1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * Copyright (C) 2016 Mellanox Technologies 21 * 22 * This program is free software; you can redistribute it and/or modify 23 * it under the terms of the GNU General Public License version 2, 24 * as published by the Free Software Foundation. 25 */ 26 27 #include <linux/init.h> 28 #include <linux/kd.h> 29 #include <linux/kernel.h> 30 #include <linux/tracehook.h> 31 #include <linux/errno.h> 32 #include <linux/sched/signal.h> 33 #include <linux/sched/task.h> 34 #include <linux/lsm_hooks.h> 35 #include <linux/xattr.h> 36 #include <linux/capability.h> 37 #include <linux/unistd.h> 38 #include <linux/mm.h> 39 #include <linux/mman.h> 40 #include <linux/slab.h> 41 #include <linux/pagemap.h> 42 #include <linux/proc_fs.h> 43 #include <linux/swap.h> 44 #include <linux/spinlock.h> 45 #include <linux/syscalls.h> 46 #include <linux/dcache.h> 47 #include <linux/file.h> 48 #include <linux/fdtable.h> 49 #include <linux/namei.h> 50 #include <linux/mount.h> 51 #include <linux/netfilter_ipv4.h> 52 #include <linux/netfilter_ipv6.h> 53 #include <linux/tty.h> 54 #include <net/icmp.h> 55 #include <net/ip.h> /* for local_port_range[] */ 56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 57 #include <net/inet_connection_sock.h> 58 #include <net/net_namespace.h> 59 #include <net/netlabel.h> 60 #include <linux/uaccess.h> 61 #include <asm/ioctls.h> 62 #include <linux/atomic.h> 63 #include <linux/bitops.h> 64 #include <linux/interrupt.h> 65 #include <linux/netdevice.h> /* for network interface checks */ 66 #include <net/netlink.h> 67 #include <linux/tcp.h> 68 #include <linux/udp.h> 69 #include <linux/dccp.h> 70 #include <linux/sctp.h> 71 #include <net/sctp/structs.h> 72 #include <linux/quota.h> 73 #include <linux/un.h> /* for Unix socket types */ 74 #include <net/af_unix.h> /* for Unix socket types */ 75 #include <linux/parser.h> 76 #include <linux/nfs_mount.h> 77 #include <net/ipv6.h> 78 #include <linux/hugetlb.h> 79 #include <linux/personality.h> 80 #include <linux/audit.h> 81 #include <linux/string.h> 82 #include <linux/selinux.h> 83 #include <linux/mutex.h> 84 #include <linux/posix-timers.h> 85 #include <linux/syslog.h> 86 #include <linux/user_namespace.h> 87 #include <linux/export.h> 88 #include <linux/msg.h> 89 #include <linux/shm.h> 90 #include <linux/bpf.h> 91 92 #include "avc.h" 93 #include "objsec.h" 94 #include "netif.h" 95 #include "netnode.h" 96 #include "netport.h" 97 #include "ibpkey.h" 98 #include "xfrm.h" 99 #include "netlabel.h" 100 #include "audit.h" 101 #include "avc_ss.h" 102 103 struct selinux_state selinux_state; 104 105 /* SECMARK reference count */ 106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 107 108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 109 static int selinux_enforcing_boot; 110 111 static int __init enforcing_setup(char *str) 112 { 113 unsigned long enforcing; 114 if (!kstrtoul(str, 0, &enforcing)) 115 selinux_enforcing_boot = enforcing ? 1 : 0; 116 return 1; 117 } 118 __setup("enforcing=", enforcing_setup); 119 #else 120 #define selinux_enforcing_boot 1 121 #endif 122 123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 125 126 static int __init selinux_enabled_setup(char *str) 127 { 128 unsigned long enabled; 129 if (!kstrtoul(str, 0, &enabled)) 130 selinux_enabled = enabled ? 1 : 0; 131 return 1; 132 } 133 __setup("selinux=", selinux_enabled_setup); 134 #else 135 int selinux_enabled = 1; 136 #endif 137 138 static unsigned int selinux_checkreqprot_boot = 139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 140 141 static int __init checkreqprot_setup(char *str) 142 { 143 unsigned long checkreqprot; 144 145 if (!kstrtoul(str, 0, &checkreqprot)) 146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0; 147 return 1; 148 } 149 __setup("checkreqprot=", checkreqprot_setup); 150 151 static struct kmem_cache *sel_inode_cache; 152 static struct kmem_cache *file_security_cache; 153 154 /** 155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 156 * 157 * Description: 158 * This function checks the SECMARK reference counter to see if any SECMARK 159 * targets are currently configured, if the reference counter is greater than 160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 161 * enabled, false (0) if SECMARK is disabled. If the always_check_network 162 * policy capability is enabled, SECMARK is always considered enabled. 163 * 164 */ 165 static int selinux_secmark_enabled(void) 166 { 167 return (selinux_policycap_alwaysnetwork() || 168 atomic_read(&selinux_secmark_refcount)); 169 } 170 171 /** 172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 173 * 174 * Description: 175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 176 * (1) if any are enabled or false (0) if neither are enabled. If the 177 * always_check_network policy capability is enabled, peer labeling 178 * is always considered enabled. 179 * 180 */ 181 static int selinux_peerlbl_enabled(void) 182 { 183 return (selinux_policycap_alwaysnetwork() || 184 netlbl_enabled() || selinux_xfrm_enabled()); 185 } 186 187 static int selinux_netcache_avc_callback(u32 event) 188 { 189 if (event == AVC_CALLBACK_RESET) { 190 sel_netif_flush(); 191 sel_netnode_flush(); 192 sel_netport_flush(); 193 synchronize_net(); 194 } 195 return 0; 196 } 197 198 static int selinux_lsm_notifier_avc_callback(u32 event) 199 { 200 if (event == AVC_CALLBACK_RESET) { 201 sel_ib_pkey_flush(); 202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL); 203 } 204 205 return 0; 206 } 207 208 /* 209 * initialise the security for the init task 210 */ 211 static void cred_init_security(void) 212 { 213 struct cred *cred = (struct cred *) current->real_cred; 214 struct task_security_struct *tsec; 215 216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 217 if (!tsec) 218 panic("SELinux: Failed to initialize initial task.\n"); 219 220 tsec->osid = tsec->sid = SECINITSID_KERNEL; 221 cred->security = tsec; 222 } 223 224 /* 225 * get the security ID of a set of credentials 226 */ 227 static inline u32 cred_sid(const struct cred *cred) 228 { 229 const struct task_security_struct *tsec; 230 231 tsec = cred->security; 232 return tsec->sid; 233 } 234 235 /* 236 * get the objective security ID of a task 237 */ 238 static inline u32 task_sid(const struct task_struct *task) 239 { 240 u32 sid; 241 242 rcu_read_lock(); 243 sid = cred_sid(__task_cred(task)); 244 rcu_read_unlock(); 245 return sid; 246 } 247 248 /* Allocate and free functions for each kind of security blob. */ 249 250 static int inode_alloc_security(struct inode *inode) 251 { 252 struct inode_security_struct *isec; 253 u32 sid = current_sid(); 254 255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 256 if (!isec) 257 return -ENOMEM; 258 259 spin_lock_init(&isec->lock); 260 INIT_LIST_HEAD(&isec->list); 261 isec->inode = inode; 262 isec->sid = SECINITSID_UNLABELED; 263 isec->sclass = SECCLASS_FILE; 264 isec->task_sid = sid; 265 isec->initialized = LABEL_INVALID; 266 inode->i_security = isec; 267 268 return 0; 269 } 270 271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 272 273 /* 274 * Try reloading inode security labels that have been marked as invalid. The 275 * @may_sleep parameter indicates when sleeping and thus reloading labels is 276 * allowed; when set to false, returns -ECHILD when the label is 277 * invalid. The @opt_dentry parameter should be set to a dentry of the inode; 278 * when no dentry is available, set it to NULL instead. 279 */ 280 static int __inode_security_revalidate(struct inode *inode, 281 struct dentry *opt_dentry, 282 bool may_sleep) 283 { 284 struct inode_security_struct *isec = inode->i_security; 285 286 might_sleep_if(may_sleep); 287 288 if (selinux_state.initialized && 289 isec->initialized != LABEL_INITIALIZED) { 290 if (!may_sleep) 291 return -ECHILD; 292 293 /* 294 * Try reloading the inode security label. This will fail if 295 * @opt_dentry is NULL and no dentry for this inode can be 296 * found; in that case, continue using the old label. 297 */ 298 inode_doinit_with_dentry(inode, opt_dentry); 299 } 300 return 0; 301 } 302 303 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 304 { 305 return inode->i_security; 306 } 307 308 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 309 { 310 int error; 311 312 error = __inode_security_revalidate(inode, NULL, !rcu); 313 if (error) 314 return ERR_PTR(error); 315 return inode->i_security; 316 } 317 318 /* 319 * Get the security label of an inode. 320 */ 321 static struct inode_security_struct *inode_security(struct inode *inode) 322 { 323 __inode_security_revalidate(inode, NULL, true); 324 return inode->i_security; 325 } 326 327 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 328 { 329 struct inode *inode = d_backing_inode(dentry); 330 331 return inode->i_security; 332 } 333 334 /* 335 * Get the security label of a dentry's backing inode. 336 */ 337 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 338 { 339 struct inode *inode = d_backing_inode(dentry); 340 341 __inode_security_revalidate(inode, dentry, true); 342 return inode->i_security; 343 } 344 345 static void inode_free_rcu(struct rcu_head *head) 346 { 347 struct inode_security_struct *isec; 348 349 isec = container_of(head, struct inode_security_struct, rcu); 350 kmem_cache_free(sel_inode_cache, isec); 351 } 352 353 static void inode_free_security(struct inode *inode) 354 { 355 struct inode_security_struct *isec = inode->i_security; 356 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 357 358 /* 359 * As not all inode security structures are in a list, we check for 360 * empty list outside of the lock to make sure that we won't waste 361 * time taking a lock doing nothing. 362 * 363 * The list_del_init() function can be safely called more than once. 364 * It should not be possible for this function to be called with 365 * concurrent list_add(), but for better safety against future changes 366 * in the code, we use list_empty_careful() here. 367 */ 368 if (!list_empty_careful(&isec->list)) { 369 spin_lock(&sbsec->isec_lock); 370 list_del_init(&isec->list); 371 spin_unlock(&sbsec->isec_lock); 372 } 373 374 /* 375 * The inode may still be referenced in a path walk and 376 * a call to selinux_inode_permission() can be made 377 * after inode_free_security() is called. Ideally, the VFS 378 * wouldn't do this, but fixing that is a much harder 379 * job. For now, simply free the i_security via RCU, and 380 * leave the current inode->i_security pointer intact. 381 * The inode will be freed after the RCU grace period too. 382 */ 383 call_rcu(&isec->rcu, inode_free_rcu); 384 } 385 386 static int file_alloc_security(struct file *file) 387 { 388 struct file_security_struct *fsec; 389 u32 sid = current_sid(); 390 391 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); 392 if (!fsec) 393 return -ENOMEM; 394 395 fsec->sid = sid; 396 fsec->fown_sid = sid; 397 file->f_security = fsec; 398 399 return 0; 400 } 401 402 static void file_free_security(struct file *file) 403 { 404 struct file_security_struct *fsec = file->f_security; 405 file->f_security = NULL; 406 kmem_cache_free(file_security_cache, fsec); 407 } 408 409 static int superblock_alloc_security(struct super_block *sb) 410 { 411 struct superblock_security_struct *sbsec; 412 413 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 414 if (!sbsec) 415 return -ENOMEM; 416 417 mutex_init(&sbsec->lock); 418 INIT_LIST_HEAD(&sbsec->isec_head); 419 spin_lock_init(&sbsec->isec_lock); 420 sbsec->sb = sb; 421 sbsec->sid = SECINITSID_UNLABELED; 422 sbsec->def_sid = SECINITSID_FILE; 423 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 424 sb->s_security = sbsec; 425 426 return 0; 427 } 428 429 static void superblock_free_security(struct super_block *sb) 430 { 431 struct superblock_security_struct *sbsec = sb->s_security; 432 sb->s_security = NULL; 433 kfree(sbsec); 434 } 435 436 static inline int inode_doinit(struct inode *inode) 437 { 438 return inode_doinit_with_dentry(inode, NULL); 439 } 440 441 enum { 442 Opt_error = -1, 443 Opt_context = 1, 444 Opt_fscontext = 2, 445 Opt_defcontext = 3, 446 Opt_rootcontext = 4, 447 Opt_labelsupport = 5, 448 Opt_nextmntopt = 6, 449 }; 450 451 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1) 452 453 static const match_table_t tokens = { 454 {Opt_context, CONTEXT_STR "%s"}, 455 {Opt_fscontext, FSCONTEXT_STR "%s"}, 456 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 457 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 458 {Opt_labelsupport, LABELSUPP_STR}, 459 {Opt_error, NULL}, 460 }; 461 462 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 463 464 static int may_context_mount_sb_relabel(u32 sid, 465 struct superblock_security_struct *sbsec, 466 const struct cred *cred) 467 { 468 const struct task_security_struct *tsec = cred->security; 469 int rc; 470 471 rc = avc_has_perm(&selinux_state, 472 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 473 FILESYSTEM__RELABELFROM, NULL); 474 if (rc) 475 return rc; 476 477 rc = avc_has_perm(&selinux_state, 478 tsec->sid, sid, SECCLASS_FILESYSTEM, 479 FILESYSTEM__RELABELTO, NULL); 480 return rc; 481 } 482 483 static int may_context_mount_inode_relabel(u32 sid, 484 struct superblock_security_struct *sbsec, 485 const struct cred *cred) 486 { 487 const struct task_security_struct *tsec = cred->security; 488 int rc; 489 rc = avc_has_perm(&selinux_state, 490 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 491 FILESYSTEM__RELABELFROM, NULL); 492 if (rc) 493 return rc; 494 495 rc = avc_has_perm(&selinux_state, 496 sid, sbsec->sid, SECCLASS_FILESYSTEM, 497 FILESYSTEM__ASSOCIATE, NULL); 498 return rc; 499 } 500 501 static int selinux_is_sblabel_mnt(struct super_block *sb) 502 { 503 struct superblock_security_struct *sbsec = sb->s_security; 504 505 return sbsec->behavior == SECURITY_FS_USE_XATTR || 506 sbsec->behavior == SECURITY_FS_USE_TRANS || 507 sbsec->behavior == SECURITY_FS_USE_TASK || 508 sbsec->behavior == SECURITY_FS_USE_NATIVE || 509 /* Special handling. Genfs but also in-core setxattr handler */ 510 !strcmp(sb->s_type->name, "sysfs") || 511 !strcmp(sb->s_type->name, "pstore") || 512 !strcmp(sb->s_type->name, "debugfs") || 513 !strcmp(sb->s_type->name, "tracefs") || 514 !strcmp(sb->s_type->name, "rootfs") || 515 (selinux_policycap_cgroupseclabel() && 516 (!strcmp(sb->s_type->name, "cgroup") || 517 !strcmp(sb->s_type->name, "cgroup2"))); 518 } 519 520 static int sb_finish_set_opts(struct super_block *sb) 521 { 522 struct superblock_security_struct *sbsec = sb->s_security; 523 struct dentry *root = sb->s_root; 524 struct inode *root_inode = d_backing_inode(root); 525 int rc = 0; 526 527 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 528 /* Make sure that the xattr handler exists and that no 529 error other than -ENODATA is returned by getxattr on 530 the root directory. -ENODATA is ok, as this may be 531 the first boot of the SELinux kernel before we have 532 assigned xattr values to the filesystem. */ 533 if (!(root_inode->i_opflags & IOP_XATTR)) { 534 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 535 "xattr support\n", sb->s_id, sb->s_type->name); 536 rc = -EOPNOTSUPP; 537 goto out; 538 } 539 540 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 541 if (rc < 0 && rc != -ENODATA) { 542 if (rc == -EOPNOTSUPP) 543 printk(KERN_WARNING "SELinux: (dev %s, type " 544 "%s) has no security xattr handler\n", 545 sb->s_id, sb->s_type->name); 546 else 547 printk(KERN_WARNING "SELinux: (dev %s, type " 548 "%s) getxattr errno %d\n", sb->s_id, 549 sb->s_type->name, -rc); 550 goto out; 551 } 552 } 553 554 sbsec->flags |= SE_SBINITIALIZED; 555 556 /* 557 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 558 * leave the flag untouched because sb_clone_mnt_opts might be handing 559 * us a superblock that needs the flag to be cleared. 560 */ 561 if (selinux_is_sblabel_mnt(sb)) 562 sbsec->flags |= SBLABEL_MNT; 563 else 564 sbsec->flags &= ~SBLABEL_MNT; 565 566 /* Initialize the root inode. */ 567 rc = inode_doinit_with_dentry(root_inode, root); 568 569 /* Initialize any other inodes associated with the superblock, e.g. 570 inodes created prior to initial policy load or inodes created 571 during get_sb by a pseudo filesystem that directly 572 populates itself. */ 573 spin_lock(&sbsec->isec_lock); 574 next_inode: 575 if (!list_empty(&sbsec->isec_head)) { 576 struct inode_security_struct *isec = 577 list_entry(sbsec->isec_head.next, 578 struct inode_security_struct, list); 579 struct inode *inode = isec->inode; 580 list_del_init(&isec->list); 581 spin_unlock(&sbsec->isec_lock); 582 inode = igrab(inode); 583 if (inode) { 584 if (!IS_PRIVATE(inode)) 585 inode_doinit(inode); 586 iput(inode); 587 } 588 spin_lock(&sbsec->isec_lock); 589 goto next_inode; 590 } 591 spin_unlock(&sbsec->isec_lock); 592 out: 593 return rc; 594 } 595 596 /* 597 * This function should allow an FS to ask what it's mount security 598 * options were so it can use those later for submounts, displaying 599 * mount options, or whatever. 600 */ 601 static int selinux_get_mnt_opts(const struct super_block *sb, 602 struct security_mnt_opts *opts) 603 { 604 int rc = 0, i; 605 struct superblock_security_struct *sbsec = sb->s_security; 606 char *context = NULL; 607 u32 len; 608 char tmp; 609 610 security_init_mnt_opts(opts); 611 612 if (!(sbsec->flags & SE_SBINITIALIZED)) 613 return -EINVAL; 614 615 if (!selinux_state.initialized) 616 return -EINVAL; 617 618 /* make sure we always check enough bits to cover the mask */ 619 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS)); 620 621 tmp = sbsec->flags & SE_MNTMASK; 622 /* count the number of mount options for this sb */ 623 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) { 624 if (tmp & 0x01) 625 opts->num_mnt_opts++; 626 tmp >>= 1; 627 } 628 /* Check if the Label support flag is set */ 629 if (sbsec->flags & SBLABEL_MNT) 630 opts->num_mnt_opts++; 631 632 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 633 if (!opts->mnt_opts) { 634 rc = -ENOMEM; 635 goto out_free; 636 } 637 638 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 639 if (!opts->mnt_opts_flags) { 640 rc = -ENOMEM; 641 goto out_free; 642 } 643 644 i = 0; 645 if (sbsec->flags & FSCONTEXT_MNT) { 646 rc = security_sid_to_context(&selinux_state, sbsec->sid, 647 &context, &len); 648 if (rc) 649 goto out_free; 650 opts->mnt_opts[i] = context; 651 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 652 } 653 if (sbsec->flags & CONTEXT_MNT) { 654 rc = security_sid_to_context(&selinux_state, 655 sbsec->mntpoint_sid, 656 &context, &len); 657 if (rc) 658 goto out_free; 659 opts->mnt_opts[i] = context; 660 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 661 } 662 if (sbsec->flags & DEFCONTEXT_MNT) { 663 rc = security_sid_to_context(&selinux_state, sbsec->def_sid, 664 &context, &len); 665 if (rc) 666 goto out_free; 667 opts->mnt_opts[i] = context; 668 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 669 } 670 if (sbsec->flags & ROOTCONTEXT_MNT) { 671 struct dentry *root = sbsec->sb->s_root; 672 struct inode_security_struct *isec = backing_inode_security(root); 673 674 rc = security_sid_to_context(&selinux_state, isec->sid, 675 &context, &len); 676 if (rc) 677 goto out_free; 678 opts->mnt_opts[i] = context; 679 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 680 } 681 if (sbsec->flags & SBLABEL_MNT) { 682 opts->mnt_opts[i] = NULL; 683 opts->mnt_opts_flags[i++] = SBLABEL_MNT; 684 } 685 686 BUG_ON(i != opts->num_mnt_opts); 687 688 return 0; 689 690 out_free: 691 security_free_mnt_opts(opts); 692 return rc; 693 } 694 695 static int bad_option(struct superblock_security_struct *sbsec, char flag, 696 u32 old_sid, u32 new_sid) 697 { 698 char mnt_flags = sbsec->flags & SE_MNTMASK; 699 700 /* check if the old mount command had the same options */ 701 if (sbsec->flags & SE_SBINITIALIZED) 702 if (!(sbsec->flags & flag) || 703 (old_sid != new_sid)) 704 return 1; 705 706 /* check if we were passed the same options twice, 707 * aka someone passed context=a,context=b 708 */ 709 if (!(sbsec->flags & SE_SBINITIALIZED)) 710 if (mnt_flags & flag) 711 return 1; 712 return 0; 713 } 714 715 /* 716 * Allow filesystems with binary mount data to explicitly set mount point 717 * labeling information. 718 */ 719 static int selinux_set_mnt_opts(struct super_block *sb, 720 struct security_mnt_opts *opts, 721 unsigned long kern_flags, 722 unsigned long *set_kern_flags) 723 { 724 const struct cred *cred = current_cred(); 725 int rc = 0, i; 726 struct superblock_security_struct *sbsec = sb->s_security; 727 const char *name = sb->s_type->name; 728 struct dentry *root = sbsec->sb->s_root; 729 struct inode_security_struct *root_isec; 730 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 731 u32 defcontext_sid = 0; 732 char **mount_options = opts->mnt_opts; 733 int *flags = opts->mnt_opts_flags; 734 int num_opts = opts->num_mnt_opts; 735 736 mutex_lock(&sbsec->lock); 737 738 if (!selinux_state.initialized) { 739 if (!num_opts) { 740 /* Defer initialization until selinux_complete_init, 741 after the initial policy is loaded and the security 742 server is ready to handle calls. */ 743 goto out; 744 } 745 rc = -EINVAL; 746 printk(KERN_WARNING "SELinux: Unable to set superblock options " 747 "before the security server is initialized\n"); 748 goto out; 749 } 750 if (kern_flags && !set_kern_flags) { 751 /* Specifying internal flags without providing a place to 752 * place the results is not allowed */ 753 rc = -EINVAL; 754 goto out; 755 } 756 757 /* 758 * Binary mount data FS will come through this function twice. Once 759 * from an explicit call and once from the generic calls from the vfs. 760 * Since the generic VFS calls will not contain any security mount data 761 * we need to skip the double mount verification. 762 * 763 * This does open a hole in which we will not notice if the first 764 * mount using this sb set explict options and a second mount using 765 * this sb does not set any security options. (The first options 766 * will be used for both mounts) 767 */ 768 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 769 && (num_opts == 0)) 770 goto out; 771 772 root_isec = backing_inode_security_novalidate(root); 773 774 /* 775 * parse the mount options, check if they are valid sids. 776 * also check if someone is trying to mount the same sb more 777 * than once with different security options. 778 */ 779 for (i = 0; i < num_opts; i++) { 780 u32 sid; 781 782 if (flags[i] == SBLABEL_MNT) 783 continue; 784 rc = security_context_str_to_sid(&selinux_state, 785 mount_options[i], &sid, 786 GFP_KERNEL); 787 if (rc) { 788 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 789 "(%s) failed for (dev %s, type %s) errno=%d\n", 790 mount_options[i], sb->s_id, name, rc); 791 goto out; 792 } 793 switch (flags[i]) { 794 case FSCONTEXT_MNT: 795 fscontext_sid = sid; 796 797 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 798 fscontext_sid)) 799 goto out_double_mount; 800 801 sbsec->flags |= FSCONTEXT_MNT; 802 break; 803 case CONTEXT_MNT: 804 context_sid = sid; 805 806 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 807 context_sid)) 808 goto out_double_mount; 809 810 sbsec->flags |= CONTEXT_MNT; 811 break; 812 case ROOTCONTEXT_MNT: 813 rootcontext_sid = sid; 814 815 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 816 rootcontext_sid)) 817 goto out_double_mount; 818 819 sbsec->flags |= ROOTCONTEXT_MNT; 820 821 break; 822 case DEFCONTEXT_MNT: 823 defcontext_sid = sid; 824 825 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 826 defcontext_sid)) 827 goto out_double_mount; 828 829 sbsec->flags |= DEFCONTEXT_MNT; 830 831 break; 832 default: 833 rc = -EINVAL; 834 goto out; 835 } 836 } 837 838 if (sbsec->flags & SE_SBINITIALIZED) { 839 /* previously mounted with options, but not on this attempt? */ 840 if ((sbsec->flags & SE_MNTMASK) && !num_opts) 841 goto out_double_mount; 842 rc = 0; 843 goto out; 844 } 845 846 if (strcmp(sb->s_type->name, "proc") == 0) 847 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 848 849 if (!strcmp(sb->s_type->name, "debugfs") || 850 !strcmp(sb->s_type->name, "tracefs") || 851 !strcmp(sb->s_type->name, "sysfs") || 852 !strcmp(sb->s_type->name, "pstore") || 853 !strcmp(sb->s_type->name, "cgroup") || 854 !strcmp(sb->s_type->name, "cgroup2")) 855 sbsec->flags |= SE_SBGENFS; 856 857 if (!sbsec->behavior) { 858 /* 859 * Determine the labeling behavior to use for this 860 * filesystem type. 861 */ 862 rc = security_fs_use(&selinux_state, sb); 863 if (rc) { 864 printk(KERN_WARNING 865 "%s: security_fs_use(%s) returned %d\n", 866 __func__, sb->s_type->name, rc); 867 goto out; 868 } 869 } 870 871 /* 872 * If this is a user namespace mount and the filesystem type is not 873 * explicitly whitelisted, then no contexts are allowed on the command 874 * line and security labels must be ignored. 875 */ 876 if (sb->s_user_ns != &init_user_ns && 877 strcmp(sb->s_type->name, "tmpfs") && 878 strcmp(sb->s_type->name, "ramfs") && 879 strcmp(sb->s_type->name, "devpts")) { 880 if (context_sid || fscontext_sid || rootcontext_sid || 881 defcontext_sid) { 882 rc = -EACCES; 883 goto out; 884 } 885 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 886 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 887 rc = security_transition_sid(&selinux_state, 888 current_sid(), 889 current_sid(), 890 SECCLASS_FILE, NULL, 891 &sbsec->mntpoint_sid); 892 if (rc) 893 goto out; 894 } 895 goto out_set_opts; 896 } 897 898 /* sets the context of the superblock for the fs being mounted. */ 899 if (fscontext_sid) { 900 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 901 if (rc) 902 goto out; 903 904 sbsec->sid = fscontext_sid; 905 } 906 907 /* 908 * Switch to using mount point labeling behavior. 