1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * NSA Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 8 * Chris Vance, <cvance@nai.com> 9 * Wayne Salamon, <wsalamon@nai.com> 10 * James Morris <jmorris@redhat.com> 11 * 12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 14 * Eric Paris <eparis@redhat.com> 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 16 * <dgoeddel@trustedcs.com> 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 18 * Paul Moore <paul@paul-moore.com> 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 20 * Yuichi Nakamura <ynakam@hitachisoft.jp> 21 * Copyright (C) 2016 Mellanox Technologies 22 */ 23 24 #include <linux/init.h> 25 #include <linux/kd.h> 26 #include <linux/kernel.h> 27 #include <linux/tracehook.h> 28 #include <linux/errno.h> 29 #include <linux/sched/signal.h> 30 #include <linux/sched/task.h> 31 #include <linux/lsm_hooks.h> 32 #include <linux/xattr.h> 33 #include <linux/capability.h> 34 #include <linux/unistd.h> 35 #include <linux/mm.h> 36 #include <linux/mman.h> 37 #include <linux/slab.h> 38 #include <linux/pagemap.h> 39 #include <linux/proc_fs.h> 40 #include <linux/swap.h> 41 #include <linux/spinlock.h> 42 #include <linux/syscalls.h> 43 #include <linux/dcache.h> 44 #include <linux/file.h> 45 #include <linux/fdtable.h> 46 #include <linux/namei.h> 47 #include <linux/mount.h> 48 #include <linux/fs_context.h> 49 #include <linux/fs_parser.h> 50 #include <linux/netfilter_ipv4.h> 51 #include <linux/netfilter_ipv6.h> 52 #include <linux/tty.h> 53 #include <net/icmp.h> 54 #include <net/ip.h> /* for local_port_range[] */ 55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 56 #include <net/inet_connection_sock.h> 57 #include <net/net_namespace.h> 58 #include <net/netlabel.h> 59 #include <linux/uaccess.h> 60 #include <asm/ioctls.h> 61 #include <linux/atomic.h> 62 #include <linux/bitops.h> 63 #include <linux/interrupt.h> 64 #include <linux/netdevice.h> /* for network interface checks */ 65 #include <net/netlink.h> 66 #include <linux/tcp.h> 67 #include <linux/udp.h> 68 #include <linux/dccp.h> 69 #include <linux/sctp.h> 70 #include <net/sctp/structs.h> 71 #include <linux/quota.h> 72 #include <linux/un.h> /* for Unix socket types */ 73 #include <net/af_unix.h> /* for Unix socket types */ 74 #include <linux/parser.h> 75 #include <linux/nfs_mount.h> 76 #include <net/ipv6.h> 77 #include <linux/hugetlb.h> 78 #include <linux/personality.h> 79 #include <linux/audit.h> 80 #include <linux/string.h> 81 #include <linux/mutex.h> 82 #include <linux/posix-timers.h> 83 #include <linux/syslog.h> 84 #include <linux/user_namespace.h> 85 #include <linux/export.h> 86 #include <linux/msg.h> 87 #include <linux/shm.h> 88 #include <linux/bpf.h> 89 #include <linux/kernfs.h> 90 #include <linux/stringhash.h> /* for hashlen_string() */ 91 #include <uapi/linux/mount.h> 92 #include <linux/fsnotify.h> 93 #include <linux/fanotify.h> 94 95 #include "avc.h" 96 #include "objsec.h" 97 #include "netif.h" 98 #include "netnode.h" 99 #include "netport.h" 100 #include "ibpkey.h" 101 #include "xfrm.h" 102 #include "netlabel.h" 103 #include "audit.h" 104 #include "avc_ss.h" 105 106 struct selinux_state selinux_state; 107 108 /* SECMARK reference count */ 109 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 110 111 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 112 static int selinux_enforcing_boot; 113 114 static int __init enforcing_setup(char *str) 115 { 116 unsigned long enforcing; 117 if (!kstrtoul(str, 0, &enforcing)) 118 selinux_enforcing_boot = enforcing ? 