1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com> 8 * Chris Vance, <cvance@nai.com> 9 * Wayne Salamon, <wsalamon@nai.com> 10 * James Morris <jmorris@redhat.com> 11 * 12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 14 * Eric Paris <eparis@redhat.com> 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 16 * <dgoeddel@trustedcs.com> 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 18 * Paul Moore <paul@paul-moore.com> 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 20 * Yuichi Nakamura <ynakam@hitachisoft.jp> 21 * Copyright (C) 2016 Mellanox Technologies 22 */ 23 24 #include <linux/init.h> 25 #include <linux/kd.h> 26 #include <linux/kernel.h> 27 #include <linux/kernel_read_file.h> 28 #include <linux/errno.h> 29 #include <linux/sched/signal.h> 30 #include <linux/sched/task.h> 31 #include <linux/lsm_hooks.h> 32 #include <linux/xattr.h> 33 #include <linux/capability.h> 34 #include <linux/unistd.h> 35 #include <linux/mm.h> 36 #include <linux/mman.h> 37 #include <linux/slab.h> 38 #include <linux/pagemap.h> 39 #include <linux/proc_fs.h> 40 #include <linux/swap.h> 41 #include <linux/spinlock.h> 42 #include <linux/syscalls.h> 43 #include <linux/dcache.h> 44 #include <linux/file.h> 45 #include <linux/fdtable.h> 46 #include <linux/namei.h> 47 #include <linux/mount.h> 48 #include <linux/fs_context.h> 49 #include <linux/fs_parser.h> 50 #include <linux/netfilter_ipv4.h> 51 #include <linux/netfilter_ipv6.h> 52 #include <linux/tty.h> 53 #include <net/icmp.h> 54 #include <net/ip.h> /* for local_port_range[] */ 55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 56 #include <net/inet_connection_sock.h> 57 #include <net/net_namespace.h> 58 #include <net/netlabel.h> 59 #include <linux/uaccess.h> 60 #include <asm/ioctls.h> 61 #include <linux/atomic.h> 62 #include <linux/bitops.h> 63 #include <linux/interrupt.h> 64 #include <linux/netdevice.h> /* for network interface checks */ 65 #include <net/netlink.h> 66 #include <linux/tcp.h> 67 #include <linux/udp.h> 68 #include <linux/sctp.h> 69 #include <net/sctp/structs.h> 70 #include <linux/quota.h> 71 #include <linux/un.h> /* for Unix socket types */ 72 #include <net/af_unix.h> /* for Unix socket types */ 73 #include <linux/parser.h> 74 #include <linux/nfs_mount.h> 75 #include <net/ipv6.h> 76 #include <linux/hugetlb.h> 77 #include <linux/personality.h> 78 #include <linux/audit.h> 79 #include <linux/string.h> 80 #include <linux/mutex.h> 81 #include <linux/posix-timers.h> 82 #include <linux/syslog.h> 83 #include <linux/user_namespace.h> 84 #include <linux/export.h> 85 #include <linux/msg.h> 86 #include <linux/shm.h> 87 #include <uapi/linux/shm.h> 88 #include <linux/bpf.h> 89 #include <linux/kernfs.h> 90 #include <linux/stringhash.h> /* for hashlen_string() */ 91 #include <uapi/linux/mount.h> 92 #include <linux/fsnotify.h> 93 #include <linux/fanotify.h> 94 #include <linux/io_uring/cmd.h> 95 #include <uapi/linux/lsm.h> 96 97 #include "avc.h" 98 #include "objsec.h" 99 #include "netif.h" 100 #include "netnode.h" 101 #include "netport.h" 102 #include "ibpkey.h" 103 #include "xfrm.h" 104 #include "netlabel.h" 105 #include "audit.h" 106 #include "avc_ss.h" 107 108 #define SELINUX_INODE_INIT_XATTRS 1 109 110 struct selinux_state selinux_state; 111 112 /* SECMARK reference count */ 113 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 114 115 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 116 static int selinux_enforcing_boot __initdata; 117 118 static int __init enforcing_setup(char *str) 119 { 120 unsigned long enforcing; 121 if (!kstrtoul(str, 0, &enforcing)) 122 selinux_enforcing_boot = enforcing ? 1 : 0; 123 return 1; 124 } 125 __setup("enforcing=", enforcing_setup); 126 #else 127 #define selinux_enforcing_boot 1 128 #endif 129 130 int selinux_enabled_boot __initdata = 1; 131 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 132 static int __init selinux_enabled_setup(char *str) 133 { 134 unsigned long enabled; 135 if (!kstrtoul(str, 0, &enabled)) 136 selinux_enabled_boot = enabled ? 1 : 0; 137 return 1; 138 } 139 __setup("selinux=", selinux_enabled_setup); 140 #endif 141 142 static int __init checkreqprot_setup(char *str) 143 { 144 unsigned long checkreqprot; 145 146 if (!kstrtoul(str, 0, &checkreqprot)) { 147 if (checkreqprot) 148 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is no longer supported.\n"); 149 } 150 return 1; 151 } 152 __setup("checkreqprot=", checkreqprot_setup); 153 154 /** 155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 156 * 157 * Description: 158 * This function checks the SECMARK reference counter to see if any SECMARK 159 * targets are currently configured, if the reference counter is greater than 160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 161 * enabled, false (0) if SECMARK is disabled. If the always_check_network 162 * policy capability is enabled, SECMARK is always considered enabled. 163 * 164 */ 165 static int selinux_secmark_enabled(void) 166 { 167 return (selinux_policycap_alwaysnetwork() || 168 atomic_read(&selinux_secmark_refcount)); 169 } 170 171 /** 172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 173 * 174 * Description: 175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 176 * (1) if any are enabled or false (0) if neither are enabled. If the 177 * always_check_network policy capability is enabled, peer labeling 178 * is always considered enabled. 179 * 180 */ 181 static int selinux_peerlbl_enabled(void) 182 { 183 return (selinux_policycap_alwaysnetwork() || 184 netlbl_enabled() || selinux_xfrm_enabled()); 185 } 186 187 static int selinux_netcache_avc_callback(u32 event) 188 { 189 if (event == AVC_CALLBACK_RESET) { 190 sel_netif_flush(); 191 sel_netnode_flush(); 192 sel_netport_flush(); 193 synchronize_net(); 194 } 195 return 0; 196 } 197 198 static int selinux_lsm_notifier_avc_callback(u32 event) 199 { 200 if (event == AVC_CALLBACK_RESET) { 201 sel_ib_pkey_flush(); 202 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); 203 } 204 205 return 0; 206 } 207 208 /* 209 * initialise the security for the init task 210 */ 211 static void cred_init_security(void) 212 { 213 struct task_security_struct *tsec; 214 215 /* NOTE: the lsm framework zeros out the buffer on allocation */ 216 217 tsec = selinux_cred(unrcu_pointer(current->real_cred)); 218 tsec->osid = tsec->sid = tsec->avdcache.sid = SECINITSID_KERNEL; 219 } 220 221 /* 222 * get the security ID of a set of credentials 223 */ 224 static inline u32 cred_sid(const struct cred *cred) 225 { 226 const struct task_security_struct *tsec; 227 228 tsec = selinux_cred(cred); 229 return tsec->sid; 230 } 231 232 static void __ad_net_init(struct common_audit_data *ad, 233 struct lsm_network_audit *net, 234 int ifindex, struct sock *sk, u16 family) 235 { 236 ad->type = LSM_AUDIT_DATA_NET; 237 ad->u.net = net; 238 net->netif = ifindex; 239 net->sk = sk; 240 net->family = family; 241 } 242 243 static void ad_net_init_from_sk(struct common_audit_data *ad, 244 struct lsm_network_audit *net, 245 struct sock *sk) 246 { 247 __ad_net_init(ad, net, 0, sk, 0); 248 } 249 250 static void ad_net_init_from_iif(struct common_audit_data *ad, 251 struct lsm_network_audit *net, 252 int ifindex, u16 family) 253 { 254 __ad_net_init(ad, net, ifindex, NULL, family); 255 } 256 257 /* 258 * get the objective security ID of a task 259 */ 260 static inline u32 task_sid_obj(const struct task_struct *task) 261 { 262 u32 sid; 263 264 rcu_read_lock(); 265 sid = cred_sid(__task_cred(task)); 266 rcu_read_unlock(); 267 return sid; 268 } 269 270 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 271 272 /* 273 * Try reloading inode security labels that have been marked as invalid. The 274 * @may_sleep parameter indicates when sleeping and thus reloading labels is 275 * allowed; when set to false, returns -ECHILD when the label is 276 * invalid. The @dentry parameter should be set to a dentry of the inode. 277 */ 278 static int __inode_security_revalidate(struct inode *inode, 279 struct dentry *dentry, 280 bool may_sleep) 281 { 282 if (!selinux_initialized()) 283 return 0; 284 285 if (may_sleep) 286 might_sleep(); 287 else 288 return -ECHILD; 289 290 /* 291 * Check to ensure that an inode's SELinux state is valid and try 292 * reloading the inode security label if necessary. This will fail if 293 * @dentry is NULL and no dentry for this inode can be found; in that 294 * case, continue using the old label. 295 */ 296 inode_doinit_with_dentry(inode, dentry); 297 return 0; 298 } 299 300 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 301 { 302 return selinux_inode(inode); 303 } 304 305 static inline struct inode_security_struct *inode_security_rcu(struct inode *inode, 306 bool rcu) 307 { 308 int rc; 309 struct inode_security_struct *isec = selinux_inode(inode); 310 311 /* check below is racy, but revalidate will recheck with lock held */ 312 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 313 return isec; 314 rc = __inode_security_revalidate(inode, NULL, !rcu); 315 if (rc) 316 return ERR_PTR(rc); 317 return isec; 318 } 319 320 /* 321 * Get the security label of an inode. 322 */ 323 static inline struct inode_security_struct *inode_security(struct inode *inode) 324 { 325 struct inode_security_struct *isec = selinux_inode(inode); 326 327 /* check below is racy, but revalidate will recheck with lock held */ 328 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 329 return isec; 330 __inode_security_revalidate(inode, NULL, true); 331 return isec; 332 } 333 334 static inline struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 335 { 336 return selinux_inode(d_backing_inode(dentry)); 337 } 338 339 /* 340 * Get the security label of a dentry's backing inode. 341 */ 342 static inline struct inode_security_struct *backing_inode_security(struct dentry *dentry) 343 { 344 struct inode *inode = d_backing_inode(dentry); 345 struct inode_security_struct *isec = selinux_inode(inode); 346 347 /* check below is racy, but revalidate will recheck with lock held */ 348 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 349 return isec; 350 __inode_security_revalidate(inode, dentry, true); 351 return isec; 352 } 353 354 static void inode_free_security(struct inode *inode) 355 { 356 struct inode_security_struct *isec = selinux_inode(inode); 357 struct superblock_security_struct *sbsec; 358 359 if (!isec) 360 return; 361 sbsec = selinux_superblock(inode->i_sb); 362 /* 363 * As not all inode security structures are in a list, we check for 364 * empty list outside of the lock to make sure that we won't waste 365 * time taking a lock doing nothing. 366 * 367 * The list_del_init() function can be safely called more than once. 368 * It should not be possible for this function to be called with 369 * concurrent list_add(), but for better safety against future changes 370 * in the code, we use list_empty_careful() here. 371 */ 372 if (!list_empty_careful(&isec->list)) { 373 spin_lock(&sbsec->isec_lock); 374 list_del_init(&isec->list); 375 spin_unlock(&sbsec->isec_lock); 376 } 377 } 378 379 struct selinux_mnt_opts { 380 u32 fscontext_sid; 381 u32 context_sid; 382 u32 rootcontext_sid; 383 u32 defcontext_sid; 384 }; 385 386 static void selinux_free_mnt_opts(void *mnt_opts) 387 { 388 kfree(mnt_opts); 389 } 390 391 enum { 392 Opt_error = -1, 393 Opt_context = 0, 394 Opt_defcontext = 1, 395 Opt_fscontext = 2, 396 Opt_rootcontext = 3, 397 Opt_seclabel = 4, 398 }; 399 400 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} 401 static const struct { 402 const char *name; 403 int len; 404 int opt; 405 bool has_arg; 406 } tokens[] = { 407 A(context, true), 408 A(fscontext, true), 409 A(defcontext, true), 410 A(rootcontext, true), 411 A(seclabel, false), 412 }; 413 #undef A 414 415 static int match_opt_prefix(char *s, int l, char **arg) 416 { 417 unsigned int i; 418 419 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 420 size_t len = tokens[i].len; 421 if (len > l || memcmp(s, tokens[i].name, len)) 422 continue; 423 if (tokens[i].has_arg) { 424 if (len == l || s[len] != '=') 425 continue; 426 *arg = s + len + 1; 427 } else if (len != l) 428 continue; 429 return tokens[i].opt; 430 } 431 return Opt_error; 432 } 433 434 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 435 436 static int may_context_mount_sb_relabel(u32 sid, 437 struct superblock_security_struct *sbsec, 438 const struct cred *cred) 439 { 440 const struct task_security_struct *tsec = selinux_cred(cred); 441 int rc; 442 443 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 444 FILESYSTEM__RELABELFROM, NULL); 445 if (rc) 446 return rc; 447 448 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 449 FILESYSTEM__RELABELTO, NULL); 450 return rc; 451 } 452 453 static int may_context_mount_inode_relabel(u32 sid, 454 struct superblock_security_struct *sbsec, 455 const struct cred *cred) 456 { 457 const struct task_security_struct *tsec = selinux_cred(cred); 458 int rc; 459 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 460 FILESYSTEM__RELABELFROM, NULL); 461 if (rc) 462 return rc; 463 464 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 465 FILESYSTEM__ASSOCIATE, NULL); 466 return rc; 467 } 468 469 static int selinux_is_genfs_special_handling(struct super_block *sb) 470 { 471 /* Special handling. Genfs but also in-core setxattr handler */ 472 return !strcmp(sb->s_type->name, "sysfs") || 473 !strcmp(sb->s_type->name, "pstore") || 474 !strcmp(sb->s_type->name, "debugfs") || 475 !strcmp(sb->s_type->name, "tracefs") || 476 !strcmp(sb->s_type->name, "rootfs") || 477 (selinux_policycap_cgroupseclabel() && 478 (!strcmp(sb->s_type->name, "cgroup") || 479 !strcmp(sb->s_type->name, "cgroup2"))) || 480 (selinux_policycap_functionfs_seclabel() && 481 !strcmp(sb->s_type->name, "functionfs")); 482 } 483 484 static int selinux_is_sblabel_mnt(struct super_block *sb) 485 { 486 struct superblock_security_struct *sbsec = selinux_superblock(sb); 487 488 /* 489 * IMPORTANT: Double-check logic in this function when adding a new 490 * SECURITY_FS_USE_* definition! 491 */ 492 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); 493 494 switch (sbsec->behavior) { 495 case SECURITY_FS_USE_XATTR: 496 case SECURITY_FS_USE_TRANS: 497 case SECURITY_FS_USE_TASK: 498 case SECURITY_FS_USE_NATIVE: 499 return 1; 500 501 case SECURITY_FS_USE_GENFS: 502 return selinux_is_genfs_special_handling(sb); 503 504 /* Never allow relabeling on context mounts */ 505 case SECURITY_FS_USE_MNTPOINT: 506 case SECURITY_FS_USE_NONE: 507 default: 508 return 0; 509 } 510 } 511 512 static int sb_check_xattr_support(struct super_block *sb) 513 { 514 struct superblock_security_struct *sbsec = selinux_superblock(sb); 515 struct dentry *root = sb->s_root; 516 struct inode *root_inode = d_backing_inode(root); 517 u32 sid; 518 int rc; 519 520 /* 521 * Make sure that the xattr handler exists and that no 522 * error other than -ENODATA is returned by getxattr on 523 * the root directory. -ENODATA is ok, as this may be 524 * the first boot of the SELinux kernel before we have 525 * assigned xattr values to the filesystem. 526 */ 527 if (!(root_inode->i_opflags & IOP_XATTR)) { 528 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n", 529 sb->s_id, sb->s_type->name); 530 goto fallback; 531 } 532 533 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 534 if (rc < 0 && rc != -ENODATA) { 535 if (rc == -EOPNOTSUPP) { 536 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n", 537 sb->s_id, sb->s_type->name); 538 goto fallback; 539 } else { 540 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n", 541 sb->s_id, sb->s_type->name, -rc); 542 return rc; 543 } 544 } 545 return 0; 546 547 fallback: 548 /* No xattr support - try to fallback to genfs if possible. */ 549 rc = security_genfs_sid(sb->s_type->name, "/", 550 SECCLASS_DIR, &sid); 551 if (rc) 552 return -EOPNOTSUPP; 553 554 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n", 555 sb->s_id, sb->s_type->name); 556 sbsec->behavior = SECURITY_FS_USE_GENFS; 557 sbsec->sid = sid; 558 return 0; 559 } 560 561 static int sb_finish_set_opts(struct super_block *sb) 562 { 563 struct superblock_security_struct *sbsec = selinux_superblock(sb); 564 struct dentry *root = sb->s_root; 565 struct inode *root_inode = d_backing_inode(root); 566 int rc = 0; 567 568 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 569 rc = sb_check_xattr_support(sb); 570 if (rc) 571 return rc; 572 } 573 574 sbsec->flags |= SE_SBINITIALIZED; 575 576 /* 577 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 578 * leave the flag untouched because sb_clone_mnt_opts might be handing 579 * us a superblock that needs the flag to be cleared. 580 */ 581 if (selinux_is_sblabel_mnt(sb)) 582 sbsec->flags |= SBLABEL_MNT; 583 else 584 sbsec->flags &= ~SBLABEL_MNT; 585 586 /* Initialize the root inode. */ 587 rc = inode_doinit_with_dentry(root_inode, root); 588 589 /* Initialize any other inodes associated with the superblock, e.g. 590 inodes created prior to initial policy load or inodes created 591 during get_sb by a pseudo filesystem that directly 592 populates itself. */ 593 spin_lock(&sbsec->isec_lock); 594 while (!list_empty(&sbsec->isec_head)) { 595 struct inode_security_struct *isec = 596 list_first_entry(&sbsec->isec_head, 597 struct inode_security_struct, list); 598 struct inode *inode = isec->inode; 599 list_del_init(&isec->list); 600 spin_unlock(&sbsec->isec_lock); 601 inode = igrab(inode); 602 if (inode) { 603 if (!IS_PRIVATE(inode)) 604 inode_doinit_with_dentry(inode, NULL); 605 iput(inode); 606 } 607 spin_lock(&sbsec->isec_lock); 608 } 609 spin_unlock(&sbsec->isec_lock); 610 return rc; 611 } 612 613 static int bad_option(struct superblock_security_struct *sbsec, char flag, 614 u32 old_sid, u32 new_sid) 615 { 616 char mnt_flags = sbsec->flags & SE_MNTMASK; 617 618 /* check if the old mount command had the same options */ 619 if (sbsec->flags & SE_SBINITIALIZED) 620 if (!(sbsec->flags & flag) || 621 (old_sid != new_sid)) 622 return 1; 623 624 /* check if we were passed the same options twice, 625 * aka someone passed context=a,context=b 626 */ 627 if (!(sbsec->flags & SE_SBINITIALIZED)) 628 if (mnt_flags & flag) 629 return 1; 630 return 0; 631 } 632 633 /* 634 * Allow filesystems with binary mount data to explicitly set mount point 635 * labeling information. 636 */ 637 static int selinux_set_mnt_opts(struct super_block *sb, 638 void *mnt_opts, 639 unsigned long kern_flags, 640 unsigned long *set_kern_flags) 641 { 642 const struct cred *cred = current_cred(); 643 struct superblock_security_struct *sbsec = selinux_superblock(sb); 644 struct dentry *root = sb->s_root; 645 struct selinux_mnt_opts *opts = mnt_opts; 646 struct inode_security_struct *root_isec; 647 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 648 u32 defcontext_sid = 0; 649 int rc = 0; 650 651 /* 652 * Specifying internal flags without providing a place to 653 * place the results is not allowed 654 */ 655 if (kern_flags && !set_kern_flags) 656 return -EINVAL; 657 658 mutex_lock(&sbsec->lock); 659 660 if (!selinux_initialized()) { 661 if (!opts) { 662 /* Defer initialization until selinux_complete_init, 663 after the initial policy is loaded and the security 664 server is ready to handle calls. */ 665 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) { 666 sbsec->flags |= SE_SBNATIVE; 667 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 668 } 669 goto out; 670 } 671 rc = -EINVAL; 672 pr_warn("SELinux: Unable to set superblock options " 673 "before the security server is initialized\n"); 674 goto out; 675 } 676 677 /* 678 * Binary mount data FS will come through this function twice. Once 679 * from an explicit call and once from the generic calls from the vfs. 680 * Since the generic VFS calls will not contain any security mount data 681 * we need to skip the double mount verification. 682 * 683 * This does open a hole in which we will not notice if the first 684 * mount using this sb set explicit options and a second mount using 685 * this sb does not set any security options. (The first options 686 * will be used for both mounts) 687 */ 688 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 689 && !opts) 690 goto out; 691 692 root_isec = backing_inode_security_novalidate(root); 693 694 /* 695 * parse the mount options, check if they are valid sids. 696 * also check if someone is trying to mount the same sb more 697 * than once with different security options. 698 */ 699 if (opts) { 700 if (opts->fscontext_sid) { 701 fscontext_sid = opts->fscontext_sid; 702 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 703 fscontext_sid)) 704 goto out_double_mount; 705 sbsec->flags |= FSCONTEXT_MNT; 706 } 707 if (opts->context_sid) { 708 context_sid = opts->context_sid; 709 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 710 context_sid)) 711 goto out_double_mount; 712 sbsec->flags |= CONTEXT_MNT; 713 } 714 if (opts->rootcontext_sid) { 715 rootcontext_sid = opts->rootcontext_sid; 716 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 717 rootcontext_sid)) 718 goto out_double_mount; 719 sbsec->flags |= ROOTCONTEXT_MNT; 720 } 721 if (opts->defcontext_sid) { 722 defcontext_sid = opts->defcontext_sid; 723 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 724 defcontext_sid)) 725 goto out_double_mount; 726 sbsec->flags |= DEFCONTEXT_MNT; 727 } 728 } 729 730 if (sbsec->flags & SE_SBINITIALIZED) { 731 /* previously mounted with options, but not on this attempt? */ 732 if ((sbsec->flags & SE_MNTMASK) && !opts) 733 goto out_double_mount; 734 rc = 0; 735 goto out; 736 } 737 738 if (strcmp(sb->s_type->name, "proc") == 0) 739 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 740 741 if (!strcmp(sb->s_type->name, "debugfs") || 742 !strcmp(sb->s_type->name, "tracefs") || 743 !strcmp(sb->s_type->name, "binder") || 744 !strcmp(sb->s_type->name, "bpf") || 745 !strcmp(sb->s_type->name, "pstore") || 746 !strcmp(sb->s_type->name, "securityfs") || 747 (selinux_policycap_functionfs_seclabel() && 748 !strcmp(sb->s_type->name, "functionfs"))) 749 sbsec->flags |= SE_SBGENFS; 750 751 if (!strcmp(sb->s_type->name, "sysfs") || 752 !strcmp(sb->s_type->name, "cgroup") || 753 !strcmp(sb->s_type->name, "cgroup2")) 754 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR; 755 756 if (!sbsec->behavior) { 757 /* 758 * Determine the labeling behavior to use for this 759 * filesystem type. 760 */ 761 rc = security_fs_use(sb); 762 if (rc) { 763 pr_warn("%s: security_fs_use(%s) returned %d\n", 764 __func__, sb->s_type->name, rc); 765 goto out; 766 } 767 } 768 769 /* 770 * If this is a user namespace mount and the filesystem type is not 771 * explicitly whitelisted, then no contexts are allowed on the command 772 * line and security labels must be ignored. 773 */ 774 if (sb->s_user_ns != &init_user_ns && 775 strcmp(sb->s_type->name, "tmpfs") && 776 strcmp(sb->s_type->name, "ramfs") && 777 strcmp(sb->s_type->name, "devpts") && 778 strcmp(sb->s_type->name, "overlay")) { 779 if (context_sid || fscontext_sid || rootcontext_sid || 780 defcontext_sid) { 781 rc = -EACCES; 782 goto out; 783 } 784 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 785 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 786 rc = security_transition_sid(current_sid(), 787 current_sid(), 788 SECCLASS_FILE, NULL, 789 &sbsec->mntpoint_sid); 790 if (rc) 791 goto out; 792 } 793 goto out_set_opts; 794 } 795 796 /* sets the context of the superblock for the fs being mounted. */ 797 if (fscontext_sid) { 798 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 799 if (rc) 800 goto out; 801 802 sbsec->sid = fscontext_sid; 803 } 804 805 /* 806 * Switch to using mount point labeling behavior. 807 * sets the label used on all file below the mountpoint, and will set 808 * the superblock context if not already set. 809 */ 810 if (sbsec->flags & SE_SBNATIVE) { 811 /* 812 * This means we are initializing a superblock that has been 813 * mounted before the SELinux was initialized and the 814 * filesystem requested native labeling. We had already 815 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags 816 * in the original mount attempt, so now we just need to set 817 * the SECURITY_FS_USE_NATIVE behavior. 818 */ 819 sbsec->behavior = SECURITY_FS_USE_NATIVE; 820 } else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 821 sbsec->behavior = SECURITY_FS_USE_NATIVE; 822 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 823 } 824 825 if (context_sid) { 826 if (!fscontext_sid) { 827 rc = may_context_mount_sb_relabel(context_sid, sbsec, 828 cred); 829 if (rc) 830 goto out; 831 sbsec->sid = context_sid; 832 } else { 833 rc = may_context_mount_inode_relabel(context_sid, sbsec, 834 cred); 835 if (rc) 836 goto out; 837 } 838 if (!rootcontext_sid) 839 rootcontext_sid = context_sid; 840 841 sbsec->mntpoint_sid = context_sid; 842 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 843 } 844 845 if (rootcontext_sid) { 846 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 847 cred); 848 if (rc) 849 goto out; 850 851 root_isec->sid = rootcontext_sid; 852 root_isec->initialized = LABEL_INITIALIZED; 853 } 854 855 if (defcontext_sid) { 856 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 857 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 858 rc = -EINVAL; 859 pr_warn("SELinux: defcontext option is " 860 "invalid for this filesystem type\n"); 861 goto out; 862 } 863 864 if (defcontext_sid != sbsec->def_sid) { 865 rc = may_context_mount_inode_relabel(defcontext_sid, 866 sbsec, cred); 867 if (rc) 868 goto out; 869 } 870 871 sbsec->def_sid = defcontext_sid; 872 } 873 874 out_set_opts: 875 rc = sb_finish_set_opts(sb); 876 out: 877 mutex_unlock(&sbsec->lock); 878 return rc; 879 out_double_mount: 880 rc = -EINVAL; 881 pr_warn("SELinux: mount invalid. Same superblock, different " 882 "security settings for (dev %s, type %s)\n", sb->s_id, 883 sb->s_type->name); 884 goto out; 885 } 886 887 static int selinux_cmp_sb_context(const struct super_block *oldsb, 888 const struct super_block *newsb) 889 { 890 struct superblock_security_struct *old = selinux_superblock(oldsb); 891 struct superblock_security_struct *new = selinux_superblock(newsb); 892 char oldflags = old->flags & SE_MNTMASK; 893 char newflags = new->flags & SE_MNTMASK; 894 895 if (oldflags != newflags) 896 goto mismatch; 897 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 898 goto mismatch; 899 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 900 goto mismatch; 901 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 902 goto mismatch; 903 if (oldflags & ROOTCONTEXT_MNT) { 904 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 905 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 906 if (oldroot->sid != newroot->sid) 907 goto mismatch; 908 } 909 return 0; 910 mismatch: 911 pr_warn("SELinux: mount invalid. Same superblock, " 912 "different security settings for (dev %s, " 913 "type %s)\n", newsb->s_id, newsb->s_type->name); 914 return -EBUSY; 915 } 916 917 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 918 struct super_block *newsb, 919 unsigned long kern_flags, 920 unsigned long *set_kern_flags) 921 { 922 int rc = 0; 923 const struct superblock_security_struct *oldsbsec = 924 selinux_superblock(oldsb); 925 struct superblock_security_struct *newsbsec = selinux_superblock(newsb); 926 927 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 928 int set_context = (oldsbsec->flags & CONTEXT_MNT); 929 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 930 931 /* 932 * Specifying internal flags without providing a place to 933 * place the results is not allowed. 