909 * sets the label used on all file below the mountpoint, and will set 910 * the superblock context if not already set. 911 */ 912 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 913 sbsec->behavior = SECURITY_FS_USE_NATIVE; 914 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 915 } 916 917 if (context_sid) { 918 if (!fscontext_sid) { 919 rc = may_context_mount_sb_relabel(context_sid, sbsec, 920 cred); 921 if (rc) 922 goto out; 923 sbsec->sid = context_sid; 924 } else { 925 rc = may_context_mount_inode_relabel(context_sid, sbsec, 926 cred); 927 if (rc) 928 goto out; 929 } 930 if (!rootcontext_sid) 931 rootcontext_sid = context_sid; 932 933 sbsec->mntpoint_sid = context_sid; 934 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 935 } 936 937 if (rootcontext_sid) { 938 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 939 cred); 940 if (rc) 941 goto out; 942 943 root_isec->sid = rootcontext_sid; 944 root_isec->initialized = LABEL_INITIALIZED; 945 } 946 947 if (defcontext_sid) { 948 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 949 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 950 rc = -EINVAL; 951 printk(KERN_WARNING "SELinux: defcontext option is " 952 "invalid for this filesystem type\n"); 953 goto out; 954 } 955 956 if (defcontext_sid != sbsec->def_sid) { 957 rc = may_context_mount_inode_relabel(defcontext_sid, 958 sbsec, cred); 959 if (rc) 960 goto out; 961 } 962 963 sbsec->def_sid = defcontext_sid; 964 } 965 966 out_set_opts: 967 rc = sb_finish_set_opts(sb); 968 out: 969 mutex_unlock(&sbsec->lock); 970 return rc; 971 out_double_mount: 972 rc = -EINVAL; 973 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 974 "security settings for (dev %s, type %s)\n", sb->s_id, name); 975 goto out; 976 } 977 978 static int selinux_cmp_sb_context(const struct super_block *oldsb, 979 const struct super_block *newsb) 980 { 981 struct superblock_security_struct *old = oldsb->s_security; 982 struct superblock_security_struct *new = newsb->s_security; 983 char oldflags = old->flags & SE_MNTMASK; 984 char newflags = new->flags & SE_MNTMASK; 985 986 if (oldflags != newflags) 987 goto mismatch; 988 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 989 goto mismatch; 990 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 991 goto mismatch; 992 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 993 goto mismatch; 994 if (oldflags & ROOTCONTEXT_MNT) { 995 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 996 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 997 if (oldroot->sid != newroot->sid) 998 goto mismatch; 999 } 1000 return 0; 1001 mismatch: 1002 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, " 1003 "different security settings for (dev %s, " 1004 "type %s)\n", newsb->s_id, newsb->s_type->name); 1005 return -EBUSY; 1006 } 1007 1008 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 1009 struct super_block *newsb, 1010 unsigned long kern_flags, 1011 unsigned long *set_kern_flags) 1012 { 1013 int rc = 0; 1014 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 1015 struct superblock_security_struct *newsbsec = newsb->s_security; 1016 1017 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 1018 int set_context = (oldsbsec->flags & CONTEXT_MNT); 1019 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 1020 1021 /* 1022 * if the parent was able to be mounted it clearly had no special lsm 1023 * mount options. thus we can safely deal with this superblock later 1024 */ 1025 if (!selinux_state.initialized) 1026 return 0; 1027 1028 /* 1029 * Specifying internal flags without providing a place to 1030 * place the results is not allowed. 1031 */ 1032 if (kern_flags && !set_kern_flags) 1033 return -EINVAL; 1034 1035 /* how can we clone if the old one wasn't set up?? */ 1036 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 1037 1038 /* if fs is reusing a sb, make sure that the contexts match */ 1039 if (newsbsec->flags & SE_SBINITIALIZED) 1040 return selinux_cmp_sb_context(oldsb, newsb); 1041 1042 mutex_lock(&newsbsec->lock); 1043 1044 newsbsec->flags = oldsbsec->flags; 1045 1046 newsbsec->sid = oldsbsec->sid; 1047 newsbsec->def_sid = oldsbsec->def_sid; 1048 newsbsec->behavior = oldsbsec->behavior; 1049 1050 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 1051 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 1052 rc = security_fs_use(&selinux_state, newsb); 1053 if (rc) 1054 goto out; 1055 } 1056 1057 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 1058 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 1059 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 1060 } 1061 1062 if (set_context) { 1063 u32 sid = oldsbsec->mntpoint_sid; 1064 1065 if (!set_fscontext) 1066 newsbsec->sid = sid; 1067 if (!set_rootcontext) { 1068 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1069 newisec->sid = sid; 1070 } 1071 newsbsec->mntpoint_sid = sid; 1072 } 1073 if (set_rootcontext) { 1074 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 1075 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1076 1077 newisec->sid = oldisec->sid; 1078 } 1079 1080 sb_finish_set_opts(newsb); 1081 out: 1082 mutex_unlock(&newsbsec->lock); 1083 return rc; 1084 } 1085 1086 static int selinux_parse_opts_str(char *options, 1087 struct security_mnt_opts *opts) 1088 { 1089 char *p; 1090 char *context = NULL, *defcontext = NULL; 1091 char *fscontext = NULL, *rootcontext = NULL; 1092 int rc, num_mnt_opts = 0; 1093 1094 opts->num_mnt_opts = 0; 1095 1096 /* Standard string-based options. */ 1097 while ((p = strsep(&options, "|")) != NULL) { 1098 int token; 1099 substring_t args[MAX_OPT_ARGS]; 1100 1101 if (!*p) 1102 continue; 1103 1104 token = match_token(p, tokens, args); 1105 1106 switch (token) { 1107 case Opt_context: 1108 if (context || defcontext) { 1109 rc = -EINVAL; 1110 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1111 goto out_err; 1112 } 1113 context = match_strdup(&args[0]); 1114 if (!context) { 1115 rc = -ENOMEM; 1116 goto out_err; 1117 } 1118 break; 1119 1120 case Opt_fscontext: 1121 if (fscontext) { 1122 rc = -EINVAL; 1123 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1124 goto out_err; 1125 } 1126 fscontext = match_strdup(&args[0]); 1127 if (!fscontext) { 1128 rc = -ENOMEM; 1129 goto out_err; 1130 } 1131 break; 1132 1133 case Opt_rootcontext: 1134 if (rootcontext) { 1135 rc = -EINVAL; 1136 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1137 goto out_err; 1138 } 1139 rootcontext = match_strdup(&args[0]); 1140 if (!rootcontext) { 1141 rc = -ENOMEM; 1142 goto out_err; 1143 } 1144 break; 1145 1146 case Opt_defcontext: 1147 if (context || defcontext) { 1148 rc = -EINVAL; 1149 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1150 goto out_err; 1151 } 1152 defcontext = match_strdup(&args[0]); 1153 if (!defcontext) { 1154 rc = -ENOMEM; 1155 goto out_err; 1156 } 1157 break; 1158 case Opt_labelsupport: 1159 break; 1160 default: 1161 rc = -EINVAL; 1162 printk(KERN_WARNING "SELinux: unknown mount option\n"); 1163 goto out_err; 1164 1165 } 1166 } 1167 1168 rc = -ENOMEM; 1169 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL); 1170 if (!opts->mnt_opts) 1171 goto out_err; 1172 1173 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), 1174 GFP_KERNEL); 1175 if (!opts->mnt_opts_flags) 1176 goto out_err; 1177 1178 if (fscontext) { 1179 opts->mnt_opts[num_mnt_opts] = fscontext; 1180 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 1181 } 1182 if (context) { 1183 opts->mnt_opts[num_mnt_opts] = context; 1184 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 1185 } 1186 if (rootcontext) { 1187 opts->mnt_opts[num_mnt_opts] = rootcontext; 1188 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 1189 } 1190 if (defcontext) { 1191 opts->mnt_opts[num_mnt_opts] = defcontext; 1192 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 1193 } 1194 1195 opts->num_mnt_opts = num_mnt_opts; 1196 return 0; 1197 1198 out_err: 1199 security_free_mnt_opts(opts); 1200 kfree(context); 1201 kfree(defcontext); 1202 kfree(fscontext); 1203 kfree(rootcontext); 1204 return rc; 1205 } 1206 /* 1207 * string mount options parsing and call set the sbsec 1208 */ 1209 static int superblock_doinit(struct super_block *sb, void *data) 1210 { 1211 int rc = 0; 1212 char *options = data; 1213 struct security_mnt_opts opts; 1214 1215 security_init_mnt_opts(&opts); 1216 1217 if (!data) 1218 goto out; 1219 1220 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 1221 1222 rc = selinux_parse_opts_str(options, &opts); 1223 if (rc) 1224 goto out_err; 1225 1226 out: 1227 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL); 1228 1229 out_err: 1230 security_free_mnt_opts(&opts); 1231 return rc; 1232 } 1233 1234 static void selinux_write_opts(struct seq_file *m, 1235 struct security_mnt_opts *opts) 1236 { 1237 int i; 1238 char *prefix; 1239 1240 for (i = 0; i < opts->num_mnt_opts; i++) { 1241 char *has_comma; 1242 1243 if (opts->mnt_opts[i]) 1244 has_comma = strchr(opts->mnt_opts[i], ','); 1245 else 1246 has_comma = NULL; 1247 1248 switch (opts->mnt_opts_flags[i]) { 1249 case CONTEXT_MNT: 1250 prefix = CONTEXT_STR; 1251 break; 1252 case FSCONTEXT_MNT: 1253 prefix = FSCONTEXT_STR; 1254 break; 1255 case ROOTCONTEXT_MNT: 1256 prefix = ROOTCONTEXT_STR; 1257 break; 1258 case DEFCONTEXT_MNT: 1259 prefix = DEFCONTEXT_STR; 1260 break; 1261 case SBLABEL_MNT: 1262 seq_putc(m, ','); 1263 seq_puts(m, LABELSUPP_STR); 1264 continue; 1265 default: 1266 BUG(); 1267 return; 1268 }; 1269 /* we need a comma before each option */ 1270 seq_putc(m, ','); 1271 seq_puts(m, prefix); 1272 if (has_comma) 1273 seq_putc(m, '\"'); 1274 seq_escape(m, opts->mnt_opts[i], "\"\n\\"); 1275 if (has_comma) 1276 seq_putc(m, '\"'); 1277 } 1278 } 1279 1280 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1281 { 1282 struct security_mnt_opts opts; 1283 int rc; 1284 1285 rc = selinux_get_mnt_opts(sb, &opts); 1286 if (rc) { 1287 /* before policy load we may get EINVAL, don't show anything */ 1288 if (rc == -EINVAL) 1289 rc = 0; 1290 return rc; 1291 } 1292 1293 selinux_write_opts(m, &opts); 1294 1295 security_free_mnt_opts(&opts); 1296 1297 return rc; 1298 } 1299 1300 static inline u16 inode_mode_to_security_class(umode_t mode) 1301 { 1302 switch (mode & S_IFMT) { 1303 case S_IFSOCK: 1304 return SECCLASS_SOCK_FILE; 1305 case S_IFLNK: 1306 return SECCLASS_LNK_FILE; 1307 case S_IFREG: 1308 return SECCLASS_FILE; 1309 case S_IFBLK: 1310 return SECCLASS_BLK_FILE; 1311 case S_IFDIR: 1312 return SECCLASS_DIR; 1313 case S_IFCHR: 1314 return SECCLASS_CHR_FILE; 1315 case S_IFIFO: 1316 return SECCLASS_FIFO_FILE; 1317 1318 } 1319 1320 return SECCLASS_FILE; 1321 } 1322 1323 static inline int default_protocol_stream(int protocol) 1324 { 1325 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1326 } 1327 1328 static inline int default_protocol_dgram(int protocol) 1329 { 1330 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1331 } 1332 1333 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1334 { 1335 int extsockclass = selinux_policycap_extsockclass(); 1336 1337 switch (family) { 1338 case PF_UNIX: 1339 switch (type) { 1340 case SOCK_STREAM: 1341 case SOCK_SEQPACKET: 1342 return SECCLASS_UNIX_STREAM_SOCKET; 1343 case SOCK_DGRAM: 1344 case SOCK_RAW: 1345 return SECCLASS_UNIX_DGRAM_SOCKET; 1346 } 1347 break; 1348 case PF_INET: 1349 case PF_INET6: 1350 switch (type) { 1351 case SOCK_STREAM: 1352 case SOCK_SEQPACKET: 1353 if (default_protocol_stream(protocol)) 1354 return SECCLASS_TCP_SOCKET; 1355 else if (extsockclass && protocol == IPPROTO_SCTP) 1356 return SECCLASS_SCTP_SOCKET; 1357 else 1358 return SECCLASS_RAWIP_SOCKET; 1359 case SOCK_DGRAM: 1360 if (default_protocol_dgram(protocol)) 1361 return SECCLASS_UDP_SOCKET; 1362 else if (extsockclass && (protocol == IPPROTO_ICMP || 1363 protocol == IPPROTO_ICMPV6)) 1364 return SECCLASS_ICMP_SOCKET; 1365 else 1366 return SECCLASS_RAWIP_SOCKET; 1367 case SOCK_DCCP: 1368 return SECCLASS_DCCP_SOCKET; 1369 default: 1370 return SECCLASS_RAWIP_SOCKET; 1371 } 1372 break; 1373 case PF_NETLINK: 1374 switch (protocol) { 1375 case NETLINK_ROUTE: 1376 return SECCLASS_NETLINK_ROUTE_SOCKET; 1377 case NETLINK_SOCK_DIAG: 1378 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1379 case NETLINK_NFLOG: 1380 return SECCLASS_NETLINK_NFLOG_SOCKET; 1381 case NETLINK_XFRM: 1382 return SECCLASS_NETLINK_XFRM_SOCKET; 1383 case NETLINK_SELINUX: 1384 return SECCLASS_NETLINK_SELINUX_SOCKET; 1385 case NETLINK_ISCSI: 1386 return SECCLASS_NETLINK_ISCSI_SOCKET; 1387 case NETLINK_AUDIT: 1388 return SECCLASS_NETLINK_AUDIT_SOCKET; 1389 case NETLINK_FIB_LOOKUP: 1390 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1391 case NETLINK_CONNECTOR: 1392 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1393 case NETLINK_NETFILTER: 1394 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1395 case NETLINK_DNRTMSG: 1396 return SECCLASS_NETLINK_DNRT_SOCKET; 1397 case NETLINK_KOBJECT_UEVENT: 1398 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1399 case NETLINK_GENERIC: 1400 return SECCLASS_NETLINK_GENERIC_SOCKET; 1401 case NETLINK_SCSITRANSPORT: 1402 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1403 case NETLINK_RDMA: 1404 return SECCLASS_NETLINK_RDMA_SOCKET; 1405 case NETLINK_CRYPTO: 1406 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1407 default: 1408 return SECCLASS_NETLINK_SOCKET; 1409 } 1410 case PF_PACKET: 1411 return SECCLASS_PACKET_SOCKET; 1412 case PF_KEY: 1413 return SECCLASS_KEY_SOCKET; 1414 case PF_APPLETALK: 1415 return SECCLASS_APPLETALK_SOCKET; 1416 } 1417 1418 if (extsockclass) { 1419 switch (family) { 1420 case PF_AX25: 1421 return SECCLASS_AX25_SOCKET; 1422 case PF_IPX: 1423 return SECCLASS_IPX_SOCKET; 1424 case PF_NETROM: 1425 return SECCLASS_NETROM_SOCKET; 1426 case PF_ATMPVC: 1427 return SECCLASS_ATMPVC_SOCKET; 1428 case PF_X25: 1429 return SECCLASS_X25_SOCKET; 1430 case PF_ROSE: 1431 return SECCLASS_ROSE_SOCKET; 1432 case PF_DECnet: 1433 return SECCLASS_DECNET_SOCKET; 1434 case PF_ATMSVC: 1435 return SECCLASS_ATMSVC_SOCKET; 1436 case PF_RDS: 1437 return SECCLASS_RDS_SOCKET; 1438 case PF_IRDA: 1439 return SECCLASS_IRDA_SOCKET; 1440 case PF_PPPOX: 1441 return SECCLASS_PPPOX_SOCKET; 1442 case PF_LLC: 1443 return SECCLASS_LLC_SOCKET; 1444 case PF_CAN: 1445 return SECCLASS_CAN_SOCKET; 1446 case PF_TIPC: 1447 return SECCLASS_TIPC_SOCKET; 1448 case PF_BLUETOOTH: 1449 return SECCLASS_BLUETOOTH_SOCKET; 1450 case PF_IUCV: 1451 return SECCLASS_IUCV_SOCKET; 1452 case PF_RXRPC: 1453 return SECCLASS_RXRPC_SOCKET; 1454 case PF_ISDN: 1455 return SECCLASS_ISDN_SOCKET; 1456 case PF_PHONET: 1457 return SECCLASS_PHONET_SOCKET; 1458 case PF_IEEE802154: 1459 return SECCLASS_IEEE802154_SOCKET; 1460 case PF_CAIF: 1461 return SECCLASS_CAIF_SOCKET; 1462 case PF_ALG: 1463 return SECCLASS_ALG_SOCKET; 1464 case PF_NFC: 1465 return SECCLASS_NFC_SOCKET; 1466 case PF_VSOCK: 1467 return SECCLASS_VSOCK_SOCKET; 1468 case PF_KCM: 1469 return SECCLASS_KCM_SOCKET; 1470 case PF_QIPCRTR: 1471 return SECCLASS_QIPCRTR_SOCKET; 1472 case PF_SMC: 1473 return SECCLASS_SMC_SOCKET; 1474 #if PF_MAX > 44 1475 #error New address family defined, please update this function. 1476 #endif 1477 } 1478 } 1479 1480 return SECCLASS_SOCKET; 1481 } 1482 1483 static int selinux_genfs_get_sid(struct dentry *dentry, 1484 u16 tclass, 1485 u16 flags, 1486 u32 *sid) 1487 { 1488 int rc; 1489 struct super_block *sb = dentry->d_sb; 1490 char *buffer, *path; 1491 1492 buffer = (char *)__get_free_page(GFP_KERNEL); 1493 if (!buffer) 1494 return -ENOMEM; 1495 1496 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1497 if (IS_ERR(path)) 1498 rc = PTR_ERR(path); 1499 else { 1500 if (flags & SE_SBPROC) { 1501 /* each process gets a /proc/PID/ entry. Strip off the 1502 * PID part to get a valid selinux labeling. 1503 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1504 while (path[1] >= '0' && path[1] <= '9') { 1505 path[1] = '/'; 1506 path++; 1507 } 1508 } 1509 rc = security_genfs_sid(&selinux_state, sb->s_type->name, 1510 path, tclass, sid); 1511 } 1512 free_page((unsigned long)buffer); 1513 return rc; 1514 } 1515 1516 /* The inode's security attributes must be initialized before first use. */ 1517 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1518 { 1519 struct superblock_security_struct *sbsec = NULL; 1520 struct inode_security_struct *isec = inode->i_security; 1521 u32 task_sid, sid = 0; 1522 u16 sclass; 1523 struct dentry *dentry; 1524 #define INITCONTEXTLEN 255 1525 char *context = NULL; 1526 unsigned len = 0; 1527 int rc = 0; 1528 1529 if (isec->initialized == LABEL_INITIALIZED) 1530 return 0; 1531 1532 spin_lock(&isec->lock); 1533 if (isec->initialized == LABEL_INITIALIZED) 1534 goto out_unlock; 1535 1536 if (isec->sclass == SECCLASS_FILE) 1537 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1538 1539 sbsec = inode->i_sb->s_security; 1540 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1541 /* Defer initialization until selinux_complete_init, 1542 after the initial policy is loaded and the security 1543 server is ready to handle calls. */ 1544 spin_lock(&sbsec->isec_lock); 1545 if (list_empty(&isec->list)) 1546 list_add(&isec->list, &sbsec->isec_head); 1547 spin_unlock(&sbsec->isec_lock); 1548 goto out_unlock; 1549 } 1550 1551 sclass = isec->sclass; 1552 task_sid = isec->task_sid; 1553 sid = isec->sid; 1554 isec->initialized = LABEL_PENDING; 1555 spin_unlock(&isec->lock); 1556 1557 switch (sbsec->behavior) { 1558 case SECURITY_FS_USE_NATIVE: 1559 break; 1560 case SECURITY_FS_USE_XATTR: 1561 if (!(inode->i_opflags & IOP_XATTR)) { 1562 sid = sbsec->def_sid; 1563 break; 1564 } 1565 /* Need a dentry, since the xattr API requires one. 1566 Life would be simpler if we could just pass the inode. */ 1567 if (opt_dentry) { 1568 /* Called from d_instantiate or d_splice_alias. */ 1569 dentry = dget(opt_dentry); 1570 } else { 1571 /* 1572 * Called from selinux_complete_init, try to find a dentry. 1573 * Some filesystems really want a connected one, so try 1574 * that first. We could split SECURITY_FS_USE_XATTR in 1575 * two, depending upon that... 1576 */ 1577 dentry = d_find_alias(inode); 1578 if (!dentry) 1579 dentry = d_find_any_alias(inode); 1580 } 1581 if (!dentry) { 1582 /* 1583 * this is can be hit on boot when a file is accessed 1584 * before the policy is loaded. When we load policy we 1585 * may find inodes that have no dentry on the 1586 * sbsec->isec_head list. No reason to complain as these 1587 * will get fixed up the next time we go through 1588 * inode_doinit with a dentry, before these inodes could 1589 * be used again by userspace. 1590 */ 1591 goto out; 1592 } 1593 1594 len = INITCONTEXTLEN; 1595 context = kmalloc(len+1, GFP_NOFS); 1596 if (!context) { 1597 rc = -ENOMEM; 1598 dput(dentry); 1599 goto out; 1600 } 1601 context[len] = '\0'; 1602 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1603 if (rc == -ERANGE) { 1604 kfree(context); 1605 1606 /* Need a larger buffer. Query for the right size. */ 1607 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1608 if (rc < 0) { 1609 dput(dentry); 1610 goto out; 1611 } 1612 len = rc; 1613 context = kmalloc(len+1, GFP_NOFS); 1614 if (!context) { 1615 rc = -ENOMEM; 1616 dput(dentry); 1617 goto out; 1618 } 1619 context[len] = '\0'; 1620 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1621 } 1622 dput(dentry); 1623 if (rc < 0) { 1624 if (rc != -ENODATA) { 1625 printk(KERN_WARNING "SELinux: %s: getxattr returned " 1626 "%d for dev=%s ino=%ld\n", __func__, 1627 -rc, inode->i_sb->s_id, inode->i_ino); 1628 kfree(context); 1629 goto out; 1630 } 1631 /* Map ENODATA to the default file SID */ 1632 sid = sbsec->def_sid; 1633 rc = 0; 1634 } else { 1635 rc = security_context_to_sid_default(&selinux_state, 1636 context, rc, &sid, 1637 sbsec->def_sid, 1638 GFP_NOFS); 1639 if (rc) { 1640 char *dev = inode->i_sb->s_id; 1641 unsigned long ino = inode->i_ino; 1642 1643 if (rc == -EINVAL) { 1644 if (printk_ratelimit()) 1645 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " 1646 "context=%s. This indicates you may need to relabel the inode or the " 1647 "filesystem in question.\n", ino, dev, context); 1648 } else { 1649 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1650 "returned %d for dev=%s ino=%ld\n", 1651 __func__, context, -rc, dev, ino); 1652 } 1653 kfree(context); 1654 /* Leave with the unlabeled SID */ 1655 rc = 0; 1656 break; 1657 } 1658 } 1659 kfree(context); 1660 break; 1661 case SECURITY_FS_USE_TASK: 1662 sid = task_sid; 1663 break; 1664 case SECURITY_FS_USE_TRANS: 1665 /* Default to the fs SID. */ 1666 sid = sbsec->sid; 1667 1668 /* Try to obtain a transition SID. */ 1669 rc = security_transition_sid(&selinux_state, task_sid, sid, 1670 sclass, NULL, &sid); 1671 if (rc) 1672 goto out; 1673 break; 1674 case SECURITY_FS_USE_MNTPOINT: 1675 sid = sbsec->mntpoint_sid; 1676 break; 1677 default: 1678 /* Default to the fs superblock SID. */ 1679 sid = sbsec->sid; 1680 1681 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { 1682 /* We must have a dentry to determine the label on 1683 * procfs inodes */ 1684 if (opt_dentry) { 1685 /* Called from d_instantiate or 1686 * d_splice_alias. */ 1687 dentry = dget(opt_dentry); 1688 } else { 1689 /* Called from selinux_complete_init, try to 1690 * find a dentry. Some filesystems really want 1691 * a connected one, so try that first. 1692 */ 1693 dentry = d_find_alias(inode); 1694 if (!dentry) 1695 dentry = d_find_any_alias(inode); 1696 } 1697 /* 1698 * This can be hit on boot when a file is accessed 1699 * before the policy is loaded. When we load policy we 1700 * may find inodes that have no dentry on the 1701 * sbsec->isec_head list. No reason to complain as 1702 * these will get fixed up the next time we go through 1703 * inode_doinit() with a dentry, before these inodes 1704 * could be used again by userspace. 1705 */ 1706 if (!dentry) 1707 goto out; 1708 rc = selinux_genfs_get_sid(dentry, sclass, 1709 sbsec->flags, &sid); 1710 dput(dentry); 1711 if (rc) 1712 goto out; 1713 } 1714 break; 1715 } 1716 1717 out: 1718 spin_lock(&isec->lock); 1719 if (isec->initialized == LABEL_PENDING) { 1720 if (!sid || rc) { 1721 isec->initialized = LABEL_INVALID; 1722 goto out_unlock; 1723 } 1724 1725 isec->initialized = LABEL_INITIALIZED; 1726 isec->sid = sid; 1727 } 1728 1729 out_unlock: 1730 spin_unlock(&isec->lock); 1731 return rc; 1732 } 1733 1734 /* Convert a Linux signal to an access vector. */ 1735 static inline u32 signal_to_av(int sig) 1736 { 1737 u32 perm = 0; 1738 1739 switch (sig) { 1740 case SIGCHLD: 1741 /* Commonly granted from child to parent. */ 1742 perm = PROCESS__SIGCHLD; 1743 break; 1744 case SIGKILL: 1745 /* Cannot be caught or ignored */ 1746 perm = PROCESS__SIGKILL; 1747 break; 1748 case SIGSTOP: 1749 /* Cannot be caught or ignored */ 1750 perm = PROCESS__SIGSTOP; 1751 break; 1752 default: 1753 /* All other signals. */ 1754 perm = PROCESS__SIGNAL; 1755 break; 1756 } 1757 1758 return perm; 1759 } 1760 1761 #if CAP_LAST_CAP > 63 1762 #error Fix SELinux to handle capabilities > 63. 1763 #endif 1764 1765 /* Check whether a task is allowed to use a capability. */ 1766 static int cred_has_capability(const struct cred *cred, 1767 int cap, int audit, bool initns) 1768 { 1769 struct common_audit_data ad; 1770 struct av_decision avd; 1771 u16 sclass; 1772 u32 sid = cred_sid(cred); 1773 u32 av = CAP_TO_MASK(cap); 1774 int rc; 1775 1776 ad.type = LSM_AUDIT_DATA_CAP; 1777 ad.u.cap = cap; 1778 1779 switch (CAP_TO_INDEX(cap)) { 1780 case 0: 1781 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1782 break; 1783 case 1: 1784 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1785 break; 1786 default: 1787 printk(KERN_ERR 1788 "SELinux: out of range capability %d\n", cap); 1789 BUG(); 1790 return -EINVAL; 1791 } 1792 1793 rc = avc_has_perm_noaudit(&selinux_state, 1794 sid, sid, sclass, av, 0, &avd); 1795 if (audit == SECURITY_CAP_AUDIT) { 1796 int rc2 = avc_audit(&selinux_state, 1797 sid, sid, sclass, av, &avd, rc, &ad, 0); 1798 if (rc2) 1799 return rc2; 1800 } 1801 return rc; 1802 } 1803 1804 /* Check whether a task has a particular permission to an inode. 