc_security(void *ib_sec) 6993 { 6994 struct ib_security_struct *sec = selinux_ib(ib_sec); 6995 6996 sec->sid = current_sid(); 6997 return 0; 6998 } 6999 #endif 7000 7001 #ifdef CONFIG_BPF_SYSCALL 7002 static int selinux_bpf(int cmd, union bpf_attr *attr, 7003 unsigned int size, bool kernel) 7004 { 7005 u32 sid = current_sid(); 7006 int ret; 7007 7008 switch (cmd) { 7009 case BPF_MAP_CREATE: 7010 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 7011 NULL); 7012 break; 7013 case BPF_PROG_LOAD: 7014 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 7015 NULL); 7016 break; 7017 default: 7018 ret = 0; 7019 break; 7020 } 7021 7022 return ret; 7023 } 7024 7025 static u32 bpf_map_fmode_to_av(fmode_t fmode) 7026 { 7027 u32 av = 0; 7028 7029 if (fmode & FMODE_READ) 7030 av |= BPF__MAP_READ; 7031 if (fmode & FMODE_WRITE) 7032 av |= BPF__MAP_WRITE; 7033 return av; 7034 } 7035 7036 /* This function will check the file pass through unix socket or binder to see 7037 * if it is a bpf related object. And apply corresponding checks on the bpf 7038 * object based on the type. The bpf maps and programs, not like other files and 7039 * socket, are using a shared anonymous inode inside the kernel as their inode. 7040 * So checking that inode cannot identify if the process have privilege to 7041 * access the bpf object and that's why we have to add this additional check in 7042 * selinux_file_receive and selinux_binder_transfer_files. 7043 */ 7044 static int bpf_fd_pass(const struct file *file, u32 sid) 7045 { 7046 struct bpf_security_struct *bpfsec; 7047 struct bpf_prog *prog; 7048 struct bpf_map *map; 7049 int ret; 7050 7051 if (file->f_op == &bpf_map_fops) { 7052 map = file->private_data; 7053 bpfsec = map->security; 7054 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7055 bpf_map_fmode_to_av(file->f_mode), NULL); 7056 if (ret) 7057 return ret; 7058 } else if (file->f_op == &bpf_prog_fops) { 7059 prog = file->private_data; 7060 bpfsec = prog->aux->security; 7061 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7062 BPF__PROG_RUN, NULL); 7063 if (ret) 7064 return ret; 7065 } 7066 return 0; 7067 } 7068 7069 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 7070 { 7071 u32 sid = current_sid(); 7072 struct bpf_security_struct *bpfsec; 7073 7074 bpfsec = map->security; 7075 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7076 bpf_map_fmode_to_av(fmode), NULL); 7077 } 7078 7079 static int selinux_bpf_prog(struct bpf_prog *prog) 7080 { 7081 u32 sid = current_sid(); 7082 struct bpf_security_struct *bpfsec; 7083 7084 bpfsec = prog->aux->security; 7085 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7086 BPF__PROG_RUN, NULL); 7087 } 7088 7089 static int selinux_bpf_map_create(struct bpf_map *map, union bpf_attr *attr, 7090 struct bpf_token *token, bool kernel) 7091 { 7092 struct bpf_security_struct *bpfsec; 7093 7094 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 7095 if (!bpfsec) 7096 return -ENOMEM; 7097 7098 bpfsec->sid = current_sid(); 7099 map->security = bpfsec; 7100 7101 return 0; 7102 } 7103 7104 static void selinux_bpf_map_free(struct bpf_map *map) 7105 { 7106 struct bpf_security_struct *bpfsec = map->security; 7107 7108 map->security = NULL; 7109 kfree(bpfsec); 7110 } 7111 7112 static int selinux_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr, 7113 struct bpf_token *token, bool kernel) 7114 { 7115 struct bpf_security_struct *bpfsec; 7116 7117 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 7118 if (!bpfsec) 7119 return -ENOMEM; 7120 7121 bpfsec->sid = current_sid(); 7122 prog->aux->security = bpfsec; 7123 7124 return 0; 7125 } 7126 7127 static void selinux_bpf_prog_free(struct bpf_prog *prog) 7128 { 7129 struct bpf_security_struct *bpfsec = prog->aux->security; 7130 7131 prog->aux->security = NULL; 7132 kfree(bpfsec); 7133 } 7134 7135 static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *attr, 7136 const struct path *path) 7137 { 7138 struct bpf_security_struct *bpfsec; 7139 7140 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 7141 if (!bpfsec) 7142 return -ENOMEM; 7143 7144 bpfsec->sid = current_sid(); 7145 token->security = bpfsec; 7146 7147 return 0; 7148 } 7149 7150 static void selinux_bpf_token_free(struct bpf_token *token) 7151 { 7152 struct bpf_security_struct *bpfsec = token->security; 7153 7154 token->security = NULL; 7155 kfree(bpfsec); 7156 } 7157 #endif 7158 7159 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { 7160 .lbs_cred = sizeof(struct task_security_struct), 7161 .lbs_file = sizeof(struct file_security_struct), 7162 .lbs_inode = sizeof(struct inode_security_struct), 7163 .lbs_ipc = sizeof(struct ipc_security_struct), 7164 .lbs_key = sizeof(struct key_security_struct), 7165 .lbs_msg_msg = sizeof(struct msg_security_struct), 7166 #ifdef CONFIG_PERF_EVENTS 7167 .lbs_perf_event = sizeof(struct perf_event_security_struct), 7168 #endif 7169 .lbs_sock = sizeof(struct sk_security_struct), 7170 .lbs_superblock = sizeof(struct superblock_security_struct), 7171 .