1 // SPDX-License-Identifier: GPL-2.0-only 2 /* Updated: Karl MacMillan <kmacmillan@tresys.com> 3 * 4 * Added conditional policy language extensions 5 * 6 * Updated: Hewlett-Packard <paul@paul-moore.com> 7 * 8 * Added support for the policy capability bitmap 9 * 10 * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. 11 * Copyright (C) 2003 - 2004 Tresys Technology, LLC 12 * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 */ 14 15 #include <linux/kernel.h> 16 #include <linux/pagemap.h> 17 #include <linux/slab.h> 18 #include <linux/vmalloc.h> 19 #include <linux/fs.h> 20 #include <linux/fs_context.h> 21 #include <linux/mount.h> 22 #include <linux/mutex.h> 23 #include <linux/namei.h> 24 #include <linux/init.h> 25 #include <linux/string.h> 26 #include <linux/security.h> 27 #include <linux/major.h> 28 #include <linux/seq_file.h> 29 #include <linux/percpu.h> 30 #include <linux/audit.h> 31 #include <linux/uaccess.h> 32 #include <linux/kobject.h> 33 #include <linux/ctype.h> 34 35 /* selinuxfs pseudo filesystem for exporting the security policy API. 36 Based on the proc code and the fs/nfsd/nfsctl.c code. */ 37 38 #include "initcalls.h" 39 #include "flask.h" 40 #include "avc.h" 41 #include "avc_ss.h" 42 #include "security.h" 43 #include "objsec.h" 44 #include "conditional.h" 45 #include "ima.h" 46 47 enum sel_inos { 48 SEL_ROOT_INO = 2, 49 SEL_LOAD, /* load policy */ 50 SEL_ENFORCE, /* get or set enforcing status */ 51 SEL_CONTEXT, /* validate context */ 52 SEL_ACCESS, /* compute access decision */ 53 SEL_CREATE, /* compute create labeling decision */ 54 SEL_RELABEL, /* compute relabeling decision */ 55 SEL_USER, /* compute reachable user contexts */ 56 SEL_POLICYVERS, /* return policy version for this kernel */ 57 SEL_COMMIT_BOOLS, /* commit new boolean values */ 58 SEL_MLS, /* return if MLS policy is enabled */ 59 SEL_DISABLE, /* disable SELinux until next reboot */ 60 SEL_MEMBER, /* compute polyinstantiation membership decision */ 61 SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */ 62 SEL_COMPAT_NET, /* whether to use old compat network packet controls */ 63 SEL_REJECT_UNKNOWN, /* export unknown reject handling to userspace */ 64 SEL_DENY_UNKNOWN, /* export unknown deny handling to userspace */ 65 SEL_STATUS, /* export current status using mmap() */ 66 SEL_POLICY, /* allow userspace to read the in kernel policy */ 67 SEL_VALIDATE_TRANS, /* compute validatetrans decision */ 68 SEL_INO_NEXT, /* The next inode number to use */ 69 }; 70 71 struct selinux_fs_info { 72 struct dentry *bool_dir; 73 unsigned int bool_num; 74 char **bool_pending_names; 75 int *bool_pending_values; 76 struct dentry *class_dir; 77 unsigned long last_class_ino; 78 bool policy_opened; 79 unsigned long last_ino; 80 struct super_block *sb; 81 }; 82 83 static int selinux_fs_info_create(struct super_block *sb) 84 { 85 struct selinux_fs_info *fsi; 86 87 fsi = kzalloc(sizeof(*fsi), GFP_KERNEL); 88 if (!fsi) 89 return -ENOMEM; 90 91 fsi->last_ino = SEL_INO_NEXT - 1; 92 fsi->sb = sb; 93 sb->s_fs_info = fsi; 94 return 0; 95 } 96 97 static void selinux_fs_info_free(struct super_block *sb) 98 { 99 struct selinux_fs_info *fsi = sb->s_fs_info; 100 unsigned int i; 101 102 if (fsi) { 103 for (i = 0; i < fsi->bool_num; i++) 104 kfree(fsi->bool_pending_names[i]); 105 kfree(fsi->bool_pending_names); 106 kfree(fsi->bool_pending_values); 107 } 108 kfree(sb->s_fs_info); 109 sb->s_fs_info = NULL; 110 } 111 112 #define SEL_INITCON_INO_OFFSET 0x01000000 113 #define SEL_BOOL_INO_OFFSET 0x02000000 114 #define SEL_CLASS_INO_OFFSET 0x04000000 115 #define SEL_POLICYCAP_INO_OFFSET 0x08000000 116 #define SEL_INO_MASK 0x00ffffff 117 118 #define BOOL_DIR_NAME "booleans" 119 #define CLASS_DIR_NAME "class" 120 121 #define TMPBUFLEN 12 122 static ssize_t sel_read_enforce(struct file *filp, char __user *buf, 123 size_t count, loff_t *ppos) 124 { 125 char tmpbuf[TMPBUFLEN]; 126 ssize_t length; 127 128 length = scnprintf(tmpbuf, TMPBUFLEN, "%d", 129 enforcing_enabled()); 130 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 131 } 132 133 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 134 static ssize_t sel_write_enforce(struct file *file, const char __user *buf, 135 size_t count, loff_t *ppos) 136 137 { 138 char *page = NULL; 139 ssize_t length; 140 int scan_value; 141 bool old_value, new_value; 142 143 if (count >= PAGE_SIZE) 144 return -ENOMEM; 145 146 /* No partial writes. */ 147 if (*ppos != 0) 148 return -EINVAL; 149 150 page = memdup_user_nul(buf, count); 151 if (IS_ERR(page)) 152 return PTR_ERR(page); 153 154 length = -EINVAL; 155 if (sscanf(page, "%d", &scan_value) != 1) 156 goto out; 157 158 new_value = !!scan_value; 159 160 old_value = enforcing_enabled(); 161 if (new_value != old_value) { 162 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 163 SECCLASS_SECURITY, SECURITY__SETENFORCE, 164 NULL); 165 if (length) 166 goto out; 167 audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS, 168 "enforcing=%d old_enforcing=%d auid=%u ses=%u" 169 " enabled=1 old-enabled=1 lsm=selinux res=1", 170 new_value, old_value, 171 from_kuid(&init_user_ns, audit_get_loginuid(current)), 172 audit_get_sessionid(current)); 173 enforcing_set(new_value); 174 if (new_value) 175 avc_ss_reset(0); 176 selnl_notify_setenforce(new_value); 177 selinux_status_update_setenforce(new_value); 178 if (!new_value) 179 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); 180 181 selinux_ima_measure_state(); 182 } 183 length = count; 184 out: 185 kfree(page); 186 return length; 187 } 188 #else 189 #define sel_write_enforce NULL 190 #endif 191 192 static const struct file_operations sel_enforce_ops = { 193 .read = sel_read_enforce, 194 .write = sel_write_enforce, 195 .llseek = generic_file_llseek, 196 }; 197 198 static ssize_t sel_read_handle_unknown(struct file *filp, char __user *buf, 199 size_t count, loff_t *ppos) 200 { 201 char tmpbuf[TMPBUFLEN]; 202 ssize_t length; 203 ino_t ino = file_inode(filp)->i_ino; 204 int handle_unknown = (ino == SEL_REJECT_UNKNOWN) ? 205 security_get_reject_unknown() : 206 !security_get_allow_unknown(); 207 208 length = scnprintf(tmpbuf, TMPBUFLEN, "%d", handle_unknown); 209 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 210 } 211 212 static const struct file_operations sel_handle_unknown_ops = { 213 .read = sel_read_handle_unknown, 214 .llseek = generic_file_llseek, 215 }; 216 217 static int sel_open_handle_status(struct inode *inode, struct file *filp) 218 { 219 struct page *status = selinux_kernel_status_page(); 220 221 if (!status) 222 return -ENOMEM; 223 224 filp->private_data = status; 225 226 return 0; 227 } 228 229 static ssize_t sel_read_handle_status(struct file *filp, char __user *buf, 230 size_t count, loff_t *ppos) 231 { 232 struct page *status = filp->private_data; 233 234 BUG_ON(!status); 235 236 return simple_read_from_buffer(buf, count, ppos, 237 page_address(status), 238 sizeof(struct selinux_kernel_status)); 239 } 240 241 static int sel_mmap_handle_status(struct file *filp, 242 struct vm_area_struct *vma) 243 { 244 struct page *status = filp->private_data; 245 unsigned long size = vma->vm_end - vma->vm_start; 246 247 