1805 The 'adp' parameter is optional and allows other audit 1806 data to be passed (e.g. the dentry). */ 1807 static int inode_has_perm(const struct cred *cred, 1808 struct inode *inode, 1809 u32 perms, 1810 struct common_audit_data *adp) 1811 { 1812 struct inode_security_struct *isec; 1813 u32 sid; 1814 1815 validate_creds(cred); 1816 1817 if (unlikely(IS_PRIVATE(inode))) 1818 return 0; 1819 1820 sid = cred_sid(cred); 1821 isec = inode->i_security; 1822 1823 return avc_has_perm(&selinux_state, 1824 sid, isec->sid, isec->sclass, perms, adp); 1825 } 1826 1827 /* Same as inode_has_perm, but pass explicit audit data containing 1828 the dentry to help the auditing code to more easily generate the 1829 pathname if needed. */ 1830 static inline int dentry_has_perm(const struct cred *cred, 1831 struct dentry *dentry, 1832 u32 av) 1833 { 1834 struct inode *inode = d_backing_inode(dentry); 1835 struct common_audit_data ad; 1836 1837 ad.type = LSM_AUDIT_DATA_DENTRY; 1838 ad.u.dentry = dentry; 1839 __inode_security_revalidate(inode, dentry, true); 1840 return inode_has_perm(cred, inode, av, &ad); 1841 } 1842 1843 /* Same as inode_has_perm, but pass explicit audit data containing 1844 the path to help the auditing code to more easily generate the 1845 pathname if needed. */ 1846 static inline int path_has_perm(const struct cred *cred, 1847 const struct path *path, 1848 u32 av) 1849 { 1850 struct inode *inode = d_backing_inode(path->dentry); 1851 struct common_audit_data ad; 1852 1853 ad.type = LSM_AUDIT_DATA_PATH; 1854 ad.u.path = *path; 1855 __inode_security_revalidate(inode, path->dentry, true); 1856 return inode_has_perm(cred, inode, av, &ad); 1857 } 1858 1859 /* Same as path_has_perm, but uses the inode from the file struct. */ 1860 static inline int file_path_has_perm(const struct cred *cred, 1861 struct file *file, 1862 u32 av) 1863 { 1864 struct common_audit_data ad; 1865 1866 ad.type = LSM_AUDIT_DATA_FILE; 1867 ad.u.file = file; 1868 return inode_has_perm(cred, file_inode(file), av, &ad); 1869 } 1870 1871 #ifdef CONFIG_BPF_SYSCALL 1872 static int bpf_fd_pass(struct file *file, u32 sid); 1873 #endif 1874 1875 /* Check whether a task can use an open file descriptor to 1876 access an inode in a given way. Check access to the 1877 descriptor itself, and then use dentry_has_perm to 1878 check a particular permission to the file. 1879 Access to the descriptor is implicitly granted if it 1880 has the same SID as the process. If av is zero, then 1881 access to the file is not checked, e.g. for cases 1882 where only the descriptor is affected like seek. */ 1883 static int file_has_perm(const struct cred *cred, 1884 struct file *file, 1885 u32 av) 1886 { 1887 struct file_security_struct *fsec = file->f_security; 1888 struct inode *inode = file_inode(file); 1889 struct common_audit_data ad; 1890 u32 sid = cred_sid(cred); 1891 int rc; 1892 1893 ad.type = LSM_AUDIT_DATA_FILE; 1894 ad.u.file = file; 1895 1896 if (sid != fsec->sid) { 1897 rc = avc_has_perm(&selinux_state, 1898 sid, fsec->sid, 1899 SECCLASS_FD, 1900 FD__USE, 1901 &ad); 1902 if (rc) 1903 goto out; 1904 } 1905 1906 #ifdef CONFIG_BPF_SYSCALL 1907 rc = bpf_fd_pass(file, cred_sid(cred)); 1908 if (rc) 1909 return rc; 1910 #endif 1911 1912 /* av is zero if only checking access to the descriptor. */ 1913 rc = 0; 1914 if (av) 1915 rc = inode_has_perm(cred, inode, av, &ad); 1916 1917 out: 1918 return rc; 1919 } 1920 1921 /* 1922 * Determine the label for an inode that might be unioned. 1923 */ 1924 static int 1925 selinux_determine_inode_label(const struct task_security_struct *tsec, 1926 struct inode *dir, 1927 const struct qstr *name, u16 tclass, 1928 u32 *_new_isid) 1929 { 1930 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1931 1932 if ((sbsec->flags & SE_SBINITIALIZED) && 1933 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1934 *_new_isid = sbsec->mntpoint_sid; 1935 } else if ((sbsec->flags & SBLABEL_MNT) && 1936 tsec->create_sid) { 1937 *_new_isid = tsec->create_sid; 1938 } else { 1939 const struct inode_security_struct *dsec = inode_security(dir); 1940 return security_transition_sid(&selinux_state, tsec->sid, 1941 dsec->sid, tclass, 1942 name, _new_isid); 1943 } 1944 1945 return 0; 1946 } 1947 1948 /* Check whether a task can create a file. */ 1949 static int may_create(struct inode *dir, 1950 struct dentry *dentry, 1951 u16 tclass) 1952 { 1953 const struct task_security_struct *tsec = current_security(); 1954 struct inode_security_struct *dsec; 1955 struct superblock_security_struct *sbsec; 1956 u32 sid, newsid; 1957 struct common_audit_data ad; 1958 int rc; 1959 1960 dsec = inode_security(dir); 1961 sbsec = dir->i_sb->s_security; 1962 1963 sid = tsec->sid; 1964 1965 ad.type = LSM_AUDIT_DATA_DENTRY; 1966 ad.u.dentry = dentry; 1967 1968 rc = avc_has_perm(&selinux_state, 1969 sid, dsec->sid, SECCLASS_DIR, 1970 DIR__ADD_NAME | DIR__SEARCH, 1971 &ad); 1972 if (rc) 1973 return rc; 1974 1975 rc = selinux_determine_inode_label(current_security(), dir, 1976 &dentry->d_name, tclass, &newsid); 1977 if (rc) 1978 return rc; 1979 1980 rc = avc_has_perm(&selinux_state, 1981 sid, newsid, tclass, FILE__CREATE, &ad); 1982 if (rc) 1983 return rc; 1984 1985 return avc_has_perm(&selinux_state, 1986 newsid, sbsec->sid, 1987 SECCLASS_FILESYSTEM, 1988 FILESYSTEM__ASSOCIATE, &ad); 1989 } 1990 1991 #define MAY_LINK 0 1992 #define MAY_UNLINK 1 1993 #define MAY_RMDIR 2 1994 1995 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1996 static int may_link(struct inode *dir, 1997 struct dentry *dentry, 1998 int kind) 1999 2000 { 2001 struct inode_security_struct *dsec, *isec; 2002 struct common_audit_data ad; 2003 u32 sid = current_sid(); 2004 u32 av; 2005 int rc; 2006 2007 dsec = inode_security(dir); 2008 isec = backing_inode_security(dentry); 2009 2010 ad.type = LSM_AUDIT_DATA_DENTRY; 2011 ad.u.dentry = dentry; 2012 2013 av = DIR__SEARCH; 2014 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 2015 rc = avc_has_perm(&selinux_state, 2016 sid, dsec->sid, SECCLASS_DIR, av, &ad); 2017 if (rc) 2018 return rc; 2019 2020 switch (kind) { 2021 case MAY_LINK: 2022 av = FILE__LINK; 2023 break; 2024 case MAY_UNLINK: 2025 av = FILE__UNLINK; 2026 break; 2027 case MAY_RMDIR: 2028 av = DIR__RMDIR; 2029 break; 2030 default: 2031 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", 2032 __func__, kind); 2033 return 0; 2034 } 2035 2036 rc = avc_has_perm(&selinux_state, 2037 sid, isec->sid, isec->sclass, av, &ad); 2038 return rc; 2039 } 2040 2041 static inline int may_rename(struct inode *old_dir, 2042 struct dentry *old_dentry, 2043 struct inode *new_dir, 2044 struct dentry *new_dentry) 2045 { 2046 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 2047 struct common_audit_data ad; 2048 u32 sid = current_sid(); 2049 u32 av; 2050 int old_is_dir, new_is_dir; 2051 int rc; 2052 2053 old_dsec = inode_security(old_dir); 2054 old_isec = backing_inode_security(old_dentry); 2055 old_is_dir = d_is_dir(old_dentry); 2056 new_dsec = inode_security(new_dir); 2057 2058 ad.type = LSM_AUDIT_DATA_DENTRY; 2059 2060 ad.u.dentry = old_dentry; 2061 rc = avc_has_perm(&selinux_state, 2062 sid, old_dsec->sid, SECCLASS_DIR, 2063 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 2064 if (rc) 2065 return rc; 2066 rc = avc_has_perm(&selinux_state, 2067 sid, old_isec->sid, 2068 old_isec->sclass, FILE__RENAME, &ad); 2069 if (rc) 2070 return rc; 2071 if (old_is_dir && new_dir != old_dir) { 2072 rc = avc_has_perm(&selinux_state, 2073 sid, old_isec->sid, 2074 old_isec->sclass, DIR__REPARENT, &ad); 2075 if (rc) 2076 return rc; 2077 } 2078 2079 ad.u.dentry = new_dentry; 2080 av = DIR__ADD_NAME | DIR__SEARCH; 2081 if (d_is_positive(new_dentry)) 2082 av |= DIR__REMOVE_NAME; 2083 rc = avc_has_perm(&selinux_state, 2084 sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 2085 if (rc) 2086 return rc; 2087 if (d_is_positive(new_dentry)) { 2088 new_isec = backing_inode_security(new_dentry); 2089 new_is_dir = d_is_dir(new_dentry); 2090 rc = avc_has_perm(&selinux_state, 2091 sid, new_isec->sid, 2092 new_isec->sclass, 2093 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 2094 if (rc) 2095 return rc; 2096 } 2097 2098 return 0; 2099 } 2100 2101 /* Check whether a task can perform a filesystem operation. */ 2102 static int superblock_has_perm(const struct cred *cred, 2103 struct super_block *sb, 2104 u32 perms, 2105 struct common_audit_data *ad) 2106 { 2107 struct superblock_security_struct *sbsec; 2108 u32 sid = cred_sid(cred); 2109 2110 sbsec = sb->s_security; 2111 return avc_has_perm(&selinux_state, 2112 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 2113 } 2114 2115 /* Convert a Linux mode and permission mask to an access vector. */ 2116 static inline u32 file_mask_to_av(int mode, int mask) 2117 { 2118 u32 av = 0; 2119 2120 if (!S_ISDIR(mode)) { 2121 if (mask & MAY_EXEC) 2122 av |= FILE__EXECUTE; 2123 if (mask & MAY_READ) 2124 av |= FILE__READ; 2125 2126 if (mask & MAY_APPEND) 2127 av |= FILE__APPEND; 2128 else if (mask & MAY_WRITE) 2129 av |= FILE__WRITE; 2130 2131 } else { 2132 if (mask & MAY_EXEC) 2133 av |= DIR__SEARCH; 2134 if (mask & MAY_WRITE) 2135 av |= DIR__WRITE; 2136 if (mask & MAY_READ) 2137 av |= DIR__READ; 2138 } 2139 2140 return av; 2141 } 2142 2143 /* Convert a Linux file to an access vector. */ 2144 static inline u32 file_to_av(struct file *file) 2145 { 2146 u32 av = 0; 2147 2148 if (file->f_mode & FMODE_READ) 2149 av |= FILE__READ; 2150 if (file->f_mode & FMODE_WRITE) { 2151 if (file->f_flags & O_APPEND) 2152 av |= FILE__APPEND; 2153 else 2154 av |= FILE__WRITE; 2155 } 2156 if (!av) { 2157 /* 2158 * Special file opened with flags 3 for ioctl-only use. 2159 */ 2160 av = FILE__IOCTL; 2161 } 2162 2163 return av; 2164 } 2165 2166 /* 2167 * Convert a file to an access vector and include the correct open 2168 * open permission. 2169 */ 2170 static inline u32 open_file_to_av(struct file *file) 2171 { 2172 u32 av = file_to_av(file); 2173 struct inode *inode = file_inode(file); 2174 2175 if (selinux_policycap_openperm() && 2176 inode->i_sb->s_magic != SOCKFS_MAGIC) 2177 av |= FILE__OPEN; 2178 2179 return av; 2180 } 2181 2182 /* Hook functions begin here. */ 2183 2184 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2185 { 2186 u32 mysid = current_sid(); 2187 u32 mgrsid = task_sid(mgr); 2188 2189 return avc_has_perm(&selinux_state, 2190 mysid, mgrsid, SECCLASS_BINDER, 2191 BINDER__SET_CONTEXT_MGR, NULL); 2192 } 2193 2194 static int selinux_binder_transaction(struct task_struct *from, 2195 struct task_struct *to) 2196 { 2197 u32 mysid = current_sid(); 2198 u32 fromsid = task_sid(from); 2199 u32 tosid = task_sid(to); 2200 int rc; 2201 2202 if (mysid != fromsid) { 2203 rc = avc_has_perm(&selinux_state, 2204 mysid, fromsid, SECCLASS_BINDER, 2205 BINDER__IMPERSONATE, NULL); 2206 if (rc) 2207 return rc; 2208 } 2209 2210 return avc_has_perm(&selinux_state, 2211 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2212 NULL); 2213 } 2214 2215 static int selinux_binder_transfer_binder(struct task_struct *from, 2216 struct task_struct *to) 2217 { 2218 u32 fromsid = task_sid(from); 2219 u32 tosid = task_sid(to); 2220 2221 return avc_has_perm(&selinux_state, 2222 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2223 NULL); 2224 } 2225 2226 static int selinux_binder_transfer_file(struct task_struct *from, 2227 struct task_struct *to, 2228 struct file *file) 2229 { 2230 u32 sid = task_sid(to); 2231 struct file_security_struct *fsec = file->f_security; 2232 struct dentry *dentry = file->f_path.dentry; 2233 struct inode_security_struct *isec; 2234 struct common_audit_data ad; 2235 int rc; 2236 2237 ad.type = LSM_AUDIT_DATA_PATH; 2238 ad.u.path = file->f_path; 2239 2240 if (sid != fsec->sid) { 2241 rc = avc_has_perm(&selinux_state, 2242 sid, fsec->sid, 2243 SECCLASS_FD, 2244 FD__USE, 2245 &ad); 2246 if (rc) 2247 return rc; 2248 } 2249 2250 #ifdef CONFIG_BPF_SYSCALL 2251 rc = bpf_fd_pass(file, sid); 2252 if (rc) 2253 return rc; 2254 #endif 2255 2256 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2257 return 0; 2258 2259 isec = backing_inode_security(dentry); 2260 return avc_has_perm(&selinux_state, 2261 sid, isec->sid, isec->sclass, file_to_av(file), 2262 &ad); 2263 } 2264 2265 static int selinux_ptrace_access_check(struct task_struct *child, 2266 unsigned int mode) 2267 { 2268 u32 sid = current_sid(); 2269 u32 csid = task_sid(child); 2270 2271 if (mode & PTRACE_MODE_READ) 2272 return avc_has_perm(&selinux_state, 2273 sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2274 2275 return avc_has_perm(&selinux_state, 2276 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2277 } 2278 2279 static int selinux_ptrace_traceme(struct task_struct *parent) 2280 { 2281 return avc_has_perm(&selinux_state, 2282 task_sid(parent), current_sid(), SECCLASS_PROCESS, 2283 PROCESS__PTRACE, NULL); 2284 } 2285 2286 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2287 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2288 { 2289 return avc_has_perm(&selinux_state, 2290 current_sid(), task_sid(target), SECCLASS_PROCESS, 2291 PROCESS__GETCAP, NULL); 2292 } 2293 2294 static int selinux_capset(struct cred *new, const struct cred *old, 2295 const kernel_cap_t *effective, 2296 const kernel_cap_t *inheritable, 2297 const kernel_cap_t *permitted) 2298 { 2299 return avc_has_perm(&selinux_state, 2300 cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2301 PROCESS__SETCAP, NULL); 2302 } 2303 2304 /* 2305 * (This comment used to live with the selinux_task_setuid hook, 2306 * which was removed). 2307 * 2308 * Since setuid only affects the current process, and since the SELinux 2309 * controls are not based on the Linux identity attributes, SELinux does not 2310 * need to control this operation. However, SELinux does control the use of 2311 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2312 */ 2313 2314 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2315 int cap, int audit) 2316 { 2317 return cred_has_capability(cred, cap, audit, ns == &init_user_ns); 2318 } 2319 2320 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2321 { 2322 const struct cred *cred = current_cred(); 2323 int rc = 0; 2324 2325 if (!sb) 2326 return 0; 2327 2328 switch (cmds) { 2329 case Q_SYNC: 2330 case Q_QUOTAON: 2331 case Q_QUOTAOFF: 2332 case Q_SETINFO: 2333 case Q_SETQUOTA: 2334 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2335 break; 2336 case Q_GETFMT: 2337 case Q_GETINFO: 2338 case Q_GETQUOTA: 2339 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2340 break; 2341 default: 2342 rc = 0; /* let the kernel handle invalid cmds */ 2343 break; 2344 } 2345 return rc; 2346 } 2347 2348 static int selinux_quota_on(struct dentry *dentry) 2349 { 2350 const struct cred *cred = current_cred(); 2351 2352 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2353 } 2354 2355 static int selinux_syslog(int type) 2356 { 2357 switch (type) { 2358 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2359 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2360 return avc_has_perm(&selinux_state, 2361 current_sid(), SECINITSID_KERNEL, 2362 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2363 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2364 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2365 /* Set level of messages printed to console */ 2366 case SYSLOG_ACTION_CONSOLE_LEVEL: 2367 return avc_has_perm(&selinux_state, 2368 current_sid(), SECINITSID_KERNEL, 2369 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2370 NULL); 2371 } 2372 /* All other syslog types */ 2373 return avc_has_perm(&selinux_state, 2374 current_sid(), SECINITSID_KERNEL, 2375 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2376 } 2377 2378 /* 2379 * Check that a process has enough memory to allocate a new virtual 2380 * mapping. 0 means there is enough memory for the allocation to 2381 * succeed and -ENOMEM implies there is not. 2382 * 2383 * Do not audit the selinux permission check, as this is applied to all 2384 * processes that allocate mappings. 2385 */ 2386 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2387 { 2388 int rc, cap_sys_admin = 0; 2389 2390 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2391 SECURITY_CAP_NOAUDIT, true); 2392 if (rc == 0) 2393 cap_sys_admin = 1; 2394 2395 return cap_sys_admin; 2396 } 2397 2398 /* binprm security operations */ 2399 2400 static u32 ptrace_parent_sid(void) 2401 { 2402 u32 sid = 0; 2403 struct task_struct *tracer; 2404 2405 rcu_read_lock(); 2406 tracer = ptrace_parent(current); 2407 if (tracer) 2408 sid = task_sid(tracer); 2409 rcu_read_unlock(); 2410 2411 return sid; 2412 } 2413 2414 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2415 const struct task_security_struct *old_tsec, 2416 const struct task_security_struct *new_tsec) 2417 { 2418 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2419 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2420 int rc; 2421 u32 av; 2422 2423 if (!nnp && !nosuid) 2424 return 0; /* neither NNP nor nosuid */ 2425 2426 if (new_tsec->sid == old_tsec->sid) 2427 return 0; /* No change in credentials */ 2428 2429 /* 2430 * If the policy enables the nnp_nosuid_transition policy capability, 2431 * then we permit transitions under NNP or nosuid if the 2432 * policy allows the corresponding permission between 2433 * the old and new contexts. 2434 */ 2435 if (selinux_policycap_nnp_nosuid_transition()) { 2436 av = 0; 2437 if (nnp) 2438 av |= PROCESS2__NNP_TRANSITION; 2439 if (nosuid) 2440 av |= PROCESS2__NOSUID_TRANSITION; 2441 rc = avc_has_perm(&selinux_state, 2442 old_tsec->sid, new_tsec->sid, 2443 SECCLASS_PROCESS2, av, NULL); 2444 if (!rc) 2445 return 0; 2446 } 2447 2448 /* 2449 * We also permit NNP or nosuid transitions to bounded SIDs, 2450 * i.e. SIDs that are guaranteed to only be allowed a subset 2451 * of the permissions of the current SID. 2452 */ 2453 rc = security_bounded_transition(&selinux_state, old_tsec->sid, 2454 new_tsec->sid); 2455 if (!rc) 2456 return 0; 2457 2458 /* 2459 * On failure, preserve the errno values for NNP vs nosuid. 2460 * NNP: Operation not permitted for caller. 2461 * nosuid: Permission denied to file. 2462 */ 2463 if (nnp) 2464 return -EPERM; 2465 return -EACCES; 2466 } 2467 2468 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2469 { 2470 const struct task_security_struct *old_tsec; 2471 struct task_security_struct *new_tsec; 2472 struct inode_security_struct *isec; 2473 struct common_audit_data ad; 2474 struct inode *inode = file_inode(bprm->file); 2475 int rc; 2476 2477 /* SELinux context only depends on initial program or script and not 2478 * the script interpreter */ 2479 if (bprm->called_set_creds) 2480 return 0; 2481 2482 old_tsec = current_security(); 2483 new_tsec = bprm->cred->security; 2484 isec = inode_security(inode); 2485 2486 /* Default to the current task SID. */ 2487 new_tsec->sid = old_tsec->sid; 2488 new_tsec->osid = old_tsec->sid; 2489 2490 /* Reset fs, key, and sock SIDs on execve. */ 2491 new_tsec->create_sid = 0; 2492 new_tsec->keycreate_sid = 0; 2493 new_tsec->sockcreate_sid = 0; 2494 2495 if (old_tsec->exec_sid) { 2496 new_tsec->sid = old_tsec->exec_sid; 2497 /* Reset exec SID on execve. */ 2498 new_tsec->exec_sid = 0; 2499 2500 /* Fail on NNP or nosuid if not an allowed transition. */ 2501 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2502 if (rc) 2503 return rc; 2504 } else { 2505 /* Check for a default transition on this program. */ 2506 rc = security_transition_sid(&selinux_state, old_tsec->sid, 2507 isec->sid, SECCLASS_PROCESS, NULL, 2508 &new_tsec->sid); 2509 if (rc) 2510 return rc; 2511 2512 /* 2513 * Fallback to old SID on NNP or nosuid if not an allowed 2514 * transition. 2515 */ 2516 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2517 if (rc) 2518 new_tsec->sid = old_tsec->sid; 2519 } 2520 2521 ad.type = LSM_AUDIT_DATA_FILE; 2522 ad.u.file = bprm->file; 2523 2524 if (new_tsec->sid == old_tsec->sid) { 2525 rc = avc_has_perm(&selinux_state, 2526 old_tsec->sid, isec->sid, 2527 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2528 if (rc) 2529 return rc; 2530 } else { 2531 /* Check permissions for the transition. */ 2532 rc = avc_has_perm(&selinux_state, 2533 old_tsec->sid, new_tsec->sid, 2534 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2535 if (rc) 2536 return rc; 2537 2538 rc = avc_has_perm(&selinux_state, 2539 new_tsec->sid, isec->sid, 2540 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2541 if (rc) 2542 return rc; 2543 2544 /* Check for shared state */ 2545 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2546 rc = avc_has_perm(&selinux_state, 2547 old_tsec->sid, new_tsec->sid, 2548 SECCLASS_PROCESS, PROCESS__SHARE, 2549 NULL); 2550 if (rc) 2551 return -EPERM; 2552 } 2553 2554 /* Make sure that anyone attempting to ptrace over a task that 2555 * changes its SID has the appropriate permit */ 2556 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2557 u32 ptsid = ptrace_parent_sid(); 2558 if (ptsid != 0) { 2559 rc = avc_has_perm(&selinux_state, 2560 ptsid, new_tsec->sid, 2561 SECCLASS_PROCESS, 2562 PROCESS__PTRACE, NULL); 2563 if (rc) 2564 return -EPERM; 2565 } 2566 } 2567 2568 /* Clear any possibly unsafe personality bits on exec: */ 2569 bprm->per_clear |= PER_CLEAR_ON_SETID; 2570 2571 /* Enable secure mode for SIDs transitions unless 2572 the noatsecure permission is granted between 2573 the two SIDs, i.e. ahp returns 0. */ 2574 rc = avc_has_perm(&selinux_state, 2575 old_tsec->sid, new_tsec->sid, 2576 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2577 NULL); 2578 bprm->secureexec |= !!rc; 2579 } 2580 2581 return 0; 2582 } 2583 2584 static int match_file(const void *p, struct file *file, unsigned fd) 2585 { 2586 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2587 } 2588 2589 /* Derived from fs/exec.c:flush_old_files. */ 2590 static inline void flush_unauthorized_files(const struct cred *cred, 2591 struct files_struct *files) 2592 { 2593 struct file *file, *devnull = NULL; 2594 struct tty_struct *tty; 2595 int drop_tty = 0; 2596 unsigned n; 2597 2598 tty = get_current_tty(); 2599 if (tty) { 2600 spin_lock(&tty->files_lock); 2601 if (!list_empty(&tty->tty_files)) { 2602 struct tty_file_private *file_priv; 2603 2604 /* Revalidate access to controlling tty. 2605 Use file_path_has_perm on the tty path directly 2606 rather than using file_has_perm, as this particular 2607 open file may belong to another process and we are 2608 only interested in the inode-based check here. */ 2609 file_priv = list_first_entry(&tty->tty_files, 2610 struct tty_file_private, list); 2611 file = file_priv->file; 2612 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2613 drop_tty = 1; 2614 } 2615 spin_unlock(&tty->files_lock); 2616 tty_kref_put(tty); 2617 } 2618 /* Reset controlling tty. */ 2619 if (drop_tty) 2620 no_tty(); 2621 2622 /* Revalidate access to inherited open files. */ 2623 n = iterate_fd(files, 0, match_file, cred); 2624 if (!n) /* none found? */ 2625 return; 2626 2627 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2628 if (IS_ERR(devnull)) 2629 devnull = NULL; 2630 /* replace all the matching ones with this */ 2631 do { 2632 replace_fd(n - 1, devnull, 0); 2633 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2634 if (devnull) 2635 fput(devnull); 2636 } 2637 2638 /* 2639 * Prepare a process for imminent new credential changes due to exec 2640 */ 2641 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2642 { 2643 struct task_security_struct *new_tsec; 2644 struct rlimit *rlim, *initrlim; 2645 int rc, i; 2646 2647 new_tsec = bprm->cred->security; 2648 if (new_tsec->sid == new_tsec->osid) 2649 return; 2650 2651 /* Close files for which the new task SID is not authorized. */ 2652 flush_unauthorized_files(bprm->cred, current->files); 2653 2654 /* Always clear parent death signal on SID transitions. */ 2655 current->pdeath_signal = 0; 2656 2657 /* Check whether the new SID can inherit resource limits from the old 2658 * SID. If not, reset all soft limits to the lower of the current 2659 * task's hard limit and the init task's soft limit. 2660 * 2661 * Note that the setting of hard limits (even to lower them) can be 2662 * controlled by the setrlimit check. The inclusion of the init task's 2663 * soft limit into the computation is to avoid resetting soft limits 2664 * higher than the default soft limit for cases where the default is 2665 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2666 */ 2667 rc = avc_has_perm(&selinux_state, 2668 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2669 PROCESS__RLIMITINH, NULL); 2670 if (rc) { 2671 /* protect against do_prlimit() */ 2672 task_lock(current); 2673 for (i = 0; i < RLIM_NLIMITS; i++) { 2674 rlim = current->signal->rlim + i; 2675 initrlim = init_task.signal->rlim + i; 2676 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2677 } 2678 task_unlock(current); 2679 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2680 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2681 } 2682 } 2683 2684 /* 2685 * Clean up the process immediately after the installation of new credentials 2686 * due to exec 2687 */ 2688 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2689 { 2690 const struct task_security_struct *tsec = current_security(); 2691 struct itimerval itimer; 2692 u32 osid, sid; 2693 int rc, i; 2694 2695 osid = tsec->osid; 2696 sid = tsec->sid; 2697 2698 if (sid == osid) 2699 return; 2700 2701 /* Check whether the new SID can inherit signal state from the old SID. 2702 * If not, clear itimers to avoid subsequent signal generation and 2703 * flush and unblock signals. 2704 * 2705 * This must occur _after_ the task SID has been updated so that any 2706 * kill done after the flush will be checked against the new SID. 2707 */ 2708 rc = avc_has_perm(&selinux_state, 2709 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2710 if (rc) { 2711 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2712 memset(&itimer, 0, sizeof itimer); 2713 for (i = 0; i < 3; i++) 2714 do_setitimer(i, &itimer, NULL); 2715 } 2716 spin_lock_irq(¤t->sighand->siglock); 2717 if (!fatal_signal_pending(current)) { 2718 flush_sigqueue(¤t->pending); 2719 flush_sigqueue(¤t->signal->shared_pending); 2720 flush_signal_handlers(current, 1); 2721 sigemptyset(¤t->blocked); 2722 recalc_sigpending(); 2723 } 2724 spin_unlock_irq(¤t->sighand->siglock); 2725 } 2726 2727 /* Wake up the parent if it is waiting so that it can recheck 2728 * wait permission to the new task SID. */ 2729 read_lock(&tasklist_lock); 2730 __wake_up_parent(current, current->real_parent); 2731 read_unlock(&tasklist_lock); 2732 } 2733 2734 /* superblock security operations */ 2735 2736 static int selinux_sb_alloc_security(struct super_block *sb) 2737 { 2738 return superblock_alloc_security(sb); 2739 } 2740 2741 static void selinux_sb_free_security(struct super_block *sb) 2742 { 2743 superblock_free_security(sb); 2744 } 2745 2746 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2747 { 2748 if (plen > olen) 2749 return 0; 2750 2751 return !memcmp(prefix, option, plen); 2752 } 2753 2754 static inline int selinux_option(char *option, int len) 2755 { 2756 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2757 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2758 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2759 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || 2760 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); 2761 } 2762 2763 static inline void take_option(char **to, char *from, int *first, int len) 2764 { 2765 if (!