1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * Copyright (C) 2016 Mellanox Technologies 21 * 22 * This program is free software; you can redistribute it and/or modify 23 * it under the terms of the GNU General Public License version 2, 24 * as published by the Free Software Foundation. 25 */ 26 27 #include <linux/init.h> 28 #include <linux/kd.h> 29 #include <linux/kernel.h> 30 #include <linux/tracehook.h> 31 #include <linux/errno.h> 32 #include <linux/sched/signal.h> 33 #include <linux/sched/task.h> 34 #include <linux/lsm_hooks.h> 35 #include <linux/xattr.h> 36 #include <linux/capability.h> 37 #include <linux/unistd.h> 38 #include <linux/mm.h> 39 #include <linux/mman.h> 40 #include <linux/slab.h> 41 #include <linux/pagemap.h> 42 #include <linux/proc_fs.h> 43 #include <linux/swap.h> 44 #include <linux/spinlock.h> 45 #include <linux/syscalls.h> 46 #include <linux/dcache.h> 47 #include <linux/file.h> 48 #include <linux/fdtable.h> 49 #include <linux/namei.h> 50 #include <linux/mount.h> 51 #include <linux/netfilter_ipv4.h> 52 #include <linux/netfilter_ipv6.h> 53 #include <linux/tty.h> 54 #include <net/icmp.h> 55 #include <net/ip.h> /* for local_port_range[] */ 56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 57 #include <net/inet_connection_sock.h> 58 #include <net/net_namespace.h> 59 #include <net/netlabel.h> 60 #include <linux/uaccess.h> 61 #include <asm/ioctls.h> 62 #include <linux/atomic.h> 63 #include <linux/bitops.h> 64 #include <linux/interrupt.h> 65 #include <linux/netdevice.h> /* for network interface checks */ 66 #include <net/netlink.h> 67 #include <linux/tcp.h> 68 #include <linux/udp.h> 69 #include <linux/dccp.h> 70 #include <linux/sctp.h> 71 #include <net/sctp/structs.h> 72 #include <linux/quota.h> 73 #include <linux/un.h> /* for Unix socket types */ 74 #include <net/af_unix.h> /* for Unix socket types */ 75 #include <linux/parser.h> 76 #include <linux/nfs_mount.h> 77 #include <net/ipv6.h> 78 #include <linux/hugetlb.h> 79 #include <linux/personality.h> 80 #include <linux/audit.h> 81 #include <linux/string.h> 82 #include <linux/selinux.h> 83 #include <linux/mutex.h> 84 #include <linux/posix-timers.h> 85 #include <linux/syslog.h> 86 #include <linux/user_namespace.h> 87 #include <linux/export.h> 88 #include <linux/msg.h> 89 #include <linux/shm.h> 90 #include <linux/bpf.h> 91 92 #include "avc.h" 93 #include "objsec.h" 94 #include "netif.h" 95 #include "netnode.h" 96 #include "netport.h" 97 #include "ibpkey.h" 98 #include "xfrm.h" 99 #include "netlabel.h" 100 #include "audit.h" 101 #include "avc_ss.h" 102 103 struct selinux_state selinux_state; 104 105 /* SECMARK reference count */ 106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 107 108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 109 static int selinux_enforcing_boot; 110 111 static int __init enforcing_setup(char *str) 112 { 113 unsigned long enforcing; 114 if (!kstrtoul(str, 0, &enforcing)) 115 selinux_enforcing_boot = enforcing ? 1 : 0; 116 return 1; 117 } 118 __setup("enforcing=", enforcing_setup); 119 #else 120 #define selinux_enforcing_boot 1 121 #endif 122 123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 125 126 static int __init selinux_enabled_setup(char *str) 127 { 128 unsigned long enabled; 129 if (!kstrtoul(str, 0, &enabled)) 130 selinux_enabled = enabled ? 1 : 0; 131 return 1; 132 } 133 __setup("selinux=", selinux_enabled_setup); 134 #else 135 int selinux_enabled = 1; 136 #endif 137 138 static unsigned int selinux_checkreqprot_boot = 139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 140 141 static int __init checkreqprot_setup(char *str) 142 { 143 unsigned long checkreqprot; 144 145 if (!kstrtoul(str, 0, &checkreqprot)) 146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0; 147 return 1; 148 } 149 __setup("checkreqprot=", checkreqprot_setup); 150 151 static struct kmem_cache *sel_inode_cache; 152 static struct kmem_cache *file_security_cache; 153 154 /** 155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 156 * 157 * Description: 158 * This function checks the SECMARK reference counter to see if any SECMARK 159 * targets are currently configured, if the reference counter is greater than 160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 161 * enabled, false (0) if SECMARK is disabled. If the always_check_network 162 * policy capability is enabled, SECMARK is always considered enabled. 163 * 164 */ 165 static int selinux_secmark_enabled(void) 166 { 167 return (selinux_policycap_alwaysnetwork() || 168 atomic_read(&selinux_secmark_refcount)); 169 } 170 171 /** 172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 173 * 174 * Description: 175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 176 * (1) if any are enabled or false (0) if neither are enabled. If the 177 * always_check_network policy capability is enabled, peer labeling 178 * is always considered enabled. 179 * 180 */ 181 static int selinux_peerlbl_enabled(void) 182 { 183 return (selinux_policycap_alwaysnetwork() || 184 netlbl_enabled() || selinux_xfrm_enabled()); 185 } 186 187 static int selinux_netcache_avc_callback(u32 event) 188 { 189 if (event == AVC_CALLBACK_RESET) { 190 sel_netif_flush(); 191 sel_netnode_flush(); 192 sel_netport_flush(); 193 synchronize_net(); 194 } 195 return 0; 196 } 197 198 static int selinux_lsm_notifier_avc_callback(u32 event) 199 { 200 if (event == AVC_CALLBACK_RESET) { 201 sel_ib_pkey_flush(); 202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL); 203 } 204 205 return 0; 206 } 207 208 /* 209 * initialise the security for the init task 210 */ 211 static void cred_init_security(void) 212 { 213 struct cred *cred = (struct cred *) current->real_cred; 214 struct task_security_struct *tsec; 215 216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 217 if (!tsec) 218 panic("SELinux: Failed to initialize initial task.\n"); 219 220 tsec->osid = tsec->sid = SECINITSID_KERNEL; 221 cred->security = tsec; 222 } 223 224 /* 225 * get the security ID of a set of credentials 226 */ 227 static inline u32 cred_sid(const struct cred *cred) 228 { 229 const struct task_security_struct *tsec; 230 231 tsec = cred->security; 232 return tsec->sid; 233 } 234 235 /* 236 * get the objective security ID of a task 237 */ 238 static inline u32 task_sid(const struct task_struct *task) 239 { 240 u32 sid; 241 242 rcu_read_lock(); 243 sid = cred_sid(__task_cred(task)); 244 rcu_read_unlock(); 245 return sid; 246 } 247 248 /* Allocate and free functions for each kind of security blob. */ 249 250 static int inode_alloc_security(struct inode *inode) 251 { 252 struct inode_security_struct *isec; 253 u32 sid = current_sid(); 254 255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 256 if (!isec) 257 return -ENOMEM; 258 259 spin_lock_init(&isec->lock); 260 INIT_LIST_HEAD(&isec->list); 261 isec->inode = inode; 262 isec->sid = SECINITSID_UNLABELED; 263 isec->sclass = SECCLASS_FILE; 264 isec->task_sid = sid; 265 isec->initialized = LABEL_INVALID; 266 inode->i_security = isec; 267 268 return 0; 269 } 270 271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 272 273 /* 274 * Try reloading inode security labels that have been marked as invalid. The 275 * @may_sleep parameter indicates when sleeping and thus reloading labels is 276 * allowed; when set to false, returns -ECHILD when the label is 277 * invalid. The @opt_dentry parameter should be set to a dentry of the inode; 278 * when no dentry is available, set it to NULL instead. 279 */ 280 static int __inode_security_revalidate(struct inode *inode, 281 struct dentry *opt_dentry, 282 bool may_sleep) 283 { 284 struct inode_security_struct *isec = inode->i_security; 285 286 might_sleep_if(may_sleep); 287 288 if (selinux_state.initialized && 289 isec->initialized != LABEL_INITIALIZED) { 290 if (!may_sleep) 291 return -ECHILD; 292 293 /* 294 * Try reloading the inode security label. This will fail if 295 * @opt_dentry is NULL and no dentry for this inode can be 296 * found; in that case, continue using the old label. 297 */ 298 inode_doinit_with_dentry(inode, opt_dentry); 299 } 300 return 0; 301 } 302 303 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 304 { 305 return inode->i_security; 306 } 307 308 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 309 { 310 int error; 311 312 error = __inode_security_revalidate(inode, NULL, !rcu); 313 if (error) 314 return ERR_PTR(error); 315 return inode->i_security; 316 } 317 318 /* 319 * Get the security label of an inode. 320 */ 321 static struct inode_security_struct *inode_security(struct inode *inode) 322 { 323 __inode_security_revalidate(inode, NULL, true); 324 return inode->i_security; 325 } 326 327 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 328 { 329 struct inode *inode = d_backing_inode(dentry); 330 331 return inode->i_security; 332 } 333 334 /* 335 * Get the security label of a dentry's backing inode. 336 */ 337 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 338 { 339 struct inode *inode = d_backing_inode(dentry); 340 341 __inode_security_revalidate(inode, dentry, true); 342 return inode->i_security; 343 } 344 345 static void inode_free_rcu(struct rcu_head *head) 346 { 347 struct inode_security_struct *isec; 348 349 isec = container_of(head, struct inode_security_struct, rcu); 350 kmem_cache_free(sel_inode_cache, isec); 351 } 352 353 static void inode_free_security(struct inode *inode) 354 { 355 struct inode_security_struct *isec = inode->i_security; 356 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 357 358 /* 359 * As not all inode security structures are in a list, we check for 360 * empty list outside of the lock to make sure that we won't waste 361 * time taking a lock doing nothing. 362 * 363 * The list_del_init() function can be safely called more than once. 364 * It should not be possible for this function to be called with 365 * concurrent list_add(), but for better safety against future changes 366 * in the code, we use list_empty_careful() here. 367 */ 368 if (!list_empty_careful(&isec->list)) { 369 spin_lock(&sbsec->isec_lock); 370 list_del_init(&isec->list); 371 spin_unlock(&sbsec->isec_lock); 372 } 373 374 /* 375 * The inode may still be referenced in a path walk and 376 * a call to selinux_inode_permission() can be made 377 * after inode_free_security() is called. Ideally, the VFS 378 * wouldn't do this, but fixing that is a much harder 379 * job. For now, simply free the i_security via RCU, and 380 * leave the current inode->i_security pointer intact. 381 * The inode will be freed after the RCU grace period too. 382 */ 383 call_rcu(&isec->rcu, inode_free_rcu); 384 } 385 386 static int file_alloc_security(struct file *file) 387 { 388 struct file_security_struct *fsec; 389 u32 sid = current_sid(); 390 391 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); 392 if (!fsec) 393 return -ENOMEM; 394 395 fsec->sid = sid; 396 fsec->fown_sid = sid; 397 file->f_security = fsec; 398 399 return 0; 400 } 401 402 static void file_free_security(struct file *file) 403 { 404 struct file_security_struct *fsec = file->f_security; 405 file->f_security = NULL; 406 kmem_cache_free(file_security_cache, fsec); 407 } 408 409 static int superblock_alloc_security(struct super_block *sb) 410 { 411 struct superblock_security_struct *sbsec; 412 413 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 414 if (!sbsec) 415 return -ENOMEM; 416 417 mutex_init(&sbsec->lock); 418 INIT_LIST_HEAD(&sbsec->isec_head); 419 spin_lock_init(&sbsec->isec_lock); 420 sbsec->sb = sb; 421 sbsec->sid = SECINITSID_UNLABELED; 422 sbsec->def_sid = SECINITSID_FILE; 423 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 424 sb->s_security = sbsec; 425 426 return 0; 427 } 428 429 static void superblock_free_security(struct super_block *sb) 430 { 431 struct superblock_security_struct *sbsec = sb->s_security; 432 sb->s_security = NULL; 433 kfree(sbsec); 434 } 435 436 static inline int inode_doinit(struct inode *inode) 437 { 438 return inode_doinit_with_dentry(inode, NULL); 439 } 440 441 enum { 442 Opt_error = -1, 443 Opt_context = 1, 444 Opt_fscontext = 2, 445 Opt_defcontext = 3, 446 Opt_rootcontext = 4, 447 Opt_labelsupport = 5, 448 Opt_nextmntopt = 6, 449 }; 450 451 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1) 452 453 static const match_table_t tokens = { 454 {Opt_context, CONTEXT_STR "%s"}, 455 {Opt_fscontext, FSCONTEXT_STR "%s"}, 456 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 457 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 458 {Opt_labelsupport, LABELSUPP_STR}, 459 {Opt_error, NULL}, 460 }; 461 462 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 463 464 static int may_context_mount_sb_relabel(u32 sid, 465 struct superblock_security_struct *sbsec, 466 const struct cred *cred) 467 { 468 const struct task_security_struct *tsec = cred->security; 469 int rc; 470 471 rc = avc_has_perm(&selinux_state, 472 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 473 FILESYSTEM__RELABELFROM, NULL); 474 if (rc) 475 return rc; 476 477 rc = avc_has_perm(&selinux_state, 478 tsec->sid, sid, SECCLASS_FILESYSTEM, 479 FILESYSTEM__RELABELTO, NULL); 480 return rc; 481 } 482 483 static int may_context_mount_inode_relabel(u32 sid, 484 struct superblock_security_struct *sbsec, 485 const struct cred *cred) 486 { 487 const struct task_security_struct *tsec = cred->security; 488 int rc; 489 rc = avc_has_perm(&selinux_state, 490 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 491 FILESYSTEM__RELABELFROM, NULL); 492 if (rc) 493 return rc; 494 495 rc = avc_has_perm(&selinux_state, 496 sid, sbsec->sid, SECCLASS_FILESYSTEM, 497 FILESYSTEM__ASSOCIATE, NULL); 498 return rc; 499 } 500 501 static int selinux_is_sblabel_mnt(struct super_block *sb) 502 { 503 struct superblock_security_struct *sbsec = sb->s_security; 504 505 return sbsec->behavior == SECURITY_FS_USE_XATTR || 506 sbsec->behavior == SECURITY_FS_USE_TRANS || 507 sbsec->behavior == SECURITY_FS_USE_TASK || 508 sbsec->behavior == SECURITY_FS_USE_NATIVE || 509 /* Special handling. Genfs but also in-core setxattr handler */ 510 !strcmp(sb->s_type->name, "sysfs") || 511 !strcmp(sb->s_type->name, "pstore") || 512 !strcmp(sb->s_type->name, "debugfs") || 513 !strcmp(sb->s_type->name, "tracefs") || 514 !strcmp(sb->s_type->name, "rootfs") || 515 (selinux_policycap_cgroupseclabel() && 516 (!strcmp(sb->s_type->name, "cgroup") || 517 !strcmp(sb->s_type->name, "cgroup2"))); 518 } 519 520 static int sb_finish_set_opts(struct super_block *sb) 521 { 522 struct superblock_security_struct *sbsec = sb->s_security; 523 struct dentry *root = sb->s_root; 524 struct inode *root_inode = d_backing_inode(root); 525 int rc = 0; 526 527 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 528 /* Make sure that the xattr handler exists and that no 529 error other than -ENODATA is returned by getxattr on 530 the root directory. -ENODATA is ok, as this may be 531 the first boot of the SELinux kernel before we have 532 assigned xattr values to the filesystem. */ 533 if (!(root_inode->i_opflags & IOP_XATTR)) { 534 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 535 "xattr support\n", sb->s_id, sb->s_type->name); 536 rc = -EOPNOTSUPP; 537 goto out; 538 } 539 540 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 541 if (rc < 0 && rc != -ENODATA) { 542 if (rc == -EOPNOTSUPP) 543 printk(KERN_WARNING "SELinux: (dev %s, type " 544 "%s) has no security xattr handler\n", 545 sb->s_id, sb->s_type->name); 546 else 547 printk(KERN_WARNING "SELinux: (dev %s, type " 548 "%s) getxattr errno %d\n", sb->s_id, 549 sb->s_type->name, -rc); 550 goto out; 551 } 552 } 553 554 sbsec->flags |= SE_SBINITIALIZED; 555 556 /* 557 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 558 * leave the flag untouched because sb_clone_mnt_opts might be handing 559 * us a superblock that needs the flag to be cleared. 560 */ 561 if (selinux_is_sblabel_mnt(sb)) 562 sbsec->flags |= SBLABEL_MNT; 563 else 564 sbsec->flags &= ~SBLABEL_MNT; 565 566 /* Initialize the root inode. */ 567 rc = inode_doinit_with_dentry(root_inode, root); 568 569 /* Initialize any other inodes associated with the superblock, e.g. 570 inodes created prior to initial policy load or inodes created 571 during get_sb by a pseudo filesystem that directly 572 populates itself. */ 573 spin_lock(&sbsec->isec_lock); 574 next_inode: 575 if (!list_empty(&sbsec->isec_head)) { 576 struct inode_security_struct *isec = 577 list_entry(sbsec->isec_head.next, 578 struct inode_security_struct, list); 579 struct inode *inode = isec->inode; 580 list_del_init(&isec->list); 581 spin_unlock(&sbsec->isec_lock); 582 inode = igrab(inode); 583 if (inode) { 584 if (!IS_PRIVATE(inode)) 585 inode_doinit(inode); 586 iput(inode); 587 } 588 spin_lock(&sbsec->isec_lock); 589 goto next_inode; 590 } 591 spin_unlock(&sbsec->isec_lock); 592 out: 593 return rc; 594 } 595 596 /* 597 * This function should allow an FS to ask what it's mount security 598 * options were so it can use those later for submounts, displaying 599 * mount options, or whatever. 600 */ 601 static int selinux_get_mnt_opts(const struct super_block *sb, 602 struct security_mnt_opts *opts) 603 { 604 int rc = 0, i; 605 struct superblock_security_struct *sbsec = sb->s_security; 606 char *context = NULL; 607 u32 len; 608 char tmp; 609 610 security_init_mnt_opts(opts); 611 612 if (!(sbsec->flags & SE_SBINITIALIZED)) 613 return -EINVAL; 614 615 if (!selinux_state.initialized) 616 return -EINVAL; 617 618 /* make sure we always check enough bits to cover the mask */ 619 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS)); 620 621 tmp = sbsec->flags & SE_MNTMASK; 622 /* count the number of mount options for this sb */ 623 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) { 624 if (tmp & 0x01) 625 opts->num_mnt_opts++; 626 tmp >>= 1; 627 } 628 /* Check if the Label support flag is set */ 629 if (sbsec->flags & SBLABEL_MNT) 630 opts->num_mnt_opts++; 631 632 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 633 if (!opts->mnt_opts) { 634 rc = -ENOMEM; 635 goto out_free; 636 } 637 638 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 639 if (!opts->mnt_opts_flags) { 640 rc = -ENOMEM; 641 goto out_free; 642 } 643 644 i = 0; 645 if (sbsec->flags & FSCONTEXT_MNT) { 646 rc = security_sid_to_context(&selinux_state, sbsec->sid, 647 &context, &len); 648 if (rc) 649 goto out_free; 650 opts->mnt_opts[i] = context; 651 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 652 } 653 if (sbsec->flags & CONTEXT_MNT) { 654 rc = security_sid_to_context(&selinux_state, 655 sbsec->mntpoint_sid, 656 &context, &len); 657 if (rc) 658 goto out_free; 659 opts->mnt_opts[i] = context; 660 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 661 } 662 if (sbsec->flags & DEFCONTEXT_MNT) { 663 rc = security_sid_to_context(&selinux_state, sbsec->def_sid, 664 &context, &len); 665 if (rc) 666 goto out_free; 667 opts->mnt_opts[i] = context; 668 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 669 } 670 if (sbsec->flags & ROOTCONTEXT_MNT) { 671 struct dentry *root = sbsec->sb->s_root; 672 struct inode_security_struct *isec = backing_inode_security(root); 673 674 rc = security_sid_to_context(&selinux_state, isec->sid, 675 &context, &len); 676 if (rc) 677 goto out_free; 678 opts->mnt_opts[i] = context; 679 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 680 } 681 if (sbsec->flags & SBLABEL_MNT) { 682 opts->mnt_opts[i] = NULL; 683 opts->mnt_opts_flags[i++] = SBLABEL_MNT; 684 } 685 686 BUG_ON(i != opts->num_mnt_opts); 687 688 return 0; 689 690 out_free: 691 security_free_mnt_opts(opts); 692 return rc; 693 } 694 695 static int bad_option(struct superblock_security_struct *sbsec, char flag, 696 u32 old_sid, u32 new_sid) 697 { 698 char mnt_flags = sbsec->flags & SE_MNTMASK; 699 700 /* check if the old mount command had the same options */ 701 if (sbsec->flags & SE_SBINITIALIZED) 702 if (!(sbsec->flags & flag) || 703 (old_sid != new_sid)) 704 return 1; 705 706 /* check if we were passed the same options twice, 707 * aka someone passed context=a,context=b 708 */ 709 if (!(sbsec->flags & SE_SBINITIALIZED)) 710 if (mnt_flags & flag) 711 return 1; 712 return 0; 713 } 714 715 /* 716 * Allow filesystems with binary mount data to explicitly set mount point 717 * labeling information. 718 */ 719 static int selinux_set_mnt_opts(struct super_block *sb, 720 struct security_mnt_opts *opts, 721 unsigned long kern_flags, 722 unsigned long *set_kern_flags) 723 { 724 const struct cred *cred = current_cred(); 725 int rc = 0, i; 726 struct superblock_security_struct *sbsec = sb->s_security; 727 const char *name = sb->s_type->name; 728 struct dentry *root = sbsec->sb->s_root; 729 struct inode_security_struct *root_isec; 730 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 731 u32 defcontext_sid = 0; 732 char **mount_options = opts->mnt_opts; 733 int *flags = opts->mnt_opts_flags; 734 int num_opts = opts->num_mnt_opts; 735 736 mutex_lock(&sbsec->lock); 737 738 if (!selinux_state.initialized) { 739 if (!num_opts) { 740 /* Defer initialization until selinux_complete_init, 741 after the initial policy is loaded and the security 742 server is ready to handle calls. */ 743 goto out; 744 } 745 rc = -EINVAL; 746 printk(KERN_WARNING "SELinux: Unable to set superblock options " 747 "before the security server is initialized\n"); 748 goto out; 749 } 750 if (kern_flags && !set_kern_flags) { 751 /* Specifying internal flags without providing a place to 752 * place the results is not allowed */ 753 rc = -EINVAL; 754 goto out; 755 } 756 757 /* 758 * Binary mount data FS will come through this function twice. Once 759 * from an explicit call and once from the generic calls from the vfs. 760 * Since the generic VFS calls will not contain any security mount data 761 * we need to skip the double mount verification. 762 * 763 * This does open a hole in which we will not notice if the first 764 * mount using this sb set explict options and a second mount using 765 * this sb does not set any security options. (The first options 766 * will be used for both mounts) 767 */ 768 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 769 && (num_opts == 0)) 770 goto out; 771 772 root_isec = backing_inode_security_novalidate(root); 773 774 /* 775 * parse the mount options, check if they are valid sids. 776 * also check if someone is trying to mount the same sb more 777 * than once with different security options. 778 */ 779 for (i = 0; i < num_opts; i++) { 780 u32 sid; 781 782 if (flags[i] == SBLABEL_MNT) 783 continue; 784 rc = security_context_str_to_sid(&selinux_state, 785 mount_options[i], &sid, 786 GFP_KERNEL); 787 if (rc) { 788 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 789 "(%s) failed for (dev %s, type %s) errno=%d\n", 790 mount_options[i], sb->s_id, name, rc); 791 goto out; 792 } 793 switch (flags[i]) { 794 case FSCONTEXT_MNT: 795 fscontext_sid = sid; 796 797 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 798 fscontext_sid)) 799 goto out_double_mount; 800 801 sbsec->flags |= FSCONTEXT_MNT; 802 break; 803 case CONTEXT_MNT: 804 context_sid = sid; 805 806 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 807 context_sid)) 808 goto out_double_mount; 809 810 sbsec->flags |= CONTEXT_MNT; 811 break; 812 case ROOTCONTEXT_MNT: 813 rootcontext_sid = sid; 814 815 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 816 rootcontext_sid)) 817 goto out_double_mount; 818 819 sbsec->flags |= ROOTCONTEXT_MNT; 820 821 break; 822 case DEFCONTEXT_MNT: 823 defcontext_sid = sid; 824 825 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 826 defcontext_sid)) 827 goto out_double_mount; 828 829 sbsec->flags |= DEFCONTEXT_MNT; 830 831 break; 832 default: 833 rc = -EINVAL; 834 goto out; 835 } 836 } 837 838 if (sbsec->flags & SE_SBINITIALIZED) { 839 /* previously mounted with options, but not on this attempt? */ 840 if ((sbsec->flags & SE_MNTMASK) && !num_opts) 841 goto out_double_mount; 842 rc = 0; 843 goto out; 844 } 845 846 if (strcmp(sb->s_type->name, "proc") == 0) 847 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 848 849 if (!strcmp(sb->s_type->name, "debugfs") || 850 !strcmp(sb->s_type->name, "tracefs") || 851 !strcmp(sb->s_type->name, "sysfs") || 852 !strcmp(sb->s_type->name, "pstore") || 853 !strcmp(sb->s_type->name, "cgroup") || 854 !strcmp(sb->s_type->name, "cgroup2")) 855 sbsec->flags |= SE_SBGENFS; 856 857 if (!sbsec->behavior) { 858 /* 859 * Determine the labeling behavior to use for this 860 * filesystem type. 861 */ 862 rc = security_fs_use(&selinux_state, sb); 863 if (rc) { 864 printk(KERN_WARNING 865 "%s: security_fs_use(%s) returned %d\n", 866 __func__, sb->s_type->name, rc); 867 goto out; 868 } 869 } 870 871 /* 872 * If this is a user namespace mount and the filesystem type is not 873 * explicitly whitelisted, then no contexts are allowed on the command 874 * line and security labels must be ignored. 875 */ 876 if (sb->s_user_ns != &init_user_ns && 877 strcmp(sb->s_type->name, "tmpfs") && 878 strcmp(sb->s_type->name, "ramfs") && 879 strcmp(sb->s_type->name, "devpts")) { 880 if (context_sid || fscontext_sid || rootcontext_sid || 881 defcontext_sid) { 882 rc = -EACCES; 883 goto out; 884 } 885 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 886 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 887 rc = security_transition_sid(&selinux_state, 888 current_sid(), 889 current_sid(), 890 SECCLASS_FILE, NULL, 891 &sbsec->mntpoint_sid); 892 if (rc) 893 goto out; 894 } 895 goto out_set_opts; 896 } 897 898 /* sets the context of the superblock for the fs being mounted. */ 899 if (fscontext_sid) { 900 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 901 if (rc) 902 goto out; 903 904 sbsec->sid = fscontext_sid; 905 } 906 907 /* 908 * Switch to using mount point labeling behavior. 