BUG_ON(!status); 248 249 /* only allows one page from the head */ 250 if (vma->vm_pgoff > 0 || size != PAGE_SIZE) 251 return -EIO; 252 /* disallow writable mapping */ 253 if (vma->vm_flags & VM_WRITE) 254 return -EPERM; 255 /* disallow mprotect() turns it into writable */ 256 vm_flags_clear(vma, VM_MAYWRITE); 257 258 return remap_pfn_range(vma, vma->vm_start, 259 page_to_pfn(status), 260 size, vma->vm_page_prot); 261 } 262 263 static const struct file_operations sel_handle_status_ops = { 264 .open = sel_open_handle_status, 265 .read = sel_read_handle_status, 266 .mmap = sel_mmap_handle_status, 267 .llseek = generic_file_llseek, 268 }; 269 270 static ssize_t sel_write_disable(struct file *file, const char __user *buf, 271 size_t count, loff_t *ppos) 272 273 { 274 char *page; 275 ssize_t length; 276 int new_value; 277 278 if (count >= PAGE_SIZE) 279 return -ENOMEM; 280 281 /* No partial writes. */ 282 if (*ppos != 0) 283 return -EINVAL; 284 285 page = memdup_user_nul(buf, count); 286 if (IS_ERR(page)) 287 return PTR_ERR(page); 288 289 if (sscanf(page, "%d", &new_value) != 1) { 290 length = -EINVAL; 291 goto out; 292 } 293 length = count; 294 295 if (new_value) { 296 pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n"); 297 pr_err("SELinux: Runtime disable is not supported, use selinux=0 on the kernel cmdline.\n"); 298 } 299 300 out: 301 kfree(page); 302 return length; 303 } 304 305 static const struct file_operations sel_disable_ops = { 306 .write = sel_write_disable, 307 .llseek = generic_file_llseek, 308 }; 309 310 static ssize_t sel_read_policyvers(struct file *filp, char __user *buf, 311 size_t count, loff_t *ppos) 312 { 313 char tmpbuf[TMPBUFLEN]; 314 ssize_t length; 315 316 length = scnprintf(tmpbuf, TMPBUFLEN, "%u", POLICYDB_VERSION_MAX); 317 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 318 } 319 320 static const struct file_operations sel_policyvers_ops = { 321 .read = sel_read_policyvers, 322 .llseek = generic_file_llseek, 323 }; 324 325 /* declaration for sel_write_load */ 326 static int sel_make_bools(struct selinux_policy *newpolicy, struct dentry *bool_dir, 327 unsigned int *bool_num, char ***bool_pending_names, 328 int **bool_pending_values); 329 static int sel_make_classes(struct selinux_policy *newpolicy, 330 struct dentry *class_dir, 331 unsigned long *last_class_ino); 332 333 /* declaration for sel_make_class_dirs */ 334 static struct dentry *sel_make_dir(struct dentry *dir, const char *name, 335 unsigned long *ino); 336 337 /* declaration for sel_make_policy_nodes */ 338 static struct dentry *sel_make_swapover_dir(struct super_block *sb, 339 unsigned long *ino); 340 341 static ssize_t sel_read_mls(struct file *filp, char __user *buf, 342 size_t count, loff_t *ppos) 343 { 344 char tmpbuf[TMPBUFLEN]; 345 ssize_t length; 346 347 length = scnprintf(tmpbuf, TMPBUFLEN, "%d", 348 security_mls_enabled()); 349 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 350 } 351 352 static const struct file_operations sel_mls_ops = { 353 .read = sel_read_mls, 354 .llseek = generic_file_llseek, 355 }; 356 357 struct policy_load_memory { 358 size_t len; 359 void *data; 360 }; 361 362 static int sel_open_policy(struct inode *inode, struct file *filp) 363 { 364 struct selinux_fs_info *fsi = inode->i_sb->s_fs_info; 365 struct policy_load_memory *plm = NULL; 366 int rc; 367 368 BUG_ON(filp->private_data); 369 370 mutex_lock(&selinux_state.policy_mutex); 371 372 rc = avc_has_perm(current_sid(), SECINITSID_SECURITY, 373 SECCLASS_SECURITY, SECURITY__READ_POLICY, NULL); 374 if (rc) 375 goto err; 376 377 rc = -EBUSY; 378 if (fsi->policy_opened) 379 goto err; 380 381 rc = -ENOMEM; 382 plm = kzalloc(sizeof(*plm), GFP_KERNEL); 383 if (!plm) 384 goto err; 385 386 rc = security_read_policy(&plm->data, &plm->len); 387 if (rc) 388 goto err; 389 390 if ((size_t)i_size_read(inode) != plm->len) { 391 inode_lock(inode); 392 i_size_write(inode, plm->len); 393 inode_unlock(inode); 394 } 395 396 fsi->policy_opened = 1; 397 398 filp->private_data = plm; 399 400 mutex_unlock(&selinux_state.policy_mutex); 401 402 return 0; 403 err: 404 mutex_unlock(&selinux_state.policy_mutex); 405 406 if (plm) 407 vfree(plm->data); 408 kfree(plm); 409 return rc; 410 } 411 412 static int sel_release_policy(struct inode *inode, struct file *filp) 413 { 414 struct selinux_fs_info *fsi = inode->i_sb->s_fs_info; 415 struct policy_load_memory *plm = filp->private_data; 416 417 BUG_ON(!plm); 418 419 fsi->policy_opened = 0; 420 421 vfree(plm->data); 422 kfree(plm); 423 424 return 0; 425 } 426 427 static ssize_t sel_read_policy(struct file *filp, char __user *buf, 428 size_t count, loff_t *ppos) 429 { 430 struct policy_load_memory *plm = filp->private_data; 431 int ret; 432 433 ret = avc_has_perm(current_sid(), SECINITSID_SECURITY, 434 SECCLASS_SECURITY, SECURITY__READ_POLICY, NULL); 435 if (ret) 436 return ret; 437 438 return simple_read_from_buffer(buf, count, ppos, plm->data, plm->len); 439 } 440 441 static vm_fault_t sel_mmap_policy_fault(struct vm_fault *vmf) 442 { 443 struct policy_load_memory *plm = vmf->vma->vm_file->private_data; 444 unsigned long offset; 445 struct page *page; 446 447 if (vmf->flags & (FAULT_FLAG_MKWRITE | FAULT_FLAG_WRITE)) 448 return VM_FAULT_SIGBUS; 449 450 offset = vmf->pgoff << PAGE_SHIFT; 451 if (offset >= roundup(plm->len, PAGE_SIZE)) 452 return VM_FAULT_SIGBUS; 453 454 page = vmalloc_to_page(plm->data + offset); 455 get_page(page); 456 457 vmf->page = page; 458 459 return 0; 460 } 461 462 static const struct vm_operations_struct sel_mmap_policy_ops = { 463 .fault = sel_mmap_policy_fault, 464 .page_mkwrite = sel_mmap_policy_fault, 465 }; 466 467 static int sel_mmap_policy(struct file *filp, struct vm_area_struct *vma) 468 { 469 if (vma->vm_flags & VM_SHARED) { 470 /* do not allow mprotect to make mapping writable */ 471 vm_flags_clear(vma, VM_MAYWRITE); 472 473 if (vma->vm_flags & VM_WRITE) 474 return -EACCES; 475 } 476 477 vm_flags_set(vma, VM_DONTEXPAND | VM_DONTDUMP); 478 vma->vm_ops = &sel_mmap_policy_ops; 479 480 return 0; 481 } 482 483 static const struct file_operations sel_policy_ops = { 484 .open = sel_open_policy, 485 .read = sel_read_policy, 486 .mmap = sel_mmap_policy, 487 .release = sel_release_policy, 488 .llseek = generic_file_llseek, 489 }; 490 491 static void sel_remove_old_bool_data(unsigned int bool_num, char **bool_names, 492 int *bool_values) 493 { 494 u32 i; 495 496 /* bool_dir cleanup */ 497 for (i = 0; i < bool_num; i++) 498 kfree(bool_names[i]); 499 kfree(bool_names); 500 kfree(bool_values); 501 } 502 503 static int sel_make_policy_nodes(struct selinux_fs_info *fsi, 504 struct selinux_policy *newpolicy) 505 { 506 int ret = 0; 507 struct dentry *tmp_parent, *tmp_bool_dir, *tmp_class_dir; 508 struct renamedata rd = {}; 509 unsigned int bool_num = 0; 510 char **bool_names = NULL; 511 int *bool_values = NULL; 512 unsigned long tmp_ino = fsi->last_ino; /* Don't increment last_ino in this function */ 513 514 tmp_parent = sel_make_swapover_dir(fsi->sb, &tmp_ino); 515 if (IS_ERR(tmp_parent)) 516 return PTR_ERR(tmp_parent); 517 518 tmp_ino = fsi->bool_dir->d_inode->i_ino - 1; /* sel_make_dir will