1 : 0; 119 return 1; 120 } 121 __setup("enforcing=", enforcing_setup); 122 #else 123 #define selinux_enforcing_boot 1 124 #endif 125 126 int selinux_enabled __lsm_ro_after_init = 1; 127 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 128 static int __init selinux_enabled_setup(char *str) 129 { 130 unsigned long enabled; 131 if (!kstrtoul(str, 0, &enabled)) 132 selinux_enabled = enabled ? 1 : 0; 133 return 1; 134 } 135 __setup("selinux=", selinux_enabled_setup); 136 #endif 137 138 static unsigned int selinux_checkreqprot_boot = 139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 140 141 static int __init checkreqprot_setup(char *str) 142 { 143 unsigned long checkreqprot; 144 145 if (!kstrtoul(str, 0, &checkreqprot)) 146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0; 147 return 1; 148 } 149 __setup("checkreqprot=", checkreqprot_setup); 150 151 /** 152 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 153 * 154 * Description: 155 * This function checks the SECMARK reference counter to see if any SECMARK 156 * targets are currently configured, if the reference counter is greater than 157 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 158 * enabled, false (0) if SECMARK is disabled. If the always_check_network 159 * policy capability is enabled, SECMARK is always considered enabled. 160 * 161 */ 162 static int selinux_secmark_enabled(void) 163 { 164 return (selinux_policycap_alwaysnetwork() || 165 atomic_read(&selinux_secmark_refcount)); 166 } 167 168 /** 169 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 170 * 171 * Description: 172 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 173 * (1) if any are enabled or false (0) if neither are enabled. If the 174 * always_check_network policy capability is enabled, peer labeling 175 * is always considered enabled. 176 * 177 */ 178 static int selinux_peerlbl_enabled(void) 179 { 180 return (selinux_policycap_alwaysnetwork() || 181 netlbl_enabled() || selinux_xfrm_enabled()); 182 } 183 184 static int selinux_netcache_avc_callback(u32 event) 185 { 186 if (event == AVC_CALLBACK_RESET) { 187 sel_netif_flush(); 188 sel_netnode_flush(); 189 sel_netport_flush(); 190 synchronize_net(); 191 } 192 return 0; 193 } 194 195 static int selinux_lsm_notifier_avc_callback(u32 event) 196 { 197 if (event == AVC_CALLBACK_RESET) { 198 sel_ib_pkey_flush(); 199 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); 200 } 201 202 return 0; 203 } 204 205 /* 206 * initialise the security for the init task 207 */ 208 static void cred_init_security(void) 209 { 210 struct cred *cred = (struct cred *) current->real_cred; 211 struct task_security_struct *tsec; 212 213 tsec = selinux_cred(cred); 214 tsec->osid = tsec->sid = SECINITSID_KERNEL; 215 } 216 217 /* 218 * get the security ID of a set of credentials 219 */ 220 static inline u32 cred_sid(const struct cred *cred) 221 { 222 const struct task_security_struct *tsec; 223 224 tsec = selinux_cred(cred); 225 return tsec->sid; 226 } 227 228 /* 229 * get the objective security ID of a task 230 */ 231 static inline u32 task_sid(const struct task_struct *task) 232 { 233 u32 sid; 234 235 rcu_read_lock(); 236 sid = cred_sid(__task_cred(task)); 237 rcu_read_unlock(); 238 return sid; 239 } 240 241 /* Allocate and free functions for each kind of security blob. */ 242 243 static int inode_alloc_security(struct inode *inode) 244 { 245 struct inode_security_struct *isec = selinux_inode(inode); 246 u32 sid = current_sid(); 247 248 spin_lock_init(&isec->lock); 249 INIT_LIST_HEAD(&isec->list); 250 isec->inode = inode; 251 isec->sid = SECINITSID_UNLABELED; 252 isec->sclass = SECCLASS_FILE; 253 isec->task_sid = sid; 254 isec->initialized = LABEL_INVALID; 255 256 return 0; 257 } 258 259 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 260 261 /* 262 * Try reloading inode security labels that have been marked as invalid. The 263 * @may_sleep parameter indicates when sleeping and thus reloading labels is 264 * allowed; when set to false, returns -ECHILD when the label is 265 * invalid. The @dentry parameter should be set to a dentry of the inode. 