909 * sets the label used on all file below the mountpoint, and will set 910 * the superblock context if not already set. 911 */ 912 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 913 sbsec->behavior = SECURITY_FS_USE_NATIVE; 914 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 915 } 916 917 if (context_sid) { 918 if (!fscontext_sid) { 919 rc = may_context_mount_sb_relabel(context_sid, sbsec, 920 cred); 921 if (rc) 922 goto out; 923 sbsec->sid = context_sid; 924 } else { 925 rc = may_context_mount_inode_relabel(context_sid, sbsec, 926 cred); 927 if (rc) 928 goto out; 929 } 930 if (!rootcontext_sid) 931 rootcontext_sid = context_sid; 932 933 sbsec->mntpoint_sid = context_sid; 934 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 935 } 936 937 if (rootcontext_sid) { 938 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 939 cred); 940 if (rc) 941 goto out; 942 943 root_isec->sid = rootcontext_sid; 944 root_isec->initialized = LABEL_INITIALIZED; 945 } 946 947 if (defcontext_sid) { 948 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 949 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 950 rc = -EINVAL; 951 printk(KERN_WARNING "SELinux: defcontext option is " 952 "invalid for this filesystem type\n"); 953 goto out; 954 } 955 956 if (defcontext_sid != sbsec->def_sid) { 957 rc = may_context_mount_inode_relabel(defcontext_sid, 958 sbsec, cred); 959 if (rc) 960 goto out; 961 } 962 963 sbsec->def_sid = defcontext_sid; 964 } 965 966 out_set_opts: 967 rc = sb_finish_set_opts(sb); 968 out: 969 mutex_unlock(&sbsec->lock); 970 return rc; 971 out_double_mount: 972 rc = -EINVAL; 973 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 974 "security settings for (dev %s, type %s)\n", sb->s_id, name); 975 goto out; 976 } 977 978 static int selinux_cmp_sb_context(const struct super_block *oldsb, 979 const struct super_block *newsb) 980 { 981 struct superblock_security_struct *old = oldsb->s_security; 982 struct superblock_security_struct *new = newsb->s_security; 983 char oldflags = old->flags & SE_MNTMASK; 984 char newflags = new->flags & SE_MNTMASK; 985 986 if (oldflags != newflags) 987 goto mismatch; 988 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 989 goto mismatch; 990 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 991 goto mismatch; 992 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 993 goto mismatch; 994 if (oldflags & ROOTCONTEXT_MNT) { 995 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 996 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 997 if (oldroot->sid != newroot->sid) 998 goto mismatch; 999 } 1000 return 0; 1001 mismatch: 1002 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, " 1003 "different security settings for (dev %s, " 1004 "type %s)\n", newsb->s_id, newsb->s_type->name); 1005 return -EBUSY; 1006 } 1007 1008 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 1009 struct super_block *newsb, 1010 unsigned long kern_flags, 1011 unsigned long *set_kern_flags) 1012 { 1013 int rc = 0; 1014 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 1015 struct superblock_security_struct *newsbsec = newsb->s_security; 1016 1017 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 1018 int set_context = (oldsbsec->flags & CONTEXT_MNT); 1019 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 1020 1021 /* 1022 * if the parent was able to be mounted it clearly had no special lsm 1023 * mount options. thus we can safely deal with this superblock later 1024 */ 1025 if (!selinux_state.initialized) 1026 return 0; 1027 1028 /* 1029 * Specifying internal flags without providing a place to 1030 * place the results is not allowed. 1031 */ 1032 if (kern_flags && !set_kern_flags) 1033 return -EINVAL; 1034 1035 /* how can we clone if the old one wasn't set up?? */ 1036 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 1037 1038 /* if fs is reusing a sb, make sure that the contexts match */ 1039 if (newsbsec->flags & SE_SBINITIALIZED) 1040 return selinux_cmp_sb_context(oldsb, newsb); 1041 1042 mutex_lock(&newsbsec->lock); 1043 1044 newsbsec->flags = oldsbsec->flags; 1045 1046 newsbsec->sid = oldsbsec->sid; 1047 newsbsec->def_sid = oldsbsec->def_sid; 1048 newsbsec->behavior = oldsbsec->behavior; 1049 1050 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 1051 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 1052 rc = security_fs_use(&selinux_state, newsb); 1053 if (rc) 1054 goto out; 1055 } 1056 1057 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 1058 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 1059 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 1060 } 1061 1062 if (set_context) { 1063 u32 sid = oldsbsec->mntpoint_sid; 1064 1065 if (!set_fscontext) 1066 newsbsec->sid = sid; 1067 if (!set_rootcontext) { 1068 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1069 newisec->sid = sid; 1070 } 1071 newsbsec->mntpoint_sid = sid; 1072 } 1073 if (set_rootcontext) { 1074 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 1075 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1076 1077 newisec->sid = oldisec->sid; 1078 } 1079 1080 sb_finish_set_opts(newsb); 1081 out: 1082 mutex_unlock(&newsbsec->lock); 1083 return rc; 1084 } 1085 1086 static int selinux_parse_opts_str(char *options, 1087 struct security_mnt_opts *opts) 1088 { 1089 char *p; 1090 char *context = NULL, *defcontext = NULL; 1091 char *fscontext = NULL, *rootcontext = NULL; 1092 int rc, num_mnt_opts = 0; 1093 1094 opts->num_mnt_opts = 0; 1095 1096 /* Standard string-based options. */ 1097 while ((p = strsep(&options, "|")) != NULL) { 1098 int token; 1099 substring_t args[MAX_OPT_ARGS]; 1100 1101 if (!*p) 1102 continue; 1103 1104 token = match_token(p, tokens, args); 1105 1106 switch (token) { 1107 case Opt_context: 1108 if (context || defcontext) { 1109 rc = -EINVAL; 1110 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1111 goto out_err; 1112 } 1113 context = match_strdup(&args[0]); 1114 if (!context) { 1115 rc = -ENOMEM; 1116 goto out_err; 1117 } 1118 break; 1119 1120 case Opt_fscontext: 1121 if (fscontext) { 1122 rc = -EINVAL; 1123 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1124 goto out_err; 1125 } 1126 fscontext = match_strdup(&args[0]); 1127 if (!fscontext) { 1128 rc = -ENOMEM; 1129 goto out_err; 1130 } 1131 break; 1132 1133 case Opt_rootcontext: 1134 if (rootcontext) { 1135 rc = -EINVAL; 1136 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1137 goto out_err; 1138 } 1139 rootcontext = match_strdup(&args[0]); 1140 if (!rootcontext) { 1141 rc = -ENOMEM; 1142 goto out_err; 1143 } 1144 break; 1145 1146 case Opt_defcontext: 1147 if (context || defcontext) { 1148 rc = -EINVAL; 1149 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1150 goto out_err; 1151 } 1152 defcontext = match_strdup(&args[0]); 1153 if (!defcontext) { 1154 rc = -ENOMEM; 1155 goto out_err; 1156 } 1157 break; 1158 case Opt_labelsupport: 1159 break; 1160 default: 1161 rc = -EINVAL; 1162 printk(KERN_WARNING "SELinux: unknown mount option\n"); 1163 goto out_err; 1164 1165 } 1166 } 1167 1168 rc = -ENOMEM; 1169 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL); 1170 if (!opts->mnt_opts) 1171 goto out_err; 1172 1173 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), 1174 GFP_KERNEL); 1175 if (!opts->mnt_opts_flags) 1176 goto out_err; 1177 1178 if (fscontext) { 1179 opts->mnt_opts[num_mnt_opts] = fscontext; 1180 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 1181 } 1182 if (context) { 1183 opts->mnt_opts[num_mnt_opts] = context; 1184 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 1185 } 1186 if (rootcontext) { 1187 opts->mnt_opts[num_mnt_opts] = rootcontext; 1188 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 1189 } 1190 if (defcontext) { 1191 opts->mnt_opts[num_mnt_opts] = defcontext; 1192 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 1193 } 1194 1195 opts->num_mnt_opts = num_mnt_opts; 1196 return 0; 1197 1198 out_err: 1199 security_free_mnt_opts(opts); 1200 kfree(context); 1201 kfree(defcontext); 1202 kfree(fscontext); 1203 kfree(rootcontext); 1204 return rc; 1205 } 1206 /* 1207 * string mount options parsing and call set the sbsec 1208 */ 1209 static int superblock_doinit(struct super_block *sb, void *data) 1210 { 1211 int rc = 0; 1212 char *options = data; 1213 struct security_mnt_opts opts; 1214 1215 security_init_mnt_opts(&opts); 1216 1217 if (!data) 1218 goto out; 1219 1220 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 1221 1222 rc = selinux_parse_opts_str(options, &opts); 1223 if (rc) 1224 goto out_err; 1225 1226 out: 1227 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL); 1228 1229 out_err: 1230 security_free_mnt_opts(&opts); 1231 return rc; 1232 } 1233 1234 static void selinux_write_opts(struct seq_file *m, 1235 struct security_mnt_opts *opts) 1236 { 1237 int i; 1238 char *prefix; 1239 1240 for (i = 0; i < opts->num_mnt_opts; i++) { 1241 char *has_comma; 1242 1243 if (opts->mnt_opts[i]) 1244 has_comma = strchr(opts->mnt_opts[i], ','); 1245 else 1246 has_comma = NULL; 1247 1248 switch (opts->mnt_opts_flags[i]) { 1249 case CONTEXT_MNT: 1250 prefix = CONTEXT_STR; 1251 break; 1252 case FSCONTEXT_MNT: 1253 prefix = FSCONTEXT_STR; 1254 break; 1255 case ROOTCONTEXT_MNT: 1256 prefix = ROOTCONTEXT_STR; 1257 break; 1258 case DEFCONTEXT_MNT: 1259 prefix = DEFCONTEXT_STR; 1260 break; 1261 case SBLABEL_MNT: 1262 seq_putc(m, ','); 1263 seq_puts(m, LABELSUPP_STR); 1264 continue; 1265 default: 1266 BUG(); 1267 return; 1268 }; 1269 /* we need a comma before each option */ 1270 seq_putc(m, ','); 1271 seq_puts(m, prefix); 1272 if (has_comma) 1273 seq_putc(m, '\"'); 1274 seq_escape(m, opts->mnt_opts[i], "\"\n\\"); 1275 if (has_comma) 1276 seq_putc(m, '\"'); 1277 } 1278 } 1279 1280 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1281 { 1282 struct security_mnt_opts opts; 1283 int rc; 1284 1285 rc = selinux_get_mnt_opts(sb, &opts); 1286 if (rc) { 1287 /* before policy load we may get EINVAL, don't show anything */ 1288 if (rc == -EINVAL) 1289 rc = 0; 1290 return rc; 1291 } 1292 1293 selinux_write_opts(m, &opts); 1294 1295 security_free_mnt_opts(&opts); 1296 1297 return rc; 1298 } 1299 1300 static inline u16 inode_mode_to_security_class(umode_t mode) 1301 { 1302 switch (mode & S_IFMT) { 1303 case S_IFSOCK: 1304 return SECCLASS_SOCK_FILE; 1305 case S_IFLNK: 1306 return SECCLASS_LNK_FILE; 1307 case S_IFREG: 1308 return SECCLASS_FILE; 1309 case S_IFBLK: 1310 return SECCLASS_BLK_FILE; 1311 case S_IFDIR: 1312 return SECCLASS_DIR; 1313 case S_IFCHR: 1314 return SECCLASS_CHR_FILE; 1315 case S_IFIFO: 1316 return SECCLASS_FIFO_FILE; 1317 1318 } 1319 1320 return SECCLASS_FILE; 1321 } 1322 1323 static inline int default_protocol_stream(int protocol) 1324 { 1325 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1326 } 1327 1328 static inline int default_protocol_dgram(int protocol) 1329 { 1330 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1331 } 1332 1333 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1334 { 1335 int extsockclass = selinux_policycap_extsockclass(); 1336 1337 switch (family) { 1338 case PF_UNIX: 1339 switch (type) { 1340 case SOCK_STREAM: 1341 case SOCK_SEQPACKET: 1342 return SECCLASS_UNIX_STREAM_SOCKET; 1343 case SOCK_DGRAM: 1344 case SOCK_RAW: 1345 return SECCLASS_UNIX_DGRAM_SOCKET; 1346 } 1347 break; 1348 case PF_INET: 1349 case PF_INET6: 1350 switch (type) { 1351 case SOCK_STREAM: 1352 case SOCK_SEQPACKET: 1353 if (default_protocol_stream(protocol)) 1354 return SECCLASS_TCP_SOCKET; 1355 else if (extsockclass && protocol == IPPROTO_SCTP) 1356 return SECCLASS_SCTP_SOCKET; 1357 else 1358 return SECCLASS_RAWIP_SOCKET; 1359 case SOCK_DGRAM: 1360 if (default_protocol_dgram(protocol)) 1361 return SECCLASS_UDP_SOCKET; 1362 else if (extsockclass && (protocol == IPPROTO_ICMP || 1363 protocol == IPPROTO_ICMPV6)) 1364 return SECCLASS_ICMP_SOCKET; 1365 else 1366 return SECCLASS_RAWIP_SOCKET; 1367 case SOCK_DCCP: 1368 return SECCLASS_DCCP_SOCKET; 1369 default: 1370 return SECCLASS_RAWIP_SOCKET; 1371 } 1372 break; 1373 case PF_NETLINK: 1374 switch (protocol) { 1375 case NETLINK_ROUTE: 1376 return SECCLASS_NETLINK_ROUTE_SOCKET; 1377 case NETLINK_SOCK_DIAG: 1378 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1379 case NETLINK_NFLOG: 1380 return SECCLASS_NETLINK_NFLOG_SOCKET; 1381 case NETLINK_XFRM: 1382 return SECCLASS_NETLINK_XFRM_SOCKET; 1383 case NETLINK_SELINUX: 1384 return SECCLASS_NETLINK_SELINUX_SOCKET; 1385 case NETLINK_ISCSI: 1386 return SECCLASS_NETLINK_ISCSI_SOCKET; 1387 case NETLINK_AUDIT: 1388 return SECCLASS_NETLINK_AUDIT_SOCKET; 1389 case NETLINK_FIB_LOOKUP: 1390 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1391 case NETLINK_CONNECTOR: 1392 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1393 case NETLINK_NETFILTER: 1394 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1395 case NETLINK_DNRTMSG: 1396 return SECCLASS_NETLINK_DNRT_SOCKET; 1397 case NETLINK_KOBJECT_UEVENT: 1398 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1399 case NETLINK_GENERIC: 1400 return SECCLASS_NETLINK_GENERIC_SOCKET; 1401 case NETLINK_SCSITRANSPORT: 1402 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1403 case NETLINK_RDMA: 1404 return SECCLASS_NETLINK_RDMA_SOCKET; 1405 case NETLINK_CRYPTO: 1406 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1407 default: 1408 return SECCLASS_NETLINK_SOCKET; 1409 } 1410 case PF_PACKET: 1411 return SECCLASS_PACKET_SOCKET; 1412 case PF_KEY: 1413 return SECCLASS_KEY_SOCKET; 1414 case PF_APPLETALK: 1415 return SECCLASS_APPLETALK_SOCKET; 1416 } 1417 1418 if (extsockclass) { 1419 switch (family) { 1420 case PF_AX25: 1421 return SECCLASS_AX25_SOCKET; 1422 case PF_IPX: 1423 return SECCLASS_IPX_SOCKET; 1424 case PF_NETROM: 1425 return SECCLASS_NETROM_SOCKET; 1426 case PF_ATMPVC: 1427 return SECCLASS_ATMPVC_SOCKET; 1428 case PF_X25: 1429 return SECCLASS_X25_SOCKET; 1430 case PF_ROSE: 1431 return SECCLASS_ROSE_SOCKET; 1432 case PF_DECnet: 1433 return SECCLASS_DECNET_SOCKET; 1434 case PF_ATMSVC: 1435 return SECCLASS_ATMSVC_SOCKET; 1436 case PF_RDS: 1437 return SECCLASS_RDS_SOCKET; 1438 case PF_IRDA: 1439 return SECCLASS_IRDA_SOCKET; 1440 case PF_PPPOX: 1441 return SECCLASS_PPPOX_SOCKET; 1442 case PF_LLC: 1443 return SECCLASS_LLC_SOCKET; 1444 case PF_CAN: 1445 return SECCLASS_CAN_SOCKET; 1446 case PF_TIPC: 1447 return SECCLASS_TIPC_SOCKET; 1448 case PF_BLUETOOTH: 1449 return SECCLASS_BLUETOOTH_SOCKET; 1450 case PF_IUCV: 1451 return SECCLASS_IUCV_SOCKET; 1452 case PF_RXRPC: 1453 return SECCLASS_RXRPC_SOCKET; 1454 case PF_ISDN: 1455 return SECCLASS_ISDN_SOCKET; 1456 case PF_PHONET: 1457 return SECCLASS_PHONET_SOCKET; 1458 case PF_IEEE802154: 1459 return SECCLASS_IEEE802154_SOCKET; 1460 case PF_CAIF: 1461 return SECCLASS_CAIF_SOCKET; 1462 case PF_ALG: 1463 return SECCLASS_ALG_SOCKET; 1464 case PF_NFC: 1465 return SECCLASS_NFC_SOCKET; 1466 case PF_VSOCK: 1467 return SECCLASS_VSOCK_SOCKET; 1468 case PF_KCM: 1469 return SECCLASS_KCM_SOCKET; 1470 case PF_QIPCRTR: 1471 return SECCLASS_QIPCRTR_SOCKET; 1472 case PF_SMC: 1473 return SECCLASS_SMC_SOCKET; 1474 case PF_XDP: 1475 return SECCLASS_XDP_SOCKET; 1476 #if PF_MAX > 45 1477 #error New address family defined, please update this function. 1478 #endif 1479 } 1480 } 1481 1482 return SECCLASS_SOCKET; 1483 } 1484 1485 static int selinux_genfs_get_sid(struct dentry *dentry, 1486 u16 tclass, 1487 u16 flags, 1488 u32 *sid) 1489 { 1490 int rc; 1491 struct super_block *sb = dentry->d_sb; 1492 char *buffer, *path; 1493 1494 buffer = (char *)__get_free_page(GFP_KERNEL); 1495 if (!buffer) 1496 return -ENOMEM; 1497 1498 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1499 if (IS_ERR(path)) 1500 rc = PTR_ERR(path); 1501 else { 1502 if (flags & SE_SBPROC) { 1503 /* each process gets a /proc/PID/ entry. Strip off the 1504 * PID part to get a valid selinux labeling. 1505 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1506 while (path[1] >= '0' && path[1] <= '9') { 1507 path[1] = '/'; 1508 path++; 1509 } 1510 } 1511 rc = security_genfs_sid(&selinux_state, sb->s_type->name, 1512 path, tclass, sid); 1513 } 1514 free_page((unsigned long)buffer); 1515 return rc; 1516 } 1517 1518 /* The inode's security attributes must be initialized before first use. */ 1519 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1520 { 1521 struct superblock_security_struct *sbsec = NULL; 1522 struct inode_security_struct *isec = inode->i_security; 1523 u32 task_sid, sid = 0; 1524 u16 sclass; 1525 struct dentry *dentry; 1526 #define INITCONTEXTLEN 255 1527 char *context = NULL; 1528 unsigned len = 0; 1529 int rc = 0; 1530 1531 if (isec->initialized == LABEL_INITIALIZED) 1532 return 0; 1533 1534 spin_lock(&isec->lock); 1535 if (isec->initialized == LABEL_INITIALIZED) 1536 goto out_unlock; 1537 1538 if (isec->sclass == SECCLASS_FILE) 1539 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1540 1541 sbsec = inode->i_sb->s_security; 1542 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1543 /* Defer initialization until selinux_complete_init, 1544 after the initial policy is loaded and the security 1545 server is ready to handle calls. */ 1546 spin_lock(&sbsec->isec_lock); 1547 if (list_empty(&isec->list)) 1548 list_add(&isec->list, &sbsec->isec_head); 1549 spin_unlock(&sbsec->isec_lock); 1550 goto out_unlock; 1551 } 1552 1553 sclass = isec->sclass; 1554 task_sid = isec->task_sid; 1555 sid = isec->sid; 1556 isec->initialized = LABEL_PENDING; 1557 spin_unlock(&isec->lock); 1558 1559 switch (sbsec->behavior) { 1560 case SECURITY_FS_USE_NATIVE: 1561 break; 1562 case SECURITY_FS_USE_XATTR: 1563 if (!(inode->i_opflags & IOP_XATTR)) { 1564 sid = sbsec->def_sid; 1565 break; 1566 } 1567 /* Need a dentry, since the xattr API requires one. 1568 Life would be simpler if we could just pass the inode. */ 1569 if (opt_dentry) { 1570 /* Called from d_instantiate or d_splice_alias. */ 1571 dentry = dget(opt_dentry); 1572 } else { 1573 /* Called from selinux_complete_init, try to find a dentry. */ 1574 dentry = d_find_alias(inode); 1575 } 1576 if (!dentry) { 1577 /* 1578 * this is can be hit on boot when a file is accessed 1579 * before the policy is loaded. When we load policy we 1580 * may find inodes that have no dentry on the 1581 * sbsec->isec_head list. No reason to complain as these 1582 * will get fixed up the next time we go through 1583 * inode_doinit with a dentry, before these inodes could 1584 * be used again by userspace. 1585 */ 1586 goto out; 1587 } 1588 1589 len = INITCONTEXTLEN; 1590 context = kmalloc(len+1, GFP_NOFS); 1591 if (!context) { 1592 rc = -ENOMEM; 1593 dput(dentry); 1594 goto out; 1595 } 1596 context[len] = '\0'; 1597 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1598 if (rc == -ERANGE) { 1599 kfree(context); 1600 1601 /* Need a larger buffer. Query for the right size. */ 1602 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1603 if (rc < 0) { 1604 dput(dentry); 1605 goto out; 1606 } 1607 len = rc; 1608 context = kmalloc(len+1, GFP_NOFS); 1609 if (!context) { 1610 rc = -ENOMEM; 1611 dput(dentry); 1612 goto out; 1613 } 1614 context[len] = '\0'; 1615 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1616 } 1617 dput(dentry); 1618 if (rc < 0) { 1619 if (rc != -ENODATA) { 1620 printk(KERN_WARNING "SELinux: %s: getxattr returned " 1621 "%d for dev=%s ino=%ld\n", __func__, 1622 -rc, inode->i_sb->s_id, inode->i_ino); 1623 kfree(context); 1624 goto out; 1625 } 1626 /* Map ENODATA to the default file SID */ 1627 sid = sbsec->def_sid; 1628 rc = 0; 1629 } else { 1630 rc = security_context_to_sid_default(&selinux_state, 1631 context, rc, &sid, 1632 sbsec->def_sid, 1633 GFP_NOFS); 1634 if (rc) { 1635 char *dev = inode->i_sb->s_id; 1636 unsigned long ino = inode->i_ino; 1637 1638 if (rc == -EINVAL) { 1639 if (printk_ratelimit()) 1640 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " 1641 "context=%s. This indicates you may need to relabel the inode or the " 1642 "filesystem in question.\n", ino, dev, context); 1643 } else { 1644 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1645 "returned %d for dev=%s ino=%ld\n", 1646 __func__, context, -rc, dev, ino); 1647 } 1648 kfree(context); 1649 /* Leave with the unlabeled SID */ 1650 rc = 0; 1651 break; 1652 } 1653 } 1654 kfree(context); 1655 break; 1656 case SECURITY_FS_USE_TASK: 1657 sid = task_sid; 1658 break; 1659 case SECURITY_FS_USE_TRANS: 1660 /* Default to the fs SID. */ 1661 sid = sbsec->sid; 1662 1663 /* Try to obtain a transition SID. */ 1664 rc = security_transition_sid(&selinux_state, task_sid, sid, 1665 sclass, NULL, &sid); 1666 if (rc) 1667 goto out; 1668 break; 1669 case SECURITY_FS_USE_MNTPOINT: 1670 sid = sbsec->mntpoint_sid; 1671 break; 1672 default: 1673 /* Default to the fs superblock SID. */ 1674 sid = sbsec->sid; 1675 1676 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { 1677 /* We must have a dentry to determine the label on 1678 * procfs inodes */ 1679 if (opt_dentry) 1680 /* Called from d_instantiate or 1681 * d_splice_alias. */ 1682 dentry = dget(opt_dentry); 1683 else 1684 /* Called from selinux_complete_init, try to 1685 * find a dentry. */ 1686 dentry = d_find_alias(inode); 1687 /* 1688 * This can be hit on boot when a file is accessed 1689 * before the policy is loaded. When we load policy we 1690 * may find inodes that have no dentry on the 1691 * sbsec->isec_head list. No reason to complain as 1692 * these will get fixed up the next time we go through 1693 * inode_doinit() with a dentry, before these inodes 1694 * could be used again by userspace. 1695 */ 1696 if (!dentry) 1697 goto out; 1698 rc = selinux_genfs_get_sid(dentry, sclass, 1699 sbsec->flags, &sid); 1700 dput(dentry); 1701 if (rc) 1702 goto out; 1703 } 1704 break; 1705 } 1706 1707 out: 1708 spin_lock(&isec->lock); 1709 if (isec->initialized == LABEL_PENDING) { 1710 if (!sid || rc) { 1711 isec->initialized = LABEL_INVALID; 1712 goto out_unlock; 1713 } 1714 1715 isec->initialized = LABEL_INITIALIZED; 1716 isec->sid = sid; 1717 } 1718 1719 out_unlock: 1720 spin_unlock(&isec->lock); 1721 return rc; 1722 } 1723 1724 /* Convert a Linux signal to an access vector. */ 1725 static inline u32 signal_to_av(int sig) 1726 { 1727 u32 perm = 0; 1728 1729 switch (sig) { 1730 case SIGCHLD: 1731 /* Commonly granted from child to parent. */ 1732 perm = PROCESS__SIGCHLD; 1733 break; 1734 case SIGKILL: 1735 /* Cannot be caught or ignored */ 1736 perm = PROCESS__SIGKILL; 1737 break; 1738 case SIGSTOP: 1739 /* Cannot be caught or ignored */ 1740 perm = PROCESS__SIGSTOP; 1741 break; 1742 default: 1743 /* All other signals. */ 1744 perm = PROCESS__SIGNAL; 1745 break; 1746 } 1747 1748 return perm; 1749 } 1750 1751 #if CAP_LAST_CAP > 63 1752 #error Fix SELinux to handle capabilities > 63. 1753 #endif 1754 1755 /* Check whether a task is allowed to use a capability. */ 1756 static int cred_has_capability(const struct cred *cred, 1757 int cap, int audit, bool initns) 1758 { 1759 struct common_audit_data ad; 1760 struct av_decision avd; 1761 u16 sclass; 1762 u32 sid = cred_sid(cred); 1763 u32 av = CAP_TO_MASK(cap); 1764 int rc; 1765 1766 ad.type = LSM_AUDIT_DATA_CAP; 1767 ad.u.cap = cap; 1768 1769 switch (CAP_TO_INDEX(cap)) { 1770 case 0: 1771 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1772 break; 1773 case 1: 1774 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1775 break; 1776 default: 1777 printk(KERN_ERR 1778 "SELinux: out of range capability %d\n", cap); 1779 BUG(); 1780 return -EINVAL; 1781 } 1782 1783 rc = avc_has_perm_noaudit(&selinux_state, 1784 sid, sid, sclass, av, 0, &avd); 1785 if (audit == SECURITY_CAP_AUDIT) { 1786 int rc2 = avc_audit(&selinux_state, 1787 sid, sid, sclass, av, &avd, rc, &ad, 0); 1788 if (rc2) 1789 return rc2; 1790 } 1791 return rc; 1792 } 1793 1794 /* Check whether a task has a particular permission to an inode. 