934 */ 935 if (kern_flags && !set_kern_flags) 936 return -EINVAL; 937 938 mutex_lock(&newsbsec->lock); 939 940 /* 941 * if the parent was able to be mounted it clearly had no special lsm 942 * mount options. thus we can safely deal with this superblock later 943 */ 944 if (!selinux_initialized()) { 945 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) { 946 newsbsec->flags |= SE_SBNATIVE; 947 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 948 } 949 goto out; 950 } 951 952 /* how can we clone if the old one wasn't set up?? */ 953 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 954 955 /* if fs is reusing a sb, make sure that the contexts match */ 956 if (newsbsec->flags & SE_SBINITIALIZED) { 957 mutex_unlock(&newsbsec->lock); 958 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) 959 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 960 return selinux_cmp_sb_context(oldsb, newsb); 961 } 962 963 newsbsec->flags = oldsbsec->flags; 964 965 newsbsec->sid = oldsbsec->sid; 966 newsbsec->def_sid = oldsbsec->def_sid; 967 newsbsec->behavior = oldsbsec->behavior; 968 969 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 970 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 971 rc = security_fs_use(newsb); 972 if (rc) 973 goto out; 974 } 975 976 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 977 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 978 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 979 } 980 981 if (set_context) { 982 u32 sid = oldsbsec->mntpoint_sid; 983 984 if (!set_fscontext) 985 newsbsec->sid = sid; 986 if (!set_rootcontext) { 987 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 988 newisec->sid = sid; 989 } 990 newsbsec->mntpoint_sid = sid; 991 } 992 if (set_rootcontext) { 993 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 994 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 995 996 newisec->sid = oldisec->sid; 997 } 998 999 sb_finish_set_opts(newsb); 1000 out: 1001 mutex_unlock(&newsbsec->lock); 1002 return rc; 1003 } 1004 1005 /* 1006 * NOTE: the caller is responsible for freeing the memory even if on error. 1007 */ 1008 static int selinux_add_opt(int token, const char *s, void **mnt_opts) 1009 { 1010 struct selinux_mnt_opts *opts = *mnt_opts; 1011 u32 *dst_sid; 1012 int rc; 1013 1014 if (token == Opt_seclabel) 1015 /* eaten and completely ignored */ 1016 return 0; 1017 if (!s) 1018 return -EINVAL; 1019 1020 if (!selinux_initialized()) { 1021 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n"); 1022 return -EINVAL; 1023 } 1024 1025 if (!opts) { 1026 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 1027 if (!opts) 1028 return -ENOMEM; 1029 *mnt_opts = opts; 1030 } 1031 1032 switch (token) { 1033 case Opt_context: 1034 if (opts->context_sid || opts->defcontext_sid) 1035 goto err; 1036 dst_sid = &opts->context_sid; 1037 break; 1038 case Opt_fscontext: 1039 if (opts->fscontext_sid) 1040 goto err; 1041 dst_sid = &opts->fscontext_sid; 1042 break; 1043 case Opt_rootcontext: 1044 if (opts->rootcontext_sid) 1045 goto err; 1046 dst_sid = &opts->rootcontext_sid; 1047 break; 1048 case Opt_defcontext: 1049 if (opts->context_sid || opts->defcontext_sid) 1050 goto err; 1051 dst_sid = &opts->defcontext_sid; 1052 break; 1053 default: 1054 WARN_ON(1); 1055 return -EINVAL; 1056 } 1057 rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL); 1058 if (rc) 1059 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n", 1060 s, rc); 1061 return rc; 1062 1063 err: 1064 pr_warn(SEL_MOUNT_FAIL_MSG); 1065 return -EINVAL; 1066 } 1067 1068 static int show_sid(struct seq_file *m, u32 sid) 1069 { 1070 char *context = NULL; 1071 u32 len; 1072 int rc; 1073 1074 rc = security_sid_to_context(sid, &context, &len); 1075 if (!rc) { 1076 bool has_comma = strchr(context, ','); 1077 1078 seq_putc(m, '='); 1079 if (has_comma) 1080 seq_putc(m, '\"'); 1081 seq_escape(m, context, "\"\n\\"); 1082 if (has_comma) 1083 seq_putc(m, '\"'); 1084 } 1085 kfree(context); 1086 return rc; 1087 } 1088 1089 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1090 { 1091 struct superblock_security_struct *sbsec = selinux_superblock(sb); 1092 int rc; 1093 1094 if (!(sbsec->flags & SE_SBINITIALIZED)) 1095 return 0; 1096 1097 if (!selinux_initialized()) 1098 return 0; 1099 1100 if (sbsec->flags & FSCONTEXT_MNT) { 1101 seq_putc(m, ','); 1102 seq_puts(m, FSCONTEXT_STR); 1103 rc = show_sid(m, sbsec->sid); 1104 if (rc) 1105 return rc; 1106 } 1107 if (sbsec->flags & CONTEXT_MNT) { 1108 seq_putc(m, ','); 1109 seq_puts(m, CONTEXT_STR); 1110 rc = show_sid(m, sbsec->mntpoint_sid); 1111 if (rc) 1112 return rc; 1113 } 1114 if (sbsec->flags & DEFCONTEXT_MNT) { 1115 seq_putc(m, ','); 1116 seq_puts(m, DEFCONTEXT_STR); 1117 rc = show_sid(m, sbsec->def_sid); 1118 if (rc) 1119 return rc; 1120 } 1121 if (sbsec->flags & ROOTCONTEXT_MNT) { 1122 struct dentry *root = sb->s_root; 1123 struct inode_security_struct *isec = backing_inode_security(root); 1124 seq_putc(m, ','); 1125 seq_puts(m, ROOTCONTEXT_STR); 1126 rc = show_sid(m, isec->sid); 1127 if (rc) 1128 return rc; 1129 } 1130 if (sbsec->flags & SBLABEL_MNT) { 1131 seq_putc(m, ','); 1132 seq_puts(m, SECLABEL_STR); 1133 } 1134 return 0; 1135 } 1136 1137 static inline u16 inode_mode_to_security_class(umode_t mode) 1138 { 1139 switch (mode & S_IFMT) { 1140 case S_IFSOCK: 1141 return SECCLASS_SOCK_FILE; 1142 case S_IFLNK: 1143 return SECCLASS_LNK_FILE; 1144 case S_IFREG: 1145 return SECCLASS_FILE; 1146 case S_IFBLK: 1147 return SECCLASS_BLK_FILE; 1148 case S_IFDIR: 1149 return SECCLASS_DIR; 1150 case S_IFCHR: 1151 return SECCLASS_CHR_FILE; 1152 case S_IFIFO: 1153 return SECCLASS_FIFO_FILE; 1154 1155 } 1156 1157 return SECCLASS_FILE; 1158 } 1159 1160 static inline int default_protocol_stream(int protocol) 1161 { 1162 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP || 1163 protocol == IPPROTO_MPTCP); 1164 } 1165 1166 static inline int default_protocol_dgram(int protocol) 1167 { 1168 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1169 } 1170 1171 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1172 { 1173 bool extsockclass = selinux_policycap_extsockclass(); 1174 1175 switch (family) { 1176 case PF_UNIX: 1177 switch (type) { 1178 case SOCK_STREAM: 1179 case SOCK_SEQPACKET: 1180 return SECCLASS_UNIX_STREAM_SOCKET; 1181 case SOCK_DGRAM: 1182 case SOCK_RAW: 1183 return SECCLASS_UNIX_DGRAM_SOCKET; 1184 } 1185 break; 1186 case PF_INET: 1187 case PF_INET6: 1188 switch (type) { 1189 case SOCK_STREAM: 1190 case SOCK_SEQPACKET: 1191 if (default_protocol_stream(protocol)) 1192 return SECCLASS_TCP_SOCKET; 1193 else if (extsockclass && protocol == IPPROTO_SCTP) 1194 return SECCLASS_SCTP_SOCKET; 1195 else 1196 return SECCLASS_RAWIP_SOCKET; 1197 case SOCK_DGRAM: 1198 if (default_protocol_dgram(protocol)) 1199 return SECCLASS_UDP_SOCKET; 1200 else if (extsockclass && (protocol == IPPROTO_ICMP || 1201 protocol == IPPROTO_ICMPV6)) 1202 return SECCLASS_ICMP_SOCKET; 1203 else 1204 return SECCLASS_RAWIP_SOCKET; 1205 default: 1206 return SECCLASS_RAWIP_SOCKET; 1207 } 1208 break; 1209 case PF_NETLINK: 1210 switch (protocol) { 1211 case NETLINK_ROUTE: 1212 return SECCLASS_NETLINK_ROUTE_SOCKET; 1213 case NETLINK_SOCK_DIAG: 1214 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1215 case NETLINK_NFLOG: 1216 return SECCLASS_NETLINK_NFLOG_SOCKET; 1217 case NETLINK_XFRM: 1218 return SECCLASS_NETLINK_XFRM_SOCKET; 1219 case NETLINK_SELINUX: 1220 return SECCLASS_NETLINK_SELINUX_SOCKET; 1221 case NETLINK_ISCSI: 1222 return SECCLASS_NETLINK_ISCSI_SOCKET; 1223 case NETLINK_AUDIT: 1224 return SECCLASS_NETLINK_AUDIT_SOCKET; 1225 case NETLINK_FIB_LOOKUP: 1226 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1227 case NETLINK_CONNECTOR: 1228 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1229 case NETLINK_NETFILTER: 1230 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1231 case NETLINK_DNRTMSG: 1232 return SECCLASS_NETLINK_DNRT_SOCKET; 1233 case NETLINK_KOBJECT_UEVENT: 1234 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1235 case NETLINK_GENERIC: 1236 return SECCLASS_NETLINK_GENERIC_SOCKET; 1237 case NETLINK_SCSITRANSPORT: 1238 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1239 case NETLINK_RDMA: 1240 return SECCLASS_NETLINK_RDMA_SOCKET; 1241 case NETLINK_CRYPTO: 1242 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1243 default: 1244 return SECCLASS_NETLINK_SOCKET; 1245 } 1246 case PF_PACKET: 1247 return SECCLASS_PACKET_SOCKET; 1248 case PF_KEY: 1249 return SECCLASS_KEY_SOCKET; 1250 case PF_APPLETALK: 1251 return SECCLASS_APPLETALK_SOCKET; 1252 } 1253 1254 if (extsockclass) { 1255 switch (family) { 1256 case PF_AX25: 1257 return SECCLASS_AX25_SOCKET; 1258 case PF_IPX: 1259 return SECCLASS_IPX_SOCKET; 1260 case PF_NETROM: 1261 return SECCLASS_NETROM_SOCKET; 1262 case PF_ATMPVC: 1263 return SECCLASS_ATMPVC_SOCKET; 1264 case PF_X25: 1265 return SECCLASS_X25_SOCKET; 1266 case PF_ROSE: 1267 return SECCLASS_ROSE_SOCKET; 1268 case PF_DECnet: 1269 return SECCLASS_DECNET_SOCKET; 1270 case PF_ATMSVC: 1271 return SECCLASS_ATMSVC_SOCKET; 1272 case PF_RDS: 1273 return SECCLASS_RDS_SOCKET; 1274 case PF_IRDA: 1275 return SECCLASS_IRDA_SOCKET; 1276 case PF_PPPOX: 1277 return SECCLASS_PPPOX_SOCKET; 1278 case PF_LLC: 1279 return SECCLASS_LLC_SOCKET; 1280 case PF_CAN: 1281 return SECCLASS_CAN_SOCKET; 1282 case PF_TIPC: 1283 return SECCLASS_TIPC_SOCKET; 1284 case PF_BLUETOOTH: 1285 return SECCLASS_BLUETOOTH_SOCKET; 1286 case PF_IUCV: 1287 return SECCLASS_IUCV_SOCKET; 1288 case PF_RXRPC: 1289 return SECCLASS_RXRPC_SOCKET; 1290 case PF_ISDN: 1291 return SECCLASS_ISDN_SOCKET; 1292 case PF_PHONET: 1293 return SECCLASS_PHONET_SOCKET; 1294 case PF_IEEE802154: 1295 return SECCLASS_IEEE802154_SOCKET; 1296 case PF_CAIF: 1297 return SECCLASS_CAIF_SOCKET; 1298 case PF_ALG: 1299 return SECCLASS_ALG_SOCKET; 1300 case PF_NFC: 1301 return SECCLASS_NFC_SOCKET; 1302 case PF_VSOCK: 1303 return SECCLASS_VSOCK_SOCKET; 1304 case PF_KCM: 1305 return SECCLASS_KCM_SOCKET; 1306 case PF_QIPCRTR: 1307 return SECCLASS_QIPCRTR_SOCKET; 1308 case PF_SMC: 1309 return SECCLASS_SMC_SOCKET; 1310 case PF_XDP: 1311 return SECCLASS_XDP_SOCKET; 1312 case PF_MCTP: 1313 return SECCLASS_MCTP_SOCKET; 1314 #if PF_MAX > 46 1315 #error New address family defined, please update this function. 1316 #endif 1317 } 1318 } 1319 1320 return SECCLASS_SOCKET; 1321 } 1322 1323 static int selinux_genfs_get_sid(struct dentry *dentry, 1324 u16 tclass, 1325 u16 flags, 1326 u32 *sid) 1327 { 1328 int rc; 1329 struct super_block *sb = dentry->d_sb; 1330 char *buffer, *path; 1331 1332 buffer = (char *)__get_free_page(GFP_KERNEL); 1333 if (!buffer) 1334 return -ENOMEM; 1335 1336 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1337 if (IS_ERR(path)) 1338 rc = PTR_ERR(path); 1339 else { 1340 if (flags & SE_SBPROC) { 1341 /* each process gets a /proc/PID/ entry. Strip off the 1342 * PID part to get a valid selinux labeling. 1343 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1344 while (path[1] >= '0' && path[1] <= '9') { 1345 path[1] = '/'; 1346 path++; 1347 } 1348 } 1349 rc = security_genfs_sid(sb->s_type->name, 1350 path, tclass, sid); 1351 if (rc == -ENOENT) { 1352 /* No match in policy, mark as unlabeled. */ 1353 *sid = SECINITSID_UNLABELED; 1354 rc = 0; 1355 } 1356 } 1357 free_page((unsigned long)buffer); 1358 return rc; 1359 } 1360 1361 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry, 1362 u32 def_sid, u32 *sid) 1363 { 1364 #define INITCONTEXTLEN 255 1365 char *context; 1366 unsigned int len; 1367 int rc; 1368 1369 len = INITCONTEXTLEN; 1370 context = kmalloc(len + 1, GFP_NOFS); 1371 if (!context) 1372 return -ENOMEM; 1373 1374 context[len] = '\0'; 1375 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1376 if (rc == -ERANGE) { 1377 kfree(context); 1378 1379 /* Need a larger buffer. Query for the right size. */ 1380 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1381 if (rc < 0) 1382 return rc; 1383 1384 len = rc; 1385 context = kmalloc(len + 1, GFP_NOFS); 1386 if (!context) 1387 return -ENOMEM; 1388 1389 context[len] = '\0'; 1390 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, 1391 context, len); 1392 } 1393 if (rc < 0) { 1394 kfree(context); 1395 if (rc != -ENODATA) { 1396 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n", 1397 __func__, -rc, inode->i_sb->s_id, inode->i_ino); 1398 return rc; 1399 } 1400 *sid = def_sid; 1401 return 0; 1402 } 1403 1404 rc = security_context_to_sid_default(context, rc, sid, 1405 def_sid, GFP_NOFS); 1406 if (rc) { 1407 char *dev = inode->i_sb->s_id; 1408 unsigned long ino = inode->i_ino; 1409 1410 if (rc == -EINVAL) { 1411 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n", 1412 ino, dev, context); 1413 } else { 1414 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n", 1415 __func__, context, -rc, dev, ino); 1416 } 1417 } 1418 kfree(context); 1419 return 0; 1420 } 1421 1422 /* The inode's security attributes must be initialized before first use. */ 1423 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1424 { 1425 struct superblock_security_struct *sbsec = NULL; 1426 struct inode_security_struct *isec = selinux_inode(inode); 1427 u32 task_sid, sid = 0; 1428 u16 sclass; 1429 struct dentry *dentry; 1430 int rc = 0; 1431 1432 if (isec->initialized == LABEL_INITIALIZED) 1433 return 0; 1434 1435 spin_lock(&isec->lock); 1436 if (isec->initialized == LABEL_INITIALIZED) 1437 goto out_unlock; 1438 1439 if (isec->sclass == SECCLASS_FILE) 1440 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1441 1442 sbsec = selinux_superblock(inode->i_sb); 1443 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1444 /* Defer initialization until selinux_complete_init, 1445 after the initial policy is loaded and the security 1446 server is ready to handle calls. */ 1447 spin_lock(&sbsec->isec_lock); 1448 if (list_empty(&isec->list)) 1449 list_add(&isec->list, &sbsec->isec_head); 1450 spin_unlock(&sbsec->isec_lock); 1451 goto out_unlock; 1452 } 1453 1454 sclass = isec->sclass; 1455 task_sid = isec->task_sid; 1456 sid = isec->sid; 1457 isec->initialized = LABEL_PENDING; 1458 spin_unlock(&isec->lock); 1459 1460 switch (sbsec->behavior) { 1461 /* 1462 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels 1463 * via xattr when called from delayed_superblock_init(). 1464 */ 1465 case SECURITY_FS_USE_NATIVE: 1466 case SECURITY_FS_USE_XATTR: 1467 if (!(inode->i_opflags & IOP_XATTR)) { 1468 sid = sbsec->def_sid; 1469 break; 1470 } 1471 /* Need a dentry, since the xattr API requires one. 1472 Life would be simpler if we could just pass the inode. */ 1473 if (opt_dentry) { 1474 /* Called from d_instantiate or d_splice_alias. */ 1475 dentry = dget(opt_dentry); 1476 } else { 1477 /* 1478 * Called from selinux_complete_init, try to find a dentry. 1479 * Some filesystems really want a connected one, so try 1480 * that first. We could split SECURITY_FS_USE_XATTR in 1481 * two, depending upon that... 1482 */ 1483 dentry = d_find_alias(inode); 1484 if (!dentry) 1485 dentry = d_find_any_alias(inode); 1486 } 1487 if (!dentry) { 1488 /* 1489 * this is can be hit on boot when a file is accessed 1490 * before the policy is loaded. When we load policy we 1491 * may find inodes that have no dentry on the 1492 * sbsec->isec_head list. No reason to complain as these 1493 * will get fixed up the next time we go through 1494 * inode_doinit with a dentry, before these inodes could 1495 * be used again by userspace. 1496 */ 1497 goto out_invalid; 1498 } 1499 1500 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid, 1501 &sid); 1502 dput(dentry); 1503 if (rc) 1504 goto out; 1505 break; 1506 case SECURITY_FS_USE_TASK: 1507 sid = task_sid; 1508 break; 1509 case SECURITY_FS_USE_TRANS: 1510 /* Default to the fs SID. */ 1511 sid = sbsec->sid; 1512 1513 /* Try to obtain a transition SID. */ 1514 rc = security_transition_sid(task_sid, sid, 1515 sclass, NULL, &sid); 1516 if (rc) 1517 goto out; 1518 break; 1519 case SECURITY_FS_USE_MNTPOINT: 1520 sid = sbsec->mntpoint_sid; 1521 break; 1522 default: 1523 /* Default to the fs superblock SID. */ 1524 sid = sbsec->sid; 1525 1526 if ((sbsec->flags & SE_SBGENFS) && 1527 (!S_ISLNK(inode->i_mode) || 1528 selinux_policycap_genfs_seclabel_symlinks())) { 1529 /* We must have a dentry to determine the label on 1530 * procfs inodes */ 1531 if (opt_dentry) { 1532 /* Called from d_instantiate or 1533 * d_splice_alias. */ 1534 dentry = dget(opt_dentry); 1535 } else { 1536 /* Called from selinux_complete_init, try to 1537 * find a dentry. Some filesystems really want 1538 * a connected one, so try that first. 1539 */ 1540 dentry = d_find_alias(inode); 1541 if (!dentry) 1542 dentry = d_find_any_alias(inode); 1543 } 1544 /* 1545 * This can be hit on boot when a file is accessed 1546 * before the policy is loaded. When we load policy we 1547 * may find inodes that have no dentry on the 1548 * sbsec->isec_head list. No reason to complain as 1549 * these will get fixed up the next time we go through 1550 * inode_doinit() with a dentry, before these inodes 1551 * could be used again by userspace. 1552 */ 1553 if (!dentry) 1554 goto out_invalid; 1555 rc = selinux_genfs_get_sid(dentry, sclass, 1556 sbsec->flags, &sid); 1557 if (rc) { 1558 dput(dentry); 1559 goto out; 1560 } 1561 1562 if ((sbsec->flags & SE_SBGENFS_XATTR) && 1563 (inode->i_opflags & IOP_XATTR)) { 1564 rc = inode_doinit_use_xattr(inode, dentry, 1565 sid, &sid); 1566 if (rc) { 1567 dput(dentry); 1568 goto out; 1569 } 1570 } 1571 dput(dentry); 1572 } 1573 break; 1574 } 1575 1576 out: 1577 spin_lock(&isec->lock); 1578 if (isec->initialized == LABEL_PENDING) { 1579 if (rc) { 1580 isec->initialized = LABEL_INVALID; 1581 goto out_unlock; 1582 } 1583 isec->initialized = LABEL_INITIALIZED; 1584 isec->sid = sid; 1585 } 1586 1587 out_unlock: 1588 spin_unlock(&isec->lock); 1589 return rc; 1590 1591 out_invalid: 1592 spin_lock(&isec->lock); 1593 if (isec->initialized == LABEL_PENDING) { 1594 isec->initialized = LABEL_INVALID; 1595 isec->sid = sid; 1596 } 1597 spin_unlock(&isec->lock); 1598 return 0; 1599 } 1600 1601 /* Convert a Linux signal to an access vector. */ 1602 static inline u32 signal_to_av(int sig) 1603 { 1604 u32 perm = 0; 1605 1606 switch (sig) { 1607 case SIGCHLD: 1608 /* Commonly granted from child to parent. */ 1609 perm = PROCESS__SIGCHLD; 1610 break; 1611 case SIGKILL: 1612 /* Cannot be caught or ignored */ 1613 perm = PROCESS__SIGKILL; 1614 break; 1615 case SIGSTOP: 1616 /* Cannot be caught or ignored */ 1617 perm = PROCESS__SIGSTOP; 1618 break; 1619 default: 1620 /* All other signals. */ 1621 perm = PROCESS__SIGNAL; 1622 break; 1623 } 1624 1625 return perm; 1626 } 1627 1628 #if CAP_LAST_CAP > 63 1629 #error Fix SELinux to handle capabilities > 63. 1630 #endif 1631 1632 /* Check whether a task is allowed to use a capability. */ 1633 static int cred_has_capability(const struct cred *cred, 1634 int cap, unsigned int opts, bool initns) 1635 { 1636 struct common_audit_data ad; 1637 struct av_decision avd; 1638 u16 sclass; 1639 u32 sid = cred_sid(cred); 1640 u32 av = CAP_TO_MASK(cap); 1641 int rc; 1642 1643 ad.type = LSM_AUDIT_DATA_CAP; 1644 ad.u.cap = cap; 1645 1646 switch (CAP_TO_INDEX(cap)) { 1647 case 0: 1648 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1649 break; 1650 case 1: 1651 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1652 break; 1653 default: 1654 pr_err("SELinux: out of range capability %d\n", cap); 1655 BUG(); 1656 return -EINVAL; 1657 } 1658 1659 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1660 if (!(opts & CAP_OPT_NOAUDIT)) { 1661 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); 1662 if (rc2) 1663 return rc2; 1664 } 1665 return rc; 1666 } 1667 1668 /* Check whether a task has a particular permission to an inode. 1669 The 'adp' parameter is optional and allows other audit 1670 data to be passed (e.g. the dentry). */ 1671 static int inode_has_perm(const struct cred *cred, 1672 struct inode *inode, 1673 u32 perms, 1674 struct common_audit_data *adp) 1675 { 1676 struct inode_security_struct *isec; 1677 u32 sid; 1678 1679 if (unlikely(IS_PRIVATE(inode))) 1680 return 0; 1681 1682 sid = cred_sid(cred); 1683 isec = selinux_inode(inode); 1684 1685 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1686 } 1687 1688 /* Same as inode_has_perm, but pass explicit audit data containing 1689 the dentry to help the auditing code to more easily generate the 1690 pathname if needed. */ 1691 static inline int dentry_has_perm(const struct cred *cred, 1692 struct dentry *dentry, 1693 u32 av) 1694 { 1695 struct common_audit_data ad; 1696 struct inode *inode = d_backing_inode(dentry); 1697 struct inode_security_struct *isec = selinux_inode(inode); 1698 1699 ad.type = LSM_AUDIT_DATA_DENTRY; 1700 ad.u.dentry = dentry; 1701 /* check below is racy, but revalidate will recheck with lock held */ 1702 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED))) 1703 __inode_security_revalidate(inode, dentry, true); 1704 return inode_has_perm(cred, inode, av, &ad); 1705 } 1706 1707 /* Same as inode_has_perm, but pass explicit audit data containing 1708 the path to help the auditing code to more easily generate the 1709 pathname if needed. */ 1710 static inline int path_has_perm(const struct cred *cred, 1711 const struct path *path, 1712 u32 av) 1713 { 1714 struct common_audit_data ad; 1715 struct inode *inode = d_backing_inode(path->dentry); 1716 struct inode_security_struct *isec = selinux_inode(inode); 1717 1718 ad.type = LSM_AUDIT_DATA_PATH; 1719 ad.u.path = *path; 1720 /* check below is racy, but revalidate will recheck with lock held */ 1721 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED))) 1722 __inode_security_revalidate(inode, path->dentry, true); 1723 return inode_has_perm(cred, inode, av, &ad); 1724 } 1725 1726 /* Same as path_has_perm, but uses the inode from the file struct. */ 1727 static inline int file_path_has_perm(const struct cred *cred, 1728 struct file *file, 1729 u32 av) 1730 { 1731 struct common_audit_data ad; 1732 1733 ad.type = LSM_AUDIT_DATA_FILE; 1734 ad.u.file = file; 1735 return inode_has_perm(cred, file_inode(file), av, &ad); 1736 } 1737 1738 #ifdef CONFIG_BPF_SYSCALL 1739 static int bpf_fd_pass(const struct file *file, u32 sid); 1740 #endif 1741 1742 /* Check whether a task can use an open file descriptor to 1743 access an inode in a given way. Check access to the 1744 descriptor itself, and then use dentry_has_perm to 1745 check a particular permission to the file. 1746 Access to the descriptor is implicitly granted if it 1747 has the same SID as the process. If av is zero, then 1748 access to the file is not checked, e.g. for cases 1749 where only the descriptor is affected like seek. */ 1750 static int file_has_perm(const struct cred *cred, 1751 struct file *file, 1752 u32 av) 1753 { 1754 struct file_security_struct *fsec = selinux_file(file); 1755 struct inode *inode = file_inode(file); 1756 struct common_audit_data ad; 1757 u32 sid = cred_sid(cred); 1758 int rc; 1759 1760 ad.type = LSM_AUDIT_DATA_FILE; 1761 ad.u.file = file; 1762 1763 if (sid != fsec->sid) { 1764 rc = avc_has_perm(sid, fsec->sid, 1765 SECCLASS_FD, 1766 FD__USE, 1767 &ad); 1768 if (rc) 1769 goto out; 1770 } 1771 1772 #ifdef CONFIG_BPF_SYSCALL 1773 rc = bpf_fd_pass(file, cred_sid(cred)); 1774 if (rc) 1775 return rc; 1776 #endif 1777 1778 /* av is zero if only checking access to the descriptor. */ 1779 rc = 0; 1780 if (av) 1781 rc = inode_has_perm(cred, inode, av, &ad); 1782 1783 out: 1784 return rc; 1785 } 1786 1787 /* 1788 * Determine the label for an inode that might be unioned. 1789 */ 1790 static int 1791 selinux_determine_inode_label(const struct task_security_struct *tsec, 1792 struct inode *dir, 1793 const struct qstr *name, u16 tclass, 1794 u32 *_new_isid) 1795 { 1796 const struct superblock_security_struct *sbsec = 1797 selinux_superblock(dir->i_sb); 1798 1799 if ((sbsec->flags & SE_SBINITIALIZED) && 1800 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1801 *_new_isid = sbsec->mntpoint_sid; 1802 } else if ((sbsec->flags & SBLABEL_MNT) && 1803 tsec->create_sid) { 1804 *_new_isid = tsec->create_sid; 1805 } else { 1806 const struct inode_security_struct *dsec = inode_security(dir); 1807 return security_transition_sid(tsec->sid, 1808 dsec->sid, tclass, 1809 name, _new_isid); 1810 } 1811 1812 return 0; 1813 } 1814 1815 /* Check whether a task can create a file. */ 1816 static int may_create(struct inode *dir, 1817 struct dentry *dentry, 1818 u16 tclass) 1819 { 1820 const struct task_security_struct *tsec = selinux_cred(current_cred()); 1821 struct inode_security_struct *dsec; 1822 struct superblock_security_struct *sbsec; 1823 u32 sid, newsid; 1824 struct common_audit_data ad; 1825 int rc; 1826 1827 dsec = inode_security(dir); 1828 sbsec = selinux_superblock(dir->i_sb); 1829 1830 sid = tsec->sid; 1831 1832 ad.type = LSM_AUDIT_DATA_DENTRY; 1833 ad.u.dentry = dentry; 1834 1835 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1836 DIR__ADD_NAME | DIR__SEARCH, 1837 &ad); 1838 if (rc) 1839 return rc; 1840 1841 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass, 1842 &newsid); 1843 if (rc) 1844 return rc; 1845 1846 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1847 if (rc) 1848 return rc; 1849 1850 return avc_has_perm(newsid, sbsec->sid, 1851 SECCLASS_FILESYSTEM, 1852 FILESYSTEM__ASSOCIATE, &ad); 1853 } 1854 1855 #define MAY_LINK 0 1856 #define MAY_UNLINK 1 1857 #define MAY_RMDIR 2 1858 1859 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1860 static int may_link(struct inode *dir, 1861 struct dentry *dentry, 1862 int kind) 1863 1864 { 1865 struct inode_security_struct *dsec, *isec; 1866 struct common_audit_data ad; 1867 u32 sid = current_sid(); 1868 u32 av; 1869 int rc; 1870 1871 dsec = inode_security(dir); 1872 isec = backing_inode_security(dentry); 1873 1874 ad.type = LSM_AUDIT_DATA_DENTRY; 1875 ad.u.dentry = dentry; 1876 1877 av = DIR__SEARCH; 1878 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1879 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1880 if (rc) 1881 return rc; 1882 1883 switch (kind) { 1884 case MAY_LINK: 1885 av = FILE__LINK; 1886 break; 1887 case MAY_UNLINK: 1888 av = FILE__UNLINK; 1889 break; 1890 case MAY_RMDIR: 1891 av = DIR__RMDIR; 1892 break; 1893 default: 1894 pr_warn("SELinux: %s: unrecognized kind %d\n", 1895 __func__, kind); 1896 return 0; 1897 } 1898 1899 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1900 return rc; 1901 } 1902 1903 static inline int may_rename(struct inode *old_dir, 1904 struct dentry *old_dentry, 1905 struct inode *new_dir, 1906 struct dentry *new_dentry) 1907 { 1908 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1909 struct common_audit_data ad; 1910 u32 sid = current_sid(); 1911 u32 av; 1912 int old_is_dir, new_is_dir; 1913 int rc; 1914 1915 old_dsec = inode_security(old_dir); 1916 old_isec = backing_inode_security(old_dentry); 1917 old_is_dir = d_is_dir(old_dentry); 1918 new_dsec = inode_security(new_dir); 1919 1920 ad.type = LSM_AUDIT_DATA_DENTRY; 1921 1922 ad.u.dentry = old_dentry; 1923 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1924 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1925 if (rc) 1926 return rc; 1927 rc = avc_has_perm(sid, old_isec->sid, 1928 old_isec->sclass, FILE__RENAME, &ad); 1929 if (rc) 1930 return rc; 1931 if (old_is_dir && new_dir != old_dir) { 1932 rc = avc_has_perm(sid, old_isec->sid, 1933 old_isec->sclass, DIR__REPARENT, &ad); 1934 if (rc) 1935 return rc; 1936 } 1937 1938 ad.u.dentry = new_dentry; 1939 av = DIR__ADD_NAME | DIR__SEARCH; 1940 if (d_is_positive(new_dentry)) 1941 av |= DIR__REMOVE_NAME; 1942 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1943 if (rc) 1944 return rc; 1945 if (d_is_positive(new_dentry)) { 1946 new_isec = backing_inode_security(new_dentry); 1947 new_is_dir = d_is_dir(new_dentry); 1948 rc = avc_has_perm(sid, new_isec->sid, 1949 new_isec->sclass, 1950 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1951 if (rc) 1952 return rc; 1953 } 1954 1955 return 0; 1956 } 1957 1958 /* Check whether a task can perform a filesystem operation. */ 1959 static int superblock_has_perm(const struct cred *cred, 1960 const struct super_block *sb, 1961 u32 perms, 1962 struct common_audit_data *ad) 1963 { 1964 struct superblock_security_struct *sbsec; 1965 u32 sid = cred_sid(cred); 1966 1967 sbsec = selinux_superblock(sb); 1968 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1969 } 1970 1971 /* Convert a Linux mode and permission mask to an access vector. */ 1972 static inline u32 file_mask_to_av(int mode, int mask) 1973 { 1974 u32 av = 0; 1975 1976 if (!S_ISDIR(mode)) { 1977 if (mask & MAY_EXEC) 1978 av |= FILE__EXECUTE; 1979 if (mask & MAY_READ) 1980 av |= FILE__READ; 1981 1982 if (mask & MAY_APPEND) 1983 av |= FILE__APPEND; 1984 else if (mask & MAY_WRITE) 1985 av |= FILE__WRITE; 1986 1987 } else { 1988 if (mask & MAY_EXEC) 1989 av |= DIR__SEARCH; 1990 if (mask & MAY_WRITE) 1991 av |= DIR__WRITE; 1992 if (mask & MAY_READ) 1993 av |= DIR__READ; 1994 } 1995 1996 return av; 1997 } 1998 1999 /* Convert a Linux file to an access vector. */ 2000 static inline u32 file_to_av(const struct file *file) 2001 { 2002 u32 av = 0; 2003 2004 if (file->f_mode & FMODE_READ) 2005 av |= FILE__READ; 2006 if (file->f_mode & FMODE_WRITE) { 2007 if (file->f_flags & O_APPEND) 2008 av |= FILE__APPEND; 2009 else 2010 av |= FILE__WRITE; 2011 } 2012 if (!av) { 2013 /* 2014 * Special file opened with flags 3 for ioctl-only use. 2015 */ 2016 av = FILE__IOCTL; 2017 } 2018 2019 return av; 2020 } 2021 2022 /* 2023 * Convert a file to an access vector and include the correct 2024 * open permission. 