266 */ 267 static int __inode_security_revalidate(struct inode *inode, 268 struct dentry *dentry, 269 bool may_sleep) 270 { 271 struct inode_security_struct *isec = selinux_inode(inode); 272 273 might_sleep_if(may_sleep); 274 275 if (selinux_state.initialized && 276 isec->initialized != LABEL_INITIALIZED) { 277 if (!may_sleep) 278 return -ECHILD; 279 280 /* 281 * Try reloading the inode security label. This will fail if 282 * @opt_dentry is NULL and no dentry for this inode can be 283 * found; in that case, continue using the old label. 284 */ 285 inode_doinit_with_dentry(inode, dentry); 286 } 287 return 0; 288 } 289 290 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 291 { 292 return selinux_inode(inode); 293 } 294 295 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 296 { 297 int error; 298 299 error = __inode_security_revalidate(inode, NULL, !rcu); 300 if (error) 301 return ERR_PTR(error); 302 return selinux_inode(inode); 303 } 304 305 /* 306 * Get the security label of an inode. 307 */ 308 static struct inode_security_struct *inode_security(struct inode *inode) 309 { 310 __inode_security_revalidate(inode, NULL, true); 311 return selinux_inode(inode); 312 } 313 314 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 315 { 316 struct inode *inode = d_backing_inode(dentry); 317 318 return selinux_inode(inode); 319 } 320 321 /* 322 * Get the security label of a dentry's backing inode. 323 */ 324 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 325 { 326 struct inode *inode = d_backing_inode(dentry); 327 328 __inode_security_revalidate(inode, dentry, true); 329 return selinux_inode(inode); 330 } 331 332 static void inode_free_security(struct inode *inode) 333 { 334 struct inode_security_struct *isec = selinux_inode(inode); 335 struct superblock_security_struct *sbsec; 336 337 if (!isec) 338 return; 339 sbsec = inode->i_sb->s_security; 340 /* 341 * As not all inode security structures are in a list, we check for 342 * empty list outside of the lock to make sure that we won't waste 343 * time taking a lock doing nothing. 344 * 345 * The list_del_init() function can be safely called more than once. 346 * It should not be possible for this function to be called with 347 * concurrent list_add(), but for better safety against future changes 348 * in the code, we use list_empty_careful() here. 349 */ 350 if (!list_empty_careful(&isec->list)) { 351 spin_lock(&sbsec->isec_lock); 352 list_del_init(&isec->list); 353 spin_unlock(&sbsec->isec_lock); 354 } 355 } 356 357 static int file_alloc_security(struct file *file) 358 { 359 struct file_security_struct *fsec = selinux_file(file); 360 u32 sid = current_sid(); 361 362 fsec->sid = sid; 363 fsec->fown_sid = sid; 364 365 return 0; 366 } 367 368 static int superblock_alloc_security(struct super_block *sb) 369 { 370 struct superblock_security_struct *sbsec; 371 372 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 373 if (!sbsec) 374 return -ENOMEM; 375 376 mutex_init(&sbsec->lock); 377 INIT_LIST_HEAD(&sbsec->isec_head); 378 spin_lock_init(&sbsec->isec_lock); 379 sbsec->sb = sb; 380 sbsec->sid = SECINITSID_UNLABELED; 381 sbsec->def_sid = SECINITSID_FILE; 382 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 383 sb->s_security = sbsec; 384 385 return 0; 386 } 387 388 static void superblock_free_security(struct super_block *sb) 389 { 390 struct