1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * Copyright (C) 2016 Mellanox Technologies 21 * 22 * This program is free software; you can redistribute it and/or modify 23 * it under the terms of the GNU General Public License version 2, 24 * as published by the Free Software Foundation. 25 */ 26 27 #include <linux/init.h> 28 #include <linux/kd.h> 29 #include <linux/kernel.h> 30 #include <linux/tracehook.h> 31 #include <linux/errno.h> 32 #include <linux/sched/signal.h> 33 #include <linux/sched/task.h> 34 #include <linux/lsm_hooks.h> 35 #include <linux/xattr.h> 36 #include <linux/capability.h> 37 #include <linux/unistd.h> 38 #include <linux/mm.h> 39 #include <linux/mman.h> 40 #include <linux/slab.h> 41 #include <linux/pagemap.h> 42 #include <linux/proc_fs.h> 43 #include <linux/swap.h> 44 #include <linux/spinlock.h> 45 #include <linux/syscalls.h> 46 #include <linux/dcache.h> 47 #include <linux/file.h> 48 #include <linux/fdtable.h> 49 #include <linux/namei.h> 50 #include <linux/mount.h> 51 #include <linux/netfilter_ipv4.h> 52 #include <linux/netfilter_ipv6.h> 53 #include <linux/tty.h> 54 #include <net/icmp.h> 55 #include <net/ip.h> /* for local_port_range[] */ 56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 57 #include <net/inet_connection_sock.h> 58 #include <net/net_namespace.h> 59 #include <net/netlabel.h> 60 #include <linux/uaccess.h> 61 #include <asm/ioctls.h> 62 #include <linux/atomic.h> 63 #include <linux/bitops.h> 64 #include <linux/interrupt.h> 65 #include <linux/netdevice.h> /* for network interface checks */ 66 #include <net/netlink.h> 67 #include <linux/tcp.h> 68 #include <linux/udp.h> 69 #include <linux/dccp.h> 70 #include <linux/sctp.h> 71 #include <net/sctp/structs.h> 72 #include <linux/quota.h> 73 #include <linux/un.h> /* for Unix socket types */ 74 #include <net/af_unix.h> /* for Unix socket types */ 75 #include <linux/parser.h> 76 #include <linux/nfs_mount.h> 77 #include <net/ipv6.h> 78 #include <linux/hugetlb.h> 79 #include <linux/personality.h> 80 #include <linux/audit.h> 81 #include <linux/string.h> 82 #include <linux/selinux.h> 83 #include <linux/mutex.h> 84 #include <linux/posix-timers.h> 85 #include <linux/syslog.h> 86 #include <linux/user_namespace.h> 87 #include <linux/export.h> 88 #include <linux/msg.h> 89 #include <linux/shm.h> 90 #include <linux/bpf.h> 91 92 #include "avc.h" 93 #include "objsec.h" 94 #include "netif.h" 95 #include "netnode.h" 96 #include "netport.h" 97 #include "ibpkey.h" 98 #include "xfrm.h" 99 #include "netlabel.h" 100 #include "audit.h" 101 #include "avc_ss.h" 102 103 struct selinux_state selinux_state; 104 105 /* SECMARK reference count */ 106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 107 108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 109 static int selinux_enforcing_boot; 110 111 static int __init enforcing_setup(char *str) 112 { 113 unsigned long enforcing; 114 if (!kstrtoul(str, 0, &enforcing)) 115 selinux_enforcing_boot = enforcing ? 1 : 0; 116 return 1; 117 } 118 __setup("enforcing=", enforcing_setup); 119 #else 120 #define selinux_enforcing_boot 1 121 #endif 122 123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 125 126 static int __init selinux_enabled_setup(char *str) 127 { 128 unsigned long enabled; 129 if (!kstrtoul(str, 0, &enabled)) 130 selinux_enabled = enabled ? 1 : 0; 131 return 1; 132 } 133 __setup("selinux=", selinux_enabled_setup); 134 #else 135 int selinux_enabled = 1; 136 #endif 137 138 static unsigned int selinux_checkreqprot_boot = 139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 140 141 static int __init checkreqprot_setup(char *str) 142 { 143 unsigned long checkreqprot; 144 145 if (!kstrtoul(str, 0, &checkreqprot)) 146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0; 147 return 1; 148 } 149 __setup("checkreqprot=", checkreqprot_setup); 150 151 static struct kmem_cache *sel_inode_cache; 152 static struct kmem_cache *file_security_cache; 153 154 /** 155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 156 * 157 * Description: 158 * This function checks the SECMARK reference counter to see if any SECMARK 159 * targets are currently configured, if the reference counter is greater than 160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 161 * enabled, false (0) if SECMARK is disabled. If the always_check_network 162 * policy capability is enabled, SECMARK is always considered enabled. 163 * 164 */ 165 static int selinux_secmark_enabled(void) 166 { 167 return (selinux_policycap_alwaysnetwork() || 168 atomic_read(&selinux_secmark_refcount)); 169 } 170 171 /** 172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 173 * 174 * Description: 175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 176 * (1) if any are enabled or false (0) if neither are enabled. If the 177 * always_check_network policy capability is enabled, peer labeling 178 * is always considered enabled. 179 * 180 */ 181 static int selinux_peerlbl_enabled(void) 182 { 183 return (selinux_policycap_alwaysnetwork() || 184 netlbl_enabled() || selinux_xfrm_enabled()); 185 } 186 187 static int selinux_netcache_avc_callback(u32 event) 188 { 189 if (event == AVC_CALLBACK_RESET) { 190 sel_netif_flush(); 191 sel_netnode_flush(); 192 sel_netport_flush(); 193 synchronize_net(); 194 } 195 return 0; 196 } 197 198 static int selinux_lsm_notifier_avc_callback(u32 event) 199 { 200 if (event == AVC_CALLBACK_RESET) { 201 sel_ib_pkey_flush(); 202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL); 203 } 204 205 return 0; 206 } 207 208 /* 209 * initialise the security for the init task 210 */ 211 static void cred_init_security(void) 212 { 213 struct cred *cred = (struct cred *) current->real_cred; 214 struct task_security_struct *tsec; 215 216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 217 if (!tsec) 218 panic("SELinux: Failed to initialize initial task.\n"); 219 220 tsec->osid = tsec->sid = SECINITSID_KERNEL; 221 cred->security = tsec; 222 } 223 224 /* 225 * get the security ID of a set of credentials 226 */ 227 static inline u32 cred_sid(const struct cred *cred) 228 { 229 const struct task_security_struct *tsec; 230 231 tsec = cred->security; 232 return tsec->sid; 233 } 234 235 /* 236 * get the objective security ID of a task 237 */ 238 static inline u32 task_sid(const struct task_struct *task) 239 { 240 u32 sid; 241 242 rcu_read_lock(); 243 sid = cred_sid(__task_cred(task)); 244 rcu_read_unlock(); 245 return sid; 246 } 247 248 /* Allocate and free functions for each kind of security blob. */ 249 250 static int inode_alloc_security(struct inode *inode) 251 { 252 struct inode_security_struct *isec; 253 u32 sid = current_sid(); 254 255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 256 if (!isec) 257 return -ENOMEM; 258 259 spin_lock_init(&isec->lock); 260 INIT_LIST_HEAD(&isec->list); 261 isec->inode = inode; 262 isec->sid = SECINITSID_UNLABELED; 263 isec->sclass = SECCLASS_FILE; 264 isec->task_sid = sid; 265 isec->initialized = LABEL_INVALID; 266 inode->i_security = isec; 267 268 return 0; 269 } 270 271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 272 273 /* 274 * Try reloading inode security labels that have been marked as invalid. The 275 * @may_sleep parameter indicates when sleeping and thus reloading labels is 276 * allowed; when set to false, returns -ECHILD when the label is 277 * invalid. The @opt_dentry parameter should be set to a dentry of the inode; 278 * when no dentry is available, set it to NULL instead. 279 */ 280 static int __inode_security_revalidate(struct inode *inode, 281 struct dentry *opt_dentry, 282 bool may_sleep) 283 { 284 struct inode_security_struct *isec = inode->i_security; 285 286 might_sleep_if(may_sleep); 287 288 if (selinux_state.initialized && 289 isec->initialized != LABEL_INITIALIZED) { 290 if (!may_sleep) 291 return -ECHILD; 292 293 /* 294 * Try reloading the inode security label. This will fail if 295 * @opt_dentry is NULL and no dentry for this inode can be 296 * found; in that case, continue using the old label. 297 */ 298 inode_doinit_with_dentry(inode, opt_dentry); 299 } 300 return 0; 301 } 302 303 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 304 { 305 return inode->i_security; 306 } 307 308 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 309 { 310 int error; 311 312 error = __inode_security_revalidate(inode, NULL, !rcu); 313 if (error) 314 return ERR_PTR(error); 315 return inode->i_security; 316 } 317 318 /* 319 * Get the security label of an inode. 320 */ 321 static struct inode_security_struct *inode_security(struct inode *inode) 322 { 323 __inode_security_revalidate(inode, NULL, true); 324 return inode->i_security; 325 } 326 327 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 328 { 329 struct inode *inode = d_backing_inode(dentry); 330 331 return inode->i_security; 332 } 333 334 /* 335 * Get the security label of a dentry's backing inode. 336 */ 337 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 338 { 339 struct inode *inode = d_backing_inode(dentry); 340 341 __inode_security_revalidate(inode, dentry, true); 342 return inode->i_security; 343 } 344 345 static void inode_free_rcu(struct rcu_head *head) 346 { 347 struct inode_security_struct *isec; 348 349 isec = container_of(head, struct inode_security_struct, rcu); 350 kmem_cache_free(sel_inode_cache, isec); 351 } 352 353 static void inode_free_security(struct inode *inode) 354 { 355 struct inode_security_struct *isec = inode->i_security; 356 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 357 358 /* 359 * As not all inode security structures are in a list, we check for 360 * empty list outside of the lock to make sure that we won't waste 361 * time taking a lock doing nothing. 362 * 363 * The list_del_init() function can be safely called more than once. 364 * It should not be possible for this function to be called with 365 * concurrent list_add(), but for better safety against future changes 366 * in the code, we use list_empty_careful() here. 367 */ 368 if (!list_empty_careful(&isec->list)) { 369 spin_lock(&sbsec->isec_lock); 370 list_del_init(&isec->list); 371 spin_unlock(&sbsec->isec_lock); 372 } 373 374 /* 375 * The inode may still be referenced in a path walk and 376 * a call to selinux_inode_permission() can be made 377 * after inode_free_security() is called. Ideally, the VFS 378 * wouldn't do this, but fixing that is a much harder 379 * job. For now, simply free the i_security via RCU, and 380 * leave the current inode->i_security pointer intact. 381 * The inode will be freed after the RCU grace period too. 382 */ 383 call_rcu(&isec->rcu, inode_free_rcu); 384 } 385 386 static int file_alloc_security(struct file *file) 387 { 388 struct file_security_struct *fsec; 389 u32 sid = current_sid(); 390 391 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); 392 if (!fsec) 393 return -ENOMEM; 394 395 fsec->sid = sid; 396 fsec->fown_sid = sid; 397 file->f_security = fsec; 398 399 return 0; 400 } 401 402 static void file_free_security(struct file *file) 403 { 404 struct file_security_struct *fsec = file->f_security; 405 file->f_security = NULL; 406 kmem_cache_free(file_security_cache, fsec); 407 } 408 409 static int superblock_alloc_security(struct super_block *sb) 410 { 411 struct superblock_security_struct *sbsec; 412 413 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 414 if (!sbsec) 415 return -ENOMEM; 416 417 mutex_init(&sbsec->lock); 418 INIT_LIST_HEAD(&sbsec->isec_head); 419 spin_lock_init(&sbsec->isec_lock); 420 sbsec->sb = sb; 421 sbsec->sid = SECINITSID_UNLABELED; 422 sbsec->def_sid = SECINITSID_FILE; 423 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 424 sb->s_security = sbsec; 425 426 return 0; 427 } 428 429 static void superblock_free_security(struct super_block *sb) 430 { 431 struct superblock_security_struct *sbsec = sb->s_security; 432 sb->s_security = NULL; 433 kfree(sbsec); 434 } 435 436 static inline int inode_doinit(struct inode *inode) 437 { 438 return inode_doinit_with_dentry(inode, NULL); 439 } 440 441 enum { 442 Opt_error = -1, 443 Opt_context = 1, 444 Opt_fscontext = 2, 445 Opt_defcontext = 3, 446 Opt_rootcontext = 4, 447 Opt_labelsupport = 5, 448 Opt_nextmntopt = 6, 449 }; 450 451 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1) 452 453 static const match_table_t tokens = { 454 {Opt_context, CONTEXT_STR "%s"}, 455 {Opt_fscontext, FSCONTEXT_STR "%s"}, 456 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 457 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 458 {Opt_labelsupport, LABELSUPP_STR}, 459 {Opt_error, NULL}, 460 }; 461 462 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 463 464 static int may_context_mount_sb_relabel(u32 sid, 465 struct superblock_security_struct *sbsec, 466 const struct cred *cred) 467 { 468 const struct task_security_struct *tsec = cred->security; 469 int rc; 470 471 rc = avc_has_perm(&selinux_state, 472 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 473 FILESYSTEM__RELABELFROM, NULL); 474 if (rc) 475 return rc; 476 477 rc = avc_has_perm(&selinux_state, 478 tsec->sid, sid, SECCLASS_FILESYSTEM, 479 FILESYSTEM__RELABELTO, NULL); 480 return rc; 481 } 482 483 static int may_context_mount_inode_relabel(u32 sid, 484 struct superblock_security_struct *sbsec, 485 const struct cred *cred) 486 { 487 const struct task_security_struct *tsec = cred->security; 488 int rc; 489 rc = avc_has_perm(&selinux_state, 490 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 491 FILESYSTEM__RELABELFROM, NULL); 492 if (rc) 493 return rc; 494 495 rc = avc_has_perm(&selinux_state, 496 sid, sbsec->sid, SECCLASS_FILESYSTEM, 497 FILESYSTEM__ASSOCIATE, NULL); 498 return rc; 499 } 500 501 static int selinux_is_sblabel_mnt(struct super_block *sb) 502 { 503 struct superblock_security_struct *sbsec = sb->s_security; 504 505 return sbsec->behavior == SECURITY_FS_USE_XATTR || 506 sbsec->behavior == SECURITY_FS_USE_TRANS || 507 sbsec->behavior == SECURITY_FS_USE_TASK || 508 sbsec->behavior == SECURITY_FS_USE_NATIVE || 509 /* Special handling. Genfs but also in-core setxattr handler */ 510 !strcmp(sb->s_type->name, "sysfs") || 511 !strcmp(sb->s_type->name, "pstore") || 512 !strcmp(sb->s_type->name, "debugfs") || 513 !strcmp(sb->s_type->name, "tracefs") || 514 !strcmp(sb->s_type->name, "rootfs") || 515 (selinux_policycap_cgroupseclabel() && 516 (!strcmp(sb->s_type->name, "cgroup") || 517 !strcmp(sb->s_type->name, "cgroup2"))); 518 } 519 520 static int sb_finish_set_opts(struct super_block *sb) 521 { 522 struct superblock_security_struct *sbsec = sb->s_security; 523 struct dentry *root = sb->s_root; 524 struct inode *root_inode = d_backing_inode(root); 525 int rc = 0; 526 527 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 528 /* Make sure that the xattr handler exists and that no 529 error other than -ENODATA is returned by getxattr on 530 the root directory. -ENODATA is ok, as this may be 531 the first boot of the SELinux kernel before we have 532 assigned xattr values to the filesystem. */ 533 if (!(root_inode->i_opflags & IOP_XATTR)) { 534 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 535 "xattr support\n", sb->s_id, sb->s_type->name); 536 rc = -EOPNOTSUPP; 537 goto out; 538 } 539 540 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 541 if (rc < 0 && rc != -ENODATA) { 542 if (rc == -EOPNOTSUPP) 543 printk(KERN_WARNING "SELinux: (dev %s, type " 544 "%s) has no security xattr handler\n", 545 sb->s_id, sb->s_type->name); 546 else 547 printk(KERN_WARNING "SELinux: (dev %s, type " 548 "%s) getxattr errno %d\n", sb->s_id, 549 sb->s_type->name, -rc); 550 goto out; 551 } 552 } 553 554 sbsec->flags |= SE_SBINITIALIZED; 555 556 /* 557 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 558 * leave the flag untouched because sb_clone_mnt_opts might be handing 559 * us a superblock that needs the flag to be cleared. 560 */ 561 if (selinux_is_sblabel_mnt(sb)) 562 sbsec->flags |= SBLABEL_MNT; 563 else 564 sbsec->flags &= ~SBLABEL_MNT; 565 566 /* Initialize the root inode. */ 567 rc = inode_doinit_with_dentry(root_inode, root); 568 569 /* Initialize any other inodes associated with the superblock, e.g. 570 inodes created prior to initial policy load or inodes created 571 during get_sb by a pseudo filesystem that directly 572 populates itself. */ 573 spin_lock(&sbsec->isec_lock); 574 next_inode: 575 if (!list_empty(&sbsec->isec_head)) { 576 struct inode_security_struct *isec = 577 list_entry(sbsec->isec_head.next, 578 struct inode_security_struct, list); 579 struct inode *inode = isec->inode; 580 list_del_init(&isec->list); 581 spin_unlock(&sbsec->isec_lock); 582 inode = igrab(inode); 583 if (inode) { 584 if (!IS_PRIVATE(inode)) 585 inode_doinit(inode); 586 iput(inode); 587 } 588 spin_lock(&sbsec->isec_lock); 589 goto next_inode; 590 } 591 spin_unlock(&sbsec->isec_lock); 592 out: 593 return rc; 594 } 595 596 /* 597 * This function should allow an FS to ask what it's mount security 598 * options were so it can use those later for submounts, displaying 599 * mount options, or whatever. 600 */ 601 static int selinux_get_mnt_opts(const struct super_block *sb, 602 struct security_mnt_opts *opts) 603 { 604 int rc = 0, i; 605 struct superblock_security_struct *sbsec = sb->s_security; 606 char *context = NULL; 607 u32 len; 608 char tmp; 609 610 security_init_mnt_opts(opts); 611 612 if (!(sbsec->flags & SE_SBINITIALIZED)) 613 return -EINVAL; 614 615 if (!selinux_state.initialized) 616 return -EINVAL; 617 618 /* make sure we always check enough bits to cover the mask */ 619 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS)); 620 621 tmp = sbsec->flags & SE_MNTMASK; 622 /* count the number of mount options for this sb */ 623 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) { 624 if (tmp & 0x01) 625 opts->num_mnt_opts++; 626 tmp >>= 1; 627 } 628 /* Check if the Label support flag is set */ 629 if (sbsec->flags & SBLABEL_MNT) 630 opts->num_mnt_opts++; 631 632 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 633 if (!opts->mnt_opts) { 634 rc = -ENOMEM; 635 goto out_free; 636 } 637 638 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 639 if (!opts->mnt_opts_flags) { 640 rc = -ENOMEM; 641 goto out_free; 642 } 643 644 i = 0; 645 if (sbsec->flags & FSCONTEXT_MNT) { 646 rc = security_sid_to_context(&selinux_state, sbsec->sid, 647 &context, &len); 648 if (rc) 649 goto out_free; 650 opts->mnt_opts[i] = context; 651 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 652 } 653 if (sbsec->flags & CONTEXT_MNT) { 654 rc = security_sid_to_context(&selinux_state, 655 sbsec->mntpoint_sid, 656 &context, &len); 657 if (rc) 658 goto out_free; 659 opts->mnt_opts[i] = context; 660 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 661 } 662 if (sbsec->flags & DEFCONTEXT_MNT) { 663 rc = security_sid_to_context(&selinux_state, sbsec->def_sid, 664 &context, &len); 665 if (rc) 666 goto out_free; 667 opts->mnt_opts[i] = context; 668 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 669 } 670 if (sbsec->flags & ROOTCONTEXT_MNT) { 671 struct dentry *root = sbsec->sb->s_root; 672 struct inode_security_struct *isec = backing_inode_security(root); 673 674 rc = security_sid_to_context(&selinux_state, isec->sid, 675 &context, &len); 676 if (rc) 677 goto out_free; 678 opts->mnt_opts[i] = context; 679 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 680 } 681 if (sbsec->flags & SBLABEL_MNT) { 682 opts->mnt_opts[i] = NULL; 683 opts->mnt_opts_flags[i++] = SBLABEL_MNT; 684 } 685 686 BUG_ON(i != opts->num_mnt_opts); 687 688 return 0; 689 690 out_free: 691 security_free_mnt_opts(opts); 692 return rc; 693 } 694 695 static int bad_option(struct superblock_security_struct *sbsec, char flag, 696 u32 old_sid, u32 new_sid) 697 { 698 char mnt_flags = sbsec->flags & SE_MNTMASK; 699 700 /* check if the old mount command had the same options */ 701 if (sbsec->flags & SE_SBINITIALIZED) 702 if (!(sbsec->flags & flag) || 703 (old_sid != new_sid)) 704 return 1; 705 706 /* check if we were passed the same options twice, 707 * aka someone passed context=a,context=b 708 */ 709 if (!(sbsec->flags & SE_SBINITIALIZED)) 710 if (mnt_flags & flag) 711 return 1; 712 return 0; 713 } 714 715 /* 716 * Allow filesystems with binary mount data to explicitly set mount point 717 * labeling information. 718 */ 719 static int selinux_set_mnt_opts(struct super_block *sb, 720 struct security_mnt_opts *opts, 721 unsigned long kern_flags, 722 unsigned long *set_kern_flags) 723 { 724 const struct cred *cred = current_cred(); 725 int rc = 0, i; 726 struct superblock_security_struct *sbsec = sb->s_security; 727 const char *name = sb->s_type->name; 728 struct dentry *root = sbsec->sb->s_root; 729 struct inode_security_struct *root_isec; 730 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 731 u32 defcontext_sid = 0; 732 char **mount_options = opts->mnt_opts; 733 int *flags = opts->mnt_opts_flags; 734 int num_opts = opts->num_mnt_opts; 735 736 mutex_lock(&sbsec->lock); 737 738 if (!selinux_state.initialized) { 739 if (!num_opts) { 740 /* Defer initialization until selinux_complete_init, 741 after the initial policy is loaded and the security 742 server is ready to handle calls. */ 743 goto out; 744 } 745 rc = -EINVAL; 746 printk(KERN_WARNING "SELinux: Unable to set superblock options " 747 "before the security server is initialized\n"); 748 goto out; 749 } 750 if (kern_flags && !set_kern_flags) { 751 /* Specifying internal flags without providing a place to 752 * place the results is not allowed */ 753 rc = -EINVAL; 754 goto out; 755 } 756 757 /* 758 * Binary mount data FS will come through this function twice. Once 759 * from an explicit call and once from the generic calls from the vfs. 760 * Since the generic VFS calls will not contain any security mount data 761 * we need to skip the double mount verification. 762 * 763 * This does open a hole in which we will not notice if the first 764 * mount using this sb set explict options and a second mount using 765 * this sb does not set any security options. (The first options 766 * will be used for both mounts) 767 */ 768 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 769 && (num_opts == 0)) 770 goto out; 771 772 root_isec = backing_inode_security_novalidate(root); 773 774 /* 775 * parse the mount options, check if they are valid sids. 776 * also check if someone is trying to mount the same sb more 777 * than once with different security options. 778 */ 779 for (i = 0; i < num_opts; i++) { 780 u32 sid; 781 782 if (flags[i] == SBLABEL_MNT) 783 continue; 784 rc = security_context_str_to_sid(&selinux_state, 785 mount_options[i], &sid, 786 GFP_KERNEL); 787 if (rc) { 788 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 789 "(%s) failed for (dev %s, type %s) errno=%d\n", 790 mount_options[i], sb->s_id, name, rc); 791 goto out; 792 } 793 switch (flags[i]) { 794 case FSCONTEXT_MNT: 795 fscontext_sid = sid; 796 797 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 798 fscontext_sid)) 799 goto out_double_mount; 800 801 sbsec->flags |= FSCONTEXT_MNT; 802 break; 803 case CONTEXT_MNT: 804 context_sid = sid; 805 806 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 807 context_sid)) 808 goto out_double_mount; 809 810 sbsec->flags |= CONTEXT_MNT; 811 break; 812 case ROOTCONTEXT_MNT: 813 rootcontext_sid = sid; 814 815 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 816 rootcontext_sid)) 817 goto out_double_mount; 818 819 sbsec->flags |= ROOTCONTEXT_MNT; 820 821 break; 822 case DEFCONTEXT_MNT: 823 defcontext_sid = sid; 824 825 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 826 defcontext_sid)) 827 goto out_double_mount; 828 829 sbsec->flags |= DEFCONTEXT_MNT; 830 831 break; 832 default: 833 rc = -EINVAL; 834 goto out; 835 } 836 } 837 838 if (sbsec->flags & SE_SBINITIALIZED) { 839 /* previously mounted with options, but not on this attempt? */ 840 if ((sbsec->flags & SE_MNTMASK) && !num_opts) 841 goto out_double_mount; 842 rc = 0; 843 goto out; 844 } 845 846 if (strcmp(sb->s_type->name, "proc") == 0) 847 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 848 849 if (!strcmp(sb->s_type->name, "debugfs") || 850 !strcmp(sb->s_type->name, "tracefs") || 851 !strcmp(sb->s_type->name, "sysfs") || 852 !strcmp(sb->s_type->name, "pstore") || 853 !strcmp(sb->s_type->name, "cgroup") || 854 !strcmp(sb->s_type->name, "cgroup2")) 855 sbsec->flags |= SE_SBGENFS; 856 857 if (!sbsec->behavior) { 858 /* 859 * Determine the labeling behavior to use for this 860 * filesystem type. 861 */ 862 rc = security_fs_use(&selinux_state, sb); 863 if (rc) { 864 printk(KERN_WARNING 865 "%s: security_fs_use(%s) returned %d\n", 866 __func__, sb->s_type->name, rc); 867 goto out; 868 } 869 } 870 871 /* 872 * If this is a user namespace mount and the filesystem type is not 873 * explicitly whitelisted, then no contexts are allowed on the command 874 * line and security labels must be ignored. 875 */ 876 if (sb->s_user_ns != &init_user_ns && 877 strcmp(sb->s_type->name, "tmpfs") && 878 strcmp(sb->s_type->name, "ramfs") && 879 strcmp(sb->s_type->name, "devpts")) { 880 if (context_sid || fscontext_sid || rootcontext_sid || 881 defcontext_sid) { 882 rc = -EACCES; 883 goto out; 884 } 885 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 886 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 887 rc = security_transition_sid(&selinux_state, 888 current_sid(), 889 current_sid(), 890 SECCLASS_FILE, NULL, 891 &sbsec->mntpoint_sid); 892 if (rc) 893 goto out; 894 } 895 goto out_set_opts; 896 } 897 898 /* sets the context of the superblock for the fs being mounted. */ 899 if (fscontext_sid) { 900 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 901 if (rc) 902 goto out; 903 904 sbsec->sid = fscontext_sid; 905 } 906 907 /* 908 * Switch to using mount point labeling behavior. 