2025 */ 2026 static inline u32 open_file_to_av(struct file *file) 2027 { 2028 u32 av = file_to_av(file); 2029 struct inode *inode = file_inode(file); 2030 2031 if (selinux_policycap_openperm() && 2032 inode->i_sb->s_magic != SOCKFS_MAGIC) 2033 av |= FILE__OPEN; 2034 2035 return av; 2036 } 2037 2038 /* Hook functions begin here. */ 2039 2040 static int selinux_binder_set_context_mgr(const struct cred *mgr) 2041 { 2042 return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER, 2043 BINDER__SET_CONTEXT_MGR, NULL); 2044 } 2045 2046 static int selinux_binder_transaction(const struct cred *from, 2047 const struct cred *to) 2048 { 2049 u32 mysid = current_sid(); 2050 u32 fromsid = cred_sid(from); 2051 u32 tosid = cred_sid(to); 2052 int rc; 2053 2054 if (mysid != fromsid) { 2055 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2056 BINDER__IMPERSONATE, NULL); 2057 if (rc) 2058 return rc; 2059 } 2060 2061 return avc_has_perm(fromsid, tosid, 2062 SECCLASS_BINDER, BINDER__CALL, NULL); 2063 } 2064 2065 static int selinux_binder_transfer_binder(const struct cred *from, 2066 const struct cred *to) 2067 { 2068 return avc_has_perm(cred_sid(from), cred_sid(to), 2069 SECCLASS_BINDER, BINDER__TRANSFER, 2070 NULL); 2071 } 2072 2073 static int selinux_binder_transfer_file(const struct cred *from, 2074 const struct cred *to, 2075 const struct file *file) 2076 { 2077 u32 sid = cred_sid(to); 2078 struct file_security_struct *fsec = selinux_file(file); 2079 struct dentry *dentry = file->f_path.dentry; 2080 struct inode_security_struct *isec; 2081 struct common_audit_data ad; 2082 int rc; 2083 2084 ad.type = LSM_AUDIT_DATA_PATH; 2085 ad.u.path = file->f_path; 2086 2087 if (sid != fsec->sid) { 2088 rc = avc_has_perm(sid, fsec->sid, 2089 SECCLASS_FD, 2090 FD__USE, 2091 &ad); 2092 if (rc) 2093 return rc; 2094 } 2095 2096 #ifdef CONFIG_BPF_SYSCALL 2097 rc = bpf_fd_pass(file, sid); 2098 if (rc) 2099 return rc; 2100 #endif 2101 2102 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2103 return 0; 2104 2105 isec = backing_inode_security(dentry); 2106 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2107 &ad); 2108 } 2109 2110 static int selinux_ptrace_access_check(struct task_struct *child, 2111 unsigned int mode) 2112 { 2113 u32 sid = current_sid(); 2114 u32 csid = task_sid_obj(child); 2115 2116 if (mode & PTRACE_MODE_READ) 2117 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, 2118 NULL); 2119 2120 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, 2121 NULL); 2122 } 2123 2124 static int selinux_ptrace_traceme(struct task_struct *parent) 2125 { 2126 return avc_has_perm(task_sid_obj(parent), task_sid_obj(current), 2127 SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2128 } 2129 2130 static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective, 2131 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2132 { 2133 return avc_has_perm(current_sid(), task_sid_obj(target), 2134 SECCLASS_PROCESS, PROCESS__GETCAP, NULL); 2135 } 2136 2137 static int selinux_capset(struct cred *new, const struct cred *old, 2138 const kernel_cap_t *effective, 2139 const kernel_cap_t *inheritable, 2140 const kernel_cap_t *permitted) 2141 { 2142 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2143 PROCESS__SETCAP, NULL); 2144 } 2145 2146 /* 2147 * (This comment used to live with the selinux_task_setuid hook, 2148 * which was removed). 2149 * 2150 * Since setuid only affects the current process, and since the SELinux 2151 * controls are not based on the Linux identity attributes, SELinux does not 2152 * need to control this operation. However, SELinux does control the use of 2153 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2154 */ 2155 2156 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2157 int cap, unsigned int opts) 2158 { 2159 return cred_has_capability(cred, cap, opts, ns == &init_user_ns); 2160 } 2161 2162 static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb) 2163 { 2164 const struct cred *cred = current_cred(); 2165 int rc = 0; 2166 2167 if (!sb) 2168 return 0; 2169 2170 switch (cmds) { 2171 case Q_SYNC: 2172 case Q_QUOTAON: 2173 case Q_QUOTAOFF: 2174 case Q_SETINFO: 2175 case Q_SETQUOTA: 2176 case Q_XQUOTAOFF: 2177 case Q_XQUOTAON: 2178 case Q_XSETQLIM: 2179 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2180 break; 2181 case Q_GETFMT: 2182 case Q_GETINFO: 2183 case Q_GETQUOTA: 2184 case Q_XGETQUOTA: 2185 case Q_XGETQSTAT: 2186 case Q_XGETQSTATV: 2187 case Q_XGETNEXTQUOTA: 2188 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2189 break; 2190 default: 2191 rc = 0; /* let the kernel handle invalid cmds */ 2192 break; 2193 } 2194 return rc; 2195 } 2196 2197 static int selinux_quota_on(struct dentry *dentry) 2198 { 2199 const struct cred *cred = current_cred(); 2200 2201 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2202 } 2203 2204 static int selinux_syslog(int type) 2205 { 2206 switch (type) { 2207 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2208 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2209 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2210 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2211 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2212 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2213 /* Set level of messages printed to console */ 2214 case SYSLOG_ACTION_CONSOLE_LEVEL: 2215 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2216 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2217 NULL); 2218 } 2219 /* All other syslog types */ 2220 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2221 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2222 } 2223 2224 /* 2225 * Check permission for allocating a new virtual mapping. Returns 2226 * 0 if permission is granted, negative error code if not. 2227 * 2228 * Do not audit the selinux permission check, as this is applied to all 2229 * processes that allocate mappings. 2230 */ 2231 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2232 { 2233 return cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2234 CAP_OPT_NOAUDIT, true); 2235 } 2236 2237 /* binprm security operations */ 2238 2239 static u32 ptrace_parent_sid(void) 2240 { 2241 u32 sid = 0; 2242 struct task_struct *tracer; 2243 2244 rcu_read_lock(); 2245 tracer = ptrace_parent(current); 2246 if (tracer) 2247 sid = task_sid_obj(tracer); 2248 rcu_read_unlock(); 2249 2250 return sid; 2251 } 2252 2253 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2254 const struct task_security_struct *old_tsec, 2255 const struct task_security_struct *new_tsec) 2256 { 2257 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2258 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2259 int rc; 2260 u32 av; 2261 2262 if (!nnp && !nosuid) 2263 return 0; /* neither NNP nor nosuid */ 2264 2265 if (new_tsec->sid == old_tsec->sid) 2266 return 0; /* No change in credentials */ 2267 2268 /* 2269 * If the policy enables the nnp_nosuid_transition policy capability, 2270 * then we permit transitions under NNP or nosuid if the 2271 * policy allows the corresponding permission between 2272 * the old and new contexts. 2273 */ 2274 if (selinux_policycap_nnp_nosuid_transition()) { 2275 av = 0; 2276 if (nnp) 2277 av |= PROCESS2__NNP_TRANSITION; 2278 if (nosuid) 2279 av |= PROCESS2__NOSUID_TRANSITION; 2280 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2281 SECCLASS_PROCESS2, av, NULL); 2282 if (!rc) 2283 return 0; 2284 } 2285 2286 /* 2287 * We also permit NNP or nosuid transitions to bounded SIDs, 2288 * i.e. SIDs that are guaranteed to only be allowed a subset 2289 * of the permissions of the current SID. 2290 */ 2291 rc = security_bounded_transition(old_tsec->sid, 2292 new_tsec->sid); 2293 if (!rc) 2294 return 0; 2295 2296 /* 2297 * On failure, preserve the errno values for NNP vs nosuid. 2298 * NNP: Operation not permitted for caller. 2299 * nosuid: Permission denied to file. 2300 */ 2301 if (nnp) 2302 return -EPERM; 2303 return -EACCES; 2304 } 2305 2306 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) 2307 { 2308 const struct task_security_struct *old_tsec; 2309 struct task_security_struct *new_tsec; 2310 struct inode_security_struct *isec; 2311 struct common_audit_data ad; 2312 struct inode *inode = file_inode(bprm->file); 2313 int rc; 2314 2315 /* SELinux context only depends on initial program or script and not 2316 * the script interpreter */ 2317 2318 old_tsec = selinux_cred(current_cred()); 2319 new_tsec = selinux_cred(bprm->cred); 2320 isec = inode_security(inode); 2321 2322 /* Default to the current task SID. */ 2323 new_tsec->sid = old_tsec->sid; 2324 new_tsec->osid = old_tsec->sid; 2325 2326 /* Reset fs, key, and sock SIDs on execve. */ 2327 new_tsec->create_sid = 0; 2328 new_tsec->keycreate_sid = 0; 2329 new_tsec->sockcreate_sid = 0; 2330 2331 /* 2332 * Before policy is loaded, label any task outside kernel space 2333 * as SECINITSID_INIT, so that any userspace tasks surviving from 2334 * early boot end up with a label different from SECINITSID_KERNEL 2335 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL). 2336 */ 2337 if (!selinux_initialized()) { 2338 new_tsec->sid = SECINITSID_INIT; 2339 /* also clear the exec_sid just in case */ 2340 new_tsec->exec_sid = 0; 2341 return 0; 2342 } 2343 2344 if (old_tsec->exec_sid) { 2345 new_tsec->sid = old_tsec->exec_sid; 2346 /* Reset exec SID on execve. */ 2347 new_tsec->exec_sid = 0; 2348 2349 /* Fail on NNP or nosuid if not an allowed transition. */ 2350 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2351 if (rc) 2352 return rc; 2353 } else { 2354 /* Check for a default transition on this program. */ 2355 rc = security_transition_sid(old_tsec->sid, 2356 isec->sid, SECCLASS_PROCESS, NULL, 2357 &new_tsec->sid); 2358 if (rc) 2359 return rc; 2360 2361 /* 2362 * Fallback to old SID on NNP or nosuid if not an allowed 2363 * transition. 2364 */ 2365 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2366 if (rc) 2367 new_tsec->sid = old_tsec->sid; 2368 } 2369 2370 ad.type = LSM_AUDIT_DATA_FILE; 2371 ad.u.file = bprm->file; 2372 2373 if (new_tsec->sid == old_tsec->sid) { 2374 rc = avc_has_perm(old_tsec->sid, isec->sid, 2375 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2376 if (rc) 2377 return rc; 2378 } else { 2379 /* Check permissions for the transition. */ 2380 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2381 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2382 if (rc) 2383 return rc; 2384 2385 rc = avc_has_perm(new_tsec->sid, isec->sid, 2386 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2387 if (rc) 2388 return rc; 2389 2390 /* Check for shared state */ 2391 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2392 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2393 SECCLASS_PROCESS, PROCESS__SHARE, 2394 NULL); 2395 if (rc) 2396 return -EPERM; 2397 } 2398 2399 /* Make sure that anyone attempting to ptrace over a task that 2400 * changes its SID has the appropriate permit */ 2401 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2402 u32 ptsid = ptrace_parent_sid(); 2403 if (ptsid != 0) { 2404 rc = avc_has_perm(ptsid, new_tsec->sid, 2405 SECCLASS_PROCESS, 2406 PROCESS__PTRACE, NULL); 2407 if (rc) 2408 return -EPERM; 2409 } 2410 } 2411 2412 /* Clear any possibly unsafe personality bits on exec: */ 2413 bprm->per_clear |= PER_CLEAR_ON_SETID; 2414 2415 /* Enable secure mode for SIDs transitions unless 2416 the noatsecure permission is granted between 2417 the two SIDs, i.e. ahp returns 0. */ 2418 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2419 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2420 NULL); 2421 bprm->secureexec |= !!rc; 2422 } 2423 2424 return 0; 2425 } 2426 2427 static int match_file(const void *p, struct file *file, unsigned fd) 2428 { 2429 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2430 } 2431 2432 /* Derived from fs/exec.c:flush_old_files. */ 2433 static inline void flush_unauthorized_files(const struct cred *cred, 2434 struct files_struct *files) 2435 { 2436 struct file *file, *devnull = NULL; 2437 struct tty_struct *tty; 2438 int drop_tty = 0; 2439 unsigned n; 2440 2441 tty = get_current_tty(); 2442 if (tty) { 2443 spin_lock(&tty->files_lock); 2444 if (!list_empty(&tty->tty_files)) { 2445 struct tty_file_private *file_priv; 2446 2447 /* Revalidate access to controlling tty. 2448 Use file_path_has_perm on the tty path directly 2449 rather than using file_has_perm, as this particular 2450 open file may belong to another process and we are 2451 only interested in the inode-based check here. */ 2452 file_priv = list_first_entry(&tty->tty_files, 2453 struct tty_file_private, list); 2454 file = file_priv->file; 2455 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2456 drop_tty = 1; 2457 } 2458 spin_unlock(&tty->files_lock); 2459 tty_kref_put(tty); 2460 } 2461 /* Reset controlling tty. */ 2462 if (drop_tty) 2463 no_tty(); 2464 2465 /* Revalidate access to inherited open files. */ 2466 n = iterate_fd(files, 0, match_file, cred); 2467 if (!n) /* none found? */ 2468 return; 2469 2470 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2471 if (IS_ERR(devnull)) 2472 devnull = NULL; 2473 /* replace all the matching ones with this */ 2474 do { 2475 replace_fd(n - 1, devnull, 0); 2476 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2477 if (devnull) 2478 fput(devnull); 2479 } 2480 2481 /* 2482 * Prepare a process for imminent new credential changes due to exec 2483 */ 2484 static void selinux_bprm_committing_creds(const struct linux_binprm *bprm) 2485 { 2486 struct task_security_struct *new_tsec; 2487 struct rlimit *rlim, *initrlim; 2488 int rc, i; 2489 2490 new_tsec = selinux_cred(bprm->cred); 2491 if (new_tsec->sid == new_tsec->osid) 2492 return; 2493 2494 /* Close files for which the new task SID is not authorized. */ 2495 flush_unauthorized_files(bprm->cred, current->files); 2496 2497 /* Always clear parent death signal on SID transitions. */ 2498 current->pdeath_signal = 0; 2499 2500 /* Check whether the new SID can inherit resource limits from the old 2501 * SID. If not, reset all soft limits to the lower of the current 2502 * task's hard limit and the init task's soft limit. 2503 * 2504 * Note that the setting of hard limits (even to lower them) can be 2505 * controlled by the setrlimit check. The inclusion of the init task's 2506 * soft limit into the computation is to avoid resetting soft limits 2507 * higher than the default soft limit for cases where the default is 2508 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2509 */ 2510 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2511 PROCESS__RLIMITINH, NULL); 2512 if (rc) { 2513 /* protect against do_prlimit() */ 2514 task_lock(current); 2515 for (i = 0; i < RLIM_NLIMITS; i++) { 2516 rlim = current->signal->rlim + i; 2517 initrlim = init_task.signal->rlim + i; 2518 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2519 } 2520 task_unlock(current); 2521 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2522 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2523 } 2524 } 2525 2526 /* 2527 * Clean up the process immediately after the installation of new credentials 2528 * due to exec 2529 */ 2530 static void selinux_bprm_committed_creds(const struct linux_binprm *bprm) 2531 { 2532 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2533 u32 osid, sid; 2534 int rc; 2535 2536 osid = tsec->osid; 2537 sid = tsec->sid; 2538 2539 if (sid == osid) 2540 return; 2541 2542 /* Check whether the new SID can inherit signal state from the old SID. 2543 * If not, clear itimers to avoid subsequent signal generation and 2544 * flush and unblock signals. 2545 * 2546 * This must occur _after_ the task SID has been updated so that any 2547 * kill done after the flush will be checked against the new SID. 2548 */ 2549 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2550 if (rc) { 2551 clear_itimer(); 2552 2553 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock); 2554 if (!fatal_signal_pending(current)) { 2555 flush_sigqueue(¤t->pending); 2556 flush_sigqueue(¤t->signal->shared_pending); 2557 flush_signal_handlers(current, 1); 2558 sigemptyset(¤t->blocked); 2559 recalc_sigpending(); 2560 } 2561 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock); 2562 } 2563 2564 /* Wake up the parent if it is waiting so that it can recheck 2565 * wait permission to the new task SID. */ 2566 read_lock(&tasklist_lock); 2567 __wake_up_parent(current, unrcu_pointer(current->real_parent)); 2568 read_unlock(&tasklist_lock); 2569 } 2570 2571 /* superblock security operations */ 2572 2573 static int selinux_sb_alloc_security(struct super_block *sb) 2574 { 2575 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2576 2577 mutex_init(&sbsec->lock); 2578 INIT_LIST_HEAD(&sbsec->isec_head); 2579 spin_lock_init(&sbsec->isec_lock); 2580 sbsec->sid = SECINITSID_UNLABELED; 2581 sbsec->def_sid = SECINITSID_FILE; 2582 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 2583 2584 return 0; 2585 } 2586 2587 static inline int opt_len(const char *s) 2588 { 2589 bool open_quote = false; 2590 int len; 2591 char c; 2592 2593 for (len = 0; (c = s[len]) != '\0'; len++) { 2594 if (c == '"') 2595 open_quote = !open_quote; 2596 if (c == ',' && !open_quote) 2597 break; 2598 } 2599 return len; 2600 } 2601 2602 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) 2603 { 2604 char *from = options; 2605 char *to = options; 2606 bool first = true; 2607 int rc; 2608 2609 while (1) { 2610 int len = opt_len(from); 2611 int token; 2612 char *arg = NULL; 2613 2614 token = match_opt_prefix(from, len, &arg); 2615 2616 if (token != Opt_error) { 2617 char *p, *q; 2618 2619 /* strip quotes */ 2620 if (arg) { 2621 for (p = q = arg; p < from + len; p++) { 2622 char c = *p; 2623 if (c != '"') 2624 *q++ = c; 2625 } 2626 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); 2627 if (!arg) { 2628 rc = -ENOMEM; 2629 goto free_opt; 2630 } 2631 } 2632 rc = selinux_add_opt(token, arg, mnt_opts); 2633 kfree(arg); 2634 arg = NULL; 2635 if (unlikely(rc)) { 2636 goto free_opt; 2637 } 2638 } else { 2639 if (!first) { // copy with preceding comma 2640 from--; 2641 len++; 2642 } 2643 if (to != from) 2644 memmove(to, from, len); 2645 to += len; 2646 first = false; 2647 } 2648 if (!from[len]) 2649 break; 2650 from += len + 1; 2651 } 2652 *to = '\0'; 2653 return 0; 2654 2655 free_opt: 2656 if (*mnt_opts) { 2657 selinux_free_mnt_opts(*mnt_opts); 2658 *mnt_opts = NULL; 2659 } 2660 return rc; 2661 } 2662 2663 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts) 2664 { 2665 struct selinux_mnt_opts *opts = mnt_opts; 2666 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2667 2668 /* 2669 * Superblock not initialized (i.e. no options) - reject if any 2670 * options specified, otherwise accept. 2671 */ 2672 if (!(sbsec->flags & SE_SBINITIALIZED)) 2673 return opts ? 1 : 0; 2674 2675 /* 2676 * Superblock initialized and no options specified - reject if 2677 * superblock has any options set, otherwise accept. 2678 */ 2679 if (!opts) 2680 return (sbsec->flags & SE_MNTMASK) ? 1 : 0; 2681 2682 if (opts->fscontext_sid) { 2683 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 2684 opts->fscontext_sid)) 2685 return 1; 2686 } 2687 if (opts->context_sid) { 2688 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 2689 opts->context_sid)) 2690 return 1; 2691 } 2692 if (opts->rootcontext_sid) { 2693 struct inode_security_struct *root_isec; 2694 2695 root_isec = backing_inode_security(sb->s_root); 2696 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 2697 opts->rootcontext_sid)) 2698 return 1; 2699 } 2700 if (opts->defcontext_sid) { 2701 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 2702 opts->defcontext_sid)) 2703 return 1; 2704 } 2705 return 0; 2706 } 2707 2708 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) 2709 { 2710 struct selinux_mnt_opts *opts = mnt_opts; 2711 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2712 2713 if (!(sbsec->flags & SE_SBINITIALIZED)) 2714 return 0; 2715 2716 if (!opts) 2717 return 0; 2718 2719 if (opts->fscontext_sid) { 2720 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 2721 opts->fscontext_sid)) 2722 goto out_bad_option; 2723 } 2724 if (opts->context_sid) { 2725 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 2726 opts->context_sid)) 2727 goto out_bad_option; 2728 } 2729 if (opts->rootcontext_sid) { 2730 struct inode_security_struct *root_isec; 2731 root_isec = backing_inode_security(sb->s_root); 2732 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 2733 opts->rootcontext_sid)) 2734 goto out_bad_option; 2735 } 2736 if (opts->defcontext_sid) { 2737 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 2738 opts->defcontext_sid)) 2739 goto out_bad_option; 2740 } 2741 return 0; 2742 2743 out_bad_option: 2744 pr_warn("SELinux: unable to change security options " 2745 "during remount (dev %s, type=%s)\n", sb->s_id, 2746 sb->s_type->name); 2747 return -EINVAL; 2748 } 2749 2750 static int selinux_sb_kern_mount(const struct super_block *sb) 2751 { 2752 const struct cred *cred = current_cred(); 2753 struct common_audit_data ad; 2754 2755 ad.type = LSM_AUDIT_DATA_DENTRY; 2756 ad.u.dentry = sb->s_root; 2757 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2758 } 2759 2760 static int selinux_sb_statfs(struct dentry *dentry) 2761 { 2762 const struct cred *cred = current_cred(); 2763 struct common_audit_data ad; 2764 2765 ad.type = LSM_AUDIT_DATA_DENTRY; 2766 ad.u.dentry = dentry->d_sb->s_root; 2767 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2768 } 2769 2770 static int selinux_mount(const char *dev_name, 2771 const struct path *path, 2772 const char *type, 2773 unsigned long flags, 2774 void *data) 2775 { 2776 const struct cred *cred = current_cred(); 2777 2778 if (flags & MS_REMOUNT) 2779 return superblock_has_perm(cred, path->dentry->d_sb, 2780 FILESYSTEM__REMOUNT, NULL); 2781 else 2782 return path_has_perm(cred, path, FILE__MOUNTON); 2783 } 2784 2785 static int selinux_move_mount(const struct path *from_path, 2786 const struct path *to_path) 2787 { 2788 const struct cred *cred = current_cred(); 2789 2790 return path_has_perm(cred, to_path, FILE__MOUNTON); 2791 } 2792 2793 static int selinux_umount(struct vfsmount *mnt, int flags) 2794 { 2795 const struct cred *cred = current_cred(); 2796 2797 return superblock_has_perm(cred, mnt->mnt_sb, 2798 FILESYSTEM__UNMOUNT, NULL); 2799 } 2800 2801 static int selinux_fs_context_submount(struct fs_context *fc, 2802 struct super_block *reference) 2803 { 2804 const struct superblock_security_struct *sbsec = selinux_superblock(reference); 2805 struct selinux_mnt_opts *opts; 2806 2807 /* 2808 * Ensure that fc->security remains NULL when no options are set 2809 * as expected by selinux_set_mnt_opts(). 2810 */ 2811 if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT))) 2812 return 0; 2813 2814 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 2815 if (!opts) 2816 return -ENOMEM; 2817 2818 if (sbsec->flags & FSCONTEXT_MNT) 2819 opts->fscontext_sid = sbsec->sid; 2820 if (sbsec->flags & CONTEXT_MNT) 2821 opts->context_sid = sbsec->mntpoint_sid; 2822 if (sbsec->flags & DEFCONTEXT_MNT) 2823 opts->defcontext_sid = sbsec->def_sid; 2824 fc->security = opts; 2825 return 0; 2826 } 2827 2828 static int selinux_fs_context_dup(struct fs_context *fc, 2829 struct fs_context *src_fc) 2830 { 2831 const struct selinux_mnt_opts *src = src_fc->security; 2832 2833 if (!src) 2834 return 0; 2835 2836 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL); 2837 return fc->security ? 0 : -ENOMEM; 2838 } 2839 2840 static const struct fs_parameter_spec selinux_fs_parameters[] = { 2841 fsparam_string(CONTEXT_STR, Opt_context), 2842 fsparam_string(DEFCONTEXT_STR, Opt_defcontext), 2843 fsparam_string(FSCONTEXT_STR, Opt_fscontext), 2844 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext), 2845 fsparam_flag (SECLABEL_STR, Opt_seclabel), 2846 {} 2847 }; 2848 2849 static int selinux_fs_context_parse_param(struct fs_context *fc, 2850 struct fs_parameter *param) 2851 { 2852 struct fs_parse_result result; 2853 int opt; 2854 2855 opt = fs_parse(fc, selinux_fs_parameters, param, &result); 2856 if (opt < 0) 2857 return opt; 2858 2859 return selinux_add_opt(opt, param->string, &fc->security); 2860 } 2861 2862 /* inode security operations */ 2863 2864 static int selinux_inode_alloc_security(struct inode *inode) 2865 { 2866 struct inode_security_struct *isec = selinux_inode(inode); 2867 u32 sid = current_sid(); 2868 2869 spin_lock_init(&isec->lock); 2870 INIT_LIST_HEAD(&isec->list); 2871 isec->inode = inode; 2872 isec->sid = SECINITSID_UNLABELED; 2873 isec->sclass = SECCLASS_FILE; 2874 isec->task_sid = sid; 2875 isec->initialized = LABEL_INVALID; 2876 2877 return 0; 2878 } 2879 2880 static void selinux_inode_free_security(struct inode *inode) 2881 { 2882 inode_free_security(inode); 2883 } 2884 2885 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2886 const struct qstr *name, 2887 const char **xattr_name, 2888 struct lsm_context *cp) 2889 { 2890 u32 newsid; 2891 int rc; 2892 2893 rc = selinux_determine_inode_label(selinux_cred(current_cred()), 2894 d_inode(dentry->d_parent), name, 2895 inode_mode_to_security_class(mode), 2896 &newsid); 2897 if (rc) 2898 return rc; 2899 2900 if (xattr_name) 2901 *xattr_name = XATTR_NAME_SELINUX; 2902 2903 cp->id = LSM_ID_SELINUX; 2904 return security_sid_to_context(newsid, &cp->context, &cp->len); 2905 } 2906 2907 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2908 const struct qstr *name, 2909 const struct cred *old, 2910 struct cred *new) 2911 { 2912 u32 newsid; 2913 int rc; 2914 struct task_security_struct *tsec; 2915 2916 rc = selinux_determine_inode_label(selinux_cred(old), 2917 d_inode(dentry->d_parent), name, 2918 inode_mode_to_security_class(mode), 2919 &newsid); 2920 if (rc) 2921 return rc; 2922 2923 tsec = selinux_cred(new); 2924 tsec->create_sid = newsid; 2925 return 0; 2926 } 2927 2928 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2929 const struct qstr *qstr, 2930 struct xattr *xattrs, int *xattr_count) 2931 { 2932 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2933 struct superblock_security_struct *sbsec; 2934 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); 2935 u32 newsid, clen; 2936 u16 newsclass; 2937 int rc; 2938 char *context; 2939 2940 sbsec = selinux_superblock(dir->i_sb); 2941 2942 newsid = tsec->create_sid; 2943 newsclass = inode_mode_to_security_class(inode->i_mode); 2944 rc = selinux_determine_inode_label(tsec, dir, qstr, newsclass, &newsid); 2945 if (rc) 2946 return rc; 2947 2948 /* Possibly defer initialization to selinux_complete_init. */ 2949 if (sbsec->flags & SE_SBINITIALIZED) { 2950 struct inode_security_struct *isec = selinux_inode(inode); 2951 isec->sclass = newsclass; 2952 isec->sid = newsid; 2953 isec->initialized = LABEL_INITIALIZED; 2954 } 2955 2956 if (!selinux_initialized() || 2957 !