superblock_security_struct *sbsec = sb->s_security; 391 sb->s_security = NULL; 392 kfree(sbsec); 393 } 394 395 struct selinux_mnt_opts { 396 const char *fscontext, *context, *rootcontext, *defcontext; 397 }; 398 399 static void selinux_free_mnt_opts(void *mnt_opts) 400 { 401 struct selinux_mnt_opts *opts = mnt_opts; 402 kfree(opts->fscontext); 403 kfree(opts->context); 404 kfree(opts->rootcontext); 405 kfree(opts->defcontext); 406 kfree(opts); 407 } 408 409 static inline int inode_doinit(struct inode *inode) 410 { 411 return inode_doinit_with_dentry(inode, NULL); 412 } 413 414 enum { 415 Opt_error = -1, 416 Opt_context = 0, 417 Opt_defcontext = 1, 418 Opt_fscontext = 2, 419 Opt_rootcontext = 3, 420 Opt_seclabel = 4, 421 }; 422 423 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} 424 static struct { 425 const char *name; 426 int len; 427 int opt; 428 bool has_arg; 429 } tokens[] = { 430 A(context, true), 431 A(fscontext, true), 432 A(defcontext, true), 433 A(rootcontext, true), 434 A(seclabel, false), 435 }; 436 #undef A 437 438 static int match_opt_prefix(char *s, int l, char **arg) 439 { 440 int i; 441 442 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 443 size_t len = tokens[i].len; 444 if (len > l || memcmp(s, tokens[i].name, len)) 445 continue; 446 if (tokens[i].has_arg) { 447 if (len == l || s[len] != '=') 448 continue; 449 *arg = s + len + 1; 450 } else if (len != l) 451 continue; 452 return tokens[i].opt; 453 } 454 return Opt_error; 455 } 456 457 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 458 459 static int may_context_mount_sb_relabel(u32 sid, 460 struct superblock_security_struct *sbsec, 461 const struct cred *cred) 462 { 463 const struct task_security_struct *tsec = selinux_cred(cred); 464 int rc; 465 466 rc = avc_has_perm(&selinux_state, 467 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 468 FILESYSTEM__RELABELFROM, NULL); 469 if (rc) 470 return rc; 471 472 rc = avc_has_perm(&selinux_state, 473 tsec->sid, sid, SECCLASS_FILESYSTEM, 474 FILESYSTEM__RELABELTO, NULL); 475 return rc; 476 } 477 478 static int may_context_mount_inode_relabel(u32 sid, 479 struct superblock_security_struct *sbsec, 480 const struct cred *cred) 481 { 482 const struct task_security_struct *tsec = selinux_cred(cred); 483 int rc; 484 rc = avc_has_perm(&selinux_state, 485 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 486 FILESYSTEM__RELABELFROM, NULL); 487 if (rc) 488 return rc; 489 490 rc = avc_has_perm(&selinux_state, 491 sid, sbsec->sid, SECCLASS_FILESYSTEM, 492 FILESYSTEM__ASSOCIATE, NULL); 493 return rc; 494 } 495 496 static int selinux_is_genfs_special_handling(struct super_block *sb) 497 { 498 /* Special handling. Genfs but also in-core setxattr handler */ 499 return !strcmp(sb->s_type->name, "sysfs") || 500 !strcmp(sb->s_type->name, "pstore") || 501 !strcmp(sb->s_type->name, "debugfs") || 502 !strcmp(sb->s_type->name, "tracefs") || 503 !strcmp(sb->s_type->name, "rootfs") || 504 (selinux_policycap_cgroupseclabel() && 505 (!strcmp(sb->s_type->name, "cgroup") || 506 !strcmp(sb->s_type->name, "cgroup2"))); 507 } 508 509 static int selinux_is_sblabel_mnt(struct super_block *sb) 510 { 511 struct superblock_security_struct *sbsec = sb->s_security; 512 513 /* 514 * IMPORTANT: Double-check logic in this function when adding a new 515 * SECURITY_FS_USE_* definition! 