909 * sets the label used on all file below the mountpoint, and will set 910 * the superblock context if not already set. 911 */ 912 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 913 sbsec->behavior = SECURITY_FS_USE_NATIVE; 914 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 915 } 916 917 if (context_sid) { 918 if (!fscontext_sid) { 919 rc = may_context_mount_sb_relabel(context_sid, sbsec, 920 cred); 921 if (rc) 922 goto out; 923 sbsec->sid = context_sid; 924 } else { 925 rc = may_context_mount_inode_relabel(context_sid, sbsec, 926 cred); 927 if (rc) 928 goto out; 929 } 930 if (!rootcontext_sid) 931 rootcontext_sid = context_sid; 932 933 sbsec->mntpoint_sid = context_sid; 934 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 935 } 936 937 if (rootcontext_sid) { 938 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 939 cred); 940 if (rc) 941 goto out; 942 943 root_isec->sid = rootcontext_sid; 944 root_isec->initialized = LABEL_INITIALIZED; 945 } 946 947 if (defcontext_sid) { 948 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 949 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 950 rc = -EINVAL; 951 printk(KERN_WARNING "SELinux: defcontext option is " 952 "invalid for this filesystem type\n"); 953 goto out; 954 } 955 956 if (defcontext_sid != sbsec->def_sid) { 957 rc = may_context_mount_inode_relabel(defcontext_sid, 958 sbsec, cred); 959 if (rc) 960 goto out; 961 } 962 963 sbsec->def_sid = defcontext_sid; 964 } 965 966 out_set_opts: 967 rc = sb_finish_set_opts(sb); 968 out: 969 mutex_unlock(&sbsec->lock); 970 return rc; 971 out_double_mount: 972 rc = -EINVAL; 973 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 974 "security settings for (dev %s, type %s)\n", sb->s_id, name); 975 goto out; 976 } 977 978 static int selinux_cmp_sb_context(const struct super_block *oldsb, 979 const struct super_block *newsb) 980 { 981 struct superblock_security_struct *old = oldsb->s_security; 982 struct superblock_security_struct *new = newsb->s_security; 983 char oldflags = old->flags & SE_MNTMASK; 984 char newflags = new->flags & SE_MNTMASK; 985 986 if (oldflags != newflags) 987 goto mismatch; 988 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 989 goto mismatch; 990 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 991 goto mismatch; 992 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 993 goto mismatch; 994 if (oldflags & ROOTCONTEXT_MNT) { 995 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 996 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 997 if (oldroot->sid != newroot->sid) 998 goto mismatch; 999 } 1000 return 0; 1001 mismatch: 1002 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, " 1003 "different security settings for (dev %s, " 1004 "type %s)\n", newsb->s_id, newsb->s_type->name); 1005 return -EBUSY; 1006 } 1007 1008 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 1009 struct super_block *newsb, 1010 unsigned long kern_flags, 1011 unsigned long *set_kern_flags) 1012 { 1013 int rc = 0; 1014 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 1015 struct superblock_security_struct *newsbsec = newsb->s_security; 1016 1017 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 1018 int set_context = (oldsbsec->flags & CONTEXT_MNT); 1019 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 1020 1021 /* 1022 * if the parent was able to be mounted it clearly had no special lsm 1023 * mount options. thus we can safely deal with this superblock later 1024 */ 1025 if (!selinux_state.initialized) 1026 return 0; 1027 1028 /* 1029 * Specifying internal flags without providing a place to 1030 * place the results is not allowed. 1031 */ 1032 if (kern_flags && !set_kern_flags) 1033 return -EINVAL; 1034 1035 /* how can we clone if the old one wasn't set up?? */ 1036 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 1037 1038 /* if fs is reusing a sb, make sure that the contexts match */ 1039 if (newsbsec->flags & SE_SBINITIALIZED) 1040 return selinux_cmp_sb_context(oldsb, newsb); 1041 1042 mutex_lock(&newsbsec->lock); 1043 1044 newsbsec->flags = oldsbsec->flags; 1045 1046 newsbsec->sid = oldsbsec->sid; 1047 newsbsec->def_sid = oldsbsec->def_sid; 1048 newsbsec->behavior = oldsbsec->behavior; 1049 1050 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 1051 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 1052 rc = security_fs_use(&selinux_state, newsb); 1053 if (rc) 1054 goto out; 1055 } 1056 1057 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 1058 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 1059 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 1060 } 1061 1062 if (set_context) { 1063 u32 sid = oldsbsec->mntpoint_sid; 1064 1065 if (!set_fscontext) 1066 newsbsec->sid = sid; 1067 if (!set_rootcontext) { 1068 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1069 newisec->sid = sid; 1070 } 1071 newsbsec->mntpoint_sid = sid; 1072 } 1073 if (set_rootcontext) { 1074 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 1075 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1076 1077 newisec->sid = oldisec->sid; 1078 } 1079 1080 sb_finish_set_opts(newsb); 1081 out: 1082 mutex_unlock(&newsbsec->lock); 1083 return rc; 1084 } 1085 1086 static int selinux_parse_opts_str(char *options, 1087 struct security_mnt_opts *opts) 1088 { 1089 char *p; 1090 char *context = NULL, *defcontext = NULL; 1091 char *fscontext = NULL, *rootcontext = NULL; 1092 int rc, num_mnt_opts = 0; 1093 1094 opts->num_mnt_opts = 0; 1095 1096 /* Standard string-based options. */ 1097 while ((p = strsep(&options, "|")) != NULL) { 1098 int token; 1099 substring_t args[MAX_OPT_ARGS]; 1100 1101 if (!*p) 1102 continue; 1103 1104 token = match_token(p, tokens, args); 1105 1106 switch (token) { 1107 case Opt_context: 1108 if (context || defcontext) { 1109 rc = -EINVAL; 1110 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1111 goto out_err; 1112 } 1113 context = match_strdup(&args[0]); 1114 if (!context) { 1115 rc = -ENOMEM; 1116 goto out_err; 1117 } 1118 break; 1119 1120 case Opt_fscontext: 1121 if (fscontext) { 1122 rc = -EINVAL; 1123 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1124 goto out_err; 1125 } 1126 fscontext = match_strdup(&args[0]); 1127 if (!fscontext) { 1128 rc = -ENOMEM; 1129 goto out_err; 1130 } 1131 break; 1132 1133 case Opt_rootcontext: 1134 if (rootcontext) { 1135 rc = -EINVAL; 1136 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1137 goto out_err; 1138 } 1139 rootcontext = match_strdup(&args[0]); 1140 if (!rootcontext) { 1141 rc = -ENOMEM; 1142 goto out_err; 1143 } 1144 break; 1145 1146 case Opt_defcontext: 1147 if (context || defcontext) { 1148 rc = -EINVAL; 1149 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1150 goto out_err; 1151 } 1152 defcontext = match_strdup(&args[0]); 1153 if (!defcontext) { 1154 rc = -ENOMEM; 1155 goto out_err; 1156 } 1157 break; 1158 case Opt_labelsupport: 1159 break; 1160 default: 1161 rc = -EINVAL; 1162 printk(KERN_WARNING "SELinux: unknown mount option\n"); 1163 goto out_err; 1164 1165 } 1166 } 1167 1168 rc = -ENOMEM; 1169 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL); 1170 if (!opts->mnt_opts) 1171 goto out_err; 1172 1173 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), 1174 GFP_KERNEL); 1175 if (!opts->mnt_opts_flags) 1176 goto out_err; 1177 1178 if (fscontext) { 1179 opts->mnt_opts[num_mnt_opts] = fscontext; 1180 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 1181 } 1182 if (context) { 1183 opts->mnt_opts[num_mnt_opts] = context; 1184 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 1185 } 1186 if (rootcontext) { 1187 opts->mnt_opts[num_mnt_opts] = rootcontext; 1188 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 1189 } 1190 if (defcontext) { 1191 opts->mnt_opts[num_mnt_opts] = defcontext; 1192 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 1193 } 1194 1195 opts->num_mnt_opts = num_mnt_opts; 1196 return 0; 1197 1198 out_err: 1199 security_free_mnt_opts(opts); 1200 kfree(context); 1201 kfree(defcontext); 1202 kfree(fscontext); 1203 kfree(rootcontext); 1204 return rc; 1205 } 1206 /* 1207 * string mount options parsing and call set the sbsec 1208 */ 1209 static int superblock_doinit(struct super_block *sb, void *data) 1210 { 1211 int rc = 0; 1212 char *options = data; 1213 struct security_mnt_opts opts; 1214 1215 security_init_mnt_opts(&opts); 1216 1217 if (!data) 1218 goto out; 1219 1220 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 1221 1222 rc = selinux_parse_opts_str(options, &opts); 1223 if (rc) 1224 goto out_err; 1225 1226 out: 1227 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL); 1228 1229 out_err: 1230 security_free_mnt_opts(&opts); 1231 return rc; 1232 } 1233 1234 static void selinux_write_opts(struct seq_file *m, 1235 struct security_mnt_opts *opts) 1236 { 1237 int i; 1238 char *prefix; 1239 1240 for (i = 0; i < opts->num_mnt_opts; i++) { 1241 char *has_comma; 1242 1243 if (opts->mnt_opts[i]) 1244 has_comma = strchr(opts->mnt_opts[i], ','); 1245 else 1246 has_comma = NULL; 1247 1248 switch (opts->mnt_opts_flags[i]) { 1249 case CONTEXT_MNT: 1250 prefix = CONTEXT_STR; 1251 break; 1252 case FSCONTEXT_MNT: 1253 prefix = FSCONTEXT_STR; 1254 break; 1255 case ROOTCONTEXT_MNT: 1256 prefix = ROOTCONTEXT_STR; 1257 break; 1258 case DEFCONTEXT_MNT: 1259 prefix = DEFCONTEXT_STR; 1260 break; 1261 case SBLABEL_MNT: 1262 seq_putc(m, ','); 1263 seq_puts(m, LABELSUPP_STR); 1264 continue; 1265 default: 1266 BUG(); 1267 return; 1268 }; 1269 /* we need a comma before each option */ 1270 seq_putc(m, ','); 1271 seq_puts(m, prefix); 1272 if (has_comma) 1273 seq_putc(m, '\"'); 1274 seq_escape(m, opts->mnt_opts[i], "\"\n\\"); 1275 if (has_comma) 1276 seq_putc(m, '\"'); 1277 } 1278 } 1279 1280 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1281 { 1282 struct security_mnt_opts opts; 1283 int rc; 1284 1285 rc = selinux_get_mnt_opts(sb, &opts); 1286 if (rc) { 1287 /* before policy load we may get EINVAL, don't show anything */ 1288 if (rc == -EINVAL) 1289 rc = 0; 1290 return rc; 1291 } 1292 1293 selinux_write_opts(m, &opts); 1294 1295 security_free_mnt_opts(&opts); 1296 1297 return rc; 1298 } 1299 1300 static inline u16 inode_mode_to_security_class(umode_t mode) 1301 { 1302 switch (mode & S_IFMT) { 1303 case S_IFSOCK: 1304 return SECCLASS_SOCK_FILE; 1305 case S_IFLNK: 1306 return SECCLASS_LNK_FILE; 1307 case S_IFREG: 1308 return SECCLASS_FILE; 1309 case S_IFBLK: 1310 return SECCLASS_BLK_FILE; 1311 case S_IFDIR: 1312 return SECCLASS_DIR; 1313 case S_IFCHR: 1314 return SECCLASS_CHR_FILE; 1315 case S_IFIFO: 1316 return SECCLASS_FIFO_FILE; 1317 1318 } 1319 1320 return SECCLASS_FILE; 1321 } 1322 1323 static inline int default_protocol_stream(int protocol) 1324 { 1325 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1326 } 1327 1328 static inline int default_protocol_dgram(int protocol) 1329 { 1330 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1331 } 1332 1333 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1334 { 1335 int extsockclass = selinux_policycap_extsockclass(); 1336 1337 switch (family) { 1338 case PF_UNIX: 1339 switch (type) { 1340 case SOCK_STREAM: 1341 case SOCK_SEQPACKET: 1342 return SECCLASS_UNIX_STREAM_SOCKET; 1343 case SOCK_DGRAM: 1344 case SOCK_RAW: 1345 return SECCLASS_UNIX_DGRAM_SOCKET; 1346 } 1347 break; 1348 case PF_INET: 1349 case PF_INET6: 1350 switch (type) { 1351 case SOCK_STREAM: 1352 case SOCK_SEQPACKET: 1353 if (default_protocol_stream(protocol)) 1354 return SECCLASS_TCP_SOCKET; 1355 else if (extsockclass && protocol == IPPROTO_SCTP) 1356 return SECCLASS_SCTP_SOCKET; 1357 else 1358 return SECCLASS_RAWIP_SOCKET; 1359 case SOCK_DGRAM: 1360 if (default_protocol_dgram(protocol)) 1361 return SECCLASS_UDP_SOCKET; 1362 else if (extsockclass && (protocol == IPPROTO_ICMP || 1363 protocol == IPPROTO_ICMPV6)) 1364 return SECCLASS_ICMP_SOCKET; 1365 else 1366 return SECCLASS_RAWIP_SOCKET; 1367 case SOCK_DCCP: 1368 return SECCLASS_DCCP_SOCKET; 1369 default: 1370 return SECCLASS_RAWIP_SOCKET; 1371 } 1372 break; 1373 case PF_NETLINK: 1374 switch (protocol) { 1375 case NETLINK_ROUTE: 1376 return SECCLASS_NETLINK_ROUTE_SOCKET; 1377 case NETLINK_SOCK_DIAG: 1378 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1379 case NETLINK_NFLOG: 1380 return SECCLASS_NETLINK_NFLOG_SOCKET; 1381 case NETLINK_XFRM: 1382 return SECCLASS_NETLINK_XFRM_SOCKET; 1383 case NETLINK_SELINUX: 1384 return SECCLASS_NETLINK_SELINUX_SOCKET; 1385 case NETLINK_ISCSI: 1386 return SECCLASS_NETLINK_ISCSI_SOCKET; 1387 case NETLINK_AUDIT: 1388 return SECCLASS_NETLINK_AUDIT_SOCKET; 1389 case NETLINK_FIB_LOOKUP: 1390 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1391 case NETLINK_CONNECTOR: 1392 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1393 case NETLINK_NETFILTER: 1394 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1395 case NETLINK_DNRTMSG: 1396 return SECCLASS_NETLINK_DNRT_SOCKET; 1397 case NETLINK_KOBJECT_UEVENT: 1398 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1399 case NETLINK_GENERIC: 1400 return SECCLASS_NETLINK_GENERIC_SOCKET; 1401 case NETLINK_SCSITRANSPORT: 1402 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1403 case NETLINK_RDMA: 1404 return SECCLASS_NETLINK_RDMA_SOCKET; 1405 case NETLINK_CRYPTO: 1406 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1407 default: 1408 return SECCLASS_NETLINK_SOCKET; 1409 } 1410 case PF_PACKET: 1411 return SECCLASS_PACKET_SOCKET; 1412 case PF_KEY: 1413 return SECCLASS_KEY_SOCKET; 1414 case PF_APPLETALK: 1415 return SECCLASS_APPLETALK_SOCKET; 1416 } 1417 1418 if (extsockclass) { 1419 switch (family) { 1420 case PF_AX25: 1421 return SECCLASS_AX25_SOCKET; 1422 case PF_IPX: 1423 return SECCLASS_IPX_SOCKET; 1424 case PF_NETROM: 1425 return SECCLASS_NETROM_SOCKET; 1426 case PF_ATMPVC: 1427 return SECCLASS_ATMPVC_SOCKET; 1428 case PF_X25: 1429 return SECCLASS_X25_SOCKET; 1430 case PF_ROSE: 1431 return SECCLASS_ROSE_SOCKET; 1432 case PF_DECnet: 1433 return SECCLASS_DECNET_SOCKET; 1434 case PF_ATMSVC: 1435 return SECCLASS_ATMSVC_SOCKET; 1436 case PF_RDS: 1437 return SECCLASS_RDS_SOCKET; 1438 case PF_IRDA: 1439 return SECCLASS_IRDA_SOCKET; 1440 case PF_PPPOX: 1441 return SECCLASS_PPPOX_SOCKET; 1442 case PF_LLC: 1443 return SECCLASS_LLC_SOCKET; 1444 case PF_CAN: 1445 return SECCLASS_CAN_SOCKET; 1446 case PF_TIPC: 1447 return SECCLASS_TIPC_SOCKET; 1448 case PF_BLUETOOTH: 1449 return SECCLASS_BLUETOOTH_SOCKET; 1450 case PF_IUCV: 1451 return SECCLASS_IUCV_SOCKET; 1452 case PF_RXRPC: 1453 return SECCLASS_RXRPC_SOCKET; 1454 case PF_ISDN: 1455 return SECCLASS_ISDN_SOCKET; 1456 case PF_PHONET: 1457 return SECCLASS_PHONET_SOCKET; 1458 case PF_IEEE802154: 1459 return SECCLASS_IEEE802154_SOCKET; 1460 case PF_CAIF: 1461 return SECCLASS_CAIF_SOCKET; 1462 case PF_ALG: 1463 return SECCLASS_ALG_SOCKET; 1464 case PF_NFC: 1465 return SECCLASS_NFC_SOCKET; 1466 case PF_VSOCK: 1467 return SECCLASS_VSOCK_SOCKET; 1468 case PF_KCM: 1469 return SECCLASS_KCM_SOCKET; 1470 case PF_QIPCRTR: 1471 return SECCLASS_QIPCRTR_SOCKET; 1472 case PF_SMC: 1473 return SECCLASS_SMC_SOCKET; 1474 #if PF_MAX > 44 1475 #error New address family defined, please update this function. 1476 #endif 1477 } 1478 } 1479 1480 return SECCLASS_SOCKET; 1481 } 1482 1483 static int selinux_genfs_get_sid(struct dentry *dentry, 1484 u16 tclass, 1485 u16 flags, 1486 u32 *sid) 1487 { 1488 int rc; 1489 struct super_block *sb = dentry->d_sb; 1490 char *buffer, *path; 1491 1492 buffer = (char *)__get_free_page(GFP_KERNEL); 1493 if (!buffer) 1494 return -ENOMEM; 1495 1496 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1497 if (IS_ERR(path)) 1498 rc = PTR_ERR(path); 1499 else { 1500 if (flags & SE_SBPROC) { 1501 /* each process gets a /proc/PID/ entry. Strip off the 1502 * PID part to get a valid selinux labeling. 1503 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1504 while (path[1] >= '0' && path[1] <= '9') { 1505 path[1] = '/'; 1506 path++; 1507 } 1508 } 1509 rc = security_genfs_sid(&selinux_state, sb->s_type->name, 1510 path, tclass, sid); 1511 } 1512 free_page((unsigned long)buffer); 1513 return rc; 1514 } 1515 1516 /* The inode's security attributes must be initialized before first use. */ 1517 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1518 { 1519 struct superblock_security_struct *sbsec = NULL; 1520 struct inode_security_struct *isec = inode->i_security; 1521 u32 task_sid, sid = 0; 1522 u16 sclass; 1523 struct dentry *dentry; 1524 #define INITCONTEXTLEN 255 1525 char *context = NULL; 1526 unsigned len = 0; 1527 int rc = 0; 1528 1529 if (isec->initialized == LABEL_INITIALIZED) 1530 return 0; 1531 1532 spin_lock(&isec->lock); 1533 if (isec->initialized == LABEL_INITIALIZED) 1534 goto out_unlock; 1535 1536 if (isec->sclass == SECCLASS_FILE) 1537 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1538 1539 sbsec = inode->i_sb->s_security; 1540 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1541 /* Defer initialization until selinux_complete_init, 1542 after the initial policy is loaded and the security 1543 server is ready to handle calls. */ 1544 spin_lock(&sbsec->isec_lock); 1545 if (list_empty(&isec->list)) 1546 list_add(&isec->list, &sbsec->isec_head); 1547 spin_unlock(&sbsec->isec_lock); 1548 goto out_unlock; 1549 } 1550 1551 sclass = isec->sclass; 1552 task_sid = isec->task_sid; 1553 sid = isec->sid; 1554 isec->initialized = LABEL_PENDING; 1555 spin_unlock(&isec->lock); 1556 1557 switch (sbsec->behavior) { 1558 case SECURITY_FS_USE_NATIVE: 1559 break; 1560 case SECURITY_FS_USE_XATTR: 1561 if (!(inode->i_opflags & IOP_XATTR)) { 1562 sid = sbsec->def_sid; 1563 break; 1564 } 1565 /* Need a dentry, since the xattr API requires one. 1566 Life would be simpler if we could just pass the inode. */ 1567 if (opt_dentry) { 1568 /* Called from d_instantiate or d_splice_alias. */ 1569 dentry = dget(opt_dentry); 1570 } else { 1571 /* Called from selinux_complete_init, try to find a dentry. */ 1572 dentry = d_find_alias(inode); 1573 } 1574 if (!dentry) { 1575 /* 1576 * this is can be hit on boot when a file is accessed 1577 * before the policy is loaded. When we load policy we 1578 * may find inodes that have no dentry on the 1579 * sbsec->isec_head list. No reason to complain as these 1580 * will get fixed up the next time we go through 1581 * inode_doinit with a dentry, before these inodes could 1582 * be used again by userspace. 1583 */ 1584 goto out; 1585 } 1586 1587 len = INITCONTEXTLEN; 1588 context = kmalloc(len+1, GFP_NOFS); 1589 if (!context) { 1590 rc = -ENOMEM; 1591 dput(dentry); 1592 goto out; 1593 } 1594 context[len] = '\0'; 1595 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1596 if (rc == -ERANGE) { 1597 kfree(context); 1598 1599 /* Need a larger buffer. Query for the right size. */ 1600 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1601 if (rc < 0) { 1602 dput(dentry); 1603 goto out; 1604 } 1605 len = rc; 1606 context = kmalloc(len+1, GFP_NOFS); 1607 if (!context) { 1608 rc = -ENOMEM; 1609 dput(dentry); 1610 goto out; 1611 } 1612 context[len] = '\0'; 1613 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1614 } 1615 dput(dentry); 1616 if (rc < 0) { 1617 if (rc != -ENODATA) { 1618 printk(KERN_WARNING "SELinux: %s: getxattr returned " 1619 "%d for dev=%s ino=%ld\n", __func__, 1620 -rc, inode->i_sb->s_id, inode->i_ino); 1621 kfree(context); 1622 goto out; 1623 } 1624 /* Map ENODATA to the default file SID */ 1625 sid = sbsec->def_sid; 1626 rc = 0; 1627 } else { 1628 rc = security_context_to_sid_default(&selinux_state, 1629 context, rc, &sid, 1630 sbsec->def_sid, 1631 GFP_NOFS); 1632 if (rc) { 1633 char *dev = inode->i_sb->s_id; 1634 unsigned long ino = inode->i_ino; 1635 1636 if (rc == -EINVAL) { 1637 if (printk_ratelimit()) 1638 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " 1639 "context=%s. This indicates you may need to relabel the inode or the " 1640 "filesystem in question.\n", ino, dev, context); 1641 } else { 1642 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1643 "returned %d for dev=%s ino=%ld\n", 1644 __func__, context, -rc, dev, ino); 1645 } 1646 kfree(context); 1647 /* Leave with the unlabeled SID */ 1648 rc = 0; 1649 break; 1650 } 1651 } 1652 kfree(context); 1653 break; 1654 case SECURITY_FS_USE_TASK: 1655 sid = task_sid; 1656 break; 1657 case SECURITY_FS_USE_TRANS: 1658 /* Default to the fs SID. */ 1659 sid = sbsec->sid; 1660 1661 /* Try to obtain a transition SID. */ 1662 rc = security_transition_sid(&selinux_state, task_sid, sid, 1663 sclass, NULL, &sid); 1664 if (rc) 1665 goto out; 1666 break; 1667 case SECURITY_FS_USE_MNTPOINT: 1668 sid = sbsec->mntpoint_sid; 1669 break; 1670 default: 1671 /* Default to the fs superblock SID. */ 1672 sid = sbsec->sid; 1673 1674 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { 1675 /* We must have a dentry to determine the label on 1676 * procfs inodes */ 1677 if (opt_dentry) 1678 /* Called from d_instantiate or 1679 * d_splice_alias. */ 1680 dentry = dget(opt_dentry); 1681 else 1682 /* Called from selinux_complete_init, try to 1683 * find a dentry. */ 1684 dentry = d_find_alias(inode); 1685 /* 1686 * This can be hit on boot when a file is accessed 1687 * before the policy is loaded. When we load policy we 1688 * may find inodes that have no dentry on the 1689 * sbsec->isec_head list. No reason to complain as 1690 * these will get fixed up the next time we go through 1691 * inode_doinit() with a dentry, before these inodes 1692 * could be used again by userspace. 1693 */ 1694 if (!dentry) 1695 goto out; 1696 rc = selinux_genfs_get_sid(dentry, sclass, 1697 sbsec->flags, &sid); 1698 dput(dentry); 1699 if (rc) 1700 goto out; 1701 } 1702 break; 1703 } 1704 1705 out: 1706 spin_lock(&isec->lock); 1707 if (isec->initialized == LABEL_PENDING) { 1708 if (!sid || rc) { 1709 isec->initialized = LABEL_INVALID; 1710 goto out_unlock; 1711 } 1712 1713 isec->initialized = LABEL_INITIALIZED; 1714 isec->sid = sid; 1715 } 1716 1717 out_unlock: 1718 spin_unlock(&isec->lock); 1719 return rc; 1720 } 1721 1722 /* Convert a Linux signal to an access vector. */ 1723 static inline u32 signal_to_av(int sig) 1724 { 1725 u32 perm = 0; 1726 1727 switch (sig) { 1728 case SIGCHLD: 1729 /* Commonly granted from child to parent. */ 1730 perm = PROCESS__SIGCHLD; 1731 break; 1732 case SIGKILL: 1733 /* Cannot be caught or ignored */ 1734 perm = PROCESS__SIGKILL; 1735 break; 1736 case SIGSTOP: 1737 /* Cannot be caught or ignored */ 1738 perm = PROCESS__SIGSTOP; 1739 break; 1740 default: 1741 /* All other signals. */ 1742 perm = PROCESS__SIGNAL; 1743 break; 1744 } 1745 1746 return perm; 1747 } 1748 1749 #if CAP_LAST_CAP > 63 1750 #error Fix SELinux to handle capabilities > 63. 1751 #endif 1752 1753 /* Check whether a task is allowed to use a capability. */ 1754 static int cred_has_capability(const struct cred *cred, 1755 int cap, int audit, bool initns) 1756 { 1757 struct common_audit_data ad; 1758 struct av_decision avd; 1759 u16 sclass; 1760 u32 sid = cred_sid(cred); 1761 u32 av = CAP_TO_MASK(cap); 1762 int rc; 1763 1764 ad.type = LSM_AUDIT_DATA_CAP; 1765 ad.u.cap = cap; 1766 1767 switch (CAP_TO_INDEX(cap)) { 1768 case 0: 1769 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1770 break; 1771 case 1: 1772 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1773 break; 1774 default: 1775 printk(KERN_ERR 1776 "SELinux: out of range capability %d\n", cap); 1777 BUG(); 1778 return -EINVAL; 1779 } 1780 1781 rc = avc_has_perm_noaudit(&selinux_state, 1782 sid, sid, sclass, av, 0, &avd); 1783 if (audit == SECURITY_CAP_AUDIT) { 1784 int rc2 = avc_audit(&selinux_state, 1785 sid, sid, sclass, av, &avd, rc, &ad, 0); 1786 if (rc2) 1787 return rc2; 1788 } 1789 return rc; 1790 } 1791 1792 /* Check whether a task has a particular permission to an inode. 