(sbsec->flags & SBLABEL_MNT)) 2958 return -EOPNOTSUPP; 2959 2960 if (xattr) { 2961 rc = security_sid_to_context_force(newsid, 2962 &context, &clen); 2963 if (rc) 2964 return rc; 2965 xattr->value = context; 2966 xattr->value_len = clen; 2967 xattr->name = XATTR_SELINUX_SUFFIX; 2968 } 2969 2970 return 0; 2971 } 2972 2973 static int selinux_inode_init_security_anon(struct inode *inode, 2974 const struct qstr *name, 2975 const struct inode *context_inode) 2976 { 2977 u32 sid = current_sid(); 2978 struct common_audit_data ad; 2979 struct inode_security_struct *isec; 2980 int rc; 2981 2982 if (unlikely(!selinux_initialized())) 2983 return 0; 2984 2985 isec = selinux_inode(inode); 2986 2987 /* 2988 * We only get here once per ephemeral inode. The inode has 2989 * been initialized via inode_alloc_security but is otherwise 2990 * untouched. 2991 */ 2992 2993 if (context_inode) { 2994 struct inode_security_struct *context_isec = 2995 selinux_inode(context_inode); 2996 if (context_isec->initialized != LABEL_INITIALIZED) { 2997 pr_err("SELinux: context_inode is not initialized\n"); 2998 return -EACCES; 2999 } 3000 3001 isec->sclass = context_isec->sclass; 3002 isec->sid = context_isec->sid; 3003 } else { 3004 isec->sclass = SECCLASS_ANON_INODE; 3005 rc = security_transition_sid( 3006 sid, sid, 3007 isec->sclass, name, &isec->sid); 3008 if (rc) 3009 return rc; 3010 } 3011 3012 isec->initialized = LABEL_INITIALIZED; 3013 /* 3014 * Now that we've initialized security, check whether we're 3015 * allowed to actually create this type of anonymous inode. 3016 */ 3017 3018 ad.type = LSM_AUDIT_DATA_ANONINODE; 3019 ad.u.anonclass = name ? (const char *)name->name : "?"; 3020 3021 return avc_has_perm(sid, 3022 isec->sid, 3023 isec->sclass, 3024 FILE__CREATE, 3025 &ad); 3026 } 3027 3028 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 3029 { 3030 return may_create(dir, dentry, SECCLASS_FILE); 3031 } 3032 3033 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 3034 { 3035 return may_link(dir, old_dentry, MAY_LINK); 3036 } 3037 3038 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 3039 { 3040 return may_link(dir, dentry, MAY_UNLINK); 3041 } 3042 3043 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 3044 { 3045 return may_create(dir, dentry, SECCLASS_LNK_FILE); 3046 } 3047 3048 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 3049 { 3050 return may_create(dir, dentry, SECCLASS_DIR); 3051 } 3052 3053 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 3054 { 3055 return may_link(dir, dentry, MAY_RMDIR); 3056 } 3057 3058 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 3059 { 3060 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 3061 } 3062 3063 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3064 struct inode *new_inode, struct dentry *new_dentry) 3065 { 3066 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3067 } 3068 3069 static int selinux_inode_readlink(struct dentry *dentry) 3070 { 3071 const struct cred *cred = current_cred(); 3072 3073 return dentry_has_perm(cred, dentry, FILE__READ); 3074 } 3075 3076 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3077 bool rcu) 3078 { 3079 struct common_audit_data ad; 3080 struct inode_security_struct *isec; 3081 u32 sid = current_sid(); 3082 3083 ad.type = LSM_AUDIT_DATA_DENTRY; 3084 ad.u.dentry = dentry; 3085 isec = inode_security_rcu(inode, rcu); 3086 if (IS_ERR(isec)) 3087 return PTR_ERR(isec); 3088 3089 return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad); 3090 } 3091 3092 static noinline int audit_inode_permission(struct inode *inode, 3093 u32 perms, u32 audited, u32 denied, 3094 int result) 3095 { 3096 struct common_audit_data ad; 3097 struct inode_security_struct *isec = selinux_inode(inode); 3098 3099 ad.type = LSM_AUDIT_DATA_INODE; 3100 ad.u.inode = inode; 3101 3102 return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3103 audited, denied, result, &ad); 3104 } 3105 3106 /** 3107 * task_avdcache_reset - Reset the task's AVD cache 3108 * @tsec: the task's security state 3109 * 3110 * Clear the task's AVD cache in @tsec and reset it to the current policy's 3111 * and task's info. 3112 */ 3113 static inline void task_avdcache_reset(struct task_security_struct *tsec) 3114 { 3115 memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir)); 3116 tsec->avdcache.sid = tsec->sid; 3117 tsec->avdcache.seqno = avc_policy_seqno(); 3118 tsec->avdcache.dir_spot = TSEC_AVDC_DIR_SIZE - 1; 3119 } 3120 3121 /** 3122 * task_avdcache_search - Search the task's AVD cache 3123 * @tsec: the task's security state 3124 * @isec: the inode to search for in the cache 3125 * @avdc: matching avd cache entry returned to the caller 3126 * 3127 * Search @tsec for a AVD cache entry that matches @isec and return it to the 3128 * caller via @avdc. Returns 0 if a match is found, negative values otherwise. 3129 */ 3130 static inline int task_avdcache_search(struct task_security_struct *tsec, 3131 struct inode_security_struct *isec, 3132 struct avdc_entry **avdc) 3133 { 3134 int orig, iter; 3135 3136 /* focused on path walk optimization, only cache directories */ 3137 if (isec->sclass != SECCLASS_DIR) 3138 return -ENOENT; 3139 3140 if (unlikely(tsec->sid != tsec->avdcache.sid || 3141 tsec->avdcache.seqno != avc_policy_seqno())) { 3142 task_avdcache_reset(tsec); 3143 return -ENOENT; 3144 } 3145 3146 orig = iter = tsec->avdcache.dir_spot; 3147 do { 3148 if (tsec->avdcache.dir[iter].isid == isec->sid) { 3149 /* cache hit */ 3150 tsec->avdcache.dir_spot = iter; 3151 *avdc = &tsec->avdcache.dir[iter]; 3152 return 0; 3153 } 3154 iter = (iter - 1) & (TSEC_AVDC_DIR_SIZE - 1); 3155 } while (iter != orig); 3156 3157 return -ENOENT; 3158 } 3159 3160 /** 3161 * task_avdcache_update - Update the task's AVD cache 3162 * @tsec: the task's security state 3163 * @isec: the inode associated with the cache entry 3164 * @avd: the AVD to cache 3165 * @audited: the permission audit bitmask to cache 3166 * 3167 * Update the AVD cache in @tsec with the @avdc and @audited info associated 3168 * with @isec. 3169 */ 3170 static inline void task_avdcache_update(struct task_security_struct *tsec, 3171 struct inode_security_struct *isec, 3172 struct av_decision *avd, 3173 u32 audited) 3174 { 3175 int spot; 3176 3177 /* focused on path walk optimization, only cache directories */ 3178 if (isec->sclass != SECCLASS_DIR) 3179 return; 3180 3181 /* update cache */ 3182 spot = (tsec->avdcache.dir_spot + 1) & (TSEC_AVDC_DIR_SIZE - 1); 3183 tsec->avdcache.dir_spot = spot; 3184 tsec->avdcache.dir[spot].isid = isec->sid; 3185 tsec->avdcache.dir[spot].audited = audited; 3186 tsec->avdcache.dir[spot].allowed = avd->allowed; 3187 tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE; 3188 tsec->avdcache.permissive_neveraudit = 3189 (avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT)); 3190 } 3191 3192 /** 3193 * selinux_inode_permission - Check if the current task can access an inode 3194 * @inode: the inode that is being accessed 3195 * @requested: the accesses being requested 3196 * 3197 * Check if the current task is allowed to access @inode according to 3198 * @requested. Returns 0 if allowed, negative values otherwise. 3199 */ 3200 static int selinux_inode_permission(struct inode *inode, int requested) 3201 { 3202 int mask; 3203 u32 perms; 3204 struct task_security_struct *tsec; 3205 struct inode_security_struct *isec; 3206 struct avdc_entry *avdc; 3207 int rc, rc2; 3208 u32 audited, denied; 3209 3210 mask = requested & (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3211 3212 /* No permission to check. Existence test. */ 3213 if (!mask) 3214 return 0; 3215 3216 tsec = selinux_cred(current_cred()); 3217 if (task_avdcache_permnoaudit(tsec)) 3218 return 0; 3219 3220 isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK); 3221 if (IS_ERR(isec)) 3222 return PTR_ERR(isec); 3223 perms = file_mask_to_av(inode->i_mode, mask); 3224 3225 rc = task_avdcache_search(tsec, isec, &avdc); 3226 if (likely(!rc)) { 3227 /* Cache hit. */ 3228 audited = perms & avdc->audited; 3229 denied = perms & ~avdc->allowed; 3230 if (unlikely(denied && enforcing_enabled() && 3231 !avdc->permissive)) 3232 rc = -EACCES; 3233 } else { 3234 struct av_decision avd; 3235 3236 /* Cache miss. */ 3237 rc = avc_has_perm_noaudit(tsec->sid, isec->sid, isec->sclass, 3238 perms, 0, &avd); 3239 audited = avc_audit_required(perms, &avd, rc, 3240 (requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0, 3241 &denied); 3242 task_avdcache_update(tsec, isec, &avd, audited); 3243 } 3244 3245 if (likely(!audited)) 3246 return rc; 3247 3248 rc2 = audit_inode_permission(inode, perms, audited, denied, rc); 3249 if (rc2) 3250 return rc2; 3251 3252 return rc; 3253 } 3254 3255 static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, 3256 struct iattr *iattr) 3257 { 3258 const struct cred *cred = current_cred(); 3259 struct inode *inode = d_backing_inode(dentry); 3260 unsigned int ia_valid = iattr->ia_valid; 3261 u32 av = FILE__WRITE; 3262 3263 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3264 if (ia_valid & ATTR_FORCE) { 3265 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3266 ATTR_FORCE); 3267 if (!ia_valid) 3268 return 0; 3269 } 3270 3271 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3272 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3273 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3274 3275 if (selinux_policycap_openperm() && 3276 inode->i_sb->s_magic != SOCKFS_MAGIC && 3277 (ia_valid & ATTR_SIZE) && 3278 !(ia_valid & ATTR_FILE)) 3279 av |= FILE__OPEN; 3280 3281 return dentry_has_perm(cred, dentry, av); 3282 } 3283 3284 static int selinux_inode_getattr(const struct path *path) 3285 { 3286 struct task_security_struct *tsec; 3287 3288 tsec = selinux_cred(current_cred()); 3289 3290 if (task_avdcache_permnoaudit(tsec)) 3291 return 0; 3292 3293 return path_has_perm(current_cred(), path, FILE__GETATTR); 3294 } 3295 3296 static bool has_cap_mac_admin(bool audit) 3297 { 3298 const struct cred *cred = current_cred(); 3299 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT; 3300 3301 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts)) 3302 return false; 3303 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true)) 3304 return false; 3305 return true; 3306 } 3307 3308 /** 3309 * selinux_inode_xattr_skipcap - Skip the xattr capability checks? 3310 * @name: name of the xattr 3311 * 3312 * Returns 1 to indicate that SELinux "owns" the access control rights to xattrs 3313 * named @name; the LSM layer should avoid enforcing any traditional 3314 * capability based access controls on this xattr. Returns 0 to indicate that 3315 * SELinux does not "own" the access control rights to xattrs named @name and is 3316 * deferring to the LSM layer for further access controls, including capability 3317 * based controls. 3318 */ 3319 static int selinux_inode_xattr_skipcap(const char *name) 3320 { 3321 /* require capability check if not a selinux xattr */ 3322 return !strcmp(name, XATTR_NAME_SELINUX); 3323 } 3324 3325 static int selinux_inode_setxattr(struct mnt_idmap *idmap, 3326 struct dentry *dentry, const char *name, 3327 const void *value, size_t size, int flags) 3328 { 3329 struct inode *inode = d_backing_inode(dentry); 3330 struct inode_security_struct *isec; 3331 struct superblock_security_struct *sbsec; 3332 struct common_audit_data ad; 3333 u32 newsid, sid = current_sid(); 3334 int rc = 0; 3335 3336 /* if not a selinux xattr, only check the ordinary setattr perm */ 3337 if (strcmp(name, XATTR_NAME_SELINUX)) 3338 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3339 3340 if (!selinux_initialized()) 3341 return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM); 3342 3343 sbsec = selinux_superblock(inode->i_sb); 3344 if (!(sbsec->flags & SBLABEL_MNT)) 3345 return -EOPNOTSUPP; 3346 3347 if (!inode_owner_or_capable(idmap, inode)) 3348 return -EPERM; 3349 3350 ad.type = LSM_AUDIT_DATA_DENTRY; 3351 ad.u.dentry = dentry; 3352 3353 isec = backing_inode_security(dentry); 3354 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3355 FILE__RELABELFROM, &ad); 3356 if (rc) 3357 return rc; 3358 3359 rc = security_context_to_sid(value, size, &newsid, 3360 GFP_KERNEL); 3361 if (rc == -EINVAL) { 3362 if (!has_cap_mac_admin(true)) { 3363 struct audit_buffer *ab; 3364 size_t audit_size; 3365 3366 /* We strip a nul only if it is at the end, otherwise the 3367 * context contains a nul and we should audit that */ 3368 if (value) { 3369 const char *str = value; 3370 3371 if (str[size - 1] == '\0') 3372 audit_size = size - 1; 3373 else 3374 audit_size = size; 3375 } else { 3376 audit_size = 0; 3377 } 3378 ab = audit_log_start(audit_context(), 3379 GFP_ATOMIC, AUDIT_SELINUX_ERR); 3380 if (!ab) 3381 return rc; 3382 audit_log_format(ab, "op=setxattr invalid_context="); 3383 audit_log_n_untrustedstring(ab, value, audit_size); 3384 audit_log_end(ab); 3385 3386 return rc; 3387 } 3388 rc = security_context_to_sid_force(value, 3389 size, &newsid); 3390 } 3391 if (rc) 3392 return rc; 3393 3394 rc = avc_has_perm(sid, newsid, isec->sclass, 3395 FILE__RELABELTO, &ad); 3396 if (rc) 3397 return rc; 3398 3399 rc = security_validate_transition(isec->sid, newsid, 3400 sid, isec->sclass); 3401 if (rc) 3402 return rc; 3403 3404 return avc_has_perm(newsid, 3405 sbsec->sid, 3406 SECCLASS_FILESYSTEM, 3407 FILESYSTEM__ASSOCIATE, 3408 &ad); 3409 } 3410 3411 static int selinux_inode_set_acl(struct mnt_idmap *idmap, 3412 struct dentry *dentry, const char *acl_name, 3413 struct posix_acl *kacl) 3414 { 3415 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3416 } 3417 3418 static int selinux_inode_get_acl(struct mnt_idmap *idmap, 3419 struct dentry *dentry, const char *acl_name) 3420 { 3421 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR); 3422 } 3423 3424 static int selinux_inode_remove_acl(struct mnt_idmap *idmap, 3425 struct dentry *dentry, const char *acl_name) 3426 { 3427 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3428 } 3429 3430 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3431 const void *value, size_t size, 3432 int flags) 3433 { 3434 struct inode *inode = d_backing_inode(dentry); 3435 struct inode_security_struct *isec; 3436 u32 newsid; 3437 int rc; 3438 3439 if (strcmp(name, XATTR_NAME_SELINUX)) { 3440 /* Not an attribute we recognize, so nothing to do. */ 3441 return; 3442 } 3443 3444 if (!selinux_initialized()) { 3445 /* If we haven't even been initialized, then we can't validate 3446 * against a policy, so leave the label as invalid. It may 3447 * resolve to a valid label on the next revalidation try if 3448 * we've since initialized. 3449 */ 3450 return; 3451 } 3452 3453 rc = security_context_to_sid_force(value, size, 3454 &newsid); 3455 if (rc) { 3456 pr_err("SELinux: unable to map context to SID" 3457 "for (%s, %lu), rc=%d\n", 3458 inode->i_sb->s_id, inode->i_ino, -rc); 3459 return; 3460 } 3461 3462 isec = backing_inode_security(dentry); 3463 spin_lock(&isec->lock); 3464 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3465 isec->sid = newsid; 3466 isec->initialized = LABEL_INITIALIZED; 3467 spin_unlock(&isec->lock); 3468 } 3469 3470 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3471 { 3472 const struct cred *cred = current_cred(); 3473 3474 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3475 } 3476 3477 static int selinux_inode_listxattr(struct dentry *dentry) 3478 { 3479 const struct cred *cred = current_cred(); 3480 3481 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3482 } 3483 3484 static int selinux_inode_removexattr(struct mnt_idmap *idmap, 3485 struct dentry *dentry, const char *name) 3486 { 3487 /* if not a selinux xattr, only check the ordinary setattr perm */ 3488 if (strcmp(name, XATTR_NAME_SELINUX)) 3489 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3490 3491 if (!selinux_initialized()) 3492 return 0; 3493 3494 /* No one is allowed to remove a SELinux security label. 3495 You can change the label, but all data must be labeled. */ 3496 return -EACCES; 3497 } 3498 3499 static int selinux_inode_file_setattr(struct dentry *dentry, 3500 struct file_kattr *fa) 3501 { 3502 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3503 } 3504 3505 static int selinux_inode_file_getattr(struct dentry *dentry, 3506 struct file_kattr *fa) 3507 { 3508 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR); 3509 } 3510 3511 static int selinux_path_notify(const struct path *path, u64 mask, 3512 unsigned int obj_type) 3513 { 3514 int ret; 3515 u32 perm; 3516 3517 struct common_audit_data ad; 3518 3519 ad.type = LSM_AUDIT_DATA_PATH; 3520 ad.u.path = *path; 3521 3522 /* 3523 * Set permission needed based on the type of mark being set. 3524 * Performs an additional check for sb watches. 3525 */ 3526 switch (obj_type) { 3527 case FSNOTIFY_OBJ_TYPE_VFSMOUNT: 3528 perm = FILE__WATCH_MOUNT; 3529 break; 3530 case FSNOTIFY_OBJ_TYPE_SB: 3531 perm = FILE__WATCH_SB; 3532 ret = superblock_has_perm(current_cred(), path->dentry->d_sb, 3533 FILESYSTEM__WATCH, &ad); 3534 if (ret) 3535 return ret; 3536 break; 3537 case FSNOTIFY_OBJ_TYPE_INODE: 3538 perm = FILE__WATCH; 3539 break; 3540 case FSNOTIFY_OBJ_TYPE_MNTNS: 3541 perm = FILE__WATCH_MOUNTNS; 3542 break; 3543 default: 3544 return -EINVAL; 3545 } 3546 3547 /* blocking watches require the file:watch_with_perm permission */ 3548 if (mask & (ALL_FSNOTIFY_PERM_EVENTS)) 3549 perm |= FILE__WATCH_WITH_PERM; 3550 3551 /* watches on read-like events need the file:watch_reads permission */ 3552 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_PRE_ACCESS | 3553 FS_CLOSE_NOWRITE)) 3554 perm |= FILE__WATCH_READS; 3555 3556 return path_has_perm(current_cred(), path, perm); 3557 } 3558 3559 /* 3560 * Copy the inode security context value to the user. 3561 * 3562 * Permission check is handled by selinux_inode_getxattr hook. 3563 */ 3564 static int selinux_inode_getsecurity(struct mnt_idmap *idmap, 3565 struct inode *inode, const char *name, 3566 void **buffer, bool alloc) 3567 { 3568 u32 size; 3569 int error; 3570 char *context = NULL; 3571 struct inode_security_struct *isec; 3572 3573 /* 3574 * If we're not initialized yet, then we can't validate contexts, so 3575 * just let vfs_getxattr fall back to using the on-disk xattr. 3576 */ 3577 if (!selinux_initialized() || 3578 strcmp(name, XATTR_SELINUX_SUFFIX)) 3579 return -EOPNOTSUPP; 3580 3581 /* 3582 * If the caller has CAP_MAC_ADMIN, then get the raw context 3583 * value even if it is not defined by current policy; otherwise, 3584 * use the in-core value under current policy. 3585 * Use the non-auditing forms of the permission checks since 3586 * getxattr may be called by unprivileged processes commonly 3587 * and lack of permission just means that we fall back to the 3588 * in-core context value, not a denial. 3589 */ 3590 isec = inode_security(inode); 3591 if (has_cap_mac_admin(false)) 3592 error = security_sid_to_context_force(isec->sid, &context, 3593 &size); 3594 else 3595 error = security_sid_to_context(isec->sid, 3596 &context, &size); 3597 if (error) 3598 return error; 3599 error = size; 3600 if (alloc) { 3601 *buffer = context; 3602 goto out_nofree; 3603 } 3604 kfree(context); 3605 out_nofree: 3606 return error; 3607 } 3608 3609 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3610 const void *value, size_t size, int flags) 3611 { 3612 struct inode_security_struct *isec = inode_security_novalidate(inode); 3613 struct superblock_security_struct *sbsec; 3614 u32 newsid; 3615 int rc; 3616 3617 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3618 return -EOPNOTSUPP; 3619 3620 sbsec = selinux_superblock(inode->i_sb); 3621 if (!(sbsec->flags & SBLABEL_MNT)) 3622 return -EOPNOTSUPP; 3623 3624 if (!value || !size) 3625 return -EACCES; 3626 3627 rc = security_context_to_sid(value, size, &newsid, 3628 GFP_KERNEL); 3629 if (rc) 3630 return rc; 3631 3632 spin_lock(&isec->lock); 3633 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3634 isec->sid = newsid; 3635 isec->initialized = LABEL_INITIALIZED; 3636 spin_unlock(&isec->lock); 3637 return 0; 3638 } 3639 3640 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3641 { 3642 const int len = sizeof(XATTR_NAME_SELINUX); 3643 3644 if (!selinux_initialized()) 3645 return 0; 3646 3647 if (buffer && len <= buffer_size) 3648 memcpy(buffer, XATTR_NAME_SELINUX, len); 3649 return len; 3650 } 3651 3652 static void selinux_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop) 3653 { 3654 struct inode_security_struct *isec = inode_security_novalidate(inode); 3655 3656 prop->selinux.secid = isec->sid; 3657 } 3658 3659 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3660 { 3661 struct lsm_prop prop; 3662 struct task_security_struct *tsec; 3663 struct cred *new_creds = *new; 3664 3665 if (new_creds == NULL) { 3666 new_creds = prepare_creds(); 3667 if (!new_creds) 3668 return -ENOMEM; 3669 } 3670 3671 tsec = selinux_cred(new_creds); 3672 /* Get label from overlay inode and set it in create_sid */ 3673 selinux_inode_getlsmprop(d_inode(src), &prop); 3674 tsec->create_sid = prop.selinux.secid; 3675 *new = new_creds; 3676 return 0; 3677 } 3678 3679 static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name) 3680 { 3681 /* The copy_up hook above sets the initial context on an inode, but we 3682 * don't then want to overwrite it by blindly copying all the lower 3683 * xattrs up. Instead, filter out SELinux-related xattrs following 3684 * policy load. 3685 */ 3686 if (selinux_initialized() && !strcmp(name, XATTR_NAME_SELINUX)) 3687 return -ECANCELED; /* Discard */ 3688 /* 3689 * Any other attribute apart from SELINUX is not claimed, supported 3690 * by selinux. 3691 */ 3692 return -EOPNOTSUPP; 3693 } 3694 3695 /* kernfs node operations */ 3696 3697 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, 3698 struct kernfs_node *kn) 3699 { 3700 const struct task_security_struct *tsec = selinux_cred(current_cred()); 3701 u32 parent_sid, newsid, clen; 3702 int rc; 3703 char *context; 3704 3705 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0); 3706 if (rc == -ENODATA) 3707 return 0; 3708 else if (rc < 0) 3709 return rc; 3710 3711 clen = (u32)rc; 3712 context = kmalloc(clen, GFP_KERNEL); 3713 if (!context) 3714 return -ENOMEM; 3715 3716 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen); 3717 if (rc < 0) { 3718 kfree(context); 3719 return rc; 3720 } 3721 3722 rc = security_context_to_sid(context, clen, &parent_sid, 3723 GFP_KERNEL); 3724 kfree(context); 3725 if (rc) 3726 return rc; 3727 3728 if (tsec->create_sid) { 3729 newsid = tsec->create_sid; 3730 } else { 3731 u16 secclass = inode_mode_to_security_class(kn->mode); 3732 const char *kn_name; 3733 struct qstr q; 3734 3735 /* kn is fresh, can't be renamed, name goes not away */ 3736 kn_name = rcu_dereference_check(kn->name, true); 3737 q.name = kn_name; 3738 q.hash_len = hashlen_string(kn_dir, kn_name); 3739 3740 rc = security_transition_sid(tsec->sid, 3741 parent_sid, secclass, &q, 3742 &newsid); 3743 if (rc) 3744 return rc; 3745 } 3746 3747 rc = security_sid_to_context_force(newsid, 3748 &context, &clen); 3749 if (rc) 3750 return rc; 3751 3752 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen, 3753 XATTR_CREATE); 3754 kfree(context); 3755 return rc; 3756 } 3757 3758 3759 /* file security operations */ 3760 3761 static int selinux_revalidate_file_permission(struct file *file, int mask) 3762 { 3763 const struct cred *cred = current_cred(); 3764 struct inode *inode = file_inode(file); 3765 3766 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3767 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3768 mask |= MAY_APPEND; 3769 3770 return file_has_perm(cred, file, 3771 file_mask_to_av(inode->i_mode, mask)); 3772 } 3773 3774 static int selinux_file_permission(struct file *file, int mask) 3775 { 3776 struct inode *inode = file_inode(file); 3777 struct file_security_struct *fsec = selinux_file(file); 3778 struct inode_security_struct *isec; 3779 u32 sid = current_sid(); 3780 3781 if (!mask) 3782 /* No permission to check. Existence test. */ 3783 return 0; 3784 3785 isec = inode_security(inode); 3786 if (sid == fsec->sid && fsec->isid == isec->sid && 3787 fsec->pseqno == avc_policy_seqno()) 3788 /* No change since file_open check. */ 3789 return 0; 3790 3791 return selinux_revalidate_file_permission(file, mask); 3792 } 3793 3794 static int selinux_file_alloc_security(struct file *file) 3795 { 3796 struct file_security_struct *fsec = selinux_file(file); 3797 u32 sid = current_sid(); 3798 3799 fsec->sid = sid; 3800 fsec->fown_sid = sid; 3801 3802 return 0; 3803 } 3804 3805 /* 3806 * Check whether a task has the ioctl permission and cmd 3807 * operation to an inode. 3808 */ 3809 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3810 u32 requested, u16 cmd) 3811 { 3812 struct common_audit_data ad; 3813 struct file_security_struct *fsec = selinux_file(file); 3814 struct inode *inode = file_inode(file); 3815 struct inode_security_struct *isec; 3816 struct lsm_ioctlop_audit ioctl; 3817 u32 ssid = cred_sid(cred); 3818 int rc; 3819 u8 driver = cmd >> 8; 3820 u8 xperm = cmd & 0xff; 3821 3822 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3823 ad.u.op = &ioctl; 3824 ad.u.op->cmd = cmd; 3825 ad.u.op->path = file->f_path; 3826 3827 if (ssid != fsec->sid) { 3828 rc = avc_has_perm(ssid, fsec->sid, 3829 SECCLASS_FD, 3830 FD__USE, 3831 &ad); 3832 if (rc) 3833 goto out; 3834 } 3835 3836 if (unlikely(IS_PRIVATE(inode))) 3837 return 0; 3838 3839 isec = inode_security(inode); 3840 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, requested, 3841 driver, AVC_EXT_IOCTL, xperm, &ad); 3842 out: 3843 return rc; 3844 } 3845 3846 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3847 unsigned long arg) 3848 { 3849 const struct cred *cred = current_cred(); 3850 int error = 0; 3851 3852 switch (cmd) { 3853 case FIONREAD: 3854 case FIBMAP: 3855 case FIGETBSZ: 3856 case FS_IOC_GETFLAGS: 3857 case FS_IOC_GETVERSION: 3858 error = file_has_perm(cred, file, FILE__GETATTR); 3859 break; 3860 3861 case FS_IOC_SETFLAGS: 3862 case FS_IOC_SETVERSION: 3863 error = file_has_perm(cred, file, FILE__SETATTR); 3864 break; 3865 3866 /* sys_ioctl() checks */ 3867 case FIONBIO: 3868 case FIOASYNC: 3869 error = file_has_perm(cred, file, 0); 3870 break; 3871 3872 case KDSKBENT: 3873 case KDSKBSENT: 3874 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3875 CAP_OPT_NONE, true); 3876 break; 3877 3878 case FIOCLEX: 3879 case FIONCLEX: 3880 if (!selinux_policycap_ioctl_skip_cloexec()) 3881 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3882 break; 3883 3884 /* default case assumes that the command will go 3885 * to the file's ioctl() function. 3886 */ 3887 default: 3888 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3889 } 3890 return error; 3891 } 3892 3893 static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd, 3894 unsigned long arg) 3895 { 3896 /* 3897 * If we are in a 64-bit kernel running 32-bit userspace, we need to 3898 * make sure we don't compare 32-bit flags to 64-bit flags. 3899 */ 3900 switch (cmd) { 3901 case FS_IOC32_GETFLAGS: 3902 cmd = FS_IOC_GETFLAGS; 3903 break; 3904 case FS_IOC32_SETFLAGS: 3905 cmd = FS_IOC_SETFLAGS; 3906 break; 3907 case FS_IOC32_GETVERSION: 3908 cmd = FS_IOC_GETVERSION; 3909 break; 3910 case FS_IOC32_SETVERSION: 3911 cmd = FS_IOC_SETVERSION; 3912 break; 3913 default: 3914 break; 3915 } 3916 3917 return selinux_file_ioctl(file, cmd, arg); 3918 } 3919 3920 static int default_noexec __ro_after_init; 3921 3922 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3923 { 3924 const struct cred *cred = current_cred(); 3925 u32 sid = cred_sid(cred); 3926 int rc = 0; 3927 3928 if (default_noexec && 3929 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3930 (!shared && (prot & PROT_WRITE)))) { 3931 /* 3932 * We are making executable an anonymous mapping or a 3933 * private file mapping that will also be writable. 3934 * This has an additional check. 