516 */ 517 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); 518 519 switch (sbsec->behavior) { 520 case SECURITY_FS_USE_XATTR: 521 case SECURITY_FS_USE_TRANS: 522 case SECURITY_FS_USE_TASK: 523 case SECURITY_FS_USE_NATIVE: 524 return 1; 525 526 case SECURITY_FS_USE_GENFS: 527 return selinux_is_genfs_special_handling(sb); 528 529 /* Never allow relabeling on context mounts */ 530 case SECURITY_FS_USE_MNTPOINT: 531 case SECURITY_FS_USE_NONE: 532 default: 533 return 0; 534 } 535 } 536 537 static int sb_finish_set_opts(struct super_block *sb) 538 { 539 struct superblock_security_struct *sbsec = sb->s_security; 540 struct dentry *root = sb->s_root; 541 struct inode *root_inode = d_backing_inode(root); 542 int rc = 0; 543 544 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 545 /* Make sure that the xattr handler exists and that no 546 error other than -ENODATA is returned by getxattr on 547 the root directory. -ENODATA is ok, as this may be 548 the first boot of the SELinux kernel before we have 549 assigned xattr values to the filesystem. */ 550 if (!(root_inode->i_opflags & IOP_XATTR)) { 551 pr_warn("SELinux: (dev %s, type %s) has no " 552 "xattr support\n", sb->s_id, sb->s_type->name); 553 rc = -EOPNOTSUPP; 554 goto out; 555 } 556 557 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 558 if (rc < 0 && rc != -ENODATA) { 559 if (rc == -EOPNOTSUPP) 560 pr_warn("SELinux: (dev %s, type " 561 "%s) has no security xattr handler\n", 562 sb->s_id, sb->s_type->name); 563 else 564 pr_warn("SELinux: (dev %s, type " 565 "%s) getxattr errno %d\n", sb->s_id, 566 sb->s_type->name, -rc); 567 goto out; 568 } 569 } 570 571 sbsec->flags |= SE_SBINITIALIZED; 572 573 /* 574 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 575 * leave the flag untouched because sb_clone_mnt_opts might be handing 576 * us a superblock that needs the flag to be cleared. 577 */ 578 if (selinux_is_sblabel_mnt(sb)) 579 sbsec->flags |= SBLABEL_MNT; 580 else 581 sbsec->flags &= ~SBLABEL_MNT; 582 583 /* Initialize the root inode. */ 584 rc = inode_doinit_with_dentry(root_inode, root); 585 586 /* Initialize any other inodes associated with the superblock, e.g. 587 inodes created prior to initial policy load or inodes created 588 during get_sb by a pseudo filesystem that directly 589 populates itself. */ 590 spin_lock(&sbsec->isec_lock); 591 while (!list_empty(&sbsec->isec_head)) { 592 struct inode_security_struct *isec = 593 list_first_entry(&sbsec->isec_head, 594 struct inode_security_struct, list); 595 struct inode *inode = isec->inode; 596 list_del_init(&isec->list); 597 spin_unlock(&sbsec->isec_lock); 598 inode = igrab(inode); 599 if (inode) { 600 if (!IS_PRIVATE(inode)) 601 inode_doinit(inode); 602 iput(inode); 603 } 604 spin_lock(&sbsec->isec_lock); 605 } 606 spin_unlock(&sbsec->isec_lock); 607 out: 608 return rc; 609 } 610 611 static int bad_option(struct superblock_security_struct *sbsec, char flag, 612 u32 old_sid, u32 new_sid) 613 { 614 char mnt_flags = sbsec->flags & SE_MNTMASK; 615 616 /* check if the old mount command had the same options */ 617 if (sbsec->flags & SE_SBINITIALIZED) 618 if (!(sbsec->flags & flag) || 619 (old_sid != new_sid)) 620 return 1; 621 622 /* check if we were passed the same options twice, 623 * aka someone passed context=a,context=b 624 */ 625 if (!(sbsec->flags & SE_SBINITIALIZED)) 626 if (mnt_flags & flag) 627 return 1; 628 return 0; 629 } 630 631 static int parse_sid(struct super_block *sb, const char *s, u32 *sid) 632 { 633 int rc = security_context_str_to_sid(&selinux_state, s, 634 sid, GFP_KERNEL); 635 if (rc) 636 pr_warn("SELinux: security_context_str_to_sid" 637 "(%s) failed for (dev %s, type %s) errno=%d\n", 638 s, sb->s_id, sb->s_type->name, rc); 639 return rc; 640 } 641 642 /* 643 * Allow filesystems with binary mount data to explicitly set mount point 644 * labeling information. 