1793 The 'adp' parameter is optional and allows other audit 1794 data to be passed (e.g. the dentry). */ 1795 static int inode_has_perm(const struct cred *cred, 1796 struct inode *inode, 1797 u32 perms, 1798 struct common_audit_data *adp) 1799 { 1800 struct inode_security_struct *isec; 1801 u32 sid; 1802 1803 validate_creds(cred); 1804 1805 if (unlikely(IS_PRIVATE(inode))) 1806 return 0; 1807 1808 sid = cred_sid(cred); 1809 isec = inode->i_security; 1810 1811 return avc_has_perm(&selinux_state, 1812 sid, isec->sid, isec->sclass, perms, adp); 1813 } 1814 1815 /* Same as inode_has_perm, but pass explicit audit data containing 1816 the dentry to help the auditing code to more easily generate the 1817 pathname if needed. */ 1818 static inline int dentry_has_perm(const struct cred *cred, 1819 struct dentry *dentry, 1820 u32 av) 1821 { 1822 struct inode *inode = d_backing_inode(dentry); 1823 struct common_audit_data ad; 1824 1825 ad.type = LSM_AUDIT_DATA_DENTRY; 1826 ad.u.dentry = dentry; 1827 __inode_security_revalidate(inode, dentry, true); 1828 return inode_has_perm(cred, inode, av, &ad); 1829 } 1830 1831 /* Same as inode_has_perm, but pass explicit audit data containing 1832 the path to help the auditing code to more easily generate the 1833 pathname if needed. */ 1834 static inline int path_has_perm(const struct cred *cred, 1835 const struct path *path, 1836 u32 av) 1837 { 1838 struct inode *inode = d_backing_inode(path->dentry); 1839 struct common_audit_data ad; 1840 1841 ad.type = LSM_AUDIT_DATA_PATH; 1842 ad.u.path = *path; 1843 __inode_security_revalidate(inode, path->dentry, true); 1844 return inode_has_perm(cred, inode, av, &ad); 1845 } 1846 1847 /* Same as path_has_perm, but uses the inode from the file struct. */ 1848 static inline int file_path_has_perm(const struct cred *cred, 1849 struct file *file, 1850 u32 av) 1851 { 1852 struct common_audit_data ad; 1853 1854 ad.type = LSM_AUDIT_DATA_FILE; 1855 ad.u.file = file; 1856 return inode_has_perm(cred, file_inode(file), av, &ad); 1857 } 1858 1859 #ifdef CONFIG_BPF_SYSCALL 1860 static int bpf_fd_pass(struct file *file, u32 sid); 1861 #endif 1862 1863 /* Check whether a task can use an open file descriptor to 1864 access an inode in a given way. Check access to the 1865 descriptor itself, and then use dentry_has_perm to 1866 check a particular permission to the file. 1867 Access to the descriptor is implicitly granted if it 1868 has the same SID as the process. If av is zero, then 1869 access to the file is not checked, e.g. for cases 1870 where only the descriptor is affected like seek. */ 1871 static int file_has_perm(const struct cred *cred, 1872 struct file *file, 1873 u32 av) 1874 { 1875 struct file_security_struct *fsec = file->f_security; 1876 struct inode *inode = file_inode(file); 1877 struct common_audit_data ad; 1878 u32 sid = cred_sid(cred); 1879 int rc; 1880 1881 ad.type = LSM_AUDIT_DATA_FILE; 1882 ad.u.file = file; 1883 1884 if (sid != fsec->sid) { 1885 rc = avc_has_perm(&selinux_state, 1886 sid, fsec->sid, 1887 SECCLASS_FD, 1888 FD__USE, 1889 &ad); 1890 if (rc) 1891 goto out; 1892 } 1893 1894 #ifdef CONFIG_BPF_SYSCALL 1895 rc = bpf_fd_pass(file, cred_sid(cred)); 1896 if (rc) 1897 return rc; 1898 #endif 1899 1900 /* av is zero if only checking access to the descriptor. */ 1901 rc = 0; 1902 if (av) 1903 rc = inode_has_perm(cred, inode, av, &ad); 1904 1905 out: 1906 return rc; 1907 } 1908 1909 /* 1910 * Determine the label for an inode that might be unioned. 1911 */ 1912 static int 1913 selinux_determine_inode_label(const struct task_security_struct *tsec, 1914 struct inode *dir, 1915 const struct qstr *name, u16 tclass, 1916 u32 *_new_isid) 1917 { 1918 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1919 1920 if ((sbsec->flags & SE_SBINITIALIZED) && 1921 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1922 *_new_isid = sbsec->mntpoint_sid; 1923 } else if ((sbsec->flags & SBLABEL_MNT) && 1924 tsec->create_sid) { 1925 *_new_isid = tsec->create_sid; 1926 } else { 1927 const struct inode_security_struct *dsec = inode_security(dir); 1928 return security_transition_sid(&selinux_state, tsec->sid, 1929 dsec->sid, tclass, 1930 name, _new_isid); 1931 } 1932 1933 return 0; 1934 } 1935 1936 /* Check whether a task can create a file. */ 1937 static int may_create(struct inode *dir, 1938 struct dentry *dentry, 1939 u16 tclass) 1940 { 1941 const struct task_security_struct *tsec = current_security(); 1942 struct inode_security_struct *dsec; 1943 struct superblock_security_struct *sbsec; 1944 u32 sid, newsid; 1945 struct common_audit_data ad; 1946 int rc; 1947 1948 dsec = inode_security(dir); 1949 sbsec = dir->i_sb->s_security; 1950 1951 sid = tsec->sid; 1952 1953 ad.type = LSM_AUDIT_DATA_DENTRY; 1954 ad.u.dentry = dentry; 1955 1956 rc = avc_has_perm(&selinux_state, 1957 sid, dsec->sid, SECCLASS_DIR, 1958 DIR__ADD_NAME | DIR__SEARCH, 1959 &ad); 1960 if (rc) 1961 return rc; 1962 1963 rc = selinux_determine_inode_label(current_security(), dir, 1964 &dentry->d_name, tclass, &newsid); 1965 if (rc) 1966 return rc; 1967 1968 rc = avc_has_perm(&selinux_state, 1969 sid, newsid, tclass, FILE__CREATE, &ad); 1970 if (rc) 1971 return rc; 1972 1973 return avc_has_perm(&selinux_state, 1974 newsid, sbsec->sid, 1975 SECCLASS_FILESYSTEM, 1976 FILESYSTEM__ASSOCIATE, &ad); 1977 } 1978 1979 #define MAY_LINK 0 1980 #define MAY_UNLINK 1 1981 #define MAY_RMDIR 2 1982 1983 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1984 static int may_link(struct inode *dir, 1985 struct dentry *dentry, 1986 int kind) 1987 1988 { 1989 struct inode_security_struct *dsec, *isec; 1990 struct common_audit_data ad; 1991 u32 sid = current_sid(); 1992 u32 av; 1993 int rc; 1994 1995 dsec = inode_security(dir); 1996 isec = backing_inode_security(dentry); 1997 1998 ad.type = LSM_AUDIT_DATA_DENTRY; 1999 ad.u.dentry = dentry; 2000 2001 av = DIR__SEARCH; 2002 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 2003 rc = avc_has_perm(&selinux_state, 2004 sid, dsec->sid, SECCLASS_DIR, av, &ad); 2005 if (rc) 2006 return rc; 2007 2008 switch (kind) { 2009 case MAY_LINK: 2010 av = FILE__LINK; 2011 break; 2012 case MAY_UNLINK: 2013 av = FILE__UNLINK; 2014 break; 2015 case MAY_RMDIR: 2016 av = DIR__RMDIR; 2017 break; 2018 default: 2019 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", 2020 __func__, kind); 2021 return 0; 2022 } 2023 2024 rc = avc_has_perm(&selinux_state, 2025 sid, isec->sid, isec->sclass, av, &ad); 2026 return rc; 2027 } 2028 2029 static inline int may_rename(struct inode *old_dir, 2030 struct dentry *old_dentry, 2031 struct inode *new_dir, 2032 struct dentry *new_dentry) 2033 { 2034 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 2035 struct common_audit_data ad; 2036 u32 sid = current_sid(); 2037 u32 av; 2038 int old_is_dir, new_is_dir; 2039 int rc; 2040 2041 old_dsec = inode_security(old_dir); 2042 old_isec = backing_inode_security(old_dentry); 2043 old_is_dir = d_is_dir(old_dentry); 2044 new_dsec = inode_security(new_dir); 2045 2046 ad.type = LSM_AUDIT_DATA_DENTRY; 2047 2048 ad.u.dentry = old_dentry; 2049 rc = avc_has_perm(&selinux_state, 2050 sid, old_dsec->sid, SECCLASS_DIR, 2051 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 2052 if (rc) 2053 return rc; 2054 rc = avc_has_perm(&selinux_state, 2055 sid, old_isec->sid, 2056 old_isec->sclass, FILE__RENAME, &ad); 2057 if (rc) 2058 return rc; 2059 if (old_is_dir && new_dir != old_dir) { 2060 rc = avc_has_perm(&selinux_state, 2061 sid, old_isec->sid, 2062 old_isec->sclass, DIR__REPARENT, &ad); 2063 if (rc) 2064 return rc; 2065 } 2066 2067 ad.u.dentry = new_dentry; 2068 av = DIR__ADD_NAME | DIR__SEARCH; 2069 if (d_is_positive(new_dentry)) 2070 av |= DIR__REMOVE_NAME; 2071 rc = avc_has_perm(&selinux_state, 2072 sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 2073 if (rc) 2074 return rc; 2075 if (d_is_positive(new_dentry)) { 2076 new_isec = backing_inode_security(new_dentry); 2077 new_is_dir = d_is_dir(new_dentry); 2078 rc = avc_has_perm(&selinux_state, 2079 sid, new_isec->sid, 2080 new_isec->sclass, 2081 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 2082 if (rc) 2083 return rc; 2084 } 2085 2086 return 0; 2087 } 2088 2089 /* Check whether a task can perform a filesystem operation. */ 2090 static int superblock_has_perm(const struct cred *cred, 2091 struct super_block *sb, 2092 u32 perms, 2093 struct common_audit_data *ad) 2094 { 2095 struct superblock_security_struct *sbsec; 2096 u32 sid = cred_sid(cred); 2097 2098 sbsec = sb->s_security; 2099 return avc_has_perm(&selinux_state, 2100 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 2101 } 2102 2103 /* Convert a Linux mode and permission mask to an access vector. */ 2104 static inline u32 file_mask_to_av(int mode, int mask) 2105 { 2106 u32 av = 0; 2107 2108 if (!S_ISDIR(mode)) { 2109 if (mask & MAY_EXEC) 2110 av |= FILE__EXECUTE; 2111 if (mask & MAY_READ) 2112 av |= FILE__READ; 2113 2114 if (mask & MAY_APPEND) 2115 av |= FILE__APPEND; 2116 else if (mask & MAY_WRITE) 2117 av |= FILE__WRITE; 2118 2119 } else { 2120 if (mask & MAY_EXEC) 2121 av |= DIR__SEARCH; 2122 if (mask & MAY_WRITE) 2123 av |= DIR__WRITE; 2124 if (mask & MAY_READ) 2125 av |= DIR__READ; 2126 } 2127 2128 return av; 2129 } 2130 2131 /* Convert a Linux file to an access vector. */ 2132 static inline u32 file_to_av(struct file *file) 2133 { 2134 u32 av = 0; 2135 2136 if (file->f_mode & FMODE_READ) 2137 av |= FILE__READ; 2138 if (file->f_mode & FMODE_WRITE) { 2139 if (file->f_flags & O_APPEND) 2140 av |= FILE__APPEND; 2141 else 2142 av |= FILE__WRITE; 2143 } 2144 if (!av) { 2145 /* 2146 * Special file opened with flags 3 for ioctl-only use. 2147 */ 2148 av = FILE__IOCTL; 2149 } 2150 2151 return av; 2152 } 2153 2154 /* 2155 * Convert a file to an access vector and include the correct open 2156 * open permission. 2157 */ 2158 static inline u32 open_file_to_av(struct file *file) 2159 { 2160 u32 av = file_to_av(file); 2161 struct inode *inode = file_inode(file); 2162 2163 if (selinux_policycap_openperm() && 2164 inode->i_sb->s_magic != SOCKFS_MAGIC) 2165 av |= FILE__OPEN; 2166 2167 return av; 2168 } 2169 2170 /* Hook functions begin here. */ 2171 2172 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2173 { 2174 u32 mysid = current_sid(); 2175 u32 mgrsid = task_sid(mgr); 2176 2177 return avc_has_perm(&selinux_state, 2178 mysid, mgrsid, SECCLASS_BINDER, 2179 BINDER__SET_CONTEXT_MGR, NULL); 2180 } 2181 2182 static int selinux_binder_transaction(struct task_struct *from, 2183 struct task_struct *to) 2184 { 2185 u32 mysid = current_sid(); 2186 u32 fromsid = task_sid(from); 2187 u32 tosid = task_sid(to); 2188 int rc; 2189 2190 if (mysid != fromsid) { 2191 rc = avc_has_perm(&selinux_state, 2192 mysid, fromsid, SECCLASS_BINDER, 2193 BINDER__IMPERSONATE, NULL); 2194 if (rc) 2195 return rc; 2196 } 2197 2198 return avc_has_perm(&selinux_state, 2199 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2200 NULL); 2201 } 2202 2203 static int selinux_binder_transfer_binder(struct task_struct *from, 2204 struct task_struct *to) 2205 { 2206 u32 fromsid = task_sid(from); 2207 u32 tosid = task_sid(to); 2208 2209 return avc_has_perm(&selinux_state, 2210 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2211 NULL); 2212 } 2213 2214 static int selinux_binder_transfer_file(struct task_struct *from, 2215 struct task_struct *to, 2216 struct file *file) 2217 { 2218 u32 sid = task_sid(to); 2219 struct file_security_struct *fsec = file->f_security; 2220 struct dentry *dentry = file->f_path.dentry; 2221 struct inode_security_struct *isec; 2222 struct common_audit_data ad; 2223 int rc; 2224 2225 ad.type = LSM_AUDIT_DATA_PATH; 2226 ad.u.path = file->f_path; 2227 2228 if (sid != fsec->sid) { 2229 rc = avc_has_perm(&selinux_state, 2230 sid, fsec->sid, 2231 SECCLASS_FD, 2232 FD__USE, 2233 &ad); 2234 if (rc) 2235 return rc; 2236 } 2237 2238 #ifdef CONFIG_BPF_SYSCALL 2239 rc = bpf_fd_pass(file, sid); 2240 if (rc) 2241 return rc; 2242 #endif 2243 2244 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2245 return 0; 2246 2247 isec = backing_inode_security(dentry); 2248 return avc_has_perm(&selinux_state, 2249 sid, isec->sid, isec->sclass, file_to_av(file), 2250 &ad); 2251 } 2252 2253 static int selinux_ptrace_access_check(struct task_struct *child, 2254 unsigned int mode) 2255 { 2256 u32 sid = current_sid(); 2257 u32 csid = task_sid(child); 2258 2259 if (mode & PTRACE_MODE_READ) 2260 return avc_has_perm(&selinux_state, 2261 sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2262 2263 return avc_has_perm(&selinux_state, 2264 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2265 } 2266 2267 static int selinux_ptrace_traceme(struct task_struct *parent) 2268 { 2269 return avc_has_perm(&selinux_state, 2270 task_sid(parent), current_sid(), SECCLASS_PROCESS, 2271 PROCESS__PTRACE, NULL); 2272 } 2273 2274 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2275 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2276 { 2277 return avc_has_perm(&selinux_state, 2278 current_sid(), task_sid(target), SECCLASS_PROCESS, 2279 PROCESS__GETCAP, NULL); 2280 } 2281 2282 static int selinux_capset(struct cred *new, const struct cred *old, 2283 const kernel_cap_t *effective, 2284 const kernel_cap_t *inheritable, 2285 const kernel_cap_t *permitted) 2286 { 2287 return avc_has_perm(&selinux_state, 2288 cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2289 PROCESS__SETCAP, NULL); 2290 } 2291 2292 /* 2293 * (This comment used to live with the selinux_task_setuid hook, 2294 * which was removed). 2295 * 2296 * Since setuid only affects the current process, and since the SELinux 2297 * controls are not based on the Linux identity attributes, SELinux does not 2298 * need to control this operation. However, SELinux does control the use of 2299 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2300 */ 2301 2302 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2303 int cap, int audit) 2304 { 2305 return cred_has_capability(cred, cap, audit, ns == &init_user_ns); 2306 } 2307 2308 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2309 { 2310 const struct cred *cred = current_cred(); 2311 int rc = 0; 2312 2313 if (!sb) 2314 return 0; 2315 2316 switch (cmds) { 2317 case Q_SYNC: 2318 case Q_QUOTAON: 2319 case Q_QUOTAOFF: 2320 case Q_SETINFO: 2321 case Q_SETQUOTA: 2322 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2323 break; 2324 case Q_GETFMT: 2325 case Q_GETINFO: 2326 case Q_GETQUOTA: 2327 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2328 break; 2329 default: 2330 rc = 0; /* let the kernel handle invalid cmds */ 2331 break; 2332 } 2333 return rc; 2334 } 2335 2336 static int selinux_quota_on(struct dentry *dentry) 2337 { 2338 const struct cred *cred = current_cred(); 2339 2340 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2341 } 2342 2343 static int selinux_syslog(int type) 2344 { 2345 switch (type) { 2346 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2347 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2348 return avc_has_perm(&selinux_state, 2349 current_sid(), SECINITSID_KERNEL, 2350 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2351 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2352 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2353 /* Set level of messages printed to console */ 2354 case SYSLOG_ACTION_CONSOLE_LEVEL: 2355 return avc_has_perm(&selinux_state, 2356 current_sid(), SECINITSID_KERNEL, 2357 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2358 NULL); 2359 } 2360 /* All other syslog types */ 2361 return avc_has_perm(&selinux_state, 2362 current_sid(), SECINITSID_KERNEL, 2363 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2364 } 2365 2366 /* 2367 * Check that a process has enough memory to allocate a new virtual 2368 * mapping. 0 means there is enough memory for the allocation to 2369 * succeed and -ENOMEM implies there is not. 2370 * 2371 * Do not audit the selinux permission check, as this is applied to all 2372 * processes that allocate mappings. 2373 */ 2374 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2375 { 2376 int rc, cap_sys_admin = 0; 2377 2378 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2379 SECURITY_CAP_NOAUDIT, true); 2380 if (rc == 0) 2381 cap_sys_admin = 1; 2382 2383 return cap_sys_admin; 2384 } 2385 2386 /* binprm security operations */ 2387 2388 static u32 ptrace_parent_sid(void) 2389 { 2390 u32 sid = 0; 2391 struct task_struct *tracer; 2392 2393 rcu_read_lock(); 2394 tracer = ptrace_parent(current); 2395 if (tracer) 2396 sid = task_sid(tracer); 2397 rcu_read_unlock(); 2398 2399 return sid; 2400 } 2401 2402 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2403 const struct task_security_struct *old_tsec, 2404 const struct task_security_struct *new_tsec) 2405 { 2406 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2407 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2408 int rc; 2409 u32 av; 2410 2411 if (!nnp && !nosuid) 2412 return 0; /* neither NNP nor nosuid */ 2413 2414 if (new_tsec->sid == old_tsec->sid) 2415 return 0; /* No change in credentials */ 2416 2417 /* 2418 * If the policy enables the nnp_nosuid_transition policy capability, 2419 * then we permit transitions under NNP or nosuid if the 2420 * policy allows the corresponding permission between 2421 * the old and new contexts. 2422 */ 2423 if (selinux_policycap_nnp_nosuid_transition()) { 2424 av = 0; 2425 if (nnp) 2426 av |= PROCESS2__NNP_TRANSITION; 2427 if (nosuid) 2428 av |= PROCESS2__NOSUID_TRANSITION; 2429 rc = avc_has_perm(&selinux_state, 2430 old_tsec->sid, new_tsec->sid, 2431 SECCLASS_PROCESS2, av, NULL); 2432 if (!rc) 2433 return 0; 2434 } 2435 2436 /* 2437 * We also permit NNP or nosuid transitions to bounded SIDs, 2438 * i.e. SIDs that are guaranteed to only be allowed a subset 2439 * of the permissions of the current SID. 2440 */ 2441 rc = security_bounded_transition(&selinux_state, old_tsec->sid, 2442 new_tsec->sid); 2443 if (!rc) 2444 return 0; 2445 2446 /* 2447 * On failure, preserve the errno values for NNP vs nosuid. 2448 * NNP: Operation not permitted for caller. 2449 * nosuid: Permission denied to file. 2450 */ 2451 if (nnp) 2452 return -EPERM; 2453 return -EACCES; 2454 } 2455 2456 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2457 { 2458 const struct task_security_struct *old_tsec; 2459 struct task_security_struct *new_tsec; 2460 struct inode_security_struct *isec; 2461 struct common_audit_data ad; 2462 struct inode *inode = file_inode(bprm->file); 2463 int rc; 2464 2465 /* SELinux context only depends on initial program or script and not 2466 * the script interpreter */ 2467 if (bprm->called_set_creds) 2468 return 0; 2469 2470 old_tsec = current_security(); 2471 new_tsec = bprm->cred->security; 2472 isec = inode_security(inode); 2473 2474 /* Default to the current task SID. */ 2475 new_tsec->sid = old_tsec->sid; 2476 new_tsec->osid = old_tsec->sid; 2477 2478 /* Reset fs, key, and sock SIDs on execve. */ 2479 new_tsec->create_sid = 0; 2480 new_tsec->keycreate_sid = 0; 2481 new_tsec->sockcreate_sid = 0; 2482 2483 if (old_tsec->exec_sid) { 2484 new_tsec->sid = old_tsec->exec_sid; 2485 /* Reset exec SID on execve. */ 2486 new_tsec->exec_sid = 0; 2487 2488 /* Fail on NNP or nosuid if not an allowed transition. */ 2489 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2490 if (rc) 2491 return rc; 2492 } else { 2493 /* Check for a default transition on this program. */ 2494 rc = security_transition_sid(&selinux_state, old_tsec->sid, 2495 isec->sid, SECCLASS_PROCESS, NULL, 2496 &new_tsec->sid); 2497 if (rc) 2498 return rc; 2499 2500 /* 2501 * Fallback to old SID on NNP or nosuid if not an allowed 2502 * transition. 2503 */ 2504 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2505 if (rc) 2506 new_tsec->sid = old_tsec->sid; 2507 } 2508 2509 ad.type = LSM_AUDIT_DATA_FILE; 2510 ad.u.file = bprm->file; 2511 2512 if (new_tsec->sid == old_tsec->sid) { 2513 rc = avc_has_perm(&selinux_state, 2514 old_tsec->sid, isec->sid, 2515 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2516 if (rc) 2517 return rc; 2518 } else { 2519 /* Check permissions for the transition. */ 2520 rc = avc_has_perm(&selinux_state, 2521 old_tsec->sid, new_tsec->sid, 2522 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2523 if (rc) 2524 return rc; 2525 2526 rc = avc_has_perm(&selinux_state, 2527 new_tsec->sid, isec->sid, 2528 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2529 if (rc) 2530 return rc; 2531 2532 /* Check for shared state */ 2533 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2534 rc = avc_has_perm(&selinux_state, 2535 old_tsec->sid, new_tsec->sid, 2536 SECCLASS_PROCESS, PROCESS__SHARE, 2537 NULL); 2538 if (rc) 2539 return -EPERM; 2540 } 2541 2542 /* Make sure that anyone attempting to ptrace over a task that 2543 * changes its SID has the appropriate permit */ 2544 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2545 u32 ptsid = ptrace_parent_sid(); 2546 if (ptsid != 0) { 2547 rc = avc_has_perm(&selinux_state, 2548 ptsid, new_tsec->sid, 2549 SECCLASS_PROCESS, 2550 PROCESS__PTRACE, NULL); 2551 if (rc) 2552 return -EPERM; 2553 } 2554 } 2555 2556 /* Clear any possibly unsafe personality bits on exec: */ 2557 bprm->per_clear |= PER_CLEAR_ON_SETID; 2558 2559 /* Enable secure mode for SIDs transitions unless 2560 the noatsecure permission is granted between 2561 the two SIDs, i.e. ahp returns 0. */ 2562 rc = avc_has_perm(&selinux_state, 2563 old_tsec->sid, new_tsec->sid, 2564 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2565 NULL); 2566 bprm->secureexec |= !!rc; 2567 } 2568 2569 return 0; 2570 } 2571 2572 static int match_file(const void *p, struct file *file, unsigned fd) 2573 { 2574 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2575 } 2576 2577 /* Derived from fs/exec.c:flush_old_files. */ 2578 static inline void flush_unauthorized_files(const struct cred *cred, 2579 struct files_struct *files) 2580 { 2581 struct file *file, *devnull = NULL; 2582 struct tty_struct *tty; 2583 int drop_tty = 0; 2584 unsigned n; 2585 2586 tty = get_current_tty(); 2587 if (tty) { 2588 spin_lock(&tty->files_lock); 2589 if (!list_empty(&tty->tty_files)) { 2590 struct tty_file_private *file_priv; 2591 2592 /* Revalidate access to controlling tty. 2593 Use file_path_has_perm on the tty path directly 2594 rather than using file_has_perm, as this particular 2595 open file may belong to another process and we are 2596 only interested in the inode-based check here. */ 2597 file_priv = list_first_entry(&tty->tty_files, 2598 struct tty_file_private, list); 2599 file = file_priv->file; 2600 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2601 drop_tty = 1; 2602 } 2603 spin_unlock(&tty->files_lock); 2604 tty_kref_put(tty); 2605 } 2606 /* Reset controlling tty. */ 2607 if (drop_tty) 2608 no_tty(); 2609 2610 /* Revalidate access to inherited open files. */ 2611 n = iterate_fd(files, 0, match_file, cred); 2612 if (!n) /* none found? */ 2613 return; 2614 2615 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2616 if (IS_ERR(devnull)) 2617 devnull = NULL; 2618 /* replace all the matching ones with this */ 2619 do { 2620 replace_fd(n - 1, devnull, 0); 2621 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2622 if (devnull) 2623 fput(devnull); 2624 } 2625 2626 /* 2627 * Prepare a process for imminent new credential changes due to exec 2628 */ 2629 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2630 { 2631 struct task_security_struct *new_tsec; 2632 struct rlimit *rlim, *initrlim; 2633 int rc, i; 2634 2635 new_tsec = bprm->cred->security; 2636 if (new_tsec->sid == new_tsec->osid) 2637 return; 2638 2639 /* Close files for which the new task SID is not authorized. */ 2640 flush_unauthorized_files(bprm->cred, current->files); 2641 2642 /* Always clear parent death signal on SID transitions. */ 2643 current->pdeath_signal = 0; 2644 2645 /* Check whether the new SID can inherit resource limits from the old 2646 * SID. If not, reset all soft limits to the lower of the current 2647 * task's hard limit and the init task's soft limit. 2648 * 2649 * Note that the setting of hard limits (even to lower them) can be 2650 * controlled by the setrlimit check. The inclusion of the init task's 2651 * soft limit into the computation is to avoid resetting soft limits 2652 * higher than the default soft limit for cases where the default is 2653 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2654 */ 2655 rc = avc_has_perm(&selinux_state, 2656 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2657 PROCESS__RLIMITINH, NULL); 2658 if (rc) { 2659 /* protect against do_prlimit() */ 2660 task_lock(current); 2661 for (i = 0; i < RLIM_NLIMITS; i++) { 2662 rlim = current->signal->rlim + i; 2663 initrlim = init_task.signal->rlim + i; 2664 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2665 } 2666 task_unlock(current); 2667 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2668 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2669 } 2670 } 2671 2672 /* 2673 * Clean up the process immediately after the installation of new credentials 2674 * due to exec 2675 */ 2676 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2677 { 2678 const struct task_security_struct *tsec = current_security(); 2679 struct itimerval itimer; 2680 u32 osid, sid; 2681 int rc, i; 2682 2683 osid = tsec->osid; 2684 sid = tsec->sid; 2685 2686 if (sid == osid) 2687 return; 2688 2689 /* Check whether the new SID can inherit signal state from the old SID. 2690 * If not, clear itimers to avoid subsequent signal generation and 2691 * flush and unblock signals. 2692 * 2693 * This must occur _after_ the task SID has been updated so that any 2694 * kill done after the flush will be checked against the new SID. 2695 */ 2696 rc = avc_has_perm(&selinux_state, 2697 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2698 if (rc) { 2699 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2700 memset(&itimer, 0, sizeof itimer); 2701 for (i = 0; i < 3; i++) 2702 do_setitimer(i, &itimer, NULL); 2703 } 2704 spin_lock_irq(¤t->sighand->siglock); 2705 if (!fatal_signal_pending(current)) { 2706 flush_sigqueue(¤t->pending); 2707 flush_sigqueue(¤t->signal->shared_pending); 2708 flush_signal_handlers(current, 1); 2709 sigemptyset(¤t->blocked); 2710 recalc_sigpending(); 2711 } 2712 spin_unlock_irq(¤t->sighand->siglock); 2713 } 2714 2715 /* Wake up the parent if it is waiting so that it can recheck 2716 * wait permission to the new task SID. */ 2717 read_lock(&tasklist_lock); 2718 __wake_up_parent(current, current->real_parent); 2719 read_unlock(&tasklist_lock); 2720 } 2721 2722 /* superblock security operations */ 2723 2724 static int selinux_sb_alloc_security(struct super_block *sb) 2725 { 2726 return superblock_alloc_security(sb); 2727 } 2728 2729 static void selinux_sb_free_security(struct super_block *sb) 2730 { 2731 superblock_free_security(sb); 2732 } 2733 2734 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2735 { 2736 if (plen > olen) 2737 return 0; 2738 2739 return !memcmp(prefix, option, plen); 2740 } 2741 2742 static inline int selinux_option(char *option, int len) 2743 { 2744 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2745 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2746 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2747 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || 2748 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); 2749 } 2750 2751 static inline void take_option(char **to, char *from, int *first, int len) 2752 { 2753 if (!