1795 The 'adp' parameter is optional and allows other audit 1796 data to be passed (e.g. the dentry). */ 1797 static int inode_has_perm(const struct cred *cred, 1798 struct inode *inode, 1799 u32 perms, 1800 struct common_audit_data *adp) 1801 { 1802 struct inode_security_struct *isec; 1803 u32 sid; 1804 1805 validate_creds(cred); 1806 1807 if (unlikely(IS_PRIVATE(inode))) 1808 return 0; 1809 1810 sid = cred_sid(cred); 1811 isec = inode->i_security; 1812 1813 return avc_has_perm(&selinux_state, 1814 sid, isec->sid, isec->sclass, perms, adp); 1815 } 1816 1817 /* Same as inode_has_perm, but pass explicit audit data containing 1818 the dentry to help the auditing code to more easily generate the 1819 pathname if needed. */ 1820 static inline int dentry_has_perm(const struct cred *cred, 1821 struct dentry *dentry, 1822 u32 av) 1823 { 1824 struct inode *inode = d_backing_inode(dentry); 1825 struct common_audit_data ad; 1826 1827 ad.type = LSM_AUDIT_DATA_DENTRY; 1828 ad.u.dentry = dentry; 1829 __inode_security_revalidate(inode, dentry, true); 1830 return inode_has_perm(cred, inode, av, &ad); 1831 } 1832 1833 /* Same as inode_has_perm, but pass explicit audit data containing 1834 the path to help the auditing code to more easily generate the 1835 pathname if needed. */ 1836 static inline int path_has_perm(const struct cred *cred, 1837 const struct path *path, 1838 u32 av) 1839 { 1840 struct inode *inode = d_backing_inode(path->dentry); 1841 struct common_audit_data ad; 1842 1843 ad.type = LSM_AUDIT_DATA_PATH; 1844 ad.u.path = *path; 1845 __inode_security_revalidate(inode, path->dentry, true); 1846 return inode_has_perm(cred, inode, av, &ad); 1847 } 1848 1849 /* Same as path_has_perm, but uses the inode from the file struct. */ 1850 static inline int file_path_has_perm(const struct cred *cred, 1851 struct file *file, 1852 u32 av) 1853 { 1854 struct common_audit_data ad; 1855 1856 ad.type = LSM_AUDIT_DATA_FILE; 1857 ad.u.file = file; 1858 return inode_has_perm(cred, file_inode(file), av, &ad); 1859 } 1860 1861 #ifdef CONFIG_BPF_SYSCALL 1862 static int bpf_fd_pass(struct file *file, u32 sid); 1863 #endif 1864 1865 /* Check whether a task can use an open file descriptor to 1866 access an inode in a given way. Check access to the 1867 descriptor itself, and then use dentry_has_perm to 1868 check a particular permission to the file. 1869 Access to the descriptor is implicitly granted if it 1870 has the same SID as the process. If av is zero, then 1871 access to the file is not checked, e.g. for cases 1872 where only the descriptor is affected like seek. */ 1873 static int file_has_perm(const struct cred *cred, 1874 struct file *file, 1875 u32 av) 1876 { 1877 struct file_security_struct *fsec = file->f_security; 1878 struct inode *inode = file_inode(file); 1879 struct common_audit_data ad; 1880 u32 sid = cred_sid(cred); 1881 int rc; 1882 1883 ad.type = LSM_AUDIT_DATA_FILE; 1884 ad.u.file = file; 1885 1886 if (sid != fsec->sid) { 1887 rc = avc_has_perm(&selinux_state, 1888 sid, fsec->sid, 1889 SECCLASS_FD, 1890 FD__USE, 1891 &ad); 1892 if (rc) 1893 goto out; 1894 } 1895 1896 #ifdef CONFIG_BPF_SYSCALL 1897 rc = bpf_fd_pass(file, cred_sid(cred)); 1898 if (rc) 1899 return rc; 1900 #endif 1901 1902 /* av is zero if only checking access to the descriptor. */ 1903 rc = 0; 1904 if (av) 1905 rc = inode_has_perm(cred, inode, av, &ad); 1906 1907 out: 1908 return rc; 1909 } 1910 1911 /* 1912 * Determine the label for an inode that might be unioned. 1913 */ 1914 static int 1915 selinux_determine_inode_label(const struct task_security_struct *tsec, 1916 struct inode *dir, 1917 const struct qstr *name, u16 tclass, 1918 u32 *_new_isid) 1919 { 1920 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1921 1922 if ((sbsec->flags & SE_SBINITIALIZED) && 1923 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1924 *_new_isid = sbsec->mntpoint_sid; 1925 } else if ((sbsec->flags & SBLABEL_MNT) && 1926 tsec->create_sid) { 1927 *_new_isid = tsec->create_sid; 1928 } else { 1929 const struct inode_security_struct *dsec = inode_security(dir); 1930 return security_transition_sid(&selinux_state, tsec->sid, 1931 dsec->sid, tclass, 1932 name, _new_isid); 1933 } 1934 1935 return 0; 1936 } 1937 1938 /* Check whether a task can create a file. */ 1939 static int may_create(struct inode *dir, 1940 struct dentry *dentry, 1941 u16 tclass) 1942 { 1943 const struct task_security_struct *tsec = current_security(); 1944 struct inode_security_struct *dsec; 1945 struct superblock_security_struct *sbsec; 1946 u32 sid, newsid; 1947 struct common_audit_data ad; 1948 int rc; 1949 1950 dsec = inode_security(dir); 1951 sbsec = dir->i_sb->s_security; 1952 1953 sid = tsec->sid; 1954 1955 ad.type = LSM_AUDIT_DATA_DENTRY; 1956 ad.u.dentry = dentry; 1957 1958 rc = avc_has_perm(&selinux_state, 1959 sid, dsec->sid, SECCLASS_DIR, 1960 DIR__ADD_NAME | DIR__SEARCH, 1961 &ad); 1962 if (rc) 1963 return rc; 1964 1965 rc = selinux_determine_inode_label(current_security(), dir, 1966 &dentry->d_name, tclass, &newsid); 1967 if (rc) 1968 return rc; 1969 1970 rc = avc_has_perm(&selinux_state, 1971 sid, newsid, tclass, FILE__CREATE, &ad); 1972 if (rc) 1973 return rc; 1974 1975 return avc_has_perm(&selinux_state, 1976 newsid, sbsec->sid, 1977 SECCLASS_FILESYSTEM, 1978 FILESYSTEM__ASSOCIATE, &ad); 1979 } 1980 1981 #define MAY_LINK 0 1982 #define MAY_UNLINK 1 1983 #define MAY_RMDIR 2 1984 1985 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1986 static int may_link(struct inode *dir, 1987 struct dentry *dentry, 1988 int kind) 1989 1990 { 1991 struct inode_security_struct *dsec, *isec; 1992 struct common_audit_data ad; 1993 u32 sid = current_sid(); 1994 u32 av; 1995 int rc; 1996 1997 dsec = inode_security(dir); 1998 isec = backing_inode_security(dentry); 1999 2000 ad.type = LSM_AUDIT_DATA_DENTRY; 2001 ad.u.dentry = dentry; 2002 2003 av = DIR__SEARCH; 2004 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 2005 rc = avc_has_perm(&selinux_state, 2006 sid, dsec->sid, SECCLASS_DIR, av, &ad); 2007 if (rc) 2008 return rc; 2009 2010 switch (kind) { 2011 case MAY_LINK: 2012 av = FILE__LINK; 2013 break; 2014 case MAY_UNLINK: 2015 av = FILE__UNLINK; 2016 break; 2017 case MAY_RMDIR: 2018 av = DIR__RMDIR; 2019 break; 2020 default: 2021 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", 2022 __func__, kind); 2023 return 0; 2024 } 2025 2026 rc = avc_has_perm(&selinux_state, 2027 sid, isec->sid, isec->sclass, av, &ad); 2028 return rc; 2029 } 2030 2031 static inline int may_rename(struct inode *old_dir, 2032 struct dentry *old_dentry, 2033 struct inode *new_dir, 2034 struct dentry *new_dentry) 2035 { 2036 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 2037 struct common_audit_data ad; 2038 u32 sid = current_sid(); 2039 u32 av; 2040 int old_is_dir, new_is_dir; 2041 int rc; 2042 2043 old_dsec = inode_security(old_dir); 2044 old_isec = backing_inode_security(old_dentry); 2045 old_is_dir = d_is_dir(old_dentry); 2046 new_dsec = inode_security(new_dir); 2047 2048 ad.type = LSM_AUDIT_DATA_DENTRY; 2049 2050 ad.u.dentry = old_dentry; 2051 rc = avc_has_perm(&selinux_state, 2052 sid, old_dsec->sid, SECCLASS_DIR, 2053 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 2054 if (rc) 2055 return rc; 2056 rc = avc_has_perm(&selinux_state, 2057 sid, old_isec->sid, 2058 old_isec->sclass, FILE__RENAME, &ad); 2059 if (rc) 2060 return rc; 2061 if (old_is_dir && new_dir != old_dir) { 2062 rc = avc_has_perm(&selinux_state, 2063 sid, old_isec->sid, 2064 old_isec->sclass, DIR__REPARENT, &ad); 2065 if (rc) 2066 return rc; 2067 } 2068 2069 ad.u.dentry = new_dentry; 2070 av = DIR__ADD_NAME | DIR__SEARCH; 2071 if (d_is_positive(new_dentry)) 2072 av |= DIR__REMOVE_NAME; 2073 rc = avc_has_perm(&selinux_state, 2074 sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 2075 if (rc) 2076 return rc; 2077 if (d_is_positive(new_dentry)) { 2078 new_isec = backing_inode_security(new_dentry); 2079 new_is_dir = d_is_dir(new_dentry); 2080 rc = avc_has_perm(&selinux_state, 2081 sid, new_isec->sid, 2082 new_isec->sclass, 2083 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 2084 if (rc) 2085 return rc; 2086 } 2087 2088 return 0; 2089 } 2090 2091 /* Check whether a task can perform a filesystem operation. */ 2092 static int superblock_has_perm(const struct cred *cred, 2093 struct super_block *sb, 2094 u32 perms, 2095 struct common_audit_data *ad) 2096 { 2097 struct superblock_security_struct *sbsec; 2098 u32 sid = cred_sid(cred); 2099 2100 sbsec = sb->s_security; 2101 return avc_has_perm(&selinux_state, 2102 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 2103 } 2104 2105 /* Convert a Linux mode and permission mask to an access vector. */ 2106 static inline u32 file_mask_to_av(int mode, int mask) 2107 { 2108 u32 av = 0; 2109 2110 if (!S_ISDIR(mode)) { 2111 if (mask & MAY_EXEC) 2112 av |= FILE__EXECUTE; 2113 if (mask & MAY_READ) 2114 av |= FILE__READ; 2115 2116 if (mask & MAY_APPEND) 2117 av |= FILE__APPEND; 2118 else if (mask & MAY_WRITE) 2119 av |= FILE__WRITE; 2120 2121 } else { 2122 if (mask & MAY_EXEC) 2123 av |= DIR__SEARCH; 2124 if (mask & MAY_WRITE) 2125 av |= DIR__WRITE; 2126 if (mask & MAY_READ) 2127 av |= DIR__READ; 2128 } 2129 2130 return av; 2131 } 2132 2133 /* Convert a Linux file to an access vector. */ 2134 static inline u32 file_to_av(struct file *file) 2135 { 2136 u32 av = 0; 2137 2138 if (file->f_mode & FMODE_READ) 2139 av |= FILE__READ; 2140 if (file->f_mode & FMODE_WRITE) { 2141 if (file->f_flags & O_APPEND) 2142 av |= FILE__APPEND; 2143 else 2144 av |= FILE__WRITE; 2145 } 2146 if (!av) { 2147 /* 2148 * Special file opened with flags 3 for ioctl-only use. 2149 */ 2150 av = FILE__IOCTL; 2151 } 2152 2153 return av; 2154 } 2155 2156 /* 2157 * Convert a file to an access vector and include the correct open 2158 * open permission. 2159 */ 2160 static inline u32 open_file_to_av(struct file *file) 2161 { 2162 u32 av = file_to_av(file); 2163 struct inode *inode = file_inode(file); 2164 2165 if (selinux_policycap_openperm() && 2166 inode->i_sb->s_magic != SOCKFS_MAGIC) 2167 av |= FILE__OPEN; 2168 2169 return av; 2170 } 2171 2172 /* Hook functions begin here. */ 2173 2174 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2175 { 2176 u32 mysid = current_sid(); 2177 u32 mgrsid = task_sid(mgr); 2178 2179 return avc_has_perm(&selinux_state, 2180 mysid, mgrsid, SECCLASS_BINDER, 2181 BINDER__SET_CONTEXT_MGR, NULL); 2182 } 2183 2184 static int selinux_binder_transaction(struct task_struct *from, 2185 struct task_struct *to) 2186 { 2187 u32 mysid = current_sid(); 2188 u32 fromsid = task_sid(from); 2189 u32 tosid = task_sid(to); 2190 int rc; 2191 2192 if (mysid != fromsid) { 2193 rc = avc_has_perm(&selinux_state, 2194 mysid, fromsid, SECCLASS_BINDER, 2195 BINDER__IMPERSONATE, NULL); 2196 if (rc) 2197 return rc; 2198 } 2199 2200 return avc_has_perm(&selinux_state, 2201 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2202 NULL); 2203 } 2204 2205 static int selinux_binder_transfer_binder(struct task_struct *from, 2206 struct task_struct *to) 2207 { 2208 u32 fromsid = task_sid(from); 2209 u32 tosid = task_sid(to); 2210 2211 return avc_has_perm(&selinux_state, 2212 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2213 NULL); 2214 } 2215 2216 static int selinux_binder_transfer_file(struct task_struct *from, 2217 struct task_struct *to, 2218 struct file *file) 2219 { 2220 u32 sid = task_sid(to); 2221 struct file_security_struct *fsec = file->f_security; 2222 struct dentry *dentry = file->f_path.dentry; 2223 struct inode_security_struct *isec; 2224 struct common_audit_data ad; 2225 int rc; 2226 2227 ad.type = LSM_AUDIT_DATA_PATH; 2228 ad.u.path = file->f_path; 2229 2230 if (sid != fsec->sid) { 2231 rc = avc_has_perm(&selinux_state, 2232 sid, fsec->sid, 2233 SECCLASS_FD, 2234 FD__USE, 2235 &ad); 2236 if (rc) 2237 return rc; 2238 } 2239 2240 #ifdef CONFIG_BPF_SYSCALL 2241 rc = bpf_fd_pass(file, sid); 2242 if (rc) 2243 return rc; 2244 #endif 2245 2246 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2247 return 0; 2248 2249 isec = backing_inode_security(dentry); 2250 return avc_has_perm(&selinux_state, 2251 sid, isec->sid, isec->sclass, file_to_av(file), 2252 &ad); 2253 } 2254 2255 static int selinux_ptrace_access_check(struct task_struct *child, 2256 unsigned int mode) 2257 { 2258 u32 sid = current_sid(); 2259 u32 csid = task_sid(child); 2260 2261 if (mode & PTRACE_MODE_READ) 2262 return avc_has_perm(&selinux_state, 2263 sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2264 2265 return avc_has_perm(&selinux_state, 2266 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2267 } 2268 2269 static int selinux_ptrace_traceme(struct task_struct *parent) 2270 { 2271 return avc_has_perm(&selinux_state, 2272 task_sid(parent), current_sid(), SECCLASS_PROCESS, 2273 PROCESS__PTRACE, NULL); 2274 } 2275 2276 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2277 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2278 { 2279 return avc_has_perm(&selinux_state, 2280 current_sid(), task_sid(target), SECCLASS_PROCESS, 2281 PROCESS__GETCAP, NULL); 2282 } 2283 2284 static int selinux_capset(struct cred *new, const struct cred *old, 2285 const kernel_cap_t *effective, 2286 const kernel_cap_t *inheritable, 2287 const kernel_cap_t *permitted) 2288 { 2289 return avc_has_perm(&selinux_state, 2290 cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2291 PROCESS__SETCAP, NULL); 2292 } 2293 2294 /* 2295 * (This comment used to live with the selinux_task_setuid hook, 2296 * which was removed). 2297 * 2298 * Since setuid only affects the current process, and since the SELinux 2299 * controls are not based on the Linux identity attributes, SELinux does not 2300 * need to control this operation. However, SELinux does control the use of 2301 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2302 */ 2303 2304 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2305 int cap, int audit) 2306 { 2307 return cred_has_capability(cred, cap, audit, ns == &init_user_ns); 2308 } 2309 2310 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2311 { 2312 const struct cred *cred = current_cred(); 2313 int rc = 0; 2314 2315 if (!sb) 2316 return 0; 2317 2318 switch (cmds) { 2319 case Q_SYNC: 2320 case Q_QUOTAON: 2321 case Q_QUOTAOFF: 2322 case Q_SETINFO: 2323 case Q_SETQUOTA: 2324 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2325 break; 2326 case Q_GETFMT: 2327 case Q_GETINFO: 2328 case Q_GETQUOTA: 2329 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2330 break; 2331 default: 2332 rc = 0; /* let the kernel handle invalid cmds */ 2333 break; 2334 } 2335 return rc; 2336 } 2337 2338 static int selinux_quota_on(struct dentry *dentry) 2339 { 2340 const struct cred *cred = current_cred(); 2341 2342 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2343 } 2344 2345 static int selinux_syslog(int type) 2346 { 2347 switch (type) { 2348 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2349 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2350 return avc_has_perm(&selinux_state, 2351 current_sid(), SECINITSID_KERNEL, 2352 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2353 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2354 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2355 /* Set level of messages printed to console */ 2356 case SYSLOG_ACTION_CONSOLE_LEVEL: 2357 return avc_has_perm(&selinux_state, 2358 current_sid(), SECINITSID_KERNEL, 2359 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2360 NULL); 2361 } 2362 /* All other syslog types */ 2363 return avc_has_perm(&selinux_state, 2364 current_sid(), SECINITSID_KERNEL, 2365 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2366 } 2367 2368 /* 2369 * Check that a process has enough memory to allocate a new virtual 2370 * mapping. 0 means there is enough memory for the allocation to 2371 * succeed and -ENOMEM implies there is not. 2372 * 2373 * Do not audit the selinux permission check, as this is applied to all 2374 * processes that allocate mappings. 2375 */ 2376 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2377 { 2378 int rc, cap_sys_admin = 0; 2379 2380 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2381 SECURITY_CAP_NOAUDIT, true); 2382 if (rc == 0) 2383 cap_sys_admin = 1; 2384 2385 return cap_sys_admin; 2386 } 2387 2388 /* binprm security operations */ 2389 2390 static u32 ptrace_parent_sid(void) 2391 { 2392 u32 sid = 0; 2393 struct task_struct *tracer; 2394 2395 rcu_read_lock(); 2396 tracer = ptrace_parent(current); 2397 if (tracer) 2398 sid = task_sid(tracer); 2399 rcu_read_unlock(); 2400 2401 return sid; 2402 } 2403 2404 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2405 const struct task_security_struct *old_tsec, 2406 const struct task_security_struct *new_tsec) 2407 { 2408 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2409 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2410 int rc; 2411 u32 av; 2412 2413 if (!nnp && !nosuid) 2414 return 0; /* neither NNP nor nosuid */ 2415 2416 if (new_tsec->sid == old_tsec->sid) 2417 return 0; /* No change in credentials */ 2418 2419 /* 2420 * If the policy enables the nnp_nosuid_transition policy capability, 2421 * then we permit transitions under NNP or nosuid if the 2422 * policy allows the corresponding permission between 2423 * the old and new contexts. 2424 */ 2425 if (selinux_policycap_nnp_nosuid_transition()) { 2426 av = 0; 2427 if (nnp) 2428 av |= PROCESS2__NNP_TRANSITION; 2429 if (nosuid) 2430 av |= PROCESS2__NOSUID_TRANSITION; 2431 rc = avc_has_perm(&selinux_state, 2432 old_tsec->sid, new_tsec->sid, 2433 SECCLASS_PROCESS2, av, NULL); 2434 if (!rc) 2435 return 0; 2436 } 2437 2438 /* 2439 * We also permit NNP or nosuid transitions to bounded SIDs, 2440 * i.e. SIDs that are guaranteed to only be allowed a subset 2441 * of the permissions of the current SID. 2442 */ 2443 rc = security_bounded_transition(&selinux_state, old_tsec->sid, 2444 new_tsec->sid); 2445 if (!rc) 2446 return 0; 2447 2448 /* 2449 * On failure, preserve the errno values for NNP vs nosuid. 2450 * NNP: Operation not permitted for caller. 2451 * nosuid: Permission denied to file. 2452 */ 2453 if (nnp) 2454 return -EPERM; 2455 return -EACCES; 2456 } 2457 2458 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2459 { 2460 const struct task_security_struct *old_tsec; 2461 struct task_security_struct *new_tsec; 2462 struct inode_security_struct *isec; 2463 struct common_audit_data ad; 2464 struct inode *inode = file_inode(bprm->file); 2465 int rc; 2466 2467 /* SELinux context only depends on initial program or script and not 2468 * the script interpreter */ 2469 if (bprm->called_set_creds) 2470 return 0; 2471 2472 old_tsec = current_security(); 2473 new_tsec = bprm->cred->security; 2474 isec = inode_security(inode); 2475 2476 /* Default to the current task SID. */ 2477 new_tsec->sid = old_tsec->sid; 2478 new_tsec->osid = old_tsec->sid; 2479 2480 /* Reset fs, key, and sock SIDs on execve. */ 2481 new_tsec->create_sid = 0; 2482 new_tsec->keycreate_sid = 0; 2483 new_tsec->sockcreate_sid = 0; 2484 2485 if (old_tsec->exec_sid) { 2486 new_tsec->sid = old_tsec->exec_sid; 2487 /* Reset exec SID on execve. */ 2488 new_tsec->exec_sid = 0; 2489 2490 /* Fail on NNP or nosuid if not an allowed transition. */ 2491 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2492 if (rc) 2493 return rc; 2494 } else { 2495 /* Check for a default transition on this program. */ 2496 rc = security_transition_sid(&selinux_state, old_tsec->sid, 2497 isec->sid, SECCLASS_PROCESS, NULL, 2498 &new_tsec->sid); 2499 if (rc) 2500 return rc; 2501 2502 /* 2503 * Fallback to old SID on NNP or nosuid if not an allowed 2504 * transition. 2505 */ 2506 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2507 if (rc) 2508 new_tsec->sid = old_tsec->sid; 2509 } 2510 2511 ad.type = LSM_AUDIT_DATA_FILE; 2512 ad.u.file = bprm->file; 2513 2514 if (new_tsec->sid == old_tsec->sid) { 2515 rc = avc_has_perm(&selinux_state, 2516 old_tsec->sid, isec->sid, 2517 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2518 if (rc) 2519 return rc; 2520 } else { 2521 /* Check permissions for the transition. */ 2522 rc = avc_has_perm(&selinux_state, 2523 old_tsec->sid, new_tsec->sid, 2524 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2525 if (rc) 2526 return rc; 2527 2528 rc = avc_has_perm(&selinux_state, 2529 new_tsec->sid, isec->sid, 2530 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2531 if (rc) 2532 return rc; 2533 2534 /* Check for shared state */ 2535 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2536 rc = avc_has_perm(&selinux_state, 2537 old_tsec->sid, new_tsec->sid, 2538 SECCLASS_PROCESS, PROCESS__SHARE, 2539 NULL); 2540 if (rc) 2541 return -EPERM; 2542 } 2543 2544 /* Make sure that anyone attempting to ptrace over a task that 2545 * changes its SID has the appropriate permit */ 2546 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2547 u32 ptsid = ptrace_parent_sid(); 2548 if (ptsid != 0) { 2549 rc = avc_has_perm(&selinux_state, 2550 ptsid, new_tsec->sid, 2551 SECCLASS_PROCESS, 2552 PROCESS__PTRACE, NULL); 2553 if (rc) 2554 return -EPERM; 2555 } 2556 } 2557 2558 /* Clear any possibly unsafe personality bits on exec: */ 2559 bprm->per_clear |= PER_CLEAR_ON_SETID; 2560 2561 /* Enable secure mode for SIDs transitions unless 2562 the noatsecure permission is granted between 2563 the two SIDs, i.e. ahp returns 0. */ 2564 rc = avc_has_perm(&selinux_state, 2565 old_tsec->sid, new_tsec->sid, 2566 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2567 NULL); 2568 bprm->secureexec |= !!rc; 2569 } 2570 2571 return 0; 2572 } 2573 2574 static int match_file(const void *p, struct file *file, unsigned fd) 2575 { 2576 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2577 } 2578 2579 /* Derived from fs/exec.c:flush_old_files. */ 2580 static inline void flush_unauthorized_files(const struct cred *cred, 2581 struct files_struct *files) 2582 { 2583 struct file *file, *devnull = NULL; 2584 struct tty_struct *tty; 2585 int drop_tty = 0; 2586 unsigned n; 2587 2588 tty = get_current_tty(); 2589 if (tty) { 2590 spin_lock(&tty->files_lock); 2591 if (!list_empty(&tty->tty_files)) { 2592 struct tty_file_private *file_priv; 2593 2594 /* Revalidate access to controlling tty. 2595 Use file_path_has_perm on the tty path directly 2596 rather than using file_has_perm, as this particular 2597 open file may belong to another process and we are 2598 only interested in the inode-based check here. */ 2599 file_priv = list_first_entry(&tty->tty_files, 2600 struct tty_file_private, list); 2601 file = file_priv->file; 2602 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2603 drop_tty = 1; 2604 } 2605 spin_unlock(&tty->files_lock); 2606 tty_kref_put(tty); 2607 } 2608 /* Reset controlling tty. */ 2609 if (drop_tty) 2610 no_tty(); 2611 2612 /* Revalidate access to inherited open files. */ 2613 n = iterate_fd(files, 0, match_file, cred); 2614 if (!n) /* none found? */ 2615 return; 2616 2617 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2618 if (IS_ERR(devnull)) 2619 devnull = NULL; 2620 /* replace all the matching ones with this */ 2621 do { 2622 replace_fd(n - 1, devnull, 0); 2623 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2624 if (devnull) 2625 fput(devnull); 2626 } 2627 2628 /* 2629 * Prepare a process for imminent new credential changes due to exec 2630 */ 2631 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2632 { 2633 struct task_security_struct *new_tsec; 2634 struct rlimit *rlim, *initrlim; 2635 int rc, i; 2636 2637 new_tsec = bprm->cred->security; 2638 if (new_tsec->sid == new_tsec->osid) 2639 return; 2640 2641 /* Close files for which the new task SID is not authorized. */ 2642 flush_unauthorized_files(bprm->cred, current->files); 2643 2644 /* Always clear parent death signal on SID transitions. */ 2645 current->pdeath_signal = 0; 2646 2647 /* Check whether the new SID can inherit resource limits from the old 2648 * SID. If not, reset all soft limits to the lower of the current 2649 * task's hard limit and the init task's soft limit. 2650 * 2651 * Note that the setting of hard limits (even to lower them) can be 2652 * controlled by the setrlimit check. The inclusion of the init task's 2653 * soft limit into the computation is to avoid resetting soft limits 2654 * higher than the default soft limit for cases where the default is 2655 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2656 */ 2657 rc = avc_has_perm(&selinux_state, 2658 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2659 PROCESS__RLIMITINH, NULL); 2660 if (rc) { 2661 /* protect against do_prlimit() */ 2662 task_lock(current); 2663 for (i = 0; i < RLIM_NLIMITS; i++) { 2664 rlim = current->signal->rlim + i; 2665 initrlim = init_task.signal->rlim + i; 2666 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2667 } 2668 task_unlock(current); 2669 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2670 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2671 } 2672 } 2673 2674 /* 2675 * Clean up the process immediately after the installation of new credentials 2676 * due to exec 2677 */ 2678 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2679 { 2680 const struct task_security_struct *tsec = current_security(); 2681 struct itimerval itimer; 2682 u32 osid, sid; 2683 int rc, i; 2684 2685 osid = tsec->osid; 2686 sid = tsec->sid; 2687 2688 if (sid == osid) 2689 return; 2690 2691 /* Check whether the new SID can inherit signal state from the old SID. 2692 * If not, clear itimers to avoid subsequent signal generation and 2693 * flush and unblock signals. 2694 * 2695 * This must occur _after_ the task SID has been updated so that any 2696 * kill done after the flush will be checked against the new SID. 2697 */ 2698 rc = avc_has_perm(&selinux_state, 2699 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2700 if (rc) { 2701 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2702 memset(&itimer, 0, sizeof itimer); 2703 for (i = 0; i < 3; i++) 2704 do_setitimer(i, &itimer, NULL); 2705 } 2706 spin_lock_irq(¤t->sighand->siglock); 2707 if (!fatal_signal_pending(current)) { 2708 flush_sigqueue(¤t->pending); 2709 flush_sigqueue(¤t->signal->shared_pending); 2710 flush_signal_handlers(current, 1); 2711 sigemptyset(¤t->blocked); 2712 recalc_sigpending(); 2713 } 2714 spin_unlock_irq(¤t->sighand->siglock); 2715 } 2716 2717 /* Wake up the parent if it is waiting so that it can recheck 2718 * wait permission to the new task SID. */ 2719 read_lock(&tasklist_lock); 2720 __wake_up_parent(current, current->real_parent); 2721 read_unlock(&tasklist_lock); 2722 } 2723 2724 /* superblock security operations */ 2725 2726 static int selinux_sb_alloc_security(struct super_block *sb) 2727 { 2728 return superblock_alloc_security(sb); 2729 } 2730 2731 static void selinux_sb_free_security(struct super_block *sb) 2732 { 2733 superblock_free_security(sb); 2734 } 2735 2736 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2737 { 2738 if (plen > olen) 2739 return 0; 2740 2741 return !memcmp(prefix, option, plen); 2742 } 2743 2744 static inline int selinux_option(char *option, int len) 2745 { 2746 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2747 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2748 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2749 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || 2750 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); 2751 } 2752 2753 static inline void take_option(char **to, char *from, int *first, int len) 2754 { 2755 if (!