*first) { 2766 **to = ','; 2767 *to += 1; 2768 } else 2769 *first = 0; 2770 memcpy(*to, from, len); 2771 *to += len; 2772 } 2773 2774 static inline void take_selinux_option(char **to, char *from, int *first, 2775 int len) 2776 { 2777 int current_size = 0; 2778 2779 if (!*first) { 2780 **to = '|'; 2781 *to += 1; 2782 } else 2783 *first = 0; 2784 2785 while (current_size < len) { 2786 if (*from != '"') { 2787 **to = *from; 2788 *to += 1; 2789 } 2790 from += 1; 2791 current_size += 1; 2792 } 2793 } 2794 2795 static int selinux_sb_copy_data(char *orig, char *copy) 2796 { 2797 int fnosec, fsec, rc = 0; 2798 char *in_save, *in_curr, *in_end; 2799 char *sec_curr, *nosec_save, *nosec; 2800 int open_quote = 0; 2801 2802 in_curr = orig; 2803 sec_curr = copy; 2804 2805 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2806 if (!nosec) { 2807 rc = -ENOMEM; 2808 goto out; 2809 } 2810 2811 nosec_save = nosec; 2812 fnosec = fsec = 1; 2813 in_save = in_end = orig; 2814 2815 do { 2816 if (*in_end == '"') 2817 open_quote = !open_quote; 2818 if ((*in_end == ',' && open_quote == 0) || 2819 *in_end == '\0') { 2820 int len = in_end - in_curr; 2821 2822 if (selinux_option(in_curr, len)) 2823 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2824 else 2825 take_option(&nosec, in_curr, &fnosec, len); 2826 2827 in_curr = in_end + 1; 2828 } 2829 } while (*in_end++); 2830 2831 strcpy(in_save, nosec_save); 2832 free_page((unsigned long)nosec_save); 2833 out: 2834 return rc; 2835 } 2836 2837 static int selinux_sb_remount(struct super_block *sb, void *data) 2838 { 2839 int rc, i, *flags; 2840 struct security_mnt_opts opts; 2841 char *secdata, **mount_options; 2842 struct superblock_security_struct *sbsec = sb->s_security; 2843 2844 if (!(sbsec->flags & SE_SBINITIALIZED)) 2845 return 0; 2846 2847 if (!data) 2848 return 0; 2849 2850 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 2851 return 0; 2852 2853 security_init_mnt_opts(&opts); 2854 secdata = alloc_secdata(); 2855 if (!secdata) 2856 return -ENOMEM; 2857 rc = selinux_sb_copy_data(data, secdata); 2858 if (rc) 2859 goto out_free_secdata; 2860 2861 rc = selinux_parse_opts_str(secdata, &opts); 2862 if (rc) 2863 goto out_free_secdata; 2864 2865 mount_options = opts.mnt_opts; 2866 flags = opts.mnt_opts_flags; 2867 2868 for (i = 0; i < opts.num_mnt_opts; i++) { 2869 u32 sid; 2870 2871 if (flags[i] == SBLABEL_MNT) 2872 continue; 2873 rc = security_context_str_to_sid(&selinux_state, 2874 mount_options[i], &sid, 2875 GFP_KERNEL); 2876 if (rc) { 2877 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 2878 "(%s) failed for (dev %s, type %s) errno=%d\n", 2879 mount_options[i], sb->s_id, sb->s_type->name, rc); 2880 goto out_free_opts; 2881 } 2882 rc = -EINVAL; 2883 switch (flags[i]) { 2884 case FSCONTEXT_MNT: 2885 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2886 goto out_bad_option; 2887 break; 2888 case CONTEXT_MNT: 2889 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2890 goto out_bad_option; 2891 break; 2892 case ROOTCONTEXT_MNT: { 2893 struct inode_security_struct *root_isec; 2894 root_isec = backing_inode_security(sb->s_root); 2895 2896 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2897 goto out_bad_option; 2898 break; 2899 } 2900 case DEFCONTEXT_MNT: 2901 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2902 goto out_bad_option; 2903 break; 2904 default: 2905 goto out_free_opts; 2906 } 2907 } 2908 2909 rc = 0; 2910 out_free_opts: 2911 security_free_mnt_opts(&opts); 2912 out_free_secdata: 2913 free_secdata(secdata); 2914 return rc; 2915 out_bad_option: 2916 printk(KERN_WARNING "SELinux: unable to change security options " 2917 "during remount (dev %s, type=%s)\n", sb->s_id, 2918 sb->s_type->name); 2919 goto out_free_opts; 2920 } 2921 2922 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2923 { 2924 const struct cred *cred = current_cred(); 2925 struct common_audit_data ad; 2926 int rc; 2927 2928 rc = superblock_doinit(sb, data); 2929 if (rc) 2930 return rc; 2931 2932 /* Allow all mounts performed by the kernel */ 2933 if (flags & MS_KERNMOUNT) 2934 return 0; 2935 2936 ad.type = LSM_AUDIT_DATA_DENTRY; 2937 ad.u.dentry = sb->s_root; 2938 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2939 } 2940 2941 static int selinux_sb_statfs(struct dentry *dentry) 2942 { 2943 const struct cred *cred = current_cred(); 2944 struct common_audit_data ad; 2945 2946 ad.type = LSM_AUDIT_DATA_DENTRY; 2947 ad.u.dentry = dentry->d_sb->s_root; 2948 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2949 } 2950 2951 static int selinux_mount(const char *dev_name, 2952 const struct path *path, 2953 const char *type, 2954 unsigned long flags, 2955 void *data) 2956 { 2957 const struct cred *cred = current_cred(); 2958 2959 if (flags & MS_REMOUNT) 2960 return superblock_has_perm(cred, path->dentry->d_sb, 2961 FILESYSTEM__REMOUNT, NULL); 2962 else 2963 return path_has_perm(cred, path, FILE__MOUNTON); 2964 } 2965 2966 static int selinux_umount(struct vfsmount *mnt, int flags) 2967 { 2968 const struct cred *cred = current_cred(); 2969 2970 return superblock_has_perm(cred, mnt->mnt_sb, 2971 FILESYSTEM__UNMOUNT, NULL); 2972 } 2973 2974 /* inode security operations */ 2975 2976 static int selinux_inode_alloc_security(struct inode *inode) 2977 { 2978 return inode_alloc_security(inode); 2979 } 2980 2981 static void selinux_inode_free_security(struct inode *inode) 2982 { 2983 inode_free_security(inode); 2984 } 2985 2986 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2987 const struct qstr *name, void **ctx, 2988 u32 *ctxlen) 2989 { 2990 u32 newsid; 2991 int rc; 2992 2993 rc = selinux_determine_inode_label(current_security(), 2994 d_inode(dentry->d_parent), name, 2995 inode_mode_to_security_class(mode), 2996 &newsid); 2997 if (rc) 2998 return rc; 2999 3000 return security_sid_to_context(&selinux_state, newsid, (char **)ctx, 3001 ctxlen); 3002 } 3003 3004 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 3005 struct qstr *name, 3006 const struct cred *old, 3007 struct cred *new) 3008 { 3009 u32 newsid; 3010 int rc; 3011 struct task_security_struct *tsec; 3012 3013 rc = selinux_determine_inode_label(old->security, 3014 d_inode(dentry->d_parent), name, 3015 inode_mode_to_security_class(mode), 3016 &newsid); 3017 if (rc) 3018 return rc; 3019 3020 tsec = new->security; 3021 tsec->create_sid = newsid; 3022 return 0; 3023 } 3024 3025 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 3026 const struct qstr *qstr, 3027 const char **name, 3028 void **value, size_t *len) 3029 { 3030 const struct task_security_struct *tsec = current_security(); 3031 struct superblock_security_struct *sbsec; 3032 u32 newsid, clen; 3033 int rc; 3034 char *context; 3035 3036 sbsec = dir->i_sb->s_security; 3037 3038 newsid = tsec->create_sid; 3039 3040 rc = selinux_determine_inode_label(current_security(), 3041 dir, qstr, 3042 inode_mode_to_security_class(inode->i_mode), 3043 &newsid); 3044 if (rc) 3045 return rc; 3046 3047 /* Possibly defer initialization to selinux_complete_init. */ 3048 if (sbsec->flags & SE_SBINITIALIZED) { 3049 struct inode_security_struct *isec = inode->i_security; 3050 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3051 isec->sid = newsid; 3052 isec->initialized = LABEL_INITIALIZED; 3053 } 3054 3055 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT)) 3056 return -EOPNOTSUPP; 3057 3058 if (name) 3059 *name = XATTR_SELINUX_SUFFIX; 3060 3061 if (value && len) { 3062 rc = security_sid_to_context_force(&selinux_state, newsid, 3063 &context, &clen); 3064 if (rc) 3065 return rc; 3066 *value = context; 3067 *len = clen; 3068 } 3069 3070 return 0; 3071 } 3072 3073 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 3074 { 3075 return may_create(dir, dentry, SECCLASS_FILE); 3076 } 3077 3078 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 3079 { 3080 return may_link(dir, old_dentry, MAY_LINK); 3081 } 3082 3083 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 3084 { 3085 return may_link(dir, dentry, MAY_UNLINK); 3086 } 3087 3088 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 3089 { 3090 return may_create(dir, dentry, SECCLASS_LNK_FILE); 3091 } 3092 3093 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 3094 { 3095 return may_create(dir, dentry, SECCLASS_DIR); 3096 } 3097 3098 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 3099 { 3100 return may_link(dir, dentry, MAY_RMDIR); 3101 } 3102 3103 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 3104 { 3105 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 3106 } 3107 3108 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3109 struct inode *new_inode, struct dentry *new_dentry) 3110 { 3111 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3112 } 3113 3114 static int selinux_inode_readlink(struct dentry *dentry) 3115 { 3116 const struct cred *cred = current_cred(); 3117 3118 return dentry_has_perm(cred, dentry, FILE__READ); 3119 } 3120 3121 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3122 bool rcu) 3123 { 3124 const struct cred *cred = current_cred(); 3125 struct common_audit_data ad; 3126 struct inode_security_struct *isec; 3127 u32 sid; 3128 3129 validate_creds(cred); 3130 3131 ad.type = LSM_AUDIT_DATA_DENTRY; 3132 ad.u.dentry = dentry; 3133 sid = cred_sid(cred); 3134 isec = inode_security_rcu(inode, rcu); 3135 if (IS_ERR(isec)) 3136 return PTR_ERR(isec); 3137 3138 return avc_has_perm_flags(&selinux_state, 3139 sid, isec->sid, isec->sclass, FILE__READ, &ad, 3140 rcu ? MAY_NOT_BLOCK : 0); 3141 } 3142 3143 static noinline int audit_inode_permission(struct inode *inode, 3144 u32 perms, u32 audited, u32 denied, 3145 int result, 3146 unsigned flags) 3147 { 3148 struct common_audit_data ad; 3149 struct inode_security_struct *isec = inode->i_security; 3150 int rc; 3151 3152 ad.type = LSM_AUDIT_DATA_INODE; 3153 ad.u.inode = inode; 3154 3155 rc = slow_avc_audit(&selinux_state, 3156 current_sid(), isec->sid, isec->sclass, perms, 3157 audited, denied, result, &ad, flags); 3158 if (rc) 3159 return rc; 3160 return 0; 3161 } 3162 3163 static int selinux_inode_permission(struct inode *inode, int mask) 3164 { 3165 const struct cred *cred = current_cred(); 3166 u32 perms; 3167 bool from_access; 3168 unsigned flags = mask & MAY_NOT_BLOCK; 3169 struct inode_security_struct *isec; 3170 u32 sid; 3171 struct av_decision avd; 3172 int rc, rc2; 3173 u32 audited, denied; 3174 3175 from_access = mask & MAY_ACCESS; 3176 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3177 3178 /* No permission to check. Existence test. */ 3179 if (!mask) 3180 return 0; 3181 3182 validate_creds(cred); 3183 3184 if (unlikely(IS_PRIVATE(inode))) 3185 return 0; 3186 3187 perms = file_mask_to_av(inode->i_mode, mask); 3188 3189 sid = cred_sid(cred); 3190 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK); 3191 if (IS_ERR(isec)) 3192 return PTR_ERR(isec); 3193 3194 rc = avc_has_perm_noaudit(&selinux_state, 3195 sid, isec->sid, isec->sclass, perms, 0, &avd); 3196 audited = avc_audit_required(perms, &avd, rc, 3197 from_access ? FILE__AUDIT_ACCESS : 0, 3198 &denied); 3199 if (likely(!audited)) 3200 return rc; 3201 3202 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); 3203 if (rc2) 3204 return rc2; 3205 return rc; 3206 } 3207 3208 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3209 { 3210 const struct cred *cred = current_cred(); 3211 struct inode *inode = d_backing_inode(dentry); 3212 unsigned int ia_valid = iattr->ia_valid; 3213 __u32 av = FILE__WRITE; 3214 3215 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3216 if (ia_valid & ATTR_FORCE) { 3217 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3218 ATTR_FORCE); 3219 if (!ia_valid) 3220 return 0; 3221 } 3222 3223 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3224 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3225 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3226 3227 if (selinux_policycap_openperm() && 3228 inode->i_sb->s_magic != SOCKFS_MAGIC && 3229 (ia_valid & ATTR_SIZE) && 3230 !(ia_valid & ATTR_FILE)) 3231 av |= FILE__OPEN; 3232 3233 return dentry_has_perm(cred, dentry, av); 3234 } 3235 3236 static int selinux_inode_getattr(const struct path *path) 3237 { 3238 return path_has_perm(current_cred(), path, FILE__GETATTR); 3239 } 3240 3241 static bool has_cap_mac_admin(bool audit) 3242 { 3243 const struct cred *cred = current_cred(); 3244 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT; 3245 3246 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit)) 3247 return false; 3248 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true)) 3249 return false; 3250 return true; 3251 } 3252 3253 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3254 const void *value, size_t size, int flags) 3255 { 3256 struct inode *inode = d_backing_inode(dentry); 3257 struct inode_security_struct *isec; 3258 struct superblock_security_struct *sbsec; 3259 struct common_audit_data ad; 3260 u32 newsid, sid = current_sid(); 3261 int rc = 0; 3262 3263 if (strcmp(name, XATTR_NAME_SELINUX)) { 3264 rc = cap_inode_setxattr(dentry, name, value, size, flags); 3265 if (rc) 3266 return rc; 3267 3268 /* Not an attribute we recognize, so just check the 3269 ordinary setattr permission. */ 3270 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3271 } 3272 3273 sbsec = inode->i_sb->s_security; 3274 if (!(sbsec->flags & SBLABEL_MNT)) 3275 return -EOPNOTSUPP; 3276 3277 if (!inode_owner_or_capable(inode)) 3278 return -EPERM; 3279 3280 ad.type = LSM_AUDIT_DATA_DENTRY; 3281 ad.u.dentry = dentry; 3282 3283 isec = backing_inode_security(dentry); 3284 rc = avc_has_perm(&selinux_state, 3285 sid, isec->sid, isec->sclass, 3286 FILE__RELABELFROM, &ad); 3287 if (rc) 3288 return rc; 3289 3290 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3291 GFP_KERNEL); 3292 if (rc == -EINVAL) { 3293 if (!has_cap_mac_admin(true)) { 3294 struct audit_buffer *ab; 3295 size_t audit_size; 3296 3297 /* We strip a nul only if it is at the end, otherwise the 3298 * context contains a nul and we should audit that */ 3299 if (value) { 3300 const char *str = value; 3301 3302 if (str[size - 1] == '\0') 3303 audit_size = size - 1; 3304 else 3305 audit_size = size; 3306 } else { 3307 audit_size = 0; 3308 } 3309 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 3310 audit_log_format(ab, "op=setxattr invalid_context="); 3311 audit_log_n_untrustedstring(ab, value, audit_size); 3312 audit_log_end(ab); 3313 3314 return rc; 3315 } 3316 rc = security_context_to_sid_force(&selinux_state, value, 3317 size, &newsid); 3318 } 3319 if (rc) 3320 return rc; 3321 3322 rc = avc_has_perm(&selinux_state, 3323 sid, newsid, isec->sclass, 3324 FILE__RELABELTO, &ad); 3325 if (rc) 3326 return rc; 3327 3328 rc = security_validate_transition(&selinux_state, isec->sid, newsid, 3329 sid, isec->sclass); 3330 if (rc) 3331 return rc; 3332 3333 return avc_has_perm(&selinux_state, 3334 newsid, 3335 sbsec->sid, 3336 SECCLASS_FILESYSTEM, 3337 FILESYSTEM__ASSOCIATE, 3338 &ad); 3339 } 3340 3341 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3342 const void *value, size_t size, 3343 int flags) 3344 { 3345 struct inode *inode = d_backing_inode(dentry); 3346 struct inode_security_struct *isec; 3347 u32 newsid; 3348 int rc; 3349 3350 if (strcmp(name, XATTR_NAME_SELINUX)) { 3351 /* Not an attribute we recognize, so nothing to do. */ 3352 return; 3353 } 3354 3355 rc = security_context_to_sid_force(&selinux_state, value, size, 3356 &newsid); 3357 if (rc) { 3358 printk(KERN_ERR "SELinux: unable to map context to SID" 3359 "for (%s, %lu), rc=%d\n", 3360 inode->i_sb->s_id, inode->i_ino, -rc); 3361 return; 3362 } 3363 3364 isec = backing_inode_security(dentry); 3365 spin_lock(&isec->lock); 3366 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3367 isec->sid = newsid; 3368 isec->initialized = LABEL_INITIALIZED; 3369 spin_unlock(&isec->lock); 3370 3371 return; 3372 } 3373 3374 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3375 { 3376 const struct cred *cred = current_cred(); 3377 3378 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3379 } 3380 3381 static int selinux_inode_listxattr(struct dentry *dentry) 3382 { 3383 const struct cred *cred = current_cred(); 3384 3385 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3386 } 3387 3388 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3389 { 3390 if (strcmp(name, XATTR_NAME_SELINUX)) { 3391 int rc = cap_inode_removexattr(dentry, name); 3392 if (rc) 3393 return rc; 3394 3395 /* Not an attribute we recognize, so just check the 3396 ordinary setattr permission. */ 3397 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3398 } 3399 3400 /* No one is allowed to remove a SELinux security label. 3401 You can change the label, but all data must be labeled. */ 3402 return -EACCES; 3403 } 3404 3405 /* 3406 * Copy the inode security context value to the user. 3407 * 3408 * Permission check is handled by selinux_inode_getxattr hook. 3409 */ 3410 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3411 { 3412 u32 size; 3413 int error; 3414 char *context = NULL; 3415 struct inode_security_struct *isec; 3416 3417 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3418 return -EOPNOTSUPP; 3419 3420 /* 3421 * If the caller has CAP_MAC_ADMIN, then get the raw context 3422 * value even if it is not defined by current policy; otherwise, 3423 * use the in-core value under current policy. 3424 * Use the non-auditing forms of the permission checks since 3425 * getxattr may be called by unprivileged processes commonly 3426 * and lack of permission just means that we fall back to the 3427 * in-core context value, not a denial. 3428 */ 3429 isec = inode_security(inode); 3430 if (has_cap_mac_admin(false)) 3431 error = security_sid_to_context_force(&selinux_state, 3432 isec->sid, &context, 3433 &size); 3434 else 3435 error = security_sid_to_context(&selinux_state, isec->sid, 3436 &context, &size); 3437 if (error) 3438 return error; 3439 error = size; 3440 if (alloc) { 3441 *buffer = context; 3442 goto out_nofree; 3443 } 3444 kfree(context); 3445 out_nofree: 3446 return error; 3447 } 3448 3449 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3450 const void *value, size_t size, int flags) 3451 { 3452 struct inode_security_struct *isec = inode_security_novalidate(inode); 3453 u32 newsid; 3454 int rc; 3455 3456 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3457 return -EOPNOTSUPP; 3458 3459 if (!value || !size) 3460 return -EACCES; 3461 3462 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3463 GFP_KERNEL); 3464 if (rc) 3465 return rc; 3466 3467 spin_lock(&isec->lock); 3468 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3469 isec->sid = newsid; 3470 isec->initialized = LABEL_INITIALIZED; 3471 spin_unlock(&isec->lock); 3472 return 0; 3473 } 3474 3475 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3476 { 3477 const int len = sizeof(XATTR_NAME_SELINUX); 3478 if (buffer && len <= buffer_size) 3479 memcpy(buffer, XATTR_NAME_SELINUX, len); 3480 return len; 3481 } 3482 3483 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3484 { 3485 struct inode_security_struct *isec = inode_security_novalidate(inode); 3486 *secid = isec->sid; 3487 } 3488 3489 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3490 { 3491 u32 sid; 3492 struct task_security_struct *tsec; 3493 struct cred *new_creds = *new; 3494 3495 if (new_creds == NULL) { 3496 new_creds = prepare_creds(); 3497 if (!new_creds) 3498 return -ENOMEM; 3499 } 3500 3501 tsec = new_creds->security; 3502 /* Get label from overlay inode and set it in create_sid */ 3503 selinux_inode_getsecid(d_inode(src), &sid); 3504 tsec->create_sid = sid; 3505 *new = new_creds; 3506 return 0; 3507 } 3508 3509 static int selinux_inode_copy_up_xattr(const char *name) 3510 { 3511 /* The copy_up hook above sets the initial context on an inode, but we 3512 * don't then want to overwrite it by blindly copying all the lower 3513 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3514 */ 3515 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3516 return 1; /* Discard */ 3517 /* 3518 * Any other attribute apart from SELINUX is not claimed, supported 3519 * by selinux. 3520 */ 3521 return -EOPNOTSUPP; 3522 } 3523 3524 /* file security operations */ 3525 3526 static int selinux_revalidate_file_permission(struct file *file, int mask) 3527 { 3528 const struct cred *cred = current_cred(); 3529 struct inode *inode = file_inode(file); 3530 3531 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3532 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3533 mask |= MAY_APPEND; 3534 3535 return file_has_perm(cred, file, 3536 file_mask_to_av(inode->i_mode, mask)); 3537 } 3538 3539 static int selinux_file_permission(struct file *file, int mask) 3540 { 3541 struct inode *inode = file_inode(file); 3542 struct file_security_struct *fsec = file->f_security; 3543 struct inode_security_struct *isec; 3544 u32 sid = current_sid(); 3545 3546 if (!mask) 3547 /* No permission to check. Existence test. */ 3548 return 0; 3549 3550 isec = inode_security(inode); 3551 if (sid == fsec->sid && fsec->isid == isec->sid && 3552 fsec->pseqno == avc_policy_seqno(&selinux_state)) 3553 /* No change since file_open check. */ 3554 return 0; 3555 3556 return selinux_revalidate_file_permission(file, mask); 3557 } 3558 3559 static int selinux_file_alloc_security(struct file *file) 3560 { 3561 return file_alloc_security(file); 3562 } 3563 3564 static void selinux_file_free_security(struct file *file) 3565 { 3566 file_free_security(file); 3567 } 3568 3569 /* 3570 * Check whether a task has the ioctl permission and cmd 3571 * operation to an inode. 3572 */ 3573 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3574 u32 requested, u16 cmd) 3575 { 3576 struct common_audit_data ad; 3577 struct file_security_struct *fsec = file->f_security; 3578 struct inode *inode = file_inode(file); 3579 struct inode_security_struct *isec; 3580 struct lsm_ioctlop_audit ioctl; 3581 u32 ssid = cred_sid(cred); 3582 int rc; 3583 u8 driver = cmd >> 8; 3584 u8 xperm = cmd & 0xff; 3585 3586 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3587 ad.u.op = &ioctl; 3588 ad.u.op->cmd = cmd; 3589 ad.u.op->path = file->f_path; 3590 3591 if (ssid != fsec->sid) { 3592 rc = avc_has_perm(&selinux_state, 3593 ssid, fsec->sid, 3594 SECCLASS_FD, 3595 FD__USE, 3596 &ad); 3597 if (rc) 3598 goto out; 3599 } 3600 3601 if (unlikely(IS_PRIVATE(inode))) 3602 return 0; 3603 3604 isec = inode_security(inode); 3605 rc = avc_has_extended_perms(&selinux_state, 3606 ssid, isec->sid, isec->sclass, 3607 requested, driver, xperm, &ad); 3608 out: 3609 return rc; 3610 } 3611 3612 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3613 unsigned long arg) 3614 { 3615 const struct cred *cred = current_cred(); 3616 int error = 0; 3617 3618 switch (cmd) { 3619 case FIONREAD: 3620 /* fall through */ 3621 case FIBMAP: 3622 /* fall through */ 3623 case FIGETBSZ: 3624 /* fall through */ 3625 case FS_IOC_GETFLAGS: 3626 /* fall through */ 3627 case FS_IOC_GETVERSION: 3628 error = file_has_perm(cred, file, FILE__GETATTR); 3629 break; 3630 3631 case FS_IOC_SETFLAGS: 3632 /* fall through */ 3633 case FS_IOC_SETVERSION: 3634 error = file_has_perm(cred, file, FILE__SETATTR); 3635 break; 3636 3637 /* sys_ioctl() checks */ 3638 case FIONBIO: 3639 /* fall through */ 3640 case FIOASYNC: 3641 error = file_has_perm(cred, file, 0); 3642 break; 3643 3644 case KDSKBENT: 3645 case KDSKBSENT: 3646 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3647 SECURITY_CAP_AUDIT, true); 3648 break; 3649 3650 /* default case assumes that the command will go 3651 * to the file's ioctl() function. 3652 */ 3653 default: 3654 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3655 } 3656 return error; 3657 } 3658 3659 static int default_noexec; 3660 3661 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3662 { 3663 const struct cred *cred = current_cred(); 3664 u32 sid = cred_sid(cred); 3665 int rc = 0; 3666 3667 if (default_noexec && 3668 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3669 (!shared && (prot & PROT_WRITE)))) { 3670 /* 3671 * We are making executable an anonymous mapping or a 3672 * private file mapping that will also be writable. 3673 * This has an additional check. 