*first) { 2754 **to = ','; 2755 *to += 1; 2756 } else 2757 *first = 0; 2758 memcpy(*to, from, len); 2759 *to += len; 2760 } 2761 2762 static inline void take_selinux_option(char **to, char *from, int *first, 2763 int len) 2764 { 2765 int current_size = 0; 2766 2767 if (!*first) { 2768 **to = '|'; 2769 *to += 1; 2770 } else 2771 *first = 0; 2772 2773 while (current_size < len) { 2774 if (*from != '"') { 2775 **to = *from; 2776 *to += 1; 2777 } 2778 from += 1; 2779 current_size += 1; 2780 } 2781 } 2782 2783 static int selinux_sb_copy_data(char *orig, char *copy) 2784 { 2785 int fnosec, fsec, rc = 0; 2786 char *in_save, *in_curr, *in_end; 2787 char *sec_curr, *nosec_save, *nosec; 2788 int open_quote = 0; 2789 2790 in_curr = orig; 2791 sec_curr = copy; 2792 2793 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2794 if (!nosec) { 2795 rc = -ENOMEM; 2796 goto out; 2797 } 2798 2799 nosec_save = nosec; 2800 fnosec = fsec = 1; 2801 in_save = in_end = orig; 2802 2803 do { 2804 if (*in_end == '"') 2805 open_quote = !open_quote; 2806 if ((*in_end == ',' && open_quote == 0) || 2807 *in_end == '\0') { 2808 int len = in_end - in_curr; 2809 2810 if (selinux_option(in_curr, len)) 2811 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2812 else 2813 take_option(&nosec, in_curr, &fnosec, len); 2814 2815 in_curr = in_end + 1; 2816 } 2817 } while (*in_end++); 2818 2819 strcpy(in_save, nosec_save); 2820 free_page((unsigned long)nosec_save); 2821 out: 2822 return rc; 2823 } 2824 2825 static int selinux_sb_remount(struct super_block *sb, void *data) 2826 { 2827 int rc, i, *flags; 2828 struct security_mnt_opts opts; 2829 char *secdata, **mount_options; 2830 struct superblock_security_struct *sbsec = sb->s_security; 2831 2832 if (!(sbsec->flags & SE_SBINITIALIZED)) 2833 return 0; 2834 2835 if (!data) 2836 return 0; 2837 2838 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 2839 return 0; 2840 2841 security_init_mnt_opts(&opts); 2842 secdata = alloc_secdata(); 2843 if (!secdata) 2844 return -ENOMEM; 2845 rc = selinux_sb_copy_data(data, secdata); 2846 if (rc) 2847 goto out_free_secdata; 2848 2849 rc = selinux_parse_opts_str(secdata, &opts); 2850 if (rc) 2851 goto out_free_secdata; 2852 2853 mount_options = opts.mnt_opts; 2854 flags = opts.mnt_opts_flags; 2855 2856 for (i = 0; i < opts.num_mnt_opts; i++) { 2857 u32 sid; 2858 2859 if (flags[i] == SBLABEL_MNT) 2860 continue; 2861 rc = security_context_str_to_sid(&selinux_state, 2862 mount_options[i], &sid, 2863 GFP_KERNEL); 2864 if (rc) { 2865 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 2866 "(%s) failed for (dev %s, type %s) errno=%d\n", 2867 mount_options[i], sb->s_id, sb->s_type->name, rc); 2868 goto out_free_opts; 2869 } 2870 rc = -EINVAL; 2871 switch (flags[i]) { 2872 case FSCONTEXT_MNT: 2873 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2874 goto out_bad_option; 2875 break; 2876 case CONTEXT_MNT: 2877 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2878 goto out_bad_option; 2879 break; 2880 case ROOTCONTEXT_MNT: { 2881 struct inode_security_struct *root_isec; 2882 root_isec = backing_inode_security(sb->s_root); 2883 2884 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2885 goto out_bad_option; 2886 break; 2887 } 2888 case DEFCONTEXT_MNT: 2889 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2890 goto out_bad_option; 2891 break; 2892 default: 2893 goto out_free_opts; 2894 } 2895 } 2896 2897 rc = 0; 2898 out_free_opts: 2899 security_free_mnt_opts(&opts); 2900 out_free_secdata: 2901 free_secdata(secdata); 2902 return rc; 2903 out_bad_option: 2904 printk(KERN_WARNING "SELinux: unable to change security options " 2905 "during remount (dev %s, type=%s)\n", sb->s_id, 2906 sb->s_type->name); 2907 goto out_free_opts; 2908 } 2909 2910 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2911 { 2912 const struct cred *cred = current_cred(); 2913 struct common_audit_data ad; 2914 int rc; 2915 2916 rc = superblock_doinit(sb, data); 2917 if (rc) 2918 return rc; 2919 2920 /* Allow all mounts performed by the kernel */ 2921 if (flags & MS_KERNMOUNT) 2922 return 0; 2923 2924 ad.type = LSM_AUDIT_DATA_DENTRY; 2925 ad.u.dentry = sb->s_root; 2926 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2927 } 2928 2929 static int selinux_sb_statfs(struct dentry *dentry) 2930 { 2931 const struct cred *cred = current_cred(); 2932 struct common_audit_data ad; 2933 2934 ad.type = LSM_AUDIT_DATA_DENTRY; 2935 ad.u.dentry = dentry->d_sb->s_root; 2936 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2937 } 2938 2939 static int selinux_mount(const char *dev_name, 2940 const struct path *path, 2941 const char *type, 2942 unsigned long flags, 2943 void *data) 2944 { 2945 const struct cred *cred = current_cred(); 2946 2947 if (flags & MS_REMOUNT) 2948 return superblock_has_perm(cred, path->dentry->d_sb, 2949 FILESYSTEM__REMOUNT, NULL); 2950 else 2951 return path_has_perm(cred, path, FILE__MOUNTON); 2952 } 2953 2954 static int selinux_umount(struct vfsmount *mnt, int flags) 2955 { 2956 const struct cred *cred = current_cred(); 2957 2958 return superblock_has_perm(cred, mnt->mnt_sb, 2959 FILESYSTEM__UNMOUNT, NULL); 2960 } 2961 2962 /* inode security operations */ 2963 2964 static int selinux_inode_alloc_security(struct inode *inode) 2965 { 2966 return inode_alloc_security(inode); 2967 } 2968 2969 static void selinux_inode_free_security(struct inode *inode) 2970 { 2971 inode_free_security(inode); 2972 } 2973 2974 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2975 const struct qstr *name, void **ctx, 2976 u32 *ctxlen) 2977 { 2978 u32 newsid; 2979 int rc; 2980 2981 rc = selinux_determine_inode_label(current_security(), 2982 d_inode(dentry->d_parent), name, 2983 inode_mode_to_security_class(mode), 2984 &newsid); 2985 if (rc) 2986 return rc; 2987 2988 return security_sid_to_context(&selinux_state, newsid, (char **)ctx, 2989 ctxlen); 2990 } 2991 2992 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2993 struct qstr *name, 2994 const struct cred *old, 2995 struct cred *new) 2996 { 2997 u32 newsid; 2998 int rc; 2999 struct task_security_struct *tsec; 3000 3001 rc = selinux_determine_inode_label(old->security, 3002 d_inode(dentry->d_parent), name, 3003 inode_mode_to_security_class(mode), 3004 &newsid); 3005 if (rc) 3006 return rc; 3007 3008 tsec = new->security; 3009 tsec->create_sid = newsid; 3010 return 0; 3011 } 3012 3013 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 3014 const struct qstr *qstr, 3015 const char **name, 3016 void **value, size_t *len) 3017 { 3018 const struct task_security_struct *tsec = current_security(); 3019 struct superblock_security_struct *sbsec; 3020 u32 newsid, clen; 3021 int rc; 3022 char *context; 3023 3024 sbsec = dir->i_sb->s_security; 3025 3026 newsid = tsec->create_sid; 3027 3028 rc = selinux_determine_inode_label(current_security(), 3029 dir, qstr, 3030 inode_mode_to_security_class(inode->i_mode), 3031 &newsid); 3032 if (rc) 3033 return rc; 3034 3035 /* Possibly defer initialization to selinux_complete_init. */ 3036 if (sbsec->flags & SE_SBINITIALIZED) { 3037 struct inode_security_struct *isec = inode->i_security; 3038 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3039 isec->sid = newsid; 3040 isec->initialized = LABEL_INITIALIZED; 3041 } 3042 3043 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT)) 3044 return -EOPNOTSUPP; 3045 3046 if (name) 3047 *name = XATTR_SELINUX_SUFFIX; 3048 3049 if (value && len) { 3050 rc = security_sid_to_context_force(&selinux_state, newsid, 3051 &context, &clen); 3052 if (rc) 3053 return rc; 3054 *value = context; 3055 *len = clen; 3056 } 3057 3058 return 0; 3059 } 3060 3061 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 3062 { 3063 return may_create(dir, dentry, SECCLASS_FILE); 3064 } 3065 3066 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 3067 { 3068 return may_link(dir, old_dentry, MAY_LINK); 3069 } 3070 3071 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 3072 { 3073 return may_link(dir, dentry, MAY_UNLINK); 3074 } 3075 3076 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 3077 { 3078 return may_create(dir, dentry, SECCLASS_LNK_FILE); 3079 } 3080 3081 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 3082 { 3083 return may_create(dir, dentry, SECCLASS_DIR); 3084 } 3085 3086 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 3087 { 3088 return may_link(dir, dentry, MAY_RMDIR); 3089 } 3090 3091 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 3092 { 3093 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 3094 } 3095 3096 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3097 struct inode *new_inode, struct dentry *new_dentry) 3098 { 3099 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3100 } 3101 3102 static int selinux_inode_readlink(struct dentry *dentry) 3103 { 3104 const struct cred *cred = current_cred(); 3105 3106 return dentry_has_perm(cred, dentry, FILE__READ); 3107 } 3108 3109 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3110 bool rcu) 3111 { 3112 const struct cred *cred = current_cred(); 3113 struct common_audit_data ad; 3114 struct inode_security_struct *isec; 3115 u32 sid; 3116 3117 validate_creds(cred); 3118 3119 ad.type = LSM_AUDIT_DATA_DENTRY; 3120 ad.u.dentry = dentry; 3121 sid = cred_sid(cred); 3122 isec = inode_security_rcu(inode, rcu); 3123 if (IS_ERR(isec)) 3124 return PTR_ERR(isec); 3125 3126 return avc_has_perm_flags(&selinux_state, 3127 sid, isec->sid, isec->sclass, FILE__READ, &ad, 3128 rcu ? MAY_NOT_BLOCK : 0); 3129 } 3130 3131 static noinline int audit_inode_permission(struct inode *inode, 3132 u32 perms, u32 audited, u32 denied, 3133 int result, 3134 unsigned flags) 3135 { 3136 struct common_audit_data ad; 3137 struct inode_security_struct *isec = inode->i_security; 3138 int rc; 3139 3140 ad.type = LSM_AUDIT_DATA_INODE; 3141 ad.u.inode = inode; 3142 3143 rc = slow_avc_audit(&selinux_state, 3144 current_sid(), isec->sid, isec->sclass, perms, 3145 audited, denied, result, &ad, flags); 3146 if (rc) 3147 return rc; 3148 return 0; 3149 } 3150 3151 static int selinux_inode_permission(struct inode *inode, int mask) 3152 { 3153 const struct cred *cred = current_cred(); 3154 u32 perms; 3155 bool from_access; 3156 unsigned flags = mask & MAY_NOT_BLOCK; 3157 struct inode_security_struct *isec; 3158 u32 sid; 3159 struct av_decision avd; 3160 int rc, rc2; 3161 u32 audited, denied; 3162 3163 from_access = mask & MAY_ACCESS; 3164 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3165 3166 /* No permission to check. Existence test. */ 3167 if (!mask) 3168 return 0; 3169 3170 validate_creds(cred); 3171 3172 if (unlikely(IS_PRIVATE(inode))) 3173 return 0; 3174 3175 perms = file_mask_to_av(inode->i_mode, mask); 3176 3177 sid = cred_sid(cred); 3178 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK); 3179 if (IS_ERR(isec)) 3180 return PTR_ERR(isec); 3181 3182 rc = avc_has_perm_noaudit(&selinux_state, 3183 sid, isec->sid, isec->sclass, perms, 0, &avd); 3184 audited = avc_audit_required(perms, &avd, rc, 3185 from_access ? FILE__AUDIT_ACCESS : 0, 3186 &denied); 3187 if (likely(!audited)) 3188 return rc; 3189 3190 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); 3191 if (rc2) 3192 return rc2; 3193 return rc; 3194 } 3195 3196 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3197 { 3198 const struct cred *cred = current_cred(); 3199 struct inode *inode = d_backing_inode(dentry); 3200 unsigned int ia_valid = iattr->ia_valid; 3201 __u32 av = FILE__WRITE; 3202 3203 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3204 if (ia_valid & ATTR_FORCE) { 3205 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3206 ATTR_FORCE); 3207 if (!ia_valid) 3208 return 0; 3209 } 3210 3211 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3212 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3213 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3214 3215 if (selinux_policycap_openperm() && 3216 inode->i_sb->s_magic != SOCKFS_MAGIC && 3217 (ia_valid & ATTR_SIZE) && 3218 !(ia_valid & ATTR_FILE)) 3219 av |= FILE__OPEN; 3220 3221 return dentry_has_perm(cred, dentry, av); 3222 } 3223 3224 static int selinux_inode_getattr(const struct path *path) 3225 { 3226 return path_has_perm(current_cred(), path, FILE__GETATTR); 3227 } 3228 3229 static bool has_cap_mac_admin(bool audit) 3230 { 3231 const struct cred *cred = current_cred(); 3232 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT; 3233 3234 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit)) 3235 return false; 3236 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true)) 3237 return false; 3238 return true; 3239 } 3240 3241 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3242 const void *value, size_t size, int flags) 3243 { 3244 struct inode *inode = d_backing_inode(dentry); 3245 struct inode_security_struct *isec; 3246 struct superblock_security_struct *sbsec; 3247 struct common_audit_data ad; 3248 u32 newsid, sid = current_sid(); 3249 int rc = 0; 3250 3251 if (strcmp(name, XATTR_NAME_SELINUX)) { 3252 rc = cap_inode_setxattr(dentry, name, value, size, flags); 3253 if (rc) 3254 return rc; 3255 3256 /* Not an attribute we recognize, so just check the 3257 ordinary setattr permission. */ 3258 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3259 } 3260 3261 sbsec = inode->i_sb->s_security; 3262 if (!(sbsec->flags & SBLABEL_MNT)) 3263 return -EOPNOTSUPP; 3264 3265 if (!inode_owner_or_capable(inode)) 3266 return -EPERM; 3267 3268 ad.type = LSM_AUDIT_DATA_DENTRY; 3269 ad.u.dentry = dentry; 3270 3271 isec = backing_inode_security(dentry); 3272 rc = avc_has_perm(&selinux_state, 3273 sid, isec->sid, isec->sclass, 3274 FILE__RELABELFROM, &ad); 3275 if (rc) 3276 return rc; 3277 3278 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3279 GFP_KERNEL); 3280 if (rc == -EINVAL) { 3281 if (!has_cap_mac_admin(true)) { 3282 struct audit_buffer *ab; 3283 size_t audit_size; 3284 3285 /* We strip a nul only if it is at the end, otherwise the 3286 * context contains a nul and we should audit that */ 3287 if (value) { 3288 const char *str = value; 3289 3290 if (str[size - 1] == '\0') 3291 audit_size = size - 1; 3292 else 3293 audit_size = size; 3294 } else { 3295 audit_size = 0; 3296 } 3297 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 3298 audit_log_format(ab, "op=setxattr invalid_context="); 3299 audit_log_n_untrustedstring(ab, value, audit_size); 3300 audit_log_end(ab); 3301 3302 return rc; 3303 } 3304 rc = security_context_to_sid_force(&selinux_state, value, 3305 size, &newsid); 3306 } 3307 if (rc) 3308 return rc; 3309 3310 rc = avc_has_perm(&selinux_state, 3311 sid, newsid, isec->sclass, 3312 FILE__RELABELTO, &ad); 3313 if (rc) 3314 return rc; 3315 3316 rc = security_validate_transition(&selinux_state, isec->sid, newsid, 3317 sid, isec->sclass); 3318 if (rc) 3319 return rc; 3320 3321 return avc_has_perm(&selinux_state, 3322 newsid, 3323 sbsec->sid, 3324 SECCLASS_FILESYSTEM, 3325 FILESYSTEM__ASSOCIATE, 3326 &ad); 3327 } 3328 3329 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3330 const void *value, size_t size, 3331 int flags) 3332 { 3333 struct inode *inode = d_backing_inode(dentry); 3334 struct inode_security_struct *isec; 3335 u32 newsid; 3336 int rc; 3337 3338 if (strcmp(name, XATTR_NAME_SELINUX)) { 3339 /* Not an attribute we recognize, so nothing to do. */ 3340 return; 3341 } 3342 3343 rc = security_context_to_sid_force(&selinux_state, value, size, 3344 &newsid); 3345 if (rc) { 3346 printk(KERN_ERR "SELinux: unable to map context to SID" 3347 "for (%s, %lu), rc=%d\n", 3348 inode->i_sb->s_id, inode->i_ino, -rc); 3349 return; 3350 } 3351 3352 isec = backing_inode_security(dentry); 3353 spin_lock(&isec->lock); 3354 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3355 isec->sid = newsid; 3356 isec->initialized = LABEL_INITIALIZED; 3357 spin_unlock(&isec->lock); 3358 3359 return; 3360 } 3361 3362 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3363 { 3364 const struct cred *cred = current_cred(); 3365 3366 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3367 } 3368 3369 static int selinux_inode_listxattr(struct dentry *dentry) 3370 { 3371 const struct cred *cred = current_cred(); 3372 3373 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3374 } 3375 3376 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3377 { 3378 if (strcmp(name, XATTR_NAME_SELINUX)) { 3379 int rc = cap_inode_removexattr(dentry, name); 3380 if (rc) 3381 return rc; 3382 3383 /* Not an attribute we recognize, so just check the 3384 ordinary setattr permission. */ 3385 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3386 } 3387 3388 /* No one is allowed to remove a SELinux security label. 3389 You can change the label, but all data must be labeled. */ 3390 return -EACCES; 3391 } 3392 3393 /* 3394 * Copy the inode security context value to the user. 3395 * 3396 * Permission check is handled by selinux_inode_getxattr hook. 3397 */ 3398 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3399 { 3400 u32 size; 3401 int error; 3402 char *context = NULL; 3403 struct inode_security_struct *isec; 3404 3405 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3406 return -EOPNOTSUPP; 3407 3408 /* 3409 * If the caller has CAP_MAC_ADMIN, then get the raw context 3410 * value even if it is not defined by current policy; otherwise, 3411 * use the in-core value under current policy. 3412 * Use the non-auditing forms of the permission checks since 3413 * getxattr may be called by unprivileged processes commonly 3414 * and lack of permission just means that we fall back to the 3415 * in-core context value, not a denial. 3416 */ 3417 isec = inode_security(inode); 3418 if (has_cap_mac_admin(false)) 3419 error = security_sid_to_context_force(&selinux_state, 3420 isec->sid, &context, 3421 &size); 3422 else 3423 error = security_sid_to_context(&selinux_state, isec->sid, 3424 &context, &size); 3425 if (error) 3426 return error; 3427 error = size; 3428 if (alloc) { 3429 *buffer = context; 3430 goto out_nofree; 3431 } 3432 kfree(context); 3433 out_nofree: 3434 return error; 3435 } 3436 3437 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3438 const void *value, size_t size, int flags) 3439 { 3440 struct inode_security_struct *isec = inode_security_novalidate(inode); 3441 u32 newsid; 3442 int rc; 3443 3444 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3445 return -EOPNOTSUPP; 3446 3447 if (!value || !size) 3448 return -EACCES; 3449 3450 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3451 GFP_KERNEL); 3452 if (rc) 3453 return rc; 3454 3455 spin_lock(&isec->lock); 3456 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3457 isec->sid = newsid; 3458 isec->initialized = LABEL_INITIALIZED; 3459 spin_unlock(&isec->lock); 3460 return 0; 3461 } 3462 3463 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3464 { 3465 const int len = sizeof(XATTR_NAME_SELINUX); 3466 if (buffer && len <= buffer_size) 3467 memcpy(buffer, XATTR_NAME_SELINUX, len); 3468 return len; 3469 } 3470 3471 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3472 { 3473 struct inode_security_struct *isec = inode_security_novalidate(inode); 3474 *secid = isec->sid; 3475 } 3476 3477 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3478 { 3479 u32 sid; 3480 struct task_security_struct *tsec; 3481 struct cred *new_creds = *new; 3482 3483 if (new_creds == NULL) { 3484 new_creds = prepare_creds(); 3485 if (!new_creds) 3486 return -ENOMEM; 3487 } 3488 3489 tsec = new_creds->security; 3490 /* Get label from overlay inode and set it in create_sid */ 3491 selinux_inode_getsecid(d_inode(src), &sid); 3492 tsec->create_sid = sid; 3493 *new = new_creds; 3494 return 0; 3495 } 3496 3497 static int selinux_inode_copy_up_xattr(const char *name) 3498 { 3499 /* The copy_up hook above sets the initial context on an inode, but we 3500 * don't then want to overwrite it by blindly copying all the lower 3501 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3502 */ 3503 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3504 return 1; /* Discard */ 3505 /* 3506 * Any other attribute apart from SELINUX is not claimed, supported 3507 * by selinux. 3508 */ 3509 return -EOPNOTSUPP; 3510 } 3511 3512 /* file security operations */ 3513 3514 static int selinux_revalidate_file_permission(struct file *file, int mask) 3515 { 3516 const struct cred *cred = current_cred(); 3517 struct inode *inode = file_inode(file); 3518 3519 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3520 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3521 mask |= MAY_APPEND; 3522 3523 return file_has_perm(cred, file, 3524 file_mask_to_av(inode->i_mode, mask)); 3525 } 3526 3527 static int selinux_file_permission(struct file *file, int mask) 3528 { 3529 struct inode *inode = file_inode(file); 3530 struct file_security_struct *fsec = file->f_security; 3531 struct inode_security_struct *isec; 3532 u32 sid = current_sid(); 3533 3534 if (!mask) 3535 /* No permission to check. Existence test. */ 3536 return 0; 3537 3538 isec = inode_security(inode); 3539 if (sid == fsec->sid && fsec->isid == isec->sid && 3540 fsec->pseqno == avc_policy_seqno(&selinux_state)) 3541 /* No change since file_open check. */ 3542 return 0; 3543 3544 return selinux_revalidate_file_permission(file, mask); 3545 } 3546 3547 static int selinux_file_alloc_security(struct file *file) 3548 { 3549 return file_alloc_security(file); 3550 } 3551 3552 static void selinux_file_free_security(struct file *file) 3553 { 3554 file_free_security(file); 3555 } 3556 3557 /* 3558 * Check whether a task has the ioctl permission and cmd 3559 * operation to an inode. 3560 */ 3561 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3562 u32 requested, u16 cmd) 3563 { 3564 struct common_audit_data ad; 3565 struct file_security_struct *fsec = file->f_security; 3566 struct inode *inode = file_inode(file); 3567 struct inode_security_struct *isec; 3568 struct lsm_ioctlop_audit ioctl; 3569 u32 ssid = cred_sid(cred); 3570 int rc; 3571 u8 driver = cmd >> 8; 3572 u8 xperm = cmd & 0xff; 3573 3574 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3575 ad.u.op = &ioctl; 3576 ad.u.op->cmd = cmd; 3577 ad.u.op->path = file->f_path; 3578 3579 if (ssid != fsec->sid) { 3580 rc = avc_has_perm(&selinux_state, 3581 ssid, fsec->sid, 3582 SECCLASS_FD, 3583 FD__USE, 3584 &ad); 3585 if (rc) 3586 goto out; 3587 } 3588 3589 if (unlikely(IS_PRIVATE(inode))) 3590 return 0; 3591 3592 isec = inode_security(inode); 3593 rc = avc_has_extended_perms(&selinux_state, 3594 ssid, isec->sid, isec->sclass, 3595 requested, driver, xperm, &ad); 3596 out: 3597 return rc; 3598 } 3599 3600 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3601 unsigned long arg) 3602 { 3603 const struct cred *cred = current_cred(); 3604 int error = 0; 3605 3606 switch (cmd) { 3607 case FIONREAD: 3608 /* fall through */ 3609 case FIBMAP: 3610 /* fall through */ 3611 case FIGETBSZ: 3612 /* fall through */ 3613 case FS_IOC_GETFLAGS: 3614 /* fall through */ 3615 case FS_IOC_GETVERSION: 3616 error = file_has_perm(cred, file, FILE__GETATTR); 3617 break; 3618 3619 case FS_IOC_SETFLAGS: 3620 /* fall through */ 3621 case FS_IOC_SETVERSION: 3622 error = file_has_perm(cred, file, FILE__SETATTR); 3623 break; 3624 3625 /* sys_ioctl() checks */ 3626 case FIONBIO: 3627 /* fall through */ 3628 case FIOASYNC: 3629 error = file_has_perm(cred, file, 0); 3630 break; 3631 3632 case KDSKBENT: 3633 case KDSKBSENT: 3634 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3635 SECURITY_CAP_AUDIT, true); 3636 break; 3637 3638 /* default case assumes that the command will go 3639 * to the file's ioctl() function. 3640 */ 3641 default: 3642 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3643 } 3644 return error; 3645 } 3646 3647 static int default_noexec; 3648 3649 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3650 { 3651 const struct cred *cred = current_cred(); 3652 u32 sid = cred_sid(cred); 3653 int rc = 0; 3654 3655 if (default_noexec && 3656 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3657 (!shared && (prot & PROT_WRITE)))) { 3658 /* 3659 * We are making executable an anonymous mapping or a 3660 * private file mapping that will also be writable. 3661 * This has an additional check. 