increment and set */ 519 tmp_bool_dir = sel_make_dir(tmp_parent, BOOL_DIR_NAME, &tmp_ino); 520 if (IS_ERR(tmp_bool_dir)) { 521 ret = PTR_ERR(tmp_bool_dir); 522 goto out; 523 } 524 525 tmp_ino = fsi->class_dir->d_inode->i_ino - 1; /* sel_make_dir will increment and set */ 526 tmp_class_dir = sel_make_dir(tmp_parent, CLASS_DIR_NAME, &tmp_ino); 527 if (IS_ERR(tmp_class_dir)) { 528 ret = PTR_ERR(tmp_class_dir); 529 goto out; 530 } 531 532 ret = sel_make_bools(newpolicy, tmp_bool_dir, &bool_num, 533 &bool_names, &bool_values); 534 if (ret) 535 goto out; 536 537 ret = sel_make_classes(newpolicy, tmp_class_dir, 538 &fsi->last_class_ino); 539 if (ret) 540 goto out; 541 542 rd.old_parent = tmp_parent; 543 rd.new_parent = fsi->sb->s_root; 544 545 /* booleans */ 546 ret = start_renaming_two_dentries(&rd, tmp_bool_dir, fsi->bool_dir); 547 if (ret) 548 goto out; 549 550 d_exchange(tmp_bool_dir, fsi->bool_dir); 551 552 swap(fsi->bool_num, bool_num); 553 swap(fsi->bool_pending_names, bool_names); 554 swap(fsi->bool_pending_values, bool_values); 555 556 fsi->bool_dir = tmp_bool_dir; 557 end_renaming(&rd); 558 559 /* classes */ 560 ret = start_renaming_two_dentries(&rd, tmp_class_dir, fsi->class_dir); 561 if (ret) 562 goto out; 563 564 d_exchange(tmp_class_dir, fsi->class_dir); 565 fsi->class_dir = tmp_class_dir; 566 567 end_renaming(&rd); 568 569 out: 570 sel_remove_old_bool_data(bool_num, bool_names, bool_values); 571 /* Since the other temporary dirs are children of tmp_parent 572 * this will handle all the cleanup in the case of a failure before 573 * the swapover 574 */ 575 simple_recursive_removal(tmp_parent, NULL); 576 577 return ret; 578 } 579 580 static ssize_t sel_write_load(struct file *file, const char __user *buf, 581 size_t count, loff_t *ppos) 582 583 { 584 struct selinux_fs_info *fsi; 585 struct selinux_load_state load_state; 586 ssize_t length; 587 void *data = NULL; 588 589 /* no partial writes */ 590 if (*ppos) 591 return -EINVAL; 592 /* no empty policies */ 593 if (!count) 594 return -EINVAL; 595 596 mutex_lock(&selinux_state.policy_mutex); 597 598 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 599 SECCLASS_SECURITY, SECURITY__LOAD_POLICY, NULL); 600 if (length) 601 goto out; 602 603 data = vmalloc(count); 604 if (!data) { 605 length = -ENOMEM; 606 goto out; 607 } 608 if (copy_from_user(data, buf, count) != 0) { 609 length = -EFAULT; 610 goto out; 611 } 612 613 length = security_load_policy(data, count, &load_state); 614 if (length) { 615 pr_warn_ratelimited("SELinux: failed to load policy\n"); 616 goto out; 617 } 618 fsi = file_inode(file)->i_sb->s_fs_info; 619 length = sel_make_policy_nodes(fsi, load_state.policy); 620 if (length) { 621 pr_warn_ratelimited("SELinux: failed to initialize selinuxfs\n"); 622 selinux_policy_cancel(&load_state); 623 goto out; 624 } 625 626 selinux_policy_commit(&load_state); 627 length = count; 628 audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_POLICY_LOAD, 629 "auid=%u ses=%u lsm=selinux res=1", 630 from_kuid(&init_user_ns, audit_get_loginuid(current)), 631 audit_get_sessionid(current)); 632 633 out: 634 mutex_unlock(&selinux_state.policy_mutex); 635 vfree(data); 636 return length; 637 } 638 639 static const struct file_operations sel_load_ops = { 640 .write = sel_write_load, 641 .llseek = generic_file_llseek, 642 }; 643 644 static ssize_t sel_write_context(struct file *file, char *buf, size_t size) 645 { 646 char *canon = NULL; 647 u32 sid, len; 648 ssize_t length; 649 650 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 651 SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, NULL); 652 if (length) 653 goto out; 654 655 length = security_context_to_sid(buf, size, &sid, GFP_KERNEL); 656 if (length) 657 goto out; 658 659 length = security_sid_to_context(sid, &canon, &len); 660 if (length) 661 goto out; 662 663 length = -ERANGE; 664 if (len > SIMPLE_TRANSACTION_LIMIT) { 665 pr_err("SELinux: %s: context size (%u) exceeds " 666 "payload max\n", __func__, len); 667 goto out; 668 } 669 670 memcpy(buf, canon, len); 671 length = len; 672 out: 673 kfree(canon); 674 return length; 675 } 676 677 static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf, 678 size_t count, loff_t *ppos) 679 { 680 char tmpbuf[TMPBUFLEN]; 681 ssize_t length; 682 683 length = scnprintf(tmpbuf, TMPBUFLEN, "%u", 684 checkreqprot_get()); 685 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 686 } 687 688 static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf, 689 size_t count, loff_t *ppos) 690 { 691 char *page; 692 ssize_t length; 693 unsigned int new_value; 694 695 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 696 SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, 697 NULL); 698 if (length) 699 return length; 700 701 if (count >= PAGE_SIZE) 702 return -ENOMEM; 703 704 /* No partial writes. */ 705 if (*ppos != 0) 706 return -EINVAL; 707 708 page = memdup_user_nul(buf, count); 709 if (IS_ERR(page)) 710 return PTR_ERR(page); 711 712 if (sscanf(page, "%u", &new_value) != 1) { 713 length = -EINVAL; 714 goto out; 715 } 716 length = count; 717 718 if (new_value) { 719 char comm[sizeof(current->comm)]; 720 721 strscpy(comm, current->comm); 722 pr_err("SELinux: %s (%d) set checkreqprot to 1. This is no longer supported.\n", 723 comm, current->pid); 724 } 725 726 selinux_ima_measure_state(); 727 728 out: 729 kfree(page); 730 return length; 731 } 732 static const struct file_operations sel_checkreqprot_ops = { 733 .read = sel_read_checkreqprot, 734 .write = sel_write_checkreqprot, 735 .llseek = generic_file_llseek, 736 }; 737 738 static ssize_t sel_write_validatetrans(struct file *file, 739 const char __user *buf, 740 size_t count, loff_t *ppos) 741 { 742 char *oldcon = NULL, *newcon = NULL, *taskcon = NULL; 743 char *req = NULL; 744 u32 osid, nsid, tsid; 745 u16 tclass; 746 int rc; 747 748 rc = avc_has_perm(current_sid(), SECINITSID_SECURITY, 749 SECCLASS_SECURITY, SECURITY__VALIDATE_TRANS, NULL); 750 if (rc) 751 goto out; 752 753 rc = -ENOMEM; 754 if (count >= PAGE_SIZE) 755 goto out; 756 757 /* No partial writes. */ 758 rc = -EINVAL; 759 if (*ppos != 0) 760 goto out; 761 762 req = memdup_user_nul(buf, count); 763 if (IS_ERR(req)) { 764 rc = PTR_ERR(req); 765 req = NULL; 766 goto out; 767 } 768 769 rc = -ENOMEM; 770 oldcon = kzalloc(count + 1, GFP_KERNEL); 771 if (!oldcon) 772 goto out; 773 774 newcon = kzalloc(count + 1, GFP_KERNEL); 775 if (!newcon) 776 goto out; 777 778 taskcon = kzalloc(count + 1, GFP_KERNEL); 779 if (!taskcon) 780 goto out; 781 782 rc = -EINVAL; 783 if (sscanf(req, "%s %s %hu %s", oldcon, newcon, &tclass, taskcon) != 4) 784 goto out; 785 786 rc = security_context_str_to_sid(oldcon, &osid, GFP_KERNEL); 787 if (rc) 788 goto out; 789 790 rc = security_context_str_to_sid(newcon, &nsid, GFP_KERNEL); 791 if (rc) 792 goto out; 793 794 rc = security_context_str_to_sid(taskcon, &tsid, GFP_KERNEL); 795 if (rc) 796 goto out; 797 798 rc = security_validate_transition_user(osid, nsid, tsid, tclass); 799 if (!rc) 800 rc = count; 801 out: 802 kfree(req); 803 kfree(oldcon); 804 kfree(newcon); 805 kfree(taskcon); 806 return rc; 807 } 808 809 static const struct