3674 */ 3675 rc = avc_has_perm(&selinux_state, 3676 sid, sid, SECCLASS_PROCESS, 3677 PROCESS__EXECMEM, NULL); 3678 if (rc) 3679 goto error; 3680 } 3681 3682 if (file) { 3683 /* read access is always possible with a mapping */ 3684 u32 av = FILE__READ; 3685 3686 /* write access only matters if the mapping is shared */ 3687 if (shared && (prot & PROT_WRITE)) 3688 av |= FILE__WRITE; 3689 3690 if (prot & PROT_EXEC) 3691 av |= FILE__EXECUTE; 3692 3693 return file_has_perm(cred, file, av); 3694 } 3695 3696 error: 3697 return rc; 3698 } 3699 3700 static int selinux_mmap_addr(unsigned long addr) 3701 { 3702 int rc = 0; 3703 3704 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3705 u32 sid = current_sid(); 3706 rc = avc_has_perm(&selinux_state, 3707 sid, sid, SECCLASS_MEMPROTECT, 3708 MEMPROTECT__MMAP_ZERO, NULL); 3709 } 3710 3711 return rc; 3712 } 3713 3714 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3715 unsigned long prot, unsigned long flags) 3716 { 3717 struct common_audit_data ad; 3718 int rc; 3719 3720 if (file) { 3721 ad.type = LSM_AUDIT_DATA_FILE; 3722 ad.u.file = file; 3723 rc = inode_has_perm(current_cred(), file_inode(file), 3724 FILE__MAP, &ad); 3725 if (rc) 3726 return rc; 3727 } 3728 3729 if (selinux_state.checkreqprot) 3730 prot = reqprot; 3731 3732 return file_map_prot_check(file, prot, 3733 (flags & MAP_TYPE) == MAP_SHARED); 3734 } 3735 3736 static int selinux_file_mprotect(struct vm_area_struct *vma, 3737 unsigned long reqprot, 3738 unsigned long prot) 3739 { 3740 const struct cred *cred = current_cred(); 3741 u32 sid = cred_sid(cred); 3742 3743 if (selinux_state.checkreqprot) 3744 prot = reqprot; 3745 3746 if (default_noexec && 3747 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3748 int rc = 0; 3749 if (vma->vm_start >= vma->vm_mm->start_brk && 3750 vma->vm_end <= vma->vm_mm->brk) { 3751 rc = avc_has_perm(&selinux_state, 3752 sid, sid, SECCLASS_PROCESS, 3753 PROCESS__EXECHEAP, NULL); 3754 } else if (!vma->vm_file && 3755 ((vma->vm_start <= vma->vm_mm->start_stack && 3756 vma->vm_end >= vma->vm_mm->start_stack) || 3757 vma_is_stack_for_current(vma))) { 3758 rc = avc_has_perm(&selinux_state, 3759 sid, sid, SECCLASS_PROCESS, 3760 PROCESS__EXECSTACK, NULL); 3761 } else if (vma->vm_file && vma->anon_vma) { 3762 /* 3763 * We are making executable a file mapping that has 3764 * had some COW done. Since pages might have been 3765 * written, check ability to execute the possibly 3766 * modified content. This typically should only 3767 * occur for text relocations. 3768 */ 3769 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3770 } 3771 if (rc) 3772 return rc; 3773 } 3774 3775 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3776 } 3777 3778 static int selinux_file_lock(struct file *file, unsigned int cmd) 3779 { 3780 const struct cred *cred = current_cred(); 3781 3782 return file_has_perm(cred, file, FILE__LOCK); 3783 } 3784 3785 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3786 unsigned long arg) 3787 { 3788 const struct cred *cred = current_cred(); 3789 int err = 0; 3790 3791 switch (cmd) { 3792 case F_SETFL: 3793 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3794 err = file_has_perm(cred, file, FILE__WRITE); 3795 break; 3796 } 3797 /* fall through */ 3798 case F_SETOWN: 3799 case F_SETSIG: 3800 case F_GETFL: 3801 case F_GETOWN: 3802 case F_GETSIG: 3803 case F_GETOWNER_UIDS: 3804 /* Just check FD__USE permission */ 3805 err = file_has_perm(cred, file, 0); 3806 break; 3807 case F_GETLK: 3808 case F_SETLK: 3809 case F_SETLKW: 3810 case F_OFD_GETLK: 3811 case F_OFD_SETLK: 3812 case F_OFD_SETLKW: 3813 #if BITS_PER_LONG == 32 3814 case F_GETLK64: 3815 case F_SETLK64: 3816 case F_SETLKW64: 3817 #endif 3818 err = file_has_perm(cred, file, FILE__LOCK); 3819 break; 3820 } 3821 3822 return err; 3823 } 3824 3825 static void selinux_file_set_fowner(struct file *file) 3826 { 3827 struct file_security_struct *fsec; 3828 3829 fsec = file->f_security; 3830 fsec->fown_sid = current_sid(); 3831 } 3832 3833 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3834 struct fown_struct *fown, int signum) 3835 { 3836 struct file *file; 3837 u32 sid = task_sid(tsk); 3838 u32 perm; 3839 struct file_security_struct *fsec; 3840 3841 /* struct fown_struct is never outside the context of a struct file */ 3842 file = container_of(fown, struct file, f_owner); 3843 3844 fsec = file->f_security; 3845 3846 if (!signum) 3847 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3848 else 3849 perm = signal_to_av(signum); 3850 3851 return avc_has_perm(&selinux_state, 3852 fsec->fown_sid, sid, 3853 SECCLASS_PROCESS, perm, NULL); 3854 } 3855 3856 static int selinux_file_receive(struct file *file) 3857 { 3858 const struct cred *cred = current_cred(); 3859 3860 return file_has_perm(cred, file, file_to_av(file)); 3861 } 3862 3863 static int selinux_file_open(struct file *file, const struct cred *cred) 3864 { 3865 struct file_security_struct *fsec; 3866 struct inode_security_struct *isec; 3867 3868 fsec = file->f_security; 3869 isec = inode_security(file_inode(file)); 3870 /* 3871 * Save inode label and policy sequence number 3872 * at open-time so that selinux_file_permission 3873 * can determine whether revalidation is necessary. 3874 * Task label is already saved in the file security 3875 * struct as its SID. 3876 */ 3877 fsec->isid = isec->sid; 3878 fsec->pseqno = avc_policy_seqno(&selinux_state); 3879 /* 3880 * Since the inode label or policy seqno may have changed 3881 * between the selinux_inode_permission check and the saving 3882 * of state above, recheck that access is still permitted. 3883 * Otherwise, access might never be revalidated against the 3884 * new inode label or new policy. 3885 * This check is not redundant - do not remove. 3886 */ 3887 return file_path_has_perm(cred, file, open_file_to_av(file)); 3888 } 3889 3890 /* task security operations */ 3891 3892 static int selinux_task_alloc(struct task_struct *task, 3893 unsigned long clone_flags) 3894 { 3895 u32 sid = current_sid(); 3896 3897 return avc_has_perm(&selinux_state, 3898 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3899 } 3900 3901 /* 3902 * allocate the SELinux part of blank credentials 3903 */ 3904 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3905 { 3906 struct task_security_struct *tsec; 3907 3908 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3909 if (!tsec) 3910 return -ENOMEM; 3911 3912 cred->security = tsec; 3913 return 0; 3914 } 3915 3916 /* 3917 * detach and free the LSM part of a set of credentials 3918 */ 3919 static void selinux_cred_free(struct cred *cred) 3920 { 3921 struct task_security_struct *tsec = cred->security; 3922 3923 /* 3924 * cred->security == NULL if security_cred_alloc_blank() or 3925 * security_prepare_creds() returned an error. 3926 */ 3927 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); 3928 cred->security = (void *) 0x7UL; 3929 kfree(tsec); 3930 } 3931 3932 /* 3933 * prepare a new set of credentials for modification 3934 */ 3935 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3936 gfp_t gfp) 3937 { 3938 const struct task_security_struct *old_tsec; 3939 struct task_security_struct *tsec; 3940 3941 old_tsec = old->security; 3942 3943 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3944 if (!tsec) 3945 return -ENOMEM; 3946 3947 new->security = tsec; 3948 return 0; 3949 } 3950 3951 /* 3952 * transfer the SELinux data to a blank set of creds 3953 */ 3954 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3955 { 3956 const struct task_security_struct *old_tsec = old->security; 3957 struct task_security_struct *tsec = new->security; 3958 3959 *tsec = *old_tsec; 3960 } 3961 3962 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 3963 { 3964 *secid = cred_sid(c); 3965 } 3966 3967 /* 3968 * set the security data for a kernel service 3969 * - all the creation contexts are set to unlabelled 3970 */ 3971 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3972 { 3973 struct task_security_struct *tsec = new->security; 3974 u32 sid = current_sid(); 3975 int ret; 3976 3977 ret = avc_has_perm(&selinux_state, 3978 sid, secid, 3979 SECCLASS_KERNEL_SERVICE, 3980 KERNEL_SERVICE__USE_AS_OVERRIDE, 3981 NULL); 3982 if (ret == 0) { 3983 tsec->sid = secid; 3984 tsec->create_sid = 0; 3985 tsec->keycreate_sid = 0; 3986 tsec->sockcreate_sid = 0; 3987 } 3988 return ret; 3989 } 3990 3991 /* 3992 * set the file creation context in a security record to the same as the 3993 * objective context of the specified inode 3994 */ 3995 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3996 { 3997 struct inode_security_struct *isec = inode_security(inode); 3998 struct task_security_struct *tsec = new->security; 3999 u32 sid = current_sid(); 4000 int ret; 4001 4002 ret = avc_has_perm(&selinux_state, 4003 sid, isec->sid, 4004 SECCLASS_KERNEL_SERVICE, 4005 KERNEL_SERVICE__CREATE_FILES_AS, 4006 NULL); 4007 4008 if (ret == 0) 4009 tsec->create_sid = isec->sid; 4010 return ret; 4011 } 4012 4013 static int selinux_kernel_module_request(char *kmod_name) 4014 { 4015 struct common_audit_data ad; 4016 4017 ad.type = LSM_AUDIT_DATA_KMOD; 4018 ad.u.kmod_name = kmod_name; 4019 4020 return avc_has_perm(&selinux_state, 4021 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4022 SYSTEM__MODULE_REQUEST, &ad); 4023 } 4024 4025 static int selinux_kernel_module_from_file(struct file *file) 4026 { 4027 struct common_audit_data ad; 4028 struct inode_security_struct *isec; 4029 struct file_security_struct *fsec; 4030 u32 sid = current_sid(); 4031 int rc; 4032 4033 /* init_module */ 4034 if (file == NULL) 4035 return avc_has_perm(&selinux_state, 4036 sid, sid, SECCLASS_SYSTEM, 4037 SYSTEM__MODULE_LOAD, NULL); 4038 4039 /* finit_module */ 4040 4041 ad.type = LSM_AUDIT_DATA_FILE; 4042 ad.u.file = file; 4043 4044 fsec = file->f_security; 4045 if (sid != fsec->sid) { 4046 rc = avc_has_perm(&selinux_state, 4047 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4048 if (rc) 4049 return rc; 4050 } 4051 4052 isec = inode_security(file_inode(file)); 4053 return avc_has_perm(&selinux_state, 4054 sid, isec->sid, SECCLASS_SYSTEM, 4055 SYSTEM__MODULE_LOAD, &ad); 4056 } 4057 4058 static int selinux_kernel_read_file(struct file *file, 4059 enum kernel_read_file_id id) 4060 { 4061 int rc = 0; 4062 4063 switch (id) { 4064 case READING_MODULE: 4065 rc = selinux_kernel_module_from_file(file); 4066 break; 4067 default: 4068 break; 4069 } 4070 4071 return rc; 4072 } 4073 4074 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4075 { 4076 return avc_has_perm(&selinux_state, 4077 current_sid(), task_sid(p), SECCLASS_PROCESS, 4078 PROCESS__SETPGID, NULL); 4079 } 4080 4081 static int selinux_task_getpgid(struct task_struct *p) 4082 { 4083 return avc_has_perm(&selinux_state, 4084 current_sid(), task_sid(p), SECCLASS_PROCESS, 4085 PROCESS__GETPGID, NULL); 4086 } 4087 4088 static int selinux_task_getsid(struct task_struct *p) 4089 { 4090 return avc_has_perm(&selinux_state, 4091 current_sid(), task_sid(p), SECCLASS_PROCESS, 4092 PROCESS__GETSESSION, NULL); 4093 } 4094 4095 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 4096 { 4097 *secid = task_sid(p); 4098 } 4099 4100 static int selinux_task_setnice(struct task_struct *p, int nice) 4101 { 4102 return avc_has_perm(&selinux_state, 4103 current_sid(), task_sid(p), SECCLASS_PROCESS, 4104 PROCESS__SETSCHED, NULL); 4105 } 4106 4107 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4108 { 4109 return avc_has_perm(&selinux_state, 4110 current_sid(), task_sid(p), SECCLASS_PROCESS, 4111 PROCESS__SETSCHED, NULL); 4112 } 4113 4114 static int selinux_task_getioprio(struct task_struct *p) 4115 { 4116 return avc_has_perm(&selinux_state, 4117 current_sid(), task_sid(p), SECCLASS_PROCESS, 4118 PROCESS__GETSCHED, NULL); 4119 } 4120 4121 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4122 unsigned int flags) 4123 { 4124 u32 av = 0; 4125 4126 if (!flags) 4127 return 0; 4128 if (flags & LSM_PRLIMIT_WRITE) 4129 av |= PROCESS__SETRLIMIT; 4130 if (flags & LSM_PRLIMIT_READ) 4131 av |= PROCESS__GETRLIMIT; 4132 return avc_has_perm(&selinux_state, 4133 cred_sid(cred), cred_sid(tcred), 4134 SECCLASS_PROCESS, av, NULL); 4135 } 4136 4137 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4138 struct rlimit *new_rlim) 4139 { 4140 struct rlimit *old_rlim = p->signal->rlim + resource; 4141 4142 /* Control the ability to change the hard limit (whether 4143 lowering or raising it), so that the hard limit can 4144 later be used as a safe reset point for the soft limit 4145 upon context transitions. See selinux_bprm_committing_creds. */ 4146 if (old_rlim->rlim_max != new_rlim->rlim_max) 4147 return avc_has_perm(&selinux_state, 4148 current_sid(), task_sid(p), 4149 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4150 4151 return 0; 4152 } 4153 4154 static int selinux_task_setscheduler(struct task_struct *p) 4155 { 4156 return avc_has_perm(&selinux_state, 4157 current_sid(), task_sid(p), SECCLASS_PROCESS, 4158 PROCESS__SETSCHED, NULL); 4159 } 4160 4161 static int selinux_task_getscheduler(struct task_struct *p) 4162 { 4163 return avc_has_perm(&selinux_state, 4164 current_sid(), task_sid(p), SECCLASS_PROCESS, 4165 PROCESS__GETSCHED, NULL); 4166 } 4167 4168 static int selinux_task_movememory(struct task_struct *p) 4169 { 4170 return avc_has_perm(&selinux_state, 4171 current_sid(), task_sid(p), SECCLASS_PROCESS, 4172 PROCESS__SETSCHED, NULL); 4173 } 4174 4175 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 4176 int sig, const struct cred *cred) 4177 { 4178 u32 secid; 4179 u32 perm; 4180 4181 if (!sig) 4182 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4183 else 4184 perm = signal_to_av(sig); 4185 if (!cred) 4186 secid = current_sid(); 4187 else 4188 secid = cred_sid(cred); 4189 return avc_has_perm(&selinux_state, 4190 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4191 } 4192 4193 static void selinux_task_to_inode(struct task_struct *p, 4194 struct inode *inode) 4195 { 4196 struct inode_security_struct *isec = inode->i_security; 4197 u32 sid = task_sid(p); 4198 4199 spin_lock(&isec->lock); 4200 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4201 isec->sid = sid; 4202 isec->initialized = LABEL_INITIALIZED; 4203 spin_unlock(&isec->lock); 4204 } 4205 4206 /* Returns error only if unable to parse addresses */ 4207 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4208 struct common_audit_data *ad, u8 *proto) 4209 { 4210 int offset, ihlen, ret = -EINVAL; 4211 struct iphdr _iph, *ih; 4212 4213 offset = skb_network_offset(skb); 4214 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4215 if (ih == NULL) 4216 goto out; 4217 4218 ihlen = ih->ihl * 4; 4219 if (ihlen < sizeof(_iph)) 4220 goto out; 4221 4222 ad->u.net->v4info.saddr = ih->saddr; 4223 ad->u.net->v4info.daddr = ih->daddr; 4224 ret = 0; 4225 4226 if (proto) 4227 *proto = ih->protocol; 4228 4229 switch (ih->protocol) { 4230 case IPPROTO_TCP: { 4231 struct tcphdr _tcph, *th; 4232 4233 if (ntohs(ih->frag_off) & IP_OFFSET) 4234 break; 4235 4236 offset += ihlen; 4237 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4238 if (th == NULL) 4239 break; 4240 4241 ad->u.net->sport = th->source; 4242 ad->u.net->dport = th->dest; 4243 break; 4244 } 4245 4246 case IPPROTO_UDP: { 4247 struct udphdr _udph, *uh; 4248 4249 if (ntohs(ih->frag_off) & IP_OFFSET) 4250 break; 4251 4252 offset += ihlen; 4253 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4254 if (uh == NULL) 4255 break; 4256 4257 ad->u.net->sport = uh->source; 4258 ad->u.net->dport = uh->dest; 4259 break; 4260 } 4261 4262 case IPPROTO_DCCP: { 4263 struct dccp_hdr _dccph, *dh; 4264 4265 if (ntohs(ih->frag_off) & IP_OFFSET) 4266 break; 4267 4268 offset += ihlen; 4269 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4270 if (dh == NULL) 4271 break; 4272 4273 ad->u.net->sport = dh->dccph_sport; 4274 ad->u.net->dport = dh->dccph_dport; 4275 break; 4276 } 4277 4278 #if IS_ENABLED(CONFIG_IP_SCTP) 4279 case IPPROTO_SCTP: { 4280 struct sctphdr _sctph, *sh; 4281 4282 if (ntohs(ih->frag_off) & IP_OFFSET) 4283 break; 4284 4285 offset += ihlen; 4286 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4287 if (sh == NULL) 4288 break; 4289 4290 ad->u.net->sport = sh->source; 4291 ad->u.net->dport = sh->dest; 4292 break; 4293 } 4294 #endif 4295 default: 4296 break; 4297 } 4298 out: 4299 return ret; 4300 } 4301 4302 #if IS_ENABLED(CONFIG_IPV6) 4303 4304 /* Returns error only if unable to parse addresses */ 4305 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4306 struct common_audit_data *ad, u8 *proto) 4307 { 4308 u8 nexthdr; 4309 int ret = -EINVAL, offset; 4310 struct ipv6hdr _ipv6h, *ip6; 4311 __be16 frag_off; 4312 4313 offset = skb_network_offset(skb); 4314 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4315 if (ip6 == NULL) 4316 goto out; 4317 4318 ad->u.net->v6info.saddr = ip6->saddr; 4319 ad->u.net->v6info.daddr = ip6->daddr; 4320 ret = 0; 4321 4322 nexthdr = ip6->nexthdr; 4323 offset += sizeof(_ipv6h); 4324 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4325 if (offset < 0) 4326 goto out; 4327 4328 if (proto) 4329 *proto = nexthdr; 4330 4331 switch (nexthdr) { 4332 case IPPROTO_TCP: { 4333 struct tcphdr _tcph, *th; 4334 4335 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4336 if (th == NULL) 4337 break; 4338 4339 ad->u.net->sport = th->source; 4340 ad->u.net->dport = th->dest; 4341 break; 4342 } 4343 4344 case IPPROTO_UDP: { 4345 struct udphdr _udph, *uh; 4346 4347 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4348 if (uh == NULL) 4349 break; 4350 4351 ad->u.net->sport = uh->source; 4352 ad->u.net->dport = uh->dest; 4353 break; 4354 } 4355 4356 case IPPROTO_DCCP: { 4357 struct dccp_hdr _dccph, *dh; 4358 4359 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4360 if (dh == NULL) 4361 break; 4362 4363 ad->u.net->sport = dh->dccph_sport; 4364 ad->u.net->dport = dh->dccph_dport; 4365 break; 4366 } 4367 4368 #if IS_ENABLED(CONFIG_IP_SCTP) 4369 case IPPROTO_SCTP: { 4370 struct sctphdr _sctph, *sh; 4371 4372 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4373 if (sh == NULL) 4374 break; 4375 4376 ad->u.net->sport = sh->source; 4377 ad->u.net->dport = sh->dest; 4378 break; 4379 } 4380 #endif 4381 /* includes fragments */ 4382 default: 4383 break; 4384 } 4385 out: 4386 return ret; 4387 } 4388 4389 #endif /* IPV6 */ 4390 4391 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4392 char **_addrp, int src, u8 *proto) 4393 { 4394 char *addrp; 4395 int ret; 4396 4397 switch (ad->u.net->family) { 4398 case PF_INET: 4399 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4400 if (ret) 4401 goto parse_error; 4402 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4403 &ad->u.net->v4info.daddr); 4404 goto okay; 4405 4406 #if IS_ENABLED(CONFIG_IPV6) 4407 case PF_INET6: 4408 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4409 if (ret) 4410 goto parse_error; 4411 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4412 &ad->u.net->v6info.daddr); 4413 goto okay; 4414 #endif /* IPV6 */ 4415 default: 4416 addrp = NULL; 4417 goto okay; 4418 } 4419 4420 parse_error: 4421 printk(KERN_WARNING 4422 "SELinux: failure in selinux_parse_skb()," 4423 " unable to parse packet\n"); 4424 return ret; 4425 4426 okay: 4427 if (_addrp) 4428 *_addrp = addrp; 4429 return 0; 4430 } 4431 4432 /** 4433 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4434 * @skb: the packet 4435 * @family: protocol family 4436 * @sid: the packet's peer label SID 4437 * 4438 * Description: 4439 * Check the various different forms of network peer labeling and determine 4440 * the peer label/SID for the packet; most of the magic actually occurs in 4441 * the security server function security_net_peersid_cmp(). The function 4442 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4443 * or -EACCES if @sid is invalid due to inconsistencies with the different 4444 * peer labels. 4445 * 4446 */ 4447 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4448 { 4449 int err; 4450 u32 xfrm_sid; 4451 u32 nlbl_sid; 4452 u32 nlbl_type; 4453 4454 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4455 if (unlikely(err)) 4456 return -EACCES; 4457 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4458 if (unlikely(err)) 4459 return -EACCES; 4460 4461 err = security_net_peersid_resolve(&selinux_state, nlbl_sid, 4462 nlbl_type, xfrm_sid, sid); 4463 if (unlikely(err)) { 4464 printk(KERN_WARNING 4465 "SELinux: failure in selinux_skb_peerlbl_sid()," 4466 " unable to determine packet's peer label\n"); 4467 return -EACCES; 4468 } 4469 4470 return 0; 4471 } 4472 4473 /** 4474 * selinux_conn_sid - Determine the child socket label for a connection 4475 * @sk_sid: the parent socket's SID 4476 * @skb_sid: the packet's SID 4477 * @conn_sid: the resulting connection SID 4478 * 4479 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4480 * combined with the MLS information from @skb_sid in order to create 4481 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy 4482 * of @sk_sid. Returns zero on success, negative values on failure. 4483 * 4484 */ 4485 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4486 { 4487 int err = 0; 4488 4489 if (skb_sid != SECSID_NULL) 4490 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid, 4491 conn_sid); 4492 else 4493 *conn_sid = sk_sid; 4494 4495 return err; 4496 } 4497 4498 /* socket security operations */ 4499 4500 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4501 u16 secclass, u32 *socksid) 4502 { 4503 if (tsec->sockcreate_sid > SECSID_NULL) { 4504 *socksid = tsec->sockcreate_sid; 4505 return 0; 4506 } 4507 4508 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid, 4509 secclass, NULL, socksid); 4510 } 4511 4512 static int sock_has_perm(struct sock *sk, u32 perms) 4513 { 4514 struct sk_security_struct *sksec = sk->sk_security; 4515 struct common_audit_data ad; 4516 struct lsm_network_audit net = {0,}; 4517 4518 if (sksec->sid == SECINITSID_KERNEL) 4519 return 0; 4520 4521 ad.type = LSM_AUDIT_DATA_NET; 4522 ad.u.net = &net; 4523 ad.u.net->sk = sk; 4524 4525 return avc_has_perm(&selinux_state, 4526 current_sid(), sksec->sid, sksec->sclass, perms, 4527 &ad); 4528 } 4529 4530 static int selinux_socket_create(int family, int type, 4531 int protocol, int kern) 4532 { 4533 const struct task_security_struct *tsec = current_security(); 4534 u32 newsid; 4535 u16 secclass; 4536 int rc; 4537 4538 if (kern) 4539 return 0; 4540 4541 secclass = socket_type_to_security_class(family, type, protocol); 4542 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4543 if (rc) 4544 return rc; 4545 4546 return avc_has_perm(&selinux_state, 4547 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4548 } 4549 4550 static int selinux_socket_post_create(struct socket *sock, int family, 4551 int type, int protocol, int kern) 4552 { 4553 const struct task_security_struct *tsec = current_security(); 4554 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4555 struct sk_security_struct *sksec; 4556 u16 sclass = socket_type_to_security_class(family, type, protocol); 4557 u32 sid = SECINITSID_KERNEL; 4558 int err = 0; 4559 4560 if (!kern) { 4561 err = socket_sockcreate_sid(tsec, sclass, &sid); 4562 if (err) 4563 return err; 4564 } 4565 4566 isec->sclass = sclass; 4567 isec->sid = sid; 4568 isec->initialized = LABEL_INITIALIZED; 4569 4570 if (sock->sk) { 4571 sksec = sock->sk->sk_security; 4572 sksec->sclass = sclass; 4573 sksec->sid = sid; 4574 /* Allows detection of the first association on this socket */ 4575 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4576 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4577 4578 err = selinux_netlbl_socket_post_create(sock->sk, family); 4579 } 4580 4581 return err; 4582 } 4583 4584 /* Range of port numbers used to automatically bind. 4585 Need to determine whether we should perform a name_bind 4586 permission check between the socket and the port number. */ 4587 4588 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4589 { 4590 struct sock *sk = sock->sk; 4591 u16 family; 4592 int err; 4593 4594 err = sock_has_perm(sk, SOCKET__BIND); 4595 if (err) 4596 goto out; 4597 4598 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4599 family = sk->sk_family; 4600 if (family == PF_INET || family == PF_INET6) { 4601 char *addrp; 4602 struct sk_security_struct *sksec = sk->sk_security; 4603 struct common_audit_data ad; 4604 struct lsm_network_audit net = {0,}; 4605 struct sockaddr_in *addr4 = NULL; 4606 struct sockaddr_in6 *addr6 = NULL; 4607 unsigned short snum; 4608 u32 sid, node_perm; 4609 4610 /* 4611 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4612 * that validates multiple binding addresses. Because of this 4613 * need to check address->sa_family as it is possible to have 4614 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4615 */ 4616 switch (address->sa_family) { 4617 case AF_INET: 4618 if (addrlen < sizeof(struct sockaddr_in)) 4619 return -EINVAL; 4620 addr4 = (struct sockaddr_in *)address; 4621 snum = ntohs(addr4->sin_port); 4622 addrp = (char *)&addr4->sin_addr.s_addr; 4623 break; 4624 case AF_INET6: 4625 if (addrlen < SIN6_LEN_RFC2133) 4626 return -EINVAL; 4627 addr6 = (struct sockaddr_in6 *)address; 4628 snum = ntohs(addr6->sin6_port); 4629 addrp = (char *)&addr6->sin6_addr.s6_addr; 4630 break; 4631 default: 4632 /* Note that SCTP services expect -EINVAL, whereas 4633 * others expect -EAFNOSUPPORT. 