3662 */ 3663 rc = avc_has_perm(&selinux_state, 3664 sid, sid, SECCLASS_PROCESS, 3665 PROCESS__EXECMEM, NULL); 3666 if (rc) 3667 goto error; 3668 } 3669 3670 if (file) { 3671 /* read access is always possible with a mapping */ 3672 u32 av = FILE__READ; 3673 3674 /* write access only matters if the mapping is shared */ 3675 if (shared && (prot & PROT_WRITE)) 3676 av |= FILE__WRITE; 3677 3678 if (prot & PROT_EXEC) 3679 av |= FILE__EXECUTE; 3680 3681 return file_has_perm(cred, file, av); 3682 } 3683 3684 error: 3685 return rc; 3686 } 3687 3688 static int selinux_mmap_addr(unsigned long addr) 3689 { 3690 int rc = 0; 3691 3692 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3693 u32 sid = current_sid(); 3694 rc = avc_has_perm(&selinux_state, 3695 sid, sid, SECCLASS_MEMPROTECT, 3696 MEMPROTECT__MMAP_ZERO, NULL); 3697 } 3698 3699 return rc; 3700 } 3701 3702 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3703 unsigned long prot, unsigned long flags) 3704 { 3705 struct common_audit_data ad; 3706 int rc; 3707 3708 if (file) { 3709 ad.type = LSM_AUDIT_DATA_FILE; 3710 ad.u.file = file; 3711 rc = inode_has_perm(current_cred(), file_inode(file), 3712 FILE__MAP, &ad); 3713 if (rc) 3714 return rc; 3715 } 3716 3717 if (selinux_state.checkreqprot) 3718 prot = reqprot; 3719 3720 return file_map_prot_check(file, prot, 3721 (flags & MAP_TYPE) == MAP_SHARED); 3722 } 3723 3724 static int selinux_file_mprotect(struct vm_area_struct *vma, 3725 unsigned long reqprot, 3726 unsigned long prot) 3727 { 3728 const struct cred *cred = current_cred(); 3729 u32 sid = cred_sid(cred); 3730 3731 if (selinux_state.checkreqprot) 3732 prot = reqprot; 3733 3734 if (default_noexec && 3735 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3736 int rc = 0; 3737 if (vma->vm_start >= vma->vm_mm->start_brk && 3738 vma->vm_end <= vma->vm_mm->brk) { 3739 rc = avc_has_perm(&selinux_state, 3740 sid, sid, SECCLASS_PROCESS, 3741 PROCESS__EXECHEAP, NULL); 3742 } else if (!vma->vm_file && 3743 ((vma->vm_start <= vma->vm_mm->start_stack && 3744 vma->vm_end >= vma->vm_mm->start_stack) || 3745 vma_is_stack_for_current(vma))) { 3746 rc = avc_has_perm(&selinux_state, 3747 sid, sid, SECCLASS_PROCESS, 3748 PROCESS__EXECSTACK, NULL); 3749 } else if (vma->vm_file && vma->anon_vma) { 3750 /* 3751 * We are making executable a file mapping that has 3752 * had some COW done. Since pages might have been 3753 * written, check ability to execute the possibly 3754 * modified content. This typically should only 3755 * occur for text relocations. 3756 */ 3757 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3758 } 3759 if (rc) 3760 return rc; 3761 } 3762 3763 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3764 } 3765 3766 static int selinux_file_lock(struct file *file, unsigned int cmd) 3767 { 3768 const struct cred *cred = current_cred(); 3769 3770 return file_has_perm(cred, file, FILE__LOCK); 3771 } 3772 3773 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3774 unsigned long arg) 3775 { 3776 const struct cred *cred = current_cred(); 3777 int err = 0; 3778 3779 switch (cmd) { 3780 case F_SETFL: 3781 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3782 err = file_has_perm(cred, file, FILE__WRITE); 3783 break; 3784 } 3785 /* fall through */ 3786 case F_SETOWN: 3787 case F_SETSIG: 3788 case F_GETFL: 3789 case F_GETOWN: 3790 case F_GETSIG: 3791 case F_GETOWNER_UIDS: 3792 /* Just check FD__USE permission */ 3793 err = file_has_perm(cred, file, 0); 3794 break; 3795 case F_GETLK: 3796 case F_SETLK: 3797 case F_SETLKW: 3798 case F_OFD_GETLK: 3799 case F_OFD_SETLK: 3800 case F_OFD_SETLKW: 3801 #if BITS_PER_LONG == 32 3802 case F_GETLK64: 3803 case F_SETLK64: 3804 case F_SETLKW64: 3805 #endif 3806 err = file_has_perm(cred, file, FILE__LOCK); 3807 break; 3808 } 3809 3810 return err; 3811 } 3812 3813 static void selinux_file_set_fowner(struct file *file) 3814 { 3815 struct file_security_struct *fsec; 3816 3817 fsec = file->f_security; 3818 fsec->fown_sid = current_sid(); 3819 } 3820 3821 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3822 struct fown_struct *fown, int signum) 3823 { 3824 struct file *file; 3825 u32 sid = task_sid(tsk); 3826 u32 perm; 3827 struct file_security_struct *fsec; 3828 3829 /* struct fown_struct is never outside the context of a struct file */ 3830 file = container_of(fown, struct file, f_owner); 3831 3832 fsec = file->f_security; 3833 3834 if (!signum) 3835 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3836 else 3837 perm = signal_to_av(signum); 3838 3839 return avc_has_perm(&selinux_state, 3840 fsec->fown_sid, sid, 3841 SECCLASS_PROCESS, perm, NULL); 3842 } 3843 3844 static int selinux_file_receive(struct file *file) 3845 { 3846 const struct cred *cred = current_cred(); 3847 3848 return file_has_perm(cred, file, file_to_av(file)); 3849 } 3850 3851 static int selinux_file_open(struct file *file, const struct cred *cred) 3852 { 3853 struct file_security_struct *fsec; 3854 struct inode_security_struct *isec; 3855 3856 fsec = file->f_security; 3857 isec = inode_security(file_inode(file)); 3858 /* 3859 * Save inode label and policy sequence number 3860 * at open-time so that selinux_file_permission 3861 * can determine whether revalidation is necessary. 3862 * Task label is already saved in the file security 3863 * struct as its SID. 3864 */ 3865 fsec->isid = isec->sid; 3866 fsec->pseqno = avc_policy_seqno(&selinux_state); 3867 /* 3868 * Since the inode label or policy seqno may have changed 3869 * between the selinux_inode_permission check and the saving 3870 * of state above, recheck that access is still permitted. 3871 * Otherwise, access might never be revalidated against the 3872 * new inode label or new policy. 3873 * This check is not redundant - do not remove. 3874 */ 3875 return file_path_has_perm(cred, file, open_file_to_av(file)); 3876 } 3877 3878 /* task security operations */ 3879 3880 static int selinux_task_alloc(struct task_struct *task, 3881 unsigned long clone_flags) 3882 { 3883 u32 sid = current_sid(); 3884 3885 return avc_has_perm(&selinux_state, 3886 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3887 } 3888 3889 /* 3890 * allocate the SELinux part of blank credentials 3891 */ 3892 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3893 { 3894 struct task_security_struct *tsec; 3895 3896 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3897 if (!tsec) 3898 return -ENOMEM; 3899 3900 cred->security = tsec; 3901 return 0; 3902 } 3903 3904 /* 3905 * detach and free the LSM part of a set of credentials 3906 */ 3907 static void selinux_cred_free(struct cred *cred) 3908 { 3909 struct task_security_struct *tsec = cred->security; 3910 3911 /* 3912 * cred->security == NULL if security_cred_alloc_blank() or 3913 * security_prepare_creds() returned an error. 3914 */ 3915 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); 3916 cred->security = (void *) 0x7UL; 3917 kfree(tsec); 3918 } 3919 3920 /* 3921 * prepare a new set of credentials for modification 3922 */ 3923 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3924 gfp_t gfp) 3925 { 3926 const struct task_security_struct *old_tsec; 3927 struct task_security_struct *tsec; 3928 3929 old_tsec = old->security; 3930 3931 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3932 if (!tsec) 3933 return -ENOMEM; 3934 3935 new->security = tsec; 3936 return 0; 3937 } 3938 3939 /* 3940 * transfer the SELinux data to a blank set of creds 3941 */ 3942 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3943 { 3944 const struct task_security_struct *old_tsec = old->security; 3945 struct task_security_struct *tsec = new->security; 3946 3947 *tsec = *old_tsec; 3948 } 3949 3950 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 3951 { 3952 *secid = cred_sid(c); 3953 } 3954 3955 /* 3956 * set the security data for a kernel service 3957 * - all the creation contexts are set to unlabelled 3958 */ 3959 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3960 { 3961 struct task_security_struct *tsec = new->security; 3962 u32 sid = current_sid(); 3963 int ret; 3964 3965 ret = avc_has_perm(&selinux_state, 3966 sid, secid, 3967 SECCLASS_KERNEL_SERVICE, 3968 KERNEL_SERVICE__USE_AS_OVERRIDE, 3969 NULL); 3970 if (ret == 0) { 3971 tsec->sid = secid; 3972 tsec->create_sid = 0; 3973 tsec->keycreate_sid = 0; 3974 tsec->sockcreate_sid = 0; 3975 } 3976 return ret; 3977 } 3978 3979 /* 3980 * set the file creation context in a security record to the same as the 3981 * objective context of the specified inode 3982 */ 3983 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3984 { 3985 struct inode_security_struct *isec = inode_security(inode); 3986 struct task_security_struct *tsec = new->security; 3987 u32 sid = current_sid(); 3988 int ret; 3989 3990 ret = avc_has_perm(&selinux_state, 3991 sid, isec->sid, 3992 SECCLASS_KERNEL_SERVICE, 3993 KERNEL_SERVICE__CREATE_FILES_AS, 3994 NULL); 3995 3996 if (ret == 0) 3997 tsec->create_sid = isec->sid; 3998 return ret; 3999 } 4000 4001 static int selinux_kernel_module_request(char *kmod_name) 4002 { 4003 struct common_audit_data ad; 4004 4005 ad.type = LSM_AUDIT_DATA_KMOD; 4006 ad.u.kmod_name = kmod_name; 4007 4008 return avc_has_perm(&selinux_state, 4009 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4010 SYSTEM__MODULE_REQUEST, &ad); 4011 } 4012 4013 static int selinux_kernel_module_from_file(struct file *file) 4014 { 4015 struct common_audit_data ad; 4016 struct inode_security_struct *isec; 4017 struct file_security_struct *fsec; 4018 u32 sid = current_sid(); 4019 int rc; 4020 4021 /* init_module */ 4022 if (file == NULL) 4023 return avc_has_perm(&selinux_state, 4024 sid, sid, SECCLASS_SYSTEM, 4025 SYSTEM__MODULE_LOAD, NULL); 4026 4027 /* finit_module */ 4028 4029 ad.type = LSM_AUDIT_DATA_FILE; 4030 ad.u.file = file; 4031 4032 fsec = file->f_security; 4033 if (sid != fsec->sid) { 4034 rc = avc_has_perm(&selinux_state, 4035 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4036 if (rc) 4037 return rc; 4038 } 4039 4040 isec = inode_security(file_inode(file)); 4041 return avc_has_perm(&selinux_state, 4042 sid, isec->sid, SECCLASS_SYSTEM, 4043 SYSTEM__MODULE_LOAD, &ad); 4044 } 4045 4046 static int selinux_kernel_read_file(struct file *file, 4047 enum kernel_read_file_id id) 4048 { 4049 int rc = 0; 4050 4051 switch (id) { 4052 case READING_MODULE: 4053 rc = selinux_kernel_module_from_file(file); 4054 break; 4055 default: 4056 break; 4057 } 4058 4059 return rc; 4060 } 4061 4062 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4063 { 4064 return avc_has_perm(&selinux_state, 4065 current_sid(), task_sid(p), SECCLASS_PROCESS, 4066 PROCESS__SETPGID, NULL); 4067 } 4068 4069 static int selinux_task_getpgid(struct task_struct *p) 4070 { 4071 return avc_has_perm(&selinux_state, 4072 current_sid(), task_sid(p), SECCLASS_PROCESS, 4073 PROCESS__GETPGID, NULL); 4074 } 4075 4076 static int selinux_task_getsid(struct task_struct *p) 4077 { 4078 return avc_has_perm(&selinux_state, 4079 current_sid(), task_sid(p), SECCLASS_PROCESS, 4080 PROCESS__GETSESSION, NULL); 4081 } 4082 4083 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 4084 { 4085 *secid = task_sid(p); 4086 } 4087 4088 static int selinux_task_setnice(struct task_struct *p, int nice) 4089 { 4090 return avc_has_perm(&selinux_state, 4091 current_sid(), task_sid(p), SECCLASS_PROCESS, 4092 PROCESS__SETSCHED, NULL); 4093 } 4094 4095 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4096 { 4097 return avc_has_perm(&selinux_state, 4098 current_sid(), task_sid(p), SECCLASS_PROCESS, 4099 PROCESS__SETSCHED, NULL); 4100 } 4101 4102 static int selinux_task_getioprio(struct task_struct *p) 4103 { 4104 return avc_has_perm(&selinux_state, 4105 current_sid(), task_sid(p), SECCLASS_PROCESS, 4106 PROCESS__GETSCHED, NULL); 4107 } 4108 4109 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4110 unsigned int flags) 4111 { 4112 u32 av = 0; 4113 4114 if (!flags) 4115 return 0; 4116 if (flags & LSM_PRLIMIT_WRITE) 4117 av |= PROCESS__SETRLIMIT; 4118 if (flags & LSM_PRLIMIT_READ) 4119 av |= PROCESS__GETRLIMIT; 4120 return avc_has_perm(&selinux_state, 4121 cred_sid(cred), cred_sid(tcred), 4122 SECCLASS_PROCESS, av, NULL); 4123 } 4124 4125 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4126 struct rlimit *new_rlim) 4127 { 4128 struct rlimit *old_rlim = p->signal->rlim + resource; 4129 4130 /* Control the ability to change the hard limit (whether 4131 lowering or raising it), so that the hard limit can 4132 later be used as a safe reset point for the soft limit 4133 upon context transitions. See selinux_bprm_committing_creds. */ 4134 if (old_rlim->rlim_max != new_rlim->rlim_max) 4135 return avc_has_perm(&selinux_state, 4136 current_sid(), task_sid(p), 4137 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4138 4139 return 0; 4140 } 4141 4142 static int selinux_task_setscheduler(struct task_struct *p) 4143 { 4144 return avc_has_perm(&selinux_state, 4145 current_sid(), task_sid(p), SECCLASS_PROCESS, 4146 PROCESS__SETSCHED, NULL); 4147 } 4148 4149 static int selinux_task_getscheduler(struct task_struct *p) 4150 { 4151 return avc_has_perm(&selinux_state, 4152 current_sid(), task_sid(p), SECCLASS_PROCESS, 4153 PROCESS__GETSCHED, NULL); 4154 } 4155 4156 static int selinux_task_movememory(struct task_struct *p) 4157 { 4158 return avc_has_perm(&selinux_state, 4159 current_sid(), task_sid(p), SECCLASS_PROCESS, 4160 PROCESS__SETSCHED, NULL); 4161 } 4162 4163 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 4164 int sig, const struct cred *cred) 4165 { 4166 u32 secid; 4167 u32 perm; 4168 4169 if (!sig) 4170 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4171 else 4172 perm = signal_to_av(sig); 4173 if (!cred) 4174 secid = current_sid(); 4175 else 4176 secid = cred_sid(cred); 4177 return avc_has_perm(&selinux_state, 4178 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4179 } 4180 4181 static void selinux_task_to_inode(struct task_struct *p, 4182 struct inode *inode) 4183 { 4184 struct inode_security_struct *isec = inode->i_security; 4185 u32 sid = task_sid(p); 4186 4187 spin_lock(&isec->lock); 4188 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4189 isec->sid = sid; 4190 isec->initialized = LABEL_INITIALIZED; 4191 spin_unlock(&isec->lock); 4192 } 4193 4194 /* Returns error only if unable to parse addresses */ 4195 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4196 struct common_audit_data *ad, u8 *proto) 4197 { 4198 int offset, ihlen, ret = -EINVAL; 4199 struct iphdr _iph, *ih; 4200 4201 offset = skb_network_offset(skb); 4202 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4203 if (ih == NULL) 4204 goto out; 4205 4206 ihlen = ih->ihl * 4; 4207 if (ihlen < sizeof(_iph)) 4208 goto out; 4209 4210 ad->u.net->v4info.saddr = ih->saddr; 4211 ad->u.net->v4info.daddr = ih->daddr; 4212 ret = 0; 4213 4214 if (proto) 4215 *proto = ih->protocol; 4216 4217 switch (ih->protocol) { 4218 case IPPROTO_TCP: { 4219 struct tcphdr _tcph, *th; 4220 4221 if (ntohs(ih->frag_off) & IP_OFFSET) 4222 break; 4223 4224 offset += ihlen; 4225 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4226 if (th == NULL) 4227 break; 4228 4229 ad->u.net->sport = th->source; 4230 ad->u.net->dport = th->dest; 4231 break; 4232 } 4233 4234 case IPPROTO_UDP: { 4235 struct udphdr _udph, *uh; 4236 4237 if (ntohs(ih->frag_off) & IP_OFFSET) 4238 break; 4239 4240 offset += ihlen; 4241 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4242 if (uh == NULL) 4243 break; 4244 4245 ad->u.net->sport = uh->source; 4246 ad->u.net->dport = uh->dest; 4247 break; 4248 } 4249 4250 case IPPROTO_DCCP: { 4251 struct dccp_hdr _dccph, *dh; 4252 4253 if (ntohs(ih->frag_off) & IP_OFFSET) 4254 break; 4255 4256 offset += ihlen; 4257 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4258 if (dh == NULL) 4259 break; 4260 4261 ad->u.net->sport = dh->dccph_sport; 4262 ad->u.net->dport = dh->dccph_dport; 4263 break; 4264 } 4265 4266 #if IS_ENABLED(CONFIG_IP_SCTP) 4267 case IPPROTO_SCTP: { 4268 struct sctphdr _sctph, *sh; 4269 4270 if (ntohs(ih->frag_off) & IP_OFFSET) 4271 break; 4272 4273 offset += ihlen; 4274 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4275 if (sh == NULL) 4276 break; 4277 4278 ad->u.net->sport = sh->source; 4279 ad->u.net->dport = sh->dest; 4280 break; 4281 } 4282 #endif 4283 default: 4284 break; 4285 } 4286 out: 4287 return ret; 4288 } 4289 4290 #if IS_ENABLED(CONFIG_IPV6) 4291 4292 /* Returns error only if unable to parse addresses */ 4293 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4294 struct common_audit_data *ad, u8 *proto) 4295 { 4296 u8 nexthdr; 4297 int ret = -EINVAL, offset; 4298 struct ipv6hdr _ipv6h, *ip6; 4299 __be16 frag_off; 4300 4301 offset = skb_network_offset(skb); 4302 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4303 if (ip6 == NULL) 4304 goto out; 4305 4306 ad->u.net->v6info.saddr = ip6->saddr; 4307 ad->u.net->v6info.daddr = ip6->daddr; 4308 ret = 0; 4309 4310 nexthdr = ip6->nexthdr; 4311 offset += sizeof(_ipv6h); 4312 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4313 if (offset < 0) 4314 goto out; 4315 4316 if (proto) 4317 *proto = nexthdr; 4318 4319 switch (nexthdr) { 4320 case IPPROTO_TCP: { 4321 struct tcphdr _tcph, *th; 4322 4323 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4324 if (th == NULL) 4325 break; 4326 4327 ad->u.net->sport = th->source; 4328 ad->u.net->dport = th->dest; 4329 break; 4330 } 4331 4332 case IPPROTO_UDP: { 4333 struct udphdr _udph, *uh; 4334 4335 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4336 if (uh == NULL) 4337 break; 4338 4339 ad->u.net->sport = uh->source; 4340 ad->u.net->dport = uh->dest; 4341 break; 4342 } 4343 4344 case IPPROTO_DCCP: { 4345 struct dccp_hdr _dccph, *dh; 4346 4347 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4348 if (dh == NULL) 4349 break; 4350 4351 ad->u.net->sport = dh->dccph_sport; 4352 ad->u.net->dport = dh->dccph_dport; 4353 break; 4354 } 4355 4356 #if IS_ENABLED(CONFIG_IP_SCTP) 4357 case IPPROTO_SCTP: { 4358 struct sctphdr _sctph, *sh; 4359 4360 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4361 if (sh == NULL) 4362 break; 4363 4364 ad->u.net->sport = sh->source; 4365 ad->u.net->dport = sh->dest; 4366 break; 4367 } 4368 #endif 4369 /* includes fragments */ 4370 default: 4371 break; 4372 } 4373 out: 4374 return ret; 4375 } 4376 4377 #endif /* IPV6 */ 4378 4379 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4380 char **_addrp, int src, u8 *proto) 4381 { 4382 char *addrp; 4383 int ret; 4384 4385 switch (ad->u.net->family) { 4386 case PF_INET: 4387 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4388 if (ret) 4389 goto parse_error; 4390 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4391 &ad->u.net->v4info.daddr); 4392 goto okay; 4393 4394 #if IS_ENABLED(CONFIG_IPV6) 4395 case PF_INET6: 4396 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4397 if (ret) 4398 goto parse_error; 4399 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4400 &ad->u.net->v6info.daddr); 4401 goto okay; 4402 #endif /* IPV6 */ 4403 default: 4404 addrp = NULL; 4405 goto okay; 4406 } 4407 4408 parse_error: 4409 printk(KERN_WARNING 4410 "SELinux: failure in selinux_parse_skb()," 4411 " unable to parse packet\n"); 4412 return ret; 4413 4414 okay: 4415 if (_addrp) 4416 *_addrp = addrp; 4417 return 0; 4418 } 4419 4420 /** 4421 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4422 * @skb: the packet 4423 * @family: protocol family 4424 * @sid: the packet's peer label SID 4425 * 4426 * Description: 4427 * Check the various different forms of network peer labeling and determine 4428 * the peer label/SID for the packet; most of the magic actually occurs in 4429 * the security server function security_net_peersid_cmp(). The function 4430 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4431 * or -EACCES if @sid is invalid due to inconsistencies with the different 4432 * peer labels. 4433 * 4434 */ 4435 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4436 { 4437 int err; 4438 u32 xfrm_sid; 4439 u32 nlbl_sid; 4440 u32 nlbl_type; 4441 4442 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4443 if (unlikely(err)) 4444 return -EACCES; 4445 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4446 if (unlikely(err)) 4447 return -EACCES; 4448 4449 err = security_net_peersid_resolve(&selinux_state, nlbl_sid, 4450 nlbl_type, xfrm_sid, sid); 4451 if (unlikely(err)) { 4452 printk(KERN_WARNING 4453 "SELinux: failure in selinux_skb_peerlbl_sid()," 4454 " unable to determine packet's peer label\n"); 4455 return -EACCES; 4456 } 4457 4458 return 0; 4459 } 4460 4461 /** 4462 * selinux_conn_sid - Determine the child socket label for a connection 4463 * @sk_sid: the parent socket's SID 4464 * @skb_sid: the packet's SID 4465 * @conn_sid: the resulting connection SID 4466 * 4467 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4468 * combined with the MLS information from @skb_sid in order to create 4469 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy 4470 * of @sk_sid. Returns zero on success, negative values on failure. 4471 * 4472 */ 4473 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4474 { 4475 int err = 0; 4476 4477 if (skb_sid != SECSID_NULL) 4478 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid, 4479 conn_sid); 4480 else 4481 *conn_sid = sk_sid; 4482 4483 return err; 4484 } 4485 4486 /* socket security operations */ 4487 4488 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4489 u16 secclass, u32 *socksid) 4490 { 4491 if (tsec->sockcreate_sid > SECSID_NULL) { 4492 *socksid = tsec->sockcreate_sid; 4493 return 0; 4494 } 4495 4496 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid, 4497 secclass, NULL, socksid); 4498 } 4499 4500 static int sock_has_perm(struct sock *sk, u32 perms) 4501 { 4502 struct sk_security_struct *sksec = sk->sk_security; 4503 struct common_audit_data ad; 4504 struct lsm_network_audit net = {0,}; 4505 4506 if (sksec->sid == SECINITSID_KERNEL) 4507 return 0; 4508 4509 ad.type = LSM_AUDIT_DATA_NET; 4510 ad.u.net = &net; 4511 ad.u.net->sk = sk; 4512 4513 return avc_has_perm(&selinux_state, 4514 current_sid(), sksec->sid, sksec->sclass, perms, 4515 &ad); 4516 } 4517 4518 static int selinux_socket_create(int family, int type, 4519 int protocol, int kern) 4520 { 4521 const struct task_security_struct *tsec = current_security(); 4522 u32 newsid; 4523 u16 secclass; 4524 int rc; 4525 4526 if (kern) 4527 return 0; 4528 4529 secclass = socket_type_to_security_class(family, type, protocol); 4530 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4531 if (rc) 4532 return rc; 4533 4534 return avc_has_perm(&selinux_state, 4535 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4536 } 4537 4538 static int selinux_socket_post_create(struct socket *sock, int family, 4539 int type, int protocol, int kern) 4540 { 4541 const struct task_security_struct *tsec = current_security(); 4542 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4543 struct sk_security_struct *sksec; 4544 u16 sclass = socket_type_to_security_class(family, type, protocol); 4545 u32 sid = SECINITSID_KERNEL; 4546 int err = 0; 4547 4548 if (!kern) { 4549 err = socket_sockcreate_sid(tsec, sclass, &sid); 4550 if (err) 4551 return err; 4552 } 4553 4554 isec->sclass = sclass; 4555 isec->sid = sid; 4556 isec->initialized = LABEL_INITIALIZED; 4557 4558 if (sock->sk) { 4559 sksec = sock->sk->sk_security; 4560 sksec->sclass = sclass; 4561 sksec->sid = sid; 4562 /* Allows detection of the first association on this socket */ 4563 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4564 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4565 4566 err = selinux_netlbl_socket_post_create(sock->sk, family); 4567 } 4568 4569 return err; 4570 } 4571 4572 /* Range of port numbers used to automatically bind. 4573 Need to determine whether we should perform a name_bind 4574 permission check between the socket and the port number. */ 4575 4576 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4577 { 4578 struct sock *sk = sock->sk; 4579 u16 family; 4580 int err; 4581 4582 err = sock_has_perm(sk, SOCKET__BIND); 4583 if (err) 4584 goto out; 4585 4586 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4587 family = sk->sk_family; 4588 if (family == PF_INET || family == PF_INET6) { 4589 char *addrp; 4590 struct sk_security_struct *sksec = sk->sk_security; 4591 struct common_audit_data ad; 4592 struct lsm_network_audit net = {0,}; 4593 struct sockaddr_in *addr4 = NULL; 4594 struct sockaddr_in6 *addr6 = NULL; 4595 unsigned short snum; 4596 u32 sid, node_perm; 4597 4598 /* 4599 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4600 * that validates multiple binding addresses. Because of this 4601 * need to check address->sa_family as it is possible to have 4602 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4603 */ 4604 switch (address->sa_family) { 4605 case AF_INET: 4606 if (addrlen < sizeof(struct sockaddr_in)) 4607 return -EINVAL; 4608 addr4 = (struct sockaddr_in *)address; 4609 snum = ntohs(addr4->sin_port); 4610 addrp = (char *)&addr4->sin_addr.s_addr; 4611 break; 4612 case AF_INET6: 4613 if (addrlen < SIN6_LEN_RFC2133) 4614 return -EINVAL; 4615 addr6 = (struct sockaddr_in6 *)address; 4616 snum = ntohs(addr6->sin6_port); 4617 addrp = (char *)&addr6->sin6_addr.s6_addr; 4618 break; 4619 default: 4620 /* Note that SCTP services expect -EINVAL, whereas 4621 * others expect -EAFNOSUPPORT. 