file_operations sel_transition_ops = { 810 .write = sel_write_validatetrans, 811 .llseek = generic_file_llseek, 812 }; 813 814 /* 815 * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c 816 */ 817 static ssize_t sel_write_access(struct file *file, char *buf, size_t size); 818 static ssize_t sel_write_create(struct file *file, char *buf, size_t size); 819 static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size); 820 static ssize_t sel_write_user(struct file *file, char *buf, size_t size); 821 static ssize_t sel_write_member(struct file *file, char *buf, size_t size); 822 823 static ssize_t (*const write_op[])(struct file *, char *, size_t) = { 824 [SEL_ACCESS] = sel_write_access, 825 [SEL_CREATE] = sel_write_create, 826 [SEL_RELABEL] = sel_write_relabel, 827 [SEL_USER] = sel_write_user, 828 [SEL_MEMBER] = sel_write_member, 829 [SEL_CONTEXT] = sel_write_context, 830 }; 831 832 static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos) 833 { 834 ino_t ino = file_inode(file)->i_ino; 835 char *data; 836 ssize_t rv; 837 838 if (ino >= ARRAY_SIZE(write_op) || !write_op[ino]) 839 return -EINVAL; 840 841 data = simple_transaction_get(file, buf, size); 842 if (IS_ERR(data)) 843 return PTR_ERR(data); 844 845 rv = write_op[ino](file, data, size); 846 if (rv > 0) { 847 simple_transaction_set(file, rv); 848 rv = size; 849 } 850 return rv; 851 } 852 853 static const struct file_operations transaction_ops = { 854 .write = selinux_transaction_write, 855 .read = simple_transaction_read, 856 .release = simple_transaction_release, 857 .llseek = generic_file_llseek, 858 }; 859 860 /* 861 * payload - write methods 862 * If the method has a response, the response should be put in buf, 863 * and the length returned. Otherwise return 0 or and -error. 864 */ 865 866 static ssize_t sel_write_access(struct file *file, char *buf, size_t size) 867 { 868 char *scon = NULL, *tcon = NULL; 869 u32 ssid, tsid; 870 u16 tclass; 871 struct av_decision avd; 872 ssize_t length; 873 874 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 875 SECCLASS_SECURITY, SECURITY__COMPUTE_AV, NULL); 876 if (length) 877 goto out; 878 879 length = -ENOMEM; 880 scon = kzalloc(size + 1, GFP_KERNEL); 881 if (!scon) 882 goto out; 883 884 length = -ENOMEM; 885 tcon = kzalloc(size + 1, GFP_KERNEL); 886 if (!tcon) 887 goto out; 888 889 length = -EINVAL; 890 if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) 891 goto out; 892 893 length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL); 894 if (length) 895 goto out; 896 897 length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL); 898 if (length) 899 goto out; 900 901 security_compute_av_user(ssid, tsid, tclass, &avd); 902 903 length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT, 904 "%x %x %x %x %u %x", 905 avd.allowed, 0xffffffff, 906 avd.auditallow, avd.auditdeny, 907 avd.seqno, avd.flags); 908 out: 909 kfree(tcon); 910 kfree(scon); 911 return length; 912 } 913 914 static ssize_t sel_write_create(struct file *file, char *buf, size_t size) 915 { 916 char *scon = NULL, *tcon = NULL; 917 char *namebuf = NULL, *objname = NULL; 918 u32 ssid, tsid, newsid; 919 u16 tclass; 920 ssize_t length; 921 char *newcon = NULL; 922 u32 len; 923 int nargs; 924 925 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 926 SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, 927 NULL); 928 if (length) 929 goto out; 930 931 length = -ENOMEM; 932 scon = kzalloc(size + 1, GFP_KERNEL); 933 if (!scon) 934 goto out; 935 936 length = -ENOMEM; 937 tcon = kzalloc(size + 1, GFP_KERNEL); 938 if (!tcon) 939 goto out; 940 941 length = -ENOMEM; 942 namebuf = kzalloc(size + 1, GFP_KERNEL); 943 if (!namebuf) 944 goto out; 945 946 length = -EINVAL; 947 nargs = sscanf(buf, "%s %s %hu %s", scon, tcon, &tclass, namebuf); 948 if (nargs < 3 || nargs > 4) 949 goto out; 950 if (nargs == 4) { 951 /* 952 * If and when the name of new object to be queried contains 953 * either whitespace or multibyte characters, they shall be 954 * encoded based on the percentage-encoding rule. 955 * If not encoded, the sscanf logic picks up only left-half 956 * of the supplied name; split by a whitespace unexpectedly. 957 */ 958 char *r, *w; 959 int c1, c2; 960 961 r = w = namebuf; 962 do { 963 c1 = *r++; 964 if (c1 == '+') 965 c1 = ' '; 966 else if (c1 == '%') { 967 c1 = hex_to_bin(*r++); 968 if (c1 < 0) 969 goto out; 970 c2 = hex_to_bin(*r++); 971 if (c2 < 0) 972 goto out; 973 c1 = (c1 << 4) | c2; 974 } 975 *w++ = c1; 976 } while (c1 != '\0'); 977 978 objname = namebuf; 979 } 980 981 length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL); 982 if (length) 983 goto out; 984 985 length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL); 986 if (length) 987 goto out; 988 989 length = security_transition_sid_user(ssid, tsid, tclass, 990 objname, &newsid); 991 if (length) 992 goto out; 993 994 length = security_sid_to_context(newsid, &newcon, &len); 995 if (length) 996 goto out; 997 998 length = -ERANGE; 999 if (len > SIMPLE_TRANSACTION_LIMIT) { 1000 pr_err("SELinux: %s: context size (%u) exceeds " 1001 "payload max\n", __func__, len); 1002 goto out; 1003 } 1004 1005 memcpy(buf, newcon, len); 1006 length = len; 1007 out: 1008 kfree(newcon); 1009 kfree(namebuf); 1010 kfree(tcon); 1011 kfree(scon); 1012 return length; 1013 } 1014 1015 static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size) 1016 { 1017 char *scon = NULL, *tcon = NULL; 1018 u32 ssid, tsid, newsid; 1019 u16 tclass; 1020 ssize_t length; 1021 char *newcon = NULL; 1022 u32 len; 1023 1024 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 1025 SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, 1026 NULL); 1027 if (length) 1028 goto out; 1029 1030 length = -ENOMEM; 1031 scon = kzalloc(size + 1, GFP_KERNEL); 1032 if (!scon) 1033 goto out; 1034 1035 length = -ENOMEM; 1036 tcon = kzalloc(size + 1, GFP_KERNEL); 1037 if (!tcon) 1038 goto out; 1039 1040 length = -EINVAL; 1041 if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) 1042 goto out; 1043 1044 length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL); 1045 if (length) 1046 goto out; 1047 1048 length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL); 1049 if (length) 1050 goto out; 1051 1052 length = security_change_sid(ssid, tsid, tclass, &newsid); 1053 if (length) 1054 goto out; 1055 1056 length = security_sid_to_context(newsid, &newcon, &len); 1057 if (length) 1058 goto out; 1059 1060 length = -ERANGE; 1061 if (len > SIMPLE_TRANSACTION_LIMIT) 1062 goto out; 1063 1064 memcpy(buf, newcon, len); 1065 length = len; 1066 out: 1067 kfree(newcon); 1068 kfree(tcon); 1069 kfree(scon); 1070 return length; 1071 } 1072 1073 static ssize_t sel_write_user(struct file *file, char *buf, size_t size) 1074 { 1075 char *con = NULL, *user = NULL, *ptr; 1076 u32 sid, *sids = NULL; 1077 ssize_t length; 1078 char *newcon; 1079 int rc; 1080 u32 i, len, nsids; 1081 1082 pr_warn_ratelimited("SELinux: %s (%d) wrote to /sys/fs/selinux/user!" 1083 " This will not be supported in the future; please update your" 1084 " userspace.