*first) { 2756 **to = ','; 2757 *to += 1; 2758 } else 2759 *first = 0; 2760 memcpy(*to, from, len); 2761 *to += len; 2762 } 2763 2764 static inline void take_selinux_option(char **to, char *from, int *first, 2765 int len) 2766 { 2767 int current_size = 0; 2768 2769 if (!*first) { 2770 **to = '|'; 2771 *to += 1; 2772 } else 2773 *first = 0; 2774 2775 while (current_size < len) { 2776 if (*from != '"') { 2777 **to = *from; 2778 *to += 1; 2779 } 2780 from += 1; 2781 current_size += 1; 2782 } 2783 } 2784 2785 static int selinux_sb_copy_data(char *orig, char *copy) 2786 { 2787 int fnosec, fsec, rc = 0; 2788 char *in_save, *in_curr, *in_end; 2789 char *sec_curr, *nosec_save, *nosec; 2790 int open_quote = 0; 2791 2792 in_curr = orig; 2793 sec_curr = copy; 2794 2795 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2796 if (!nosec) { 2797 rc = -ENOMEM; 2798 goto out; 2799 } 2800 2801 nosec_save = nosec; 2802 fnosec = fsec = 1; 2803 in_save = in_end = orig; 2804 2805 do { 2806 if (*in_end == '"') 2807 open_quote = !open_quote; 2808 if ((*in_end == ',' && open_quote == 0) || 2809 *in_end == '\0') { 2810 int len = in_end - in_curr; 2811 2812 if (selinux_option(in_curr, len)) 2813 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2814 else 2815 take_option(&nosec, in_curr, &fnosec, len); 2816 2817 in_curr = in_end + 1; 2818 } 2819 } while (*in_end++); 2820 2821 strcpy(in_save, nosec_save); 2822 free_page((unsigned long)nosec_save); 2823 out: 2824 return rc; 2825 } 2826 2827 static int selinux_sb_remount(struct super_block *sb, void *data) 2828 { 2829 int rc, i, *flags; 2830 struct security_mnt_opts opts; 2831 char *secdata, **mount_options; 2832 struct superblock_security_struct *sbsec = sb->s_security; 2833 2834 if (!(sbsec->flags & SE_SBINITIALIZED)) 2835 return 0; 2836 2837 if (!data) 2838 return 0; 2839 2840 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 2841 return 0; 2842 2843 security_init_mnt_opts(&opts); 2844 secdata = alloc_secdata(); 2845 if (!secdata) 2846 return -ENOMEM; 2847 rc = selinux_sb_copy_data(data, secdata); 2848 if (rc) 2849 goto out_free_secdata; 2850 2851 rc = selinux_parse_opts_str(secdata, &opts); 2852 if (rc) 2853 goto out_free_secdata; 2854 2855 mount_options = opts.mnt_opts; 2856 flags = opts.mnt_opts_flags; 2857 2858 for (i = 0; i < opts.num_mnt_opts; i++) { 2859 u32 sid; 2860 2861 if (flags[i] == SBLABEL_MNT) 2862 continue; 2863 rc = security_context_str_to_sid(&selinux_state, 2864 mount_options[i], &sid, 2865 GFP_KERNEL); 2866 if (rc) { 2867 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 2868 "(%s) failed for (dev %s, type %s) errno=%d\n", 2869 mount_options[i], sb->s_id, sb->s_type->name, rc); 2870 goto out_free_opts; 2871 } 2872 rc = -EINVAL; 2873 switch (flags[i]) { 2874 case FSCONTEXT_MNT: 2875 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2876 goto out_bad_option; 2877 break; 2878 case CONTEXT_MNT: 2879 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2880 goto out_bad_option; 2881 break; 2882 case ROOTCONTEXT_MNT: { 2883 struct inode_security_struct *root_isec; 2884 root_isec = backing_inode_security(sb->s_root); 2885 2886 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2887 goto out_bad_option; 2888 break; 2889 } 2890 case DEFCONTEXT_MNT: 2891 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2892 goto out_bad_option; 2893 break; 2894 default: 2895 goto out_free_opts; 2896 } 2897 } 2898 2899 rc = 0; 2900 out_free_opts: 2901 security_free_mnt_opts(&opts); 2902 out_free_secdata: 2903 free_secdata(secdata); 2904 return rc; 2905 out_bad_option: 2906 printk(KERN_WARNING "SELinux: unable to change security options " 2907 "during remount (dev %s, type=%s)\n", sb->s_id, 2908 sb->s_type->name); 2909 goto out_free_opts; 2910 } 2911 2912 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2913 { 2914 const struct cred *cred = current_cred(); 2915 struct common_audit_data ad; 2916 int rc; 2917 2918 rc = superblock_doinit(sb, data); 2919 if (rc) 2920 return rc; 2921 2922 /* Allow all mounts performed by the kernel */ 2923 if (flags & MS_KERNMOUNT) 2924 return 0; 2925 2926 ad.type = LSM_AUDIT_DATA_DENTRY; 2927 ad.u.dentry = sb->s_root; 2928 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2929 } 2930 2931 static int selinux_sb_statfs(struct dentry *dentry) 2932 { 2933 const struct cred *cred = current_cred(); 2934 struct common_audit_data ad; 2935 2936 ad.type = LSM_AUDIT_DATA_DENTRY; 2937 ad.u.dentry = dentry->d_sb->s_root; 2938 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2939 } 2940 2941 static int selinux_mount(const char *dev_name, 2942 const struct path *path, 2943 const char *type, 2944 unsigned long flags, 2945 void *data) 2946 { 2947 const struct cred *cred = current_cred(); 2948 2949 if (flags & MS_REMOUNT) 2950 return superblock_has_perm(cred, path->dentry->d_sb, 2951 FILESYSTEM__REMOUNT, NULL); 2952 else 2953 return path_has_perm(cred, path, FILE__MOUNTON); 2954 } 2955 2956 static int selinux_umount(struct vfsmount *mnt, int flags) 2957 { 2958 const struct cred *cred = current_cred(); 2959 2960 return superblock_has_perm(cred, mnt->mnt_sb, 2961 FILESYSTEM__UNMOUNT, NULL); 2962 } 2963 2964 /* inode security operations */ 2965 2966 static int selinux_inode_alloc_security(struct inode *inode) 2967 { 2968 return inode_alloc_security(inode); 2969 } 2970 2971 static void selinux_inode_free_security(struct inode *inode) 2972 { 2973 inode_free_security(inode); 2974 } 2975 2976 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2977 const struct qstr *name, void **ctx, 2978 u32 *ctxlen) 2979 { 2980 u32 newsid; 2981 int rc; 2982 2983 rc = selinux_determine_inode_label(current_security(), 2984 d_inode(dentry->d_parent), name, 2985 inode_mode_to_security_class(mode), 2986 &newsid); 2987 if (rc) 2988 return rc; 2989 2990 return security_sid_to_context(&selinux_state, newsid, (char **)ctx, 2991 ctxlen); 2992 } 2993 2994 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2995 struct qstr *name, 2996 const struct cred *old, 2997 struct cred *new) 2998 { 2999 u32 newsid; 3000 int rc; 3001 struct task_security_struct *tsec; 3002 3003 rc = selinux_determine_inode_label(old->security, 3004 d_inode(dentry->d_parent), name, 3005 inode_mode_to_security_class(mode), 3006 &newsid); 3007 if (rc) 3008 return rc; 3009 3010 tsec = new->security; 3011 tsec->create_sid = newsid; 3012 return 0; 3013 } 3014 3015 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 3016 const struct qstr *qstr, 3017 const char **name, 3018 void **value, size_t *len) 3019 { 3020 const struct task_security_struct *tsec = current_security(); 3021 struct superblock_security_struct *sbsec; 3022 u32 newsid, clen; 3023 int rc; 3024 char *context; 3025 3026 sbsec = dir->i_sb->s_security; 3027 3028 newsid = tsec->create_sid; 3029 3030 rc = selinux_determine_inode_label(current_security(), 3031 dir, qstr, 3032 inode_mode_to_security_class(inode->i_mode), 3033 &newsid); 3034 if (rc) 3035 return rc; 3036 3037 /* Possibly defer initialization to selinux_complete_init. */ 3038 if (sbsec->flags & SE_SBINITIALIZED) { 3039 struct inode_security_struct *isec = inode->i_security; 3040 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3041 isec->sid = newsid; 3042 isec->initialized = LABEL_INITIALIZED; 3043 } 3044 3045 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT)) 3046 return -EOPNOTSUPP; 3047 3048 if (name) 3049 *name = XATTR_SELINUX_SUFFIX; 3050 3051 if (value && len) { 3052 rc = security_sid_to_context_force(&selinux_state, newsid, 3053 &context, &clen); 3054 if (rc) 3055 return rc; 3056 *value = context; 3057 *len = clen; 3058 } 3059 3060 return 0; 3061 } 3062 3063 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 3064 { 3065 return may_create(dir, dentry, SECCLASS_FILE); 3066 } 3067 3068 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 3069 { 3070 return may_link(dir, old_dentry, MAY_LINK); 3071 } 3072 3073 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 3074 { 3075 return may_link(dir, dentry, MAY_UNLINK); 3076 } 3077 3078 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 3079 { 3080 return may_create(dir, dentry, SECCLASS_LNK_FILE); 3081 } 3082 3083 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 3084 { 3085 return may_create(dir, dentry, SECCLASS_DIR); 3086 } 3087 3088 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 3089 { 3090 return may_link(dir, dentry, MAY_RMDIR); 3091 } 3092 3093 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 3094 { 3095 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 3096 } 3097 3098 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3099 struct inode *new_inode, struct dentry *new_dentry) 3100 { 3101 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3102 } 3103 3104 static int selinux_inode_readlink(struct dentry *dentry) 3105 { 3106 const struct cred *cred = current_cred(); 3107 3108 return dentry_has_perm(cred, dentry, FILE__READ); 3109 } 3110 3111 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3112 bool rcu) 3113 { 3114 const struct cred *cred = current_cred(); 3115 struct common_audit_data ad; 3116 struct inode_security_struct *isec; 3117 u32 sid; 3118 3119 validate_creds(cred); 3120 3121 ad.type = LSM_AUDIT_DATA_DENTRY; 3122 ad.u.dentry = dentry; 3123 sid = cred_sid(cred); 3124 isec = inode_security_rcu(inode, rcu); 3125 if (IS_ERR(isec)) 3126 return PTR_ERR(isec); 3127 3128 return avc_has_perm_flags(&selinux_state, 3129 sid, isec->sid, isec->sclass, FILE__READ, &ad, 3130 rcu ? MAY_NOT_BLOCK : 0); 3131 } 3132 3133 static noinline int audit_inode_permission(struct inode *inode, 3134 u32 perms, u32 audited, u32 denied, 3135 int result, 3136 unsigned flags) 3137 { 3138 struct common_audit_data ad; 3139 struct inode_security_struct *isec = inode->i_security; 3140 int rc; 3141 3142 ad.type = LSM_AUDIT_DATA_INODE; 3143 ad.u.inode = inode; 3144 3145 rc = slow_avc_audit(&selinux_state, 3146 current_sid(), isec->sid, isec->sclass, perms, 3147 audited, denied, result, &ad, flags); 3148 if (rc) 3149 return rc; 3150 return 0; 3151 } 3152 3153 static int selinux_inode_permission(struct inode *inode, int mask) 3154 { 3155 const struct cred *cred = current_cred(); 3156 u32 perms; 3157 bool from_access; 3158 unsigned flags = mask & MAY_NOT_BLOCK; 3159 struct inode_security_struct *isec; 3160 u32 sid; 3161 struct av_decision avd; 3162 int rc, rc2; 3163 u32 audited, denied; 3164 3165 from_access = mask & MAY_ACCESS; 3166 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3167 3168 /* No permission to check. Existence test. */ 3169 if (!mask) 3170 return 0; 3171 3172 validate_creds(cred); 3173 3174 if (unlikely(IS_PRIVATE(inode))) 3175 return 0; 3176 3177 perms = file_mask_to_av(inode->i_mode, mask); 3178 3179 sid = cred_sid(cred); 3180 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK); 3181 if (IS_ERR(isec)) 3182 return PTR_ERR(isec); 3183 3184 rc = avc_has_perm_noaudit(&selinux_state, 3185 sid, isec->sid, isec->sclass, perms, 0, &avd); 3186 audited = avc_audit_required(perms, &avd, rc, 3187 from_access ? FILE__AUDIT_ACCESS : 0, 3188 &denied); 3189 if (likely(!audited)) 3190 return rc; 3191 3192 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); 3193 if (rc2) 3194 return rc2; 3195 return rc; 3196 } 3197 3198 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3199 { 3200 const struct cred *cred = current_cred(); 3201 struct inode *inode = d_backing_inode(dentry); 3202 unsigned int ia_valid = iattr->ia_valid; 3203 __u32 av = FILE__WRITE; 3204 3205 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3206 if (ia_valid & ATTR_FORCE) { 3207 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3208 ATTR_FORCE); 3209 if (!ia_valid) 3210 return 0; 3211 } 3212 3213 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3214 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3215 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3216 3217 if (selinux_policycap_openperm() && 3218 inode->i_sb->s_magic != SOCKFS_MAGIC && 3219 (ia_valid & ATTR_SIZE) && 3220 !(ia_valid & ATTR_FILE)) 3221 av |= FILE__OPEN; 3222 3223 return dentry_has_perm(cred, dentry, av); 3224 } 3225 3226 static int selinux_inode_getattr(const struct path *path) 3227 { 3228 return path_has_perm(current_cred(), path, FILE__GETATTR); 3229 } 3230 3231 static bool has_cap_mac_admin(bool audit) 3232 { 3233 const struct cred *cred = current_cred(); 3234 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT; 3235 3236 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit)) 3237 return false; 3238 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true)) 3239 return false; 3240 return true; 3241 } 3242 3243 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3244 const void *value, size_t size, int flags) 3245 { 3246 struct inode *inode = d_backing_inode(dentry); 3247 struct inode_security_struct *isec; 3248 struct superblock_security_struct *sbsec; 3249 struct common_audit_data ad; 3250 u32 newsid, sid = current_sid(); 3251 int rc = 0; 3252 3253 if (strcmp(name, XATTR_NAME_SELINUX)) { 3254 rc = cap_inode_setxattr(dentry, name, value, size, flags); 3255 if (rc) 3256 return rc; 3257 3258 /* Not an attribute we recognize, so just check the 3259 ordinary setattr permission. */ 3260 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3261 } 3262 3263 sbsec = inode->i_sb->s_security; 3264 if (!(sbsec->flags & SBLABEL_MNT)) 3265 return -EOPNOTSUPP; 3266 3267 if (!inode_owner_or_capable(inode)) 3268 return -EPERM; 3269 3270 ad.type = LSM_AUDIT_DATA_DENTRY; 3271 ad.u.dentry = dentry; 3272 3273 isec = backing_inode_security(dentry); 3274 rc = avc_has_perm(&selinux_state, 3275 sid, isec->sid, isec->sclass, 3276 FILE__RELABELFROM, &ad); 3277 if (rc) 3278 return rc; 3279 3280 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3281 GFP_KERNEL); 3282 if (rc == -EINVAL) { 3283 if (!has_cap_mac_admin(true)) { 3284 struct audit_buffer *ab; 3285 size_t audit_size; 3286 3287 /* We strip a nul only if it is at the end, otherwise the 3288 * context contains a nul and we should audit that */ 3289 if (value) { 3290 const char *str = value; 3291 3292 if (str[size - 1] == '\0') 3293 audit_size = size - 1; 3294 else 3295 audit_size = size; 3296 } else { 3297 audit_size = 0; 3298 } 3299 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 3300 audit_log_format(ab, "op=setxattr invalid_context="); 3301 audit_log_n_untrustedstring(ab, value, audit_size); 3302 audit_log_end(ab); 3303 3304 return rc; 3305 } 3306 rc = security_context_to_sid_force(&selinux_state, value, 3307 size, &newsid); 3308 } 3309 if (rc) 3310 return rc; 3311 3312 rc = avc_has_perm(&selinux_state, 3313 sid, newsid, isec->sclass, 3314 FILE__RELABELTO, &ad); 3315 if (rc) 3316 return rc; 3317 3318 rc = security_validate_transition(&selinux_state, isec->sid, newsid, 3319 sid, isec->sclass); 3320 if (rc) 3321 return rc; 3322 3323 return avc_has_perm(&selinux_state, 3324 newsid, 3325 sbsec->sid, 3326 SECCLASS_FILESYSTEM, 3327 FILESYSTEM__ASSOCIATE, 3328 &ad); 3329 } 3330 3331 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3332 const void *value, size_t size, 3333 int flags) 3334 { 3335 struct inode *inode = d_backing_inode(dentry); 3336 struct inode_security_struct *isec; 3337 u32 newsid; 3338 int rc; 3339 3340 if (strcmp(name, XATTR_NAME_SELINUX)) { 3341 /* Not an attribute we recognize, so nothing to do. */ 3342 return; 3343 } 3344 3345 rc = security_context_to_sid_force(&selinux_state, value, size, 3346 &newsid); 3347 if (rc) { 3348 printk(KERN_ERR "SELinux: unable to map context to SID" 3349 "for (%s, %lu), rc=%d\n", 3350 inode->i_sb->s_id, inode->i_ino, -rc); 3351 return; 3352 } 3353 3354 isec = backing_inode_security(dentry); 3355 spin_lock(&isec->lock); 3356 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3357 isec->sid = newsid; 3358 isec->initialized = LABEL_INITIALIZED; 3359 spin_unlock(&isec->lock); 3360 3361 return; 3362 } 3363 3364 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3365 { 3366 const struct cred *cred = current_cred(); 3367 3368 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3369 } 3370 3371 static int selinux_inode_listxattr(struct dentry *dentry) 3372 { 3373 const struct cred *cred = current_cred(); 3374 3375 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3376 } 3377 3378 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3379 { 3380 if (strcmp(name, XATTR_NAME_SELINUX)) { 3381 int rc = cap_inode_removexattr(dentry, name); 3382 if (rc) 3383 return rc; 3384 3385 /* Not an attribute we recognize, so just check the 3386 ordinary setattr permission. */ 3387 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3388 } 3389 3390 /* No one is allowed to remove a SELinux security label. 3391 You can change the label, but all data must be labeled. */ 3392 return -EACCES; 3393 } 3394 3395 /* 3396 * Copy the inode security context value to the user. 3397 * 3398 * Permission check is handled by selinux_inode_getxattr hook. 3399 */ 3400 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3401 { 3402 u32 size; 3403 int error; 3404 char *context = NULL; 3405 struct inode_security_struct *isec; 3406 3407 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3408 return -EOPNOTSUPP; 3409 3410 /* 3411 * If the caller has CAP_MAC_ADMIN, then get the raw context 3412 * value even if it is not defined by current policy; otherwise, 3413 * use the in-core value under current policy. 3414 * Use the non-auditing forms of the permission checks since 3415 * getxattr may be called by unprivileged processes commonly 3416 * and lack of permission just means that we fall back to the 3417 * in-core context value, not a denial. 3418 */ 3419 isec = inode_security(inode); 3420 if (has_cap_mac_admin(false)) 3421 error = security_sid_to_context_force(&selinux_state, 3422 isec->sid, &context, 3423 &size); 3424 else 3425 error = security_sid_to_context(&selinux_state, isec->sid, 3426 &context, &size); 3427 if (error) 3428 return error; 3429 error = size; 3430 if (alloc) { 3431 *buffer = context; 3432 goto out_nofree; 3433 } 3434 kfree(context); 3435 out_nofree: 3436 return error; 3437 } 3438 3439 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3440 const void *value, size_t size, int flags) 3441 { 3442 struct inode_security_struct *isec = inode_security_novalidate(inode); 3443 u32 newsid; 3444 int rc; 3445 3446 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3447 return -EOPNOTSUPP; 3448 3449 if (!value || !size) 3450 return -EACCES; 3451 3452 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3453 GFP_KERNEL); 3454 if (rc) 3455 return rc; 3456 3457 spin_lock(&isec->lock); 3458 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3459 isec->sid = newsid; 3460 isec->initialized = LABEL_INITIALIZED; 3461 spin_unlock(&isec->lock); 3462 return 0; 3463 } 3464 3465 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3466 { 3467 const int len = sizeof(XATTR_NAME_SELINUX); 3468 if (buffer && len <= buffer_size) 3469 memcpy(buffer, XATTR_NAME_SELINUX, len); 3470 return len; 3471 } 3472 3473 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3474 { 3475 struct inode_security_struct *isec = inode_security_novalidate(inode); 3476 *secid = isec->sid; 3477 } 3478 3479 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3480 { 3481 u32 sid; 3482 struct task_security_struct *tsec; 3483 struct cred *new_creds = *new; 3484 3485 if (new_creds == NULL) { 3486 new_creds = prepare_creds(); 3487 if (!new_creds) 3488 return -ENOMEM; 3489 } 3490 3491 tsec = new_creds->security; 3492 /* Get label from overlay inode and set it in create_sid */ 3493 selinux_inode_getsecid(d_inode(src), &sid); 3494 tsec->create_sid = sid; 3495 *new = new_creds; 3496 return 0; 3497 } 3498 3499 static int selinux_inode_copy_up_xattr(const char *name) 3500 { 3501 /* The copy_up hook above sets the initial context on an inode, but we 3502 * don't then want to overwrite it by blindly copying all the lower 3503 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3504 */ 3505 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3506 return 1; /* Discard */ 3507 /* 3508 * Any other attribute apart from SELINUX is not claimed, supported 3509 * by selinux. 3510 */ 3511 return -EOPNOTSUPP; 3512 } 3513 3514 /* file security operations */ 3515 3516 static int selinux_revalidate_file_permission(struct file *file, int mask) 3517 { 3518 const struct cred *cred = current_cred(); 3519 struct inode *inode = file_inode(file); 3520 3521 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3522 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3523 mask |= MAY_APPEND; 3524 3525 return file_has_perm(cred, file, 3526 file_mask_to_av(inode->i_mode, mask)); 3527 } 3528 3529 static int selinux_file_permission(struct file *file, int mask) 3530 { 3531 struct inode *inode = file_inode(file); 3532 struct file_security_struct *fsec = file->f_security; 3533 struct inode_security_struct *isec; 3534 u32 sid = current_sid(); 3535 3536 if (!mask) 3537 /* No permission to check. Existence test. */ 3538 return 0; 3539 3540 isec = inode_security(inode); 3541 if (sid == fsec->sid && fsec->isid == isec->sid && 3542 fsec->pseqno == avc_policy_seqno(&selinux_state)) 3543 /* No change since file_open check. */ 3544 return 0; 3545 3546 return selinux_revalidate_file_permission(file, mask); 3547 } 3548 3549 static int selinux_file_alloc_security(struct file *file) 3550 { 3551 return file_alloc_security(file); 3552 } 3553 3554 static void selinux_file_free_security(struct file *file) 3555 { 3556 file_free_security(file); 3557 } 3558 3559 /* 3560 * Check whether a task has the ioctl permission and cmd 3561 * operation to an inode. 3562 */ 3563 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3564 u32 requested, u16 cmd) 3565 { 3566 struct common_audit_data ad; 3567 struct file_security_struct *fsec = file->f_security; 3568 struct inode *inode = file_inode(file); 3569 struct inode_security_struct *isec; 3570 struct lsm_ioctlop_audit ioctl; 3571 u32 ssid = cred_sid(cred); 3572 int rc; 3573 u8 driver = cmd >> 8; 3574 u8 xperm = cmd & 0xff; 3575 3576 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3577 ad.u.op = &ioctl; 3578 ad.u.op->cmd = cmd; 3579 ad.u.op->path = file->f_path; 3580 3581 if (ssid != fsec->sid) { 3582 rc = avc_has_perm(&selinux_state, 3583 ssid, fsec->sid, 3584 SECCLASS_FD, 3585 FD__USE, 3586 &ad); 3587 if (rc) 3588 goto out; 3589 } 3590 3591 if (unlikely(IS_PRIVATE(inode))) 3592 return 0; 3593 3594 isec = inode_security(inode); 3595 rc = avc_has_extended_perms(&selinux_state, 3596 ssid, isec->sid, isec->sclass, 3597 requested, driver, xperm, &ad); 3598 out: 3599 return rc; 3600 } 3601 3602 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3603 unsigned long arg) 3604 { 3605 const struct cred *cred = current_cred(); 3606 int error = 0; 3607 3608 switch (cmd) { 3609 case FIONREAD: 3610 /* fall through */ 3611 case FIBMAP: 3612 /* fall through */ 3613 case FIGETBSZ: 3614 /* fall through */ 3615 case FS_IOC_GETFLAGS: 3616 /* fall through */ 3617 case FS_IOC_GETVERSION: 3618 error = file_has_perm(cred, file, FILE__GETATTR); 3619 break; 3620 3621 case FS_IOC_SETFLAGS: 3622 /* fall through */ 3623 case FS_IOC_SETVERSION: 3624 error = file_has_perm(cred, file, FILE__SETATTR); 3625 break; 3626 3627 /* sys_ioctl() checks */ 3628 case FIONBIO: 3629 /* fall through */ 3630 case FIOASYNC: 3631 error = file_has_perm(cred, file, 0); 3632 break; 3633 3634 case KDSKBENT: 3635 case KDSKBSENT: 3636 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3637 SECURITY_CAP_AUDIT, true); 3638 break; 3639 3640 /* default case assumes that the command will go 3641 * to the file's ioctl() function. 3642 */ 3643 default: 3644 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3645 } 3646 return error; 3647 } 3648 3649 static int default_noexec; 3650 3651 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3652 { 3653 const struct cred *cred = current_cred(); 3654 u32 sid = cred_sid(cred); 3655 int rc = 0; 3656 3657 if (default_noexec && 3658 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3659 (!shared && (prot & PROT_WRITE)))) { 3660 /* 3661 * We are making executable an anonymous mapping or a 3662 * private file mapping that will also be writable. 3663 * This has an additional check. 