4622 */ 4623 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4624 return -EINVAL; 4625 else 4626 return -EAFNOSUPPORT; 4627 } 4628 4629 if (snum) { 4630 int low, high; 4631 4632 inet_get_local_port_range(sock_net(sk), &low, &high); 4633 4634 if (snum < max(inet_prot_sock(sock_net(sk)), low) || 4635 snum > high) { 4636 err = sel_netport_sid(sk->sk_protocol, 4637 snum, &sid); 4638 if (err) 4639 goto out; 4640 ad.type = LSM_AUDIT_DATA_NET; 4641 ad.u.net = &net; 4642 ad.u.net->sport = htons(snum); 4643 ad.u.net->family = family; 4644 err = avc_has_perm(&selinux_state, 4645 sksec->sid, sid, 4646 sksec->sclass, 4647 SOCKET__NAME_BIND, &ad); 4648 if (err) 4649 goto out; 4650 } 4651 } 4652 4653 switch (sksec->sclass) { 4654 case SECCLASS_TCP_SOCKET: 4655 node_perm = TCP_SOCKET__NODE_BIND; 4656 break; 4657 4658 case SECCLASS_UDP_SOCKET: 4659 node_perm = UDP_SOCKET__NODE_BIND; 4660 break; 4661 4662 case SECCLASS_DCCP_SOCKET: 4663 node_perm = DCCP_SOCKET__NODE_BIND; 4664 break; 4665 4666 case SECCLASS_SCTP_SOCKET: 4667 node_perm = SCTP_SOCKET__NODE_BIND; 4668 break; 4669 4670 default: 4671 node_perm = RAWIP_SOCKET__NODE_BIND; 4672 break; 4673 } 4674 4675 err = sel_netnode_sid(addrp, family, &sid); 4676 if (err) 4677 goto out; 4678 4679 ad.type = LSM_AUDIT_DATA_NET; 4680 ad.u.net = &net; 4681 ad.u.net->sport = htons(snum); 4682 ad.u.net->family = family; 4683 4684 if (address->sa_family == AF_INET) 4685 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4686 else 4687 ad.u.net->v6info.saddr = addr6->sin6_addr; 4688 4689 err = avc_has_perm(&selinux_state, 4690 sksec->sid, sid, 4691 sksec->sclass, node_perm, &ad); 4692 if (err) 4693 goto out; 4694 } 4695 out: 4696 return err; 4697 } 4698 4699 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 4700 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.txt 4701 */ 4702 static int selinux_socket_connect_helper(struct socket *sock, 4703 struct sockaddr *address, int addrlen) 4704 { 4705 struct sock *sk = sock->sk; 4706 struct sk_security_struct *sksec = sk->sk_security; 4707 int err; 4708 4709 err = sock_has_perm(sk, SOCKET__CONNECT); 4710 if (err) 4711 return err; 4712 4713 /* 4714 * If a TCP, DCCP or SCTP socket, check name_connect permission 4715 * for the port. 4716 */ 4717 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4718 sksec->sclass == SECCLASS_DCCP_SOCKET || 4719 sksec->sclass == SECCLASS_SCTP_SOCKET) { 4720 struct common_audit_data ad; 4721 struct lsm_network_audit net = {0,}; 4722 struct sockaddr_in *addr4 = NULL; 4723 struct sockaddr_in6 *addr6 = NULL; 4724 unsigned short snum; 4725 u32 sid, perm; 4726 4727 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 4728 * that validates multiple connect addresses. Because of this 4729 * need to check address->sa_family as it is possible to have 4730 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4731 */ 4732 switch (address->sa_family) { 4733 case AF_INET: 4734 addr4 = (struct sockaddr_in *)address; 4735 if (addrlen < sizeof(struct sockaddr_in)) 4736 return -EINVAL; 4737 snum = ntohs(addr4->sin_port); 4738 break; 4739 case AF_INET6: 4740 addr6 = (struct sockaddr_in6 *)address; 4741 if (addrlen < SIN6_LEN_RFC2133) 4742 return -EINVAL; 4743 snum = ntohs(addr6->sin6_port); 4744 break; 4745 default: 4746 /* Note that SCTP services expect -EINVAL, whereas 4747 * others expect -EAFNOSUPPORT. 4748 */ 4749 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4750 return -EINVAL; 4751 else 4752 return -EAFNOSUPPORT; 4753 } 4754 4755 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4756 if (err) 4757 return err; 4758 4759 switch (sksec->sclass) { 4760 case SECCLASS_TCP_SOCKET: 4761 perm = TCP_SOCKET__NAME_CONNECT; 4762 break; 4763 case SECCLASS_DCCP_SOCKET: 4764 perm = DCCP_SOCKET__NAME_CONNECT; 4765 break; 4766 case SECCLASS_SCTP_SOCKET: 4767 perm = SCTP_SOCKET__NAME_CONNECT; 4768 break; 4769 } 4770 4771 ad.type = LSM_AUDIT_DATA_NET; 4772 ad.u.net = &net; 4773 ad.u.net->dport = htons(snum); 4774 ad.u.net->family = sk->sk_family; 4775 err = avc_has_perm(&selinux_state, 4776 sksec->sid, sid, sksec->sclass, perm, &ad); 4777 if (err) 4778 return err; 4779 } 4780 4781 return 0; 4782 } 4783 4784 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 4785 static int selinux_socket_connect(struct socket *sock, 4786 struct sockaddr *address, int addrlen) 4787 { 4788 int err; 4789 struct sock *sk = sock->sk; 4790 4791 err = selinux_socket_connect_helper(sock, address, addrlen); 4792 if (err) 4793 return err; 4794 4795 return selinux_netlbl_socket_connect(sk, address); 4796 } 4797 4798 static int selinux_socket_listen(struct socket *sock, int backlog) 4799 { 4800 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4801 } 4802 4803 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4804 { 4805 int err; 4806 struct inode_security_struct *isec; 4807 struct inode_security_struct *newisec; 4808 u16 sclass; 4809 u32 sid; 4810 4811 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4812 if (err) 4813 return err; 4814 4815 isec = inode_security_novalidate(SOCK_INODE(sock)); 4816 spin_lock(&isec->lock); 4817 sclass = isec->sclass; 4818 sid = isec->sid; 4819 spin_unlock(&isec->lock); 4820 4821 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4822 newisec->sclass = sclass; 4823 newisec->sid = sid; 4824 newisec->initialized = LABEL_INITIALIZED; 4825 4826 return 0; 4827 } 4828 4829 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4830 int size) 4831 { 4832 return sock_has_perm(sock->sk, SOCKET__WRITE); 4833 } 4834 4835 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4836 int size, int flags) 4837 { 4838 return sock_has_perm(sock->sk, SOCKET__READ); 4839 } 4840 4841 static int selinux_socket_getsockname(struct socket *sock) 4842 { 4843 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4844 } 4845 4846 static int selinux_socket_getpeername(struct socket *sock) 4847 { 4848 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4849 } 4850 4851 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4852 { 4853 int err; 4854 4855 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 4856 if (err) 4857 return err; 4858 4859 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4860 } 4861 4862 static int selinux_socket_getsockopt(struct socket *sock, int level, 4863 int optname) 4864 { 4865 return sock_has_perm(sock->sk, SOCKET__GETOPT); 4866 } 4867 4868 static int selinux_socket_shutdown(struct socket *sock, int how) 4869 { 4870 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 4871 } 4872 4873 static int selinux_socket_unix_stream_connect(struct sock *sock, 4874 struct sock *other, 4875 struct sock *newsk) 4876 { 4877 struct sk_security_struct *sksec_sock = sock->sk_security; 4878 struct sk_security_struct *sksec_other = other->sk_security; 4879 struct sk_security_struct *sksec_new = newsk->sk_security; 4880 struct common_audit_data ad; 4881 struct lsm_network_audit net = {0,}; 4882 int err; 4883 4884 ad.type = LSM_AUDIT_DATA_NET; 4885 ad.u.net = &net; 4886 ad.u.net->sk = other; 4887 4888 err = avc_has_perm(&selinux_state, 4889 sksec_sock->sid, sksec_other->sid, 4890 sksec_other->sclass, 4891 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4892 if (err) 4893 return err; 4894 4895 /* server child socket */ 4896 sksec_new->peer_sid = sksec_sock->sid; 4897 err = security_sid_mls_copy(&selinux_state, sksec_other->sid, 4898 sksec_sock->sid, &sksec_new->sid); 4899 if (err) 4900 return err; 4901 4902 /* connecting socket */ 4903 sksec_sock->peer_sid = sksec_new->sid; 4904 4905 return 0; 4906 } 4907 4908 static int selinux_socket_unix_may_send(struct socket *sock, 4909 struct socket *other) 4910 { 4911 struct sk_security_struct *ssec = sock->sk->sk_security; 4912 struct sk_security_struct *osec = other->sk->sk_security; 4913 struct common_audit_data ad; 4914 struct lsm_network_audit net = {0,}; 4915 4916 ad.type = LSM_AUDIT_DATA_NET; 4917 ad.u.net = &net; 4918 ad.u.net->sk = other->sk; 4919 4920 return avc_has_perm(&selinux_state, 4921 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4922 &ad); 4923 } 4924 4925 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4926 char *addrp, u16 family, u32 peer_sid, 4927 struct common_audit_data *ad) 4928 { 4929 int err; 4930 u32 if_sid; 4931 u32 node_sid; 4932 4933 err = sel_netif_sid(ns, ifindex, &if_sid); 4934 if (err) 4935 return err; 4936 err = avc_has_perm(&selinux_state, 4937 peer_sid, if_sid, 4938 SECCLASS_NETIF, NETIF__INGRESS, ad); 4939 if (err) 4940 return err; 4941 4942 err = sel_netnode_sid(addrp, family, &node_sid); 4943 if (err) 4944 return err; 4945 return avc_has_perm(&selinux_state, 4946 peer_sid, node_sid, 4947 SECCLASS_NODE, NODE__RECVFROM, ad); 4948 } 4949 4950 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4951 u16 family) 4952 { 4953 int err = 0; 4954 struct sk_security_struct *sksec = sk->sk_security; 4955 u32 sk_sid = sksec->sid; 4956 struct common_audit_data ad; 4957 struct lsm_network_audit net = {0,}; 4958 char *addrp; 4959 4960 ad.type = LSM_AUDIT_DATA_NET; 4961 ad.u.net = &net; 4962 ad.u.net->netif = skb->skb_iif; 4963 ad.u.net->family = family; 4964 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4965 if (err) 4966 return err; 4967 4968 if (selinux_secmark_enabled()) { 4969 err = avc_has_perm(&selinux_state, 4970 sk_sid, skb->secmark, SECCLASS_PACKET, 4971 PACKET__RECV, &ad); 4972 if (err) 4973 return err; 4974 } 4975 4976 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4977 if (err) 4978 return err; 4979 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4980 4981 return err; 4982 } 4983 4984 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4985 { 4986 int err; 4987 struct sk_security_struct *sksec = sk->sk_security; 4988 u16 family = sk->sk_family; 4989 u32 sk_sid = sksec->sid; 4990 struct common_audit_data ad; 4991 struct lsm_network_audit net = {0,}; 4992 char *addrp; 4993 u8 secmark_active; 4994 u8 peerlbl_active; 4995 4996 if (family != PF_INET && family != PF_INET6) 4997 return 0; 4998 4999 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5000 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5001 family = PF_INET; 5002 5003 /* If any sort of compatibility mode is enabled then handoff processing 5004 * to the selinux_sock_rcv_skb_compat() function to deal with the 5005 * special handling. We do this in an attempt to keep this function 5006 * as fast and as clean as possible. */ 5007 if (!selinux_policycap_netpeer()) 5008 return selinux_sock_rcv_skb_compat(sk, skb, family); 5009 5010 secmark_active = selinux_secmark_enabled(); 5011 peerlbl_active = selinux_peerlbl_enabled(); 5012 if (!secmark_active && !peerlbl_active) 5013 return 0; 5014 5015 ad.type = LSM_AUDIT_DATA_NET; 5016 ad.u.net = &net; 5017 ad.u.net->netif = skb->skb_iif; 5018 ad.u.net->family = family; 5019 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5020 if (err) 5021 return err; 5022 5023 if (peerlbl_active) { 5024 u32 peer_sid; 5025 5026 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5027 if (err) 5028 return err; 5029 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5030 addrp, family, peer_sid, &ad); 5031 if (err) { 5032 selinux_netlbl_err(skb, family, err, 0); 5033 return err; 5034 } 5035 err = avc_has_perm(&selinux_state, 5036 sk_sid, peer_sid, SECCLASS_PEER, 5037 PEER__RECV, &ad); 5038 if (err) { 5039 selinux_netlbl_err(skb, family, err, 0); 5040 return err; 5041 } 5042 } 5043 5044 if (secmark_active) { 5045 err = avc_has_perm(&selinux_state, 5046 sk_sid, skb->secmark, SECCLASS_PACKET, 5047 PACKET__RECV, &ad); 5048 if (err) 5049 return err; 5050 } 5051 5052 return err; 5053 } 5054 5055 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 5056 int __user *optlen, unsigned len) 5057 { 5058 int err = 0; 5059 char *scontext; 5060 u32 scontext_len; 5061 struct sk_security_struct *sksec = sock->sk->sk_security; 5062 u32 peer_sid = SECSID_NULL; 5063 5064 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5065 sksec->sclass == SECCLASS_TCP_SOCKET || 5066 sksec->sclass == SECCLASS_SCTP_SOCKET) 5067 peer_sid = sksec->peer_sid; 5068 if (peer_sid == SECSID_NULL) 5069 return -ENOPROTOOPT; 5070 5071 err = security_sid_to_context(&selinux_state, peer_sid, &scontext, 5072 &scontext_len); 5073 if (err) 5074 return err; 5075 5076 if (scontext_len > len) { 5077 err = -ERANGE; 5078 goto out_len; 5079 } 5080 5081 if (copy_to_user(optval, scontext, scontext_len)) 5082 err = -EFAULT; 5083 5084 out_len: 5085 if (put_user(scontext_len, optlen)) 5086 err = -EFAULT; 5087 kfree(scontext); 5088 return err; 5089 } 5090 5091 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 5092 { 5093 u32 peer_secid = SECSID_NULL; 5094 u16 family; 5095 struct inode_security_struct *isec; 5096 5097 if (skb && skb->protocol == htons(ETH_P_IP)) 5098 family = PF_INET; 5099 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5100 family = PF_INET6; 5101 else if (sock) 5102 family = sock->sk->sk_family; 5103 else 5104 goto out; 5105 5106 if (sock && family == PF_UNIX) { 5107 isec = inode_security_novalidate(SOCK_INODE(sock)); 5108 peer_secid = isec->sid; 5109 } else if (skb) 5110 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5111 5112 out: 5113 *secid = peer_secid; 5114 if (peer_secid == SECSID_NULL) 5115 return -EINVAL; 5116 return 0; 5117 } 5118 5119 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5120 { 5121 struct sk_security_struct *sksec; 5122 5123 sksec = kzalloc(sizeof(*sksec), priority); 5124 if (!sksec) 5125 return -ENOMEM; 5126 5127 sksec->peer_sid = SECINITSID_UNLABELED; 5128 sksec->sid = SECINITSID_UNLABELED; 5129 sksec->sclass = SECCLASS_SOCKET; 5130 selinux_netlbl_sk_security_reset(sksec); 5131 sk->sk_security = sksec; 5132 5133 return 0; 5134 } 5135 5136 static void selinux_sk_free_security(struct sock *sk) 5137 { 5138 struct sk_security_struct *sksec = sk->sk_security; 5139 5140 sk->sk_security = NULL; 5141 selinux_netlbl_sk_security_free(sksec); 5142 kfree(sksec); 5143 } 5144 5145 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5146 { 5147 struct sk_security_struct *sksec = sk->sk_security; 5148 struct sk_security_struct *newsksec = newsk->sk_security; 5149 5150 newsksec->sid = sksec->sid; 5151 newsksec->peer_sid = sksec->peer_sid; 5152 newsksec->sclass = sksec->sclass; 5153 5154 selinux_netlbl_sk_security_reset(newsksec); 5155 } 5156 5157 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 5158 { 5159 if (!sk) 5160 *secid = SECINITSID_ANY_SOCKET; 5161 else { 5162 struct sk_security_struct *sksec = sk->sk_security; 5163 5164 *secid = sksec->sid; 5165 } 5166 } 5167 5168 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5169 { 5170 struct inode_security_struct *isec = 5171 inode_security_novalidate(SOCK_INODE(parent)); 5172 struct sk_security_struct *sksec = sk->sk_security; 5173 5174 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5175 sk->sk_family == PF_UNIX) 5176 isec->sid = sksec->sid; 5177 sksec->sclass = isec->sclass; 5178 } 5179 5180 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming 5181 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association 5182 * already present). 5183 */ 5184 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep, 5185 struct sk_buff *skb) 5186 { 5187 struct sk_security_struct *sksec = ep->base.sk->sk_security; 5188 struct common_audit_data ad; 5189 struct lsm_network_audit net = {0,}; 5190 u8 peerlbl_active; 5191 u32 peer_sid = SECINITSID_UNLABELED; 5192 u32 conn_sid; 5193 int err = 0; 5194 5195 if (!selinux_policycap_extsockclass()) 5196 return 0; 5197 5198 peerlbl_active = selinux_peerlbl_enabled(); 5199 5200 if (peerlbl_active) { 5201 /* This will return peer_sid = SECSID_NULL if there are 5202 * no peer labels, see security_net_peersid_resolve(). 5203 */ 5204 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family, 5205 &peer_sid); 5206 if (err) 5207 return err; 5208 5209 if (peer_sid == SECSID_NULL) 5210 peer_sid = SECINITSID_UNLABELED; 5211 } 5212 5213 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5214 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5215 5216 /* Here as first association on socket. As the peer SID 5217 * was allowed by peer recv (and the netif/node checks), 5218 * then it is approved by policy and used as the primary 5219 * peer SID for getpeercon(3). 5220 */ 5221 sksec->peer_sid = peer_sid; 5222 } else if (sksec->peer_sid != peer_sid) { 5223 /* Other association peer SIDs are checked to enforce 5224 * consistency among the peer SIDs. 5225 */ 5226 ad.type = LSM_AUDIT_DATA_NET; 5227 ad.u.net = &net; 5228 ad.u.net->sk = ep->base.sk; 5229 err = avc_has_perm(&selinux_state, 5230 sksec->peer_sid, peer_sid, sksec->sclass, 5231 SCTP_SOCKET__ASSOCIATION, &ad); 5232 if (err) 5233 return err; 5234 } 5235 5236 /* Compute the MLS component for the connection and store 5237 * the information in ep. This will be used by SCTP TCP type 5238 * sockets and peeled off connections as they cause a new 5239 * socket to be generated. selinux_sctp_sk_clone() will then 5240 * plug this into the new socket. 5241 */ 5242 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid); 5243 if (err) 5244 return err; 5245 5246 ep->secid = conn_sid; 5247 ep->peer_secid = peer_sid; 5248 5249 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5250 return selinux_netlbl_sctp_assoc_request(ep, skb); 5251 } 5252 5253 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5254 * based on their @optname. 5255 */ 5256 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5257 struct sockaddr *address, 5258 int addrlen) 5259 { 5260 int len, err = 0, walk_size = 0; 5261 void *addr_buf; 5262 struct sockaddr *addr; 5263 struct socket *sock; 5264 5265 if (!selinux_policycap_extsockclass()) 5266 return 0; 5267 5268 /* Process one or more addresses that may be IPv4 or IPv6 */ 5269 sock = sk->sk_socket; 5270 addr_buf = address; 5271 5272 while (walk_size < addrlen) { 5273 addr = addr_buf; 5274 switch (addr->sa_family) { 5275 case AF_INET: 5276 len = sizeof(struct sockaddr_in); 5277 break; 5278 case AF_INET6: 5279 len = sizeof(struct sockaddr_in6); 5280 break; 5281 default: 5282 return -EAFNOSUPPORT; 5283 } 5284 5285 err = -EINVAL; 5286 switch (optname) { 5287 /* Bind checks */ 5288 case SCTP_PRIMARY_ADDR: 5289 case SCTP_SET_PEER_PRIMARY_ADDR: 5290 case SCTP_SOCKOPT_BINDX_ADD: 5291 err = selinux_socket_bind(sock, addr, len); 5292 break; 5293 /* Connect checks */ 5294 case SCTP_SOCKOPT_CONNECTX: 5295 case SCTP_PARAM_SET_PRIMARY: 5296 case SCTP_PARAM_ADD_IP: 5297 case SCTP_SENDMSG_CONNECT: 5298 err = selinux_socket_connect_helper(sock, addr, len); 5299 if (err) 5300 return err; 5301 5302 /* As selinux_sctp_bind_connect() is called by the 5303 * SCTP protocol layer, the socket is already locked, 5304 * therefore selinux_netlbl_socket_connect_locked() is 5305 * is called here. The situations handled are: 5306 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5307 * whenever a new IP address is added or when a new 5308 * primary address is selected. 5309 * Note that an SCTP connect(2) call happens before 5310 * the SCTP protocol layer and is handled via 5311 * selinux_socket_connect(). 5312 */ 5313 err = selinux_netlbl_socket_connect_locked(sk, addr); 5314 break; 5315 } 5316 5317 if (err) 5318 return err; 5319 5320 addr_buf += len; 5321 walk_size += len; 5322 } 5323 5324 return 0; 5325 } 5326 5327 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5328 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, 5329 struct sock *newsk) 5330 { 5331 struct sk_security_struct *sksec = sk->sk_security; 5332 struct sk_security_struct *newsksec = newsk->sk_security; 5333 5334 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5335 * the non-sctp clone version. 5336 */ 5337 if (!selinux_policycap_extsockclass()) 5338 return selinux_sk_clone_security(sk, newsk); 5339 5340 newsksec->sid = ep->secid; 5341 newsksec->peer_sid = ep->peer_secid; 5342 newsksec->sclass = sksec->sclass; 5343 selinux_netlbl_sctp_sk_clone(sk, newsk); 5344 } 5345 5346 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 5347 struct request_sock *req) 5348 { 5349 struct sk_security_struct *sksec = sk->sk_security; 5350 int err; 5351 u16 family = req->rsk_ops->family; 5352 u32 connsid; 5353 u32 peersid; 5354 5355 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5356 if (err) 5357 return err; 5358 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5359 if (err) 5360 return err; 5361 req->secid = connsid; 5362 req->peer_secid = peersid; 5363 5364 return selinux_netlbl_inet_conn_request(req, family); 5365 } 5366 5367 static void selinux_inet_csk_clone(struct sock *newsk, 5368 const struct request_sock *req) 5369 { 5370 struct sk_security_struct *newsksec = newsk->sk_security; 5371 5372 newsksec->sid = req->secid; 5373 newsksec->peer_sid = req->peer_secid; 5374 /* NOTE: Ideally, we should also get the isec->sid for the 5375 new socket in sync, but we don't have the isec available yet. 5376 So we will wait until sock_graft to do it, by which 5377 time it will have been created and available. */ 5378 5379 /* We don't need to take any sort of lock here as we are the only 5380 * thread with access to newsksec */ 5381 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5382 } 5383 5384 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5385 { 5386 u16 family = sk->sk_family; 5387 struct sk_security_struct *sksec = sk->sk_security; 5388 5389 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5390 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5391 family = PF_INET; 5392 5393 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5394 } 5395 5396 static int selinux_secmark_relabel_packet(u32 sid) 5397 { 5398 const struct task_security_struct *__tsec; 5399 u32 tsid; 5400 5401 __tsec = current_security(); 5402 tsid = __tsec->sid; 5403 5404 return avc_has_perm(&selinux_state, 5405 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, 5406 NULL); 5407 } 5408 5409 static void selinux_secmark_refcount_inc(void) 5410 { 5411 atomic_inc(&selinux_secmark_refcount); 5412 } 5413 5414 static void selinux_secmark_refcount_dec(void) 5415 { 5416 atomic_dec(&selinux_secmark_refcount); 5417 } 5418 5419 static void selinux_req_classify_flow(const struct request_sock *req, 5420 struct flowi *fl) 5421 { 5422 fl->flowi_secid = req->secid; 5423 } 5424 5425 static int selinux_tun_dev_alloc_security(void **security) 5426 { 5427 struct tun_security_struct *tunsec; 5428 5429 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5430 if (!tunsec) 5431 return -ENOMEM; 5432 tunsec->sid = current_sid(); 5433 5434 *security = tunsec; 5435 return 0; 5436 } 5437 5438 static void selinux_tun_dev_free_security(void *security) 5439 { 5440 kfree(security); 5441 } 5442 5443 static int selinux_tun_dev_create(void) 5444 { 5445 u32 sid = current_sid(); 5446 5447 /* we aren't taking into account the "sockcreate" SID since the socket 5448 * that is being created here is not a socket in the traditional sense, 5449 * instead it is a private sock, accessible only to the kernel, and 5450 * representing a wide range of network traffic spanning multiple 5451 * connections unlike traditional sockets - check the TUN driver to 5452 * get a better understanding of why this socket is special */ 5453 5454 return avc_has_perm(&selinux_state, 5455 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5456 NULL); 5457 } 5458 5459 static int selinux_tun_dev_attach_queue(void *security) 5460 { 5461 struct tun_security_struct *tunsec = security; 5462 5463 return avc_has_perm(&selinux_state, 5464 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5465 TUN_SOCKET__ATTACH_QUEUE, NULL); 5466 } 5467 5468 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5469 { 5470 struct tun_security_struct *tunsec = security; 5471 struct sk_security_struct *sksec = sk->sk_security; 5472 5473 /* we don't currently perform any NetLabel based labeling here and it 5474 * isn't clear that we would want to do so anyway; while we could apply 5475 * labeling without the support of the TUN user the resulting labeled 5476 * traffic from the other end of the connection would almost certainly 5477 * cause confusion to the TUN user that had no idea network labeling 5478 * protocols were being used */ 5479 5480 sksec->sid = tunsec->sid; 5481 sksec->sclass = SECCLASS_TUN_SOCKET; 5482 5483 return 0; 5484 } 5485 5486 static int selinux_tun_dev_open(void *security) 5487 { 5488 struct tun_security_struct *tunsec = security; 5489 u32 sid = current_sid(); 5490 int err; 5491 5492 err = avc_has_perm(&selinux_state, 5493 sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5494 TUN_SOCKET__RELABELFROM, NULL); 5495 if (err) 5496 return err; 5497 err = avc_has_perm(&selinux_state, 5498 sid, sid, SECCLASS_TUN_SOCKET, 5499 TUN_SOCKET__RELABELTO, NULL); 5500 if (err) 5501 return err; 5502 tunsec->sid = sid; 5503 5504 return 0; 5505 } 5506 5507 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 5508 { 5509 int err = 0; 5510 u32 perm; 5511 struct nlmsghdr *nlh; 5512 struct sk_security_struct *sksec = sk->sk_security; 5513 5514 if (skb->len < NLMSG_HDRLEN) { 5515 err = -EINVAL; 5516 goto out; 5517 } 5518 nlh = nlmsg_hdr(skb); 5519 5520 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 5521 if (err) { 5522 if (err == -EINVAL) { 5523 pr_warn_ratelimited("SELinux: unrecognized netlink" 5524 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 5525 " pig=%d comm=%s\n", 5526 sk->sk_protocol, nlh->nlmsg_type, 5527 secclass_map[sksec->sclass - 1].name, 5528 task_pid_nr(current), current->comm); 5529 if (!enforcing_enabled(&selinux_state) || 5530 security_get_allow_unknown(&selinux_state)) 5531 err = 0; 5532 } 5533 5534 /* Ignore */ 5535 if (err == -ENOENT) 5536 err = 0; 5537 goto out; 5538 } 5539 5540 err = sock_has_perm(sk, perm); 5541 out: 5542 return err; 5543 } 5544 5545 #ifdef CONFIG_NETFILTER 5546 5547 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5548 const struct net_device *indev, 5549 u16 family) 5550 { 5551 int err; 5552 char *addrp; 5553 u32 peer_sid; 5554 struct common_audit_data ad; 5555 struct lsm_network_audit net = {0,}; 5556 u8 secmark_active; 5557 u8 netlbl_active; 5558 u8 peerlbl_active; 5559 5560 if (!selinux_policycap_netpeer()) 5561 return NF_ACCEPT; 5562 5563 secmark_active = selinux_secmark_enabled(); 5564 netlbl_active = netlbl_enabled(); 5565 peerlbl_active = selinux_peerlbl_enabled(); 5566 if (!secmark_active && !peerlbl_active) 5567 return NF_ACCEPT; 5568 5569 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5570 return NF_DROP; 5571 5572 ad.type = LSM_AUDIT_DATA_NET; 5573 ad.u.net = &net; 5574 ad.u.net->netif = indev->ifindex; 5575 ad.u.net->family = family; 5576 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5577 return NF_DROP; 5578 5579 if (peerlbl_active) { 5580 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5581 addrp, family, peer_sid, &ad); 5582 if (err) { 5583 selinux_netlbl_err(skb, family, err, 1); 5584 return NF_DROP; 5585 } 5586 } 