3935 */ 3936 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3937 PROCESS__EXECMEM, NULL); 3938 if (rc) 3939 goto error; 3940 } 3941 3942 if (file) { 3943 /* read access is always possible with a mapping */ 3944 u32 av = FILE__READ; 3945 3946 /* write access only matters if the mapping is shared */ 3947 if (shared && (prot & PROT_WRITE)) 3948 av |= FILE__WRITE; 3949 3950 if (prot & PROT_EXEC) 3951 av |= FILE__EXECUTE; 3952 3953 return file_has_perm(cred, file, av); 3954 } 3955 3956 error: 3957 return rc; 3958 } 3959 3960 static int selinux_mmap_addr(unsigned long addr) 3961 { 3962 int rc = 0; 3963 3964 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3965 u32 sid = current_sid(); 3966 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3967 MEMPROTECT__MMAP_ZERO, NULL); 3968 } 3969 3970 return rc; 3971 } 3972 3973 static int selinux_mmap_file(struct file *file, 3974 unsigned long reqprot __always_unused, 3975 unsigned long prot, unsigned long flags) 3976 { 3977 struct common_audit_data ad; 3978 int rc; 3979 3980 if (file) { 3981 ad.type = LSM_AUDIT_DATA_FILE; 3982 ad.u.file = file; 3983 rc = inode_has_perm(current_cred(), file_inode(file), 3984 FILE__MAP, &ad); 3985 if (rc) 3986 return rc; 3987 } 3988 3989 return file_map_prot_check(file, prot, 3990 (flags & MAP_TYPE) == MAP_SHARED); 3991 } 3992 3993 static int selinux_file_mprotect(struct vm_area_struct *vma, 3994 unsigned long reqprot __always_unused, 3995 unsigned long prot) 3996 { 3997 const struct cred *cred = current_cred(); 3998 u32 sid = cred_sid(cred); 3999 4000 if (default_noexec && 4001 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 4002 int rc = 0; 4003 /* 4004 * We don't use the vma_is_initial_heap() helper as it has 4005 * a history of problems and is currently broken on systems 4006 * where there is no heap, e.g. brk == start_brk. Before 4007 * replacing the conditional below with vma_is_initial_heap(), 4008 * or something similar, please ensure that the logic is the 4009 * same as what we have below or you have tested every possible 4010 * corner case you can think to test. 4011 */ 4012 if (vma->vm_start >= vma->vm_mm->start_brk && 4013 vma->vm_end <= vma->vm_mm->brk) { 4014 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 4015 PROCESS__EXECHEAP, NULL); 4016 } else if (!vma->vm_file && (vma_is_initial_stack(vma) || 4017 vma_is_stack_for_current(vma))) { 4018 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 4019 PROCESS__EXECSTACK, NULL); 4020 } else if (vma->vm_file && vma->anon_vma) { 4021 /* 4022 * We are making executable a file mapping that has 4023 * had some COW done. Since pages might have been 4024 * written, check ability to execute the possibly 4025 * modified content. This typically should only 4026 * occur for text relocations. 4027 */ 4028 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 4029 } 4030 if (rc) 4031 return rc; 4032 } 4033 4034 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 4035 } 4036 4037 static int selinux_file_lock(struct file *file, unsigned int cmd) 4038 { 4039 const struct cred *cred = current_cred(); 4040 4041 return file_has_perm(cred, file, FILE__LOCK); 4042 } 4043 4044 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 4045 unsigned long arg) 4046 { 4047 const struct cred *cred = current_cred(); 4048 int err = 0; 4049 4050 switch (cmd) { 4051 case F_SETFL: 4052 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 4053 err = file_has_perm(cred, file, FILE__WRITE); 4054 break; 4055 } 4056 fallthrough; 4057 case F_SETOWN: 4058 case F_SETSIG: 4059 case F_GETFL: 4060 case F_GETOWN: 4061 case F_GETSIG: 4062 case F_GETOWNER_UIDS: 4063 /* Just check FD__USE permission */ 4064 err = file_has_perm(cred, file, 0); 4065 break; 4066 case F_GETLK: 4067 case F_SETLK: 4068 case F_SETLKW: 4069 case F_OFD_GETLK: 4070 case F_OFD_SETLK: 4071 case F_OFD_SETLKW: 4072 #if BITS_PER_LONG == 32 4073 case F_GETLK64: 4074 case F_SETLK64: 4075 case F_SETLKW64: 4076 #endif 4077 err = file_has_perm(cred, file, FILE__LOCK); 4078 break; 4079 } 4080 4081 return err; 4082 } 4083 4084 static void selinux_file_set_fowner(struct file *file) 4085 { 4086 struct file_security_struct *fsec; 4087 4088 fsec = selinux_file(file); 4089 fsec->fown_sid = current_sid(); 4090 } 4091 4092 static int selinux_file_send_sigiotask(struct task_struct *tsk, 4093 struct fown_struct *fown, int signum) 4094 { 4095 struct file *file; 4096 u32 sid = task_sid_obj(tsk); 4097 u32 perm; 4098 struct file_security_struct *fsec; 4099 4100 /* struct fown_struct is never outside the context of a struct file */ 4101 file = fown->file; 4102 4103 fsec = selinux_file(file); 4104 4105 if (!signum) 4106 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 4107 else 4108 perm = signal_to_av(signum); 4109 4110 return avc_has_perm(fsec->fown_sid, sid, 4111 SECCLASS_PROCESS, perm, NULL); 4112 } 4113 4114 static int selinux_file_receive(struct file *file) 4115 { 4116 const struct cred *cred = current_cred(); 4117 4118 return file_has_perm(cred, file, file_to_av(file)); 4119 } 4120 4121 static int selinux_file_open(struct file *file) 4122 { 4123 struct file_security_struct *fsec; 4124 struct inode_security_struct *isec; 4125 4126 fsec = selinux_file(file); 4127 isec = inode_security(file_inode(file)); 4128 /* 4129 * Save inode label and policy sequence number 4130 * at open-time so that selinux_file_permission 4131 * can determine whether revalidation is necessary. 4132 * Task label is already saved in the file security 4133 * struct as its SID. 4134 */ 4135 fsec->isid = isec->sid; 4136 fsec->pseqno = avc_policy_seqno(); 4137 /* 4138 * Since the inode label or policy seqno may have changed 4139 * between the selinux_inode_permission check and the saving 4140 * of state above, recheck that access is still permitted. 4141 * Otherwise, access might never be revalidated against the 4142 * new inode label or new policy. 4143 * This check is not redundant - do not remove. 4144 */ 4145 return file_path_has_perm(file->f_cred, file, open_file_to_av(file)); 4146 } 4147 4148 /* task security operations */ 4149 4150 static int selinux_task_alloc(struct task_struct *task, 4151 u64 clone_flags) 4152 { 4153 u32 sid = current_sid(); 4154 4155 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 4156 } 4157 4158 /* 4159 * prepare a new set of credentials for modification 4160 */ 4161 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 4162 gfp_t gfp) 4163 { 4164 const struct task_security_struct *old_tsec = selinux_cred(old); 4165 struct task_security_struct *tsec = selinux_cred(new); 4166 4167 *tsec = *old_tsec; 4168 return 0; 4169 } 4170 4171 /* 4172 * transfer the SELinux data to a blank set of creds 4173 */ 4174 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 4175 { 4176 const struct task_security_struct *old_tsec = selinux_cred(old); 4177 struct task_security_struct *tsec = selinux_cred(new); 4178 4179 *tsec = *old_tsec; 4180 } 4181 4182 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 4183 { 4184 *secid = cred_sid(c); 4185 } 4186 4187 static void selinux_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop) 4188 { 4189 prop->selinux.secid = cred_sid(c); 4190 } 4191 4192 /* 4193 * set the security data for a kernel service 4194 * - all the creation contexts are set to unlabelled 4195 */ 4196 static int selinux_kernel_act_as(struct cred *new, u32 secid) 4197 { 4198 struct task_security_struct *tsec = selinux_cred(new); 4199 u32 sid = current_sid(); 4200 int ret; 4201 4202 ret = avc_has_perm(sid, secid, 4203 SECCLASS_KERNEL_SERVICE, 4204 KERNEL_SERVICE__USE_AS_OVERRIDE, 4205 NULL); 4206 if (ret == 0) { 4207 tsec->sid = secid; 4208 tsec->create_sid = 0; 4209 tsec->keycreate_sid = 0; 4210 tsec->sockcreate_sid = 0; 4211 } 4212 return ret; 4213 } 4214 4215 /* 4216 * set the file creation context in a security record to the same as the 4217 * objective context of the specified inode 4218 */ 4219 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 4220 { 4221 struct inode_security_struct *isec = inode_security(inode); 4222 struct task_security_struct *tsec = selinux_cred(new); 4223 u32 sid = current_sid(); 4224 int ret; 4225 4226 ret = avc_has_perm(sid, isec->sid, 4227 SECCLASS_KERNEL_SERVICE, 4228 KERNEL_SERVICE__CREATE_FILES_AS, 4229 NULL); 4230 4231 if (ret == 0) 4232 tsec->create_sid = isec->sid; 4233 return ret; 4234 } 4235 4236 static int selinux_kernel_module_request(char *kmod_name) 4237 { 4238 struct common_audit_data ad; 4239 4240 ad.type = LSM_AUDIT_DATA_KMOD; 4241 ad.u.kmod_name = kmod_name; 4242 4243 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4244 SYSTEM__MODULE_REQUEST, &ad); 4245 } 4246 4247 static int selinux_kernel_load_from_file(struct file *file, u32 requested) 4248 { 4249 struct common_audit_data ad; 4250 struct inode_security_struct *isec; 4251 struct file_security_struct *fsec; 4252 u32 sid = current_sid(); 4253 int rc; 4254 4255 if (file == NULL) 4256 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, requested, NULL); 4257 4258 ad.type = LSM_AUDIT_DATA_FILE; 4259 ad.u.file = file; 4260 4261 fsec = selinux_file(file); 4262 if (sid != fsec->sid) { 4263 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4264 if (rc) 4265 return rc; 4266 } 4267 4268 isec = inode_security(file_inode(file)); 4269 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, requested, &ad); 4270 } 4271 4272 static int selinux_kernel_read_file(struct file *file, 4273 enum kernel_read_file_id id, 4274 bool contents) 4275 { 4276 int rc = 0; 4277 4278 BUILD_BUG_ON_MSG(READING_MAX_ID > 8, 4279 "New kernel_read_file_id introduced; update SELinux!"); 4280 4281 switch (id) { 4282 case READING_FIRMWARE: 4283 rc = selinux_kernel_load_from_file(file, SYSTEM__FIRMWARE_LOAD); 4284 break; 4285 case READING_MODULE: 4286 case READING_MODULE_COMPRESSED: 4287 rc = selinux_kernel_load_from_file(file, SYSTEM__MODULE_LOAD); 4288 break; 4289 case READING_KEXEC_IMAGE: 4290 rc = selinux_kernel_load_from_file(file, 4291 SYSTEM__KEXEC_IMAGE_LOAD); 4292 break; 4293 case READING_KEXEC_INITRAMFS: 4294 rc = selinux_kernel_load_from_file(file, 4295 SYSTEM__KEXEC_INITRAMFS_LOAD); 4296 break; 4297 case READING_POLICY: 4298 rc = selinux_kernel_load_from_file(file, SYSTEM__POLICY_LOAD); 4299 break; 4300 case READING_X509_CERTIFICATE: 4301 rc = selinux_kernel_load_from_file(file, 4302 SYSTEM__X509_CERTIFICATE_LOAD); 4303 break; 4304 default: 4305 break; 4306 } 4307 4308 return rc; 4309 } 4310 4311 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents) 4312 { 4313 int rc = 0; 4314 4315 BUILD_BUG_ON_MSG(LOADING_MAX_ID > 8, 4316 "New kernel_load_data_id introduced; update SELinux!"); 4317 4318 switch (id) { 4319 case LOADING_FIRMWARE: 4320 rc = selinux_kernel_load_from_file(NULL, SYSTEM__FIRMWARE_LOAD); 4321 break; 4322 case LOADING_MODULE: 4323 rc = selinux_kernel_load_from_file(NULL, SYSTEM__MODULE_LOAD); 4324 break; 4325 case LOADING_KEXEC_IMAGE: 4326 rc = selinux_kernel_load_from_file(NULL, 4327 SYSTEM__KEXEC_IMAGE_LOAD); 4328 break; 4329 case LOADING_KEXEC_INITRAMFS: 4330 rc = selinux_kernel_load_from_file(NULL, 4331 SYSTEM__KEXEC_INITRAMFS_LOAD); 4332 break; 4333 case LOADING_POLICY: 4334 rc = selinux_kernel_load_from_file(NULL, 4335 SYSTEM__POLICY_LOAD); 4336 break; 4337 case LOADING_X509_CERTIFICATE: 4338 rc = selinux_kernel_load_from_file(NULL, 4339 SYSTEM__X509_CERTIFICATE_LOAD); 4340 break; 4341 default: 4342 break; 4343 } 4344 4345 return rc; 4346 } 4347 4348 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4349 { 4350 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4351 PROCESS__SETPGID, NULL); 4352 } 4353 4354 static int selinux_task_getpgid(struct task_struct *p) 4355 { 4356 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4357 PROCESS__GETPGID, NULL); 4358 } 4359 4360 static int selinux_task_getsid(struct task_struct *p) 4361 { 4362 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4363 PROCESS__GETSESSION, NULL); 4364 } 4365 4366 static void selinux_current_getlsmprop_subj(struct lsm_prop *prop) 4367 { 4368 prop->selinux.secid = current_sid(); 4369 } 4370 4371 static void selinux_task_getlsmprop_obj(struct task_struct *p, 4372 struct lsm_prop *prop) 4373 { 4374 prop->selinux.secid = task_sid_obj(p); 4375 } 4376 4377 static int selinux_task_setnice(struct task_struct *p, int nice) 4378 { 4379 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4380 PROCESS__SETSCHED, NULL); 4381 } 4382 4383 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4384 { 4385 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4386 PROCESS__SETSCHED, NULL); 4387 } 4388 4389 static int selinux_task_getioprio(struct task_struct *p) 4390 { 4391 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4392 PROCESS__GETSCHED, NULL); 4393 } 4394 4395 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4396 unsigned int flags) 4397 { 4398 u32 av = 0; 4399 4400 if (!flags) 4401 return 0; 4402 if (flags & LSM_PRLIMIT_WRITE) 4403 av |= PROCESS__SETRLIMIT; 4404 if (flags & LSM_PRLIMIT_READ) 4405 av |= PROCESS__GETRLIMIT; 4406 return avc_has_perm(cred_sid(cred), cred_sid(tcred), 4407 SECCLASS_PROCESS, av, NULL); 4408 } 4409 4410 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4411 struct rlimit *new_rlim) 4412 { 4413 struct rlimit *old_rlim = p->signal->rlim + resource; 4414 4415 /* Control the ability to change the hard limit (whether 4416 lowering or raising it), so that the hard limit can 4417 later be used as a safe reset point for the soft limit 4418 upon context transitions. See selinux_bprm_committing_creds. */ 4419 if (old_rlim->rlim_max != new_rlim->rlim_max) 4420 return avc_has_perm(current_sid(), task_sid_obj(p), 4421 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4422 4423 return 0; 4424 } 4425 4426 static int selinux_task_setscheduler(struct task_struct *p) 4427 { 4428 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4429 PROCESS__SETSCHED, NULL); 4430 } 4431 4432 static int selinux_task_getscheduler(struct task_struct *p) 4433 { 4434 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4435 PROCESS__GETSCHED, NULL); 4436 } 4437 4438 static int selinux_task_movememory(struct task_struct *p) 4439 { 4440 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4441 PROCESS__SETSCHED, NULL); 4442 } 4443 4444 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, 4445 int sig, const struct cred *cred) 4446 { 4447 u32 secid; 4448 u32 perm; 4449 4450 if (!sig) 4451 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4452 else 4453 perm = signal_to_av(sig); 4454 if (!cred) 4455 secid = current_sid(); 4456 else 4457 secid = cred_sid(cred); 4458 return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL); 4459 } 4460 4461 static void selinux_task_to_inode(struct task_struct *p, 4462 struct inode *inode) 4463 { 4464 struct inode_security_struct *isec = selinux_inode(inode); 4465 u32 sid = task_sid_obj(p); 4466 4467 spin_lock(&isec->lock); 4468 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4469 isec->sid = sid; 4470 isec->initialized = LABEL_INITIALIZED; 4471 spin_unlock(&isec->lock); 4472 } 4473 4474 static int selinux_userns_create(const struct cred *cred) 4475 { 4476 u32 sid = current_sid(); 4477 4478 return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE, 4479 USER_NAMESPACE__CREATE, NULL); 4480 } 4481 4482 /* Returns error only if unable to parse addresses */ 4483 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4484 struct common_audit_data *ad, u8 *proto) 4485 { 4486 int offset, ihlen, ret = -EINVAL; 4487 struct iphdr _iph, *ih; 4488 4489 offset = skb_network_offset(skb); 4490 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4491 if (ih == NULL) 4492 goto out; 4493 4494 ihlen = ih->ihl * 4; 4495 if (ihlen < sizeof(_iph)) 4496 goto out; 4497 4498 ad->u.net->v4info.saddr = ih->saddr; 4499 ad->u.net->v4info.daddr = ih->daddr; 4500 ret = 0; 4501 4502 if (proto) 4503 *proto = ih->protocol; 4504 4505 switch (ih->protocol) { 4506 case IPPROTO_TCP: { 4507 struct tcphdr _tcph, *th; 4508 4509 if (ntohs(ih->frag_off) & IP_OFFSET) 4510 break; 4511 4512 offset += ihlen; 4513 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4514 if (th == NULL) 4515 break; 4516 4517 ad->u.net->sport = th->source; 4518 ad->u.net->dport = th->dest; 4519 break; 4520 } 4521 4522 case IPPROTO_UDP: { 4523 struct udphdr _udph, *uh; 4524 4525 if (ntohs(ih->frag_off) & IP_OFFSET) 4526 break; 4527 4528 offset += ihlen; 4529 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4530 if (uh == NULL) 4531 break; 4532 4533 ad->u.net->sport = uh->source; 4534 ad->u.net->dport = uh->dest; 4535 break; 4536 } 4537 4538 #if IS_ENABLED(CONFIG_IP_SCTP) 4539 case IPPROTO_SCTP: { 4540 struct sctphdr _sctph, *sh; 4541 4542 if (ntohs(ih->frag_off) & IP_OFFSET) 4543 break; 4544 4545 offset += ihlen; 4546 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4547 if (sh == NULL) 4548 break; 4549 4550 ad->u.net->sport = sh->source; 4551 ad->u.net->dport = sh->dest; 4552 break; 4553 } 4554 #endif 4555 default: 4556 break; 4557 } 4558 out: 4559 return ret; 4560 } 4561 4562 #if IS_ENABLED(CONFIG_IPV6) 4563 4564 /* Returns error only if unable to parse addresses */ 4565 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4566 struct common_audit_data *ad, u8 *proto) 4567 { 4568 u8 nexthdr; 4569 int ret = -EINVAL, offset; 4570 struct ipv6hdr _ipv6h, *ip6; 4571 __be16 frag_off; 4572 4573 offset = skb_network_offset(skb); 4574 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4575 if (ip6 == NULL) 4576 goto out; 4577 4578 ad->u.net->v6info.saddr = ip6->saddr; 4579 ad->u.net->v6info.daddr = ip6->daddr; 4580 ret = 0; 4581 4582 nexthdr = ip6->nexthdr; 4583 offset += sizeof(_ipv6h); 4584 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4585 if (offset < 0) 4586 goto out; 4587 4588 if (proto) 4589 *proto = nexthdr; 4590 4591 switch (nexthdr) { 4592 case IPPROTO_TCP: { 4593 struct tcphdr _tcph, *th; 4594 4595 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4596 if (th == NULL) 4597 break; 4598 4599 ad->u.net->sport = th->source; 4600 ad->u.net->dport = th->dest; 4601 break; 4602 } 4603 4604 case IPPROTO_UDP: { 4605 struct udphdr _udph, *uh; 4606 4607 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4608 if (uh == NULL) 4609 break; 4610 4611 ad->u.net->sport = uh->source; 4612 ad->u.net->dport = uh->dest; 4613 break; 4614 } 4615 4616 #if IS_ENABLED(CONFIG_IP_SCTP) 4617 case IPPROTO_SCTP: { 4618 struct sctphdr _sctph, *sh; 4619 4620 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4621 if (sh == NULL) 4622 break; 4623 4624 ad->u.net->sport = sh->source; 4625 ad->u.net->dport = sh->dest; 4626 break; 4627 } 4628 #endif 4629 /* includes fragments */ 4630 default: 4631 break; 4632 } 4633 out: 4634 return ret; 4635 } 4636 4637 #endif /* IPV6 */ 4638 4639 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4640 char **_addrp, int src, u8 *proto) 4641 { 4642 char *addrp; 4643 int ret; 4644 4645 switch (ad->u.net->family) { 4646 case PF_INET: 4647 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4648 if (ret) 4649 goto parse_error; 4650 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4651 &ad->u.net->v4info.daddr); 4652 goto okay; 4653 4654 #if IS_ENABLED(CONFIG_IPV6) 4655 case PF_INET6: 4656 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4657 if (ret) 4658 goto parse_error; 4659 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4660 &ad->u.net->v6info.daddr); 4661 goto okay; 4662 #endif /* IPV6 */ 4663 default: 4664 addrp = NULL; 4665 goto okay; 4666 } 4667 4668 parse_error: 4669 pr_warn( 4670 "SELinux: failure in selinux_parse_skb()," 4671 " unable to parse packet\n"); 4672 return ret; 4673 4674 okay: 4675 if (_addrp) 4676 *_addrp = addrp; 4677 return 0; 4678 } 4679 4680 /** 4681 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4682 * @skb: the packet 4683 * @family: protocol family 4684 * @sid: the packet's peer label SID 4685 * 4686 * Description: 4687 * Check the various different forms of network peer labeling and determine 4688 * the peer label/SID for the packet; most of the magic actually occurs in 4689 * the security server function security_net_peersid_cmp(). The function 4690 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4691 * or -EACCES if @sid is invalid due to inconsistencies with the different 4692 * peer labels. 4693 * 4694 */ 4695 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4696 { 4697 int err; 4698 u32 xfrm_sid; 4699 u32 nlbl_sid; 4700 u32 nlbl_type; 4701 4702 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4703 if (unlikely(err)) 4704 return -EACCES; 4705 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4706 if (unlikely(err)) 4707 return -EACCES; 4708 4709 err = security_net_peersid_resolve(nlbl_sid, 4710 nlbl_type, xfrm_sid, sid); 4711 if (unlikely(err)) { 4712 pr_warn( 4713 "SELinux: failure in selinux_skb_peerlbl_sid()," 4714 " unable to determine packet's peer label\n"); 4715 return -EACCES; 4716 } 4717 4718 return 0; 4719 } 4720 4721 /** 4722 * selinux_conn_sid - Determine the child socket label for a connection 4723 * @sk_sid: the parent socket's SID 4724 * @skb_sid: the packet's SID 4725 * @conn_sid: the resulting connection SID 4726 * 4727 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4728 * combined with the MLS information from @skb_sid in order to create 4729 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy 4730 * of @sk_sid. Returns zero on success, negative values on failure. 4731 * 4732 */ 4733 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4734 { 4735 int err = 0; 4736 4737 if (skb_sid != SECSID_NULL) 4738 err = security_sid_mls_copy(sk_sid, skb_sid, 4739 conn_sid); 4740 else 4741 *conn_sid = sk_sid; 4742 4743 return err; 4744 } 4745 4746 /* socket security operations */ 4747 4748 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4749 u16 secclass, u32 *socksid) 4750 { 4751 if (tsec->sockcreate_sid > SECSID_NULL) { 4752 *socksid = tsec->sockcreate_sid; 4753 return 0; 4754 } 4755 4756 return security_transition_sid(tsec->sid, tsec->sid, 4757 secclass, NULL, socksid); 4758 } 4759 4760 static bool sock_skip_has_perm(u32 sid) 4761 { 4762 if (sid == SECINITSID_KERNEL) 4763 return true; 4764 4765 /* 4766 * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that 4767 * inherited the kernel context from early boot used to be skipped 4768 * here, so preserve that behavior unless the capability is set. 4769 * 4770 * By setting the capability the policy signals that it is ready 4771 * for this quirk to be fixed. Note that sockets created by a kernel 4772 * thread or a usermode helper executed without a transition will 4773 * still be skipped in this check regardless of the policycap 4774 * setting. 4775 */ 4776 if (!selinux_policycap_userspace_initial_context() && 4777 sid == SECINITSID_INIT) 4778 return true; 4779 return false; 4780 } 4781 4782 4783 static int sock_has_perm(struct sock *sk, u32 perms) 4784 { 4785 struct sk_security_struct *sksec = sk->sk_security; 4786 struct common_audit_data ad; 4787 struct lsm_network_audit net; 4788 4789 if (sock_skip_has_perm(sksec->sid)) 4790 return 0; 4791 4792 ad_net_init_from_sk(&ad, &net, sk); 4793 4794 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4795 &ad); 4796 } 4797 4798 static int selinux_socket_create(int family, int type, 4799 int protocol, int kern) 4800 { 4801 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4802 u32 newsid; 4803 u16 secclass; 4804 int rc; 4805 4806 if (kern) 4807 return 0; 4808 4809 secclass = socket_type_to_security_class(family, type, protocol); 4810 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4811 if (rc) 4812 return rc; 4813 4814 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4815 } 4816 4817 static int selinux_socket_post_create(struct socket *sock, int family, 4818 int type, int protocol, int kern) 4819 { 4820 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4821 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4822 struct sk_security_struct *sksec; 4823 u16 sclass = socket_type_to_security_class(family, type, protocol); 4824 u32 sid = SECINITSID_KERNEL; 4825 int err = 0; 4826 4827 if (!kern) { 4828 err = socket_sockcreate_sid(tsec, sclass, &sid); 4829 if (err) 4830 return err; 4831 } 4832 4833 isec->sclass = sclass; 4834 isec->sid = sid; 4835 isec->initialized = LABEL_INITIALIZED; 4836 4837 if (sock->sk) { 4838 sksec = selinux_sock(sock->sk); 4839 sksec->sclass = sclass; 4840 sksec->sid = sid; 4841 /* Allows detection of the first association on this socket */ 4842 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4843 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4844 4845 err = selinux_netlbl_socket_post_create(sock->sk, family); 4846 } 4847 4848 return err; 4849 } 4850 4851 static int selinux_socket_socketpair(struct socket *socka, 4852 struct socket *sockb) 4853 { 4854 struct sk_security_struct *sksec_a = selinux_sock(socka->sk); 4855 struct sk_security_struct *sksec_b = selinux_sock(sockb->sk); 4856 4857 sksec_a->peer_sid = sksec_b->sid; 4858 sksec_b->peer_sid = sksec_a->sid; 4859 4860 return 0; 4861 } 4862 4863 /* Range of port numbers used to automatically bind. 4864 Need to determine whether we should perform a name_bind 4865 permission check between the socket and the port number. */ 4866 4867 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4868 { 4869 struct sock *sk = sock->sk; 4870 struct sk_security_struct *sksec = selinux_sock(sk); 4871 u16 family; 4872 int err; 4873 4874 err = sock_has_perm(sk, SOCKET__BIND); 4875 if (err) 4876 goto out; 4877 4878 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4879 family = sk->sk_family; 4880 if (family == PF_INET || family == PF_INET6) { 4881 char *addrp; 4882 struct common_audit_data ad; 4883 struct lsm_network_audit net = {0,}; 4884 struct sockaddr_in *addr4 = NULL; 4885 struct sockaddr_in6 *addr6 = NULL; 4886 u16 family_sa; 4887 unsigned short snum; 4888 u32 sid, node_perm; 4889 4890 /* 4891 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4892 * that validates multiple binding addresses. Because of this 4893 * need to check address->sa_family as it is possible to have 4894 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4895 */ 4896 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4897 return -EINVAL; 4898 family_sa = address->sa_family; 4899 switch (family_sa) { 4900 case AF_UNSPEC: 4901 case AF_INET: 4902 if (addrlen < sizeof(struct sockaddr_in)) 4903 return -EINVAL; 4904 addr4 = (struct sockaddr_in *)address; 4905 if (family_sa == AF_UNSPEC) { 4906 if (family == PF_INET6) { 4907 /* Length check from inet6_bind_sk() */ 4908 if (addrlen < SIN6_LEN_RFC2133) 4909 return -EINVAL; 4910 /* Family check from __inet6_bind() */ 4911 goto err_af; 4912 } 4913 /* see __inet_bind(), we only want to allow 4914 * AF_UNSPEC if the address is INADDR_ANY 4915 */ 4916 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4917 goto err_af; 4918 family_sa = AF_INET; 4919 } 4920 snum = ntohs(addr4->sin_port); 4921 addrp = (char *)&addr4->sin_addr.s_addr; 4922 break; 4923 case AF_INET6: 4924 if (addrlen < SIN6_LEN_RFC2133) 4925 return -EINVAL; 4926 addr6 = (struct sockaddr_in6 *)address; 4927 snum = ntohs(addr6->sin6_port); 4928 addrp = (char *)&addr6->sin6_addr.s6_addr; 4929 break; 4930 default: 4931 goto err_af; 4932 } 4933 4934 ad.type = LSM_AUDIT_DATA_NET; 4935 ad.u.net = &net; 4936 ad.u.net->sport = htons(snum); 4937 ad.u.net->family = family_sa; 4938 4939 if (snum) { 4940 int low, high; 4941 4942 inet_get_local_port_range(sock_net(sk), &low, &high); 4943 4944 if (inet_port_requires_bind_service(sock_net(sk), snum) || 4945 snum < low || snum > high) { 4946 err = sel_netport_sid(sk->sk_protocol, 4947 snum, &sid); 4948 if (err) 4949 goto out; 4950 err = avc_has_perm(sksec->sid, sid, 4951 sksec->sclass, 4952 SOCKET__NAME_BIND, &ad); 4953 if (err) 4954 goto out; 4955 } 4956 } 4957 4958 switch (sksec->sclass) { 4959 case SECCLASS_TCP_SOCKET: 4960 node_perm = TCP_SOCKET__NODE_BIND; 4961 break; 4962 4963 case SECCLASS_UDP_SOCKET: 4964 node_perm = UDP_SOCKET__NODE_BIND; 4965 break; 4966 4967 case SECCLASS_SCTP_SOCKET: 4968 node_perm = SCTP_SOCKET__NODE_BIND; 4969 break; 4970 4971 default: 4972 node_perm = RAWIP_SOCKET__NODE_BIND; 4973 break; 4974 } 4975 4976 err = sel_netnode_sid(addrp, family_sa, &sid); 4977 if (err) 4978 goto out; 4979 4980 if (family_sa == AF_INET) 4981 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4982 else 4983 ad.u.net->v6info.saddr = addr6->sin6_addr; 4984 4985 err = avc_has_perm(sksec->sid, sid, 4986 sksec->sclass, node_perm, &ad); 4987 if (err) 4988 goto out; 4989 } 4990 out: 4991 return err; 4992 err_af: 4993 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4994 if (sk->sk_protocol == IPPROTO_SCTP) 4995 return -EINVAL; 4996 return -EAFNOSUPPORT; 4997 } 4998 4999 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 5000 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst 5001 */ 5002 static int selinux_socket_connect_helper(struct socket *sock, 5003 struct sockaddr *address, int addrlen) 5004 { 5005 struct sock *sk = sock->sk; 5006 struct sk_security_struct *sksec = selinux_sock(sk); 5007 int err; 5008 5009 err = sock_has_perm(sk, SOCKET__CONNECT); 5010 if (err) 5011 return err; 5012 if (addrlen < offsetofend(struct sockaddr, sa_family)) 5013 return -EINVAL; 5014 5015 /* connect(AF_UNSPEC) has special handling, as it is a documented 5016 * way to disconnect the socket 5017 */ 5018 if (address->sa_family == AF_UNSPEC) 5019 return 0; 5020 5021 /* 5022 * If a TCP or SCTP socket, check name_connect permission 5023 * for the port. 5024 */ 5025 if (sksec->sclass == SECCLASS_TCP_SOCKET || 5026 sksec->sclass == SECCLASS_SCTP_SOCKET) { 5027 struct common_audit_data ad; 5028 struct lsm_network_audit net = {0,}; 5029 struct sockaddr_in *addr4 = NULL; 5030 struct sockaddr_in6 *addr6 = NULL; 5031 unsigned short snum; 5032 u32 sid, perm; 5033 5034 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 5035 * that validates multiple connect addresses. Because of this 5036 * need to check address->sa_family as it is possible to have 5037 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 5038 */ 5039 switch (address->sa_family) { 5040 case AF_INET: 5041 addr4 = (struct sockaddr_in *)address; 5042 if (addrlen < sizeof(struct sockaddr_in)) 5043 return -EINVAL; 5044 snum = ntohs(addr4->sin_port); 5045 break; 5046 case AF_INET6: 5047 addr6 = (struct sockaddr_in6 *)address; 5048 if (addrlen < SIN6_LEN_RFC2133) 5049 return -EINVAL; 5050 snum = ntohs(addr6->sin6_port); 5051 break; 5052 default: 5053 /* Note that SCTP services expect -EINVAL, whereas 5054 * others expect -EAFNOSUPPORT. 