\n", current->comm, current->pid); 1085 ssleep(5); 1086 1087 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 1088 SECCLASS_SECURITY, SECURITY__COMPUTE_USER, 1089 NULL); 1090 if (length) 1091 goto out; 1092 1093 length = -ENOMEM; 1094 con = kzalloc(size + 1, GFP_KERNEL); 1095 if (!con) 1096 goto out; 1097 1098 length = -ENOMEM; 1099 user = kzalloc(size + 1, GFP_KERNEL); 1100 if (!user) 1101 goto out; 1102 1103 length = -EINVAL; 1104 if (sscanf(buf, "%s %s", con, user) != 2) 1105 goto out; 1106 1107 length = security_context_str_to_sid(con, &sid, GFP_KERNEL); 1108 if (length) 1109 goto out; 1110 1111 length = security_get_user_sids(sid, user, &sids, &nsids); 1112 if (length) 1113 goto out; 1114 1115 length = sprintf(buf, "%u", nsids) + 1; 1116 ptr = buf + length; 1117 for (i = 0; i < nsids; i++) { 1118 rc = security_sid_to_context(sids[i], &newcon, &len); 1119 if (rc) { 1120 length = rc; 1121 goto out; 1122 } 1123 if ((length + len) >= SIMPLE_TRANSACTION_LIMIT) { 1124 kfree(newcon); 1125 length = -ERANGE; 1126 goto out; 1127 } 1128 memcpy(ptr, newcon, len); 1129 kfree(newcon); 1130 ptr += len; 1131 length += len; 1132 } 1133 out: 1134 kfree(sids); 1135 kfree(user); 1136 kfree(con); 1137 return length; 1138 } 1139 1140 static ssize_t sel_write_member(struct file *file, char *buf, size_t size) 1141 { 1142 char *scon = NULL, *tcon = NULL; 1143 u32 ssid, tsid, newsid; 1144 u16 tclass; 1145 ssize_t length; 1146 char *newcon = NULL; 1147 u32 len; 1148 1149 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 1150 SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, 1151 NULL); 1152 if (length) 1153 goto out; 1154 1155 length = -ENOMEM; 1156 scon = kzalloc(size + 1, GFP_KERNEL); 1157 if (!scon) 1158 goto out; 1159 1160 length = -ENOMEM; 1161 tcon = kzalloc(size + 1, GFP_KERNEL); 1162 if (!tcon) 1163 goto out; 1164 1165 length = -EINVAL; 1166 if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) 1167 goto out; 1168 1169 length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL); 1170 if (length) 1171 goto out; 1172 1173 length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL); 1174 if (length) 1175 goto out; 1176 1177 length = security_member_sid(ssid, tsid, tclass, &newsid); 1178 if (length) 1179 goto out; 1180 1181 length = security_sid_to_context(newsid, &newcon, &len); 1182 if (length) 1183 goto out; 1184 1185 length = -ERANGE; 1186 if (len > SIMPLE_TRANSACTION_LIMIT) { 1187 pr_err("SELinux: %s: context size (%u) exceeds " 1188 "payload max\n", __func__, len); 1189 goto out; 1190 } 1191 1192 memcpy(buf, newcon, len); 1193 length = len; 1194 out: 1195 kfree(newcon); 1196 kfree(tcon); 1197 kfree(scon); 1198 return length; 1199 } 1200 1201 static struct inode *sel_make_inode(struct super_block *sb, umode_t mode) 1202 { 1203 struct inode *ret = new_inode(sb); 1204 1205 if (ret) { 1206 ret->i_mode = mode; 1207 simple_inode_init_ts(ret); 1208 } 1209 return ret; 1210 } 1211 1212 static struct dentry *sel_attach(struct dentry *parent, const char *name, 1213 struct inode *inode) 1214 { 1215 struct dentry *dentry = d_alloc_name(parent, name); 1216 if (unlikely(!dentry)) { 1217 iput(inode); 1218 return ERR_PTR(-ENOMEM); 1219 } 1220 d_make_persistent(dentry, inode); 1221 dput(dentry); 1222 return dentry; 1223 } 1224 1225 static int sel_attach_file(struct dentry *parent, const char *name, 1226 struct inode *inode) 1227 { 1228 struct dentry *dentry = sel_attach(parent, name, inode); 1229 return PTR_ERR_OR_ZERO(dentry); 1230 } 1231 1232 static ssize_t sel_read_bool(struct file *filep, char __user *buf, 1233 size_t count, loff_t *ppos) 1234 { 1235 struct selinux_fs_info *fsi = file_inode(filep)->i_sb->s_fs_info; 1236 char buffer[4]; 1237 ssize_t length; 1238 ssize_t ret; 1239 int cur_enforcing; 1240 unsigned index = file_inode(filep)->i_ino & SEL_INO_MASK; 1241 const char *name = filep->f_path.dentry->d_name.name; 1242 1243 mutex_lock(&selinux_state.policy_mutex); 1244 1245 ret = -EINVAL; 1246 if (index >= fsi->bool_num || strcmp(name, 1247 fsi->bool_pending_names[index])) 1248 goto out_unlock; 1249 1250 cur_enforcing = security_get_bool_value(index); 1251 if (cur_enforcing < 0) { 1252 ret = cur_enforcing; 1253 goto out_unlock; 1254 } 1255 length = scnprintf(buffer, sizeof(buffer), "%d %d", !!cur_enforcing, 1256 !!fsi->bool_pending_values[index]); 1257 mutex_unlock(&selinux_state.policy_mutex); 1258 return simple_read_from_buffer(buf, count, ppos, buffer, length); 1259 1260 out_unlock: 1261 mutex_unlock(&selinux_state.policy_mutex); 1262 return ret; 1263 } 1264 1265 static ssize_t sel_write_bool(struct file *filep, const char __user *buf, 1266 size_t count, loff_t *ppos) 1267 { 1268 struct selinux_fs_info *fsi = file_inode(filep)->i_sb->s_fs_info; 1269 char *page = NULL; 1270 ssize_t length; 1271 int new_value; 1272 unsigned index = file_inode(filep)->i_ino & SEL_INO_MASK; 1273 const char *name = filep->f_path.dentry->d_name.name; 1274 1275 if (count >= PAGE_SIZE) 1276 return -ENOMEM; 1277 1278 /* No partial writes. */ 1279 if (*ppos != 0) 1280 return -EINVAL; 1281 1282 page = memdup_user_nul(buf, count); 1283 if (IS_ERR(page)) 1284 return PTR_ERR(page); 1285 1286 mutex_lock(&selinux_state.policy_mutex); 1287 1288 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 1289 SECCLASS_SECURITY, SECURITY__SETBOOL, 1290 NULL); 1291 if (length) 1292 goto out; 1293 1294 length = -EINVAL; 1295 if (index >= fsi->bool_num || strcmp(name, 1296 fsi->bool_pending_names[index])) 1297 goto out; 1298 1299 length = -EINVAL; 1300 if (sscanf(page, "%d", &new_value) != 1) 1301 goto out; 1302 1303 if (new_value) 1304 new_value = 1; 1305 1306 fsi->bool_pending_values[index] = new_value; 1307 length = count; 1308 1309 out: 1310 mutex_unlock(&selinux_state.policy_mutex); 1311 kfree(page); 1312 return length; 1313 } 1314 1315 static const struct file_operations sel_bool_ops = { 1316 .read = sel_read_bool, 1317 .write = sel_write_bool, 1318 .llseek = generic_file_llseek, 1319 }; 1320 1321 static ssize_t sel_commit_bools_write(struct file *filep, 1322 const char __user *buf, 1323 size_t count, loff_t *ppos) 1324 { 1325 struct selinux_fs_info *fsi = file_inode(filep)->i_sb->s_fs_info; 1326 char *page = NULL; 1327 ssize_t length; 1328 int new_value; 1329 1330 if (count >= PAGE_SIZE) 1331 return -ENOMEM; 1332 1333 /* No partial writes. */ 1334 if (*ppos != 0) 1335 return -EINVAL; 1336 1337 page = memdup_user_nul(buf, count); 1338 if (IS_ERR(page)) 1339 return PTR_ERR(page); 1340 1341 mutex_lock(&selinux_state.policy_mutex); 1342 1343 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 1344 SECCLASS_SECURITY, SECURITY__SETBOOL, 1345 NULL); 1346 if (length) 1347 goto out; 1348 1349 length = -EINVAL; 1350 if (sscanf(page, "%d", &new_value) != 1) 1351 goto out; 1352 1353 length = 0; 1354 if (new_value && fsi->bool_pending_values) 1355 length = security_set_bools(fsi->bool_num, 1356 fsi->bool_pending_values); 1357 1358 if (!length) 1359 length = count; 1360 1361 out: 1362 mutex_unlock(&selinux_state.policy_mutex); 1363 kfree(page); 1364 return length; 1365 } 1366 1367 static const struct file_operations sel_commit_bools_ops = { 1368 .write = sel_commit_bools_write, 1369 .llseek = generic_file_llseek, 1370 }; 1371 1372 static int