645 */ 646 static int selinux_set_mnt_opts(struct super_block *sb, 647 void *mnt_opts, 648 unsigned long kern_flags, 649 unsigned long *set_kern_flags) 650 { 651 const struct cred *cred = current_cred(); 652 struct superblock_security_struct *sbsec = sb->s_security; 653 struct dentry *root = sbsec->sb->s_root; 654 struct selinux_mnt_opts *opts = mnt_opts; 655 struct inode_security_struct *root_isec; 656 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 657 u32 defcontext_sid = 0; 658 int rc = 0; 659 660 mutex_lock(&sbsec->lock); 661 662 if (!selinux_state.initialized) { 663 if (!opts) { 664 /* Defer initialization until selinux_complete_init, 665 after the initial policy is loaded and the security 666 server is ready to handle calls. */ 667 goto out; 668 } 669 rc = -EINVAL; 670 pr_warn("SELinux: Unable to set superblock options " 671 "before the security server is initialized\n"); 672 goto out; 673 } 674 if (kern_flags && !set_kern_flags) { 675 /* Specifying internal flags without providing a place to 676 * place the results is not allowed */ 677 rc = -EINVAL; 678 goto out; 679 } 680 681 /* 682 * Binary mount data FS will come through this function twice. Once 683 * from an explicit call and once from the generic calls from the vfs. 684 * Since the generic VFS calls will not contain any security mount data 685 * we need to skip the double mount verification. 686 * 687 * This does open a hole in which we will not notice if the first 688 * mount using this sb set explict options and a second mount using 689 * this sb does not set any security options. (The first options 690 * will be used for both mounts) 691 */ 692 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 693 && !opts) 694 goto out; 695 696 root_isec = backing_inode_security_novalidate(root); 697 698 /* 699 * parse the mount options, check if they are valid sids. 700 * also check if someone is trying to mount the same sb more 701 * than once with different security options. 702 */ 703 if (opts) { 704 if (opts->fscontext) { 705 rc = parse_sid(sb, opts->fscontext, &fscontext_sid); 706 if (rc) 707 goto out; 708 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 709 fscontext_sid)) 710 goto out_double_mount; 711 sbsec->flags |= FSCONTEXT_MNT; 712 } 713 if (opts->context) { 714 rc = parse_sid(sb, opts->context, &context_sid); 715 if (rc) 716 goto out; 717 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 718 context_sid)) 719 goto out_double_mount; 720 sbsec->flags |= CONTEXT_MNT; 721 } 722 if (opts->rootcontext) { 723 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid); 724 if (rc) 725 goto out; 726 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 727 rootcontext_sid)) 728 goto out_double_mount; 729 sbsec->flags |= ROOTCONTEXT_MNT; 730 } 731 if (opts->defcontext) { 732 rc = parse_sid(sb, opts->defcontext, &defcontext_sid); 733 if (rc) 734 goto out; 735 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 736 defcontext_sid)) 737 goto out_double_mount; 738 sbsec->flags |= DEFCONTEXT_MNT; 739 } 740 } 741 742 if (sbsec->flags & SE_SBINITIALIZED) { 743 /* previously mounted with options, but not on this attempt? */ 744 if ((sbsec->flags & SE_MNTMASK) && !opts) 745 goto out_double_mount; 746 rc = 0; 747 goto out; 748 } 749 750 if (strcmp(sb->s_type->name, "proc") == 0) 751 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 752 753 if (!strcmp(sb->s_type->name, "debugfs") || 754 !strcmp(sb->s_type->name, "tracefs") || 755 !strcmp(sb->s_type->name, "pstore")) 756 sbsec->flags |= SE_SBGENFS; 757 758 if (!strcmp(sb->s_type->name, "sysfs") || 759 !strcmp(sb->s_type->name, "cgroup") || 760 !strcmp(sb->s_type->name, "cgroup2")) 761 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR; 762 763 if (!sbsec->behavior) { 764 /* 765 * Determine the labeling behavior to use for this 766 * filesystem type. 767 */ 768 rc = security_fs_use(&selinux_state, sb); 769 if (rc) { 770 pr_warn("%s: security_fs_use(%s) returned %d\n", 771 __func__, sb->s_type->name, rc); 772 goto out; 773 } 774 } 775 776 /* 777 * If this is a user namespace mount and the filesystem type is not 778 * explicitly whitelisted, then no contexts are allowed on the command 779 * line and security labels must be ignored. 