3664 */ 3665 rc = avc_has_perm(&selinux_state, 3666 sid, sid, SECCLASS_PROCESS, 3667 PROCESS__EXECMEM, NULL); 3668 if (rc) 3669 goto error; 3670 } 3671 3672 if (file) { 3673 /* read access is always possible with a mapping */ 3674 u32 av = FILE__READ; 3675 3676 /* write access only matters if the mapping is shared */ 3677 if (shared && (prot & PROT_WRITE)) 3678 av |= FILE__WRITE; 3679 3680 if (prot & PROT_EXEC) 3681 av |= FILE__EXECUTE; 3682 3683 return file_has_perm(cred, file, av); 3684 } 3685 3686 error: 3687 return rc; 3688 } 3689 3690 static int selinux_mmap_addr(unsigned long addr) 3691 { 3692 int rc = 0; 3693 3694 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3695 u32 sid = current_sid(); 3696 rc = avc_has_perm(&selinux_state, 3697 sid, sid, SECCLASS_MEMPROTECT, 3698 MEMPROTECT__MMAP_ZERO, NULL); 3699 } 3700 3701 return rc; 3702 } 3703 3704 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3705 unsigned long prot, unsigned long flags) 3706 { 3707 struct common_audit_data ad; 3708 int rc; 3709 3710 if (file) { 3711 ad.type = LSM_AUDIT_DATA_FILE; 3712 ad.u.file = file; 3713 rc = inode_has_perm(current_cred(), file_inode(file), 3714 FILE__MAP, &ad); 3715 if (rc) 3716 return rc; 3717 } 3718 3719 if (selinux_state.checkreqprot) 3720 prot = reqprot; 3721 3722 return file_map_prot_check(file, prot, 3723 (flags & MAP_TYPE) == MAP_SHARED); 3724 } 3725 3726 static int selinux_file_mprotect(struct vm_area_struct *vma, 3727 unsigned long reqprot, 3728 unsigned long prot) 3729 { 3730 const struct cred *cred = current_cred(); 3731 u32 sid = cred_sid(cred); 3732 3733 if (selinux_state.checkreqprot) 3734 prot = reqprot; 3735 3736 if (default_noexec && 3737 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3738 int rc = 0; 3739 if (vma->vm_start >= vma->vm_mm->start_brk && 3740 vma->vm_end <= vma->vm_mm->brk) { 3741 rc = avc_has_perm(&selinux_state, 3742 sid, sid, SECCLASS_PROCESS, 3743 PROCESS__EXECHEAP, NULL); 3744 } else if (!vma->vm_file && 3745 ((vma->vm_start <= vma->vm_mm->start_stack && 3746 vma->vm_end >= vma->vm_mm->start_stack) || 3747 vma_is_stack_for_current(vma))) { 3748 rc = avc_has_perm(&selinux_state, 3749 sid, sid, SECCLASS_PROCESS, 3750 PROCESS__EXECSTACK, NULL); 3751 } else if (vma->vm_file && vma->anon_vma) { 3752 /* 3753 * We are making executable a file mapping that has 3754 * had some COW done. Since pages might have been 3755 * written, check ability to execute the possibly 3756 * modified content. This typically should only 3757 * occur for text relocations. 3758 */ 3759 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3760 } 3761 if (rc) 3762 return rc; 3763 } 3764 3765 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3766 } 3767 3768 static int selinux_file_lock(struct file *file, unsigned int cmd) 3769 { 3770 const struct cred *cred = current_cred(); 3771 3772 return file_has_perm(cred, file, FILE__LOCK); 3773 } 3774 3775 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3776 unsigned long arg) 3777 { 3778 const struct cred *cred = current_cred(); 3779 int err = 0; 3780 3781 switch (cmd) { 3782 case F_SETFL: 3783 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3784 err = file_has_perm(cred, file, FILE__WRITE); 3785 break; 3786 } 3787 /* fall through */ 3788 case F_SETOWN: 3789 case F_SETSIG: 3790 case F_GETFL: 3791 case F_GETOWN: 3792 case F_GETSIG: 3793 case F_GETOWNER_UIDS: 3794 /* Just check FD__USE permission */ 3795 err = file_has_perm(cred, file, 0); 3796 break; 3797 case F_GETLK: 3798 case F_SETLK: 3799 case F_SETLKW: 3800 case F_OFD_GETLK: 3801 case F_OFD_SETLK: 3802 case F_OFD_SETLKW: 3803 #if BITS_PER_LONG == 32 3804 case F_GETLK64: 3805 case F_SETLK64: 3806 case F_SETLKW64: 3807 #endif 3808 err = file_has_perm(cred, file, FILE__LOCK); 3809 break; 3810 } 3811 3812 return err; 3813 } 3814 3815 static void selinux_file_set_fowner(struct file *file) 3816 { 3817 struct file_security_struct *fsec; 3818 3819 fsec = file->f_security; 3820 fsec->fown_sid = current_sid(); 3821 } 3822 3823 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3824 struct fown_struct *fown, int signum) 3825 { 3826 struct file *file; 3827 u32 sid = task_sid(tsk); 3828 u32 perm; 3829 struct file_security_struct *fsec; 3830 3831 /* struct fown_struct is never outside the context of a struct file */ 3832 file = container_of(fown, struct file, f_owner); 3833 3834 fsec = file->f_security; 3835 3836 if (!signum) 3837 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3838 else 3839 perm = signal_to_av(signum); 3840 3841 return avc_has_perm(&selinux_state, 3842 fsec->fown_sid, sid, 3843 SECCLASS_PROCESS, perm, NULL); 3844 } 3845 3846 static int selinux_file_receive(struct file *file) 3847 { 3848 const struct cred *cred = current_cred(); 3849 3850 return file_has_perm(cred, file, file_to_av(file)); 3851 } 3852 3853 static int selinux_file_open(struct file *file, const struct cred *cred) 3854 { 3855 struct file_security_struct *fsec; 3856 struct inode_security_struct *isec; 3857 3858 fsec = file->f_security; 3859 isec = inode_security(file_inode(file)); 3860 /* 3861 * Save inode label and policy sequence number 3862 * at open-time so that selinux_file_permission 3863 * can determine whether revalidation is necessary. 3864 * Task label is already saved in the file security 3865 * struct as its SID. 3866 */ 3867 fsec->isid = isec->sid; 3868 fsec->pseqno = avc_policy_seqno(&selinux_state); 3869 /* 3870 * Since the inode label or policy seqno may have changed 3871 * between the selinux_inode_permission check and the saving 3872 * of state above, recheck that access is still permitted. 3873 * Otherwise, access might never be revalidated against the 3874 * new inode label or new policy. 3875 * This check is not redundant - do not remove. 3876 */ 3877 return file_path_has_perm(cred, file, open_file_to_av(file)); 3878 } 3879 3880 /* task security operations */ 3881 3882 static int selinux_task_alloc(struct task_struct *task, 3883 unsigned long clone_flags) 3884 { 3885 u32 sid = current_sid(); 3886 3887 return avc_has_perm(&selinux_state, 3888 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3889 } 3890 3891 /* 3892 * allocate the SELinux part of blank credentials 3893 */ 3894 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3895 { 3896 struct task_security_struct *tsec; 3897 3898 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3899 if (!tsec) 3900 return -ENOMEM; 3901 3902 cred->security = tsec; 3903 return 0; 3904 } 3905 3906 /* 3907 * detach and free the LSM part of a set of credentials 3908 */ 3909 static void selinux_cred_free(struct cred *cred) 3910 { 3911 struct task_security_struct *tsec = cred->security; 3912 3913 /* 3914 * cred->security == NULL if security_cred_alloc_blank() or 3915 * security_prepare_creds() returned an error. 3916 */ 3917 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); 3918 cred->security = (void *) 0x7UL; 3919 kfree(tsec); 3920 } 3921 3922 /* 3923 * prepare a new set of credentials for modification 3924 */ 3925 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3926 gfp_t gfp) 3927 { 3928 const struct task_security_struct *old_tsec; 3929 struct task_security_struct *tsec; 3930 3931 old_tsec = old->security; 3932 3933 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3934 if (!tsec) 3935 return -ENOMEM; 3936 3937 new->security = tsec; 3938 return 0; 3939 } 3940 3941 /* 3942 * transfer the SELinux data to a blank set of creds 3943 */ 3944 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3945 { 3946 const struct task_security_struct *old_tsec = old->security; 3947 struct task_security_struct *tsec = new->security; 3948 3949 *tsec = *old_tsec; 3950 } 3951 3952 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 3953 { 3954 *secid = cred_sid(c); 3955 } 3956 3957 /* 3958 * set the security data for a kernel service 3959 * - all the creation contexts are set to unlabelled 3960 */ 3961 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3962 { 3963 struct task_security_struct *tsec = new->security; 3964 u32 sid = current_sid(); 3965 int ret; 3966 3967 ret = avc_has_perm(&selinux_state, 3968 sid, secid, 3969 SECCLASS_KERNEL_SERVICE, 3970 KERNEL_SERVICE__USE_AS_OVERRIDE, 3971 NULL); 3972 if (ret == 0) { 3973 tsec->sid = secid; 3974 tsec->create_sid = 0; 3975 tsec->keycreate_sid = 0; 3976 tsec->sockcreate_sid = 0; 3977 } 3978 return ret; 3979 } 3980 3981 /* 3982 * set the file creation context in a security record to the same as the 3983 * objective context of the specified inode 3984 */ 3985 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3986 { 3987 struct inode_security_struct *isec = inode_security(inode); 3988 struct task_security_struct *tsec = new->security; 3989 u32 sid = current_sid(); 3990 int ret; 3991 3992 ret = avc_has_perm(&selinux_state, 3993 sid, isec->sid, 3994 SECCLASS_KERNEL_SERVICE, 3995 KERNEL_SERVICE__CREATE_FILES_AS, 3996 NULL); 3997 3998 if (ret == 0) 3999 tsec->create_sid = isec->sid; 4000 return ret; 4001 } 4002 4003 static int selinux_kernel_module_request(char *kmod_name) 4004 { 4005 struct common_audit_data ad; 4006 4007 ad.type = LSM_AUDIT_DATA_KMOD; 4008 ad.u.kmod_name = kmod_name; 4009 4010 return avc_has_perm(&selinux_state, 4011 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4012 SYSTEM__MODULE_REQUEST, &ad); 4013 } 4014 4015 static int selinux_kernel_module_from_file(struct file *file) 4016 { 4017 struct common_audit_data ad; 4018 struct inode_security_struct *isec; 4019 struct file_security_struct *fsec; 4020 u32 sid = current_sid(); 4021 int rc; 4022 4023 /* init_module */ 4024 if (file == NULL) 4025 return avc_has_perm(&selinux_state, 4026 sid, sid, SECCLASS_SYSTEM, 4027 SYSTEM__MODULE_LOAD, NULL); 4028 4029 /* finit_module */ 4030 4031 ad.type = LSM_AUDIT_DATA_FILE; 4032 ad.u.file = file; 4033 4034 fsec = file->f_security; 4035 if (sid != fsec->sid) { 4036 rc = avc_has_perm(&selinux_state, 4037 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4038 if (rc) 4039 return rc; 4040 } 4041 4042 isec = inode_security(file_inode(file)); 4043 return avc_has_perm(&selinux_state, 4044 sid, isec->sid, SECCLASS_SYSTEM, 4045 SYSTEM__MODULE_LOAD, &ad); 4046 } 4047 4048 static int selinux_kernel_read_file(struct file *file, 4049 enum kernel_read_file_id id) 4050 { 4051 int rc = 0; 4052 4053 switch (id) { 4054 case READING_MODULE: 4055 rc = selinux_kernel_module_from_file(file); 4056 break; 4057 default: 4058 break; 4059 } 4060 4061 return rc; 4062 } 4063 4064 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4065 { 4066 return avc_has_perm(&selinux_state, 4067 current_sid(), task_sid(p), SECCLASS_PROCESS, 4068 PROCESS__SETPGID, NULL); 4069 } 4070 4071 static int selinux_task_getpgid(struct task_struct *p) 4072 { 4073 return avc_has_perm(&selinux_state, 4074 current_sid(), task_sid(p), SECCLASS_PROCESS, 4075 PROCESS__GETPGID, NULL); 4076 } 4077 4078 static int selinux_task_getsid(struct task_struct *p) 4079 { 4080 return avc_has_perm(&selinux_state, 4081 current_sid(), task_sid(p), SECCLASS_PROCESS, 4082 PROCESS__GETSESSION, NULL); 4083 } 4084 4085 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 4086 { 4087 *secid = task_sid(p); 4088 } 4089 4090 static int selinux_task_setnice(struct task_struct *p, int nice) 4091 { 4092 return avc_has_perm(&selinux_state, 4093 current_sid(), task_sid(p), SECCLASS_PROCESS, 4094 PROCESS__SETSCHED, NULL); 4095 } 4096 4097 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4098 { 4099 return avc_has_perm(&selinux_state, 4100 current_sid(), task_sid(p), SECCLASS_PROCESS, 4101 PROCESS__SETSCHED, NULL); 4102 } 4103 4104 static int selinux_task_getioprio(struct task_struct *p) 4105 { 4106 return avc_has_perm(&selinux_state, 4107 current_sid(), task_sid(p), SECCLASS_PROCESS, 4108 PROCESS__GETSCHED, NULL); 4109 } 4110 4111 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4112 unsigned int flags) 4113 { 4114 u32 av = 0; 4115 4116 if (!flags) 4117 return 0; 4118 if (flags & LSM_PRLIMIT_WRITE) 4119 av |= PROCESS__SETRLIMIT; 4120 if (flags & LSM_PRLIMIT_READ) 4121 av |= PROCESS__GETRLIMIT; 4122 return avc_has_perm(&selinux_state, 4123 cred_sid(cred), cred_sid(tcred), 4124 SECCLASS_PROCESS, av, NULL); 4125 } 4126 4127 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4128 struct rlimit *new_rlim) 4129 { 4130 struct rlimit *old_rlim = p->signal->rlim + resource; 4131 4132 /* Control the ability to change the hard limit (whether 4133 lowering or raising it), so that the hard limit can 4134 later be used as a safe reset point for the soft limit 4135 upon context transitions. See selinux_bprm_committing_creds. */ 4136 if (old_rlim->rlim_max != new_rlim->rlim_max) 4137 return avc_has_perm(&selinux_state, 4138 current_sid(), task_sid(p), 4139 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4140 4141 return 0; 4142 } 4143 4144 static int selinux_task_setscheduler(struct task_struct *p) 4145 { 4146 return avc_has_perm(&selinux_state, 4147 current_sid(), task_sid(p), SECCLASS_PROCESS, 4148 PROCESS__SETSCHED, NULL); 4149 } 4150 4151 static int selinux_task_getscheduler(struct task_struct *p) 4152 { 4153 return avc_has_perm(&selinux_state, 4154 current_sid(), task_sid(p), SECCLASS_PROCESS, 4155 PROCESS__GETSCHED, NULL); 4156 } 4157 4158 static int selinux_task_movememory(struct task_struct *p) 4159 { 4160 return avc_has_perm(&selinux_state, 4161 current_sid(), task_sid(p), SECCLASS_PROCESS, 4162 PROCESS__SETSCHED, NULL); 4163 } 4164 4165 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 4166 int sig, const struct cred *cred) 4167 { 4168 u32 secid; 4169 u32 perm; 4170 4171 if (!sig) 4172 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4173 else 4174 perm = signal_to_av(sig); 4175 if (!cred) 4176 secid = current_sid(); 4177 else 4178 secid = cred_sid(cred); 4179 return avc_has_perm(&selinux_state, 4180 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4181 } 4182 4183 static void selinux_task_to_inode(struct task_struct *p, 4184 struct inode *inode) 4185 { 4186 struct inode_security_struct *isec = inode->i_security; 4187 u32 sid = task_sid(p); 4188 4189 spin_lock(&isec->lock); 4190 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4191 isec->sid = sid; 4192 isec->initialized = LABEL_INITIALIZED; 4193 spin_unlock(&isec->lock); 4194 } 4195 4196 /* Returns error only if unable to parse addresses */ 4197 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4198 struct common_audit_data *ad, u8 *proto) 4199 { 4200 int offset, ihlen, ret = -EINVAL; 4201 struct iphdr _iph, *ih; 4202 4203 offset = skb_network_offset(skb); 4204 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4205 if (ih == NULL) 4206 goto out; 4207 4208 ihlen = ih->ihl * 4; 4209 if (ihlen < sizeof(_iph)) 4210 goto out; 4211 4212 ad->u.net->v4info.saddr = ih->saddr; 4213 ad->u.net->v4info.daddr = ih->daddr; 4214 ret = 0; 4215 4216 if (proto) 4217 *proto = ih->protocol; 4218 4219 switch (ih->protocol) { 4220 case IPPROTO_TCP: { 4221 struct tcphdr _tcph, *th; 4222 4223 if (ntohs(ih->frag_off) & IP_OFFSET) 4224 break; 4225 4226 offset += ihlen; 4227 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4228 if (th == NULL) 4229 break; 4230 4231 ad->u.net->sport = th->source; 4232 ad->u.net->dport = th->dest; 4233 break; 4234 } 4235 4236 case IPPROTO_UDP: { 4237 struct udphdr _udph, *uh; 4238 4239 if (ntohs(ih->frag_off) & IP_OFFSET) 4240 break; 4241 4242 offset += ihlen; 4243 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4244 if (uh == NULL) 4245 break; 4246 4247 ad->u.net->sport = uh->source; 4248 ad->u.net->dport = uh->dest; 4249 break; 4250 } 4251 4252 case IPPROTO_DCCP: { 4253 struct dccp_hdr _dccph, *dh; 4254 4255 if (ntohs(ih->frag_off) & IP_OFFSET) 4256 break; 4257 4258 offset += ihlen; 4259 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4260 if (dh == NULL) 4261 break; 4262 4263 ad->u.net->sport = dh->dccph_sport; 4264 ad->u.net->dport = dh->dccph_dport; 4265 break; 4266 } 4267 4268 #if IS_ENABLED(CONFIG_IP_SCTP) 4269 case IPPROTO_SCTP: { 4270 struct sctphdr _sctph, *sh; 4271 4272 if (ntohs(ih->frag_off) & IP_OFFSET) 4273 break; 4274 4275 offset += ihlen; 4276 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4277 if (sh == NULL) 4278 break; 4279 4280 ad->u.net->sport = sh->source; 4281 ad->u.net->dport = sh->dest; 4282 break; 4283 } 4284 #endif 4285 default: 4286 break; 4287 } 4288 out: 4289 return ret; 4290 } 4291 4292 #if IS_ENABLED(CONFIG_IPV6) 4293 4294 /* Returns error only if unable to parse addresses */ 4295 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4296 struct common_audit_data *ad, u8 *proto) 4297 { 4298 u8 nexthdr; 4299 int ret = -EINVAL, offset; 4300 struct ipv6hdr _ipv6h, *ip6; 4301 __be16 frag_off; 4302 4303 offset = skb_network_offset(skb); 4304 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4305 if (ip6 == NULL) 4306 goto out; 4307 4308 ad->u.net->v6info.saddr = ip6->saddr; 4309 ad->u.net->v6info.daddr = ip6->daddr; 4310 ret = 0; 4311 4312 nexthdr = ip6->nexthdr; 4313 offset += sizeof(_ipv6h); 4314 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4315 if (offset < 0) 4316 goto out; 4317 4318 if (proto) 4319 *proto = nexthdr; 4320 4321 switch (nexthdr) { 4322 case IPPROTO_TCP: { 4323 struct tcphdr _tcph, *th; 4324 4325 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4326 if (th == NULL) 4327 break; 4328 4329 ad->u.net->sport = th->source; 4330 ad->u.net->dport = th->dest; 4331 break; 4332 } 4333 4334 case IPPROTO_UDP: { 4335 struct udphdr _udph, *uh; 4336 4337 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4338 if (uh == NULL) 4339 break; 4340 4341 ad->u.net->sport = uh->source; 4342 ad->u.net->dport = uh->dest; 4343 break; 4344 } 4345 4346 case IPPROTO_DCCP: { 4347 struct dccp_hdr _dccph, *dh; 4348 4349 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4350 if (dh == NULL) 4351 break; 4352 4353 ad->u.net->sport = dh->dccph_sport; 4354 ad->u.net->dport = dh->dccph_dport; 4355 break; 4356 } 4357 4358 #if IS_ENABLED(CONFIG_IP_SCTP) 4359 case IPPROTO_SCTP: { 4360 struct sctphdr _sctph, *sh; 4361 4362 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4363 if (sh == NULL) 4364 break; 4365 4366 ad->u.net->sport = sh->source; 4367 ad->u.net->dport = sh->dest; 4368 break; 4369 } 4370 #endif 4371 /* includes fragments */ 4372 default: 4373 break; 4374 } 4375 out: 4376 return ret; 4377 } 4378 4379 #endif /* IPV6 */ 4380 4381 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4382 char **_addrp, int src, u8 *proto) 4383 { 4384 char *addrp; 4385 int ret; 4386 4387 switch (ad->u.net->family) { 4388 case PF_INET: 4389 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4390 if (ret) 4391 goto parse_error; 4392 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4393 &ad->u.net->v4info.daddr); 4394 goto okay; 4395 4396 #if IS_ENABLED(CONFIG_IPV6) 4397 case PF_INET6: 4398 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4399 if (ret) 4400 goto parse_error; 4401 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4402 &ad->u.net->v6info.daddr); 4403 goto okay; 4404 #endif /* IPV6 */ 4405 default: 4406 addrp = NULL; 4407 goto okay; 4408 } 4409 4410 parse_error: 4411 printk(KERN_WARNING 4412 "SELinux: failure in selinux_parse_skb()," 4413 " unable to parse packet\n"); 4414 return ret; 4415 4416 okay: 4417 if (_addrp) 4418 *_addrp = addrp; 4419 return 0; 4420 } 4421 4422 /** 4423 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4424 * @skb: the packet 4425 * @family: protocol family 4426 * @sid: the packet's peer label SID 4427 * 4428 * Description: 4429 * Check the various different forms of network peer labeling and determine 4430 * the peer label/SID for the packet; most of the magic actually occurs in 4431 * the security server function security_net_peersid_cmp(). The function 4432 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4433 * or -EACCES if @sid is invalid due to inconsistencies with the different 4434 * peer labels. 4435 * 4436 */ 4437 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4438 { 4439 int err; 4440 u32 xfrm_sid; 4441 u32 nlbl_sid; 4442 u32 nlbl_type; 4443 4444 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4445 if (unlikely(err)) 4446 return -EACCES; 4447 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4448 if (unlikely(err)) 4449 return -EACCES; 4450 4451 err = security_net_peersid_resolve(&selinux_state, nlbl_sid, 4452 nlbl_type, xfrm_sid, sid); 4453 if (unlikely(err)) { 4454 printk(KERN_WARNING 4455 "SELinux: failure in selinux_skb_peerlbl_sid()," 4456 " unable to determine packet's peer label\n"); 4457 return -EACCES; 4458 } 4459 4460 return 0; 4461 } 4462 4463 /** 4464 * selinux_conn_sid - Determine the child socket label for a connection 4465 * @sk_sid: the parent socket's SID 4466 * @skb_sid: the packet's SID 4467 * @conn_sid: the resulting connection SID 4468 * 4469 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4470 * combined with the MLS information from @skb_sid in order to create 4471 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy 4472 * of @sk_sid. Returns zero on success, negative values on failure. 4473 * 4474 */ 4475 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4476 { 4477 int err = 0; 4478 4479 if (skb_sid != SECSID_NULL) 4480 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid, 4481 conn_sid); 4482 else 4483 *conn_sid = sk_sid; 4484 4485 return err; 4486 } 4487 4488 /* socket security operations */ 4489 4490 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4491 u16 secclass, u32 *socksid) 4492 { 4493 if (tsec->sockcreate_sid > SECSID_NULL) { 4494 *socksid = tsec->sockcreate_sid; 4495 return 0; 4496 } 4497 4498 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid, 4499 secclass, NULL, socksid); 4500 } 4501 4502 static int sock_has_perm(struct sock *sk, u32 perms) 4503 { 4504 struct sk_security_struct *sksec = sk->sk_security; 4505 struct common_audit_data ad; 4506 struct lsm_network_audit net = {0,}; 4507 4508 if (sksec->sid == SECINITSID_KERNEL) 4509 return 0; 4510 4511 ad.type = LSM_AUDIT_DATA_NET; 4512 ad.u.net = &net; 4513 ad.u.net->sk = sk; 4514 4515 return avc_has_perm(&selinux_state, 4516 current_sid(), sksec->sid, sksec->sclass, perms, 4517 &ad); 4518 } 4519 4520 static int selinux_socket_create(int family, int type, 4521 int protocol, int kern) 4522 { 4523 const struct task_security_struct *tsec = current_security(); 4524 u32 newsid; 4525 u16 secclass; 4526 int rc; 4527 4528 if (kern) 4529 return 0; 4530 4531 secclass = socket_type_to_security_class(family, type, protocol); 4532 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4533 if (rc) 4534 return rc; 4535 4536 return avc_has_perm(&selinux_state, 4537 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4538 } 4539 4540 static int selinux_socket_post_create(struct socket *sock, int family, 4541 int type, int protocol, int kern) 4542 { 4543 const struct task_security_struct *tsec = current_security(); 4544 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4545 struct sk_security_struct *sksec; 4546 u16 sclass = socket_type_to_security_class(family, type, protocol); 4547 u32 sid = SECINITSID_KERNEL; 4548 int err = 0; 4549 4550 if (!kern) { 4551 err = socket_sockcreate_sid(tsec, sclass, &sid); 4552 if (err) 4553 return err; 4554 } 4555 4556 isec->sclass = sclass; 4557 isec->sid = sid; 4558 isec->initialized = LABEL_INITIALIZED; 4559 4560 if (sock->sk) { 4561 sksec = sock->sk->sk_security; 4562 sksec->sclass = sclass; 4563 sksec->sid = sid; 4564 /* Allows detection of the first association on this socket */ 4565 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4566 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4567 4568 err = selinux_netlbl_socket_post_create(sock->sk, family); 4569 } 4570 4571 return err; 4572 } 4573 4574 /* Range of port numbers used to automatically bind. 4575 Need to determine whether we should perform a name_bind 4576 permission check between the socket and the port number. */ 4577 4578 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4579 { 4580 struct sock *sk = sock->sk; 4581 struct sk_security_struct *sksec = sk->sk_security; 4582 u16 family; 4583 int err; 4584 4585 err = sock_has_perm(sk, SOCKET__BIND); 4586 if (err) 4587 goto out; 4588 4589 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4590 family = sk->sk_family; 4591 if (family == PF_INET || family == PF_INET6) { 4592 char *addrp; 4593 struct common_audit_data ad; 4594 struct lsm_network_audit net = {0,}; 4595 struct sockaddr_in *addr4 = NULL; 4596 struct sockaddr_in6 *addr6 = NULL; 4597 u16 family_sa = address->sa_family; 4598 unsigned short snum; 4599 u32 sid, node_perm; 4600 4601 /* 4602 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4603 * that validates multiple binding addresses. Because of this 4604 * need to check address->sa_family as it is possible to have 4605 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4606 */ 4607 switch (family_sa) { 4608 case AF_UNSPEC: 4609 case AF_INET: 4610 if (addrlen < sizeof(struct sockaddr_in)) 4611 return -EINVAL; 4612 addr4 = (struct sockaddr_in *)address; 4613 if (family_sa == AF_UNSPEC) { 4614 /* see __inet_bind(), we only want to allow 4615 * AF_UNSPEC if the address is INADDR_ANY 4616 */ 4617 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4618 goto err_af; 4619 family_sa = AF_INET; 4620 } 4621 snum = ntohs(addr4->sin_port); 4622 addrp = (char *)&addr4->sin_addr.s_addr; 4623 break; 4624 case AF_INET6: 4625 if (addrlen < SIN6_LEN_RFC2133) 4626 return -EINVAL; 4627 addr6 = (struct sockaddr_in6 *)address; 4628 snum = ntohs(addr6->sin6_port); 4629 addrp = (char *)&addr6->sin6_addr.s6_addr; 4630 break; 4631 default: 4632 goto err_af; 4633 } 4634 4635 ad.type = LSM_AUDIT_DATA_NET; 4636 ad.u.net = &net; 4637 ad.u.net->sport = htons(snum); 4638 ad.u.net->family = family_sa; 4639 4640 if (snum) { 4641 int low, high; 4642 4643 inet_get_local_port_range(sock_net(sk), &low, &high); 4644 4645 if (snum < max(inet_prot_sock(sock_net(sk)), low) || 4646 snum > high) { 4647 err = sel_netport_sid(sk->sk_protocol, 4648 snum, &sid); 4649 if (err) 4650 goto out; 4651 err = avc_has_perm(&selinux_state, 4652 sksec->sid, sid, 4653 sksec->sclass, 4654 SOCKET__NAME_BIND, &ad); 4655 if (err) 4656 goto out; 4657 } 4658 } 4659 4660 switch (sksec->sclass) { 4661 case SECCLASS_TCP_SOCKET: 4662 node_perm = TCP_SOCKET__NODE_BIND; 4663 break; 4664 4665 case SECCLASS_UDP_SOCKET: 4666 node_perm = UDP_SOCKET__NODE_BIND; 4667 break; 4668 4669 case SECCLASS_DCCP_SOCKET: 4670 node_perm = DCCP_SOCKET__NODE_BIND; 4671 break; 4672 4673 case SECCLASS_SCTP_SOCKET: 4674 node_perm = SCTP_SOCKET__NODE_BIND; 4675 break; 4676 4677 default: 4678 node_perm = RAWIP_SOCKET__NODE_BIND; 4679 break; 4680 } 4681 4682 err = sel_netnode_sid(addrp, family_sa, &sid); 4683 if (err) 4684 goto out; 4685 4686 if (family_sa == AF_INET) 4687 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4688 else 4689 ad.u.net->v6info.saddr = addr6->sin6_addr; 4690 4691 err = avc_has_perm(&selinux_state, 4692 sksec->sid, sid, 4693 sksec->sclass, node_perm, &ad); 4694 if (err) 4695 goto out; 4696 } 4697 out: 4698 return err; 4699 err_af: 4700 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4701 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4702 return -EINVAL; 4703 return -EAFNOSUPPORT; 4704 } 4705 4706 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 4707 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.txt 4708 */ 4709 static int selinux_socket_connect_helper(struct socket *sock, 4710 struct sockaddr *address, int addrlen) 4711 { 4712 struct sock *sk = sock->sk; 4713 struct sk_security_struct *sksec = sk->sk_security; 4714 int err; 4715 4716 err = sock_has_perm(sk, SOCKET__CONNECT); 4717 if (err) 4718 return err; 4719 4720 /* 4721 * If a TCP, DCCP or SCTP socket, check name_connect permission 4722 * for the port. 4723 */ 4724 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4725 sksec->sclass == SECCLASS_DCCP_SOCKET || 4726 sksec->sclass == SECCLASS_SCTP_SOCKET) { 4727 struct common_audit_data ad; 4728 struct lsm_network_audit net = {0,}; 4729 struct sockaddr_in *addr4 = NULL; 4730 struct sockaddr_in6 *addr6 = NULL; 4731 unsigned short snum; 4732 u32 sid, perm; 4733 4734 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 4735 * that validates multiple connect addresses. Because of this 4736 * need to check address->sa_family as it is possible to have 4737 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4738 */ 4739 switch (address->sa_family) { 4740 case AF_INET: 4741 addr4 = (struct sockaddr_in *)address; 4742 if (addrlen < sizeof(struct sockaddr_in)) 4743 return -EINVAL; 4744 snum = ntohs(addr4->sin_port); 4745 break; 4746 case AF_INET6: 4747 addr6 = (struct sockaddr_in6 *)address; 4748 if (addrlen < SIN6_LEN_RFC2133) 4749 return -EINVAL; 4750 snum = ntohs(addr6->sin6_port); 4751 break; 4752 default: 4753 /* Note that SCTP services expect -EINVAL, whereas 4754 * others expect -EAFNOSUPPORT. 