hooks.c (817199e006e514e6c39a17ed2e9fece1bd56b898) | hooks.c (d80a8f1b58c2bc8d7c6bfb65401ea4f7ec8cddc2) |
1// SPDX-License-Identifier: GPL-2.0-only 2/* | 1// SPDX-License-Identifier: GPL-2.0-only 2/* |
3 * Security-Enhanced Linux (SELinux) security module | 3 * NSA Security-Enhanced Linux (SELinux) security module |
4 * 5 * This file contains the SELinux hook function implementations. 6 * | 4 * 5 * This file contains the SELinux hook function implementations. 6 * |
7 * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com> | 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> |
8 * Chris Vance, <cvance@nai.com> 9 * Wayne Salamon, <wsalamon@nai.com> 10 * James Morris <jmorris@redhat.com> 11 * 12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 14 * Eric Paris <eparis@redhat.com> 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. --- 203 unchanged lines hidden (view full) --- 219static inline u32 cred_sid(const struct cred *cred) 220{ 221 const struct task_security_struct *tsec; 222 223 tsec = selinux_cred(cred); 224 return tsec->sid; 225} 226 | 8 * Chris Vance, <cvance@nai.com> 9 * Wayne Salamon, <wsalamon@nai.com> 10 * James Morris <jmorris@redhat.com> 11 * 12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 14 * Eric Paris <eparis@redhat.com> 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. --- 203 unchanged lines hidden (view full) --- 219static inline u32 cred_sid(const struct cred *cred) 220{ 221 const struct task_security_struct *tsec; 222 223 tsec = selinux_cred(cred); 224 return tsec->sid; 225} 226 |
227static void __ad_net_init(struct common_audit_data *ad, 228 struct lsm_network_audit *net, 229 int ifindex, struct sock *sk, u16 family) 230{ 231 ad->type = LSM_AUDIT_DATA_NET; 232 ad->u.net = net; 233 net->netif = ifindex; 234 net->sk = sk; 235 net->family = family; 236} 237 238static void ad_net_init_from_sk(struct common_audit_data *ad, 239 struct lsm_network_audit *net, 240 struct sock *sk) 241{ 242 __ad_net_init(ad, net, 0, sk, 0); 243} 244 245static void ad_net_init_from_iif(struct common_audit_data *ad, 246 struct lsm_network_audit *net, 247 int ifindex, u16 family) 248{ 249 __ad_net_init(ad, net, ifindex, NULL, family); 250} 251 | |
252/* 253 * get the objective security ID of a task 254 */ 255static inline u32 task_sid_obj(const struct task_struct *task) 256{ 257 u32 sid; 258 259 rcu_read_lock(); --- 885 unchanged lines hidden (view full) --- 1145 1146static inline int default_protocol_dgram(int protocol) 1147{ 1148 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1149} 1150 1151static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1152{ | 227/* 228 * get the objective security ID of a task 229 */ 230static inline u32 task_sid_obj(const struct task_struct *task) 231{ 232 u32 sid; 233 234 rcu_read_lock(); --- 885 unchanged lines hidden (view full) --- 1120 1121static inline int default_protocol_dgram(int protocol) 1122{ 1123 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1124} 1125 1126static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1127{ |
1153 bool extsockclass = selinux_policycap_extsockclass(); | 1128 int extsockclass = selinux_policycap_extsockclass(); |
1154 1155 switch (family) { 1156 case PF_UNIX: 1157 switch (type) { 1158 case SOCK_STREAM: 1159 case SOCK_SEQPACKET: 1160 return SECCLASS_UNIX_STREAM_SOCKET; 1161 case SOCK_DGRAM: --- 1603 unchanged lines hidden (view full) --- 2765static int selinux_umount(struct vfsmount *mnt, int flags) 2766{ 2767 const struct cred *cred = current_cred(); 2768 2769 return superblock_has_perm(cred, mnt->mnt_sb, 2770 FILESYSTEM__UNMOUNT, NULL); 2771} 2772 | 1129 1130 switch (family) { 1131 case PF_UNIX: 1132 switch (type) { 1133 case SOCK_STREAM: 1134 case SOCK_SEQPACKET: 1135 return SECCLASS_UNIX_STREAM_SOCKET; 1136 case SOCK_DGRAM: --- 1603 unchanged lines hidden (view full) --- 2740static int selinux_umount(struct vfsmount *mnt, int flags) 2741{ 2742 const struct cred *cred = current_cred(); 2743 2744 return superblock_has_perm(cred, mnt->mnt_sb, 2745 FILESYSTEM__UNMOUNT, NULL); 2746} 2747 |
2748static int selinux_fs_context_submount(struct fs_context *fc, 2749 struct super_block *reference) 2750{ 2751 const struct superblock_security_struct *sbsec; 2752 struct selinux_mnt_opts *opts; 2753 2754 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 2755 if (!opts) 2756 return -ENOMEM; 2757 2758 sbsec = selinux_superblock(reference); 2759 if (sbsec->flags & FSCONTEXT_MNT) 2760 opts->fscontext_sid = sbsec->sid; 2761 if (sbsec->flags & CONTEXT_MNT) 2762 opts->context_sid = sbsec->mntpoint_sid; 2763 if (sbsec->flags & DEFCONTEXT_MNT) 2764 opts->defcontext_sid = sbsec->def_sid; 2765 fc->security = opts; 2766 return 0; 2767} 2768 |
|
2773static int selinux_fs_context_dup(struct fs_context *fc, 2774 struct fs_context *src_fc) 2775{ 2776 const struct selinux_mnt_opts *src = src_fc->security; 2777 2778 if (!src) 2779 return 0; 2780 --- 156 unchanged lines hidden (view full) --- 2937 * been initialized via inode_alloc_security but is otherwise 2938 * untouched. 2939 */ 2940 2941 if (context_inode) { 2942 struct inode_security_struct *context_isec = 2943 selinux_inode(context_inode); 2944 if (context_isec->initialized != LABEL_INITIALIZED) { | 2769static int selinux_fs_context_dup(struct fs_context *fc, 2770 struct fs_context *src_fc) 2771{ 2772 const struct selinux_mnt_opts *src = src_fc->security; 2773 2774 if (!src) 2775 return 0; 2776 --- 156 unchanged lines hidden (view full) --- 2933 * been initialized via inode_alloc_security but is otherwise 2934 * untouched. 2935 */ 2936 2937 if (context_inode) { 2938 struct inode_security_struct *context_isec = 2939 selinux_inode(context_inode); 2940 if (context_isec->initialized != LABEL_INITIALIZED) { |
2945 pr_err("SELinux: context_inode is not initialized\n"); | 2941 pr_err("SELinux: context_inode is not initialized"); |
2946 return -EACCES; 2947 } 2948 2949 isec->sclass = context_isec->sclass; 2950 isec->sid = context_isec->sid; 2951 } else { 2952 isec->sclass = SECCLASS_ANON_INODE; 2953 rc = security_transition_sid( --- 1565 unchanged lines hidden (view full) --- 4519 return security_transition_sid(tsec->sid, tsec->sid, 4520 secclass, NULL, socksid); 4521} 4522 4523static int sock_has_perm(struct sock *sk, u32 perms) 4524{ 4525 struct sk_security_struct *sksec = sk->sk_security; 4526 struct common_audit_data ad; | 2942 return -EACCES; 2943 } 2944 2945 isec->sclass = context_isec->sclass; 2946 isec->sid = context_isec->sid; 2947 } else { 2948 isec->sclass = SECCLASS_ANON_INODE; 2949 rc = security_transition_sid( --- 1565 unchanged lines hidden (view full) --- 4515 return security_transition_sid(tsec->sid, tsec->sid, 4516 secclass, NULL, socksid); 4517} 4518 4519static int sock_has_perm(struct sock *sk, u32 perms) 4520{ 4521 struct sk_security_struct *sksec = sk->sk_security; 4522 struct common_audit_data ad; |
4527 struct lsm_network_audit net; | 4523 struct lsm_network_audit net = {0,}; |
4528 4529 if (sksec->sid == SECINITSID_KERNEL) 4530 return 0; 4531 | 4524 4525 if (sksec->sid == SECINITSID_KERNEL) 4526 return 0; 4527 |
4532 ad_net_init_from_sk(&ad, &net, sk); | 4528 ad.type = LSM_AUDIT_DATA_NET; 4529 ad.u.net = &net; 4530 ad.u.net->sk = sk; |
4533 4534 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4535 &ad); 4536} 4537 4538static int selinux_socket_create(int family, int type, 4539 int protocol, int kern) 4540{ --- 376 unchanged lines hidden (view full) --- 4917static int selinux_socket_unix_stream_connect(struct sock *sock, 4918 struct sock *other, 4919 struct sock *newsk) 4920{ 4921 struct sk_security_struct *sksec_sock = sock->sk_security; 4922 struct sk_security_struct *sksec_other = other->sk_security; 4923 struct sk_security_struct *sksec_new = newsk->sk_security; 4924 struct common_audit_data ad; | 4531 4532 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4533 &ad); 4534} 4535 4536static int selinux_socket_create(int family, int type, 4537 int protocol, int kern) 4538{ --- 376 unchanged lines hidden (view full) --- 4915static int selinux_socket_unix_stream_connect(struct sock *sock, 4916 struct sock *other, 4917 struct sock *newsk) 4918{ 4919 struct sk_security_struct *sksec_sock = sock->sk_security; 4920 struct sk_security_struct *sksec_other = other->sk_security; 4921 struct sk_security_struct *sksec_new = newsk->sk_security; 4922 struct common_audit_data ad; |
4925 struct lsm_network_audit net; | 4923 struct lsm_network_audit net = {0,}; |
4926 int err; 4927 | 4924 int err; 4925 |
4928 ad_net_init_from_sk(&ad, &net, other); | 4926 ad.type = LSM_AUDIT_DATA_NET; 4927 ad.u.net = &net; 4928 ad.u.net->sk = other; |
4929 4930 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4931 sksec_other->sclass, 4932 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4933 if (err) 4934 return err; 4935 4936 /* server child socket */ --- 10 unchanged lines hidden (view full) --- 4947} 4948 4949static int selinux_socket_unix_may_send(struct socket *sock, 4950 struct socket *other) 4951{ 4952 struct sk_security_struct *ssec = sock->sk->sk_security; 4953 struct sk_security_struct *osec = other->sk->sk_security; 4954 struct common_audit_data ad; | 4929 4930 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4931 sksec_other->sclass, 4932 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4933 if (err) 4934 return err; 4935 4936 /* server child socket */ --- 10 unchanged lines hidden (view full) --- 4947} 4948 4949static int selinux_socket_unix_may_send(struct socket *sock, 4950 struct socket *other) 4951{ 4952 struct sk_security_struct *ssec = sock->sk->sk_security; 4953 struct sk_security_struct *osec = other->sk->sk_security; 4954 struct common_audit_data ad; |
4955 struct lsm_network_audit net; | 4955 struct lsm_network_audit net = {0,}; |
4956 | 4956 |
4957 ad_net_init_from_sk(&ad, &net, other->sk); | 4957 ad.type = LSM_AUDIT_DATA_NET; 4958 ad.u.net = &net; 4959 ad.u.net->sk = other->sk; |
4958 4959 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4960 &ad); 4961} 4962 4963static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4964 char *addrp, u16 family, u32 peer_sid, 4965 struct common_audit_data *ad) --- 19 unchanged lines hidden (view full) --- 4985 4986static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4987 u16 family) 4988{ 4989 int err = 0; 4990 struct sk_security_struct *sksec = sk->sk_security; 4991 u32 sk_sid = sksec->sid; 4992 struct common_audit_data ad; | 4960 4961 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4962 &ad); 4963} 4964 4965static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4966 char *addrp, u16 family, u32 peer_sid, 4967 struct common_audit_data *ad) --- 19 unchanged lines hidden (view full) --- 4987 4988static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4989 u16 family) 4990{ 4991 int err = 0; 4992 struct sk_security_struct *sksec = sk->sk_security; 4993 u32 sk_sid = sksec->sid; 4994 struct common_audit_data ad; |
4993 struct lsm_network_audit net; | 4995 struct lsm_network_audit net = {0,}; |
4994 char *addrp; 4995 | 4996 char *addrp; 4997 |
4996 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family); | 4998 ad.type = LSM_AUDIT_DATA_NET; 4999 ad.u.net = &net; 5000 ad.u.net->netif = skb->skb_iif; 5001 ad.u.net->family = family; |
4997 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4998 if (err) 4999 return err; 5000 5001 if (selinux_secmark_enabled()) { 5002 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5003 PACKET__RECV, &ad); 5004 if (err) --- 5 unchanged lines hidden (view full) --- 5010 return err; 5011 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 5012 5013 return err; 5014} 5015 5016static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 5017{ | 5002 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5003 if (err) 5004 return err; 5005 5006 if (selinux_secmark_enabled()) { 5007 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5008 PACKET__RECV, &ad); 5009 if (err) --- 5 unchanged lines hidden (view full) --- 5015 return err; 5016 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 5017 5018 return err; 5019} 5020 5021static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 5022{ |
5018 int err, peerlbl_active, secmark_active; | 5023 int err; |
5019 struct sk_security_struct *sksec = sk->sk_security; 5020 u16 family = sk->sk_family; 5021 u32 sk_sid = sksec->sid; 5022 struct common_audit_data ad; | 5024 struct sk_security_struct *sksec = sk->sk_security; 5025 u16 family = sk->sk_family; 5026 u32 sk_sid = sksec->sid; 5027 struct common_audit_data ad; |
5023 struct lsm_network_audit net; | 5028 struct lsm_network_audit net = {0,}; |
5024 char *addrp; | 5029 char *addrp; |
5030 u8 secmark_active; 5031 u8 peerlbl_active; |
|
5025 5026 if (family != PF_INET && family != PF_INET6) 5027 return 0; 5028 5029 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5030 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5031 family = PF_INET; 5032 --- 4 unchanged lines hidden (view full) --- 5037 if (!selinux_policycap_netpeer()) 5038 return selinux_sock_rcv_skb_compat(sk, skb, family); 5039 5040 secmark_active = selinux_secmark_enabled(); 5041 peerlbl_active = selinux_peerlbl_enabled(); 5042 if (!secmark_active && !peerlbl_active) 5043 return 0; 5044 | 5032 5033 if (family != PF_INET && family != PF_INET6) 5034 return 0; 5035 5036 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5037 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5038 family = PF_INET; 5039 --- 4 unchanged lines hidden (view full) --- 5044 if (!selinux_policycap_netpeer()) 5045 return selinux_sock_rcv_skb_compat(sk, skb, family); 5046 5047 secmark_active = selinux_secmark_enabled(); 5048 peerlbl_active = selinux_peerlbl_enabled(); 5049 if (!secmark_active && !peerlbl_active) 5050 return 0; 5051 |
5045 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family); | 5052 ad.type = LSM_AUDIT_DATA_NET; 5053 ad.u.net = &net; 5054 ad.u.net->netif = skb->skb_iif; 5055 ad.u.net->family = family; |
5046 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5047 if (err) 5048 return err; 5049 5050 if (peerlbl_active) { 5051 u32 peer_sid; 5052 5053 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); --- 153 unchanged lines hidden (view full) --- 5207 */ 5208static int selinux_sctp_process_new_assoc(struct sctp_association *asoc, 5209 struct sk_buff *skb) 5210{ 5211 struct sock *sk = asoc->base.sk; 5212 u16 family = sk->sk_family; 5213 struct sk_security_struct *sksec = sk->sk_security; 5214 struct common_audit_data ad; | 5056 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5057 if (err) 5058 return err; 5059 5060 if (peerlbl_active) { 5061 u32 peer_sid; 5062 5063 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); --- 153 unchanged lines hidden (view full) --- 5217 */ 5218static int selinux_sctp_process_new_assoc(struct sctp_association *asoc, 5219 struct sk_buff *skb) 5220{ 5221 struct sock *sk = asoc->base.sk; 5222 u16 family = sk->sk_family; 5223 struct sk_security_struct *sksec = sk->sk_security; 5224 struct common_audit_data ad; |
5215 struct lsm_network_audit net; | 5225 struct lsm_network_audit net = {0,}; |
5216 int err; 5217 5218 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5219 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5220 family = PF_INET; 5221 5222 if (selinux_peerlbl_enabled()) { 5223 asoc->peer_secid = SECSID_NULL; --- 19 unchanged lines hidden (view full) --- 5243 * then it is approved by policy and used as the primary 5244 * peer SID for getpeercon(3). 5245 */ 5246 sksec->peer_sid = asoc->peer_secid; 5247 } else if (sksec->peer_sid != asoc->peer_secid) { 5248 /* Other association peer SIDs are checked to enforce 5249 * consistency among the peer SIDs. 5250 */ | 5226 int err; 5227 5228 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5229 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5230 family = PF_INET; 5231 5232 if (selinux_peerlbl_enabled()) { 5233 asoc->peer_secid = SECSID_NULL; --- 19 unchanged lines hidden (view full) --- 5253 * then it is approved by policy and used as the primary 5254 * peer SID for getpeercon(3). 5255 */ 5256 sksec->peer_sid = asoc->peer_secid; 5257 } else if (sksec->peer_sid != asoc->peer_secid) { 5258 /* Other association peer SIDs are checked to enforce 5259 * consistency among the peer SIDs. 5260 */ |
5251 ad_net_init_from_sk(&ad, &net, asoc->base.sk); | 5261 ad.type = LSM_AUDIT_DATA_NET; 5262 ad.u.net = &net; 5263 ad.u.net->sk = asoc->base.sk; |
5252 err = avc_has_perm(sksec->peer_sid, asoc->peer_secid, 5253 sksec->sclass, SCTP_SOCKET__ASSOCIATION, 5254 &ad); 5255 if (err) 5256 return err; 5257 } 5258 return 0; 5259} --- 214 unchanged lines hidden (view full) --- 5474 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5475 family = PF_INET; 5476 5477 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5478} 5479 5480static int selinux_secmark_relabel_packet(u32 sid) 5481{ | 5264 err = avc_has_perm(sksec->peer_sid, asoc->peer_secid, 5265 sksec->sclass, SCTP_SOCKET__ASSOCIATION, 5266 &ad); 5267 if (err) 5268 return err; 5269 } 5270 return 0; 5271} --- 214 unchanged lines hidden (view full) --- 5486 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5487 family = PF_INET; 5488 5489 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5490} 5491 5492static int selinux_secmark_relabel_packet(u32 sid) 5493{ |
5482 const struct task_security_struct *tsec; | 5494 const struct task_security_struct *__tsec; |
5483 u32 tsid; 5484 | 5495 u32 tsid; 5496 |
5485 tsec = selinux_cred(current_cred()); 5486 tsid = tsec->sid; | 5497 __tsec = selinux_cred(current_cred()); 5498 tsid = __tsec->sid; |
5487 5488 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, 5489 NULL); 5490} 5491 5492static void selinux_secmark_refcount_inc(void) 5493{ 5494 atomic_inc(&selinux_secmark_refcount); --- 93 unchanged lines hidden (view full) --- 5588static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb, 5589 const struct nf_hook_state *state) 5590{ 5591 int ifindex; 5592 u16 family; 5593 char *addrp; 5594 u32 peer_sid; 5595 struct common_audit_data ad; | 5499 5500 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, 5501 NULL); 5502} 5503 5504static void selinux_secmark_refcount_inc(void) 5505{ 5506 atomic_inc(&selinux_secmark_refcount); --- 93 unchanged lines hidden (view full) --- 5600static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb, 5601 const struct nf_hook_state *state) 5602{ 5603 int ifindex; 5604 u16 family; 5605 char *addrp; 5606 u32 peer_sid; 5607 struct common_audit_data ad; |
5596 struct lsm_network_audit net; | 5608 struct lsm_network_audit net = {0,}; |
5597 int secmark_active, peerlbl_active; 5598 5599 if (!selinux_policycap_netpeer()) 5600 return NF_ACCEPT; 5601 5602 secmark_active = selinux_secmark_enabled(); 5603 peerlbl_active = selinux_peerlbl_enabled(); 5604 if (!secmark_active && !peerlbl_active) 5605 return NF_ACCEPT; 5606 5607 family = state->pf; 5608 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5609 return NF_DROP; 5610 5611 ifindex = state->in->ifindex; | 5609 int secmark_active, peerlbl_active; 5610 5611 if (!selinux_policycap_netpeer()) 5612 return NF_ACCEPT; 5613 5614 secmark_active = selinux_secmark_enabled(); 5615 peerlbl_active = selinux_peerlbl_enabled(); 5616 if (!secmark_active && !peerlbl_active) 5617 return NF_ACCEPT; 5618 5619 family = state->pf; 5620 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5621 return NF_DROP; 5622 5623 ifindex = state->in->ifindex; |
5612 ad_net_init_from_iif(&ad, &net, ifindex, family); | 5624 ad.type = LSM_AUDIT_DATA_NET; 5625 ad.u.net = &net; 5626 ad.u.net->netif = ifindex; 5627 ad.u.net->family = family; |
5613 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5614 return NF_DROP; 5615 5616 if (peerlbl_active) { 5617 int err; 5618 5619 err = selinux_inet_sys_rcv_skb(state->net, ifindex, 5620 addrp, family, peer_sid, &ad); --- 63 unchanged lines hidden (view full) --- 5684 5685 5686static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5687 const struct nf_hook_state *state) 5688{ 5689 struct sock *sk; 5690 struct sk_security_struct *sksec; 5691 struct common_audit_data ad; | 5628 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5629 return NF_DROP; 5630 5631 if (peerlbl_active) { 5632 int err; 5633 5634 err = selinux_inet_sys_rcv_skb(state->net, ifindex, 5635 addrp, family, peer_sid, &ad); --- 63 unchanged lines hidden (view full) --- 5699 5700 5701static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5702 const struct nf_hook_state *state) 5703{ 5704 struct sock *sk; 5705 struct sk_security_struct *sksec; 5706 struct common_audit_data ad; |
5692 struct lsm_network_audit net; | 5707 struct lsm_network_audit net = {0,}; |
5693 u8 proto = 0; 5694 5695 sk = skb_to_full_sk(skb); 5696 if (sk == NULL) 5697 return NF_ACCEPT; 5698 sksec = sk->sk_security; 5699 | 5708 u8 proto = 0; 5709 5710 sk = skb_to_full_sk(skb); 5711 if (sk == NULL) 5712 return NF_ACCEPT; 5713 sksec = sk->sk_security; 5714 |
5700 ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf); | 5715 ad.type = LSM_AUDIT_DATA_NET; 5716 ad.u.net = &net; 5717 ad.u.net->netif = state->out->ifindex; 5718 ad.u.net->family = state->pf; |
5701 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto)) 5702 return NF_DROP; 5703 5704 if (selinux_secmark_enabled()) 5705 if (avc_has_perm(sksec->sid, skb->secmark, 5706 SECCLASS_PACKET, PACKET__SEND, &ad)) 5707 return NF_DROP_ERR(-ECONNREFUSED); 5708 --- 8 unchanged lines hidden (view full) --- 5717 const struct nf_hook_state *state) 5718{ 5719 u16 family; 5720 u32 secmark_perm; 5721 u32 peer_sid; 5722 int ifindex; 5723 struct sock *sk; 5724 struct common_audit_data ad; | 5719 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto)) 5720 return NF_DROP; 5721 5722 if (selinux_secmark_enabled()) 5723 if (avc_has_perm(sksec->sid, skb->secmark, 5724 SECCLASS_PACKET, PACKET__SEND, &ad)) 5725 return NF_DROP_ERR(-ECONNREFUSED); 5726 --- 8 unchanged lines hidden (view full) --- 5735 const struct nf_hook_state *state) 5736{ 5737 u16 family; 5738 u32 secmark_perm; 5739 u32 peer_sid; 5740 int ifindex; 5741 struct sock *sk; 5742 struct common_audit_data ad; |
5725 struct lsm_network_audit net; | 5743 struct lsm_network_audit net = {0,}; |
5726 char *addrp; 5727 int secmark_active, peerlbl_active; 5728 5729 /* If any sort of compatibility mode is enabled then handoff processing 5730 * to the selinux_ip_postroute_compat() function to deal with the 5731 * special handling. We do this in an attempt to keep this function 5732 * as fast and as clean as possible. */ 5733 if (!selinux_policycap_netpeer()) --- 80 unchanged lines hidden (view full) --- 5814 /* Locally generated packet, fetch the security label from the 5815 * associated socket. */ 5816 struct sk_security_struct *sksec = sk->sk_security; 5817 peer_sid = sksec->sid; 5818 secmark_perm = PACKET__SEND; 5819 } 5820 5821 ifindex = state->out->ifindex; | 5744 char *addrp; 5745 int secmark_active, peerlbl_active; 5746 5747 /* If any sort of compatibility mode is enabled then handoff processing 5748 * to the selinux_ip_postroute_compat() function to deal with the 5749 * special handling. We do this in an attempt to keep this function 5750 * as fast and as clean as possible. */ 5751 if (!selinux_policycap_netpeer()) --- 80 unchanged lines hidden (view full) --- 5832 /* Locally generated packet, fetch the security label from the 5833 * associated socket. */ 5834 struct sk_security_struct *sksec = sk->sk_security; 5835 peer_sid = sksec->sid; 5836 secmark_perm = PACKET__SEND; 5837 } 5838 5839 ifindex = state->out->ifindex; |
5822 ad_net_init_from_iif(&ad, &net, ifindex, family); | 5840 ad.type = LSM_AUDIT_DATA_NET; 5841 ad.u.net = &net; 5842 ad.u.net->netif = ifindex; 5843 ad.u.net->family = family; |
5823 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5824 return NF_DROP; 5825 5826 if (secmark_active) 5827 if (avc_has_perm(peer_sid, skb->secmark, 5828 SECCLASS_PACKET, secmark_perm, &ad)) 5829 return NF_DROP_ERR(-ECONNREFUSED); 5830 --- 136 unchanged lines hidden (view full) --- 5967 ad.u.ipc_id = msq->key; 5968 5969 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5970 MSGQ__ASSOCIATE, &ad); 5971} 5972 5973static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 5974{ | 5844 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5845 return NF_DROP; 5846 5847 if (secmark_active) 5848 if (avc_has_perm(peer_sid, skb->secmark, 5849 SECCLASS_PACKET, secmark_perm, &ad)) 5850 return NF_DROP_ERR(-ECONNREFUSED); 5851 --- 136 unchanged lines hidden (view full) --- 5988 ad.u.ipc_id = msq->key; 5989 5990 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5991 MSGQ__ASSOCIATE, &ad); 5992} 5993 5994static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 5995{ |
5975 u32 perms; | 5996 int err; 5997 int perms; |
5976 5977 switch (cmd) { 5978 case IPC_INFO: 5979 case MSG_INFO: 5980 /* No specific object, just general system-wide information. */ 5981 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 5982 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5983 case IPC_STAT: --- 6 unchanged lines hidden (view full) --- 5990 break; 5991 case IPC_RMID: 5992 perms = MSGQ__DESTROY; 5993 break; 5994 default: 5995 return 0; 5996 } 5997 | 5998 5999 switch (cmd) { 6000 case IPC_INFO: 6001 case MSG_INFO: 6002 /* No specific object, just general system-wide information. */ 6003 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6004 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6005 case IPC_STAT: --- 6 unchanged lines hidden (view full) --- 6012 break; 6013 case IPC_RMID: 6014 perms = MSGQ__DESTROY; 6015 break; 6016 default: 6017 return 0; 6018 } 6019 |
5998 return ipc_has_perm(msq, perms); | 6020 err = ipc_has_perm(msq, perms); 6021 return err; |
5999} 6000 6001static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6002{ 6003 struct ipc_security_struct *isec; 6004 struct msg_security_struct *msec; 6005 struct common_audit_data ad; 6006 u32 sid = current_sid(); --- 88 unchanged lines hidden (view full) --- 6095 6096 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6097 SHM__ASSOCIATE, &ad); 6098} 6099 6100/* Note, at this point, shp is locked down */ 6101static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6102{ | 6022} 6023 6024static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6025{ 6026 struct ipc_security_struct *isec; 6027 struct msg_security_struct *msec; 6028 struct common_audit_data ad; 6029 u32 sid = current_sid(); --- 88 unchanged lines hidden (view full) --- 6118 6119 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6120 SHM__ASSOCIATE, &ad); 6121} 6122 6123/* Note, at this point, shp is locked down */ 6124static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6125{ |
6103 u32 perms; | 6126 int perms; 6127 int err; |
6104 6105 switch (cmd) { 6106 case IPC_INFO: 6107 case SHM_INFO: 6108 /* No specific object, just general system-wide information. */ 6109 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6110 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6111 case IPC_STAT: --- 10 unchanged lines hidden (view full) --- 6122 break; 6123 case IPC_RMID: 6124 perms = SHM__DESTROY; 6125 break; 6126 default: 6127 return 0; 6128 } 6129 | 6128 6129 switch (cmd) { 6130 case IPC_INFO: 6131 case SHM_INFO: 6132 /* No specific object, just general system-wide information. */ 6133 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6134 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6135 case IPC_STAT: --- 10 unchanged lines hidden (view full) --- 6146 break; 6147 case IPC_RMID: 6148 perms = SHM__DESTROY; 6149 break; 6150 default: 6151 return 0; 6152 } 6153 |
6130 return ipc_has_perm(shp, perms); | 6154 err = ipc_has_perm(shp, perms); 6155 return err; |
6131} 6132 6133static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6134 char __user *shmaddr, int shmflg) 6135{ 6136 u32 perms; 6137 6138 if (shmflg & SHM_RDONLY) --- 752 unchanged lines hidden (view full) --- 6891/** 6892 * selinux_uring_sqpoll - check if a io_uring polling thread can be created 6893 * 6894 * Check to see if the current task is allowed to create a new io_uring 6895 * kernel polling thread. 6896 */ 6897static int selinux_uring_sqpoll(void) 6898{ | 6156} 6157 6158static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6159 char __user *shmaddr, int shmflg) 6160{ 6161 u32 perms; 6162 6163 if (shmflg & SHM_RDONLY) --- 752 unchanged lines hidden (view full) --- 6916/** 6917 * selinux_uring_sqpoll - check if a io_uring polling thread can be created 6918 * 6919 * Check to see if the current task is allowed to create a new io_uring 6920 * kernel polling thread. 6921 */ 6922static int selinux_uring_sqpoll(void) 6923{ |
6899 u32 sid = current_sid(); | 6924 int sid = current_sid(); |
6900 6901 return avc_has_perm(sid, sid, 6902 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL); 6903} 6904 6905/** 6906 * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed 6907 * @ioucmd: the io_uring command structure --- 22 unchanged lines hidden (view full) --- 6930 * 1. any hooks that don't belong to (2.) or (3.) below, 6931 * 2. hooks that both access structures allocated by other hooks, and allocate 6932 * structures that can be later accessed by other hooks (mostly "cloning" 6933 * hooks), 6934 * 3. hooks that only allocate structures that can be later accessed by other 6935 * hooks ("allocating" hooks). 6936 * 6937 * Please follow block comment delimiters in the list to keep this order. | 6925 6926 return avc_has_perm(sid, sid, 6927 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL); 6928} 6929 6930/** 6931 * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed 6932 * @ioucmd: the io_uring command structure --- 22 unchanged lines hidden (view full) --- 6955 * 1. any hooks that don't belong to (2.) or (3.) below, 6956 * 2. hooks that both access structures allocated by other hooks, and allocate 6957 * structures that can be later accessed by other hooks (mostly "cloning" 6958 * hooks), 6959 * 3. hooks that only allocate structures that can be later accessed by other 6960 * hooks ("allocating" hooks). 6961 * 6962 * Please follow block comment delimiters in the list to keep this order. |
6963 * 6964 * This ordering is needed for SELinux runtime disable to work at least somewhat 6965 * safely. Breaking the ordering rules above might lead to NULL pointer derefs 6966 * when disabling SELinux at runtime. |
|
6938 */ 6939static struct security_hook_list selinux_hooks[] __ro_after_init = { 6940 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6941 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6942 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6943 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6944 6945 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), --- 223 unchanged lines hidden (view full) --- 7169 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), 7170 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), 7171 LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd), 7172#endif 7173 7174 /* 7175 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE 7176 */ | 6967 */ 6968static struct security_hook_list selinux_hooks[] __ro_after_init = { 6969 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6970 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6971 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6972 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6973 6974 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), --- 223 unchanged lines hidden (view full) --- 7198 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), 7199 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), 7200 LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd), 7201#endif 7202 7203 /* 7204 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE 7205 */ |
7206 LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount), |
|
7177 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 7178 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 7179 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 7180#ifdef CONFIG_SECURITY_NETWORK_XFRM 7181 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7182#endif 7183 7184 /* --- 43 unchanged lines hidden (view full) --- 7228 selinux_avc_init(); 7229 mutex_init(&selinux_state.status_lock); 7230 mutex_init(&selinux_state.policy_mutex); 7231 7232 /* Set the security state for the initial task. */ 7233 cred_init_security(); 7234 7235 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); | 7207 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 7208 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 7209 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 7210#ifdef CONFIG_SECURITY_NETWORK_XFRM 7211 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7212#endif 7213 7214 /* --- 43 unchanged lines hidden (view full) --- 7258 selinux_avc_init(); 7259 mutex_init(&selinux_state.status_lock); 7260 mutex_init(&selinux_state.policy_mutex); 7261 7262 /* Set the security state for the initial task. */ 7263 cred_init_security(); 7264 7265 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); |
7236 if (!default_noexec) 7237 pr_notice("SELinux: virtual memory is executable by default\n"); | |
7238 7239 avc_init(); 7240 7241 avtab_cache_init(); 7242 7243 ebitmap_cache_init(); 7244 7245 hashtab_cache_init(); --- 119 unchanged lines hidden --- | 7266 7267 avc_init(); 7268 7269 avtab_cache_init(); 7270 7271 ebitmap_cache_init(); 7272 7273 hashtab_cache_init(); --- 119 unchanged lines hidden --- |
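Review bot: `selinux_fs_context_submount()` (right-hand column, lines 2748–2767 of that version) allocates and installs `fc->security` unconditionally, so a reference superblock with none of FSCONTEXT_MNT, CONTEXT_MNT or DEFCONTEXT_MNT set still hands the submount a non-NULL, all-zero `selinux_mnt_opts`. Whether that is harmless depends on `selinux_set_mnt_opts()`, which is not in this view; if it treats a NULL opts differently from an empty one (for example deferring "no options" mounts until policy is loaded while rejecting or labelling "options supplied" mounts), an option-less submount is handled differently from the mount it was cloned from, and the allocation is wasted either way. Testing the flags before the `kzalloc()` and returning 0 with `fc->security` left NULL keeps the no-options case identical to a plain mount. The column order suggests d80a8f1 is the new side, but the page does not label old/new, and 817199e carries no submount hook at all, so this applies to whichever tree ships the function.

```c
static int selinux_fs_context_submount(struct fs_context *fc,
				       struct super_block *reference)
{
	const struct superblock_security_struct *sbsec;
	struct selinux_mnt_opts *opts;

	sbsec = selinux_superblock(reference);
	/* nothing to inherit: leave fc->security NULL, as for a plain mount */
	if (!(sbsec->flags & (FSCONTEXT_MNT | CONTEXT_MNT | DEFCONTEXT_MNT)))
		return 0;

	opts = kzalloc(sizeof(*opts), GFP_KERNEL);
	if (!opts)
		return -ENOMEM;
	/* … unchanged: copy fscontext/context/defcontext SIDs, install opts … */
}
```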