4634 */ 4635 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4636 return -EINVAL; 4637 else 4638 return -EAFNOSUPPORT; 4639 } 4640 4641 if (snum) { 4642 int low, high; 4643 4644 inet_get_local_port_range(sock_net(sk), &low, &high); 4645 4646 if (snum < max(inet_prot_sock(sock_net(sk)), low) || 4647 snum > high) { 4648 err = sel_netport_sid(sk->sk_protocol, 4649 snum, &sid); 4650 if (err) 4651 goto out; 4652 ad.type = LSM_AUDIT_DATA_NET; 4653 ad.u.net = &net; 4654 ad.u.net->sport = htons(snum); 4655 ad.u.net->family = family; 4656 err = avc_has_perm(&selinux_state, 4657 sksec->sid, sid, 4658 sksec->sclass, 4659 SOCKET__NAME_BIND, &ad); 4660 if (err) 4661 goto out; 4662 } 4663 } 4664 4665 switch (sksec->sclass) { 4666 case SECCLASS_TCP_SOCKET: 4667 node_perm = TCP_SOCKET__NODE_BIND; 4668 break; 4669 4670 case SECCLASS_UDP_SOCKET: 4671 node_perm = UDP_SOCKET__NODE_BIND; 4672 break; 4673 4674 case SECCLASS_DCCP_SOCKET: 4675 node_perm = DCCP_SOCKET__NODE_BIND; 4676 break; 4677 4678 case SECCLASS_SCTP_SOCKET: 4679 node_perm = SCTP_SOCKET__NODE_BIND; 4680 break; 4681 4682 default: 4683 node_perm = RAWIP_SOCKET__NODE_BIND; 4684 break; 4685 } 4686 4687 err = sel_netnode_sid(addrp, family, &sid); 4688 if (err) 4689 goto out; 4690 4691 ad.type = LSM_AUDIT_DATA_NET; 4692 ad.u.net = &net; 4693 ad.u.net->sport = htons(snum); 4694 ad.u.net->family = family; 4695 4696 if (address->sa_family == AF_INET) 4697 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4698 else 4699 ad.u.net->v6info.saddr = addr6->sin6_addr; 4700 4701 err = avc_has_perm(&selinux_state, 4702 sksec->sid, sid, 4703 sksec->sclass, node_perm, &ad); 4704 if (err) 4705 goto out; 4706 } 4707 out: 4708 return err; 4709 } 4710 4711 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 4712 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.txt 4713 */ 4714 static int selinux_socket_connect_helper(struct socket *sock, 4715 struct sockaddr *address, int addrlen) 4716 { 4717 struct sock *sk = sock->sk; 4718 struct sk_security_struct *sksec = sk->sk_security; 4719 int err; 4720 4721 err = sock_has_perm(sk, SOCKET__CONNECT); 4722 if (err) 4723 return err; 4724 4725 /* 4726 * If a TCP, DCCP or SCTP socket, check name_connect permission 4727 * for the port. 4728 */ 4729 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4730 sksec->sclass == SECCLASS_DCCP_SOCKET || 4731 sksec->sclass == SECCLASS_SCTP_SOCKET) { 4732 struct common_audit_data ad; 4733 struct lsm_network_audit net = {0,}; 4734 struct sockaddr_in *addr4 = NULL; 4735 struct sockaddr_in6 *addr6 = NULL; 4736 unsigned short snum; 4737 u32 sid, perm; 4738 4739 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 4740 * that validates multiple connect addresses. Because of this 4741 * need to check address->sa_family as it is possible to have 4742 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4743 */ 4744 switch (address->sa_family) { 4745 case AF_INET: 4746 addr4 = (struct sockaddr_in *)address; 4747 if (addrlen < sizeof(struct sockaddr_in)) 4748 return -EINVAL; 4749 snum = ntohs(addr4->sin_port); 4750 break; 4751 case AF_INET6: 4752 addr6 = (struct sockaddr_in6 *)address; 4753 if (addrlen < SIN6_LEN_RFC2133) 4754 return -EINVAL; 4755 snum = ntohs(addr6->sin6_port); 4756 break; 4757 default: 4758 /* Note that SCTP services expect -EINVAL, whereas 4759 * others expect -EAFNOSUPPORT. 4760 */ 4761 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4762 return -EINVAL; 4763 else 4764 return -EAFNOSUPPORT; 4765 } 4766 4767 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4768 if (err) 4769 return err; 4770 4771 switch (sksec->sclass) { 4772 case SECCLASS_TCP_SOCKET: 4773 perm = TCP_SOCKET__NAME_CONNECT; 4774 break; 4775 case SECCLASS_DCCP_SOCKET: 4776 perm = DCCP_SOCKET__NAME_CONNECT; 4777 break; 4778 case SECCLASS_SCTP_SOCKET: 4779 perm = SCTP_SOCKET__NAME_CONNECT; 4780 break; 4781 } 4782 4783 ad.type = LSM_AUDIT_DATA_NET; 4784 ad.u.net = &net; 4785 ad.u.net->dport = htons(snum); 4786 ad.u.net->family = sk->sk_family; 4787 err = avc_has_perm(&selinux_state, 4788 sksec->sid, sid, sksec->sclass, perm, &ad); 4789 if (err) 4790 return err; 4791 } 4792 4793 return 0; 4794 } 4795 4796 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 4797 static int selinux_socket_connect(struct socket *sock, 4798 struct sockaddr *address, int addrlen) 4799 { 4800 int err; 4801 struct sock *sk = sock->sk; 4802 4803 err = selinux_socket_connect_helper(sock, address, addrlen); 4804 if (err) 4805 return err; 4806 4807 return selinux_netlbl_socket_connect(sk, address); 4808 } 4809 4810 static int selinux_socket_listen(struct socket *sock, int backlog) 4811 { 4812 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4813 } 4814 4815 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4816 { 4817 int err; 4818 struct inode_security_struct *isec; 4819 struct inode_security_struct *newisec; 4820 u16 sclass; 4821 u32 sid; 4822 4823 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4824 if (err) 4825 return err; 4826 4827 isec = inode_security_novalidate(SOCK_INODE(sock)); 4828 spin_lock(&isec->lock); 4829 sclass = isec->sclass; 4830 sid = isec->sid; 4831 spin_unlock(&isec->lock); 4832 4833 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4834 newisec->sclass = sclass; 4835 newisec->sid = sid; 4836 newisec->initialized = LABEL_INITIALIZED; 4837 4838 return 0; 4839 } 4840 4841 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4842 int size) 4843 { 4844 return sock_has_perm(sock->sk, SOCKET__WRITE); 4845 } 4846 4847 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4848 int size, int flags) 4849 { 4850 return sock_has_perm(sock->sk, SOCKET__READ); 4851 } 4852 4853 static int selinux_socket_getsockname(struct socket *sock) 4854 { 4855 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4856 } 4857 4858 static int selinux_socket_getpeername(struct socket *sock) 4859 { 4860 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4861 } 4862 4863 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4864 { 4865 int err; 4866 4867 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 4868 if (err) 4869 return err; 4870 4871 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4872 } 4873 4874 static int selinux_socket_getsockopt(struct socket *sock, int level, 4875 int optname) 4876 { 4877 return sock_has_perm(sock->sk, SOCKET__GETOPT); 4878 } 4879 4880 static int selinux_socket_shutdown(struct socket *sock, int how) 4881 { 4882 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 4883 } 4884 4885 static int selinux_socket_unix_stream_connect(struct sock *sock, 4886 struct sock *other, 4887 struct sock *newsk) 4888 { 4889 struct sk_security_struct *sksec_sock = sock->sk_security; 4890 struct sk_security_struct *sksec_other = other->sk_security; 4891 struct sk_security_struct *sksec_new = newsk->sk_security; 4892 struct common_audit_data ad; 4893 struct lsm_network_audit net = {0,}; 4894 int err; 4895 4896 ad.type = LSM_AUDIT_DATA_NET; 4897 ad.u.net = &net; 4898 ad.u.net->sk = other; 4899 4900 err = avc_has_perm(&selinux_state, 4901 sksec_sock->sid, sksec_other->sid, 4902 sksec_other->sclass, 4903 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4904 if (err) 4905 return err; 4906 4907 /* server child socket */ 4908 sksec_new->peer_sid = sksec_sock->sid; 4909 err = security_sid_mls_copy(&selinux_state, sksec_other->sid, 4910 sksec_sock->sid, &sksec_new->sid); 4911 if (err) 4912 return err; 4913 4914 /* connecting socket */ 4915 sksec_sock->peer_sid = sksec_new->sid; 4916 4917 return 0; 4918 } 4919 4920 static int selinux_socket_unix_may_send(struct socket *sock, 4921 struct socket *other) 4922 { 4923 struct sk_security_struct *ssec = sock->sk->sk_security; 4924 struct sk_security_struct *osec = other->sk->sk_security; 4925 struct common_audit_data ad; 4926 struct lsm_network_audit net = {0,}; 4927 4928 ad.type = LSM_AUDIT_DATA_NET; 4929 ad.u.net = &net; 4930 ad.u.net->sk = other->sk; 4931 4932 return avc_has_perm(&selinux_state, 4933 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4934 &ad); 4935 } 4936 4937 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4938 char *addrp, u16 family, u32 peer_sid, 4939 struct common_audit_data *ad) 4940 { 4941 int err; 4942 u32 if_sid; 4943 u32 node_sid; 4944 4945 err = sel_netif_sid(ns, ifindex, &if_sid); 4946 if (err) 4947 return err; 4948 err = avc_has_perm(&selinux_state, 4949 peer_sid, if_sid, 4950 SECCLASS_NETIF, NETIF__INGRESS, ad); 4951 if (err) 4952 return err; 4953 4954 err = sel_netnode_sid(addrp, family, &node_sid); 4955 if (err) 4956 return err; 4957 return avc_has_perm(&selinux_state, 4958 peer_sid, node_sid, 4959 SECCLASS_NODE, NODE__RECVFROM, ad); 4960 } 4961 4962 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4963 u16 family) 4964 { 4965 int err = 0; 4966 struct sk_security_struct *sksec = sk->sk_security; 4967 u32 sk_sid = sksec->sid; 4968 struct common_audit_data ad; 4969 struct lsm_network_audit net = {0,}; 4970 char *addrp; 4971 4972 ad.type = LSM_AUDIT_DATA_NET; 4973 ad.u.net = &net; 4974 ad.u.net->netif = skb->skb_iif; 4975 ad.u.net->family = family; 4976 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4977 if (err) 4978 return err; 4979 4980 if (selinux_secmark_enabled()) { 4981 err = avc_has_perm(&selinux_state, 4982 sk_sid, skb->secmark, SECCLASS_PACKET, 4983 PACKET__RECV, &ad); 4984 if (err) 4985 return err; 4986 } 4987 4988 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4989 if (err) 4990 return err; 4991 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4992 4993 return err; 4994 } 4995 4996 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4997 { 4998 int err; 4999 struct sk_security_struct *sksec = sk->sk_security; 5000 u16 family = sk->sk_family; 5001 u32 sk_sid = sksec->sid; 5002 struct common_audit_data ad; 5003 struct lsm_network_audit net = {0,}; 5004 char *addrp; 5005 u8 secmark_active; 5006 u8 peerlbl_active; 5007 5008 if (family != PF_INET && family != PF_INET6) 5009 return 0; 5010 5011 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5012 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5013 family = PF_INET; 5014 5015 /* If any sort of compatibility mode is enabled then handoff processing 5016 * to the selinux_sock_rcv_skb_compat() function to deal with the 5017 * special handling. We do this in an attempt to keep this function 5018 * as fast and as clean as possible. */ 5019 if (!selinux_policycap_netpeer()) 5020 return selinux_sock_rcv_skb_compat(sk, skb, family); 5021 5022 secmark_active = selinux_secmark_enabled(); 5023 peerlbl_active = selinux_peerlbl_enabled(); 5024 if (!secmark_active && !peerlbl_active) 5025 return 0; 5026 5027 ad.type = LSM_AUDIT_DATA_NET; 5028 ad.u.net = &net; 5029 ad.u.net->netif = skb->skb_iif; 5030 ad.u.net->family = family; 5031 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5032 if (err) 5033 return err; 5034 5035 if (peerlbl_active) { 5036 u32 peer_sid; 5037 5038 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5039 if (err) 5040 return err; 5041 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5042 addrp, family, peer_sid, &ad); 5043 if (err) { 5044 selinux_netlbl_err(skb, family, err, 0); 5045 return err; 5046 } 5047 err = avc_has_perm(&selinux_state, 5048 sk_sid, peer_sid, SECCLASS_PEER, 5049 PEER__RECV, &ad); 5050 if (err) { 5051 selinux_netlbl_err(skb, family, err, 0); 5052 return err; 5053 } 5054 } 5055 5056 if (secmark_active) { 5057 err = avc_has_perm(&selinux_state, 5058 sk_sid, skb->secmark, SECCLASS_PACKET, 5059 PACKET__RECV, &ad); 5060 if (err) 5061 return err; 5062 } 5063 5064 return err; 5065 } 5066 5067 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 5068 int __user *optlen, unsigned len) 5069 { 5070 int err = 0; 5071 char *scontext; 5072 u32 scontext_len; 5073 struct sk_security_struct *sksec = sock->sk->sk_security; 5074 u32 peer_sid = SECSID_NULL; 5075 5076 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5077 sksec->sclass == SECCLASS_TCP_SOCKET || 5078 sksec->sclass == SECCLASS_SCTP_SOCKET) 5079 peer_sid = sksec->peer_sid; 5080 if (peer_sid == SECSID_NULL) 5081 return -ENOPROTOOPT; 5082 5083 err = security_sid_to_context(&selinux_state, peer_sid, &scontext, 5084 &scontext_len); 5085 if (err) 5086 return err; 5087 5088 if (scontext_len > len) { 5089 err = -ERANGE; 5090 goto out_len; 5091 } 5092 5093 if (copy_to_user(optval, scontext, scontext_len)) 5094 err = -EFAULT; 5095 5096 out_len: 5097 if (put_user(scontext_len, optlen)) 5098 err = -EFAULT; 5099 kfree(scontext); 5100 return err; 5101 } 5102 5103 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 5104 { 5105 u32 peer_secid = SECSID_NULL; 5106 u16 family; 5107 struct inode_security_struct *isec; 5108 5109 if (skb && skb->protocol == htons(ETH_P_IP)) 5110 family = PF_INET; 5111 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5112 family = PF_INET6; 5113 else if (sock) 5114 family = sock->sk->sk_family; 5115 else 5116 goto out; 5117 5118 if (sock && family == PF_UNIX) { 5119 isec = inode_security_novalidate(SOCK_INODE(sock)); 5120 peer_secid = isec->sid; 5121 } else if (skb) 5122 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5123 5124 out: 5125 *secid = peer_secid; 5126 if (peer_secid == SECSID_NULL) 5127 return -EINVAL; 5128 return 0; 5129 } 5130 5131 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5132 { 5133 struct sk_security_struct *sksec; 5134 5135 sksec = kzalloc(sizeof(*sksec), priority); 5136 if (!sksec) 5137 return -ENOMEM; 5138 5139 sksec->peer_sid = SECINITSID_UNLABELED; 5140 sksec->sid = SECINITSID_UNLABELED; 5141 sksec->sclass = SECCLASS_SOCKET; 5142 selinux_netlbl_sk_security_reset(sksec); 5143 sk->sk_security = sksec; 5144 5145 return 0; 5146 } 5147 5148 static void selinux_sk_free_security(struct sock *sk) 5149 { 5150 struct sk_security_struct *sksec = sk->sk_security; 5151 5152 sk->sk_security = NULL; 5153 selinux_netlbl_sk_security_free(sksec); 5154 kfree(sksec); 5155 } 5156 5157 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5158 { 5159 struct sk_security_struct *sksec = sk->sk_security; 5160 struct sk_security_struct *newsksec = newsk->sk_security; 5161 5162 newsksec->sid = sksec->sid; 5163 newsksec->peer_sid = sksec->peer_sid; 5164 newsksec->sclass = sksec->sclass; 5165 5166 selinux_netlbl_sk_security_reset(newsksec); 5167 } 5168 5169 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 5170 { 5171 if (!sk) 5172 *secid = SECINITSID_ANY_SOCKET; 5173 else { 5174 struct sk_security_struct *sksec = sk->sk_security; 5175 5176 *secid = sksec->sid; 5177 } 5178 } 5179 5180 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5181 { 5182 struct inode_security_struct *isec = 5183 inode_security_novalidate(SOCK_INODE(parent)); 5184 struct sk_security_struct *sksec = sk->sk_security; 5185 5186 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5187 sk->sk_family == PF_UNIX) 5188 isec->sid = sksec->sid; 5189 sksec->sclass = isec->sclass; 5190 } 5191 5192 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming 5193 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association 5194 * already present). 5195 */ 5196 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep, 5197 struct sk_buff *skb) 5198 { 5199 struct sk_security_struct *sksec = ep->base.sk->sk_security; 5200 struct common_audit_data ad; 5201 struct lsm_network_audit net = {0,}; 5202 u8 peerlbl_active; 5203 u32 peer_sid = SECINITSID_UNLABELED; 5204 u32 conn_sid; 5205 int err = 0; 5206 5207 if (!selinux_policycap_extsockclass()) 5208 return 0; 5209 5210 peerlbl_active = selinux_peerlbl_enabled(); 5211 5212 if (peerlbl_active) { 5213 /* This will return peer_sid = SECSID_NULL if there are 5214 * no peer labels, see security_net_peersid_resolve(). 5215 */ 5216 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family, 5217 &peer_sid); 5218 if (err) 5219 return err; 5220 5221 if (peer_sid == SECSID_NULL) 5222 peer_sid = SECINITSID_UNLABELED; 5223 } 5224 5225 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5226 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5227 5228 /* Here as first association on socket. As the peer SID 5229 * was allowed by peer recv (and the netif/node checks), 5230 * then it is approved by policy and used as the primary 5231 * peer SID for getpeercon(3). 5232 */ 5233 sksec->peer_sid = peer_sid; 5234 } else if (sksec->peer_sid != peer_sid) { 5235 /* Other association peer SIDs are checked to enforce 5236 * consistency among the peer SIDs. 5237 */ 5238 ad.type = LSM_AUDIT_DATA_NET; 5239 ad.u.net = &net; 5240 ad.u.net->sk = ep->base.sk; 5241 err = avc_has_perm(&selinux_state, 5242 sksec->peer_sid, peer_sid, sksec->sclass, 5243 SCTP_SOCKET__ASSOCIATION, &ad); 5244 if (err) 5245 return err; 5246 } 5247 5248 /* Compute the MLS component for the connection and store 5249 * the information in ep. This will be used by SCTP TCP type 5250 * sockets and peeled off connections as they cause a new 5251 * socket to be generated. selinux_sctp_sk_clone() will then 5252 * plug this into the new socket. 5253 */ 5254 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid); 5255 if (err) 5256 return err; 5257 5258 ep->secid = conn_sid; 5259 ep->peer_secid = peer_sid; 5260 5261 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5262 return selinux_netlbl_sctp_assoc_request(ep, skb); 5263 } 5264 5265 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5266 * based on their @optname. 5267 */ 5268 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5269 struct sockaddr *address, 5270 int addrlen) 5271 { 5272 int len, err = 0, walk_size = 0; 5273 void *addr_buf; 5274 struct sockaddr *addr; 5275 struct socket *sock; 5276 5277 if (!selinux_policycap_extsockclass()) 5278 return 0; 5279 5280 /* Process one or more addresses that may be IPv4 or IPv6 */ 5281 sock = sk->sk_socket; 5282 addr_buf = address; 5283 5284 while (walk_size < addrlen) { 5285 addr = addr_buf; 5286 switch (addr->sa_family) { 5287 case AF_INET: 5288 len = sizeof(struct sockaddr_in); 5289 break; 5290 case AF_INET6: 5291 len = sizeof(struct sockaddr_in6); 5292 break; 5293 default: 5294 return -EAFNOSUPPORT; 5295 } 5296 5297 err = -EINVAL; 5298 switch (optname) { 5299 /* Bind checks */ 5300 case SCTP_PRIMARY_ADDR: 5301 case SCTP_SET_PEER_PRIMARY_ADDR: 5302 case SCTP_SOCKOPT_BINDX_ADD: 5303 err = selinux_socket_bind(sock, addr, len); 5304 break; 5305 /* Connect checks */ 5306 case SCTP_SOCKOPT_CONNECTX: 5307 case SCTP_PARAM_SET_PRIMARY: 5308 case SCTP_PARAM_ADD_IP: 5309 case SCTP_SENDMSG_CONNECT: 5310 err = selinux_socket_connect_helper(sock, addr, len); 5311 if (err) 5312 return err; 5313 5314 /* As selinux_sctp_bind_connect() is called by the 5315 * SCTP protocol layer, the socket is already locked, 5316 * therefore selinux_netlbl_socket_connect_locked() is 5317 * is called here. The situations handled are: 5318 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5319 * whenever a new IP address is added or when a new 5320 * primary address is selected. 5321 * Note that an SCTP connect(2) call happens before 5322 * the SCTP protocol layer and is handled via 5323 * selinux_socket_connect(). 5324 */ 5325 err = selinux_netlbl_socket_connect_locked(sk, addr); 5326 break; 5327 } 5328 5329 if (err) 5330 return err; 5331 5332 addr_buf += len; 5333 walk_size += len; 5334 } 5335 5336 return 0; 5337 } 5338 5339 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5340 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, 5341 struct sock *newsk) 5342 { 5343 struct sk_security_struct *sksec = sk->sk_security; 5344 struct sk_security_struct *newsksec = newsk->sk_security; 5345 5346 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5347 * the non-sctp clone version. 5348 */ 5349 if (!selinux_policycap_extsockclass()) 5350 return selinux_sk_clone_security(sk, newsk); 5351 5352 newsksec->sid = ep->secid; 5353 newsksec->peer_sid = ep->peer_secid; 5354 newsksec->sclass = sksec->sclass; 5355 selinux_netlbl_sctp_sk_clone(sk, newsk); 5356 } 5357 5358 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 5359 struct request_sock *req) 5360 { 5361 struct sk_security_struct *sksec = sk->sk_security; 5362 int err; 5363 u16 family = req->rsk_ops->family; 5364 u32 connsid; 5365 u32 peersid; 5366 5367 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5368 if (err) 5369 return err; 5370 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5371 if (err) 5372 return err; 5373 req->secid = connsid; 5374 req->peer_secid = peersid; 5375 5376 return selinux_netlbl_inet_conn_request(req, family); 5377 } 5378 5379 static void selinux_inet_csk_clone(struct sock *newsk, 5380 const struct request_sock *req) 5381 { 5382 struct sk_security_struct *newsksec = newsk->sk_security; 5383 5384 newsksec->sid = req->secid; 5385 newsksec->peer_sid = req->peer_secid; 5386 /* NOTE: Ideally, we should also get the isec->sid for the 5387 new socket in sync, but we don't have the isec available yet. 5388 So we will wait until sock_graft to do it, by which 5389 time it will have been created and available. */ 5390 5391 /* We don't need to take any sort of lock here as we are the only 5392 * thread with access to newsksec */ 5393 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5394 } 5395 5396 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5397 { 5398 u16 family = sk->sk_family; 5399 struct sk_security_struct *sksec = sk->sk_security; 5400 5401 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5402 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5403 family = PF_INET; 5404 5405 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5406 } 5407 5408 static int selinux_secmark_relabel_packet(u32 sid) 5409 { 5410 const struct task_security_struct *__tsec; 5411 u32 tsid; 5412 5413 __tsec = current_security(); 5414 tsid = __tsec->sid; 5415 5416 return avc_has_perm(&selinux_state, 5417 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, 5418 NULL); 5419 } 5420 5421 static void selinux_secmark_refcount_inc(void) 5422 { 5423 atomic_inc(&selinux_secmark_refcount); 5424 } 5425 5426 static void selinux_secmark_refcount_dec(void) 5427 { 5428 atomic_dec(&selinux_secmark_refcount); 5429 } 5430 5431 static void selinux_req_classify_flow(const struct request_sock *req, 5432 struct flowi *fl) 5433 { 5434 fl->flowi_secid = req->secid; 5435 } 5436 5437 static int selinux_tun_dev_alloc_security(void **security) 5438 { 5439 struct tun_security_struct *tunsec; 5440 5441 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5442 if (!tunsec) 5443 return -ENOMEM; 5444 tunsec->sid = current_sid(); 5445 5446 *security = tunsec; 5447 return 0; 5448 } 5449 5450 static void selinux_tun_dev_free_security(void *security) 5451 { 5452 kfree(security); 5453 } 5454 5455 static int selinux_tun_dev_create(void) 5456 { 5457 u32 sid = current_sid(); 5458 5459 /* we aren't taking into account the "sockcreate" SID since the socket 5460 * that is being created here is not a socket in the traditional sense, 5461 * instead it is a private sock, accessible only to the kernel, and 5462 * representing a wide range of network traffic spanning multiple 5463 * connections unlike traditional sockets - check the TUN driver to 5464 * get a better understanding of why this socket is special */ 5465 5466 return avc_has_perm(&selinux_state, 5467 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5468 NULL); 5469 } 5470 5471 static int selinux_tun_dev_attach_queue(void *security) 5472 { 5473 struct tun_security_struct *tunsec = security; 5474 5475 return avc_has_perm(&selinux_state, 5476 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5477 TUN_SOCKET__ATTACH_QUEUE, NULL); 5478 } 5479 5480 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5481 { 5482 struct tun_security_struct *tunsec = security; 5483 struct sk_security_struct *sksec = sk->sk_security; 5484 5485 /* we don't currently perform any NetLabel based labeling here and it 5486 * isn't clear that we would want to do so anyway; while we could apply 5487 * labeling without the support of the TUN user the resulting labeled 5488 * traffic from the other end of the connection would almost certainly 5489 * cause confusion to the TUN user that had no idea network labeling 5490 * protocols were being used */ 5491 5492 sksec->sid = tunsec->sid; 5493 sksec->sclass = SECCLASS_TUN_SOCKET; 5494 5495 return 0; 5496 } 5497 5498 static int selinux_tun_dev_open(void *security) 5499 { 5500 struct tun_security_struct *tunsec = security; 5501 u32 sid = current_sid(); 5502 int err; 5503 5504 err = avc_has_perm(&selinux_state, 5505 sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5506 TUN_SOCKET__RELABELFROM, NULL); 5507 if (err) 5508 return err; 5509 err = avc_has_perm(&selinux_state, 5510 sid, sid, SECCLASS_TUN_SOCKET, 5511 TUN_SOCKET__RELABELTO, NULL); 5512 if (err) 5513 return err; 5514 tunsec->sid = sid; 5515 5516 return 0; 5517 } 5518 5519 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 5520 { 5521 int err = 0; 5522 u32 perm; 5523 struct nlmsghdr *nlh; 5524 struct sk_security_struct *sksec = sk->sk_security; 5525 5526 if (skb->len < NLMSG_HDRLEN) { 5527 err = -EINVAL; 5528 goto out; 5529 } 5530 nlh = nlmsg_hdr(skb); 5531 5532 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 5533 if (err) { 5534 if (err == -EINVAL) { 5535 pr_warn_ratelimited("SELinux: unrecognized netlink" 5536 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 5537 " pig=%d comm=%s\n", 5538 sk->sk_protocol, nlh->nlmsg_type, 5539 secclass_map[sksec->sclass - 1].name, 5540 task_pid_nr(current), current->comm); 5541 if (!enforcing_enabled(&selinux_state) || 5542 security_get_allow_unknown(&selinux_state)) 5543 err = 0; 5544 } 5545 5546 /* Ignore */ 5547 if (err == -ENOENT) 5548 err = 0; 5549 goto out; 5550 } 5551 5552 err = sock_has_perm(sk, perm); 5553 out: 5554 return err; 5555 } 5556 5557 #ifdef CONFIG_NETFILTER 5558 5559 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5560 const struct net_device *indev, 5561 u16 family) 5562 { 5563 int err; 5564 char *addrp; 5565 u32 peer_sid; 5566 struct common_audit_data ad; 5567 struct lsm_network_audit net = {0,}; 5568 u8 secmark_active; 5569 u8 netlbl_active; 5570 u8 peerlbl_active; 5571 5572 if (!selinux_policycap_netpeer()) 5573 return NF_ACCEPT; 5574 5575 secmark_active = selinux_secmark_enabled(); 5576 netlbl_active = netlbl_enabled(); 5577 peerlbl_active = selinux_peerlbl_enabled(); 5578 if (!secmark_active && !peerlbl_active) 5579 return NF_ACCEPT; 5580 5581 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5582 return NF_DROP; 5583 5584 ad.type = LSM_AUDIT_DATA_NET; 5585 ad.u.net = &net; 5586 ad.u.net->netif = indev->ifindex; 5587 ad.u.net->family = family; 5588 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5589 return NF_DROP; 5590 5591 if (peerlbl_active) { 5592 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5593 addrp, family, peer_sid, &ad); 5594 