4755 */ 4756 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4757 return -EINVAL; 4758 else 4759 return -EAFNOSUPPORT; 4760 } 4761 4762 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4763 if (err) 4764 return err; 4765 4766 switch (sksec->sclass) { 4767 case SECCLASS_TCP_SOCKET: 4768 perm = TCP_SOCKET__NAME_CONNECT; 4769 break; 4770 case SECCLASS_DCCP_SOCKET: 4771 perm = DCCP_SOCKET__NAME_CONNECT; 4772 break; 4773 case SECCLASS_SCTP_SOCKET: 4774 perm = SCTP_SOCKET__NAME_CONNECT; 4775 break; 4776 } 4777 4778 ad.type = LSM_AUDIT_DATA_NET; 4779 ad.u.net = &net; 4780 ad.u.net->dport = htons(snum); 4781 ad.u.net->family = address->sa_family; 4782 err = avc_has_perm(&selinux_state, 4783 sksec->sid, sid, sksec->sclass, perm, &ad); 4784 if (err) 4785 return err; 4786 } 4787 4788 return 0; 4789 } 4790 4791 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 4792 static int selinux_socket_connect(struct socket *sock, 4793 struct sockaddr *address, int addrlen) 4794 { 4795 int err; 4796 struct sock *sk = sock->sk; 4797 4798 err = selinux_socket_connect_helper(sock, address, addrlen); 4799 if (err) 4800 return err; 4801 4802 return selinux_netlbl_socket_connect(sk, address); 4803 } 4804 4805 static int selinux_socket_listen(struct socket *sock, int backlog) 4806 { 4807 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4808 } 4809 4810 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4811 { 4812 int err; 4813 struct inode_security_struct *isec; 4814 struct inode_security_struct *newisec; 4815 u16 sclass; 4816 u32 sid; 4817 4818 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4819 if (err) 4820 return err; 4821 4822 isec = inode_security_novalidate(SOCK_INODE(sock)); 4823 spin_lock(&isec->lock); 4824 sclass = isec->sclass; 4825 sid = isec->sid; 4826 spin_unlock(&isec->lock); 4827 4828 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4829 newisec->sclass = sclass; 4830 newisec->sid = sid; 4831 newisec->initialized = LABEL_INITIALIZED; 4832 4833 return 0; 4834 } 4835 4836 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4837 int size) 4838 { 4839 return sock_has_perm(sock->sk, SOCKET__WRITE); 4840 } 4841 4842 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4843 int size, int flags) 4844 { 4845 return sock_has_perm(sock->sk, SOCKET__READ); 4846 } 4847 4848 static int selinux_socket_getsockname(struct socket *sock) 4849 { 4850 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4851 } 4852 4853 static int selinux_socket_getpeername(struct socket *sock) 4854 { 4855 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4856 } 4857 4858 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4859 { 4860 int err; 4861 4862 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 4863 if (err) 4864 return err; 4865 4866 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4867 } 4868 4869 static int selinux_socket_getsockopt(struct socket *sock, int level, 4870 int optname) 4871 { 4872 return sock_has_perm(sock->sk, SOCKET__GETOPT); 4873 } 4874 4875 static int selinux_socket_shutdown(struct socket *sock, int how) 4876 { 4877 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 4878 } 4879 4880 static int selinux_socket_unix_stream_connect(struct sock *sock, 4881 struct sock *other, 4882 struct sock *newsk) 4883 { 4884 struct sk_security_struct *sksec_sock = sock->sk_security; 4885 struct sk_security_struct *sksec_other = other->sk_security; 4886 struct sk_security_struct *sksec_new = newsk->sk_security; 4887 struct common_audit_data ad; 4888 struct lsm_network_audit net = {0,}; 4889 int err; 4890 4891 ad.type = LSM_AUDIT_DATA_NET; 4892 ad.u.net = &net; 4893 ad.u.net->sk = other; 4894 4895 err = avc_has_perm(&selinux_state, 4896 sksec_sock->sid, sksec_other->sid, 4897 sksec_other->sclass, 4898 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4899 if (err) 4900 return err; 4901 4902 /* server child socket */ 4903 sksec_new->peer_sid = sksec_sock->sid; 4904 err = security_sid_mls_copy(&selinux_state, sksec_other->sid, 4905 sksec_sock->sid, &sksec_new->sid); 4906 if (err) 4907 return err; 4908 4909 /* connecting socket */ 4910 sksec_sock->peer_sid = sksec_new->sid; 4911 4912 return 0; 4913 } 4914 4915 static int selinux_socket_unix_may_send(struct socket *sock, 4916 struct socket *other) 4917 { 4918 struct sk_security_struct *ssec = sock->sk->sk_security; 4919 struct sk_security_struct *osec = other->sk->sk_security; 4920 struct common_audit_data ad; 4921 struct lsm_network_audit net = {0,}; 4922 4923 ad.type = LSM_AUDIT_DATA_NET; 4924 ad.u.net = &net; 4925 ad.u.net->sk = other->sk; 4926 4927 return avc_has_perm(&selinux_state, 4928 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4929 &ad); 4930 } 4931 4932 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4933 char *addrp, u16 family, u32 peer_sid, 4934 struct common_audit_data *ad) 4935 { 4936 int err; 4937 u32 if_sid; 4938 u32 node_sid; 4939 4940 err = sel_netif_sid(ns, ifindex, &if_sid); 4941 if (err) 4942 return err; 4943 err = avc_has_perm(&selinux_state, 4944 peer_sid, if_sid, 4945 SECCLASS_NETIF, NETIF__INGRESS, ad); 4946 if (err) 4947 return err; 4948 4949 err = sel_netnode_sid(addrp, family, &node_sid); 4950 if (err) 4951 return err; 4952 return avc_has_perm(&selinux_state, 4953 peer_sid, node_sid, 4954 SECCLASS_NODE, NODE__RECVFROM, ad); 4955 } 4956 4957 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4958 u16 family) 4959 { 4960 int err = 0; 4961 struct sk_security_struct *sksec = sk->sk_security; 4962 u32 sk_sid = sksec->sid; 4963 struct common_audit_data ad; 4964 struct lsm_network_audit net = {0,}; 4965 char *addrp; 4966 4967 ad.type = LSM_AUDIT_DATA_NET; 4968 ad.u.net = &net; 4969 ad.u.net->netif = skb->skb_iif; 4970 ad.u.net->family = family; 4971 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4972 if (err) 4973 return err; 4974 4975 if (selinux_secmark_enabled()) { 4976 err = avc_has_perm(&selinux_state, 4977 sk_sid, skb->secmark, SECCLASS_PACKET, 4978 PACKET__RECV, &ad); 4979 if (err) 4980 return err; 4981 } 4982 4983 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4984 if (err) 4985 return err; 4986 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4987 4988 return err; 4989 } 4990 4991 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4992 { 4993 int err; 4994 struct sk_security_struct *sksec = sk->sk_security; 4995 u16 family = sk->sk_family; 4996 u32 sk_sid = sksec->sid; 4997 struct common_audit_data ad; 4998 struct lsm_network_audit net = {0,}; 4999 char *addrp; 5000 u8 secmark_active; 5001 u8 peerlbl_active; 5002 5003 if (family != PF_INET && family != PF_INET6) 5004 return 0; 5005 5006 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5007 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5008 family = PF_INET; 5009 5010 /* If any sort of compatibility mode is enabled then handoff processing 5011 * to the selinux_sock_rcv_skb_compat() function to deal with the 5012 * special handling. We do this in an attempt to keep this function 5013 * as fast and as clean as possible. */ 5014 if (!selinux_policycap_netpeer()) 5015 return selinux_sock_rcv_skb_compat(sk, skb, family); 5016 5017 secmark_active = selinux_secmark_enabled(); 5018 peerlbl_active = selinux_peerlbl_enabled(); 5019 if (!secmark_active && !peerlbl_active) 5020 return 0; 5021 5022 ad.type = LSM_AUDIT_DATA_NET; 5023 ad.u.net = &net; 5024 ad.u.net->netif = skb->skb_iif; 5025 ad.u.net->family = family; 5026 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5027 if (err) 5028 return err; 5029 5030 if (peerlbl_active) { 5031 u32 peer_sid; 5032 5033 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5034 if (err) 5035 return err; 5036 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5037 addrp, family, peer_sid, &ad); 5038 if (err) { 5039 selinux_netlbl_err(skb, family, err, 0); 5040 return err; 5041 } 5042 err = avc_has_perm(&selinux_state, 5043 sk_sid, peer_sid, SECCLASS_PEER, 5044 PEER__RECV, &ad); 5045 if (err) { 5046 selinux_netlbl_err(skb, family, err, 0); 5047 return err; 5048 } 5049 } 5050 5051 if (secmark_active) { 5052 err = avc_has_perm(&selinux_state, 5053 sk_sid, skb->secmark, SECCLASS_PACKET, 5054 PACKET__RECV, &ad); 5055 if (err) 5056 return err; 5057 } 5058 5059 return err; 5060 } 5061 5062 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 5063 int __user *optlen, unsigned len) 5064 { 5065 int err = 0; 5066 char *scontext; 5067 u32 scontext_len; 5068 struct sk_security_struct *sksec = sock->sk->sk_security; 5069 u32 peer_sid = SECSID_NULL; 5070 5071 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5072 sksec->sclass == SECCLASS_TCP_SOCKET || 5073 sksec->sclass == SECCLASS_SCTP_SOCKET) 5074 peer_sid = sksec->peer_sid; 5075 if (peer_sid == SECSID_NULL) 5076 return -ENOPROTOOPT; 5077 5078 err = security_sid_to_context(&selinux_state, peer_sid, &scontext, 5079 &scontext_len); 5080 if (err) 5081 return err; 5082 5083 if (scontext_len > len) { 5084 err = -ERANGE; 5085 goto out_len; 5086 } 5087 5088 if (copy_to_user(optval, scontext, scontext_len)) 5089 err = -EFAULT; 5090 5091 out_len: 5092 if (put_user(scontext_len, optlen)) 5093 err = -EFAULT; 5094 kfree(scontext); 5095 return err; 5096 } 5097 5098 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 5099 { 5100 u32 peer_secid = SECSID_NULL; 5101 u16 family; 5102 struct inode_security_struct *isec; 5103 5104 if (skb && skb->protocol == htons(ETH_P_IP)) 5105 family = PF_INET; 5106 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5107 family = PF_INET6; 5108 else if (sock) 5109 family = sock->sk->sk_family; 5110 else 5111 goto out; 5112 5113 if (sock && family == PF_UNIX) { 5114 isec = inode_security_novalidate(SOCK_INODE(sock)); 5115 peer_secid = isec->sid; 5116 } else if (skb) 5117 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5118 5119 out: 5120 *secid = peer_secid; 5121 if (peer_secid == SECSID_NULL) 5122 return -EINVAL; 5123 return 0; 5124 } 5125 5126 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5127 { 5128 struct sk_security_struct *sksec; 5129 5130 sksec = kzalloc(sizeof(*sksec), priority); 5131 if (!sksec) 5132 return -ENOMEM; 5133 5134 sksec->peer_sid = SECINITSID_UNLABELED; 5135 sksec->sid = SECINITSID_UNLABELED; 5136 sksec->sclass = SECCLASS_SOCKET; 5137 selinux_netlbl_sk_security_reset(sksec); 5138 sk->sk_security = sksec; 5139 5140 return 0; 5141 } 5142 5143 static void selinux_sk_free_security(struct sock *sk) 5144 { 5145 struct sk_security_struct *sksec = sk->sk_security; 5146 5147 sk->sk_security = NULL; 5148 selinux_netlbl_sk_security_free(sksec); 5149 kfree(sksec); 5150 } 5151 5152 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5153 { 5154 struct sk_security_struct *sksec = sk->sk_security; 5155 struct sk_security_struct *newsksec = newsk->sk_security; 5156 5157 newsksec->sid = sksec->sid; 5158 newsksec->peer_sid = sksec->peer_sid; 5159 newsksec->sclass = sksec->sclass; 5160 5161 selinux_netlbl_sk_security_reset(newsksec); 5162 } 5163 5164 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 5165 { 5166 if (!sk) 5167 *secid = SECINITSID_ANY_SOCKET; 5168 else { 5169 struct sk_security_struct *sksec = sk->sk_security; 5170 5171 *secid = sksec->sid; 5172 } 5173 } 5174 5175 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5176 { 5177 struct inode_security_struct *isec = 5178 inode_security_novalidate(SOCK_INODE(parent)); 5179 struct sk_security_struct *sksec = sk->sk_security; 5180 5181 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5182 sk->sk_family == PF_UNIX) 5183 isec->sid = sksec->sid; 5184 sksec->sclass = isec->sclass; 5185 } 5186 5187 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming 5188 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association 5189 * already present). 5190 */ 5191 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep, 5192 struct sk_buff *skb) 5193 { 5194 struct sk_security_struct *sksec = ep->base.sk->sk_security; 5195 struct common_audit_data ad; 5196 struct lsm_network_audit net = {0,}; 5197 u8 peerlbl_active; 5198 u32 peer_sid = SECINITSID_UNLABELED; 5199 u32 conn_sid; 5200 int err = 0; 5201 5202 if (!selinux_policycap_extsockclass()) 5203 return 0; 5204 5205 peerlbl_active = selinux_peerlbl_enabled(); 5206 5207 if (peerlbl_active) { 5208 /* This will return peer_sid = SECSID_NULL if there are 5209 * no peer labels, see security_net_peersid_resolve(). 5210 */ 5211 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family, 5212 &peer_sid); 5213 if (err) 5214 return err; 5215 5216 if (peer_sid == SECSID_NULL) 5217 peer_sid = SECINITSID_UNLABELED; 5218 } 5219 5220 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5221 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5222 5223 /* Here as first association on socket. As the peer SID 5224 * was allowed by peer recv (and the netif/node checks), 5225 * then it is approved by policy and used as the primary 5226 * peer SID for getpeercon(3). 5227 */ 5228 sksec->peer_sid = peer_sid; 5229 } else if (sksec->peer_sid != peer_sid) { 5230 /* Other association peer SIDs are checked to enforce 5231 * consistency among the peer SIDs. 5232 */ 5233 ad.type = LSM_AUDIT_DATA_NET; 5234 ad.u.net = &net; 5235 ad.u.net->sk = ep->base.sk; 5236 err = avc_has_perm(&selinux_state, 5237 sksec->peer_sid, peer_sid, sksec->sclass, 5238 SCTP_SOCKET__ASSOCIATION, &ad); 5239 if (err) 5240 return err; 5241 } 5242 5243 /* Compute the MLS component for the connection and store 5244 * the information in ep. This will be used by SCTP TCP type 5245 * sockets and peeled off connections as they cause a new 5246 * socket to be generated. selinux_sctp_sk_clone() will then 5247 * plug this into the new socket. 5248 */ 5249 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid); 5250 if (err) 5251 return err; 5252 5253 ep->secid = conn_sid; 5254 ep->peer_secid = peer_sid; 5255 5256 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5257 return selinux_netlbl_sctp_assoc_request(ep, skb); 5258 } 5259 5260 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5261 * based on their @optname. 5262 */ 5263 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5264 struct sockaddr *address, 5265 int addrlen) 5266 { 5267 int len, err = 0, walk_size = 0; 5268 void *addr_buf; 5269 struct sockaddr *addr; 5270 struct socket *sock; 5271 5272 if (!selinux_policycap_extsockclass()) 5273 return 0; 5274 5275 /* Process one or more addresses that may be IPv4 or IPv6 */ 5276 sock = sk->sk_socket; 5277 addr_buf = address; 5278 5279 while (walk_size < addrlen) { 5280 addr = addr_buf; 5281 switch (addr->sa_family) { 5282 case AF_UNSPEC: 5283 case AF_INET: 5284 len = sizeof(struct sockaddr_in); 5285 break; 5286 case AF_INET6: 5287 len = sizeof(struct sockaddr_in6); 5288 break; 5289 default: 5290 return -EINVAL; 5291 } 5292 5293 err = -EINVAL; 5294 switch (optname) { 5295 /* Bind checks */ 5296 case SCTP_PRIMARY_ADDR: 5297 case SCTP_SET_PEER_PRIMARY_ADDR: 5298 case SCTP_SOCKOPT_BINDX_ADD: 5299 err = selinux_socket_bind(sock, addr, len); 5300 break; 5301 /* Connect checks */ 5302 case SCTP_SOCKOPT_CONNECTX: 5303 case SCTP_PARAM_SET_PRIMARY: 5304 case SCTP_PARAM_ADD_IP: 5305 case SCTP_SENDMSG_CONNECT: 5306 err = selinux_socket_connect_helper(sock, addr, len); 5307 if (err) 5308 return err; 5309 5310 /* As selinux_sctp_bind_connect() is called by the 5311 * SCTP protocol layer, the socket is already locked, 5312 * therefore selinux_netlbl_socket_connect_locked() is 5313 * is called here. The situations handled are: 5314 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5315 * whenever a new IP address is added or when a new 5316 * primary address is selected. 5317 * Note that an SCTP connect(2) call happens before 5318 * the SCTP protocol layer and is handled via 5319 * selinux_socket_connect(). 5320 */ 5321 err = selinux_netlbl_socket_connect_locked(sk, addr); 5322 break; 5323 } 5324 5325 if (err) 5326 return err; 5327 5328 addr_buf += len; 5329 walk_size += len; 5330 } 5331 5332 return 0; 5333 } 5334 5335 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5336 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, 5337 struct sock *newsk) 5338 { 5339 struct sk_security_struct *sksec = sk->sk_security; 5340 struct sk_security_struct *newsksec = newsk->sk_security; 5341 5342 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5343 * the non-sctp clone version. 5344 */ 5345 if (!selinux_policycap_extsockclass()) 5346 return selinux_sk_clone_security(sk, newsk); 5347 5348 newsksec->sid = ep->secid; 5349 newsksec->peer_sid = ep->peer_secid; 5350 newsksec->sclass = sksec->sclass; 5351 selinux_netlbl_sctp_sk_clone(sk, newsk); 5352 } 5353 5354 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 5355 struct request_sock *req) 5356 { 5357 struct sk_security_struct *sksec = sk->sk_security; 5358 int err; 5359 u16 family = req->rsk_ops->family; 5360 u32 connsid; 5361 u32 peersid; 5362 5363 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5364 if (err) 5365 return err; 5366 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5367 if (err) 5368 return err; 5369 req->secid = connsid; 5370 req->peer_secid = peersid; 5371 5372 return selinux_netlbl_inet_conn_request(req, family); 5373 } 5374 5375 static void selinux_inet_csk_clone(struct sock *newsk, 5376 const struct request_sock *req) 5377 { 5378 struct sk_security_struct *newsksec = newsk->sk_security; 5379 5380 newsksec->sid = req->secid; 5381 newsksec->peer_sid = req->peer_secid; 5382 /* NOTE: Ideally, we should also get the isec->sid for the 5383 new socket in sync, but we don't have the isec available yet. 5384 So we will wait until sock_graft to do it, by which 5385 time it will have been created and available. */ 5386 5387 /* We don't need to take any sort of lock here as we are the only 5388 * thread with access to newsksec */ 5389 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5390 } 5391 5392 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5393 { 5394 u16 family = sk->sk_family; 5395 struct sk_security_struct *sksec = sk->sk_security; 5396 5397 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5398 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5399 family = PF_INET; 5400 5401 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5402 } 5403 5404 static int selinux_secmark_relabel_packet(u32 sid) 5405 { 5406 const struct task_security_struct *__tsec; 5407 u32 tsid; 5408 5409 __tsec = current_security(); 5410 tsid = __tsec->sid; 5411 5412 return avc_has_perm(&selinux_state, 5413 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, 5414 NULL); 5415 } 5416 5417 static void selinux_secmark_refcount_inc(void) 5418 { 5419 atomic_inc(&selinux_secmark_refcount); 5420 } 5421 5422 static void selinux_secmark_refcount_dec(void) 5423 { 5424 atomic_dec(&selinux_secmark_refcount); 5425 } 5426 5427 static void selinux_req_classify_flow(const struct request_sock *req, 5428 struct flowi *fl) 5429 { 5430 fl->flowi_secid = req->secid; 5431 } 5432 5433 static int selinux_tun_dev_alloc_security(void **security) 5434 { 5435 struct tun_security_struct *tunsec; 5436 5437 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5438 if (!tunsec) 5439 return -ENOMEM; 5440 tunsec->sid = current_sid(); 5441 5442 *security = tunsec; 5443 return 0; 5444 } 5445 5446 static void selinux_tun_dev_free_security(void *security) 5447 { 5448 kfree(security); 5449 } 5450 5451 static int selinux_tun_dev_create(void) 5452 { 5453 u32 sid = current_sid(); 5454 5455 /* we aren't taking into account the "sockcreate" SID since the socket 5456 * that is being created here is not a socket in the traditional sense, 5457 * instead it is a private sock, accessible only to the kernel, and 5458 * representing a wide range of network traffic spanning multiple 5459 * connections unlike traditional sockets - check the TUN driver to 5460 * get a better understanding of why this socket is special */ 5461 5462 return avc_has_perm(&selinux_state, 5463 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5464 NULL); 5465 } 5466 5467 static int selinux_tun_dev_attach_queue(void *security) 5468 { 5469 struct tun_security_struct *tunsec = security; 5470 5471 return avc_has_perm(&selinux_state, 5472 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5473 TUN_SOCKET__ATTACH_QUEUE, NULL); 5474 } 5475 5476 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5477 { 5478 struct tun_security_struct *tunsec = security; 5479 struct sk_security_struct *sksec = sk->sk_security; 5480 5481 /* we don't currently perform any NetLabel based labeling here and it 5482 * isn't clear that we would want to do so anyway; while we could apply 5483 * labeling without the support of the TUN user the resulting labeled 5484 * traffic from the other end of the connection would almost certainly 5485 * cause confusion to the TUN user that had no idea network labeling 5486 * protocols were being used */ 5487 5488 sksec->sid = tunsec->sid; 5489 sksec->sclass = SECCLASS_TUN_SOCKET; 5490 5491 return 0; 5492 } 5493 5494 static int selinux_tun_dev_open(void *security) 5495 { 5496 struct tun_security_struct *tunsec = security; 5497 u32 sid = current_sid(); 5498 int err; 5499 5500 err = avc_has_perm(&selinux_state, 5501 sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5502 TUN_SOCKET__RELABELFROM, NULL); 5503 if (err) 5504 return err; 5505 err = avc_has_perm(&selinux_state, 5506 sid, sid, SECCLASS_TUN_SOCKET, 5507 TUN_SOCKET__RELABELTO, NULL); 5508 if (err) 5509 return err; 5510 tunsec->sid = sid; 5511 5512 return 0; 5513 } 5514 5515 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 5516 { 5517 int err = 0; 5518 u32 perm; 5519 struct nlmsghdr *nlh; 5520 struct sk_security_struct *sksec = sk->sk_security; 5521 5522 if (skb->len < NLMSG_HDRLEN) { 5523 err = -EINVAL; 5524 goto out; 5525 } 5526 nlh = nlmsg_hdr(skb); 5527 5528 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 5529 if (err) { 5530 if (err == -EINVAL) { 5531 pr_warn_ratelimited("SELinux: unrecognized netlink" 5532 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 5533 " pig=%d comm=%s\n", 5534 sk->sk_protocol, nlh->nlmsg_type, 5535 secclass_map[sksec->sclass - 1].name, 5536 task_pid_nr(current), current->comm); 5537 if (!enforcing_enabled(&selinux_state) || 5538 security_get_allow_unknown(&selinux_state)) 5539 err = 0; 5540 } 5541 5542 /* Ignore */ 5543 if (err == -ENOENT) 5544 err = 0; 5545 goto out; 5546 } 5547 5548 err = sock_has_perm(sk, perm); 5549 out: 5550 return err; 5551 } 5552 5553 #ifdef CONFIG_NETFILTER 5554 5555 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5556 const struct net_device *indev, 5557 u16 family) 5558 { 5559 int err; 5560 char *addrp; 5561 u32 peer_sid; 5562 struct common_audit_data ad; 5563 struct lsm_network_audit net = {0,}; 5564 u8 secmark_active; 5565 u8 netlbl_active; 5566 u8 peerlbl_active; 5567 5568 if (!selinux_policycap_netpeer()) 5569 return NF_ACCEPT; 5570 5571 secmark_active = selinux_secmark_enabled(); 5572 netlbl_active = netlbl_enabled(); 5573 peerlbl_active = selinux_peerlbl_enabled(); 5574 if (!secmark_active && !peerlbl_active) 5575 return NF_ACCEPT; 5576 5577 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5578 return NF_DROP; 5579 5580 ad.type = LSM_AUDIT_DATA_NET; 5581 ad.u.net = &net; 5582 ad.u.net->netif = indev->ifindex; 5583 ad.u.net->family = family; 5584 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5585 return NF_DROP; 5586 5587 if (peerlbl_active) { 5588 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5589 addrp, family, peer_sid, &ad); 5590 if (err) { 5591 selinux_netlbl_err(skb, family, err, 