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, 7172 .lbs_tun_dev = sizeof(struct tun_security_struct), 7173 .lbs_ib = sizeof(struct ib_security_struct), 7174 }; 7175 7176 #ifdef CONFIG_PERF_EVENTS 7177 static int selinux_perf_event_open(int type) 7178 { 7179 u32 requested, sid = current_sid(); 7180 7181 if (type == PERF_SECURITY_OPEN) 7182 requested = PERF_EVENT__OPEN; 7183 else if (type == PERF_SECURITY_CPU) 7184 requested = PERF_EVENT__CPU; 7185 else if (type == PERF_SECURITY_KERNEL) 7186 requested = PERF_EVENT__KERNEL; 7187 else if (type == PERF_SECURITY_TRACEPOINT) 7188 requested = PERF_EVENT__TRACEPOINT; 7189 else 7190 return -EINVAL; 7191 7192 return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT, 7193 requested, NULL); 7194 } 7195 7196 static int selinux_perf_event_alloc(struct perf_event *event) 7197 { 7198 struct perf_event_security_struct *perfsec; 7199 7200 perfsec = selinux_perf_event(event->security); 7201 perfsec->sid = current_sid(); 7202 7203 return 0; 7204 } 7205 7206 static int selinux_perf_event_read(struct perf_event *event) 7207 { 7208 struct perf_event_security_struct *perfsec = event->security; 7209 u32 sid = current_sid(); 7210 7211 return avc_has_perm(sid, perfsec->sid, 7212 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL); 7213 } 7214 7215 static int selinux_perf_event_write(struct perf_event *event) 7216 { 7217 struct perf_event_security_struct *perfsec = event->security; 7218 u32 sid = current_sid(); 7219 7220 return avc_has_perm(sid, perfsec->sid, 7221 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL); 7222 } 7223 #endif 7224 7225 #ifdef CONFIG_IO_URING 7226 /** 7227 * selinux_uring_override_creds - check the requested cred override 7228 * @new: the target creds 7229 * 7230 * Check to see if the current task is allowed to override it's credentials 7231 * to service an io_uring operation. 7232 */ 7233 static int selinux_uring_override_creds(const struct cred *new) 7234 { 7235 return avc_has_perm(current_sid(), cred_sid(new), 7236 SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL); 7237 } 7238 7239 /** 7240 * selinux_uring_sqpoll - check if a io_uring polling thread can be created 7241 * 7242 * Check to see if the current task is allowed to create a new io_uring 7243 * kernel polling thread. 7244 */ 7245 static int selinux_uring_sqpoll(void) 7246 { 7247 u32 sid = current_sid(); 7248 7249 return avc_has_perm(sid, sid, 7250 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL); 7251 } 7252 7253 /** 7254 * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed 7255 * @ioucmd: the io_uring command structure 7256 * 7257 * Check to see if the current domain is allowed to execute an 7258 * IORING_OP_URING_CMD against the device/file specified in @ioucmd. 7259 * 7260 */ 7261 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) 7262 { 7263 struct file *file = ioucmd->file; 7264 struct inode *inode = file_inode(file); 7265 struct inode_security_struct *isec = selinux_inode(inode); 7266 struct common_audit_data ad; 7267 7268 ad.type = LSM_AUDIT_DATA_FILE; 7269 ad.u.file = file; 7270 7271 return avc_has_perm(current_sid(), isec->sid, 7272 SECCLASS_IO_URING, IO_URING__CMD, &ad); 7273 } 7274 7275 /** 7276 * selinux_uring_allowed - check if io_uring_setup() can be called 7277 * 7278 * Check to see if the current task is allowed to call io_uring_setup(). 7279 */ 7280 static int selinux_uring_allowed(void) 7281 { 7282 u32 sid = current_sid(); 7283 7284 return avc_has_perm(sid, sid, SECCLASS_IO_URING, IO_URING__ALLOWED, 7285 NULL); 7286 } 7287 #endif /* CONFIG_IO_URING */ 7288 7289 static const struct lsm_id selinux_lsmid = { 7290 .name = "selinux", 7291 .id = LSM_ID_SELINUX, 7292 }; 7293 7294 /* 7295 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: 7296 * 1. any hooks that don't belong to (2.) or (3.) below, 7297 * 2. hooks that both access structures allocated by other hooks, and allocate 7298 * structures that can be later accessed by other hooks (mostly "cloning" 7299 * hooks), 7300 * 3. hooks that only allocate structures that can be later accessed by other 7301 * hooks ("allocating" hooks). 7302 * 7303 * Please follow block comment delimiters in the list to keep this order. 7304 */ 7305 static struct security_hook_list selinux_hooks[] __ro_after_init = { 7306 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 7307 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 7308 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 7309 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 7310 7311 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 7312 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 7313 LSM_HOOK_INIT(capget, selinux_capget), 7314 LSM_HOOK_INIT(capset, selinux_capset), 7315 LSM_HOOK_INIT(capable, selinux_capable), 7316 LSM_HOOK_INIT(quotactl, selinux_quotactl), 7317 LSM_HOOK_INIT(quota_on, selinux_quota_on), 7318 LSM_HOOK_INIT(syslog, selinux_syslog), 7319 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 7320 7321 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 7322 7323 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec), 7324 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 7325 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 7326 7327 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), 7328 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat), 7329 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 7330 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 7331 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 7332 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 7333 LSM_HOOK_INIT(sb_mount, selinux_mount), 7334 LSM_HOOK_INIT(sb_umount, selinux_umount), 7335 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 7336 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 7337 7338 LSM_HOOK_INIT(move_mount, selinux_move_mount), 7339 7340 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 7341 