if (err) { 5595 selinux_netlbl_err(skb, family, err, 1); 5596 return NF_DROP; 5597 } 5598 } 5599 5600 if (secmark_active) 5601 if (avc_has_perm(&selinux_state, 5602 peer_sid, skb->secmark, 5603 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5604 return NF_DROP; 5605 5606 if (netlbl_active) 5607 /* we do this in the FORWARD path and not the POST_ROUTING 5608 * path because we want to make sure we apply the necessary 5609 * labeling before IPsec is applied so we can leverage AH 5610 * protection */ 5611 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5612 return NF_DROP; 5613 5614 return NF_ACCEPT; 5615 } 5616 5617 static unsigned int selinux_ipv4_forward(void *priv, 5618 struct sk_buff *skb, 5619 const struct nf_hook_state *state) 5620 { 5621 return selinux_ip_forward(skb, state->in, PF_INET); 5622 } 5623 5624 #if IS_ENABLED(CONFIG_IPV6) 5625 static unsigned int selinux_ipv6_forward(void *priv, 5626 struct sk_buff *skb, 5627 const struct nf_hook_state *state) 5628 { 5629 return selinux_ip_forward(skb, state->in, PF_INET6); 5630 } 5631 #endif /* IPV6 */ 5632 5633 static unsigned int selinux_ip_output(struct sk_buff *skb, 5634 u16 family) 5635 { 5636 struct sock *sk; 5637 u32 sid; 5638 5639 if (!netlbl_enabled()) 5640 return NF_ACCEPT; 5641 5642 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5643 * because we want to make sure we apply the necessary labeling 5644 * before IPsec is applied so we can leverage AH protection */ 5645 sk = skb->sk; 5646 if (sk) { 5647 struct sk_security_struct *sksec; 5648 5649 if (sk_listener(sk)) 5650 /* if the socket is the listening state then this 5651 * packet is a SYN-ACK packet which means it needs to 5652 * be labeled based on the connection/request_sock and 5653 * not the parent socket. unfortunately, we can't 5654 * lookup the request_sock yet as it isn't queued on 5655 * the parent socket until after the SYN-ACK is sent. 5656 * the "solution" is to simply pass the packet as-is 5657 * as any IP option based labeling should be copied 5658 * from the initial connection request (in the IP 5659 * layer). it is far from ideal, but until we get a 5660 * security label in the packet itself this is the 5661 * best we can do. */ 5662 return NF_ACCEPT; 5663 5664 /* standard practice, label using the parent socket */ 5665 sksec = sk->sk_security; 5666 sid = sksec->sid; 5667 } else 5668 sid = SECINITSID_KERNEL; 5669 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5670 return NF_DROP; 5671 5672 return NF_ACCEPT; 5673 } 5674 5675 static unsigned int selinux_ipv4_output(void *priv, 5676 struct sk_buff *skb, 5677 const struct nf_hook_state *state) 5678 { 5679 return selinux_ip_output(skb, PF_INET); 5680 } 5681 5682 #if IS_ENABLED(CONFIG_IPV6) 5683 static unsigned int selinux_ipv6_output(void *priv, 5684 struct sk_buff *skb, 5685 const struct nf_hook_state *state) 5686 { 5687 return selinux_ip_output(skb, PF_INET6); 5688 } 5689 #endif /* IPV6 */ 5690 5691 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5692 int ifindex, 5693 u16 family) 5694 { 5695 struct sock *sk = skb_to_full_sk(skb); 5696 struct sk_security_struct *sksec; 5697 struct common_audit_data ad; 5698 struct lsm_network_audit net = {0,}; 5699 char *addrp; 5700 u8 proto; 5701 5702 if (sk == NULL) 5703 return NF_ACCEPT; 5704 sksec = sk->sk_security; 5705 5706 ad.type = LSM_AUDIT_DATA_NET; 5707 ad.u.net = &net; 5708 ad.u.net->netif = ifindex; 5709 ad.u.net->family = family; 5710 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5711 return NF_DROP; 5712 5713 if (selinux_secmark_enabled()) 5714 if (avc_has_perm(&selinux_state, 5715 sksec->sid, skb->secmark, 5716 SECCLASS_PACKET, PACKET__SEND, &ad)) 5717 return NF_DROP_ERR(-ECONNREFUSED); 5718 5719 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5720 return NF_DROP_ERR(-ECONNREFUSED); 5721 5722 return NF_ACCEPT; 5723 } 5724 5725 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5726 const struct net_device *outdev, 5727 u16 family) 5728 { 5729 u32 secmark_perm; 5730 u32 peer_sid; 5731 int ifindex = outdev->ifindex; 5732 struct sock *sk; 5733 struct common_audit_data ad; 5734 struct lsm_network_audit net = {0,}; 5735 char *addrp; 5736 u8 secmark_active; 5737 u8 peerlbl_active; 5738 5739 /* If any sort of compatibility mode is enabled then handoff processing 5740 * to the selinux_ip_postroute_compat() function to deal with the 5741 * special handling. We do this in an attempt to keep this function 5742 * as fast and as clean as possible. */ 5743 if (!selinux_policycap_netpeer()) 5744 return selinux_ip_postroute_compat(skb, ifindex, family); 5745 5746 secmark_active = selinux_secmark_enabled(); 5747 peerlbl_active = selinux_peerlbl_enabled(); 5748 if (!secmark_active && !peerlbl_active) 5749 return NF_ACCEPT; 5750 5751 sk = skb_to_full_sk(skb); 5752 5753 #ifdef CONFIG_XFRM 5754 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5755 * packet transformation so allow the packet to pass without any checks 5756 * since we'll have another chance to perform access control checks 5757 * when the packet is on it's final way out. 5758 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5759 * is NULL, in this case go ahead and apply access control. 5760 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5761 * TCP listening state we cannot wait until the XFRM processing 5762 * is done as we will miss out on the SA label if we do; 5763 * unfortunately, this means more work, but it is only once per 5764 * connection. */ 5765 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5766 !(sk && sk_listener(sk))) 5767 return NF_ACCEPT; 5768 #endif 5769 5770 if (sk == NULL) { 5771 /* Without an associated socket the packet is either coming 5772 * from the kernel or it is being forwarded; check the packet 5773 * to determine which and if the packet is being forwarded 5774 * query the packet directly to determine the security label. */ 5775 if (skb->skb_iif) { 5776 secmark_perm = PACKET__FORWARD_OUT; 5777 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5778 return NF_DROP; 5779 } else { 5780 secmark_perm = PACKET__SEND; 5781 peer_sid = SECINITSID_KERNEL; 5782 } 5783 } else if (sk_listener(sk)) { 5784 /* Locally generated packet but the associated socket is in the 5785 * listening state which means this is a SYN-ACK packet. In 5786 * this particular case the correct security label is assigned 5787 * to the connection/request_sock but unfortunately we can't 5788 * query the request_sock as it isn't queued on the parent 5789 * socket until after the SYN-ACK packet is sent; the only 5790 * viable choice is to regenerate the label like we do in 5791 * selinux_inet_conn_request(). See also selinux_ip_output() 5792 * for similar problems. */ 5793 u32 skb_sid; 5794 struct sk_security_struct *sksec; 5795 5796 sksec = sk->sk_security; 5797 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5798 return NF_DROP; 5799 /* At this point, if the returned skb peerlbl is SECSID_NULL 5800 * and the packet has been through at least one XFRM 5801 * transformation then we must be dealing with the "final" 5802 * form of labeled IPsec packet; since we've already applied 5803 * all of our access controls on this packet we can safely 5804 * pass the packet. */ 5805 if (skb_sid == SECSID_NULL) { 5806 switch (family) { 5807 case PF_INET: 5808 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5809 return NF_ACCEPT; 5810 break; 5811 case PF_INET6: 5812 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5813 return NF_ACCEPT; 5814 break; 5815 default: 5816 return NF_DROP_ERR(-ECONNREFUSED); 5817 } 5818 } 5819 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5820 return NF_DROP; 5821 secmark_perm = PACKET__SEND; 5822 } else { 5823 /* Locally generated packet, fetch the security label from the 5824 * associated socket. */ 5825 struct sk_security_struct *sksec = sk->sk_security; 5826 peer_sid = sksec->sid; 5827 secmark_perm = PACKET__SEND; 5828 } 5829 5830 ad.type = LSM_AUDIT_DATA_NET; 5831 ad.u.net = &net; 5832 ad.u.net->netif = ifindex; 5833 ad.u.net->family = family; 5834 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5835 return NF_DROP; 5836 5837 if (secmark_active) 5838 if (avc_has_perm(&selinux_state, 5839 peer_sid, skb->secmark, 5840 SECCLASS_PACKET, secmark_perm, &ad)) 5841 return NF_DROP_ERR(-ECONNREFUSED); 5842 5843 if (peerlbl_active) { 5844 u32 if_sid; 5845 u32 node_sid; 5846 5847 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5848 return NF_DROP; 5849 if (avc_has_perm(&selinux_state, 5850 peer_sid, if_sid, 5851 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5852 return NF_DROP_ERR(-ECONNREFUSED); 5853 5854 if (sel_netnode_sid(addrp, family, &node_sid)) 5855 return NF_DROP; 5856 if (avc_has_perm(&selinux_state, 5857 peer_sid, node_sid, 5858 SECCLASS_NODE, NODE__SENDTO, &ad)) 5859 return NF_DROP_ERR(-ECONNREFUSED); 5860 } 5861 5862 return NF_ACCEPT; 5863 } 5864 5865 static unsigned int selinux_ipv4_postroute(void *priv, 5866 struct sk_buff *skb, 5867 const struct nf_hook_state *state) 5868 { 5869 return selinux_ip_postroute(skb, state->out, PF_INET); 5870 } 5871 5872 #if IS_ENABLED(CONFIG_IPV6) 5873 static unsigned int selinux_ipv6_postroute(void *priv, 5874 struct sk_buff *skb, 5875 const struct nf_hook_state *state) 5876 { 5877 return selinux_ip_postroute(skb, state->out, PF_INET6); 5878 } 5879 #endif /* IPV6 */ 5880 5881 #endif /* CONFIG_NETFILTER */ 5882 5883 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5884 { 5885 return selinux_nlmsg_perm(sk, skb); 5886 } 5887 5888 static int ipc_alloc_security(struct kern_ipc_perm *perm, 5889 u16 sclass) 5890 { 5891 struct ipc_security_struct *isec; 5892 5893 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 5894 if (!isec) 5895 return -ENOMEM; 5896 5897 isec->sclass = sclass; 5898 isec->sid = current_sid(); 5899 perm->security = isec; 5900 5901 return 0; 5902 } 5903 5904 static void ipc_free_security(struct kern_ipc_perm *perm) 5905 { 5906 struct ipc_security_struct *isec = perm->security; 5907 perm->security = NULL; 5908 kfree(isec); 5909 } 5910 5911 static int msg_msg_alloc_security(struct msg_msg *msg) 5912 { 5913 struct msg_security_struct *msec; 5914 5915 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 5916 if (!msec) 5917 return -ENOMEM; 5918 5919 msec->sid = SECINITSID_UNLABELED; 5920 msg->security = msec; 5921 5922 return 0; 5923 } 5924 5925 static void msg_msg_free_security(struct msg_msg *msg) 5926 { 5927 struct msg_security_struct *msec = msg->security; 5928 5929 msg->security = NULL; 5930 kfree(msec); 5931 } 5932 5933 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5934 u32 perms) 5935 { 5936 struct ipc_security_struct *isec; 5937 struct common_audit_data ad; 5938 u32 sid = current_sid(); 5939 5940 isec = ipc_perms->security; 5941 5942 ad.type = LSM_AUDIT_DATA_IPC; 5943 ad.u.ipc_id = ipc_perms->key; 5944 5945 return avc_has_perm(&selinux_state, 5946 sid, isec->sid, isec->sclass, perms, &ad); 5947 } 5948 5949 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5950 { 5951 return msg_msg_alloc_security(msg); 5952 } 5953 5954 static void selinux_msg_msg_free_security(struct msg_msg *msg) 5955 { 5956 msg_msg_free_security(msg); 5957 } 5958 5959 /* message queue security operations */ 5960 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 5961 { 5962 struct ipc_security_struct *isec; 5963 struct common_audit_data ad; 5964 u32 sid = current_sid(); 5965 int rc; 5966 5967 rc = ipc_alloc_security(msq, SECCLASS_MSGQ); 5968 if (rc) 5969 return rc; 5970 5971 isec = msq->security; 5972 5973 ad.type = LSM_AUDIT_DATA_IPC; 5974 ad.u.ipc_id = msq->key; 5975 5976 rc = avc_has_perm(&selinux_state, 5977 sid, isec->sid, SECCLASS_MSGQ, 5978 MSGQ__CREATE, &ad); 5979 if (rc) { 5980 ipc_free_security(msq); 5981 return rc; 5982 } 5983 return 0; 5984 } 5985 5986 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq) 5987 { 5988 ipc_free_security(msq); 5989 } 5990 5991 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 5992 { 5993 struct ipc_security_struct *isec; 5994 struct common_audit_data ad; 5995 u32 sid = current_sid(); 5996 5997 isec = msq->security; 5998 5999 ad.type = LSM_AUDIT_DATA_IPC; 6000 ad.u.ipc_id = msq->key; 6001 6002 return avc_has_perm(&selinux_state, 6003 sid, isec->sid, SECCLASS_MSGQ, 6004 MSGQ__ASSOCIATE, &ad); 6005 } 6006 6007 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 6008 { 6009 int err; 6010 int perms; 6011 6012 switch (cmd) { 6013 case IPC_INFO: 6014 case MSG_INFO: 6015 /* No specific object, just general system-wide information. */ 6016 return avc_has_perm(&selinux_state, 6017 current_sid(), SECINITSID_KERNEL, 6018 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6019 case IPC_STAT: 6020 case MSG_STAT: 6021 case MSG_STAT_ANY: 6022 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6023 break; 6024 case IPC_SET: 6025 perms = MSGQ__SETATTR; 6026 break; 6027 case IPC_RMID: 6028 perms = MSGQ__DESTROY; 6029 break; 6030 default: 6031 return 0; 6032 } 6033 6034 err = ipc_has_perm(msq, perms); 6035 return err; 6036 } 6037 6038 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6039 { 6040 struct ipc_security_struct *isec; 6041 struct msg_security_struct *msec; 6042 struct common_audit_data ad; 6043 u32 sid = current_sid(); 6044 int rc; 6045 6046 isec = msq->security; 6047 msec = msg->security; 6048 6049 /* 6050 * First time through, need to assign label to the message 6051 */ 6052 if (msec->sid == SECINITSID_UNLABELED) { 6053 /* 6054 * Compute new sid based on current process and 6055 * message queue this message will be stored in 6056 */ 6057 rc = security_transition_sid(&selinux_state, sid, isec->sid, 6058 SECCLASS_MSG, NULL, &msec->sid); 6059 if (rc) 6060 return rc; 6061 } 6062 6063 ad.type = LSM_AUDIT_DATA_IPC; 6064 ad.u.ipc_id = msq->key; 6065 6066 /* Can this process write to the queue? */ 6067 rc = avc_has_perm(&selinux_state, 6068 sid, isec->sid, SECCLASS_MSGQ, 6069 MSGQ__WRITE, &ad); 6070 if (!rc) 6071 /* Can this process send the message */ 6072 rc = avc_has_perm(&selinux_state, 6073 sid, msec->sid, SECCLASS_MSG, 6074 MSG__SEND, &ad); 6075 if (!rc) 6076 /* Can the message be put in the queue? */ 6077 rc = avc_has_perm(&selinux_state, 6078 msec->sid, isec->sid, SECCLASS_MSGQ, 6079 MSGQ__ENQUEUE, &ad); 6080 6081 return rc; 6082 } 6083 6084 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6085 struct task_struct *target, 6086 long type, int mode) 6087 { 6088 struct ipc_security_struct *isec; 6089 struct msg_security_struct *msec; 6090 struct common_audit_data ad; 6091 u32 sid = task_sid(target); 6092 int rc; 6093 6094 isec = msq->security; 6095 msec = msg->security; 6096 6097 ad.type = LSM_AUDIT_DATA_IPC; 6098 ad.u.ipc_id = msq->key; 6099 6100 rc = avc_has_perm(&selinux_state, 6101 sid, isec->sid, 6102 SECCLASS_MSGQ, MSGQ__READ, &ad); 6103 if (!rc) 6104 rc = avc_has_perm(&selinux_state, 6105 sid, msec->sid, 6106 SECCLASS_MSG, MSG__RECEIVE, &ad); 6107 return rc; 6108 } 6109 6110 /* Shared Memory security operations */ 6111 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6112 { 6113 struct ipc_security_struct *isec; 6114 struct common_audit_data ad; 6115 u32 sid = current_sid(); 6116 int rc; 6117 6118 rc = ipc_alloc_security(shp, SECCLASS_SHM); 6119 if (rc) 6120 return rc; 6121 6122 isec = shp->security; 6123 6124 ad.type = LSM_AUDIT_DATA_IPC; 6125 ad.u.ipc_id = shp->key; 6126 6127 rc = avc_has_perm(&selinux_state, 6128 sid, isec->sid, SECCLASS_SHM, 6129 SHM__CREATE, &ad); 6130 if (rc) { 6131 ipc_free_security(shp); 6132 return rc; 6133 } 6134 return 0; 6135 } 6136 6137 static void selinux_shm_free_security(struct kern_ipc_perm *shp) 6138 { 6139 ipc_free_security(shp); 6140 } 6141 6142 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6143 { 6144 struct ipc_security_struct *isec; 6145 struct common_audit_data ad; 6146 u32 sid = current_sid(); 6147 6148 isec = shp->security; 6149 6150 ad.type = LSM_AUDIT_DATA_IPC; 6151 ad.u.ipc_id = shp->key; 6152 6153 return avc_has_perm(&selinux_state, 6154 sid, isec->sid, SECCLASS_SHM, 6155 SHM__ASSOCIATE, &ad); 6156 } 6157 6158 /* Note, at this point, shp is locked down */ 6159 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6160 { 6161 int perms; 6162 int err; 6163 6164 switch (cmd) { 6165 case IPC_INFO: 6166 case SHM_INFO: 6167 /* No specific object, just general system-wide information. */ 6168 return avc_has_perm(&selinux_state, 6169 current_sid(), SECINITSID_KERNEL, 6170 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6171 case IPC_STAT: 6172 case SHM_STAT: 6173 case SHM_STAT_ANY: 6174 perms = SHM__GETATTR | SHM__ASSOCIATE; 6175 break; 6176 case IPC_SET: 6177 perms = SHM__SETATTR; 6178 break; 6179 case SHM_LOCK: 6180 case SHM_UNLOCK: 6181 perms = SHM__LOCK; 6182 break; 6183 case IPC_RMID: 6184 perms = SHM__DESTROY; 6185 break; 6186 default: 6187 return 0; 6188 } 6189 6190 err = ipc_has_perm(shp, perms); 6191 return err; 6192 } 6193 6194 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6195 char __user *shmaddr, int shmflg) 6196 { 6197 u32 perms; 6198 6199 if (shmflg & SHM_RDONLY) 6200 perms = SHM__READ; 6201 else 6202 perms = SHM__READ | SHM__WRITE; 6203 6204 return ipc_has_perm(shp, perms); 6205 } 6206 6207 /* Semaphore security operations */ 6208 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6209 { 6210 struct ipc_security_struct *isec; 6211 struct common_audit_data ad; 6212 u32 sid = current_sid(); 6213 int rc; 6214 6215 rc = ipc_alloc_security(sma, SECCLASS_SEM); 6216 if (rc) 6217 return rc; 6218 6219 isec = sma->security; 6220 6221 ad.type = LSM_AUDIT_DATA_IPC; 6222 ad.u.ipc_id = sma->key; 6223 6224 rc = avc_has_perm(&selinux_state, 6225 sid, isec->sid, SECCLASS_SEM, 6226 SEM__CREATE, &ad); 6227 if (rc) { 6228 ipc_free_security(sma); 6229 return rc; 6230 } 6231 return 0; 6232 } 6233 6234 static void selinux_sem_free_security(struct kern_ipc_perm *sma) 6235 { 6236 ipc_free_security(sma); 6237 } 6238 6239 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6240 { 6241 struct ipc_security_struct *isec; 6242 struct common_audit_data ad; 6243 u32 sid = current_sid(); 6244 6245 isec = sma->security; 6246 6247 ad.type = LSM_AUDIT_DATA_IPC; 6248 ad.u.ipc_id = sma->key; 6249 6250 return avc_has_perm(&selinux_state, 6251 sid, isec->sid, SECCLASS_SEM, 6252 SEM__ASSOCIATE, &ad); 6253 } 6254 6255 /* Note, at this point, sma is locked down */ 6256 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6257 { 6258 int err; 6259 u32 perms; 6260 6261 switch (cmd) { 6262 case IPC_INFO: 6263 case SEM_INFO: 6264 /* No specific object, just general system-wide information. */ 6265 return avc_has_perm(&selinux_state, 6266 current_sid(), SECINITSID_KERNEL, 6267 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6268 case GETPID: 6269 case GETNCNT: 6270 case GETZCNT: 6271 perms = SEM__GETATTR; 6272 break; 6273 case GETVAL: 6274 case GETALL: 6275 perms = SEM__READ; 6276 break; 6277 case SETVAL: 6278 case SETALL: 6279 perms = SEM__WRITE; 6280 break; 6281 case IPC_RMID: 6282 perms = SEM__DESTROY; 6283 break; 6284 case IPC_SET: 6285 perms = SEM__SETATTR; 6286 break; 6287 case IPC_STAT: 6288 case SEM_STAT: 6289 case SEM_STAT_ANY: 6290 perms = SEM__GETATTR | SEM__ASSOCIATE; 6291 break; 6292 default: 6293 return 0; 6294 } 6295 6296 err = ipc_has_perm(sma, perms); 6297 return err; 6298 } 6299 6300 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6301 struct sembuf *sops, unsigned nsops, int alter) 6302 { 6303 u32 perms; 6304 6305 if (alter) 6306 perms = SEM__READ | SEM__WRITE; 6307 else 6308 perms = SEM__READ; 6309 6310 return ipc_has_perm(sma, perms); 6311 } 6312 6313 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6314 { 6315 u32 av = 0; 6316 6317 av = 0; 6318 if (flag & S_IRUGO) 6319 av |= IPC__UNIX_READ; 6320 if (flag & S_IWUGO) 6321 av |= IPC__UNIX_WRITE; 6322 6323 if (av == 0) 6324 return 0; 6325 6326 return ipc_has_perm(ipcp, av); 6327 } 6328 6329 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 6330 { 6331 struct ipc_security_struct *isec = ipcp->security; 6332 *secid = isec->sid; 6333 } 6334 6335 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6336 { 6337 if (inode) 6338 inode_doinit_with_dentry(inode, dentry); 6339 } 6340 6341 static int selinux_getprocattr(struct task_struct *p, 6342 char *name, char **value) 6343 { 6344 const struct task_security_struct *__tsec; 6345 u32 sid; 6346 int error; 6347 unsigned len; 6348 6349 rcu_read_lock(); 6350 __tsec = __task_cred(p)->security; 6351 6352 if (current != p) { 6353 error = avc_has_perm(&selinux_state, 6354 current_sid(), __tsec->sid, 6355 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6356 if (error) 6357 goto bad; 6358 } 6359 6360 if (!strcmp(name, "current")) 6361 sid = __tsec->sid; 6362 else if (!strcmp(name, "prev")) 6363 sid = __tsec->osid; 6364 else if (!strcmp(name, "exec")) 6365 sid = __tsec->exec_sid; 6366 else if (!strcmp(name, "fscreate")) 6367 sid = __tsec->create_sid; 6368 else if (!strcmp(name, "keycreate")) 6369 sid = __tsec->keycreate_sid; 6370 else if (!strcmp(name, "sockcreate")) 6371 sid = __tsec->sockcreate_sid; 6372 else { 6373 error = -EINVAL; 6374 goto bad; 6375 } 6376 rcu_read_unlock(); 6377 6378 if (!sid) 6379 return 0; 6380 6381 error = security_sid_to_context(&selinux_state, sid, value, &len); 6382 if (error) 6383 return error; 6384 return len; 6385 6386 bad: 6387 rcu_read_unlock(); 6388 return error; 6389 } 6390 6391 static int selinux_setprocattr(const char *name, void *value, size_t size) 6392 { 6393 struct task_security_struct *tsec; 6394 struct cred *new; 6395 u32 mysid = current_sid(), sid = 0, ptsid; 6396 int error; 6397 char *str = value; 6398 6399 /* 6400 * Basic control over ability to set these attributes at all. 6401 */ 6402 if (!strcmp(name, "exec")) 6403 error = avc_has_perm(&selinux_state, 6404 mysid, mysid, SECCLASS_PROCESS, 6405 PROCESS__SETEXEC, NULL); 6406 else if (!strcmp(name, "fscreate")) 6407 error = avc_has_perm(&selinux_state, 6408 mysid, mysid, SECCLASS_PROCESS, 6409 PROCESS__SETFSCREATE, NULL); 6410 else if (!strcmp(name, "keycreate")) 6411 error = avc_has_perm(&selinux_state, 6412 mysid, mysid, SECCLASS_PROCESS, 6413 PROCESS__SETKEYCREATE, NULL); 6414 else if (!strcmp(name, "sockcreate")) 6415 error = avc_has_perm(&selinux_state, 6416 mysid, mysid, SECCLASS_PROCESS, 6417 PROCESS__SETSOCKCREATE, NULL); 6418 else if (!strcmp(name, "current")) 6419 error = avc_has_perm(&selinux_state, 6420 mysid, mysid, SECCLASS_PROCESS, 6421 PROCESS__SETCURRENT, NULL); 6422 else 6423 error = -EINVAL; 6424 if (error) 6425 return error; 6426 6427 /* Obtain a SID for the context, if one was specified. */ 6428 if (size && str[0] && str[0] != '\n') { 6429 if (str[size-1] == '\n') { 6430 str[size-1] = 0; 6431 size--; 6432 } 6433 error = security_context_to_sid(&selinux_state, value, size, 6434 &sid, GFP_KERNEL); 6435 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6436 if (!has_cap_mac_admin(true)) { 6437 struct audit_buffer *ab; 6438 size_t audit_size; 6439 6440 /* We strip a nul only if it is at the end, otherwise the 6441 * context contains a nul and we should audit that */ 6442 if (str[size - 1] == '\0') 6443 audit_size = size - 1; 6444 else 6445 audit_size = size; 6446 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 6447 audit_log_format(ab, "op=fscreate invalid_context="); 6448 audit_log_n_untrustedstring(ab, value, audit_size); 6449 audit_log_end(ab); 6450 6451 return error; 6452 } 6453 error = security_context_to_sid_force( 6454 &selinux_state, 6455 value, size, &sid); 6456 } 6457 if (error) 6458 return error; 6459 } 6460 6461 new = prepare_creds(); 6462 if (!new) 6463 return -ENOMEM; 6464 6465 /* Permission checking based on the specified context is 6466 performed during the actual operation (execve, 6467 open/mkdir/...), when we know the full context of the 6468 operation. See selinux_bprm_set_creds for the execve 6469 checks and may_create for the file creation checks. The 6470 operation will then fail if the context is not permitted. */ 6471 tsec = new->security; 6472 if (!strcmp(name, "exec")) { 6473 tsec->exec_sid = sid; 6474 } else if (!strcmp(name, "fscreate")) { 6475 tsec->create_sid = sid; 6476 } else if (!strcmp(name, "keycreate")) { 6477 error = avc_has_perm(&selinux_state, 6478 mysid, sid, SECCLASS_KEY, KEY__CREATE, 6479 NULL); 6480 if (error) 6481 goto abort_change; 6482 tsec->keycreate_sid = sid; 6483 } else if (!strcmp(name, "sockcreate")) { 6484 tsec->sockcreate_sid = sid; 6485 } else if (!strcmp(name, "current")) { 6486 error = -EINVAL; 6487 if (sid == 0) 6488 goto abort_change; 6489 6490 /* Only allow single threaded processes to change context */ 6491 error = -EPERM; 6492 if (!current_is_single_threaded()) { 6493 error = security_bounded_transition(&selinux_state, 6494 tsec->sid, sid); 6495 if (error) 6496 goto abort_change; 6497 } 6498 6499 /* Check permissions for the transition. */ 6500 error = avc_has_perm(&selinux_state, 6501 tsec->sid, sid, SECCLASS_PROCESS, 6502 PROCESS__DYNTRANSITION, NULL); 6503 if (error) 6504 goto abort_change; 6505 6506 /* Check for ptracing, and update the task SID if ok. 6507 Otherwise, leave SID unchanged and fail. */ 6508 ptsid = ptrace_parent_sid(); 6509 if (ptsid != 0) { 6510 error = avc_has_perm(&selinux_state, 6511 ptsid, sid, SECCLASS_PROCESS, 6512 PROCESS__PTRACE, NULL); 6513 if (error) 6514 goto abort_change; 6515 } 6516 6517 tsec->sid = sid; 6518 } else { 6519 error = -EINVAL; 6520 goto abort_change; 6521 } 6522 6523 commit_creds(new); 6524 return size; 6525 6526 abort_change: 6527 abort_creds(new); 6528 return error; 6529 } 6530 6531 static int selinux_ismaclabel(const char *name) 6532 { 6533 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6534 } 6535 6536 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6537 { 6538 return security_sid_to_context(&selinux_state, secid, 6539 secdata, seclen); 6540 } 6541 6542 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6543 { 6544 return security_context_to_sid(&selinux_state, secdata, seclen, 6545 secid, GFP_KERNEL); 6546 } 6547 6548 static void selinux_release_secctx(char *secdata, u32 seclen) 6549 { 6550 kfree(secdata); 6551 } 6552 6553 static void selinux_inode_invalidate_secctx(struct inode *inode) 6554 { 6555 struct inode_security_struct *isec = inode->i_security; 6556 6557 spin_lock(&isec->lock); 6558 isec->initialized = LABEL_INVALID; 6559 spin_unlock(&isec->lock); 6560 } 6561 6562 /* 6563 * called with inode->i_mutex locked 6564 */ 6565 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6566 { 6567 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 6568 } 6569 6570 /* 6571 * called with inode->i_mutex locked 6572 */ 6573 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6574 { 6575 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 6576 } 6577 6578 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6579 { 6580 int len = 0; 6581 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 6582 ctx, true); 6583 if (len < 0) 6584 return len; 6585 *ctxlen = len; 6586 return 0; 6587 } 6588 #ifdef CONFIG_KEYS 6589 6590 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6591 unsigned long flags) 6592 { 6593 const struct task_security_struct *tsec; 6594 struct key_security_struct *ksec; 6595 6596 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6597 if (!ksec) 6598 return -ENOMEM; 6599 6600 tsec = cred->security; 6601 if (tsec->keycreate_sid) 6602 ksec->sid = tsec->keycreate_sid; 6603 else 6604 ksec->sid = tsec->sid; 6605 6606 k->security = ksec; 6607 return 0; 6608 } 6609 6610 static void selinux_key_free(struct key *k) 6611 { 6612 struct key_security_struct *ksec = k->security; 6613 6614 k->security = NULL; 6615 kfree(ksec); 6616 } 6617 6618 static int selinux_key_permission(key_ref_t key_ref, 6619 const struct cred *cred, 6620 unsigned perm) 6621 { 6622 struct key *key; 6623 struct key_security_struct *ksec; 6624 u32 sid; 6625 6626 /* if no specific permissions are requested, we skip the 6627 permission check. No serious, additional covert channels 6628 appear to be created. */ 6629 if (perm == 0) 6630 return 0; 6631 6632 sid = cred_sid(cred); 6633 6634 key = key_ref_to_ptr(key_ref); 6635 ksec = key->security; 6636 6637 return avc_has_perm(&selinux_state, 6638 sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6639 } 6640 6641 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6642 { 6643 struct key_security_struct *ksec = key->security; 6644 char *context = NULL; 6645 unsigned len; 6646 int rc; 6647 6648 rc = security_sid_to_context(&selinux_state, ksec->sid, 6649 &context, &len); 6650 if (!rc) 6651 rc = len; 6652 *_buffer = context; 6653 return rc; 6654 } 6655 #endif 6656 6657 #ifdef CONFIG_SECURITY_INFINIBAND 6658 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6659 { 6660 struct common_audit_data ad; 6661 int err; 6662 u32 sid = 0; 6663 struct ib_security_struct *sec = ib_sec; 6664 struct lsm_ibpkey_audit ibpkey; 6665 6666 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6667 if (err) 6668 return err; 6669 6670 ad.type = LSM_AUDIT_DATA_IBPKEY; 6671 ibpkey.subnet_prefix = subnet_prefix; 6672 ibpkey.pkey = pkey_val; 6673 ad.u.ibpkey = &ibpkey; 6674 return avc_has_perm(&selinux_state, 6675 sec->sid, sid, 6676 SECCLASS_INFINIBAND_PKEY, 6677 INFINIBAND_PKEY__ACCESS, &ad); 6678 } 6679 6680 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6681 u8 port_num) 6682 { 6683 struct common_audit_data ad; 6684 int err; 6685 u32 sid = 0; 6686 struct ib_security_struct *sec = ib_sec; 6687 struct lsm_ibendport_audit ibendport; 6688 6689 err = security_ib_endport_sid(&selinux_state, dev_name, port_num, 6690 &sid); 6691 6692 if (err) 6693 return err; 6694 6695 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6696 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6697 ibendport.port = port_num; 6698 ad.u.ibendport = &ibendport; 6699 return avc_has_perm(&selinux_state, 6700 sec->sid, sid, 6701 SECCLASS_INFINIBAND_ENDPORT, 6702 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6703 } 6704 6705 static int selinux_ib_alloc_security(void **ib_sec) 6706 { 6707 struct ib_security_struct *sec; 6708 6709 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6710 if (!sec) 6711 return -ENOMEM; 6712 sec->sid = current_sid(); 6713 6714 *ib_sec = sec; 6715 return 0; 6716 } 6717 6718 static void selinux_ib_free_security(void *ib_sec) 6719 { 6720 kfree(ib_sec); 6721 } 6722 #endif 6723 6724 #ifdef CONFIG_BPF_SYSCALL 6725 static int selinux_bpf(int cmd, union bpf_attr *attr, 6726 unsigned int size) 6727 { 6728 u32 sid = current_sid(); 6729 int ret; 6730 6731 switch (cmd) { 6732 case BPF_MAP_CREATE: 6733 ret = avc_has_perm(&selinux_state, 6734 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6735 NULL); 6736 break; 6737 case BPF_PROG_LOAD: 6738 ret = avc_has_perm(&selinux_state, 6739 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6740 NULL); 6741 break; 6742 default: 6743 ret = 0; 6744 break; 6745 } 6746 6747 return ret; 6748 } 6749 6750 static u32 bpf_map_fmode_to_av(fmode_t fmode) 6751 { 6752 u32 av = 0; 6753 6754 if (fmode & FMODE_READ) 6755 av |= BPF__MAP_READ; 6756 if (fmode & FMODE_WRITE) 6757 av |= BPF__MAP_WRITE; 6758 return av; 6759 } 6760 6761 /* This function will check the file pass through unix socket or binder to see 6762 * if it is a bpf related object. And apply correspinding checks on the bpf 6763 * object based on the type. The bpf maps and programs, not like other files and 6764 * socket, are using a shared anonymous inode inside the kernel as their inode. 6765 * So checking that inode cannot identify if the process have privilege to 6766 * access the bpf object and that's why we have to add this additional check in 6767 * selinux_file_receive and selinux_binder_transfer_files. 6768 */ 6769 static int bpf_fd_pass(struct file *file, u32 sid) 6770 { 6771 struct bpf_security_struct *bpfsec; 6772 struct bpf_prog *prog; 6773 struct bpf_map *map; 6774 int ret; 6775 6776 if (file->f_op == &bpf_map_fops) { 6777 map = file->private_data; 6778 bpfsec = map->security; 6779 ret = avc_has_perm(&selinux_state, 6780 sid, bpfsec->sid, SECCLASS_BPF, 6781 bpf_map_fmode_to_av(file->f_mode), NULL); 6782 if (ret) 6783 return ret; 6784 } else if (file->f_op == &bpf_prog_fops) { 6785 prog = file->private_data; 6786 bpfsec = prog->aux->security; 6787 ret = avc_has_perm(&selinux_state, 6788 sid, bpfsec->sid, SECCLASS_BPF, 6789 BPF__PROG_RUN, NULL); 6790 if (ret) 6791 return ret; 6792 } 6793 return 0; 6794 } 6795 6796 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 6797 { 6798 u32 sid = current_sid(); 6799 struct bpf_security_struct *bpfsec; 6800 6801 bpfsec = map->security; 6802 return avc_has_perm(&selinux_state, 6803 sid, bpfsec->sid, SECCLASS_BPF, 6804 bpf_map_fmode_to_av(fmode), NULL); 6805 } 6806 6807 static int selinux_bpf_prog(struct bpf_prog *prog) 6808 { 6809 u32 sid = current_sid(); 6810 struct bpf_security_struct *bpfsec; 6811 6812 bpfsec = prog->aux->security; 6813 return avc_has_perm(&selinux_state, 6814 sid, bpfsec->sid, SECCLASS_BPF, 6815 BPF__PROG_RUN, NULL); 6816 } 6817 6818 static int selinux_bpf_map_alloc(struct bpf_map *map) 6819 { 6820 struct bpf_security_struct *bpfsec; 6821 6822 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6823 if (!bpfsec) 6824 return -ENOMEM; 6825 6826 bpfsec->sid = current_sid(); 6827 map->security = bpfsec; 6828 6829 return 0; 6830 } 6831 6832 static void selinux_bpf_map_free(struct bpf_map *map) 6833 { 6834 struct bpf_security_struct *bpfsec = map->security; 6835 6836 map->security = NULL; 6837 kfree(bpfsec); 6838 } 6839 6840 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux) 6841 { 6842 struct bpf_security_struct *bpfsec; 6843 6844 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6845 if (!bpfsec) 6846 return -ENOMEM; 6847 6848 bpfsec->sid = current_sid(); 6849 aux->security = bpfsec; 6850 6851 return 0; 6852 } 6853 6854 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) 6855 { 6856 struct bpf_security_struct *bpfsec = aux->security; 6857 6858 aux->security = NULL; 6859 kfree(bpfsec); 6860 } 6861 #endif 6862 6863 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 6864 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6865 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6866 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6867 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6868 6869 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 6870 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 6871 LSM_HOOK_INIT(capget, selinux_capget), 6872 LSM_HOOK_INIT(capset, selinux_capset), 6873 LSM_HOOK_INIT(capable, selinux_capable), 6874 LSM_HOOK_INIT(quotactl, selinux_quotactl), 6875 LSM_HOOK_INIT(quota_on, selinux_quota_on), 6876 LSM_HOOK_INIT(syslog, selinux_syslog), 6877 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6878 6879 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6880 6881 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6882 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6883 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6884 6885 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6886 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6887 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data), 6888 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6889 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6890 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6891 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 6892 LSM_HOOK_INIT(sb_mount, selinux_mount), 6893 LSM_HOOK_INIT(sb_umount, selinux_umount), 6894 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 6895 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 6896 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), 6897 6898 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 6899 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 6900 6901 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 6902 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 6903 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 6904 LSM_HOOK_INIT(inode_create, selinux_inode_create), 6905 LSM_HOOK_INIT(inode_link, selinux_inode_link), 6906 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 6907 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 6908 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 6909 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 6910 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 6911 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 6912 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 6913 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 6914 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 6915 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 6916 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 6917 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 6918 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 6919 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 6920 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 6921 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 6922 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 6923 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 6924 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 6925 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 6926 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 6927 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 6928 6929 LSM_HOOK_INIT(file_permission, selinux_file_permission), 6930 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 6931 LSM_HOOK_INIT(file_free_security, selinux_file_free_security), 6932 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 6933 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 6934 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 6935 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 6936 LSM_HOOK_INIT(file_lock, selinux_file_lock), 6937 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 6938 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 6939 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 6940 LSM_HOOK_INIT(file_receive, selinux_file_receive), 6941 6942 LSM_HOOK_INIT(file_open, selinux_file_open), 6943 6944 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 6945 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), 6946 LSM_HOOK_INIT(cred_free, selinux_cred_free), 6947 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6948 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6949 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 6950 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6951 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6952 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6953 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 6954 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 6955 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 6956 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 6957 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), 6958 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 6959 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 6960 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 6961 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 6962 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 6963 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 6964 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 6965 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 6966 LSM_HOOK_INIT(task_kill, selinux_task_kill), 6967 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 6968 6969 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 6970 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 6971 6972 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 6973 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security), 6974 6975 LSM_HOOK_INIT(msg_queue_alloc_security, 6976 selinux_msg_queue_alloc_security), 6977 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security), 6978 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 6979 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 6980 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 6981 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 6982 6983 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 6984 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security), 6985 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 6986 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 6987 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 6988 6989 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 6990 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security), 6991 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 6992 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 6993 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 6994 6995 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 6996 6997 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 6998 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 6999 7000 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 7001 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 7002 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 7003 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 7004 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 7005 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 7006 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 7007 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 7008 7009 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 7010 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 7011 7012 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7013 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7014 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7015 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7016 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7017 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7018 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7019 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7020 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7021 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7022 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7023 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7024 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7025 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7026 LSM_HOOK_INIT(socket_getpeersec_stream, 7027 selinux_socket_getpeersec_stream), 7028 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7029 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7030 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7031 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7032 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7033 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7034 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7035 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7036 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7037 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7038 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7039 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7040 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7041 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7042 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7043 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7044 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7045 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 7046 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7047 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7048 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7049 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7050 #ifdef CONFIG_SECURITY_INFINIBAND 7051 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7052 LSM_HOOK_INIT(ib_endport_manage_subnet, 7053 selinux_ib_endport_manage_subnet), 7054 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7055 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 7056 #endif 7057 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7058 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7059 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7060 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7061 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7062 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7063 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7064 selinux_xfrm_state_alloc_acquire), 7065 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7066 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7067 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7068 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7069 selinux_xfrm_state_pol_flow_match), 7070 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7071 #endif 7072 7073 #ifdef CONFIG_KEYS 7074 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7075 LSM_HOOK_INIT(key_free, selinux_key_free), 7076 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7077 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7078 #endif 7079 7080 #ifdef CONFIG_AUDIT 7081 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7082 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7083 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7084 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7085 #endif 7086 7087 #ifdef CONFIG_BPF_SYSCALL 7088 LSM_HOOK_INIT(bpf, selinux_bpf), 7089 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7090 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7091 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), 7092 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), 7093 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free), 7094 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free), 7095 #endif 7096 }; 7097 7098 static __init int selinux_init(void) 7099 { 7100 if (!security_module_enable("selinux")) { 7101 selinux_enabled = 0; 7102 return 0; 7103 } 7104 7105 if (!selinux_enabled) { 7106 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 7107 return 0; 7108 } 7109 7110 printk(KERN_INFO "SELinux: Initializing.\n"); 7111 7112 memset(&selinux_state, 0, sizeof(selinux_state)); 7113 enforcing_set(&selinux_state, selinux_enforcing_boot); 7114 selinux_state.checkreqprot = selinux_checkreqprot_boot; 7115 selinux_ss_init(&selinux_state.ss); 7116 selinux_avc_init(&selinux_state.avc); 7117 7118 /* Set the security state for the initial task. */ 7119 cred_init_security(); 7120 7121 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7122 7123 sel_inode_cache = kmem_cache_create("selinux_inode_security", 7124 sizeof(struct inode_security_struct), 7125 0, SLAB_PANIC, NULL); 7126 file_security_cache = kmem_cache_create("selinux_file_security", 7127 sizeof(struct file_security_struct), 7128 0, SLAB_PANIC, NULL); 7129 avc_init(); 7130 7131 avtab_cache_init(); 7132 7133 ebitmap_cache_init(); 7134 7135 hashtab_cache_init(); 7136 7137 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 7138 7139 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7140 panic("SELinux: Unable to register AVC netcache callback\n"); 7141 7142 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7143 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7144 7145 if (selinux_enforcing_boot) 7146 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 7147 else 7148 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 7149 7150 return 0; 7151 } 7152 7153 static void delayed_superblock_init(struct super_block *sb, void *unused) 7154 { 7155 superblock_doinit(sb, NULL); 7156 } 7157 7158 void selinux_complete_init(void) 7159 { 7160 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 7161 7162 /* Set up any superblocks initialized prior to the policy load. */ 7163 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 7164 iterate_supers(delayed_superblock_init, NULL); 7165 } 7166 7167 /* SELinux requires early initialization in order to label 7168 all processes and objects when they are created. */ 7169 security_initcall(selinux_init); 7170 7171 #if defined(CONFIG_NETFILTER) 7172 7173 static const struct nf_hook_ops selinux_nf_ops[] = { 7174 { 7175 .hook = selinux_ipv4_postroute, 7176 .pf = NFPROTO_IPV4, 7177 .hooknum = NF_INET_POST_ROUTING, 7178 .priority = NF_IP_PRI_SELINUX_LAST, 7179 }, 7180 { 7181 .hook = selinux_ipv4_forward, 7182 .pf = NFPROTO_IPV4, 7183 .hooknum = NF_INET_FORWARD, 7184 .priority = NF_IP_PRI_SELINUX_FIRST, 7185 }, 7186 { 7187 .hook = selinux_ipv4_output, 7188 .pf = NFPROTO_IPV4, 7189 .hooknum = NF_INET_LOCAL_OUT, 7190 .priority = NF_IP_PRI_SELINUX_FIRST, 7191 }, 7192 #if IS_ENABLED(CONFIG_IPV6) 7193 { 7194 .hook = selinux_ipv6_postroute, 7195 .pf = NFPROTO_IPV6, 7196 .hooknum = NF_INET_POST_ROUTING, 7197 .priority = NF_IP6_PRI_SELINUX_LAST, 7198 }, 7199 { 7200 .hook = selinux_ipv6_forward, 7201 .pf = NFPROTO_IPV6, 7202 .hooknum = NF_INET_FORWARD, 7203 .priority = NF_IP6_PRI_SELINUX_FIRST, 7204 }, 7205 { 7206 .hook = selinux_ipv6_output, 7207 .pf = NFPROTO_IPV6, 7208 .hooknum = NF_INET_LOCAL_OUT, 7209 .priority = NF_IP6_PRI_SELINUX_FIRST, 7210 }, 7211 #endif /* IPV6 */ 7212 }; 7213 7214 static int __net_init selinux_nf_register(struct net *net) 7215 { 7216 return nf_register_net_hooks(net, selinux_nf_ops, 7217 ARRAY_SIZE(selinux_nf_ops)); 7218 } 7219 7220 static void __net_exit selinux_nf_unregister(struct net *net) 7221 { 7222 nf_unregister_net_hooks(net, selinux_nf_ops, 7223 ARRAY_SIZE(selinux_nf_ops)); 7224 } 7225 7226 static struct pernet_operations selinux_net_ops = { 7227 .init = selinux_nf_register, 7228 .exit = selinux_nf_unregister, 7229 }; 7230 7231 static int __init selinux_nf_ip_init(void) 7232 { 7233 int err; 7234 7235 if (!selinux_enabled) 7236 return 0; 7237 7238 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 7239 7240 err = register_pernet_subsys(&selinux_net_ops); 7241 if (err) 7242 panic("SELinux: register_pernet_subsys: error %d\n", err); 7243 7244 return 0; 7245 } 7246 __initcall(selinux_nf_ip_init); 7247 7248 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7249 static void selinux_nf_ip_exit(void) 7250 { 7251 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 7252 7253 unregister_pernet_subsys(&selinux_net_ops); 7254 } 7255 #endif 7256 7257 #else /* CONFIG_NETFILTER */ 7258 7259 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7260 #define selinux_nf_ip_exit() 7261 #endif 7262 7263 #endif /* CONFIG_NETFILTER */ 7264 7265 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7266 int selinux_disable(struct selinux_state *state) 7267 { 7268 if (state->initialized) { 7269 /* Not permitted after initial policy load. */ 7270 return -EINVAL; 7271 } 7272 7273 if (state->disabled) { 7274 /* Only do this once. */ 7275 return -EINVAL; 7276 } 7277 7278 state->disabled = 1; 7279 7280 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 7281 7282 selinux_enabled = 0; 7283 7284 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7285 7286 /* Try to destroy the avc node cache */ 7287 avc_disable(); 7288 7289 /* Unregister netfilter hooks. */ 7290 selinux_nf_ip_exit(); 7291 7292 /* Unregister selinuxfs. */ 7293 exit_sel_fs(); 7294 7295 return 0; 7296 } 7297 #endif 7298