1); 5592 return NF_DROP; 5593 } 5594 } 5595 5596 if (secmark_active) 5597 if (avc_has_perm(&selinux_state, 5598 peer_sid, skb->secmark, 5599 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5600 return NF_DROP; 5601 5602 if (netlbl_active) 5603 /* we do this in the FORWARD path and not the POST_ROUTING 5604 * path because we want to make sure we apply the necessary 5605 * labeling before IPsec is applied so we can leverage AH 5606 * protection */ 5607 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5608 return NF_DROP; 5609 5610 return NF_ACCEPT; 5611 } 5612 5613 static unsigned int selinux_ipv4_forward(void *priv, 5614 struct sk_buff *skb, 5615 const struct nf_hook_state *state) 5616 { 5617 return selinux_ip_forward(skb, state->in, PF_INET); 5618 } 5619 5620 #if IS_ENABLED(CONFIG_IPV6) 5621 static unsigned int selinux_ipv6_forward(void *priv, 5622 struct sk_buff *skb, 5623 const struct nf_hook_state *state) 5624 { 5625 return selinux_ip_forward(skb, state->in, PF_INET6); 5626 } 5627 #endif /* IPV6 */ 5628 5629 static unsigned int selinux_ip_output(struct sk_buff *skb, 5630 u16 family) 5631 { 5632 struct sock *sk; 5633 u32 sid; 5634 5635 if (!netlbl_enabled()) 5636 return NF_ACCEPT; 5637 5638 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5639 * because we want to make sure we apply the necessary labeling 5640 * before IPsec is applied so we can leverage AH protection */ 5641 sk = skb->sk; 5642 if (sk) { 5643 struct sk_security_struct *sksec; 5644 5645 if (sk_listener(sk)) 5646 /* if the socket is the listening state then this 5647 * packet is a SYN-ACK packet which means it needs to 5648 * be labeled based on the connection/request_sock and 5649 * not the parent socket. unfortunately, we can't 5650 * lookup the request_sock yet as it isn't queued on 5651 * the parent socket until after the SYN-ACK is sent. 5652 * the "solution" is to simply pass the packet as-is 5653 * as any IP option based labeling should be copied 5654 * from the initial connection request (in the IP 5655 * layer). it is far from ideal, but until we get a 5656 * security label in the packet itself this is the 5657 * best we can do. */ 5658 return NF_ACCEPT; 5659 5660 /* standard practice, label using the parent socket */ 5661 sksec = sk->sk_security; 5662 sid = sksec->sid; 5663 } else 5664 sid = SECINITSID_KERNEL; 5665 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5666 return NF_DROP; 5667 5668 return NF_ACCEPT; 5669 } 5670 5671 static unsigned int selinux_ipv4_output(void *priv, 5672 struct sk_buff *skb, 5673 const struct nf_hook_state *state) 5674 { 5675 return selinux_ip_output(skb, PF_INET); 5676 } 5677 5678 #if IS_ENABLED(CONFIG_IPV6) 5679 static unsigned int selinux_ipv6_output(void *priv, 5680 struct sk_buff *skb, 5681 const struct nf_hook_state *state) 5682 { 5683 return selinux_ip_output(skb, PF_INET6); 5684 } 5685 #endif /* IPV6 */ 5686 5687 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5688 int ifindex, 5689 u16 family) 5690 { 5691 struct sock *sk = skb_to_full_sk(skb); 5692 struct sk_security_struct *sksec; 5693 struct common_audit_data ad; 5694 struct lsm_network_audit net = {0,}; 5695 char *addrp; 5696 u8 proto; 5697 5698 if (sk == NULL) 5699 return NF_ACCEPT; 5700 sksec = sk->sk_security; 5701 5702 ad.type = LSM_AUDIT_DATA_NET; 5703 ad.u.net = &net; 5704 ad.u.net->netif = ifindex; 5705 ad.u.net->family = family; 5706 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5707 return NF_DROP; 5708 5709 if (selinux_secmark_enabled()) 5710 if (avc_has_perm(&selinux_state, 5711 sksec->sid, skb->secmark, 5712 SECCLASS_PACKET, PACKET__SEND, &ad)) 5713 return NF_DROP_ERR(-ECONNREFUSED); 5714 5715 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5716 return NF_DROP_ERR(-ECONNREFUSED); 5717 5718 return NF_ACCEPT; 5719 } 5720 5721 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5722 const struct net_device *outdev, 5723 u16 family) 5724 { 5725 u32 secmark_perm; 5726 u32 peer_sid; 5727 int ifindex = outdev->ifindex; 5728 struct sock *sk; 5729 struct common_audit_data ad; 5730 struct lsm_network_audit net = {0,}; 5731 char *addrp; 5732 u8 secmark_active; 5733 u8 peerlbl_active; 5734 5735 /* If any sort of compatibility mode is enabled then handoff processing 5736 * to the selinux_ip_postroute_compat() function to deal with the 5737 * special handling. We do this in an attempt to keep this function 5738 * as fast and as clean as possible. */ 5739 if (!selinux_policycap_netpeer()) 5740 return selinux_ip_postroute_compat(skb, ifindex, family); 5741 5742 secmark_active = selinux_secmark_enabled(); 5743 peerlbl_active = selinux_peerlbl_enabled(); 5744 if (!secmark_active && !peerlbl_active) 5745 return NF_ACCEPT; 5746 5747 sk = skb_to_full_sk(skb); 5748 5749 #ifdef CONFIG_XFRM 5750 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5751 * packet transformation so allow the packet to pass without any checks 5752 * since we'll have another chance to perform access control checks 5753 * when the packet is on it's final way out. 5754 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5755 * is NULL, in this case go ahead and apply access control. 5756 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5757 * TCP listening state we cannot wait until the XFRM processing 5758 * is done as we will miss out on the SA label if we do; 5759 * unfortunately, this means more work, but it is only once per 5760 * connection. */ 5761 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5762 !(sk && sk_listener(sk))) 5763 return NF_ACCEPT; 5764 #endif 5765 5766 if (sk == NULL) { 5767 /* Without an associated socket the packet is either coming 5768 * from the kernel or it is being forwarded; check the packet 5769 * to determine which and if the packet is being forwarded 5770 * query the packet directly to determine the security label. */ 5771 if (skb->skb_iif) { 5772 secmark_perm = PACKET__FORWARD_OUT; 5773 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5774 return NF_DROP; 5775 } else { 5776 secmark_perm = PACKET__SEND; 5777 peer_sid = SECINITSID_KERNEL; 5778 } 5779 } else if (sk_listener(sk)) { 5780 /* Locally generated packet but the associated socket is in the 5781 * listening state which means this is a SYN-ACK packet. In 5782 * this particular case the correct security label is assigned 5783 * to the connection/request_sock but unfortunately we can't 5784 * query the request_sock as it isn't queued on the parent 5785 * socket until after the SYN-ACK packet is sent; the only 5786 * viable choice is to regenerate the label like we do in 5787 * selinux_inet_conn_request(). See also selinux_ip_output() 5788 * for similar problems. */ 5789 u32 skb_sid; 5790 struct sk_security_struct *sksec; 5791 5792 sksec = sk->sk_security; 5793 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5794 return NF_DROP; 5795 /* At this point, if the returned skb peerlbl is SECSID_NULL 5796 * and the packet has been through at least one XFRM 5797 * transformation then we must be dealing with the "final" 5798 * form of labeled IPsec packet; since we've already applied 5799 * all of our access controls on this packet we can safely 5800 * pass the packet. */ 5801 if (skb_sid == SECSID_NULL) { 5802 switch (family) { 5803 case PF_INET: 5804 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5805 return NF_ACCEPT; 5806 break; 5807 case PF_INET6: 5808 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5809 return NF_ACCEPT; 5810 break; 5811 default: 5812 return NF_DROP_ERR(-ECONNREFUSED); 5813 } 5814 } 5815 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5816 return NF_DROP; 5817 secmark_perm = PACKET__SEND; 5818 } else { 5819 /* Locally generated packet, fetch the security label from the 5820 * associated socket. */ 5821 struct sk_security_struct *sksec = sk->sk_security; 5822 peer_sid = sksec->sid; 5823 secmark_perm = PACKET__SEND; 5824 } 5825 5826 ad.type = LSM_AUDIT_DATA_NET; 5827 ad.u.net = &net; 5828 ad.u.net->netif = ifindex; 5829 ad.u.net->family = family; 5830 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5831 return NF_DROP; 5832 5833 if (secmark_active) 5834 if (avc_has_perm(&selinux_state, 5835 peer_sid, skb->secmark, 5836 SECCLASS_PACKET, secmark_perm, &ad)) 5837 return NF_DROP_ERR(-ECONNREFUSED); 5838 5839 if (peerlbl_active) { 5840 u32 if_sid; 5841 u32 node_sid; 5842 5843 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5844 return NF_DROP; 5845 if (avc_has_perm(&selinux_state, 5846 peer_sid, if_sid, 5847 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5848 return NF_DROP_ERR(-ECONNREFUSED); 5849 5850 if (sel_netnode_sid(addrp, family, &node_sid)) 5851 return NF_DROP; 5852 if (avc_has_perm(&selinux_state, 5853 peer_sid, node_sid, 5854 SECCLASS_NODE, NODE__SENDTO, &ad)) 5855 return NF_DROP_ERR(-ECONNREFUSED); 5856 } 5857 5858 return NF_ACCEPT; 5859 } 5860 5861 static unsigned int selinux_ipv4_postroute(void *priv, 5862 struct sk_buff *skb, 5863 const struct nf_hook_state *state) 5864 { 5865 return selinux_ip_postroute(skb, state->out, PF_INET); 5866 } 5867 5868 #if IS_ENABLED(CONFIG_IPV6) 5869 static unsigned int selinux_ipv6_postroute(void *priv, 5870 struct sk_buff *skb, 5871 const struct nf_hook_state *state) 5872 { 5873 return selinux_ip_postroute(skb, state->out, PF_INET6); 5874 } 5875 #endif /* IPV6 */ 5876 5877 #endif /* CONFIG_NETFILTER */ 5878 5879 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5880 { 5881 return selinux_nlmsg_perm(sk, skb); 5882 } 5883 5884 static int ipc_alloc_security(struct kern_ipc_perm *perm, 5885 u16 sclass) 5886 { 5887 struct ipc_security_struct *isec; 5888 5889 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 5890 if (!isec) 5891 return -ENOMEM; 5892 5893 isec->sclass = sclass; 5894 isec->sid = current_sid(); 5895 perm->security = isec; 5896 5897 return 0; 5898 } 5899 5900 static void ipc_free_security(struct kern_ipc_perm *perm) 5901 { 5902 struct ipc_security_struct *isec = perm->security; 5903 perm->security = NULL; 5904 kfree(isec); 5905 } 5906 5907 static int msg_msg_alloc_security(struct msg_msg *msg) 5908 { 5909 struct msg_security_struct *msec; 5910 5911 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 5912 if (!msec) 5913 return -ENOMEM; 5914 5915 msec->sid = SECINITSID_UNLABELED; 5916 msg->security = msec; 5917 5918 return 0; 5919 } 5920 5921 static void msg_msg_free_security(struct msg_msg *msg) 5922 { 5923 struct msg_security_struct *msec = msg->security; 5924 5925 msg->security = NULL; 5926 kfree(msec); 5927 } 5928 5929 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5930 u32 perms) 5931 { 5932 struct ipc_security_struct *isec; 5933 struct common_audit_data ad; 5934 u32 sid = current_sid(); 5935 5936 isec = ipc_perms->security; 5937 5938 ad.type = LSM_AUDIT_DATA_IPC; 5939 ad.u.ipc_id = ipc_perms->key; 5940 5941 return avc_has_perm(&selinux_state, 5942 sid, isec->sid, isec->sclass, perms, &ad); 5943 } 5944 5945 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5946 { 5947 return msg_msg_alloc_security(msg); 5948 } 5949 5950 static void selinux_msg_msg_free_security(struct msg_msg *msg) 5951 { 5952 msg_msg_free_security(msg); 5953 } 5954 5955 /* message queue security operations */ 5956 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 5957 { 5958 struct ipc_security_struct *isec; 5959 struct common_audit_data ad; 5960 u32 sid = current_sid(); 5961 int rc; 5962 5963 rc = ipc_alloc_security(msq, SECCLASS_MSGQ); 5964 if (rc) 5965 return rc; 5966 5967 isec = msq->security; 5968 5969 ad.type = LSM_AUDIT_DATA_IPC; 5970 ad.u.ipc_id = msq->key; 5971 5972 rc = avc_has_perm(&selinux_state, 5973 sid, isec->sid, SECCLASS_MSGQ, 5974 MSGQ__CREATE, &ad); 5975 if (rc) { 5976 ipc_free_security(msq); 5977 return rc; 5978 } 5979 return 0; 5980 } 5981 5982 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq) 5983 { 5984 ipc_free_security(msq); 5985 } 5986 5987 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 5988 { 5989 struct ipc_security_struct *isec; 5990 struct common_audit_data ad; 5991 u32 sid = current_sid(); 5992 5993 isec = msq->security; 5994 5995 ad.type = LSM_AUDIT_DATA_IPC; 5996 ad.u.ipc_id = msq->key; 5997 5998 return avc_has_perm(&selinux_state, 5999 sid, isec->sid, SECCLASS_MSGQ, 6000 MSGQ__ASSOCIATE, &ad); 6001 } 6002 6003 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 6004 { 6005 int err; 6006 int perms; 6007 6008 switch (cmd) { 6009 case IPC_INFO: 6010 case MSG_INFO: 6011 /* No specific object, just general system-wide information. */ 6012 return avc_has_perm(&selinux_state, 6013 current_sid(), SECINITSID_KERNEL, 6014 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6015 case IPC_STAT: 6016 case MSG_STAT: 6017 case MSG_STAT_ANY: 6018 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6019 break; 6020 case IPC_SET: 6021 perms = MSGQ__SETATTR; 6022 break; 6023 case IPC_RMID: 6024 perms = MSGQ__DESTROY; 6025 break; 6026 default: 6027 return 0; 6028 } 6029 6030 err = ipc_has_perm(msq, perms); 6031 return err; 6032 } 6033 6034 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6035 { 6036 struct ipc_security_struct *isec; 6037 struct msg_security_struct *msec; 6038 struct common_audit_data ad; 6039 u32 sid = current_sid(); 6040 int rc; 6041 6042 isec = msq->security; 6043 msec = msg->security; 6044 6045 /* 6046 * First time through, need to assign label to the message 6047 */ 6048 if (msec->sid == SECINITSID_UNLABELED) { 6049 /* 6050 * Compute new sid based on current process and 6051 * message queue this message will be stored in 6052 */ 6053 rc = security_transition_sid(&selinux_state, sid, isec->sid, 6054 SECCLASS_MSG, NULL, &msec->sid); 6055 if (rc) 6056 return rc; 6057 } 6058 6059 ad.type = LSM_AUDIT_DATA_IPC; 6060 ad.u.ipc_id = msq->key; 6061 6062 /* Can this process write to the queue? */ 6063 rc = avc_has_perm(&selinux_state, 6064 sid, isec->sid, SECCLASS_MSGQ, 6065 MSGQ__WRITE, &ad); 6066 if (!rc) 6067 /* Can this process send the message */ 6068 rc = avc_has_perm(&selinux_state, 6069 sid, msec->sid, SECCLASS_MSG, 6070 MSG__SEND, &ad); 6071 if (!rc) 6072 /* Can the message be put in the queue? */ 6073 rc = avc_has_perm(&selinux_state, 6074 msec->sid, isec->sid, SECCLASS_MSGQ, 6075 MSGQ__ENQUEUE, &ad); 6076 6077 return rc; 6078 } 6079 6080 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6081 struct task_struct *target, 6082 long type, int mode) 6083 { 6084 struct ipc_security_struct *isec; 6085 struct msg_security_struct *msec; 6086 struct common_audit_data ad; 6087 u32 sid = task_sid(target); 6088 int rc; 6089 6090 isec = msq->security; 6091 msec = msg->security; 6092 6093 ad.type = LSM_AUDIT_DATA_IPC; 6094 ad.u.ipc_id = msq->key; 6095 6096 rc = avc_has_perm(&selinux_state, 6097 sid, isec->sid, 6098 SECCLASS_MSGQ, MSGQ__READ, &ad); 6099 if (!rc) 6100 rc = avc_has_perm(&selinux_state, 6101 sid, msec->sid, 6102 SECCLASS_MSG, MSG__RECEIVE, &ad); 6103 return rc; 6104 } 6105 6106 /* Shared Memory security operations */ 6107 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6108 { 6109 struct ipc_security_struct *isec; 6110 struct common_audit_data ad; 6111 u32 sid = current_sid(); 6112 int rc; 6113 6114 rc = ipc_alloc_security(shp, SECCLASS_SHM); 6115 if (rc) 6116 return rc; 6117 6118 isec = shp->security; 6119 6120 ad.type = LSM_AUDIT_DATA_IPC; 6121 ad.u.ipc_id = shp->key; 6122 6123 rc = avc_has_perm(&selinux_state, 6124 sid, isec->sid, SECCLASS_SHM, 6125 SHM__CREATE, &ad); 6126 if (rc) { 6127 ipc_free_security(shp); 6128 return rc; 6129 } 6130 return 0; 6131 } 6132 6133 static void selinux_shm_free_security(struct kern_ipc_perm *shp) 6134 { 6135 ipc_free_security(shp); 6136 } 6137 6138 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6139 { 6140 struct ipc_security_struct *isec; 6141 struct common_audit_data ad; 6142 u32 sid = current_sid(); 6143 6144 isec = shp->security; 6145 6146 ad.type = LSM_AUDIT_DATA_IPC; 6147 ad.u.ipc_id = shp->key; 6148 6149 return avc_has_perm(&selinux_state, 6150 sid, isec->sid, SECCLASS_SHM, 6151 SHM__ASSOCIATE, &ad); 6152 } 6153 6154 /* Note, at this point, shp is locked down */ 6155 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6156 { 6157 int perms; 6158 int err; 6159 6160 switch (cmd) { 6161 case IPC_INFO: 6162 case SHM_INFO: 6163 /* No specific object, just general system-wide information. */ 6164 return avc_has_perm(&selinux_state, 6165 current_sid(), SECINITSID_KERNEL, 6166 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6167 case IPC_STAT: 6168 case SHM_STAT: 6169 case SHM_STAT_ANY: 6170 perms = SHM__GETATTR | SHM__ASSOCIATE; 6171 break; 6172 case IPC_SET: 6173 perms = SHM__SETATTR; 6174 break; 6175 case SHM_LOCK: 6176 case SHM_UNLOCK: 6177 perms = SHM__LOCK; 6178 break; 6179 case IPC_RMID: 6180 perms = SHM__DESTROY; 6181 break; 6182 default: 6183 return 0; 6184 } 6185 6186 err = ipc_has_perm(shp, perms); 6187 return err; 6188 } 6189 6190 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6191 char __user *shmaddr, int shmflg) 6192 { 6193 u32 perms; 6194 6195 if (shmflg & SHM_RDONLY) 6196 perms = SHM__READ; 6197 else 6198 perms = SHM__READ | SHM__WRITE; 6199 6200 return ipc_has_perm(shp, perms); 6201 } 6202 6203 /* Semaphore security operations */ 6204 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6205 { 6206 struct ipc_security_struct *isec; 6207 struct common_audit_data ad; 6208 u32 sid = current_sid(); 6209 int rc; 6210 6211 rc = ipc_alloc_security(sma, SECCLASS_SEM); 6212 if (rc) 6213 return rc; 6214 6215 isec = sma->security; 6216 6217 ad.type = LSM_AUDIT_DATA_IPC; 6218 ad.u.ipc_id = sma->key; 6219 6220 rc = avc_has_perm(&selinux_state, 6221 sid, isec->sid, SECCLASS_SEM, 6222 SEM__CREATE, &ad); 6223 if (rc) { 6224 ipc_free_security(sma); 6225 return rc; 6226 } 6227 return 0; 6228 } 6229 6230 static void selinux_sem_free_security(struct kern_ipc_perm *sma) 6231 { 6232 ipc_free_security(sma); 6233 } 6234 6235 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6236 { 6237 struct ipc_security_struct *isec; 6238 struct common_audit_data ad; 6239 u32 sid = current_sid(); 6240 6241 isec = sma->security; 6242 6243 ad.type = LSM_AUDIT_DATA_IPC; 6244 ad.u.ipc_id = sma->key; 6245 6246 return avc_has_perm(&selinux_state, 6247 sid, isec->sid, SECCLASS_SEM, 6248 SEM__ASSOCIATE, &ad); 6249 } 6250 6251 /* Note, at this point, sma is locked down */ 6252 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6253 { 6254 int err; 6255 u32 perms; 6256 6257 switch (cmd) { 6258 case IPC_INFO: 6259 case SEM_INFO: 6260 /* No specific object, just general system-wide information. */ 6261 return avc_has_perm(&selinux_state, 6262 current_sid(), SECINITSID_KERNEL, 6263 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6264 case GETPID: 6265 case GETNCNT: 6266 case GETZCNT: 6267 perms = SEM__GETATTR; 6268 break; 6269 case GETVAL: 6270 case GETALL: 6271 perms = SEM__READ; 6272 break; 6273 case SETVAL: 6274 case SETALL: 6275 perms = SEM__WRITE; 6276 break; 6277 case IPC_RMID: 6278 perms = SEM__DESTROY; 6279 break; 6280 case IPC_SET: 6281 perms = SEM__SETATTR; 6282 break; 6283 case IPC_STAT: 6284 case SEM_STAT: 6285 case SEM_STAT_ANY: 6286 perms = SEM__GETATTR | SEM__ASSOCIATE; 6287 break; 6288 default: 6289 return 0; 6290 } 6291 6292 err = ipc_has_perm(sma, perms); 6293 return err; 6294 } 6295 6296 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6297 struct sembuf *sops, unsigned nsops, int alter) 6298 { 6299 u32 perms; 6300 6301 if (alter) 6302 perms = SEM__READ | SEM__WRITE; 6303 else 6304 perms = SEM__READ; 6305 6306 return ipc_has_perm(sma, perms); 6307 } 6308 6309 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6310 { 6311 u32 av = 0; 6312 6313 av = 0; 6314 if (flag & S_IRUGO) 6315 av |= IPC__UNIX_READ; 6316 if (flag & S_IWUGO) 6317 av |= IPC__UNIX_WRITE; 6318 6319 if (av == 0) 6320 return 0; 6321 6322 return ipc_has_perm(ipcp, av); 6323 } 6324 6325 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 6326 { 6327 struct ipc_security_struct *isec = ipcp->security; 6328 *secid = isec->sid; 6329 } 6330 6331 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6332 { 6333 if (inode) 6334 inode_doinit_with_dentry(inode, dentry); 6335 } 6336 6337 static int selinux_getprocattr(struct task_struct *p, 6338 char *name, char **value) 6339 { 6340 const struct task_security_struct *__tsec; 6341 u32 sid; 6342 int error; 6343 unsigned len; 6344 6345 rcu_read_lock(); 6346 __tsec = __task_cred(p)->security; 6347 6348 if (current != p) { 6349 error = avc_has_perm(&selinux_state, 6350 current_sid(), __tsec->sid, 6351 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6352 if (error) 6353 goto bad; 6354 } 6355 6356 if (!strcmp(name, "current")) 6357 sid = __tsec->sid; 6358 else if (!strcmp(name, "prev")) 6359 sid = __tsec->osid; 6360 else if (!strcmp(name, "exec")) 6361 sid = __tsec->exec_sid; 6362 else if (!strcmp(name, "fscreate")) 6363 sid = __tsec->create_sid; 6364 else if (!strcmp(name, "keycreate")) 6365 sid = __tsec->keycreate_sid; 6366 else if (!strcmp(name, "sockcreate")) 6367 sid = __tsec->sockcreate_sid; 6368 else { 6369 error = -EINVAL; 6370 goto bad; 6371 } 6372 rcu_read_unlock(); 6373 6374 if (!sid) 6375 return 0; 6376 6377 error = security_sid_to_context(&selinux_state, sid, value, &len); 6378 if (error) 6379 return error; 6380 return len; 6381 6382 bad: 6383 rcu_read_unlock(); 6384 return error; 6385 } 6386 6387 static int selinux_setprocattr(const char *name, void *value, size_t size) 6388 { 6389 struct task_security_struct *tsec; 6390 struct cred *new; 6391 u32 mysid = current_sid(), sid = 0, ptsid; 6392 int error; 6393 char *str = value; 6394 6395 /* 6396 * Basic control over ability to set these attributes at all. 6397 */ 6398 if (!strcmp(name, "exec")) 6399 error = avc_has_perm(&selinux_state, 6400 mysid, mysid, SECCLASS_PROCESS, 6401 PROCESS__SETEXEC, NULL); 6402 else if (!strcmp(name, "fscreate")) 6403 error = avc_has_perm(&selinux_state, 6404 mysid, mysid, SECCLASS_PROCESS, 6405 PROCESS__SETFSCREATE, NULL); 6406 else if (!strcmp(name, "keycreate")) 6407 error = avc_has_perm(&selinux_state, 6408 mysid, mysid, SECCLASS_PROCESS, 6409 PROCESS__SETKEYCREATE, NULL); 6410 else if (!strcmp(name, "sockcreate")) 6411 error = avc_has_perm(&selinux_state, 6412 mysid, mysid, SECCLASS_PROCESS, 6413 PROCESS__SETSOCKCREATE, NULL); 6414 else if (!strcmp(name, "current")) 6415 error = avc_has_perm(&selinux_state, 6416 mysid, mysid, SECCLASS_PROCESS, 6417 PROCESS__SETCURRENT, NULL); 6418 else 6419 error = -EINVAL; 6420 if (error) 6421 return error; 6422 6423 /* Obtain a SID for the context, if one was specified. */ 6424 if (size && str[0] && str[0] != '\n') { 6425 if (str[size-1] == '\n') { 6426 str[size-1] = 0; 6427 size--; 6428 } 6429 error = security_context_to_sid(&selinux_state, value, size, 6430 &sid, GFP_KERNEL); 6431 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6432 if (!has_cap_mac_admin(true)) { 6433 struct audit_buffer *ab; 6434 size_t audit_size; 6435 6436 /* We strip a nul only if it is at the end, otherwise the 6437 * context contains a nul and we should audit that */ 6438 if (str[size - 1] == '\0') 6439 audit_size = size - 1; 6440 else 6441 audit_size = size; 6442 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 6443 audit_log_format(ab, "op=fscreate invalid_context="); 6444 audit_log_n_untrustedstring(ab, value, audit_size); 6445 audit_log_end(ab); 6446 6447 return error; 6448 } 6449 error = security_context_to_sid_force( 6450 &selinux_state, 6451 value, size, &sid); 6452 } 6453 if (error) 6454 return error; 6455 } 6456 6457 new = prepare_creds(); 6458 if (!new) 6459 return -ENOMEM; 6460 6461 /* Permission checking based on the specified context is 6462 performed during the actual operation (execve, 6463 open/mkdir/...), when we know the full context of the 6464 operation. See selinux_bprm_set_creds for the execve 6465 checks and may_create for the file creation checks. The 6466 operation will then fail if the context is not permitted. */ 6467 tsec = new->security; 6468 if (!strcmp(name, "exec")) { 6469 tsec->exec_sid = sid; 6470 } else if (!strcmp(name, "fscreate")) { 6471 tsec->create_sid = sid; 6472 } else if (!strcmp(name, "keycreate")) { 6473 error = avc_has_perm(&selinux_state, 6474 mysid, sid, SECCLASS_KEY, KEY__CREATE, 6475 NULL); 6476 if (error) 6477 goto abort_change; 6478 tsec->keycreate_sid = sid; 6479 } else if (!strcmp(name, "sockcreate")) { 6480 tsec->sockcreate_sid = sid; 6481 } else if (!strcmp(name, "current")) { 6482 error = -EINVAL; 6483 if (sid == 0) 6484 goto abort_change; 6485 6486 /* Only allow single threaded processes to change context */ 6487 error = -EPERM; 6488 if (!current_is_single_threaded()) { 6489 error = security_bounded_transition(&selinux_state, 6490 tsec->sid, sid); 6491 if (error) 6492 goto abort_change; 6493 } 6494 6495 /* Check permissions for the transition. */ 6496 error = avc_has_perm(&selinux_state, 6497 tsec->sid, sid, SECCLASS_PROCESS, 6498 PROCESS__DYNTRANSITION, NULL); 6499 if (error) 6500 goto abort_change; 6501 6502 /* Check for ptracing, and update the task SID if ok. 6503 Otherwise, leave SID unchanged and fail. */ 6504 ptsid = ptrace_parent_sid(); 6505 if (ptsid != 0) { 6506 error = avc_has_perm(&selinux_state, 6507 ptsid, sid, SECCLASS_PROCESS, 6508 PROCESS__PTRACE, NULL); 6509 if (error) 6510 goto abort_change; 6511 } 6512 6513 tsec->sid = sid; 6514 } else { 6515 error = -EINVAL; 6516 goto abort_change; 6517 } 6518 6519 commit_creds(new); 6520 return size; 6521 6522 abort_change: 6523 abort_creds(new); 6524 return error; 6525 } 6526 6527 static int selinux_ismaclabel(const char *name) 6528 { 6529 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6530 } 6531 6532 