sel_make_bools(struct selinux_policy *newpolicy, struct dentry *bool_dir, 1373 unsigned int *bool_num, char ***bool_pending_names, 1374 int **bool_pending_values) 1375 { 1376 int ret; 1377 char **names, *page; 1378 u32 i, num; 1379 1380 page = (char *)get_zeroed_page(GFP_KERNEL); 1381 if (!page) 1382 return -ENOMEM; 1383 1384 ret = security_get_bools(newpolicy, &num, &names, bool_pending_values); 1385 if (ret) 1386 goto out; 1387 1388 *bool_num = num; 1389 *bool_pending_names = names; 1390 1391 for (i = 0; !ret && i < num; i++) { 1392 struct inode *inode; 1393 struct inode_security_struct *isec; 1394 ssize_t len; 1395 u32 sid; 1396 1397 len = snprintf(page, PAGE_SIZE, "/%s/%s", BOOL_DIR_NAME, names[i]); 1398 if (len >= PAGE_SIZE) { 1399 ret = -ENAMETOOLONG; 1400 break; 1401 } 1402 1403 inode = sel_make_inode(bool_dir->d_sb, S_IFREG | S_IRUGO | S_IWUSR); 1404 if (!inode) { 1405 ret = -ENOMEM; 1406 break; 1407 } 1408 1409 isec = selinux_inode(inode); 1410 ret = selinux_policy_genfs_sid(newpolicy, "selinuxfs", page, 1411 SECCLASS_FILE, &sid); 1412 if (ret) { 1413 pr_warn_ratelimited("SELinux: no sid found, defaulting to security isid for %s\n", 1414 page); 1415 sid = SECINITSID_SECURITY; 1416 } 1417 1418 isec->sid = sid; 1419 isec->initialized = LABEL_INITIALIZED; 1420 inode->i_fop = &sel_bool_ops; 1421 inode->i_ino = i|SEL_BOOL_INO_OFFSET; 1422 1423 ret = sel_attach_file(bool_dir, names[i], inode); 1424 } 1425 out: 1426 free_page((unsigned long)page); 1427 return ret; 1428 } 1429 1430 static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf, 1431 size_t count, loff_t *ppos) 1432 { 1433 char tmpbuf[TMPBUFLEN]; 1434 ssize_t length; 1435 1436 length = scnprintf(tmpbuf, TMPBUFLEN, "%u", 1437 avc_get_cache_threshold()); 1438 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 1439 } 1440 1441 static ssize_t sel_write_avc_cache_threshold(struct file *file, 1442 const char __user *buf, 1443 size_t count, loff_t *ppos) 1444 1445 { 1446 char *page; 1447 ssize_t ret; 1448 unsigned int new_value; 1449 1450 ret = avc_has_perm(current_sid(), SECINITSID_SECURITY, 1451 SECCLASS_SECURITY, SECURITY__SETSECPARAM, 1452 NULL); 1453 if (ret) 1454 return ret; 1455 1456 if (count >= PAGE_SIZE) 1457 return -ENOMEM; 1458 1459 /* No partial writes. */ 1460 if (*ppos != 0) 1461 return -EINVAL; 1462 1463 page = memdup_user_nul(buf, count); 1464 if (IS_ERR(page)) 1465 return PTR_ERR(page); 1466 1467 ret = -EINVAL; 1468 if (sscanf(page, "%u", &new_value) != 1) 1469 goto out; 1470 1471 avc_set_cache_threshold(new_value); 1472 1473 ret = count; 1474 out: 1475 kfree(page); 1476 return ret; 1477 } 1478 1479 static ssize_t sel_read_avc_hash_stats(struct file *filp, char __user *buf, 1480 size_t count, loff_t *ppos) 1481 { 1482 char *page; 1483 ssize_t length; 1484 1485 page = (char *)__get_free_page(GFP_KERNEL); 1486 if (!page) 1487 return -ENOMEM; 1488 1489 length = avc_get_hash_stats(page); 1490 if (length >= 0) 1491 length = simple_read_from_buffer(buf, count, ppos, page, length); 1492 free_page((unsigned long)page); 1493 1494 return length; 1495 } 1496 1497 static ssize_t sel_read_sidtab_hash_stats(struct file *filp, char __user *buf, 1498 size_t count, loff_t *ppos) 1499 { 1500 char *page; 1501 ssize_t length; 1502 1503 page = (char *)__get_free_page(GFP_KERNEL); 1504 if (!page) 1505 return -ENOMEM; 1506 1507 length = security_sidtab_hash_stats(page); 1508 if (length >= 0) 1509 length = simple_read_from_buffer(buf, count, ppos, page, 1510 length); 1511 free_page((unsigned long)page); 1512 1513 return length; 1514 } 1515 1516 static const struct file_operations sel_sidtab_hash_stats_ops = { 1517 .read = sel_read_sidtab_hash_stats, 1518 .llseek = generic_file_llseek, 1519 }; 1520 1521 static const struct file_operations sel_avc_cache_threshold_ops = { 1522 .read = sel_read_avc_cache_threshold, 1523 .write = sel_write_avc_cache_threshold, 1524 .llseek = generic_file_llseek, 1525 }; 1526 1527 static const struct file_operations sel_avc_hash_stats_ops = { 1528 .read = sel_read_avc_hash_stats, 1529 .llseek = generic_file_llseek, 1530 }; 1531 1532 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS 1533 static struct avc_cache_stats *sel_avc_get_stat_idx(loff_t *idx) 1534 { 1535 loff_t cpu; 1536 1537 for (cpu = *idx; cpu < nr_cpu_ids; ++cpu) { 1538 if (!cpu_possible(cpu)) 1539 continue; 1540 *idx = cpu + 1; 1541 return &per_cpu(avc_cache_stats, cpu); 1542 } 1543 (*idx)++; 1544 return NULL; 1545 } 1546 1547 static void *sel_avc_stats_seq_start(struct seq_file *seq, loff_t *pos) 1548 { 1549 loff_t n = *pos - 1; 1550 1551 if (*pos == 0) 1552 return SEQ_START_TOKEN; 1553 1554 return sel_avc_get_stat_idx(&n); 1555 } 1556 1557 static void *sel_avc_stats_seq_next(struct seq_file *seq, void *v, loff_t *pos) 1558 { 1559 return sel_avc_get_stat_idx(pos); 1560 } 1561 1562 static int sel_avc_stats_seq_show(struct seq_file *seq, void *v) 1563 { 1564 struct avc_cache_stats *st = v; 1565 1566 if (v == SEQ_START_TOKEN) { 1567 seq_puts(seq, 1568 "lookups hits misses allocations reclaims frees\n"); 1569 } else { 1570 unsigned int lookups = st->lookups; 1571 unsigned int misses = st->misses; 1572 unsigned int hits = lookups - misses; 1573 seq_printf(seq, "%u %u %u %u %u %u\n", lookups, 1574 hits, misses, st->allocations, 1575 st->reclaims, st->frees); 1576 } 1577 return 0; 1578 } 1579 1580 static void sel_avc_stats_seq_stop(struct seq_file *seq, void *v) 1581 { } 1582 1583 static const struct seq_operations sel_avc_cache_stats_seq_ops = { 1584 .start = sel_avc_stats_seq_start, 1585 .next = sel_avc_stats_seq_next, 1586 .show = sel_avc_stats_seq_show, 1587 .stop = sel_avc_stats_seq_stop, 1588 }; 1589 1590 static int sel_open_avc_cache_stats(struct inode *inode, struct file *file) 1591 { 1592 return seq_open(file, &sel_avc_cache_stats_seq_ops); 1593 } 1594 1595 static const struct file_operations sel_avc_cache_stats_ops = { 1596 .open = sel_open_avc_cache_stats, 1597 .read = seq_read, 1598 .llseek = seq_lseek, 1599 .release = seq_release, 1600 }; 1601 #endif 1602 1603 static int sel_make_avc_files(struct dentry *dir) 1604 { 1605 struct super_block *sb = dir->d_sb; 1606 struct selinux_fs_info *fsi = sb->s_fs_info; 1607 unsigned int i; 1608 int err = 0; 1609 static const struct tree_descr files[] = { 1610 { "cache_threshold", 1611 &sel_avc_cache_threshold_ops, S_IRUGO|S_IWUSR }, 1612 { "hash_stats", &sel_avc_hash_stats_ops, S_IRUGO }, 1613 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS 1614 { "cache_stats", &sel_avc_cache_stats_ops, S_IRUGO }, 1615 #endif 1616 }; 1617 1618 for (i = 0; !err && i < ARRAY_SIZE(files); i++) { 1619 struct inode *inode; 1620 1621 inode = sel_make_inode(dir->d_sb, S_IFREG|files[i].mode); 1622 if (!inode) 1623 return -ENOMEM; 1624 1625 inode->i_fop = files[i].ops; 1626 inode->i_ino = ++fsi->last_ino; 1627 1628 err = sel_attach_file(dir, files[i].name, inode); 1629 } 1630 1631 return err; 1632 } 1633 1634 static int sel_make_ss_files(struct dentry *dir) 1635 { 1636 struct super_block *sb = dir->d_sb; 1637 struct selinux_fs_info *fsi = sb->s_fs_info; 1638 unsigned int i; 1639 int err = 0; 1640 static const struct tree_descr files[] = { 