5055 */ 5056 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 5057 return -EINVAL; 5058 else 5059 return -EAFNOSUPPORT; 5060 } 5061 5062 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 5063 if (err) 5064 return err; 5065 5066 switch (sksec->sclass) { 5067 case SECCLASS_TCP_SOCKET: 5068 perm = TCP_SOCKET__NAME_CONNECT; 5069 break; 5070 case SECCLASS_SCTP_SOCKET: 5071 perm = SCTP_SOCKET__NAME_CONNECT; 5072 break; 5073 } 5074 5075 ad.type = LSM_AUDIT_DATA_NET; 5076 ad.u.net = &net; 5077 ad.u.net->dport = htons(snum); 5078 ad.u.net->family = address->sa_family; 5079 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 5080 if (err) 5081 return err; 5082 } 5083 5084 return 0; 5085 } 5086 5087 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 5088 static int selinux_socket_connect(struct socket *sock, 5089 struct sockaddr *address, int addrlen) 5090 { 5091 int err; 5092 struct sock *sk = sock->sk; 5093 5094 err = selinux_socket_connect_helper(sock, address, addrlen); 5095 if (err) 5096 return err; 5097 5098 return selinux_netlbl_socket_connect(sk, address); 5099 } 5100 5101 static int selinux_socket_listen(struct socket *sock, int backlog) 5102 { 5103 return sock_has_perm(sock->sk, SOCKET__LISTEN); 5104 } 5105 5106 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 5107 { 5108 int err; 5109 struct inode_security_struct *isec; 5110 struct inode_security_struct *newisec; 5111 u16 sclass; 5112 u32 sid; 5113 5114 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 5115 if (err) 5116 return err; 5117 5118 isec = inode_security_novalidate(SOCK_INODE(sock)); 5119 spin_lock(&isec->lock); 5120 sclass = isec->sclass; 5121 sid = isec->sid; 5122 spin_unlock(&isec->lock); 5123 5124 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 5125 newisec->sclass = sclass; 5126 newisec->sid = sid; 5127 newisec->initialized = LABEL_INITIALIZED; 5128 5129 return 0; 5130 } 5131 5132 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 5133 int size) 5134 { 5135 return sock_has_perm(sock->sk, SOCKET__WRITE); 5136 } 5137 5138 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 5139 int size, int flags) 5140 { 5141 return sock_has_perm(sock->sk, SOCKET__READ); 5142 } 5143 5144 static int selinux_socket_getsockname(struct socket *sock) 5145 { 5146 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5147 } 5148 5149 static int selinux_socket_getpeername(struct socket *sock) 5150 { 5151 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5152 } 5153 5154 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 5155 { 5156 int err; 5157 5158 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 5159 if (err) 5160 return err; 5161 5162 return selinux_netlbl_socket_setsockopt(sock, level, optname); 5163 } 5164 5165 static int selinux_socket_getsockopt(struct socket *sock, int level, 5166 int optname) 5167 { 5168 return sock_has_perm(sock->sk, SOCKET__GETOPT); 5169 } 5170 5171 static int selinux_socket_shutdown(struct socket *sock, int how) 5172 { 5173 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 5174 } 5175 5176 static int selinux_socket_unix_stream_connect(struct sock *sock, 5177 struct sock *other, 5178 struct sock *newsk) 5179 { 5180 struct sk_security_struct *sksec_sock = selinux_sock(sock); 5181 struct sk_security_struct *sksec_other = selinux_sock(other); 5182 struct sk_security_struct *sksec_new = selinux_sock(newsk); 5183 struct common_audit_data ad; 5184 struct lsm_network_audit net; 5185 int err; 5186 5187 ad_net_init_from_sk(&ad, &net, other); 5188 5189 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 5190 sksec_other->sclass, 5191 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 5192 if (err) 5193 return err; 5194 5195 /* server child socket */ 5196 sksec_new->peer_sid = sksec_sock->sid; 5197 err = security_sid_mls_copy(sksec_other->sid, 5198 sksec_sock->sid, &sksec_new->sid); 5199 if (err) 5200 return err; 5201 5202 /* connecting socket */ 5203 sksec_sock->peer_sid = sksec_new->sid; 5204 5205 return 0; 5206 } 5207 5208 static int selinux_socket_unix_may_send(struct socket *sock, 5209 struct socket *other) 5210 { 5211 struct sk_security_struct *ssec = selinux_sock(sock->sk); 5212 struct sk_security_struct *osec = selinux_sock(other->sk); 5213 struct common_audit_data ad; 5214 struct lsm_network_audit net; 5215 5216 ad_net_init_from_sk(&ad, &net, other->sk); 5217 5218 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 5219 &ad); 5220 } 5221 5222 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 5223 char *addrp, u16 family, u32 peer_sid, 5224 struct common_audit_data *ad) 5225 { 5226 int err; 5227 u32 if_sid; 5228 u32 node_sid; 5229 5230 err = sel_netif_sid(ns, ifindex, &if_sid); 5231 if (err) 5232 return err; 5233 err = avc_has_perm(peer_sid, if_sid, 5234 SECCLASS_NETIF, NETIF__INGRESS, ad); 5235 if (err) 5236 return err; 5237 5238 err = sel_netnode_sid(addrp, family, &node_sid); 5239 if (err) 5240 return err; 5241 return avc_has_perm(peer_sid, node_sid, 5242 SECCLASS_NODE, NODE__RECVFROM, ad); 5243 } 5244 5245 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 5246 u16 family) 5247 { 5248 int err = 0; 5249 struct sk_security_struct *sksec = selinux_sock(sk); 5250 u32 sk_sid = sksec->sid; 5251 struct common_audit_data ad; 5252 struct lsm_network_audit net; 5253 char *addrp; 5254 5255 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family); 5256 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5257 if (err) 5258 return err; 5259 5260 if (selinux_secmark_enabled()) { 5261 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5262 PACKET__RECV, &ad); 5263 if (err) 5264 return err; 5265 } 5266 5267 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 5268 if (err) 5269 return err; 5270 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 5271 5272 return err; 5273 } 5274 5275 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 5276 { 5277 int err, peerlbl_active, secmark_active; 5278 struct sk_security_struct *sksec = selinux_sock(sk); 5279 u16 family = sk->sk_family; 5280 u32 sk_sid = sksec->sid; 5281 struct common_audit_data ad; 5282 struct lsm_network_audit net; 5283 char *addrp; 5284 5285 if (family != PF_INET && family != PF_INET6) 5286 return 0; 5287 5288 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5289 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5290 family = PF_INET; 5291 5292 /* If any sort of compatibility mode is enabled then handoff processing 5293 * to the selinux_sock_rcv_skb_compat() function to deal with the 5294 * special handling. We do this in an attempt to keep this function 5295 * as fast and as clean as possible. */ 5296 if (!selinux_policycap_netpeer()) 5297 return selinux_sock_rcv_skb_compat(sk, skb, family); 5298 5299 secmark_active = selinux_secmark_enabled(); 5300 peerlbl_active = selinux_peerlbl_enabled(); 5301 if (!secmark_active && !peerlbl_active) 5302 return 0; 5303 5304 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family); 5305 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5306 if (err) 5307 return err; 5308 5309 if (peerlbl_active) { 5310 u32 peer_sid; 5311 5312 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5313 if (err) 5314 return err; 5315 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5316 addrp, family, peer_sid, &ad); 5317 if (err) { 5318 selinux_netlbl_err(skb, family, err, 0); 5319 return err; 5320 } 5321 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 5322 PEER__RECV, &ad); 5323 if (err) { 5324 selinux_netlbl_err(skb, family, err, 0); 5325 return err; 5326 } 5327 } 5328 5329 if (secmark_active) { 5330 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5331 PACKET__RECV, &ad); 5332 if (err) 5333 return err; 5334 } 5335 5336 return err; 5337 } 5338 5339 static int selinux_socket_getpeersec_stream(struct socket *sock, 5340 sockptr_t optval, sockptr_t optlen, 5341 unsigned int len) 5342 { 5343 int err = 0; 5344 char *scontext = NULL; 5345 u32 scontext_len; 5346 struct sk_security_struct *sksec = selinux_sock(sock->sk); 5347 u32 peer_sid = SECSID_NULL; 5348 5349 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5350 sksec->sclass == SECCLASS_TCP_SOCKET || 5351 sksec->sclass == SECCLASS_SCTP_SOCKET) 5352 peer_sid = sksec->peer_sid; 5353 if (peer_sid == SECSID_NULL) 5354 return -ENOPROTOOPT; 5355 5356 err = security_sid_to_context(peer_sid, &scontext, 5357 &scontext_len); 5358 if (err) 5359 return err; 5360 if (scontext_len > len) { 5361 err = -ERANGE; 5362 goto out_len; 5363 } 5364 5365 if (copy_to_sockptr(optval, scontext, scontext_len)) 5366 err = -EFAULT; 5367 out_len: 5368 if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len))) 5369 err = -EFAULT; 5370 kfree(scontext); 5371 return err; 5372 } 5373 5374 static int selinux_socket_getpeersec_dgram(struct socket *sock, 5375 struct sk_buff *skb, u32 *secid) 5376 { 5377 u32 peer_secid = SECSID_NULL; 5378 u16 family; 5379 5380 if (skb && skb->protocol == htons(ETH_P_IP)) 5381 family = PF_INET; 5382 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5383 family = PF_INET6; 5384 else if (sock) 5385 family = sock->sk->sk_family; 5386 else { 5387 *secid = SECSID_NULL; 5388 return -EINVAL; 5389 } 5390 5391 if (sock && family == PF_UNIX) { 5392 struct inode_security_struct *isec; 5393 isec = inode_security_novalidate(SOCK_INODE(sock)); 5394 peer_secid = isec->sid; 5395 } else if (skb) 5396 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5397 5398 *secid = peer_secid; 5399 if (peer_secid == SECSID_NULL) 5400 return -ENOPROTOOPT; 5401 return 0; 5402 } 5403 5404 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5405 { 5406 struct sk_security_struct *sksec = selinux_sock(sk); 5407 5408 sksec->peer_sid = SECINITSID_UNLABELED; 5409 sksec->sid = SECINITSID_UNLABELED; 5410 sksec->sclass = SECCLASS_SOCKET; 5411 selinux_netlbl_sk_security_reset(sksec); 5412 5413 return 0; 5414 } 5415 5416 static void selinux_sk_free_security(struct sock *sk) 5417 { 5418 struct sk_security_struct *sksec = selinux_sock(sk); 5419 5420 selinux_netlbl_sk_security_free(sksec); 5421 } 5422 5423 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5424 { 5425 struct sk_security_struct *sksec = selinux_sock(sk); 5426 struct sk_security_struct *newsksec = selinux_sock(newsk); 5427 5428 newsksec->sid = sksec->sid; 5429 newsksec->peer_sid = sksec->peer_sid; 5430 newsksec->sclass = sksec->sclass; 5431 5432 selinux_netlbl_sk_security_reset(newsksec); 5433 } 5434 5435 static void selinux_sk_getsecid(const struct sock *sk, u32 *secid) 5436 { 5437 if (!sk) 5438 *secid = SECINITSID_ANY_SOCKET; 5439 else { 5440 const struct sk_security_struct *sksec = selinux_sock(sk); 5441 5442 *secid = sksec->sid; 5443 } 5444 } 5445 5446 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5447 { 5448 struct inode_security_struct *isec = 5449 inode_security_novalidate(SOCK_INODE(parent)); 5450 struct sk_security_struct *sksec = selinux_sock(sk); 5451 5452 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5453 sk->sk_family == PF_UNIX) 5454 isec->sid = sksec->sid; 5455 sksec->sclass = isec->sclass; 5456 } 5457 5458 /* 5459 * Determines peer_secid for the asoc and updates socket's peer label 5460 * if it's the first association on the socket. 5461 */ 5462 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc, 5463 struct sk_buff *skb) 5464 { 5465 struct sock *sk = asoc->base.sk; 5466 u16 family = sk->sk_family; 5467 struct sk_security_struct *sksec = selinux_sock(sk); 5468 struct common_audit_data ad; 5469 struct lsm_network_audit net; 5470 int err; 5471 5472 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5473 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5474 family = PF_INET; 5475 5476 if (selinux_peerlbl_enabled()) { 5477 asoc->peer_secid = SECSID_NULL; 5478 5479 /* This will return peer_sid = SECSID_NULL if there are 5480 * no peer labels, see security_net_peersid_resolve(). 5481 */ 5482 err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid); 5483 if (err) 5484 return err; 5485 5486 if (asoc->peer_secid == SECSID_NULL) 5487 asoc->peer_secid = SECINITSID_UNLABELED; 5488 } else { 5489 asoc->peer_secid = SECINITSID_UNLABELED; 5490 } 5491 5492 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5493 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5494 5495 /* Here as first association on socket. As the peer SID 5496 * was allowed by peer recv (and the netif/node checks), 5497 * then it is approved by policy and used as the primary 5498 * peer SID for getpeercon(3). 5499 */ 5500 sksec->peer_sid = asoc->peer_secid; 5501 } else if (sksec->peer_sid != asoc->peer_secid) { 5502 /* Other association peer SIDs are checked to enforce 5503 * consistency among the peer SIDs. 5504 */ 5505 ad_net_init_from_sk(&ad, &net, asoc->base.sk); 5506 err = avc_has_perm(sksec->peer_sid, asoc->peer_secid, 5507 sksec->sclass, SCTP_SOCKET__ASSOCIATION, 5508 &ad); 5509 if (err) 5510 return err; 5511 } 5512 return 0; 5513 } 5514 5515 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This 5516 * happens on an incoming connect(2), sctp_connectx(3) or 5517 * sctp_sendmsg(3) (with no association already present). 5518 */ 5519 static int selinux_sctp_assoc_request(struct sctp_association *asoc, 5520 struct sk_buff *skb) 5521 { 5522 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); 5523 u32 conn_sid; 5524 int err; 5525 5526 if (!selinux_policycap_extsockclass()) 5527 return 0; 5528 5529 err = selinux_sctp_process_new_assoc(asoc, skb); 5530 if (err) 5531 return err; 5532 5533 /* Compute the MLS component for the connection and store 5534 * the information in asoc. This will be used by SCTP TCP type 5535 * sockets and peeled off connections as they cause a new 5536 * socket to be generated. selinux_sctp_sk_clone() will then 5537 * plug this into the new socket. 5538 */ 5539 err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid); 5540 if (err) 5541 return err; 5542 5543 asoc->secid = conn_sid; 5544 5545 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5546 return selinux_netlbl_sctp_assoc_request(asoc, skb); 5547 } 5548 5549 /* Called when SCTP receives a COOKIE ACK chunk as the final 5550 * response to an association request (initited by us). 5551 */ 5552 static int selinux_sctp_assoc_established(struct sctp_association *asoc, 5553 struct sk_buff *skb) 5554 { 5555 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); 5556 5557 if (!selinux_policycap_extsockclass()) 5558 return 0; 5559 5560 /* Inherit secid from the parent socket - this will be picked up 5561 * by selinux_sctp_sk_clone() if the association gets peeled off 5562 * into a new socket. 5563 */ 5564 asoc->secid = sksec->sid; 5565 5566 return selinux_sctp_process_new_assoc(asoc, skb); 5567 } 5568 5569 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5570 * based on their @optname. 5571 */ 5572 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5573 struct sockaddr *address, 5574 int addrlen) 5575 { 5576 int len, err = 0, walk_size = 0; 5577 void *addr_buf; 5578 struct sockaddr *addr; 5579 struct socket *sock; 5580 5581 if (!selinux_policycap_extsockclass()) 5582 return 0; 5583 5584 /* Process one or more addresses that may be IPv4 or IPv6 */ 5585 sock = sk->sk_socket; 5586 addr_buf = address; 5587 5588 while (walk_size < addrlen) { 5589 if (walk_size + sizeof(sa_family_t) > addrlen) 5590 return -EINVAL; 5591 5592 addr = addr_buf; 5593 switch (addr->sa_family) { 5594 case AF_UNSPEC: 5595 case AF_INET: 5596 len = sizeof(struct sockaddr_in); 5597 break; 5598 case AF_INET6: 5599 len = sizeof(struct sockaddr_in6); 5600 break; 5601 default: 5602 return -EINVAL; 5603 } 5604 5605 if (walk_size + len > addrlen) 5606 return -EINVAL; 5607 5608 err = -EINVAL; 5609 switch (optname) { 5610 /* Bind checks */ 5611 case SCTP_PRIMARY_ADDR: 5612 case SCTP_SET_PEER_PRIMARY_ADDR: 5613 case SCTP_SOCKOPT_BINDX_ADD: 5614 err = selinux_socket_bind(sock, addr, len); 5615 break; 5616 /* Connect checks */ 5617 case SCTP_SOCKOPT_CONNECTX: 5618 case SCTP_PARAM_SET_PRIMARY: 5619 case SCTP_PARAM_ADD_IP: 5620 case SCTP_SENDMSG_CONNECT: 5621 err = selinux_socket_connect_helper(sock, addr, len); 5622 if (err) 5623 return err; 5624 5625 /* As selinux_sctp_bind_connect() is called by the 5626 * SCTP protocol layer, the socket is already locked, 5627 * therefore selinux_netlbl_socket_connect_locked() 5628 * is called here. The situations handled are: 5629 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5630 * whenever a new IP address is added or when a new 5631 * primary address is selected. 5632 * Note that an SCTP connect(2) call happens before 5633 * the SCTP protocol layer and is handled via 5634 * selinux_socket_connect(). 5635 */ 5636 err = selinux_netlbl_socket_connect_locked(sk, addr); 5637 break; 5638 } 5639 5640 if (err) 5641 return err; 5642 5643 addr_buf += len; 5644 walk_size += len; 5645 } 5646 5647 return 0; 5648 } 5649 5650 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5651 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, 5652 struct sock *newsk) 5653 { 5654 struct sk_security_struct *sksec = selinux_sock(sk); 5655 struct sk_security_struct *newsksec = selinux_sock(newsk); 5656 5657 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5658 * the non-sctp clone version. 5659 */ 5660 if (!selinux_policycap_extsockclass()) 5661 return selinux_sk_clone_security(sk, newsk); 5662 5663 newsksec->sid = asoc->secid; 5664 newsksec->peer_sid = asoc->peer_secid; 5665 newsksec->sclass = sksec->sclass; 5666 selinux_netlbl_sctp_sk_clone(sk, newsk); 5667 } 5668 5669 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk) 5670 { 5671 struct sk_security_struct *ssksec = selinux_sock(ssk); 5672 struct sk_security_struct *sksec = selinux_sock(sk); 5673 5674 ssksec->sclass = sksec->sclass; 5675 ssksec->sid = sksec->sid; 5676 5677 /* replace the existing subflow label deleting the existing one 5678 * and re-recreating a new label using the updated context 5679 */ 5680 selinux_netlbl_sk_security_free(ssksec); 5681 return selinux_netlbl_socket_post_create(ssk, ssk->sk_family); 5682 } 5683 5684 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 5685 struct request_sock *req) 5686 { 5687 struct sk_security_struct *sksec = selinux_sock(sk); 5688 int err; 5689 u16 family = req->rsk_ops->family; 5690 u32 connsid; 5691 u32 peersid; 5692 5693 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5694 if (err) 5695 return err; 5696 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5697 if (err) 5698 return err; 5699 req->secid = connsid; 5700 req->peer_secid = peersid; 5701 5702 return selinux_netlbl_inet_conn_request(req, family); 5703 } 5704 5705 static void selinux_inet_csk_clone(struct sock *newsk, 5706 const struct request_sock *req) 5707 { 5708 struct sk_security_struct *newsksec = selinux_sock(newsk); 5709 5710 newsksec->sid = req->secid; 5711 newsksec->peer_sid = req->peer_secid; 5712 /* NOTE: Ideally, we should also get the isec->sid for the 5713 new socket in sync, but we don't have the isec available yet. 5714 So we will wait until sock_graft to do it, by which 5715 time it will have been created and available. */ 5716 5717 /* We don't need to take any sort of lock here as we are the only 5718 * thread with access to newsksec */ 5719 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5720 } 5721 5722 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5723 { 5724 u16 family = sk->sk_family; 5725 struct sk_security_struct *sksec = selinux_sock(sk); 5726 5727 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5728 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5729 family = PF_INET; 5730 5731 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5732 } 5733 5734 static int selinux_secmark_relabel_packet(u32 sid) 5735 { 5736 return avc_has_perm(current_sid(), sid, SECCLASS_PACKET, PACKET__RELABELTO, 5737 NULL); 5738 } 5739 5740 static void selinux_secmark_refcount_inc(void) 5741 { 5742 atomic_inc(&selinux_secmark_refcount); 5743 } 5744 5745 static void selinux_secmark_refcount_dec(void) 5746 { 5747 atomic_dec(&selinux_secmark_refcount); 5748 } 5749 5750 static void selinux_req_classify_flow(const struct request_sock *req, 5751 struct flowi_common *flic) 5752 { 5753 flic->flowic_secid = req->secid; 5754 } 5755 5756 static int selinux_tun_dev_alloc_security(void *security) 5757 { 5758 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5759 5760 tunsec->sid = current_sid(); 5761 return 0; 5762 } 5763 5764 static int selinux_tun_dev_create(void) 5765 { 5766 u32 sid = current_sid(); 5767 5768 /* we aren't taking into account the "sockcreate" SID since the socket 5769 * that is being created here is not a socket in the traditional sense, 5770 * instead it is a private sock, accessible only to the kernel, and 5771 * representing a wide range of network traffic spanning multiple 5772 * connections unlike traditional sockets - check the TUN driver to 5773 * get a better understanding of why this socket is special */ 5774 5775 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5776 NULL); 5777 } 5778 5779 static int selinux_tun_dev_attach_queue(void *security) 5780 { 5781 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5782 5783 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5784 TUN_SOCKET__ATTACH_QUEUE, NULL); 5785 } 5786 5787 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5788 { 5789 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5790 struct sk_security_struct *sksec = selinux_sock(sk); 5791 5792 /* we don't currently perform any NetLabel based labeling here and it 5793 * isn't clear that we would want to do so anyway; while we could apply 5794 * labeling without the support of the TUN user the resulting labeled 5795 * traffic from the other end of the connection would almost certainly 5796 * cause confusion to the TUN user that had no idea network labeling 5797 * protocols were being used */ 5798 5799 sksec->sid = tunsec->sid; 5800 sksec->sclass = SECCLASS_TUN_SOCKET; 5801 5802 return 0; 5803 } 5804 5805 static int selinux_tun_dev_open(void *security) 5806 { 5807 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5808 u32 sid = current_sid(); 5809 int err; 5810 5811 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5812 TUN_SOCKET__RELABELFROM, NULL); 5813 if (err) 5814 return err; 5815 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 5816 TUN_SOCKET__RELABELTO, NULL); 5817 if (err) 5818 return err; 5819 tunsec->sid = sid; 5820 5821 return 0; 5822 } 5823 5824 #ifdef CONFIG_NETFILTER 5825 5826 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb, 5827 const struct nf_hook_state *state) 5828 { 5829 int ifindex; 5830 u16 family; 5831 char *addrp; 5832 u32 peer_sid; 5833 struct common_audit_data ad; 5834 struct lsm_network_audit net; 5835 int secmark_active, peerlbl_active; 5836 5837 if (!selinux_policycap_netpeer()) 5838 return NF_ACCEPT; 5839 5840 secmark_active = selinux_secmark_enabled(); 5841 peerlbl_active = selinux_peerlbl_enabled(); 5842 if (!secmark_active && !peerlbl_active) 5843 return NF_ACCEPT; 5844 5845 family = state->pf; 5846 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5847 return NF_DROP; 5848 5849 ifindex = state->in->ifindex; 5850 ad_net_init_from_iif(&ad, &net, ifindex, family); 5851 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5852 return NF_DROP; 5853 5854 if (peerlbl_active) { 5855 int err; 5856 5857 err = selinux_inet_sys_rcv_skb(state->net, ifindex, 5858 addrp, family, peer_sid, &ad); 5859 if (err) { 5860 selinux_netlbl_err(skb, family, err, 1); 5861 return NF_DROP; 5862 } 5863 } 5864 5865 if (secmark_active) 5866 if (avc_has_perm(peer_sid, skb->secmark, 5867 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5868 return NF_DROP; 5869 5870 if (netlbl_enabled()) 5871 /* we do this in the FORWARD path and not the POST_ROUTING 5872 * path because we want to make sure we apply the necessary 5873 * labeling before IPsec is applied so we can leverage AH 5874 * protection */ 5875 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5876 return NF_DROP; 5877 5878 return NF_ACCEPT; 5879 } 5880 5881 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb, 5882 const struct nf_hook_state *state) 5883 { 5884 struct sock *sk; 5885 u32 sid; 5886 5887 if (!netlbl_enabled()) 5888 return NF_ACCEPT; 5889 5890 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5891 * because we want to make sure we apply the necessary labeling 5892 * before IPsec is applied so we can leverage AH protection */ 5893 sk = skb_to_full_sk(skb); 5894 if (sk) { 5895 struct sk_security_struct *sksec; 5896 5897 if (sk_listener(sk)) 5898 /* if the socket is the listening state then this 5899 * packet is a SYN-ACK packet which means it needs to 5900 * be labeled based on the connection/request_sock and 5901 * not the parent socket. unfortunately, we can't 5902 * lookup the request_sock yet as it isn't queued on 5903 * the parent socket until after the SYN-ACK is sent. 5904 * the "solution" is to simply pass the packet as-is 5905 * as any IP option based labeling should be copied 5906 * from the initial connection request (in the IP 5907 * layer). it is far from ideal, but until we get a 5908 * security label in the packet itself this is the 5909 * best we can do. */ 5910 return NF_ACCEPT; 5911 5912 /* standard practice, label using the parent socket */ 5913 sksec = selinux_sock(sk); 5914 sid = sksec->sid; 5915 } else 5916 sid = SECINITSID_KERNEL; 5917 if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0) 5918 return NF_DROP; 5919 5920 return NF_ACCEPT; 5921 } 5922 5923 5924 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5925 const struct nf_hook_state *state) 5926 { 5927 struct sock *sk; 5928 struct sk_security_struct *sksec; 5929 struct common_audit_data ad; 5930 struct lsm_network_audit net; 5931 u8 proto = 0; 5932 5933 sk = skb_to_full_sk(skb); 5934 if (sk == NULL) 5935 return NF_ACCEPT; 5936 sksec = selinux_sock(sk); 5937 5938 ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf); 5939 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto)) 5940 return NF_DROP; 5941 5942 if (selinux_secmark_enabled()) 5943 if (avc_has_perm(sksec->sid, skb->secmark, 5944 SECCLASS_PACKET, PACKET__SEND, &ad)) 5945 return NF_DROP_ERR(-ECONNREFUSED); 5946 5947 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5948 return NF_DROP_ERR(-ECONNREFUSED); 5949 5950 return NF_ACCEPT; 5951 } 5952 5953 static unsigned int selinux_ip_postroute(void *priv, 5954 struct sk_buff *skb, 5955 const struct nf_hook_state *state) 5956 { 5957 u16 family; 5958 u32 secmark_perm; 5959 u32 peer_sid; 5960 int ifindex; 5961 struct sock *sk; 5962 struct common_audit_data ad; 5963 struct lsm_network_audit net; 5964 char *addrp; 5965 int secmark_active, peerlbl_active; 5966 5967 /* If any sort of compatibility mode is enabled then handoff processing 5968 * to the selinux_ip_postroute_compat() function to deal with the 5969 * special handling. We do this in an attempt to keep this function 5970 * as fast and as clean as possible. */ 5971 if (!selinux_policycap_netpeer()) 5972 return selinux_ip_postroute_compat(skb, state); 5973 5974 secmark_active = selinux_secmark_enabled(); 5975 peerlbl_active = selinux_peerlbl_enabled(); 5976 if (!secmark_active && !peerlbl_active) 5977 return NF_ACCEPT; 5978 5979 sk = skb_to_full_sk(skb); 5980 5981 #ifdef CONFIG_XFRM 5982 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5983 * packet transformation so allow the packet to pass without any checks 5984 * since we'll have another chance to perform access control checks 5985 * when the packet is on it's final way out. 5986 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5987 * is NULL, in this case go ahead and apply access control. 