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6533 { 6534 return security_sid_to_context(&selinux_state, secid, 6535 secdata, seclen); 6536 } 6537 6538 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6539 { 6540 return security_context_to_sid(&selinux_state, secdata, seclen, 6541 secid, GFP_KERNEL); 6542 } 6543 6544 static void selinux_release_secctx(char *secdata, u32 seclen) 6545 { 6546 kfree(secdata); 6547 } 6548 6549 static void selinux_inode_invalidate_secctx(struct inode *inode) 6550 { 6551 struct inode_security_struct *isec = inode->i_security; 6552 6553 spin_lock(&isec->lock); 6554 isec->initialized = LABEL_INVALID; 6555 spin_unlock(&isec->lock); 6556 } 6557 6558 /* 6559 * called with inode->i_mutex locked 6560 */ 6561 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6562 { 6563 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 6564 } 6565 6566 /* 6567 * called with inode->i_mutex locked 6568 */ 6569 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6570 { 6571 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 6572 } 6573 6574 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6575 { 6576 int len = 0; 6577 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 6578 ctx, true); 6579 if (len < 0) 6580 return len; 6581 *ctxlen = len; 6582 return 0; 6583 } 6584 #ifdef CONFIG_KEYS 6585 6586 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6587 unsigned long flags) 6588 { 6589 const struct task_security_struct *tsec; 6590 struct key_security_struct *ksec; 6591 6592 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6593 if (!ksec) 6594 return -ENOMEM; 6595 6596 tsec = cred->security; 6597 if (tsec->keycreate_sid) 6598 ksec->sid = tsec->keycreate_sid; 6599 else 6600 ksec->sid = tsec->sid; 6601 6602 k->security = ksec; 6603 return 0; 6604 } 6605 6606 static void selinux_key_free(struct key *k) 6607 { 6608 struct key_security_struct *ksec = k->security; 6609 6610 k->security = NULL; 6611 kfree(ksec); 6612 } 6613 6614 static int selinux_key_permission(key_ref_t key_ref, 6615 const struct cred *cred, 6616 unsigned perm) 6617 { 6618 struct key *key; 6619 struct key_security_struct *ksec; 6620 u32 sid; 6621 6622 /* if no specific permissions are requested, we skip the 6623 permission check. No serious, additional covert channels 6624 appear to be created. */ 6625 if (perm == 0) 6626 return 0; 6627 6628 sid = cred_sid(cred); 6629 6630 key = key_ref_to_ptr(key_ref); 6631 ksec = key->security; 6632 6633 return avc_has_perm(&selinux_state, 6634 sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6635 } 6636 6637 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6638 { 6639 struct key_security_struct *ksec = key->security; 6640 char *context = NULL; 6641 unsigned len; 6642 int rc; 6643 6644 rc = security_sid_to_context(&selinux_state, ksec->sid, 6645 &context, &len); 6646 if (!rc) 6647 rc = len; 6648 *_buffer = context; 6649 return rc; 6650 } 6651 #endif 6652 6653 #ifdef CONFIG_SECURITY_INFINIBAND 6654 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6655 { 6656 struct common_audit_data ad; 6657 int err; 6658 u32 sid = 0; 6659 struct ib_security_struct *sec = ib_sec; 6660 struct lsm_ibpkey_audit ibpkey; 6661 6662 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6663 if (err) 6664 return err; 6665 6666 ad.type = LSM_AUDIT_DATA_IBPKEY; 6667 ibpkey.subnet_prefix = subnet_prefix; 6668 ibpkey.pkey = pkey_val; 6669 ad.u.ibpkey = &ibpkey; 6670 return avc_has_perm(&selinux_state, 6671 sec->sid, sid, 6672 SECCLASS_INFINIBAND_PKEY, 6673 INFINIBAND_PKEY__ACCESS, &ad); 6674 } 6675 6676 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6677 u8 port_num) 6678 { 6679 struct common_audit_data ad; 6680 int err; 6681 u32 sid = 0; 6682 struct ib_security_struct *sec = ib_sec; 6683 struct lsm_ibendport_audit ibendport; 6684 6685 err = security_ib_endport_sid(&selinux_state, dev_name, port_num, 6686 &sid); 6687 6688 if (err) 6689 return err; 6690 6691 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6692 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6693 ibendport.port = port_num; 6694 ad.u.ibendport = &ibendport; 6695 return avc_has_perm(&selinux_state, 6696 sec->sid, sid, 6697 SECCLASS_INFINIBAND_ENDPORT, 6698 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6699 } 6700 6701 static int selinux_ib_alloc_security(void **ib_sec) 6702 { 6703 struct ib_security_struct *sec; 6704 6705 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6706 if (!sec) 6707 return -ENOMEM; 6708 sec->sid = current_sid(); 6709 6710 *ib_sec = sec; 6711 return 0; 6712 } 6713 6714 static void selinux_ib_free_security(void *ib_sec) 6715 { 6716 kfree(ib_sec); 6717 } 6718 #endif 6719 6720 #ifdef CONFIG_BPF_SYSCALL 6721 static int selinux_bpf(int cmd, union bpf_attr *attr, 6722 unsigned int size) 6723 { 6724 u32 sid = current_sid(); 6725 int ret; 6726 6727 switch (cmd) { 6728 case BPF_MAP_CREATE: 6729 ret = avc_has_perm(&selinux_state, 6730 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6731 NULL); 6732 break; 6733 case BPF_PROG_LOAD: 6734 ret = avc_has_perm(&selinux_state, 6735 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6736 NULL); 6737 break; 6738 default: 6739 ret = 0; 6740 break; 6741 } 6742 6743 return ret; 6744 } 6745 6746 static u32 bpf_map_fmode_to_av(fmode_t fmode) 6747 { 6748 u32 av = 0; 6749 6750 if (fmode & FMODE_READ) 6751 av |= BPF__MAP_READ; 6752 if (fmode & FMODE_WRITE) 6753 av |= BPF__MAP_WRITE; 6754 return av; 6755 } 6756 6757 /* This function will check the file pass through unix socket or binder to see 6758 * if it is a bpf related object. And apply correspinding checks on the bpf 6759 * object based on the type. The bpf maps and programs, not like other files and 6760 * socket, are using a shared anonymous inode inside the kernel as their inode. 6761 * So checking that inode cannot identify if the process have privilege to 6762 * access the bpf object and that's why we have to add this additional check in 6763 * selinux_file_receive and selinux_binder_transfer_files. 6764 */ 6765 static int bpf_fd_pass(struct file *file, u32 sid) 6766 { 6767 struct bpf_security_struct *bpfsec; 6768 struct bpf_prog *prog; 6769 struct bpf_map *map; 6770 int ret; 6771 6772 if (file->f_op == &bpf_map_fops) { 6773 map = file->private_data; 6774 bpfsec = map->security; 6775 ret = avc_has_perm(&selinux_state, 6776 sid, bpfsec->sid, SECCLASS_BPF, 6777 bpf_map_fmode_to_av(file->f_mode), NULL); 6778 if (ret) 6779 return ret; 6780 } else if (file->f_op == &bpf_prog_fops) { 6781 prog = file->private_data; 6782 bpfsec = prog->aux->security; 6783 ret = avc_has_perm(&selinux_state, 6784 sid, bpfsec->sid, SECCLASS_BPF, 6785 BPF__PROG_RUN, NULL); 6786 if (ret) 6787 return ret; 6788 } 6789 return 0; 6790 } 6791 6792 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 6793 { 6794 u32 sid = current_sid(); 6795 struct bpf_security_struct *bpfsec; 6796 6797 bpfsec = map->security; 6798 return avc_has_perm(&selinux_state, 6799 sid, bpfsec->sid, SECCLASS_BPF, 6800 bpf_map_fmode_to_av(fmode), NULL); 6801 } 6802 6803 static int selinux_bpf_prog(struct bpf_prog *prog) 6804 { 6805 u32 sid = current_sid(); 6806 struct bpf_security_struct *bpfsec; 6807 6808 bpfsec = prog->aux->security; 6809 return avc_has_perm(&selinux_state, 6810 sid, bpfsec->sid, SECCLASS_BPF, 6811 BPF__PROG_RUN, NULL); 6812 } 6813 6814 static int selinux_bpf_map_alloc(struct bpf_map *map) 6815 { 6816 struct bpf_security_struct *bpfsec; 6817 6818 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6819 if (!bpfsec) 6820 return -ENOMEM; 6821 6822 bpfsec->sid = current_sid(); 6823 map->security = bpfsec; 6824 6825 return 0; 6826 } 6827 6828 static void selinux_bpf_map_free(struct bpf_map *map) 6829 { 6830 struct bpf_security_struct *bpfsec = map->security; 6831 6832 map->security = NULL; 6833 kfree(bpfsec); 6834 } 6835 6836 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux) 6837 { 6838 struct bpf_security_struct *bpfsec; 6839 6840 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6841 if (!bpfsec) 6842 return -ENOMEM; 6843 6844 bpfsec->sid = current_sid(); 6845 aux->security = bpfsec; 6846 6847 return 0; 6848 } 6849 6850 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) 6851 { 6852 struct bpf_security_struct *bpfsec = aux->security; 6853 6854 aux->security = NULL; 6855 kfree(bpfsec); 6856 } 6857 #endif 6858 6859 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 6860 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6861 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6862 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6863 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6864 6865 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 6866 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 6867 LSM_HOOK_INIT(capget, selinux_capget), 6868 LSM_HOOK_INIT(capset, selinux_capset), 6869 LSM_HOOK_INIT(capable, selinux_capable), 6870 LSM_HOOK_INIT(quotactl, selinux_quotactl), 6871 LSM_HOOK_INIT(quota_on, selinux_quota_on), 6872 LSM_HOOK_INIT(syslog, selinux_syslog), 6873 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6874 6875 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6876 6877 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6878 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6879 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6880 6881 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6882 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6883 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data), 6884 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6885 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6886 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6887 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 6888 LSM_HOOK_INIT(sb_mount, selinux_mount), 6889 LSM_HOOK_INIT(sb_umount, selinux_umount), 6890 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 6891 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 6892 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), 6893 6894 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 6895 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 6896 6897 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 6898 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 6899 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 6900 LSM_HOOK_INIT(inode_create, selinux_inode_create), 6901 LSM_HOOK_INIT(inode_link, selinux_inode_link), 6902 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 6903 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 6904 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 6905 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 6906 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 6907 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 6908 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 6909 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 6910 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 6911 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 6912 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 6913 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 6914 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 6915 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 6916 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 6917 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 6918 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 6919 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 6920 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 6921 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 6922 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 6923 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 6924 6925 LSM_HOOK_INIT(file_permission, selinux_file_permission), 6926 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 6927 LSM_HOOK_INIT(file_free_security, selinux_file_free_security), 6928 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 6929 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 6930 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 6931 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 6932 LSM_HOOK_INIT(file_lock, selinux_file_lock), 6933 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 6934 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 6935 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 6936 LSM_HOOK_INIT(file_receive, selinux_file_receive), 6937 6938 LSM_HOOK_INIT(file_open, selinux_file_open), 6939 6940 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 6941 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), 6942 LSM_HOOK_INIT(cred_free, selinux_cred_free), 6943 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6944 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6945 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 6946 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6947 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6948 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6949 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 6950 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 6951 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 6952 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 6953 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), 6954 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 6955 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 6956 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 6957 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 6958 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 6959 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 6960 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 6961 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 6962 LSM_HOOK_INIT(task_kill, selinux_task_kill), 6963 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 6964 6965 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 6966 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 6967 6968 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 6969 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security), 6970 6971 LSM_HOOK_INIT(msg_queue_alloc_security, 6972 selinux_msg_queue_alloc_security), 6973 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security), 6974 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 6975 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 6976 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 6977 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 6978 6979 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 6980 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security), 6981 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 6982 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 6983 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 6984 6985 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 6986 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security), 6987 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 6988 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 6989 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 6990 6991 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 6992 6993 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 6994 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 6995 6996 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 6997 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 6998 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 6999 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 7000 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 7001 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 7002 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 7003 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 7004 7005 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 7006 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 7007 7008 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7009 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7010 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7011 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7012 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7013 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7014 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7015 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7016 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7017 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7018 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7019 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7020 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7021 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7022 LSM_HOOK_INIT(socket_getpeersec_stream, 7023 selinux_socket_getpeersec_stream), 7024 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7025 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7026 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7027 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7028 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7029 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7030 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7031 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7032 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7033 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7034 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7035 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7036 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7037 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7038 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7039 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7040 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7041 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 7042 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7043 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7044 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7045 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7046 #ifdef CONFIG_SECURITY_INFINIBAND 7047 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7048 LSM_HOOK_INIT(ib_endport_manage_subnet, 7049 selinux_ib_endport_manage_subnet), 7050 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7051 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 7052 #endif 7053 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7054 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7055 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7056 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7057 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7058 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7059 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7060 selinux_xfrm_state_alloc_acquire), 7061 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7062 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7063 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7064 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7065 selinux_xfrm_state_pol_flow_match), 7066 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7067 #endif 7068 7069 #ifdef CONFIG_KEYS 7070 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7071 LSM_HOOK_INIT(key_free, selinux_key_free), 7072 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7073 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7074 #endif 7075 7076 #ifdef CONFIG_AUDIT 7077 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7078 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7079 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7080 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7081 #endif 7082 7083 #ifdef CONFIG_BPF_SYSCALL 7084 LSM_HOOK_INIT(bpf, selinux_bpf), 7085 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7086 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7087 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), 7088 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), 7089 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free), 7090 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free), 7091 #endif 7092 }; 7093 7094 static __init int selinux_init(void) 7095 { 7096 if (!security_module_enable("selinux")) { 7097 selinux_enabled = 0; 7098 return 0; 7099 } 7100 7101 if (!selinux_enabled) { 7102 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 7103 return 0; 7104 } 7105 7106 printk(KERN_INFO "SELinux: Initializing.\n"); 7107 7108 memset(&selinux_state, 0, sizeof(selinux_state)); 7109 enforcing_set(&selinux_state, selinux_enforcing_boot); 7110 selinux_state.checkreqprot = selinux_checkreqprot_boot; 7111 selinux_ss_init(&selinux_state.ss); 7112 selinux_avc_init(&selinux_state.avc); 7113 7114 /* Set the security state for the initial task. */ 7115 cred_init_security(); 7116 7117 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7118 7119 sel_inode_cache = kmem_cache_create("selinux_inode_security", 7120 sizeof(struct inode_security_struct), 7121 0, SLAB_PANIC, NULL); 7122 file_security_cache = kmem_cache_create("selinux_file_security", 7123 sizeof(struct file_security_struct), 7124 0, SLAB_PANIC, NULL); 7125 avc_init(); 7126 7127 avtab_cache_init(); 7128 7129 ebitmap_cache_init(); 7130 7131 hashtab_cache_init(); 7132 7133 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 7134 7135 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7136 panic("SELinux: Unable to register AVC netcache callback\n"); 7137 7138 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7139 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7140 7141 if (selinux_enforcing_boot) 7142 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 7143 else 7144 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 7145 7146 return 0; 7147 } 7148 7149 static void delayed_superblock_init(struct super_block *sb, void *unused) 7150 { 7151 superblock_doinit(sb, NULL); 7152 } 7153 7154 void selinux_complete_init(void) 7155 { 7156 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 7157 7158 /* Set up any superblocks initialized prior to the policy load. */ 7159 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 7160 iterate_supers(delayed_superblock_init, NULL); 7161 } 7162 7163 /* SELinux requires early initialization in order to label 7164 all processes and objects when they are created. */ 7165 security_initcall(selinux_init); 7166 7167 #if defined(CONFIG_NETFILTER) 7168 7169 static const struct nf_hook_ops selinux_nf_ops[] = { 7170 { 7171 .hook = selinux_ipv4_postroute, 7172 .pf = NFPROTO_IPV4, 7173 .hooknum = NF_INET_POST_ROUTING, 7174 .priority = NF_IP_PRI_SELINUX_LAST, 7175 }, 7176 { 7177 .hook = selinux_ipv4_forward, 7178 .pf = NFPROTO_IPV4, 7179 .hooknum = NF_INET_FORWARD, 7180 .priority = NF_IP_PRI_SELINUX_FIRST, 7181 }, 7182 { 7183 .hook = selinux_ipv4_output, 7184 .pf = NFPROTO_IPV4, 7185 .hooknum = NF_INET_LOCAL_OUT, 7186 .priority = NF_IP_PRI_SELINUX_FIRST, 7187 }, 7188 #if IS_ENABLED(CONFIG_IPV6) 7189 { 7190 .hook = selinux_ipv6_postroute, 7191 .pf = NFPROTO_IPV6, 7192 .hooknum = NF_INET_POST_ROUTING, 7193 .priority = NF_IP6_PRI_SELINUX_LAST, 7194 }, 7195 { 7196 .hook = selinux_ipv6_forward, 7197 .pf = NFPROTO_IPV6, 7198 .hooknum = NF_INET_FORWARD, 7199 .priority = NF_IP6_PRI_SELINUX_FIRST, 7200 }, 7201 { 7202 .hook = selinux_ipv6_output, 7203 .pf = NFPROTO_IPV6, 7204 .hooknum = NF_INET_LOCAL_OUT, 7205 .priority = NF_IP6_PRI_SELINUX_FIRST, 7206 }, 7207 #endif /* IPV6 */ 7208 }; 7209 7210 static int __net_init selinux_nf_register(struct net *net) 7211 { 7212 return nf_register_net_hooks(net, selinux_nf_ops, 7213 ARRAY_SIZE(selinux_nf_ops)); 7214 } 7215 7216 static void __net_exit selinux_nf_unregister(struct net *net) 7217 { 7218 nf_unregister_net_hooks(net, selinux_nf_ops, 7219 ARRAY_SIZE(selinux_nf_ops)); 7220 } 7221 7222 static struct pernet_operations selinux_net_ops = { 7223 .init = selinux_nf_register, 7224 .exit = selinux_nf_unregister, 7225 }; 7226 7227 static int __init selinux_nf_ip_init(void) 7228 { 7229 int err; 7230 7231 if (!selinux_enabled) 7232 return 0; 7233 7234 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 7235 7236 err = register_pernet_subsys(&selinux_net_ops); 7237 if (err) 7238 panic("SELinux: register_pernet_subsys: error %d\n", err); 7239 7240 return 0; 7241 } 7242 __initcall(selinux_nf_ip_init); 7243 7244 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7245 static void selinux_nf_ip_exit(void) 7246 { 7247 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 7248 7249 unregister_pernet_subsys(&selinux_net_ops); 7250 } 7251 #endif 7252 7253 #else /* CONFIG_NETFILTER */ 7254 7255 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7256 #define selinux_nf_ip_exit() 7257 #endif 7258 7259 #endif /* CONFIG_NETFILTER */ 7260 7261 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7262 int selinux_disable(struct selinux_state *state) 7263 { 7264 if (state->initialized) { 7265 /* Not permitted after initial policy load. */ 7266 return -EINVAL; 7267 } 7268 7269 if (state->disabled) { 7270 /* Only do this once. */ 7271 return -EINVAL; 7272 } 7273 7274 state->disabled = 1; 7275 7276 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 7277 7278 selinux_enabled = 0; 7279 7280 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7281 7282 /* Try to destroy the avc node cache */ 7283 avc_disable(); 7284 7285 /* Unregister netfilter hooks. */ 7286 selinux_nf_ip_exit(); 7287 7288 /* Unregister selinuxfs. */ 7289 exit_sel_fs(); 7290 7291 return 0; 7292 } 7293 #endif 7294