5587 5588 if (secmark_active) 5589 if (avc_has_perm(&selinux_state, 5590 peer_sid, skb->secmark, 5591 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5592 return NF_DROP; 5593 5594 if (netlbl_active) 5595 /* we do this in the FORWARD path and not the POST_ROUTING 5596 * path because we want to make sure we apply the necessary 5597 * labeling before IPsec is applied so we can leverage AH 5598 * protection */ 5599 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5600 return NF_DROP; 5601 5602 return NF_ACCEPT; 5603 } 5604 5605 static unsigned int selinux_ipv4_forward(void *priv, 5606 struct sk_buff *skb, 5607 const struct nf_hook_state *state) 5608 { 5609 return selinux_ip_forward(skb, state->in, PF_INET); 5610 } 5611 5612 #if IS_ENABLED(CONFIG_IPV6) 5613 static unsigned int selinux_ipv6_forward(void *priv, 5614 struct sk_buff *skb, 5615 const struct nf_hook_state *state) 5616 { 5617 return selinux_ip_forward(skb, state->in, PF_INET6); 5618 } 5619 #endif /* IPV6 */ 5620 5621 static unsigned int selinux_ip_output(struct sk_buff *skb, 5622 u16 family) 5623 { 5624 struct sock *sk; 5625 u32 sid; 5626 5627 if (!netlbl_enabled()) 5628 return NF_ACCEPT; 5629 5630 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5631 * because we want to make sure we apply the necessary labeling 5632 * before IPsec is applied so we can leverage AH protection */ 5633 sk = skb->sk; 5634 if (sk) { 5635 struct sk_security_struct *sksec; 5636 5637 if (sk_listener(sk)) 5638 /* if the socket is the listening state then this 5639 * packet is a SYN-ACK packet which means it needs to 5640 * be labeled based on the connection/request_sock and 5641 * not the parent socket. unfortunately, we can't 5642 * lookup the request_sock yet as it isn't queued on 5643 * the parent socket until after the SYN-ACK is sent. 5644 * the "solution" is to simply pass the packet as-is 5645 * as any IP option based labeling should be copied 5646 * from the initial connection request (in the IP 5647 * layer). it is far from ideal, but until we get a 5648 * security label in the packet itself this is the 5649 * best we can do. */ 5650 return NF_ACCEPT; 5651 5652 /* standard practice, label using the parent socket */ 5653 sksec = sk->sk_security; 5654 sid = sksec->sid; 5655 } else 5656 sid = SECINITSID_KERNEL; 5657 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5658 return NF_DROP; 5659 5660 return NF_ACCEPT; 5661 } 5662 5663 static unsigned int selinux_ipv4_output(void *priv, 5664 struct sk_buff *skb, 5665 const struct nf_hook_state *state) 5666 { 5667 return selinux_ip_output(skb, PF_INET); 5668 } 5669 5670 #if IS_ENABLED(CONFIG_IPV6) 5671 static unsigned int selinux_ipv6_output(void *priv, 5672 struct sk_buff *skb, 5673 const struct nf_hook_state *state) 5674 { 5675 return selinux_ip_output(skb, PF_INET6); 5676 } 5677 #endif /* IPV6 */ 5678 5679 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5680 int ifindex, 5681 u16 family) 5682 { 5683 struct sock *sk = skb_to_full_sk(skb); 5684 struct sk_security_struct *sksec; 5685 struct common_audit_data ad; 5686 struct lsm_network_audit net = {0,}; 5687 char *addrp; 5688 u8 proto; 5689 5690 if (sk == NULL) 5691 return NF_ACCEPT; 5692 sksec = sk->sk_security; 5693 5694 ad.type = LSM_AUDIT_DATA_NET; 5695 ad.u.net = &net; 5696 ad.u.net->netif = ifindex; 5697 ad.u.net->family = family; 5698 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5699 return NF_DROP; 5700 5701 if (selinux_secmark_enabled()) 5702 if (avc_has_perm(&selinux_state, 5703 sksec->sid, skb->secmark, 5704 SECCLASS_PACKET, PACKET__SEND, &ad)) 5705 return NF_DROP_ERR(-ECONNREFUSED); 5706 5707 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5708 return NF_DROP_ERR(-ECONNREFUSED); 5709 5710 return NF_ACCEPT; 5711 } 5712 5713 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5714 const struct net_device *outdev, 5715 u16 family) 5716 { 5717 u32 secmark_perm; 5718 u32 peer_sid; 5719 int ifindex = outdev->ifindex; 5720 struct sock *sk; 5721 struct common_audit_data ad; 5722 struct lsm_network_audit net = {0,}; 5723 char *addrp; 5724 u8 secmark_active; 5725 u8 peerlbl_active; 5726 5727 /* If any sort of compatibility mode is enabled then handoff processing 5728 * to the selinux_ip_postroute_compat() function to deal with the 5729 * special handling. We do this in an attempt to keep this function 5730 * as fast and as clean as possible. */ 5731 if (!selinux_policycap_netpeer()) 5732 return selinux_ip_postroute_compat(skb, ifindex, family); 5733 5734 secmark_active = selinux_secmark_enabled(); 5735 peerlbl_active = selinux_peerlbl_enabled(); 5736 if (!secmark_active && !peerlbl_active) 5737 return NF_ACCEPT; 5738 5739 sk = skb_to_full_sk(skb); 5740 5741 #ifdef CONFIG_XFRM 5742 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5743 * packet transformation so allow the packet to pass without any checks 5744 * since we'll have another chance to perform access control checks 5745 * when the packet is on it's final way out. 5746 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5747 * is NULL, in this case go ahead and apply access control. 5748 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5749 * TCP listening state we cannot wait until the XFRM processing 5750 * is done as we will miss out on the SA label if we do; 5751 * unfortunately, this means more work, but it is only once per 5752 * connection. */ 5753 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5754 !(sk && sk_listener(sk))) 5755 return NF_ACCEPT; 5756 #endif 5757 5758 if (sk == NULL) { 5759 /* Without an associated socket the packet is either coming 5760 * from the kernel or it is being forwarded; check the packet 5761 * to determine which and if the packet is being forwarded 5762 * query the packet directly to determine the security label. */ 5763 if (skb->skb_iif) { 5764 secmark_perm = PACKET__FORWARD_OUT; 5765 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5766 return NF_DROP; 5767 } else { 5768 secmark_perm = PACKET__SEND; 5769 peer_sid = SECINITSID_KERNEL; 5770 } 5771 } else if (sk_listener(sk)) { 5772 /* Locally generated packet but the associated socket is in the 5773 * listening state which means this is a SYN-ACK packet. In 5774 * this particular case the correct security label is assigned 5775 * to the connection/request_sock but unfortunately we can't 5776 * query the request_sock as it isn't queued on the parent 5777 * socket until after the SYN-ACK packet is sent; the only 5778 * viable choice is to regenerate the label like we do in 5779 * selinux_inet_conn_request(). See also selinux_ip_output() 5780 * for similar problems. */ 5781 u32 skb_sid; 5782 struct sk_security_struct *sksec; 5783 5784 sksec = sk->sk_security; 5785 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5786 return NF_DROP; 5787 /* At this point, if the returned skb peerlbl is SECSID_NULL 5788 * and the packet has been through at least one XFRM 5789 * transformation then we must be dealing with the "final" 5790 * form of labeled IPsec packet; since we've already applied 5791 * all of our access controls on this packet we can safely 5792 * pass the packet. */ 5793 if (skb_sid == SECSID_NULL) { 5794 switch (family) { 5795 case PF_INET: 5796 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5797 return NF_ACCEPT; 5798 break; 5799 case PF_INET6: 5800 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5801 return NF_ACCEPT; 5802 break; 5803 default: 5804 return NF_DROP_ERR(-ECONNREFUSED); 5805 } 5806 } 5807 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5808 return NF_DROP; 5809 secmark_perm = PACKET__SEND; 5810 } else { 5811 /* Locally generated packet, fetch the security label from the 5812 * associated socket. */ 5813 struct sk_security_struct *sksec = sk->sk_security; 5814 peer_sid = sksec->sid; 5815 secmark_perm = PACKET__SEND; 5816 } 5817 5818 ad.type = LSM_AUDIT_DATA_NET; 5819 ad.u.net = &net; 5820 ad.u.net->netif = ifindex; 5821 ad.u.net->family = family; 5822 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5823 return NF_DROP; 5824 5825 if (secmark_active) 5826 if (avc_has_perm(&selinux_state, 5827 peer_sid, skb->secmark, 5828 SECCLASS_PACKET, secmark_perm, &ad)) 5829 return NF_DROP_ERR(-ECONNREFUSED); 5830 5831 if (peerlbl_active) { 5832 u32 if_sid; 5833 u32 node_sid; 5834 5835 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5836 return NF_DROP; 5837 if (avc_has_perm(&selinux_state, 5838 peer_sid, if_sid, 5839 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5840 return NF_DROP_ERR(-ECONNREFUSED); 5841 5842 if (sel_netnode_sid(addrp, family, &node_sid)) 5843 return NF_DROP; 5844 if (avc_has_perm(&selinux_state, 5845 peer_sid, node_sid, 5846 SECCLASS_NODE, NODE__SENDTO, &ad)) 5847 return NF_DROP_ERR(-ECONNREFUSED); 5848 } 5849 5850 return NF_ACCEPT; 5851 } 5852 5853 static unsigned int selinux_ipv4_postroute(void *priv, 5854 struct sk_buff *skb, 5855 const struct nf_hook_state *state) 5856 { 5857 return selinux_ip_postroute(skb, state->out, PF_INET); 5858 } 5859 5860 #if IS_ENABLED(CONFIG_IPV6) 5861 static unsigned int selinux_ipv6_postroute(void *priv, 5862 struct sk_buff *skb, 5863 const struct nf_hook_state *state) 5864 { 5865 return selinux_ip_postroute(skb, state->out, PF_INET6); 5866 } 5867 #endif /* IPV6 */ 5868 5869 #endif /* CONFIG_NETFILTER */ 5870 5871 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5872 { 5873 return selinux_nlmsg_perm(sk, skb); 5874 } 5875 5876 static int ipc_alloc_security(struct kern_ipc_perm *perm, 5877 u16 sclass) 5878 { 5879 struct ipc_security_struct *isec; 5880 5881 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 5882 if (!isec) 5883 return -ENOMEM; 5884 5885 isec->sclass = sclass; 5886 isec->sid = current_sid(); 5887 perm->security = isec; 5888 5889 return 0; 5890 } 5891 5892 static void ipc_free_security(struct kern_ipc_perm *perm) 5893 { 5894 struct ipc_security_struct *isec = perm->security; 5895 perm->security = NULL; 5896 kfree(isec); 5897 } 5898 5899 static int msg_msg_alloc_security(struct msg_msg *msg) 5900 { 5901 struct msg_security_struct *msec; 5902 5903 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 5904 if (!msec) 5905 return -ENOMEM; 5906 5907 msec->sid = SECINITSID_UNLABELED; 5908 msg->security = msec; 5909 5910 return 0; 5911 } 5912 5913 static void msg_msg_free_security(struct msg_msg *msg) 5914 { 5915 struct msg_security_struct *msec = msg->security; 5916 5917 msg->security = NULL; 5918 kfree(msec); 5919 } 5920 5921 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5922 u32 perms) 5923 { 5924 struct ipc_security_struct *isec; 5925 struct common_audit_data ad; 5926 u32 sid = current_sid(); 5927 5928 isec = ipc_perms->security; 5929 5930 ad.type = LSM_AUDIT_DATA_IPC; 5931 ad.u.ipc_id = ipc_perms->key; 5932 5933 return avc_has_perm(&selinux_state, 5934 sid, isec->sid, isec->sclass, perms, &ad); 5935 } 5936 5937 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5938 { 5939 return msg_msg_alloc_security(msg); 5940 } 5941 5942 static void selinux_msg_msg_free_security(struct msg_msg *msg) 5943 { 5944 msg_msg_free_security(msg); 5945 } 5946 5947 /* message queue security operations */ 5948 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 5949 { 5950 struct ipc_security_struct *isec; 5951 struct common_audit_data ad; 5952 u32 sid = current_sid(); 5953 int rc; 5954 5955 rc = ipc_alloc_security(msq, SECCLASS_MSGQ); 5956 if (rc) 5957 return rc; 5958 5959 isec = msq->security; 5960 5961 ad.type = LSM_AUDIT_DATA_IPC; 5962 ad.u.ipc_id = msq->key; 5963 5964 rc = avc_has_perm(&selinux_state, 5965 sid, isec->sid, SECCLASS_MSGQ, 5966 MSGQ__CREATE, &ad); 5967 if (rc) { 5968 ipc_free_security(msq); 5969 return rc; 5970 } 5971 return 0; 5972 } 5973 5974 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq) 5975 { 5976 ipc_free_security(msq); 5977 } 5978 5979 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 5980 { 5981 struct ipc_security_struct *isec; 5982 struct common_audit_data ad; 5983 u32 sid = current_sid(); 5984 5985 isec = msq->security; 5986 5987 ad.type = LSM_AUDIT_DATA_IPC; 5988 ad.u.ipc_id = msq->key; 5989 5990 return avc_has_perm(&selinux_state, 5991 sid, isec->sid, SECCLASS_MSGQ, 5992 MSGQ__ASSOCIATE, &ad); 5993 } 5994 5995 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 5996 { 5997 int err; 5998 int perms; 5999 6000 switch (cmd) { 6001 case IPC_INFO: 6002 case MSG_INFO: 6003 /* No specific object, just general system-wide information. */ 6004 return avc_has_perm(&selinux_state, 6005 current_sid(), SECINITSID_KERNEL, 6006 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6007 case IPC_STAT: 6008 case MSG_STAT: 6009 case MSG_STAT_ANY: 6010 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6011 break; 6012 case IPC_SET: 6013 perms = MSGQ__SETATTR; 6014 break; 6015 case IPC_RMID: 6016 perms = MSGQ__DESTROY; 6017 break; 6018 default: 6019 return 0; 6020 } 6021 6022 err = ipc_has_perm(msq, perms); 6023 return err; 6024 } 6025 6026 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6027 { 6028 struct ipc_security_struct *isec; 6029 struct msg_security_struct *msec; 6030 struct common_audit_data ad; 6031 u32 sid = current_sid(); 6032 int rc; 6033 6034 isec = msq->security; 6035 msec = msg->security; 6036 6037 /* 6038 * First time through, need to assign label to the message 6039 */ 6040 if (msec->sid == SECINITSID_UNLABELED) { 6041 /* 6042 * Compute new sid based on current process and 6043 * message queue this message will be stored in 6044 */ 6045 rc = security_transition_sid(&selinux_state, sid, isec->sid, 6046 SECCLASS_MSG, NULL, &msec->sid); 6047 if (rc) 6048 return rc; 6049 } 6050 6051 ad.type = LSM_AUDIT_DATA_IPC; 6052 ad.u.ipc_id = msq->key; 6053 6054 /* Can this process write to the queue? */ 6055 rc = avc_has_perm(&selinux_state, 6056 sid, isec->sid, SECCLASS_MSGQ, 6057 MSGQ__WRITE, &ad); 6058 if (!rc) 6059 /* Can this process send the message */ 6060 rc = avc_has_perm(&selinux_state, 6061 sid, msec->sid, SECCLASS_MSG, 6062 MSG__SEND, &ad); 6063 if (!rc) 6064 /* Can the message be put in the queue? */ 6065 rc = avc_has_perm(&selinux_state, 6066 msec->sid, isec->sid, SECCLASS_MSGQ, 6067 MSGQ__ENQUEUE, &ad); 6068 6069 return rc; 6070 } 6071 6072 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6073 struct task_struct *target, 6074 long type, int mode) 6075 { 6076 struct ipc_security_struct *isec; 6077 struct msg_security_struct *msec; 6078 struct common_audit_data ad; 6079 u32 sid = task_sid(target); 6080 int rc; 6081 6082 isec = msq->security; 6083 msec = msg->security; 6084 6085 ad.type = LSM_AUDIT_DATA_IPC; 6086 ad.u.ipc_id = msq->key; 6087 6088 rc = avc_has_perm(&selinux_state, 6089 sid, isec->sid, 6090 SECCLASS_MSGQ, MSGQ__READ, &ad); 6091 if (!rc) 6092 rc = avc_has_perm(&selinux_state, 6093 sid, msec->sid, 6094 SECCLASS_MSG, MSG__RECEIVE, &ad); 6095 return rc; 6096 } 6097 6098 /* Shared Memory security operations */ 6099 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6100 { 6101 struct ipc_security_struct *isec; 6102 struct common_audit_data ad; 6103 u32 sid = current_sid(); 6104 int rc; 6105 6106 rc = ipc_alloc_security(shp, SECCLASS_SHM); 6107 if (rc) 6108 return rc; 6109 6110 isec = shp->security; 6111 6112 ad.type = LSM_AUDIT_DATA_IPC; 6113 ad.u.ipc_id = shp->key; 6114 6115 rc = avc_has_perm(&selinux_state, 6116 sid, isec->sid, SECCLASS_SHM, 6117 SHM__CREATE, &ad); 6118 if (rc) { 6119 ipc_free_security(shp); 6120 return rc; 6121 } 6122 return 0; 6123 } 6124 6125 static void selinux_shm_free_security(struct kern_ipc_perm *shp) 6126 { 6127 ipc_free_security(shp); 6128 } 6129 6130 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6131 { 6132 struct ipc_security_struct *isec; 6133 struct common_audit_data ad; 6134 u32 sid = current_sid(); 6135 6136 isec = shp->security; 6137 6138 ad.type = LSM_AUDIT_DATA_IPC; 6139 ad.u.ipc_id = shp->key; 6140 6141 return avc_has_perm(&selinux_state, 6142 sid, isec->sid, SECCLASS_SHM, 6143 SHM__ASSOCIATE, &ad); 6144 } 6145 6146 /* Note, at this point, shp is locked down */ 6147 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6148 { 6149 int perms; 6150 int err; 6151 6152 switch (cmd) { 6153 case IPC_INFO: 6154 case SHM_INFO: 6155 /* No specific object, just general system-wide information. */ 6156 return avc_has_perm(&selinux_state, 6157 current_sid(), SECINITSID_KERNEL, 6158 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6159 case IPC_STAT: 6160 case SHM_STAT: 6161 case SHM_STAT_ANY: 6162 perms = SHM__GETATTR | SHM__ASSOCIATE; 6163 break; 6164 case IPC_SET: 6165 perms = SHM__SETATTR; 6166 break; 6167 case SHM_LOCK: 6168 case SHM_UNLOCK: 6169 perms = SHM__LOCK; 6170 break; 6171 case IPC_RMID: 6172 perms = SHM__DESTROY; 6173 break; 6174 default: 6175 return 0; 6176 } 6177 6178 err = ipc_has_perm(shp, perms); 6179 return err; 6180 } 6181 6182 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6183 char __user *shmaddr, int shmflg) 6184 { 6185 u32 perms; 6186 6187 if (shmflg & SHM_RDONLY) 6188 perms = SHM__READ; 6189 else 6190 perms = SHM__READ | SHM__WRITE; 6191 6192 return ipc_has_perm(shp, perms); 6193 } 6194 6195 /* Semaphore security operations */ 6196 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6197 { 6198 struct ipc_security_struct *isec; 6199 struct common_audit_data ad; 6200 u32 sid = current_sid(); 6201 int rc; 6202 6203 rc = ipc_alloc_security(sma, SECCLASS_SEM); 6204 if (rc) 6205 return rc; 6206 6207 isec = sma->security; 6208 6209 ad.type = LSM_AUDIT_DATA_IPC; 6210 ad.u.ipc_id = sma->key; 6211 6212 rc = avc_has_perm(&selinux_state, 6213 sid, isec->sid, SECCLASS_SEM, 6214 SEM__CREATE, &ad); 6215 if (rc) { 6216 ipc_free_security(sma); 6217 return rc; 6218 } 6219 return 0; 6220 } 6221 6222 static void selinux_sem_free_security(struct kern_ipc_perm *sma) 6223 { 6224 ipc_free_security(sma); 6225 } 6226 6227 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6228 { 6229 struct ipc_security_struct *isec; 6230 struct common_audit_data ad; 6231 u32 sid = current_sid(); 6232 6233 isec = sma->security; 6234 6235 ad.type = LSM_AUDIT_DATA_IPC; 6236 ad.u.ipc_id = sma->key; 6237 6238 return avc_has_perm(&selinux_state, 6239 sid, isec->sid, SECCLASS_SEM, 6240 SEM__ASSOCIATE, &ad); 6241 } 6242 6243 /* Note, at this point, sma is locked down */ 6244 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6245 { 6246 int err; 6247 u32 perms; 6248 6249 switch (cmd) { 6250 case IPC_INFO: 6251 case SEM_INFO: 6252 /* No specific object, just general system-wide information. */ 6253 return avc_has_perm(&selinux_state, 6254 current_sid(), SECINITSID_KERNEL, 6255 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6256 case GETPID: 6257 case GETNCNT: 6258 case GETZCNT: 6259 perms = SEM__GETATTR; 6260 break; 6261 case GETVAL: 6262 case GETALL: 6263 perms = SEM__READ; 6264 break; 6265 case SETVAL: 6266 case SETALL: 6267 perms = SEM__WRITE; 6268 break; 6269 case IPC_RMID: 6270 perms = SEM__DESTROY; 6271 break; 6272 case IPC_SET: 6273 perms = SEM__SETATTR; 6274 break; 6275 case IPC_STAT: 6276 case SEM_STAT: 6277 case SEM_STAT_ANY: 6278 perms = SEM__GETATTR | SEM__ASSOCIATE; 6279 break; 6280 default: 6281 return 0; 6282 } 6283 6284 err = ipc_has_perm(sma, perms); 6285 return err; 6286 } 6287 6288 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6289 struct sembuf *sops, unsigned nsops, int alter) 6290 { 6291 u32 perms; 6292 6293 if (alter) 6294 perms = SEM__READ | SEM__WRITE; 6295 else 6296 perms = SEM__READ; 6297 6298 return ipc_has_perm(sma, perms); 6299 } 6300 6301 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6302 { 6303 u32 av = 0; 6304 6305 av = 0; 6306 if (flag & S_IRUGO) 6307 av |= IPC__UNIX_READ; 6308 if (flag & S_IWUGO) 6309 av |= IPC__UNIX_WRITE; 6310 6311 if (av == 0) 6312 return 0; 6313 6314 return ipc_has_perm(ipcp, av); 6315 } 6316 6317 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 6318 { 6319 struct ipc_security_struct *isec = ipcp->security; 6320 *secid = isec->sid; 6321 } 6322 6323 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6324 { 6325 if (inode) 6326 inode_doinit_with_dentry(inode, dentry); 6327 } 6328 6329 static int selinux_getprocattr(struct task_struct *p, 6330 char *name, char **value) 6331 { 6332 const struct task_security_struct *__tsec; 6333 u32 sid; 6334 int error; 6335 unsigned len; 6336 6337 rcu_read_lock(); 6338 __tsec = __task_cred(p)->security; 6339 6340 if (current != p) { 6341 error = avc_has_perm(&selinux_state, 6342 current_sid(), __tsec->sid, 6343 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6344 if (error) 6345 goto bad; 6346 } 6347 6348 if (!strcmp(name, "current")) 6349 sid = __tsec->sid; 6350 else if (!strcmp(name, "prev")) 6351 sid = __tsec->osid; 6352 else if (!strcmp(name, "exec")) 6353 sid = __tsec->exec_sid; 6354 else if (!strcmp(name, "fscreate")) 6355 sid = __tsec->create_sid; 6356 else if (!strcmp(name, "keycreate")) 6357 sid = __tsec->keycreate_sid; 6358 else if (!strcmp(name, "sockcreate")) 6359 sid = __tsec->sockcreate_sid; 6360 else { 6361 error = -EINVAL; 6362 goto bad; 6363 } 6364 rcu_read_unlock(); 6365 6366 if (!sid) 6367 return 0; 6368 6369 error = security_sid_to_context(&selinux_state, sid, value, &len); 6370 if (error) 6371 return error; 6372 return len; 6373 6374 bad: 6375 rcu_read_unlock(); 6376 return error; 6377 } 6378 6379 static int selinux_setprocattr(const char *name, void *value, size_t size) 6380 { 6381 struct task_security_struct *tsec; 6382 struct cred *new; 6383 u32 mysid = current_sid(), sid = 0, ptsid; 6384 int error; 6385 char *str = value; 6386 6387 /* 6388 * Basic control over ability to set these attributes at all. 6389 */ 6390 if (!strcmp(name, "exec")) 6391 error = avc_has_perm(&selinux_state, 6392 mysid, mysid, SECCLASS_PROCESS, 6393 PROCESS__SETEXEC, NULL); 6394 else if (!strcmp(name, "fscreate")) 6395 error = avc_has_perm(&selinux_state, 6396 mysid, mysid, SECCLASS_PROCESS, 6397 PROCESS__SETFSCREATE, NULL); 6398 else if (!strcmp(name, "keycreate")) 6399 error = avc_has_perm(&selinux_state, 6400 mysid, mysid, SECCLASS_PROCESS, 6401 PROCESS__SETKEYCREATE, NULL); 6402 else if (!strcmp(name, "sockcreate")) 6403 error = avc_has_perm(&selinux_state, 6404 mysid, mysid, SECCLASS_PROCESS, 6405 PROCESS__SETSOCKCREATE, NULL); 6406 else if (!strcmp(name, "current")) 6407 error = avc_has_perm(&selinux_state, 6408 mysid, mysid, SECCLASS_PROCESS, 6409 PROCESS__SETCURRENT, NULL); 6410 else 6411 error = -EINVAL; 6412 if (error) 6413 return error; 6414 6415 /* Obtain a SID for the context, if one was specified. */ 6416 if (size && str[0] && str[0] != '\n') { 6417 if (str[size-1] == '\n') { 6418 str[size-1] = 0; 6419 size--; 6420 } 6421 error = security_context_to_sid(&selinux_state, value, size, 6422 &sid, GFP_KERNEL); 6423 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6424 if (!has_cap_mac_admin(true)) { 6425 struct audit_buffer *ab; 6426 size_t audit_size; 6427 6428 /* We strip a nul only if it is at the end, otherwise the 6429 * context contains a nul and we should audit that */ 6430 if (str[size - 1] == '\0') 6431 audit_size = size - 1; 6432 else 6433 audit_size = size; 6434 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 6435 audit_log_format(ab, "op=fscreate invalid_context="); 6436 audit_log_n_untrustedstring(ab, value, audit_size); 6437 audit_log_end(ab); 6438 6439 return error; 6440 } 6441 error = security_context_to_sid_force( 6442 &selinux_state, 6443 value, size, &sid); 6444 } 6445 if (error) 6446 return error; 6447 } 6448 6449 new = prepare_creds(); 6450 if (!new) 6451 return -ENOMEM; 6452 6453 /* Permission checking based on the specified context is 6454 performed during the actual operation (execve, 6455 open/mkdir/...), when we know the full context of the 6456 operation. See selinux_bprm_set_creds for the execve 6457 checks and may_create for the file creation checks. The 6458 operation will then fail if the context is not permitted. */ 6459 tsec = new->security; 6460 if (!strcmp(name, "exec")) { 6461 tsec->exec_sid = sid; 6462 } else if (!strcmp(name, "fscreate")) { 6463 tsec->create_sid = sid; 6464 } else if (!strcmp(name, "keycreate")) { 6465 error = avc_has_perm(&selinux_state, 6466 mysid, sid, SECCLASS_KEY, KEY__CREATE, 6467 NULL); 6468 if (error) 6469 goto abort_change; 6470 tsec->keycreate_sid = sid; 6471 } else if (!strcmp(name, "sockcreate")) { 6472 tsec->sockcreate_sid = sid; 6473 } else if (!strcmp(name, "current")) { 6474 error = -EINVAL; 6475 if (sid == 0) 6476 goto abort_change; 6477 6478 /* Only allow single threaded processes to change context */ 6479 error = -EPERM; 6480 if (!current_is_single_threaded()) { 6481 error = security_bounded_transition(&selinux_state, 6482 tsec->sid, sid); 6483 if (error) 6484 goto abort_change; 6485 } 6486 6487 /* Check permissions for the transition. */ 6488 error = avc_has_perm(&selinux_state, 6489 tsec->sid, sid, SECCLASS_PROCESS, 6490 PROCESS__DYNTRANSITION, NULL); 6491 if (error) 6492 goto abort_change; 6493 6494 /* Check for ptracing, and update the task SID if ok. 6495 Otherwise, leave SID unchanged and fail. */ 6496 ptsid = ptrace_parent_sid(); 6497 if (ptsid != 0) { 6498 error = avc_has_perm(&selinux_state, 6499 ptsid, sid, SECCLASS_PROCESS, 6500 PROCESS__PTRACE, NULL); 6501 if (error) 6502 goto abort_change; 6503 } 6504 6505 tsec->sid = sid; 6506 } else { 6507 error = -EINVAL; 6508 goto abort_change; 6509 } 6510 6511 commit_creds(new); 6512 return size; 6513 6514 abort_change: 6515 abort_creds(new); 6516 return error; 6517 } 6518 6519 static int selinux_ismaclabel(const char *name) 6520 { 6521 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6522 } 6523 6524 