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 7342 7343 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 7344 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 7345 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon), 7346 LSM_HOOK_INIT(inode_create, selinux_inode_create), 7347 LSM_HOOK_INIT(inode_link, selinux_inode_link), 7348 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 7349 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 7350 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 7351 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 7352 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 7353 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 7354 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 7355 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 7356 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 7357 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 7358 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 7359 LSM_HOOK_INIT(inode_xattr_skipcap, selinux_inode_xattr_skipcap), 7360 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 7361 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 7362 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 7363 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 7364 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 7365 LSM_HOOK_INIT(inode_file_getattr, selinux_inode_file_getattr), 7366 LSM_HOOK_INIT(inode_file_setattr, selinux_inode_file_setattr), 7367 LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl), 7368 LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl), 7369 LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl), 7370 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 7371 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 7372 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 7373 LSM_HOOK_INIT(inode_getlsmprop, selinux_inode_getlsmprop), 7374 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 7375 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 7376 LSM_HOOK_INIT(path_notify, selinux_path_notify), 7377 7378 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security), 7379 7380 LSM_HOOK_INIT(file_permission, selinux_file_permission), 7381 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 7382 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 7383 LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat), 7384 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 7385 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 7386 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 7387 LSM_HOOK_INIT(file_lock, selinux_file_lock), 7388 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 7389 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 7390 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 7391 LSM_HOOK_INIT(file_receive, selinux_file_receive), 7392 7393 LSM_HOOK_INIT(file_open, selinux_file_open), 7394 7395 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 7396 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 7397 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 7398 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 7399 LSM_HOOK_INIT(cred_getlsmprop, selinux_cred_getlsmprop), 7400 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 7401 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 7402 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 7403 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 7404 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 7405 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 7406 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 7407 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 7408 LSM_HOOK_INIT(current_getlsmprop_subj, selinux_current_getlsmprop_subj), 7409 LSM_HOOK_INIT(task_getlsmprop_obj, selinux_task_getlsmprop_obj), 7410 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 7411 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 7412 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 7413 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 7414 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 7415 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 7416 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 7417 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 7418 LSM_HOOK_INIT(task_kill, selinux_task_kill), 7419 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 7420 LSM_HOOK_INIT(userns_create, selinux_userns_create), 7421 7422 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 7423 LSM_HOOK_INIT(ipc_getlsmprop, selinux_ipc_getlsmprop), 7424 7425 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 7426 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 7427 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 7428 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 7429 7430 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 7431 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 7432 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 7433 7434 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 7435 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 7436 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 7437 7438 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 7439 7440 LSM_HOOK_INIT(getselfattr, selinux_getselfattr), 7441 LSM_HOOK_INIT(setselfattr, selinux_setselfattr), 7442 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 7443 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 