780 */ 781 if (sb->s_user_ns != &init_user_ns && 782 strcmp(sb->s_type->name, "tmpfs") && 783 strcmp(sb->s_type->name, "ramfs") && 784 strcmp(sb->s_type->name, "devpts")) { 785 if (context_sid || fscontext_sid || rootcontext_sid || 786 defcontext_sid) { 787 rc = -EACCES; 788 goto out; 789 } 790 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 791 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 792 rc = security_transition_sid(&selinux_state, 793 current_sid(), 794 current_sid(), 795 SECCLASS_FILE, NULL, 796 &sbsec->mntpoint_sid); 797 if (rc) 798 goto out; 799 } 800 goto out_set_opts; 801 } 802 803 /* sets the context of the superblock for the fs being mounted. */ 804 if (fscontext_sid) { 805 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 806 if (rc) 807 goto out; 808 809 sbsec->sid = fscontext_sid; 810 } 811 812 /* 813 * Switch to using mount point labeling behavior. 814 * sets the label used on all file below the mountpoint, and will set 815 * the superblock context if not already set. 816 */ 817 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 818 sbsec->behavior = SECURITY_FS_USE_NATIVE; 819 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 820 } 821 822 if (context_sid) { 823 if (!fscontext_sid) { 824 rc = may_context_mount_sb_relabel(context_sid, sbsec, 825 cred); 826 if (rc) 827 goto out; 828 sbsec->sid = context_sid; 829 } else { 830 rc = may_context_mount_inode_relabel(context_sid, sbsec, 831 cred); 832 if (rc) 833 goto out; 834 } 835 if (!rootcontext_sid) 836 rootcontext_sid = context_sid; 837 838 sbsec->mntpoint_sid = context_sid; 839 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 840 } 841 842 if (rootcontext_sid) { 843 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 844 cred); 845 if (rc) 846 goto out; 847 848 root_isec->sid = rootcontext_sid; 849 root_isec->initialized = LABEL_INITIALIZED; 850 } 851 852 if (defcontext_sid) { 853 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 854 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 855 rc = -EINVAL; 856 pr_warn("SELinux: defcontext option is " 857 "invalid for this filesystem type\n"); 858 goto out; 859 } 860 861 if (defcontext_sid != sbsec->def_sid) { 862 rc = may_context_mount_inode_relabel(defcontext_sid, 863 sbsec, cred); 864 if (rc) 865 goto out; 866 } 867 868 sbsec->def_sid = defcontext_sid; 869 } 870 871 out_set_opts: 872 rc = sb_finish_set_opts(sb); 873 out: 874 mutex_unlock(&sbsec->lock); 875 return rc; 876 out_double_mount: 877 rc = -EINVAL; 878 pr_warn("SELinux: mount invalid. Same superblock, different " 879 "security settings for (dev %s, type %s)\n", sb->s_id, 880 sb->s_type->name); 881 goto out; 882 } 883 884 static int selinux_cmp_sb_context(const struct super_block *oldsb, 885 const struct super_block *newsb) 886 { 887 struct superblock_security_struct *old = oldsb->s_security; 888 struct superblock_security_struct *new = newsb->s_security; 889 char oldflags = old->flags & SE_MNTMASK; 890 char newflags = new->flags & SE_MNTMASK; 891 892 if (oldflags != newflags) 893 goto mismatch; 894 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 895 goto mismatch; 896 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 897 goto mismatch; 898 