1641 { "sidtab_hash_stats", &sel_sidtab_hash_stats_ops, S_IRUGO }, 1642 }; 1643 1644 for (i = 0; !err && i < ARRAY_SIZE(files); i++) { 1645 struct inode *inode; 1646 1647 inode = sel_make_inode(dir->d_sb, S_IFREG|files[i].mode); 1648 if (!inode) 1649 return -ENOMEM; 1650 1651 inode->i_fop = files[i].ops; 1652 inode->i_ino = ++fsi->last_ino; 1653 1654 err = sel_attach_file(dir, files[i].name, inode); 1655 } 1656 1657 return err; 1658 } 1659 1660 static ssize_t sel_read_initcon(struct file *file, char __user *buf, 1661 size_t count, loff_t *ppos) 1662 { 1663 char *con; 1664 u32 sid, len; 1665 ssize_t ret; 1666 1667 sid = file_inode(file)->i_ino&SEL_INO_MASK; 1668 ret = security_sid_to_context(sid, &con, &len); 1669 if (ret) 1670 return ret; 1671 1672 ret = simple_read_from_buffer(buf, count, ppos, con, len); 1673 kfree(con); 1674 return ret; 1675 } 1676 1677 static const struct file_operations sel_initcon_ops = { 1678 .read = sel_read_initcon, 1679 .llseek = generic_file_llseek, 1680 }; 1681 1682 static int sel_make_initcon_files(struct dentry *dir) 1683 { 1684 unsigned int i; 1685 int err = 0; 1686 1687 for (i = 1; !err && i <= SECINITSID_NUM; i++) { 1688 const char *s = security_get_initial_sid_context(i); 1689 struct inode *inode; 1690 1691 if (!s) 1692 continue; 1693 1694 inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO); 1695 if (!inode) 1696 return -ENOMEM; 1697 1698 inode->i_fop = &sel_initcon_ops; 1699 inode->i_ino = i|SEL_INITCON_INO_OFFSET; 1700 err = sel_attach_file(dir, s, inode); 1701 } 1702 1703 return err; 1704 } 1705 1706 static inline unsigned long sel_class_to_ino(u16 class) 1707 { 1708 return (class * (SEL_VEC_MAX + 1)) | SEL_CLASS_INO_OFFSET; 1709 } 1710 1711 static inline u16 sel_ino_to_class(unsigned long ino) 1712 { 1713 return (ino & SEL_INO_MASK) / (SEL_VEC_MAX + 1); 1714 } 1715 1716 static inline unsigned long sel_perm_to_ino(u16 class, u32 perm) 1717 { 1718 return (class * (SEL_VEC_MAX + 1) + perm) | SEL_CLASS_INO_OFFSET; 1719 } 1720 1721 static inline u32 sel_ino_to_perm(unsigned long ino) 1722 { 1723 return (ino & SEL_INO_MASK) % (SEL_VEC_MAX + 1); 1724 } 1725 1726 static ssize_t sel_read_class(struct file *file, char __user *buf, 1727 size_t count, loff_t *ppos) 1728 { 1729 unsigned long ino = file_inode(file)->i_ino; 1730 char res[TMPBUFLEN]; 1731 ssize_t len = scnprintf(res, sizeof(res), "%d", sel_ino_to_class(ino)); 1732 return simple_read_from_buffer(buf, count, ppos, res, len); 1733 } 1734 1735 static const struct file_operations sel_class_ops = { 1736 .read = sel_read_class, 1737 .llseek = generic_file_llseek, 1738 }; 1739 1740 static ssize_t sel_read_perm(struct file *file, char __user *buf, 1741 size_t count, loff_t *ppos) 1742 { 1743 unsigned long ino = file_inode(file)->i_ino; 1744 char res[TMPBUFLEN]; 1745 ssize_t len = scnprintf(res, sizeof(res), "%d", sel_ino_to_perm(ino)); 1746 return simple_read_from_buffer(buf, count, ppos, res, len); 1747 } 1748 1749 static const struct file_operations sel_perm_ops = { 1750 .read = sel_read_perm, 1751 .llseek = generic_file_llseek, 1752 }; 1753 1754 static ssize_t sel_read_policycap(struct file *file, char __user *buf, 1755 size_t count, loff_t *ppos) 1756 { 1757 int value; 1758 char tmpbuf[TMPBUFLEN]; 1759 ssize_t length; 1760 unsigned long i_ino = file_inode(file)->i_ino; 1761 1762 value = security_policycap_supported(i_ino & SEL_INO_MASK); 1763 length = scnprintf(tmpbuf, TMPBUFLEN, "%d", value); 1764 1765 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 1766 } 1767 1768 static const struct file_operations sel_policycap_ops = { 1769 .read = sel_read_policycap, 1770 .llseek = generic_file_llseek, 1771 }; 1772 1773 static int sel_make_perm_files(struct selinux_policy *newpolicy, 1774 char *objclass, int classvalue, 1775 struct dentry *dir) 1776 { 1777 u32 i, nperms; 1778 int rc; 1779 char **perms; 1780 1781 rc = security_get_permissions(newpolicy, objclass, &perms, &nperms); 1782 if (rc) 1783 return rc; 1784 1785 for (i = 0; !rc && i < nperms; i++) { 1786 struct inode *inode; 1787 1788 inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO); 1789 if (!inode) { 1790 rc = -ENOMEM; 1791 break; 1792 } 1793 1794 inode->i_fop = &sel_perm_ops; 1795 /* i+1 since perm values are 1-indexed */ 1796 inode->i_ino = sel_perm_to_ino(classvalue, i + 1); 1797 1798 rc = sel_attach_file(dir, perms[i], inode); 1799 } 1800 for (i = 0; i < nperms; i++) 1801 kfree(perms[i]); 1802 kfree(perms); 1803 return rc; 1804 } 1805 1806 static int sel_make_class_dir_entries(struct selinux_policy *newpolicy, 1807 char *classname, int index, 1808 struct dentry *dir) 1809 { 1810 struct super_block *sb = dir->d_sb; 1811 struct selinux_fs_info *fsi = sb->s_fs_info; 1812 struct dentry *dentry = NULL; 1813 struct inode *inode = NULL; 1814 int err; 1815 1816 inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO); 1817 if (!inode) 1818 return -ENOMEM; 1819 1820 inode->i_fop = &sel_class_ops; 1821 inode->i_ino = sel_class_to_ino(index); 1822 1823 err = sel_attach_file(dir, "index", inode); 1824 if (err) 1825 return err; 1826 1827 dentry = sel_make_dir(dir, "perms", &fsi->last_class_ino); 1828 if (IS_ERR(dentry)) 1829 return PTR_ERR(dentry); 1830 1831 return sel_make_perm_files(newpolicy, classname, index, dentry); 1832 } 1833 1834 static int sel_make_classes(struct selinux_policy *newpolicy, 1835 struct dentry *class_dir, 1836 unsigned long *last_class_ino) 1837 { 1838 u32 i, nclasses; 1839 int rc; 1840 char **classes; 1841 1842 rc = security_get_classes(newpolicy, &classes, &nclasses); 1843 if (rc) 1844 return rc; 1845 1846 /* +2 since classes are 1-indexed */ 1847 *last_class_ino = sel_class_to_ino(nclasses + 2); 1848 1849 for (i = 0; i < nclasses; i++) { 1850 struct dentry *class_name_dir; 1851 1852 class_name_dir = sel_make_dir(class_dir, classes[i], 1853 last_class_ino); 1854 if (IS_ERR(class_name_dir)) { 1855 rc = PTR_ERR(class_name_dir); 1856 goto out; 1857 } 1858 1859 /* i+1 since class values are 1-indexed */ 1860 rc = sel_make_class_dir_entries(newpolicy, classes[i], i + 1, 1861 class_name_dir); 1862 if (rc) 1863 goto out; 1864 } 1865 rc = 0; 1866 out: 1867 for (i = 0; i < nclasses; i++) 1868 kfree(classes[i]); 1869 kfree(classes); 1870 return rc; 1871 } 1872 1873 static int sel_make_policycap(struct dentry *dir) 1874 { 1875 struct super_block *sb = dir->d_sb; 1876 unsigned int iter; 1877 struct inode *inode = NULL; 1878 int err = 0; 1879 1880 for (iter = 0; !err && iter <= POLICYDB_CAP_MAX; iter++) { 1881 const char *name; 1882 1883 if (iter < ARRAY_SIZE(selinux_policycap_names)) 1884 name = selinux_policycap_names[iter]; 1885 else 1886 name = "unknown"; 1887 1888 inode = sel_make_inode(sb, S_IFREG | 0444); 1889 if (!inode) 1890 return -ENOMEM; 1891 1892 inode->i_fop = &sel_policycap_ops; 1893 inode->i_ino = iter | SEL_POLICYCAP_INO_OFFSET; 1894 err = sel_attach_file(dir, name, inode); 1895 } 1896 1897 return err; 1898 } 1899 1900 static struct dentry *sel_make_dir(struct dentry *dir, const char *name, 1901 unsigned long *ino) 1902 { 1903 struct inode *inode; 1904 1905 inode = sel_make_inode(dir->d_sb, S_IFDIR | S_IRUGO | S_IXUGO); 1906 if (!inode) 1907 return ERR_PTR(-ENOMEM); 1908 1909 inode->i_op = &simple_dir_inode_operations; 1910 inode->i_fop = &simple_dir_operations; 1911 inode->i_ino = ++(*ino); 1912 /* directory inodes start off with i_nlink == 2 (for "." entry) */ 1913 inc_nlink(inode); 1914 /* bump link count on parent directory, too */ 1915 inc_nlink(d_inode(dir)); 1916 1917 return sel_attach(dir, name, inode); 1918 } 1919 1920 static int reject_all(struct mnt_idmap *idmap, struct inode *inode, int mask) 1921 { 1922 return -EPERM; // no access for anyone, root or no root. 1923 } 1924 1925 static const struct inode_operations swapover_dir_inode_operations = { 1926 .lookup = simple_lookup, 1927 .permission = reject_all, 1928 }; 1929 1930 static struct dentry *sel_make_swapover_dir(struct super_block *sb, 1931 unsigned long *ino) 1932 { 1933 struct dentry *dentry = d_alloc_name(sb->s_root, ".swapover"); 1934 struct inode *inode; 1935 1936 if (!dentry) 1937 return ERR_PTR(-ENOMEM); 1938 1939 inode = sel_make_inode(sb, S_IFDIR); 1940 if (!inode) { 1941 dput(dentry); 1942 return ERR_PTR(-ENOMEM); 1943 } 1944 1945 inode->i_op = &swapover_dir_inode_operations; 1946 inode->i_ino = ++(*ino); 1947 /* directory inodes start off with i_nlink == 2 (for "." entry) */ 1948 inc_nlink(inode); 1949 inode_lock(sb->s_root->d_inode); 1950 d_make_persistent(dentry, inode); 1951 inc_nlink(sb->s_root->d_inode); 1952 inode_unlock(sb->s_root->d_inode); 1953 dput(dentry); 1954 return dentry; // borrowed 1955 } 1956 1957 #define NULL_FILE_NAME "null" 1958 1959 static int sel_fill_super(struct super_block *sb, struct fs_context *fc) 1960 { 1961 struct selinux_fs_info *fsi; 1962 int ret; 1963 struct dentry *dentry; 1964 struct inode *inode; 1965 struct inode_security_struct *isec; 1966 1967 static const struct tree_descr selinux_files[] = { 1968 [SEL_LOAD] = {"load", &sel_load_ops, S_IRUSR|S_IWUSR}, 1969 [SEL_ENFORCE] = {"enforce", &sel_enforce_ops, S_IRUGO|S_IWUSR}, 1970 [SEL_CONTEXT] = {"context", &transaction_ops, S_IRUGO|S_IWUGO}, 1971 [SEL_ACCESS] = {"access", &transaction_ops, S_IRUGO|S_IWUGO}, 1972 [SEL_CREATE] = {"create", &transaction_ops, S_IRUGO|S_IWUGO}, 1973 [SEL_RELABEL] = {"relabel", &transaction_ops, S_IRUGO|S_IWUGO}, 1974 [SEL_USER] = {"user", &transaction_ops, S_IRUGO|S_IWUGO}, 1975 [SEL_POLICYVERS] = {"policyvers", &sel_policyvers_ops, S_IRUGO}, 1976 [SEL_COMMIT_BOOLS] = {"commit_pending_bools", &sel_commit_bools_ops, S_IWUSR}, 1977 [SEL_MLS] = {"mls", &sel_mls_ops, S_IRUGO}, 1978 [SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR}, 1979 [SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO|S_IWUGO}, 1980 [SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO|S_IWUSR}, 1981 [SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO}, 1982 [SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO}, 1983 [SEL_STATUS] = {"status", &sel_handle_status_ops, S_IRUGO}, 1984 [SEL_POLICY] = {"policy", &sel_policy_ops, S_IRUGO}, 1985 [SEL_VALIDATE_TRANS] = {"validatetrans", &sel_transition_ops, 1986 S_IWUGO}, 1987 /* last one */ {"", NULL, 0} 1988 }; 1989 1990 ret = selinux_fs_info_create(sb); 1991 if (ret) 1992 goto err; 1993 1994 ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files); 1995 if (ret) 1996 goto err; 1997 1998 fsi = sb->s_fs_info; 1999 fsi->bool_dir = sel_make_dir(sb->s_root, BOOL_DIR_NAME, &fsi->last_ino); 2000 if (IS_ERR(fsi->bool_dir)) { 2001 ret = PTR_ERR(fsi->bool_dir); 2002 fsi->bool_dir = NULL; 2003 goto err; 2004 } 2005 2006 ret = -ENOMEM; 2007 inode = sel_make_inode(sb, S_IFCHR | S_IRUGO | S_IWUGO); 2008 if (!inode) 2009 goto err; 2010 2011 inode->i_ino = ++fsi->last_ino; 2012 isec = selinux_inode(inode); 2013 isec->sid = SECINITSID_DEVNULL; 2014 isec->sclass = SECCLASS_CHR_FILE; 2015 isec->initialized = LABEL_INITIALIZED; 2016 2017 init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, MKDEV(MEM_MAJOR, 3)); 2018 ret = sel_attach_file(sb->s_root, NULL_FILE_NAME, inode); 2019 if (ret) 2020 goto err; 2021 2022 dentry = sel_make_dir(sb->s_root, "avc", &fsi->last_ino); 2023 if (IS_ERR(dentry)) { 2024 ret = PTR_ERR(dentry); 2025 goto err; 2026 } 2027 2028 ret = sel_make_avc_files(dentry); 2029 if (ret) 2030 goto err; 2031 2032 dentry = sel_make_dir(sb->s_root, "ss", &fsi->last_ino); 2033 if (IS_ERR(dentry)) { 2034 ret = PTR_ERR(dentry); 2035 goto err; 2036 } 2037 2038 ret = sel_make_ss_files(dentry); 2039 if (ret) 2040 goto err; 2041 2042 dentry = sel_make_dir(sb->s_root, "initial_contexts", &fsi->last_ino); 2043 if (IS_ERR(dentry)) { 2044 ret = PTR_ERR(dentry); 2045 goto err; 2046 } 2047 2048 ret = sel_make_initcon_files(dentry); 2049 if (ret) 2050 goto err; 2051 2052 fsi->class_dir = sel_make_dir(sb->s_root, CLASS_DIR_NAME, &fsi->last_ino); 2053 if (IS_ERR(fsi->class_dir)) { 2054 ret = PTR_ERR(fsi->class_dir); 2055 fsi->class_dir = NULL; 2056 goto err; 2057 } 2058 2059 dentry = sel_make_dir(sb->s_root, "policy_capabilities", &fsi->last_ino); 2060 if (IS_ERR(dentry)) { 2061 ret = PTR_ERR(dentry); 2062 goto err; 2063 } 2064 2065 ret = sel_make_policycap(dentry); 2066 if (ret) { 2067 pr_err("SELinux: failed to load policy capabilities\n"); 2068 goto err; 2069 } 2070 2071 return 0; 2072 err: 2073 pr_err("SELinux: %s: failed while creating inodes\n", 2074 __func__); 2075 2076 return ret; 2077 } 2078 2079 static int sel_get_tree(struct fs_context *fc) 2080 { 2081 return get_tree_single(fc, sel_fill_super); 2082 } 2083 2084 static const struct fs_context_operations sel_context_ops = { 2085 .get_tree = sel_get_tree, 2086 }; 2087 2088 static int sel_init_fs_context(struct fs_context *fc) 2089 { 2090 fc->ops = &sel_context_ops; 2091 return 0; 2092 } 2093 2094 static void sel_kill_sb(struct super_block *sb) 2095 { 2096 selinux_fs_info_free(sb); 2097 kill_anon_super(sb); 2098 } 2099 2100 static struct file_system_type sel_fs_type = { 2101 .name = "selinuxfs", 2102 .init_fs_context = sel_init_fs_context, 2103 .kill_sb = sel_kill_sb, 2104 }; 2105 2106 struct path selinux_null __ro_after_init; 2107 2108 int __init init_sel_fs(void) 2109 { 2110 struct qstr null_name = QSTR_INIT(NULL_FILE_NAME, 2111 sizeof(NULL_FILE_NAME)-1); 2112 int err; 2113 2114 if (!selinux_enabled_boot) 2115 return 0; 2116 2117 err = sysfs_create_mount_point(fs_kobj, "selinux"); 2118 if (err) 2119 return err; 2120 2121 err = register_filesystem(&sel_fs_type); 2122 if (err) { 2123 sysfs_remove_mount_point(fs_kobj, "selinux"); 2124 return err; 2125 } 2126 2127 selinux_null.mnt = kern_mount(&sel_fs_type); 2128 if (IS_ERR(selinux_null.mnt)) { 2129 pr_err("selinuxfs: could not mount!\n"); 2130 err = PTR_ERR(selinux_null.mnt); 2131 selinux_null.mnt = NULL; 2132 return err; 2133 } 2134 2135 selinux_null.dentry = try_lookup_noperm(&null_name, 2136 selinux_null.mnt->mnt_root); 2137 if (IS_ERR(selinux_null.dentry)) { 2138 pr_err("selinuxfs: could not lookup null!\n"); 2139 err = PTR_ERR(selinux_null.dentry); 2140 selinux_null.dentry = NULL; 2141 return err; 2142 } 2143 2144 /* 2145 * Try to pre-allocate the status page, so the sequence number of the 2146 * initial policy load can be stored. 2147 */ 2148 (void) selinux_kernel_status_page(); 2149 2150 return err; 2151 } 2152