7444 7445 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 7446 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 7447 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 7448 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 7449 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 7450 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 7451 7452 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 7453 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 7454 7455 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7456 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7457 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), 7458 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7459 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7460 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7461 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7462 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7463 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7464 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7465 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7466 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7467 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7468 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7469 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7470 LSM_HOOK_INIT(socket_getpeersec_stream, 7471 selinux_socket_getpeersec_stream), 7472 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7473 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7474 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7475 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7476 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7477 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7478 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7479 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7480 LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established), 7481 LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow), 7482 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7483 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7484 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7485 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7486 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7487 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7488 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7489 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7490 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7491 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7492 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7493 #ifdef CONFIG_SECURITY_INFINIBAND 7494 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7495 LSM_HOOK_INIT(ib_endport_manage_subnet, 7496 selinux_ib_endport_manage_subnet), 7497 #endif 7498 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7499 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7500 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7501 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7502 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7503 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7504 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7505 selinux_xfrm_state_pol_flow_match), 7506 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7507 #endif 7508 7509 #ifdef CONFIG_KEYS 7510 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7511 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7512 #ifdef CONFIG_KEY_NOTIFICATIONS 7513 LSM_HOOK_INIT(watch_key, selinux_watch_key), 7514 #endif 7515 #endif 7516 7517 #ifdef CONFIG_AUDIT 7518 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7519 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7520 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7521 #endif 7522 7523 #ifdef CONFIG_BPF_SYSCALL 7524 LSM_HOOK_INIT(bpf, selinux_bpf), 7525 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7526 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7527 LSM_HOOK_INIT(bpf_map_free, selinux_bpf_map_free), 7528 LSM_HOOK_INIT(bpf_prog_free, selinux_bpf_prog_free), 7529 LSM_HOOK_INIT(bpf_token_free, selinux_bpf_token_free), 7530 #endif 7531 7532 #ifdef CONFIG_PERF_EVENTS 7533 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open), 7534 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read), 7535 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write), 7536 #endif 7537 7538 #ifdef CONFIG_IO_URING 7539 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), 7540 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), 7541 LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd), 7542 LSM_HOOK_INIT(uring_allowed, selinux_uring_allowed), 7543 #endif 7544 7545 /* 7546 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE 7547 */ 7548 LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount), 7549 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 7550 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 7551 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 7552 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7553 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7554 #endif 7555 7556 /* 7557 * PUT "ALLOCATING" HOOKS HERE 7558 */ 7559 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 7560 LSM_HOOK_INIT(msg_queue_alloc_security, 7561 selinux_msg_queue_alloc_security), 7562 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 