5988 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5989 * TCP listening state we cannot wait until the XFRM processing 5990 * is done as we will miss out on the SA label if we do; 5991 * unfortunately, this means more work, but it is only once per 5992 * connection. */ 5993 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5994 !(sk && sk_listener(sk))) 5995 return NF_ACCEPT; 5996 #endif 5997 5998 family = state->pf; 5999 if (sk == NULL) { 6000 /* Without an associated socket the packet is either coming 6001 * from the kernel or it is being forwarded; check the packet 6002 * to determine which and if the packet is being forwarded 6003 * query the packet directly to determine the security label. */ 6004 if (skb->skb_iif) { 6005 secmark_perm = PACKET__FORWARD_OUT; 6006 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 6007 return NF_DROP; 6008 } else { 6009 secmark_perm = PACKET__SEND; 6010 peer_sid = SECINITSID_KERNEL; 6011 } 6012 } else if (sk_listener(sk)) { 6013 /* Locally generated packet but the associated socket is in the 6014 * listening state which means this is a SYN-ACK packet. In 6015 * this particular case the correct security label is assigned 6016 * to the connection/request_sock but unfortunately we can't 6017 * query the request_sock as it isn't queued on the parent 6018 * socket until after the SYN-ACK packet is sent; the only 6019 * viable choice is to regenerate the label like we do in 6020 * selinux_inet_conn_request(). See also selinux_ip_output() 6021 * for similar problems. */ 6022 u32 skb_sid; 6023 struct sk_security_struct *sksec; 6024 6025 sksec = selinux_sock(sk); 6026 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 6027 return NF_DROP; 6028 /* At this point, if the returned skb peerlbl is SECSID_NULL 6029 * and the packet has been through at least one XFRM 6030 * transformation then we must be dealing with the "final" 6031 * form of labeled IPsec packet; since we've already applied 6032 * all of our access controls on this packet we can safely 6033 * pass the packet. */ 6034 if (skb_sid == SECSID_NULL) { 6035 switch (family) { 6036 case PF_INET: 6037 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 6038 return NF_ACCEPT; 6039 break; 6040 case PF_INET6: 6041 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 6042 return NF_ACCEPT; 6043 break; 6044 default: 6045 return NF_DROP_ERR(-ECONNREFUSED); 6046 } 6047 } 6048 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 6049 return NF_DROP; 6050 secmark_perm = PACKET__SEND; 6051 } else { 6052 /* Locally generated packet, fetch the security label from the 6053 * associated socket. */ 6054 struct sk_security_struct *sksec = selinux_sock(sk); 6055 peer_sid = sksec->sid; 6056 secmark_perm = PACKET__SEND; 6057 } 6058 6059 ifindex = state->out->ifindex; 6060 ad_net_init_from_iif(&ad, &net, ifindex, family); 6061 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 6062 return NF_DROP; 6063 6064 if (secmark_active) 6065 if (avc_has_perm(peer_sid, skb->secmark, 6066 SECCLASS_PACKET, secmark_perm, &ad)) 6067 return NF_DROP_ERR(-ECONNREFUSED); 6068 6069 if (peerlbl_active) { 6070 u32 if_sid; 6071 u32 node_sid; 6072 6073 if (sel_netif_sid(state->net, ifindex, &if_sid)) 6074 return NF_DROP; 6075 if (avc_has_perm(peer_sid, if_sid, 6076 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 6077 return NF_DROP_ERR(-ECONNREFUSED); 6078 6079 if (sel_netnode_sid(addrp, family, &node_sid)) 6080 return NF_DROP; 6081 if (avc_has_perm(peer_sid, node_sid, 6082 SECCLASS_NODE, NODE__SENDTO, &ad)) 6083 return NF_DROP_ERR(-ECONNREFUSED); 6084 } 6085 6086 return NF_ACCEPT; 6087 } 6088 #endif /* CONFIG_NETFILTER */ 6089 6090 static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type) 6091 { 6092 struct sk_security_struct *sksec = sk->sk_security; 6093 struct common_audit_data ad; 6094 u8 driver; 6095 u8 xperm; 6096 6097 if (sock_skip_has_perm(sksec->sid)) 6098 return 0; 6099 6100 ad.type = LSM_AUDIT_DATA_NLMSGTYPE; 6101 ad.u.nlmsg_type = nlmsg_type; 6102 6103 driver = nlmsg_type >> 8; 6104 xperm = nlmsg_type & 0xff; 6105 6106 return avc_has_extended_perms(current_sid(), sksec->sid, sksec->sclass, 6107 perms, driver, AVC_EXT_NLMSG, xperm, &ad); 6108 } 6109 6110 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 6111 { 6112 int rc = 0; 6113 unsigned int msg_len; 6114 unsigned int data_len = skb->len; 6115 unsigned char *data = skb->data; 6116 struct nlmsghdr *nlh; 6117 struct sk_security_struct *sksec = selinux_sock(sk); 6118 u16 sclass = sksec->sclass; 6119 u32 perm; 6120 6121 while (data_len >= nlmsg_total_size(0)) { 6122 nlh = (struct nlmsghdr *)data; 6123 6124 /* NOTE: the nlmsg_len field isn't reliably set by some netlink 6125 * users which means we can't reject skb's with bogus 6126 * length fields; our solution is to follow what 6127 * netlink_rcv_skb() does and simply skip processing at 6128 * messages with length fields that are clearly junk 6129 */ 6130 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len) 6131 return 0; 6132 6133 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm); 6134 if (rc == 0) { 6135 if (selinux_policycap_netlink_xperm()) { 6136 rc = nlmsg_sock_has_extended_perms( 6137 sk, perm, nlh->nlmsg_type); 6138 } else { 6139 rc = sock_has_perm(sk, perm); 6140 } 6141 if (rc) 6142 return rc; 6143 } else if (rc == -EINVAL) { 6144 /* -EINVAL is a missing msg/perm mapping */ 6145 pr_warn_ratelimited("SELinux: unrecognized netlink" 6146 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 6147 " pid=%d comm=%s\n", 6148 sk->sk_protocol, nlh->nlmsg_type, 6149 secclass_map[sclass - 1].name, 6150 task_pid_nr(current), current->comm); 6151 if (enforcing_enabled() && 6152 !security_get_allow_unknown()) 6153 return rc; 6154 rc = 0; 6155 } else if (rc == -ENOENT) { 6156 /* -ENOENT is a missing socket/class mapping, ignore */ 6157 rc = 0; 6158 } else { 6159 return rc; 6160 } 6161 6162 /* move to the next message after applying netlink padding */ 6163 msg_len = NLMSG_ALIGN(nlh->nlmsg_len); 6164 if (msg_len >= data_len) 6165 return 0; 6166 data_len -= msg_len; 6167 data += msg_len; 6168 } 6169 6170 return rc; 6171 } 6172 6173 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass) 6174 { 6175 isec->sclass = sclass; 6176 isec->sid = current_sid(); 6177 } 6178 6179 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 6180 u32 perms) 6181 { 6182 struct ipc_security_struct *isec; 6183 struct common_audit_data ad; 6184 u32 sid = current_sid(); 6185 6186 isec = selinux_ipc(ipc_perms); 6187 6188 ad.type = LSM_AUDIT_DATA_IPC; 6189 ad.u.ipc_id = ipc_perms->key; 6190 6191 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 6192 } 6193 6194 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 6195 { 6196 struct msg_security_struct *msec; 6197 6198 msec = selinux_msg_msg(msg); 6199 msec->sid = SECINITSID_UNLABELED; 6200 6201 return 0; 6202 } 6203 6204 /* message queue security operations */ 6205 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 6206 { 6207 struct ipc_security_struct *isec; 6208 struct common_audit_data ad; 6209 u32 sid = current_sid(); 6210 6211 isec = selinux_ipc(msq); 6212 ipc_init_security(isec, SECCLASS_MSGQ); 6213 6214 ad.type = LSM_AUDIT_DATA_IPC; 6215 ad.u.ipc_id = msq->key; 6216 6217 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6218 MSGQ__CREATE, &ad); 6219 } 6220 6221 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 6222 { 6223 struct ipc_security_struct *isec; 6224 struct common_audit_data ad; 6225 u32 sid = current_sid(); 6226 6227 isec = selinux_ipc(msq); 6228 6229 ad.type = LSM_AUDIT_DATA_IPC; 6230 ad.u.ipc_id = msq->key; 6231 6232 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6233 MSGQ__ASSOCIATE, &ad); 6234 } 6235 6236 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 6237 { 6238 u32 perms; 6239 6240 switch (cmd) { 6241 case IPC_INFO: 6242 case MSG_INFO: 6243 /* No specific object, just general system-wide information. */ 6244 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6245 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6246 case IPC_STAT: 6247 case MSG_STAT: 6248 case MSG_STAT_ANY: 6249 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6250 break; 6251 case IPC_SET: 6252 perms = MSGQ__SETATTR; 6253 break; 6254 case IPC_RMID: 6255 perms = MSGQ__DESTROY; 6256 break; 6257 default: 6258 return 0; 6259 } 6260 6261 return ipc_has_perm(msq, perms); 6262 } 6263 6264 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6265 { 6266 struct ipc_security_struct *isec; 6267 struct msg_security_struct *msec; 6268 struct common_audit_data ad; 6269 u32 sid = current_sid(); 6270 int rc; 6271 6272 isec = selinux_ipc(msq); 6273 msec = selinux_msg_msg(msg); 6274 6275 /* 6276 * First time through, need to assign label to the message 6277 */ 6278 if (msec->sid == SECINITSID_UNLABELED) { 6279 /* 6280 * Compute new sid based on current process and 6281 * message queue this message will be stored in 6282 */ 6283 rc = security_transition_sid(sid, isec->sid, 6284 SECCLASS_MSG, NULL, &msec->sid); 6285 if (rc) 6286 return rc; 6287 } 6288 6289 ad.type = LSM_AUDIT_DATA_IPC; 6290 ad.u.ipc_id = msq->key; 6291 6292 /* Can this process write to the queue? */ 6293 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6294 MSGQ__WRITE, &ad); 6295 if (!rc) 6296 /* Can this process send the message */ 6297 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 6298 MSG__SEND, &ad); 6299 if (!rc) 6300 /* Can the message be put in the queue? */ 6301 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 6302 MSGQ__ENQUEUE, &ad); 6303 6304 return rc; 6305 } 6306 6307 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6308 struct task_struct *target, 6309 long type, int mode) 6310 { 6311 struct ipc_security_struct *isec; 6312 struct msg_security_struct *msec; 6313 struct common_audit_data ad; 6314 u32 sid = task_sid_obj(target); 6315 int rc; 6316 6317 isec = selinux_ipc(msq); 6318 msec = selinux_msg_msg(msg); 6319 6320 ad.type = LSM_AUDIT_DATA_IPC; 6321 ad.u.ipc_id = msq->key; 6322 6323 rc = avc_has_perm(sid, isec->sid, 6324 SECCLASS_MSGQ, MSGQ__READ, &ad); 6325 if (!rc) 6326 rc = avc_has_perm(sid, msec->sid, 6327 SECCLASS_MSG, MSG__RECEIVE, &ad); 6328 return rc; 6329 } 6330 6331 /* Shared Memory security operations */ 6332 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6333 { 6334 struct ipc_security_struct *isec; 6335 struct common_audit_data ad; 6336 u32 sid = current_sid(); 6337 6338 isec = selinux_ipc(shp); 6339 ipc_init_security(isec, SECCLASS_SHM); 6340 6341 ad.type = LSM_AUDIT_DATA_IPC; 6342 ad.u.ipc_id = shp->key; 6343 6344 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6345 SHM__CREATE, &ad); 6346 } 6347 6348 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6349 { 6350 struct ipc_security_struct *isec; 6351 struct common_audit_data ad; 6352 u32 sid = current_sid(); 6353 6354 isec = selinux_ipc(shp); 6355 6356 ad.type = LSM_AUDIT_DATA_IPC; 6357 ad.u.ipc_id = shp->key; 6358 6359 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6360 SHM__ASSOCIATE, &ad); 6361 } 6362 6363 /* Note, at this point, shp is locked down */ 6364 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6365 { 6366 u32 perms; 6367 6368 switch (cmd) { 6369 case IPC_INFO: 6370 case SHM_INFO: 6371 /* No specific object, just general system-wide information. */ 6372 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6373 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6374 case IPC_STAT: 6375 case SHM_STAT: 6376 case SHM_STAT_ANY: 6377 perms = SHM__GETATTR | SHM__ASSOCIATE; 6378 break; 6379 case IPC_SET: 6380 perms = SHM__SETATTR; 6381 break; 6382 case SHM_LOCK: 6383 case SHM_UNLOCK: 6384 perms = SHM__LOCK; 6385 break; 6386 case IPC_RMID: 6387 perms = SHM__DESTROY; 6388 break; 6389 default: 6390 return 0; 6391 } 6392 6393 return ipc_has_perm(shp, perms); 6394 } 6395 6396 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6397 char __user *shmaddr, int shmflg) 6398 { 6399 u32 perms; 6400 6401 if (shmflg & SHM_RDONLY) 6402 perms = SHM__READ; 6403 else 6404 perms = SHM__READ | SHM__WRITE; 6405 6406 return ipc_has_perm(shp, perms); 6407 } 6408 6409 /* Semaphore security operations */ 6410 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6411 { 6412 struct ipc_security_struct *isec; 6413 struct common_audit_data ad; 6414 u32 sid = current_sid(); 6415 6416 isec = selinux_ipc(sma); 6417 ipc_init_security(isec, SECCLASS_SEM); 6418 6419 ad.type = LSM_AUDIT_DATA_IPC; 6420 ad.u.ipc_id = sma->key; 6421 6422 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6423 SEM__CREATE, &ad); 6424 } 6425 6426 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6427 { 6428 struct ipc_security_struct *isec; 6429 struct common_audit_data ad; 6430 u32 sid = current_sid(); 6431 6432 isec = selinux_ipc(sma); 6433 6434 ad.type = LSM_AUDIT_DATA_IPC; 6435 ad.u.ipc_id = sma->key; 6436 6437 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6438 SEM__ASSOCIATE, &ad); 6439 } 6440 6441 /* Note, at this point, sma is locked down */ 6442 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6443 { 6444 int err; 6445 u32 perms; 6446 6447 switch (cmd) { 6448 case IPC_INFO: 6449 case SEM_INFO: 6450 /* No specific object, just general system-wide information. */ 6451 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6452 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6453 case GETPID: 6454 case GETNCNT: 6455 case GETZCNT: 6456 perms = SEM__GETATTR; 6457 break; 6458 case GETVAL: 6459 case GETALL: 6460 perms = SEM__READ; 6461 break; 6462 case SETVAL: 6463 case SETALL: 6464 perms = SEM__WRITE; 6465 break; 6466 case IPC_RMID: 6467 perms = SEM__DESTROY; 6468 break; 6469 case IPC_SET: 6470 perms = SEM__SETATTR; 6471 break; 6472 case IPC_STAT: 6473 case SEM_STAT: 6474 case SEM_STAT_ANY: 6475 perms = SEM__GETATTR | SEM__ASSOCIATE; 6476 break; 6477 default: 6478 return 0; 6479 } 6480 6481 err = ipc_has_perm(sma, perms); 6482 return err; 6483 } 6484 6485 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6486 struct sembuf *sops, unsigned nsops, int alter) 6487 { 6488 u32 perms; 6489 6490 if (alter) 6491 perms = SEM__READ | SEM__WRITE; 6492 else 6493 perms = SEM__READ; 6494 6495 return ipc_has_perm(sma, perms); 6496 } 6497 6498 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6499 { 6500 u32 av = 0; 6501 6502 av = 0; 6503 if (flag & S_IRUGO) 6504 av |= IPC__UNIX_READ; 6505 if (flag & S_IWUGO) 6506 av |= IPC__UNIX_WRITE; 6507 6508 if (av == 0) 6509 return 0; 6510 6511 return ipc_has_perm(ipcp, av); 6512 } 6513 6514 static void selinux_ipc_getlsmprop(struct kern_ipc_perm *ipcp, 6515 struct lsm_prop *prop) 6516 { 6517 struct ipc_security_struct *isec = selinux_ipc(ipcp); 6518 prop->selinux.secid = isec->sid; 6519 } 6520 6521 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6522 { 6523 if (inode) 6524 inode_doinit_with_dentry(inode, dentry); 6525 } 6526 6527 static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p, 6528 char **value) 6529 { 6530 const struct task_security_struct *tsec; 6531 int error; 6532 u32 sid; 6533 u32 len; 6534 6535 rcu_read_lock(); 6536 tsec = selinux_cred(__task_cred(p)); 6537 if (p != current) { 6538 error = avc_has_perm(current_sid(), tsec->sid, 6539 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6540 if (error) 6541 goto err_unlock; 6542 } 6543 switch (attr) { 6544 case LSM_ATTR_CURRENT: 6545 sid = tsec->sid; 6546 break; 6547 case LSM_ATTR_PREV: 6548 sid = tsec->osid; 6549 break; 6550 case LSM_ATTR_EXEC: 6551 sid = tsec->exec_sid; 6552 break; 6553 case LSM_ATTR_FSCREATE: 6554 sid = tsec->create_sid; 6555 break; 6556 case LSM_ATTR_KEYCREATE: 6557 sid = tsec->keycreate_sid; 6558 break; 6559 case LSM_ATTR_SOCKCREATE: 6560 sid = tsec->sockcreate_sid; 6561 break; 6562 default: 6563 error = -EOPNOTSUPP; 6564 goto err_unlock; 6565 } 6566 rcu_read_unlock(); 6567 6568 if (sid == SECSID_NULL) { 6569 *value = NULL; 6570 return 0; 6571 } 6572 6573 error = security_sid_to_context(sid, value, &len); 6574 if (error) 6575 return error; 6576 return len; 6577 6578 err_unlock: 6579 rcu_read_unlock(); 6580 return error; 6581 } 6582 6583 static int selinux_lsm_setattr(u64 attr, void *value, size_t size) 6584 { 6585 struct task_security_struct *tsec; 6586 struct cred *new; 6587 u32 mysid = current_sid(), sid = 0, ptsid; 6588 int error; 6589 char *str = value; 6590 6591 /* 6592 * Basic control over ability to set these attributes at all. 6593 */ 6594 switch (attr) { 6595 case LSM_ATTR_EXEC: 6596 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6597 PROCESS__SETEXEC, NULL); 6598 break; 6599 case LSM_ATTR_FSCREATE: 6600 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6601 PROCESS__SETFSCREATE, NULL); 6602 break; 6603 case LSM_ATTR_KEYCREATE: 6604 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6605 PROCESS__SETKEYCREATE, NULL); 6606 break; 6607 case LSM_ATTR_SOCKCREATE: 6608 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6609 PROCESS__SETSOCKCREATE, NULL); 6610 break; 6611 case LSM_ATTR_CURRENT: 6612 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6613 PROCESS__SETCURRENT, NULL); 6614 break; 6615 default: 6616 error = -EOPNOTSUPP; 6617 break; 6618 } 6619 if (error) 6620 return error; 6621 6622 /* Obtain a SID for the context, if one was specified. */ 6623 if (size && str[0] && str[0] != '\n') { 6624 if (str[size-1] == '\n') { 6625 str[size-1] = 0; 6626 size--; 6627 } 6628 error = security_context_to_sid(value, size, 6629 &sid, GFP_KERNEL); 6630 if (error == -EINVAL && attr == LSM_ATTR_FSCREATE) { 6631 if (!has_cap_mac_admin(true)) { 6632 struct audit_buffer *ab; 6633 size_t audit_size; 6634 6635 /* We strip a nul only if it is at the end, 6636 * otherwise the context contains a nul and 6637 * we should audit that */ 6638 if (str[size - 1] == '\0') 6639 audit_size = size - 1; 6640 else 6641 audit_size = size; 6642 ab = audit_log_start(audit_context(), 6643 GFP_ATOMIC, 6644 AUDIT_SELINUX_ERR); 6645 if (!ab) 6646 return error; 6647 audit_log_format(ab, "op=fscreate invalid_context="); 6648 audit_log_n_untrustedstring(ab, value, 6649 audit_size); 6650 audit_log_end(ab); 6651 6652 return error; 6653 } 6654 error = security_context_to_sid_force(value, size, 6655 &sid); 6656 } 6657 if (error) 6658 return error; 6659 } 6660 6661 new = prepare_creds(); 6662 if (!new) 6663 return -ENOMEM; 6664 6665 /* Permission checking based on the specified context is 6666 performed during the actual operation (execve, 6667 open/mkdir/...), when we know the full context of the 6668 operation. See selinux_bprm_creds_for_exec for the execve 6669 checks and may_create for the file creation checks. The 6670 operation will then fail if the context is not permitted. */ 6671 tsec = selinux_cred(new); 6672 if (attr == LSM_ATTR_EXEC) { 6673 tsec->exec_sid = sid; 6674 } else if (attr == LSM_ATTR_FSCREATE) { 6675 tsec->create_sid = sid; 6676 } else if (attr == LSM_ATTR_KEYCREATE) { 6677 if (sid) { 6678 error = avc_has_perm(mysid, sid, 6679 SECCLASS_KEY, KEY__CREATE, NULL); 6680 if (error) 6681 goto abort_change; 6682 } 6683 tsec->keycreate_sid = sid; 6684 } else if (attr == LSM_ATTR_SOCKCREATE) { 6685 tsec->sockcreate_sid = sid; 6686 } else if (attr == LSM_ATTR_CURRENT) { 6687 error = -EINVAL; 6688 if (sid == 0) 6689 goto abort_change; 6690 6691 if (!current_is_single_threaded()) { 6692 error = security_bounded_transition(tsec->sid, sid); 6693 if (error) 6694 goto abort_change; 6695 } 6696 6697 /* Check permissions for the transition. */ 6698 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 6699 PROCESS__DYNTRANSITION, NULL); 6700 if (error) 6701 goto abort_change; 6702 6703 /* Check for ptracing, and update the task SID if ok. 6704 Otherwise, leave SID unchanged and fail. */ 6705 ptsid = ptrace_parent_sid(); 6706 if (ptsid != 0) { 6707 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 6708 PROCESS__PTRACE, NULL); 6709 if (error) 6710 goto abort_change; 6711 } 6712 6713 tsec->sid = sid; 6714 } else { 6715 error = -EINVAL; 6716 goto abort_change; 6717 } 6718 6719 commit_creds(new); 6720 return size; 6721 6722 abort_change: 6723 abort_creds(new); 6724 return error; 6725 } 6726 6727 /** 6728 * selinux_getselfattr - Get SELinux current task attributes 6729 * @attr: the requested attribute 6730 * @ctx: buffer to receive the result 6731 * @size: buffer size (input), buffer size used (output) 6732 * @flags: unused 6733 * 6734 * Fill the passed user space @ctx with the details of the requested 6735 * attribute. 6736 * 6737 * Returns the number of attributes on success, an error code otherwise. 6738 * There will only ever be one attribute. 6739 */ 6740 static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, 6741 u32 *size, u32 flags) 6742 { 6743 int rc; 6744 char *val = NULL; 6745 int val_len; 6746 6747 val_len = selinux_lsm_getattr(attr, current, &val); 6748 if (val_len < 0) 6749 return val_len; 6750 rc = lsm_fill_user_ctx(ctx, size, val, val_len, LSM_ID_SELINUX, 0); 6751 kfree(val); 6752 return (!rc ? 1 : rc); 6753 } 6754 6755 static int selinux_setselfattr(unsigned int attr, struct lsm_ctx *ctx, 6756 u32 size, u32 flags) 6757 { 6758 int rc; 6759 6760 rc = selinux_lsm_setattr(attr, ctx->ctx, ctx->ctx_len); 6761 if (rc > 0) 6762 return 0; 6763 return rc; 6764 } 6765 6766 static int selinux_getprocattr(struct task_struct *p, 6767 const char *name, char **value) 6768 { 6769 unsigned int attr = lsm_name_to_attr(name); 6770 int rc; 6771 6772 if (attr) { 6773 rc = selinux_lsm_getattr(attr, p, value); 6774 if (rc != -EOPNOTSUPP) 6775 return rc; 6776 } 6777 6778 return -EINVAL; 6779 } 6780 6781 static int selinux_setprocattr(const char *name, void *value, size_t size) 6782 { 6783 int attr = lsm_name_to_attr(name); 6784 6785 if (attr) 6786 return selinux_lsm_setattr(attr, value, size); 6787 return -EINVAL; 6788 } 6789 6790 static int selinux_ismaclabel(const char *name) 6791 { 6792 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6793 } 6794 6795 static int selinux_secid_to_secctx(u32 secid, struct lsm_context *cp) 6796 { 6797 u32 seclen; 6798 int ret; 6799 6800 if (cp) { 6801 cp->id = LSM_ID_SELINUX; 6802 ret = security_sid_to_context(secid, &cp->context, &cp->len); 6803 if (ret < 0) 6804 return ret; 6805 return cp->len; 6806 } 6807 ret = security_sid_to_context(secid, NULL, &seclen); 6808 if (ret < 0) 6809 return ret; 6810 return seclen; 6811 } 6812 6813 static int selinux_lsmprop_to_secctx(struct lsm_prop *prop, 6814 struct lsm_context *cp) 6815 { 6816 return selinux_secid_to_secctx(prop->selinux.secid, cp); 6817 } 6818 6819 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6820 { 6821 return security_context_to_sid(secdata, seclen, 6822 secid, GFP_KERNEL); 6823 } 6824 6825 static void selinux_release_secctx(struct lsm_context *cp) 6826 { 6827 if (cp->id == LSM_ID_SELINUX) { 6828 kfree(cp->context); 6829 cp->context = NULL; 6830 cp->id = LSM_ID_UNDEF; 6831 } 6832 } 6833 6834 static void selinux_inode_invalidate_secctx(struct inode *inode) 6835 { 6836 struct inode_security_struct *isec = selinux_inode(inode); 6837 6838 spin_lock(&isec->lock); 6839 isec->initialized = LABEL_INVALID; 6840 spin_unlock(&isec->lock); 6841 } 6842 6843 /* 6844 * called with inode->i_mutex locked 6845 */ 6846 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6847 { 6848 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, 6849 ctx, ctxlen, 0); 6850 /* Do not return error when suppressing label (SBLABEL_MNT not set). */ 6851 return rc == -EOPNOTSUPP ? 0 : rc; 6852 } 6853 6854 /* 6855 * called with inode->i_mutex locked 6856 */ 6857 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6858 { 6859 return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX, 6860 ctx, ctxlen, 0, NULL); 6861 } 6862 6863 static int selinux_inode_getsecctx(struct inode *inode, struct lsm_context *cp) 6864 { 6865 int len; 6866 len = selinux_inode_getsecurity(&nop_mnt_idmap, inode, 6867 XATTR_SELINUX_SUFFIX, 6868 (void **)&cp->context, true); 6869 if (len < 0) 6870 return len; 6871 cp->len = len; 6872 cp->id = LSM_ID_SELINUX; 6873 return 0; 6874 } 6875 #ifdef CONFIG_KEYS 6876 6877 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6878 unsigned long flags) 6879 { 6880 const struct task_security_struct *tsec; 6881 struct key_security_struct *ksec = selinux_key(k); 6882 6883 tsec = selinux_cred(cred); 6884 if (tsec->keycreate_sid) 6885 ksec->sid = tsec->keycreate_sid; 6886 else 6887 ksec->sid = tsec->sid; 6888 6889 return 0; 6890 } 6891 6892 static int selinux_key_permission(key_ref_t key_ref, 6893 const struct cred *cred, 6894 enum key_need_perm need_perm) 6895 { 6896 struct key *key; 6897 struct key_security_struct *ksec; 6898 u32 perm, sid; 6899 6900 switch (need_perm) { 6901 case KEY_NEED_VIEW: 6902 perm = KEY__VIEW; 6903 break; 6904 case KEY_NEED_READ: 6905 perm = KEY__READ; 6906 break; 6907 case KEY_NEED_WRITE: 6908 perm = KEY__WRITE; 6909 break; 6910 case KEY_NEED_SEARCH: 6911 perm = KEY__SEARCH; 6912 break; 6913 case KEY_NEED_LINK: 6914 perm = KEY__LINK; 6915 break; 6916 case KEY_NEED_SETATTR: 6917 perm = KEY__SETATTR; 6918 break; 6919 case KEY_NEED_UNLINK: 6920 case KEY_SYSADMIN_OVERRIDE: 6921 case KEY_AUTHTOKEN_OVERRIDE: 6922 case KEY_DEFER_PERM_CHECK: 6923 return 0; 6924 default: 6925 WARN_ON(1); 6926 return -EPERM; 6927 6928 } 6929 6930 sid = cred_sid(cred); 6931 key = key_ref_to_ptr(key_ref); 6932 ksec = selinux_key(key); 6933 6934 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6935 } 6936 6937 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6938 { 6939 struct key_security_struct *ksec = selinux_key(key); 6940 char *context = NULL; 6941 unsigned len; 6942 int rc; 6943 6944 rc = security_sid_to_context(ksec->sid, 6945 &context, &len); 6946 if (!rc) 6947 rc = len; 6948 *_buffer = context; 6949 return rc; 6950 } 6951 6952 #ifdef CONFIG_KEY_NOTIFICATIONS 6953 static int selinux_watch_key(struct key *key) 6954 { 6955 struct key_security_struct *ksec = selinux_key(key); 6956 u32 sid = current_sid(); 6957 6958 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL); 6959 } 6960 #endif 6961 #endif 6962 6963 #ifdef CONFIG_SECURITY_INFINIBAND 6964 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6965 { 6966 struct common_audit_data ad; 6967 int err; 6968 u32 sid = 0; 6969 struct ib_security_struct *sec = ib_sec; 6970 struct lsm_ibpkey_audit ibpkey; 6971 6972 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6973 if (err) 6974 return err; 6975 6976 ad.type = LSM_AUDIT_DATA_IBPKEY; 6977 ibpkey.subnet_prefix = subnet_prefix; 6978 ibpkey.pkey = pkey_val; 6979 ad.u.ibpkey = &ibpkey; 6980 return avc_has_perm(sec->sid, sid, 6981 SECCLASS_INFINIBAND_PKEY, 6982 INFINIBAND_PKEY__ACCESS, &ad); 6983 } 6984 6985 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6986 u8 port_num) 6987 { 6988 struct common_audit_data ad; 6989 int err; 6990 u32 sid = 0; 6991 struct ib_security_struct *sec = ib_sec; 6992 struct lsm_ibendport_audit ibendport; 6993 6994 err = security_ib_endport_sid(dev_name, port_num, 6995 &sid); 6996 6997 if (err) 6998 return err; 6999 7000 ad.type = LSM_AUDIT_DATA_IBENDPORT; 7001 ibendport.dev_name = dev_name; 7002 ibendport.port = port_num; 7003 ad.u.ibendport = &ibendport; 7004 return avc_has_perm(sec->sid, sid, 7005 SECCLASS_INFINIBAND_ENDPORT, 7006 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 7007 } 7008 7009 static int selinux_ib_alloc_security(void *ib_sec) 7010 { 7011 struct ib_security_struct *sec = selinux_ib(ib_sec); 7012 7013 sec->sid = current_sid(); 7014 return 0; 7015 } 7016 #endif 7017 7018 #ifdef CONFIG_BPF_SYSCALL 7019 static int selinux_bpf(int cmd, union bpf_attr *attr, 7020 unsigned int size, bool kernel) 7021 { 7022 u32 sid = current_sid(); 7023 int ret; 7024 7025 switch (cmd) { 7026 case BPF_MAP_CREATE: 7027 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 7028 NULL); 7029 break; 7030 case BPF_PROG_LOAD: 7031 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 7032 NULL); 7033 break; 7034 default: 7035 ret = 0; 7036 break; 7037 } 7038 7039 return ret; 7040 } 7041 7042 static u32 bpf_map_fmode_to_av(fmode_t fmode) 7043 { 7044 u32 av = 0; 7045 7046 if (fmode & FMODE_READ) 7047 av |= BPF__MAP_READ; 7048 if (fmode & FMODE_WRITE) 7049 av |= BPF__MAP_WRITE; 7050 return av; 7051 } 7052 7053 /* This function will check the file pass through unix socket or binder to see 7054 * if it is a bpf related object. And apply corresponding checks on the bpf 7055 * object based on the type. The bpf maps and programs, not like other files and 7056 * socket, are using a shared anonymous inode inside the kernel as their inode. 