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6525 { 6526 return security_sid_to_context(&selinux_state, secid, 6527 secdata, seclen); 6528 } 6529 6530 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6531 { 6532 return security_context_to_sid(&selinux_state, secdata, seclen, 6533 secid, GFP_KERNEL); 6534 } 6535 6536 static void selinux_release_secctx(char *secdata, u32 seclen) 6537 { 6538 kfree(secdata); 6539 } 6540 6541 static void selinux_inode_invalidate_secctx(struct inode *inode) 6542 { 6543 struct inode_security_struct *isec = inode->i_security; 6544 6545 spin_lock(&isec->lock); 6546 isec->initialized = LABEL_INVALID; 6547 spin_unlock(&isec->lock); 6548 } 6549 6550 /* 6551 * called with inode->i_mutex locked 6552 */ 6553 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6554 { 6555 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 6556 } 6557 6558 /* 6559 * called with inode->i_mutex locked 6560 */ 6561 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6562 { 6563 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 6564 } 6565 6566 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6567 { 6568 int len = 0; 6569 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 6570 ctx, true); 6571 if (len < 0) 6572 return len; 6573 *ctxlen = len; 6574 return 0; 6575 } 6576 #ifdef CONFIG_KEYS 6577 6578 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6579 unsigned long flags) 6580 { 6581 const struct task_security_struct *tsec; 6582 struct key_security_struct *ksec; 6583 6584 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6585 if (!ksec) 6586 return -ENOMEM; 6587 6588 tsec = cred->security; 6589 if (tsec->keycreate_sid) 6590 ksec->sid = tsec->keycreate_sid; 6591 else 6592 ksec->sid = tsec->sid; 6593 6594 k->security = ksec; 6595 return 0; 6596 } 6597 6598 static void selinux_key_free(struct key *k) 6599 { 6600 struct key_security_struct *ksec = k->security; 6601 6602 k->security = NULL; 6603 kfree(ksec); 6604 } 6605 6606 static int selinux_key_permission(key_ref_t key_ref, 6607 const struct cred *cred, 6608 unsigned perm) 6609 { 6610 struct key *key; 6611 struct key_security_struct *ksec; 6612 u32 sid; 6613 6614 /* if no specific permissions are requested, we skip the 6615 permission check. No serious, additional covert channels 6616 appear to be created. */ 6617 if (perm == 0) 6618 return 0; 6619 6620 sid = cred_sid(cred); 6621 6622 key = key_ref_to_ptr(key_ref); 6623 ksec = key->security; 6624 6625 return avc_has_perm(&selinux_state, 6626 sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6627 } 6628 6629 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6630 { 6631 struct key_security_struct *ksec = key->security; 6632 char *context = NULL; 6633 unsigned len; 6634 int rc; 6635 6636 rc = security_sid_to_context(&selinux_state, ksec->sid, 6637 &context, &len); 6638 if (!rc) 6639 rc = len; 6640 *_buffer = context; 6641 return rc; 6642 } 6643 #endif 6644 6645 #ifdef CONFIG_SECURITY_INFINIBAND 6646 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6647 { 6648 struct common_audit_data ad; 6649 int err; 6650 u32 sid = 0; 6651 struct ib_security_struct *sec = ib_sec; 6652 struct lsm_ibpkey_audit ibpkey; 6653 6654 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6655 if (err) 6656 return err; 6657 6658 ad.type = LSM_AUDIT_DATA_IBPKEY; 6659 ibpkey.subnet_prefix = subnet_prefix; 6660 ibpkey.pkey = pkey_val; 6661 ad.u.ibpkey = &ibpkey; 6662 return avc_has_perm(&selinux_state, 6663 sec->sid, sid, 6664 SECCLASS_INFINIBAND_PKEY, 6665 INFINIBAND_PKEY__ACCESS, &ad); 6666 } 6667 6668 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6669 u8 port_num) 6670 { 6671 struct common_audit_data ad; 6672 int err; 6673 u32 sid = 0; 6674 struct ib_security_struct *sec = ib_sec; 6675 struct lsm_ibendport_audit ibendport; 6676 6677 err = security_ib_endport_sid(&selinux_state, dev_name, port_num, 6678 &sid); 6679 6680 if (err) 6681 return err; 6682 6683 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6684 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6685 ibendport.port = port_num; 6686 ad.u.ibendport = &ibendport; 6687 return avc_has_perm(&selinux_state, 6688 sec->sid, sid, 6689 SECCLASS_INFINIBAND_ENDPORT, 6690 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6691 } 6692 6693 static int selinux_ib_alloc_security(void **ib_sec) 6694 { 6695 struct ib_security_struct *sec; 6696 6697 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6698 if (!sec) 6699 return -ENOMEM; 6700 sec->sid = current_sid(); 6701 6702 *ib_sec = sec; 6703 return 0; 6704 } 6705 6706 static void selinux_ib_free_security(void *ib_sec) 6707 { 6708 kfree(ib_sec); 6709 } 6710 #endif 6711 6712 #ifdef CONFIG_BPF_SYSCALL 6713 static int selinux_bpf(int cmd, union bpf_attr *attr, 6714 unsigned int size) 6715 { 6716 u32 sid = current_sid(); 6717 int ret; 6718 6719 switch (cmd) { 6720 case BPF_MAP_CREATE: 6721 ret = avc_has_perm(&selinux_state, 6722 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6723 NULL); 6724 break; 6725 case BPF_PROG_LOAD: 6726 ret = avc_has_perm(&selinux_state, 6727 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6728 NULL); 6729 break; 6730 default: 6731 ret = 0; 6732 break; 6733 } 6734 6735 return ret; 6736 } 6737 6738 static u32 bpf_map_fmode_to_av(fmode_t fmode) 6739 { 6740 u32 av = 0; 6741 6742 if (fmode & FMODE_READ) 6743 av |= BPF__MAP_READ; 6744 if (fmode & FMODE_WRITE) 6745 av |= BPF__MAP_WRITE; 6746 return av; 6747 } 6748 6749 /* This function will check the file pass through unix socket or binder to see 6750 * if it is a bpf related object. And apply correspinding checks on the bpf 6751 * object based on the type. The bpf maps and programs, not like other files and 6752 * socket, are using a shared anonymous inode inside the kernel as their inode. 6753 * So checking that inode cannot identify if the process have privilege to 6754 * access the bpf object and that's why we have to add this additional check in 6755 * selinux_file_receive and selinux_binder_transfer_files. 6756 */ 6757 static int bpf_fd_pass(struct file *file, u32 sid) 6758 { 6759 struct bpf_security_struct *bpfsec; 6760 struct bpf_prog *prog; 6761 struct bpf_map *map; 6762 int ret; 6763 6764 if (file->f_op == &bpf_map_fops) { 6765 map = file->private_data; 6766 bpfsec = map->security; 6767 ret = avc_has_perm(&selinux_state, 6768 sid, bpfsec->sid, SECCLASS_BPF, 6769 bpf_map_fmode_to_av(file->f_mode), NULL); 6770 if (ret) 6771 return ret; 6772 } else if (file->f_op == &bpf_prog_fops) { 6773 prog = file->private_data; 6774 bpfsec = prog->aux->security; 6775 ret = avc_has_perm(&selinux_state, 6776 sid, bpfsec->sid, SECCLASS_BPF, 6777 BPF__PROG_RUN, NULL); 6778 if (ret) 6779 return ret; 6780 } 6781 return 0; 6782 } 6783 6784 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 6785 { 6786 u32 sid = current_sid(); 6787 struct bpf_security_struct *bpfsec; 6788 6789 bpfsec = map->security; 6790 return avc_has_perm(&selinux_state, 6791 sid, bpfsec->sid, SECCLASS_BPF, 6792 bpf_map_fmode_to_av(fmode), NULL); 6793 } 6794 6795 static int selinux_bpf_prog(struct bpf_prog *prog) 6796 { 6797 u32 sid = current_sid(); 6798 struct bpf_security_struct *bpfsec; 6799 6800 bpfsec = prog->aux->security; 6801 return avc_has_perm(&selinux_state, 6802 sid, bpfsec->sid, SECCLASS_BPF, 6803 BPF__PROG_RUN, NULL); 6804 } 6805 6806 static int selinux_bpf_map_alloc(struct bpf_map *map) 6807 { 6808 struct bpf_security_struct *bpfsec; 6809 6810 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6811 if (!bpfsec) 6812 return -ENOMEM; 6813 6814 bpfsec->sid = current_sid(); 6815 map->security = bpfsec; 6816 6817 return 0; 6818 } 6819 6820 static void selinux_bpf_map_free(struct bpf_map *map) 6821 { 6822 struct bpf_security_struct *bpfsec = map->security; 6823 6824 map->security = NULL; 6825 kfree(bpfsec); 6826 } 6827 6828 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux) 6829 { 6830 struct bpf_security_struct *bpfsec; 6831 6832 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6833 if (!bpfsec) 6834 return -ENOMEM; 6835 6836 bpfsec->sid = current_sid(); 6837 aux->security = bpfsec; 6838 6839 return 0; 6840 } 6841 6842 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) 6843 { 6844 struct bpf_security_struct *bpfsec = aux->security; 6845 6846 aux->security = NULL; 6847 kfree(bpfsec); 6848 } 6849 #endif 6850 6851 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 6852 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6853 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6854 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6855 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6856 6857 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 6858 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 6859 LSM_HOOK_INIT(capget, selinux_capget), 6860 LSM_HOOK_INIT(capset, selinux_capset), 6861 LSM_HOOK_INIT(capable, selinux_capable), 6862 LSM_HOOK_INIT(quotactl, selinux_quotactl), 6863 LSM_HOOK_INIT(quota_on, selinux_quota_on), 6864 LSM_HOOK_INIT(syslog, selinux_syslog), 6865 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6866 6867 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6868 6869 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6870 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6871 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6872 6873 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6874 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6875 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data), 6876 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6877 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6878 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6879 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 6880 LSM_HOOK_INIT(sb_mount, selinux_mount), 6881 LSM_HOOK_INIT(sb_umount, selinux_umount), 6882 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 6883 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 6884 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), 6885 6886 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 6887 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 6888 6889 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 6890 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 6891 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 6892 LSM_HOOK_INIT(inode_create, selinux_inode_create), 6893 LSM_HOOK_INIT(inode_link, selinux_inode_link), 6894 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 6895 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 6896 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 6897 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 6898 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 6899 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 6900 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 6901 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 6902 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 6903 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 6904 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 6905 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 6906 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 6907 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 6908 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 6909 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 6910 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 6911 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 6912 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 6913 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 6914 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 6915 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 6916 6917 LSM_HOOK_INIT(file_permission, selinux_file_permission), 6918 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 6919 LSM_HOOK_INIT(file_free_security, selinux_file_free_security), 6920 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 6921 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 6922 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 6923 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 6924 LSM_HOOK_INIT(file_lock, selinux_file_lock), 6925 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 6926 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 6927 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 6928 LSM_HOOK_INIT(file_receive, selinux_file_receive), 6929 6930 LSM_HOOK_INIT(file_open, selinux_file_open), 6931 6932 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 6933 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), 6934 LSM_HOOK_INIT(cred_free, selinux_cred_free), 6935 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6936 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6937 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 6938 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6939 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6940 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6941 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 6942 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 6943 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 6944 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 6945 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), 6946 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 6947 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 6948 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 6949 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 6950 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 6951 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 6952 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 6953 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 6954 LSM_HOOK_INIT(task_kill, selinux_task_kill), 6955 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 6956 6957 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 6958 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 6959 6960 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 6961 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security), 6962 6963 LSM_HOOK_INIT(msg_queue_alloc_security, 6964 selinux_msg_queue_alloc_security), 6965 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security), 6966 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 6967 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 6968 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 6969 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 6970 6971 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 6972 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security), 6973 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 6974 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 6975 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 6976 6977 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 6978 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security), 6979 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 6980 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 6981 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 6982 6983 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 6984 6985 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 6986 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 6987 6988 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 6989 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 6990 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 6991 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 6992 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 6993 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 6994 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 6995 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 6996 6997 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 6998 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 6999 7000 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7001 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7002 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7003 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7004 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7005 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7006 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7007 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7008 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7009 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7010 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7011 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7012 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7013 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7014 LSM_HOOK_INIT(socket_getpeersec_stream, 7015 selinux_socket_getpeersec_stream), 7016 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7017 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7018 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7019 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7020 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7021 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7022 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7023 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7024 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7025 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7026 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7027 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7028 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7029 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7030 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7031 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7032 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7033 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 7034 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7035 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7036 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7037 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7038 #ifdef CONFIG_SECURITY_INFINIBAND 7039 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7040 LSM_HOOK_INIT(ib_endport_manage_subnet, 7041 selinux_ib_endport_manage_subnet), 7042 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7043 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 7044 #endif 7045 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7046 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7047 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7048 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7049 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7050 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7051 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7052 selinux_xfrm_state_alloc_acquire), 7053 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7054 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7055 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7056 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7057 selinux_xfrm_state_pol_flow_match), 7058 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7059 #endif 7060 7061 #ifdef CONFIG_KEYS 7062 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7063 LSM_HOOK_INIT(key_free, selinux_key_free), 7064 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7065 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7066 #endif 7067 7068 #ifdef CONFIG_AUDIT 7069 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7070 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7071 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7072 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7073 #endif 7074 7075 #ifdef CONFIG_BPF_SYSCALL 7076 LSM_HOOK_INIT(bpf, selinux_bpf), 7077 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7078 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7079 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), 7080 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), 7081 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free), 7082 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free), 7083 #endif 7084 }; 7085 7086 static __init int selinux_init(void) 7087 { 7088 if (!security_module_enable("selinux")) { 7089 selinux_enabled = 0; 7090 return 0; 7091 } 7092 7093 if (!selinux_enabled) { 7094 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 7095 return 0; 7096 } 7097 7098 printk(KERN_INFO "SELinux: Initializing.\n"); 7099 7100 memset(&selinux_state, 0, sizeof(selinux_state)); 7101 enforcing_set(&selinux_state, selinux_enforcing_boot); 7102 selinux_state.checkreqprot = selinux_checkreqprot_boot; 7103 selinux_ss_init(&selinux_state.ss); 7104 selinux_avc_init(&selinux_state.avc); 7105 7106 /* Set the security state for the initial task. */ 7107 cred_init_security(); 7108 7109 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7110 7111 sel_inode_cache = kmem_cache_create("selinux_inode_security", 7112 sizeof(struct inode_security_struct), 7113 0, SLAB_PANIC, NULL); 7114 file_security_cache = kmem_cache_create("selinux_file_security", 7115 sizeof(struct file_security_struct), 7116 0, SLAB_PANIC, NULL); 7117 avc_init(); 7118 7119 avtab_cache_init(); 7120 7121 ebitmap_cache_init(); 7122 7123 hashtab_cache_init(); 7124 7125 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 7126 7127 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7128 panic("SELinux: Unable to register AVC netcache callback\n"); 7129 7130 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7131 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7132 7133 if (selinux_enforcing_boot) 7134 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 7135 else 7136 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 7137 7138 return 0; 7139 } 7140 7141 static void delayed_superblock_init(struct super_block *sb, void *unused) 7142 { 7143 superblock_doinit(sb, NULL); 7144 } 7145 7146 void selinux_complete_init(void) 7147 { 7148 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 7149 7150 /* Set up any superblocks initialized prior to the policy load. */ 7151 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 7152 iterate_supers(delayed_superblock_init, NULL); 7153 } 7154 7155 /* SELinux requires early initialization in order to label 7156 all processes and objects when they are created. */ 7157 security_initcall(selinux_init); 7158 7159 #if defined(CONFIG_NETFILTER) 7160 7161 static const struct nf_hook_ops selinux_nf_ops[] = { 7162 { 7163 .hook = selinux_ipv4_postroute, 7164 .pf = NFPROTO_IPV4, 7165 .hooknum = NF_INET_POST_ROUTING, 7166 .priority = NF_IP_PRI_SELINUX_LAST, 7167 }, 7168 { 7169 .hook = selinux_ipv4_forward, 7170 .pf = NFPROTO_IPV4, 7171 .hooknum = NF_INET_FORWARD, 7172 .priority = NF_IP_PRI_SELINUX_FIRST, 7173 }, 7174 { 7175 .hook = selinux_ipv4_output, 7176 .pf = NFPROTO_IPV4, 7177 .hooknum = NF_INET_LOCAL_OUT, 7178 .priority = NF_IP_PRI_SELINUX_FIRST, 7179 }, 7180 #if IS_ENABLED(CONFIG_IPV6) 7181 { 7182 .hook = selinux_ipv6_postroute, 7183 .pf = NFPROTO_IPV6, 7184 .hooknum = NF_INET_POST_ROUTING, 7185 .priority = NF_IP6_PRI_SELINUX_LAST, 7186 }, 7187 { 7188 .hook = selinux_ipv6_forward, 7189 .pf = NFPROTO_IPV6, 7190 .hooknum = NF_INET_FORWARD, 7191 .priority = NF_IP6_PRI_SELINUX_FIRST, 7192 }, 7193 { 7194 .hook = selinux_ipv6_output, 7195 .pf = NFPROTO_IPV6, 7196 .hooknum = NF_INET_LOCAL_OUT, 7197 .priority = NF_IP6_PRI_SELINUX_FIRST, 7198 }, 7199 #endif /* IPV6 */ 7200 }; 7201 7202 static int __net_init selinux_nf_register(struct net *net) 7203 { 7204 return nf_register_net_hooks(net, selinux_nf_ops, 7205 ARRAY_SIZE(selinux_nf_ops)); 7206 } 7207 7208 static void __net_exit selinux_nf_unregister(struct net *net) 7209 { 7210 nf_unregister_net_hooks(net, selinux_nf_ops, 7211 ARRAY_SIZE(selinux_nf_ops)); 7212 } 7213 7214 static struct pernet_operations selinux_net_ops = { 7215 .init = selinux_nf_register, 7216 .exit = selinux_nf_unregister, 7217 }; 7218 7219 static int __init selinux_nf_ip_init(void) 7220 { 7221 int err; 7222 7223 if (!selinux_enabled) 7224 return 0; 7225 7226 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 7227 7228 err = register_pernet_subsys(&selinux_net_ops); 7229 if (err) 7230 panic("SELinux: register_pernet_subsys: error %d\n", err); 7231 7232 return 0; 7233 } 7234 __initcall(selinux_nf_ip_init); 7235 7236 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7237 static void selinux_nf_ip_exit(void) 7238 { 7239 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 7240 7241 unregister_pernet_subsys(&selinux_net_ops); 7242 } 7243 #endif 7244 7245 #else /* CONFIG_NETFILTER */ 7246 7247 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7248 #define selinux_nf_ip_exit() 7249 #endif 7250 7251 #endif /* CONFIG_NETFILTER */ 7252 7253 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7254 int selinux_disable(struct selinux_state *state) 7255 { 7256 if (state->initialized) { 7257 /* Not permitted after initial policy load. */ 7258 return -EINVAL; 7259 } 7260 7261 if (state->disabled) { 7262 /* Only do this once. */ 7263 return -EINVAL; 7264 } 7265 7266 state->disabled = 1; 7267 7268 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 7269 7270 selinux_enabled = 0; 7271 7272 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7273 7274 /* Try to destroy the avc node cache */ 7275 avc_disable(); 7276 7277 /* Unregister netfilter hooks. */ 7278 selinux_nf_ip_exit(); 7279 7280 /* Unregister selinuxfs. */ 7281 exit_sel_fs(); 7282 7283 return 0; 7284 } 7285 #endif 7286