7563 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 7564 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 7565 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 7566 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 7567 LSM_HOOK_INIT(lsmprop_to_secctx, selinux_lsmprop_to_secctx), 7568 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 7569 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7570 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7571 #ifdef CONFIG_SECURITY_INFINIBAND 7572 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7573 #endif 7574 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7575 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7576 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7577 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7578 selinux_xfrm_state_alloc_acquire), 7579 #endif 7580 #ifdef CONFIG_KEYS 7581 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7582 #endif 7583 #ifdef CONFIG_AUDIT 7584 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7585 #endif 7586 #ifdef CONFIG_BPF_SYSCALL 7587 LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create), 7588 LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load), 7589 LSM_HOOK_INIT(bpf_token_create, selinux_bpf_token_create), 7590 #endif 7591 #ifdef CONFIG_PERF_EVENTS 7592 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), 7593 #endif 7594 }; 7595 7596 static __init int selinux_init(void) 7597 { 7598 pr_info("SELinux: Initializing.\n"); 7599 7600 memset(&selinux_state, 0, sizeof(selinux_state)); 7601 enforcing_set(selinux_enforcing_boot); 7602 selinux_avc_init(); 7603 mutex_init(&selinux_state.status_lock); 7604 mutex_init(&selinux_state.policy_mutex); 7605 7606 /* Set the security state for the initial task. */ 7607 cred_init_security(); 7608 7609 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7610 if (!default_noexec) 7611 pr_notice("SELinux: virtual memory is executable by default\n"); 7612 7613 avc_init(); 7614 7615 avtab_cache_init(); 7616 7617 ebitmap_cache_init(); 7618 7619 hashtab_cache_init(); 7620 7621 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), 7622 &selinux_lsmid); 7623 7624 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7625 panic("SELinux: Unable to register AVC netcache callback\n"); 7626 7627 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7628 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7629 7630 if (selinux_enforcing_boot) 7631 pr_debug("SELinux: Starting in enforcing mode\n"); 7632 else 7633 pr_debug("SELinux: Starting in permissive mode\n"); 7634 7635 fs_validate_description("selinux", selinux_fs_parameters); 7636 7637 return 0; 7638 } 7639 7640 static void delayed_superblock_init(struct super_block *sb, void *unused) 7641 { 7642 selinux_set_mnt_opts(sb, NULL, 0, NULL); 7643 } 7644 7645 void selinux_complete_init(void) 7646 { 7647 pr_debug("SELinux: Completing initialization.\n"); 7648 7649 /* Set up any superblocks initialized prior to the policy load. */ 7650 pr_debug("SELinux: Setting up existing superblocks.\n"); 7651 iterate_supers(delayed_superblock_init, NULL); 7652 } 7653 7654 /* SELinux requires early initialization in order to label 7655 all processes and objects when they are created. */ 7656 DEFINE_LSM(selinux) = { 7657 .name = "selinux", 7658 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 7659 .enabled = &selinux_enabled_boot, 7660 .blobs = &selinux_blob_sizes, 7661 .init = selinux_init, 7662 }; 7663 7664 #if defined(CONFIG_NETFILTER) 7665 static const struct nf_hook_ops selinux_nf_ops[] = { 7666 { 7667 .hook = selinux_ip_postroute, 7668 .pf = NFPROTO_IPV4, 7669 .hooknum = NF_INET_POST_ROUTING, 7670 .priority = NF_IP_PRI_SELINUX_LAST, 7671 }, 7672 { 7673 .hook = selinux_ip_forward, 7674 .pf = NFPROTO_IPV4, 7675 .hooknum = NF_INET_FORWARD, 7676 .priority = NF_IP_PRI_SELINUX_FIRST, 7677 }, 7678 { 7679 .hook = selinux_ip_output, 7680 .pf = NFPROTO_IPV4, 7681 .hooknum = NF_INET_LOCAL_OUT, 7682 .priority = NF_IP_PRI_SELINUX_FIRST, 7683 }, 7684 #if IS_ENABLED(CONFIG_IPV6) 7685 { 7686 .hook = selinux_ip_postroute, 7687 .pf = NFPROTO_IPV6, 7688 .hooknum = NF_INET_POST_ROUTING, 7689 .priority = NF_IP6_PRI_SELINUX_LAST, 7690 }, 7691 { 7692 .hook = selinux_ip_forward, 7693 .pf = NFPROTO_IPV6, 7694 .hooknum = NF_INET_FORWARD, 7695 .priority = NF_IP6_PRI_SELINUX_FIRST, 7696 }, 7697 { 7698 .hook = selinux_ip_output, 7699 .pf = NFPROTO_IPV6, 7700 .hooknum = NF_INET_LOCAL_OUT, 7701 .priority = NF_IP6_PRI_SELINUX_FIRST, 7702 }, 7703 #endif /* IPV6 */ 7704 }; 7705 7706 static int __net_init selinux_nf_register(struct net *net) 7707 { 7708 return nf_register_net_hooks(net, selinux_nf_ops, 7709 ARRAY_SIZE(selinux_nf_ops)); 7710 } 7711 7712 static void __net_exit selinux_nf_unregister(struct net *net) 7713 { 7714 nf_unregister_net_hooks(net, selinux_nf_ops, 7715 ARRAY_SIZE(selinux_nf_ops)); 7716 } 7717 7718 static struct pernet_operations selinux_net_ops = { 7719 .init = selinux_nf_register, 7720 .exit = selinux_nf_unregister, 7721 }; 7722 7723 static int __init selinux_nf_ip_init(void) 7724 { 7725 int err; 7726 7727 if (!selinux_enabled_boot) 7728 return 0; 7729 7730 pr_debug("SELinux: Registering netfilter hooks\n"); 7731 7732 err = register_pernet_subsys(&selinux_net_ops); 7733 if (err) 7734 panic("SELinux: register_pernet_subsys: error %d\n", err); 7735 7736 return 0; 7737 } 7738 __initcall(selinux_nf_ip_init); 7739 #endif /* CONFIG_NETFILTER */ 7740