7057 * So checking that inode cannot identify if the process have privilege to 7058 * access the bpf object and that's why we have to add this additional check in 7059 * selinux_file_receive and selinux_binder_transfer_files. 7060 */ 7061 static int bpf_fd_pass(const struct file *file, u32 sid) 7062 { 7063 struct bpf_security_struct *bpfsec; 7064 struct bpf_prog *prog; 7065 struct bpf_map *map; 7066 int ret; 7067 7068 if (file->f_op == &bpf_map_fops) { 7069 map = file->private_data; 7070 bpfsec = selinux_bpf_map_security(map); 7071 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7072 bpf_map_fmode_to_av(file->f_mode), NULL); 7073 if (ret) 7074 return ret; 7075 } else if (file->f_op == &bpf_prog_fops) { 7076 prog = file->private_data; 7077 bpfsec = selinux_bpf_prog_security(prog); 7078 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7079 BPF__PROG_RUN, NULL); 7080 if (ret) 7081 return ret; 7082 } 7083 return 0; 7084 } 7085 7086 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 7087 { 7088 u32 sid = current_sid(); 7089 struct bpf_security_struct *bpfsec; 7090 7091 bpfsec = selinux_bpf_map_security(map); 7092 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7093 bpf_map_fmode_to_av(fmode), NULL); 7094 } 7095 7096 static int selinux_bpf_prog(struct bpf_prog *prog) 7097 { 7098 u32 sid = current_sid(); 7099 struct bpf_security_struct *bpfsec; 7100 7101 bpfsec = selinux_bpf_prog_security(prog); 7102 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7103 BPF__PROG_RUN, NULL); 7104 } 7105 7106 static int selinux_bpf_map_create(struct bpf_map *map, union bpf_attr *attr, 7107 struct bpf_token *token, bool kernel) 7108 { 7109 struct bpf_security_struct *bpfsec; 7110 7111 bpfsec = selinux_bpf_map_security(map); 7112 bpfsec->sid = current_sid(); 7113 7114 return 0; 7115 } 7116 7117 static int selinux_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr, 7118 struct bpf_token *token, bool kernel) 7119 { 7120 struct bpf_security_struct *bpfsec; 7121 7122 bpfsec = selinux_bpf_prog_security(prog); 7123 bpfsec->sid = current_sid(); 7124 7125 return 0; 7126 } 7127 7128 static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *attr, 7129 const struct path *path) 7130 { 7131 struct bpf_security_struct *bpfsec; 7132 7133 bpfsec = selinux_bpf_token_security(token); 7134 bpfsec->sid = current_sid(); 7135 7136 return 0; 7137 } 7138 #endif 7139 7140 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { 7141 .lbs_cred = sizeof(struct task_security_struct), 7142 .lbs_file = sizeof(struct file_security_struct), 7143 .lbs_inode = sizeof(struct inode_security_struct), 7144 .lbs_ipc = sizeof(struct ipc_security_struct), 7145 .lbs_key = sizeof(struct key_security_struct), 7146 .lbs_msg_msg = sizeof(struct msg_security_struct), 7147 #ifdef CONFIG_PERF_EVENTS 7148 .lbs_perf_event = sizeof(struct perf_event_security_struct), 7149 #endif 7150 .lbs_sock = sizeof(struct sk_security_struct), 7151 .lbs_superblock = sizeof(struct superblock_security_struct), 7152 .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, 7153 .lbs_tun_dev = sizeof(struct tun_security_struct), 7154 .lbs_ib = sizeof(struct ib_security_struct), 7155 .lbs_bpf_map = sizeof(struct bpf_security_struct), 7156 .lbs_bpf_prog = sizeof(struct bpf_security_struct), 7157 .lbs_bpf_token = sizeof(struct bpf_security_struct), 7158 }; 7159 7160 #ifdef CONFIG_PERF_EVENTS 7161 static int selinux_perf_event_open(int type) 7162 { 7163 u32 requested, sid = current_sid(); 7164 7165 if (type == PERF_SECURITY_OPEN) 7166 requested = PERF_EVENT__OPEN; 7167 else if (type == PERF_SECURITY_CPU) 7168 requested = PERF_EVENT__CPU; 7169 else if (type == PERF_SECURITY_KERNEL) 7170 requested = PERF_EVENT__KERNEL; 7171 else if (type == PERF_SECURITY_TRACEPOINT) 7172 requested = PERF_EVENT__TRACEPOINT; 7173 else 7174 return -EINVAL; 7175 7176 return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT, 7177 requested, NULL); 7178 } 7179 7180 static int selinux_perf_event_alloc(struct perf_event *event) 7181 { 7182 struct perf_event_security_struct *perfsec; 7183 7184 perfsec = selinux_perf_event(event->security); 7185 perfsec->sid = current_sid(); 7186 7187 return 0; 7188 } 7189 7190 static int selinux_perf_event_read(struct perf_event *event) 7191 { 7192 struct perf_event_security_struct *perfsec = event->security; 7193 u32 sid = current_sid(); 7194 7195 return avc_has_perm(sid, perfsec->sid, 7196 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL); 7197 } 7198 7199 static int selinux_perf_event_write(struct perf_event *event) 7200 { 7201 struct perf_event_security_struct *perfsec = event->security; 7202 u32 sid = current_sid(); 7203 7204 return avc_has_perm(sid, perfsec->sid, 7205 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL); 7206 } 7207 #endif 7208 7209 #ifdef CONFIG_IO_URING 7210 /** 7211 * selinux_uring_override_creds - check the requested cred override 7212 * @new: the target creds 7213 * 7214 * Check to see if the current task is allowed to override it's credentials 7215 * to service an io_uring operation. 7216 */ 7217 static int selinux_uring_override_creds(const struct cred *new) 7218 { 7219 return avc_has_perm(current_sid(), cred_sid(new), 7220 SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL); 7221 } 7222 7223 /** 7224 * selinux_uring_sqpoll - check if a io_uring polling thread can be created 7225 * 7226 * Check to see if the current task is allowed to create a new io_uring 7227 * kernel polling thread. 7228 */ 7229 static int selinux_uring_sqpoll(void) 7230 { 7231 u32 sid = current_sid(); 7232 7233 return avc_has_perm(sid, sid, 7234 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL); 7235 } 7236 7237 /** 7238 * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed 7239 * @ioucmd: the io_uring command structure 7240 * 7241 * Check to see if the current domain is allowed to execute an 7242 * IORING_OP_URING_CMD against the device/file specified in @ioucmd. 7243 * 7244 */ 7245 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) 7246 { 7247 struct file *file = ioucmd->file; 7248 struct inode *inode = file_inode(file); 7249 struct inode_security_struct *isec = selinux_inode(inode); 7250 struct common_audit_data ad; 7251 7252 ad.type = LSM_AUDIT_DATA_FILE; 7253 ad.u.file = file; 7254 7255 return avc_has_perm(current_sid(), isec->sid, 7256 SECCLASS_IO_URING, IO_URING__CMD, &ad); 7257 } 7258 7259 /** 7260 * selinux_uring_allowed - check if io_uring_setup() can be called 7261 * 7262 * Check to see if the current task is allowed to call io_uring_setup(). 7263 */ 7264 static int selinux_uring_allowed(void) 7265 { 7266 u32 sid = current_sid(); 7267 7268 return avc_has_perm(sid, sid, SECCLASS_IO_URING, IO_URING__ALLOWED, 7269 NULL); 7270 } 7271 #endif /* CONFIG_IO_URING */ 7272 7273 static const struct lsm_id selinux_lsmid = { 7274 .name = "selinux", 7275 .id = LSM_ID_SELINUX, 7276 }; 7277 7278 /* 7279 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: 7280 * 1. any hooks that don't belong to (2.) or (3.) below, 7281 * 2. hooks that both access structures allocated by other hooks, and allocate 7282 * structures that can be later accessed by other hooks (mostly "cloning" 7283 * hooks), 7284 * 3. hooks that only allocate structures that can be later accessed by other 7285 * hooks ("allocating" hooks). 7286 * 7287 * Please follow block comment delimiters in the list to keep this order. 7288 */ 7289 static struct security_hook_list selinux_hooks[] __ro_after_init = { 7290 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 7291 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 7292 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 7293 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 7294 7295 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 7296 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 7297 LSM_HOOK_INIT(capget, selinux_capget), 7298 LSM_HOOK_INIT(capset, selinux_capset), 7299 LSM_HOOK_INIT(capable, selinux_capable), 7300 LSM_HOOK_INIT(quotactl, selinux_quotactl), 7301 LSM_HOOK_INIT(quota_on, selinux_quota_on), 7302 LSM_HOOK_INIT(syslog, selinux_syslog), 7303 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 7304 7305 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 7306 7307 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec), 7308 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 7309 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 7310 7311 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), 7312 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat), 7313 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 7314 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 7315 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 7316 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 7317 LSM_HOOK_INIT(sb_mount, selinux_mount), 7318 LSM_HOOK_INIT(sb_umount, selinux_umount), 7319 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 7320 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 7321 7322 LSM_HOOK_INIT(move_mount, selinux_move_mount), 7323 7324 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 7325 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 7326 7327 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 7328 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 7329 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon), 7330 LSM_HOOK_INIT(inode_create, selinux_inode_create), 7331 LSM_HOOK_INIT(inode_link, selinux_inode_link), 7332 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 7333 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 7334 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 7335 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 7336 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 7337 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 7338 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 7339 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 7340 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 7341 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 7342 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 7343 LSM_HOOK_INIT(inode_xattr_skipcap, selinux_inode_xattr_skipcap), 7344 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 7345 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 7346 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 7347 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 7348 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 7349 LSM_HOOK_INIT(inode_file_getattr, selinux_inode_file_getattr), 7350 LSM_HOOK_INIT(inode_file_setattr, selinux_inode_file_setattr), 7351 LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl), 7352 LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl), 7353 LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl), 7354 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 7355 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 7356 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 7357 LSM_HOOK_INIT(inode_getlsmprop, selinux_inode_getlsmprop), 7358 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 7359 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 7360 LSM_HOOK_INIT(path_notify, selinux_path_notify), 7361 7362 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security), 7363 7364 LSM_HOOK_INIT(file_permission, selinux_file_permission), 7365 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 7366 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 7367 LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat), 7368 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 7369 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 7370 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 7371 LSM_HOOK_INIT(file_lock, selinux_file_lock), 7372 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 7373 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 7374 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 7375 LSM_HOOK_INIT(file_receive, selinux_file_receive), 7376 7377 LSM_HOOK_INIT(file_open, selinux_file_open), 7378 7379 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 7380 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 7381 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 7382 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 7383 LSM_HOOK_INIT(cred_getlsmprop, selinux_cred_getlsmprop), 7384 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 7385 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 7386 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 7387 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 7388 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 7389 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 7390 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 7391 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 7392 LSM_HOOK_INIT(current_getlsmprop_subj, selinux_current_getlsmprop_subj), 7393 LSM_HOOK_INIT(task_getlsmprop_obj, selinux_task_getlsmprop_obj), 7394 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 7395 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 7396 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 7397 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 7398 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 7399 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 7400 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 7401 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 7402 LSM_HOOK_INIT(task_kill, selinux_task_kill), 7403 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 7404 LSM_HOOK_INIT(userns_create, selinux_userns_create), 7405 7406 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 7407 LSM_HOOK_INIT(ipc_getlsmprop, selinux_ipc_getlsmprop), 7408 7409 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 7410 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 7411 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 7412 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 7413 7414 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 7415 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 7416 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 7417 7418 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 7419 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 7420 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 7421 7422 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 7423 7424 LSM_HOOK_INIT(getselfattr, selinux_getselfattr), 7425 LSM_HOOK_INIT(setselfattr, selinux_setselfattr), 7426 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 7427 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 7428 7429 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 7430 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 7431 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 7432 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 7433 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 7434 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 7435 7436 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 7437 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 7438 7439 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7440 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7441 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), 7442 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7443 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7444 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7445 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7446 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7447 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7448 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7449 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7450 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7451 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7452 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7453 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7454 LSM_HOOK_INIT(socket_getpeersec_stream, 7455 selinux_socket_getpeersec_stream), 7456 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7457 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7458 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7459 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7460 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7461 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7462 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7463 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7464 LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established), 7465 LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow), 7466 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7467 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7468 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7469 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7470 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7471 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7472 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7473 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7474 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7475 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7476 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7477 #ifdef CONFIG_SECURITY_INFINIBAND 7478 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7479 LSM_HOOK_INIT(ib_endport_manage_subnet, 7480 selinux_ib_endport_manage_subnet), 7481 #endif 7482 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7483 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7484 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7485 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7486 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7487 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7488 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7489 selinux_xfrm_state_pol_flow_match), 7490 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7491 #endif 7492 7493 #ifdef CONFIG_KEYS 7494 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7495 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7496 #ifdef CONFIG_KEY_NOTIFICATIONS 7497 LSM_HOOK_INIT(watch_key, selinux_watch_key), 7498 #endif 7499 #endif 7500 7501 #ifdef CONFIG_AUDIT 7502 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7503 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7504 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7505 #endif 7506 7507 #ifdef CONFIG_BPF_SYSCALL 7508 LSM_HOOK_INIT(bpf, selinux_bpf), 7509 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7510 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7511 #endif 7512 7513 #ifdef CONFIG_PERF_EVENTS 7514 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open), 7515 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read), 7516 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write), 7517 #endif 7518 7519 #ifdef CONFIG_IO_URING 7520 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), 7521 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), 7522 LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd), 7523 LSM_HOOK_INIT(uring_allowed, selinux_uring_allowed), 7524 #endif 7525 7526 /* 7527 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE 7528 */ 7529 LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount), 7530 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 7531 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 7532 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 7533 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7534 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7535 #endif 7536 7537 /* 7538 * PUT "ALLOCATING" HOOKS HERE 7539 */ 7540 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 7541 LSM_HOOK_INIT(msg_queue_alloc_security, 7542 selinux_msg_queue_alloc_security), 7543 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 7544 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 7545 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 7546 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 7547 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 7548 LSM_HOOK_INIT(lsmprop_to_secctx, selinux_lsmprop_to_secctx), 7549 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 7550 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7551 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7552 #ifdef CONFIG_SECURITY_INFINIBAND 7553 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7554 #endif 7555 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7556 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7557 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7558 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7559 selinux_xfrm_state_alloc_acquire), 7560 #endif 7561 #ifdef CONFIG_KEYS 7562 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7563 #endif 7564 #ifdef CONFIG_AUDIT 7565 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7566 #endif 7567 #ifdef CONFIG_BPF_SYSCALL 7568 LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create), 7569 LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load), 7570 LSM_HOOK_INIT(bpf_token_create, selinux_bpf_token_create), 7571 #endif 7572 #ifdef CONFIG_PERF_EVENTS 7573 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), 7574 #endif 7575 }; 7576 7577 static __init int selinux_init(void) 7578 { 7579 pr_info("SELinux: Initializing.\n"); 7580 7581 memset(&selinux_state, 0, sizeof(selinux_state)); 7582 enforcing_set(selinux_enforcing_boot); 7583 selinux_avc_init(); 7584 mutex_init(&selinux_state.status_lock); 7585 mutex_init(&selinux_state.policy_mutex); 7586 7587 /* Set the security state for the initial task. */ 7588 cred_init_security(); 7589 7590 /* Inform the audit system that secctx is used */ 7591 audit_cfg_lsm(&selinux_lsmid, 7592 AUDIT_CFG_LSM_SECCTX_SUBJECT | 7593 AUDIT_CFG_LSM_SECCTX_OBJECT); 7594 7595 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7596 if (!default_noexec) 7597 pr_notice("SELinux: virtual memory is executable by default\n"); 7598 7599 avc_init(); 7600 7601 avtab_cache_init(); 7602 7603 ebitmap_cache_init(); 7604 7605 hashtab_cache_init(); 7606 7607 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), 7608 &selinux_lsmid); 7609 7610 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7611 panic("SELinux: Unable to register AVC netcache callback\n"); 7612 7613 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7614 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7615 7616 if (selinux_enforcing_boot) 7617 pr_debug("SELinux: Starting in enforcing mode\n"); 7618 else 7619 pr_debug("SELinux: Starting in permissive mode\n"); 7620 7621 fs_validate_description("selinux", selinux_fs_parameters); 7622 7623 return 0; 7624 } 7625 7626 static void delayed_superblock_init(struct super_block *sb, void *unused) 7627 { 7628 selinux_set_mnt_opts(sb, NULL, 0, NULL); 7629 } 7630 7631 void selinux_complete_init(void) 7632 { 7633 pr_debug("SELinux: Completing initialization.\n"); 7634 7635 /* Set up any superblocks initialized prior to the policy load. */ 7636 pr_debug("SELinux: Setting up existing superblocks.\n"); 7637 iterate_supers(delayed_superblock_init, NULL); 7638 } 7639 7640 /* SELinux requires early initialization in order to label 7641 all processes and objects when they are created. */ 7642 DEFINE_LSM(selinux) = { 7643 .name = "selinux", 7644 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 7645 .enabled = &selinux_enabled_boot, 7646 .blobs = &selinux_blob_sizes, 7647 .init = selinux_init, 7648 }; 7649 7650 #if defined(CONFIG_NETFILTER) 7651 static const struct nf_hook_ops selinux_nf_ops[] = { 7652 { 7653 .hook = selinux_ip_postroute, 7654 .pf = NFPROTO_IPV4, 7655 .hooknum = NF_INET_POST_ROUTING, 7656 .priority = NF_IP_PRI_SELINUX_LAST, 7657 }, 7658 { 7659 .hook = selinux_ip_forward, 7660 .pf = NFPROTO_IPV4, 7661 .hooknum = NF_INET_FORWARD, 7662 .priority = NF_IP_PRI_SELINUX_FIRST, 7663 }, 7664 { 7665 .hook = selinux_ip_output, 7666 .pf = NFPROTO_IPV4, 7667 .hooknum = NF_INET_LOCAL_OUT, 7668 .priority = NF_IP_PRI_SELINUX_FIRST, 7669 }, 7670 #if IS_ENABLED(CONFIG_IPV6) 7671 { 7672 .hook = selinux_ip_postroute, 7673 .pf = NFPROTO_IPV6, 7674 .hooknum = NF_INET_POST_ROUTING, 7675 .priority = NF_IP6_PRI_SELINUX_LAST, 7676 }, 7677 { 7678 .hook = selinux_ip_forward, 7679 .pf = NFPROTO_IPV6, 7680 .hooknum = NF_INET_FORWARD, 7681 .priority = NF_IP6_PRI_SELINUX_FIRST, 7682 }, 7683 { 7684 .hook = selinux_ip_output, 7685 .pf = NFPROTO_IPV6, 7686 .hooknum = NF_INET_LOCAL_OUT, 7687 .priority = NF_IP6_PRI_SELINUX_FIRST, 7688 }, 7689 #endif /* IPV6 */ 7690 }; 7691 7692 static int __net_init selinux_nf_register(struct net *net) 7693 { 7694 return nf_register_net_hooks(net, selinux_nf_ops, 7695 ARRAY_SIZE(selinux_nf_ops)); 7696 } 7697 7698 static void __net_exit selinux_nf_unregister(struct net *net) 7699 { 7700 nf_unregister_net_hooks(net, selinux_nf_ops, 7701 ARRAY_SIZE(selinux_nf_ops)); 7702 } 7703 7704 static struct pernet_operations selinux_net_ops = { 7705 .init = selinux_nf_register, 7706 .exit = selinux_nf_unregister, 7707 }; 7708 7709 static int __init selinux_nf_ip_init(void) 7710 { 7711 int err; 7712 7713 if (!selinux_enabled_boot) 7714 return 0; 7715 7716 pr_debug("SELinux: Registering netfilter hooks\n"); 7717 7718 err = register_pernet_subsys(&selinux_net_ops); 7719 if (err) 7720 panic("SELinux: register_pernet_subsys: error %d\n", err); 7721 7722 return 0; 7723 } 7724 __initcall(selinux_nf_ip_init); 7725 #endif /* CONFIG_NETFILTER */ 7726