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 899 goto mismatch; 900 if (oldflags & ROOTCONTEXT_MNT) { 901 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 902 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 903 if (oldroot->sid != newroot->sid) 904 goto mismatch; 905 } 906 return 0; 907 mismatch: 908 pr_warn("SELinux: mount invalid. Same superblock, " 909 "different security settings for (dev %s, " 910 "type %s)\n", newsb->s_id, newsb->s_type->name); 911 return -EBUSY; 912 } 913 914 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 915 struct super_block *newsb, 916 unsigned long kern_flags, 917 unsigned long *set_kern_flags) 918 { 919 int rc = 0; 920 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 921 struct superblock_security_struct *newsbsec = newsb->s_security; 922 923 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 924 int set_context = (oldsbsec->flags & CONTEXT_MNT); 925 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 926 927 /* 928 * if the parent was able to be mounted it clearly had no special lsm 929 * mount options. thus we can safely deal with this superblock later 930 */ 931 if (!selinux_state.initialized) 932 return 0; 933 934 /* 935 * Specifying internal flags without providing a place to 936 * place the results is not allowed. 937 */ 938 if (kern_flags && !set_kern_flags) 939 return -EINVAL; 940 941 /* how can we clone if the old one wasn't set up?? */ 942 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 943 944 /* if fs is reusing a sb, make sure that the contexts match */ 945 if (newsbsec->flags & SE_SBINITIALIZED) { 946 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) 947 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 948 return selinux_cmp_sb_context(oldsb, newsb); 949 } 950 951 mutex_lock(&newsbsec->lock); 952 953 newsbsec->flags = oldsbsec->flags; 954 955 newsbsec->sid = oldsbsec->sid; 956 newsbsec->def_sid = oldsbsec->def_sid; 957 newsbsec->behavior = oldsbsec->behavior; 958 959 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 960 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 961 rc = security_fs_use(&selinux_state, newsb); 962 if (rc) 963 goto out; 964 } 965 966 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 967 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 968 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 969 } 970 971 if (set_context) { 972 u32 sid = oldsbsec->mntpoint_sid; 973 974 if (!set_fscontext) 975 newsbsec->sid = sid; 976 if (!set_rootcontext) { 977 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 978 newisec->sid = sid; 979 } 980 newsbsec->mntpoint_sid = sid; 981 } 982 if (set_rootcontext) { 983 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 984 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 985 986 newisec->sid = oldisec->sid; 987 } 988 989 sb_finish_set_opts(newsb); 990 out: 991 mutex_unlock(&newsbsec->lock); 992 return rc; 993 } 994 995 static int selinux_add_opt(int token, const char *s, void **mnt_opts) 996 { 997 struct selinux_mnt_opts *opts = *mnt_opts; 998 999 if (token == Opt_seclabel) /* eaten and completely ignored */ 1000 return 0; 1001 1002 if (!opts) { 1003 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL); 1004 if (!opts) 1005 return -ENOMEM; 1006 *mnt_opts = opts; 1007 } 1008 if (!s) 1009 return -ENOMEM; 1010 switch (token) { 1011 case Opt_context: 1012 if (opts->context || opts->defcontext) 1013 goto Einval; 1014 opts->context = s; 1015 break; 1016 case Opt_fscontext: 1017 if (opts->fscontext) 1018 goto Einval; 1019 opts->fscontext = s; 1020 break; 1021 case Opt_rootcontext: 1022 if (opts->rootcontext) 1023 goto Einval; 1024 opts->rootcontext = s; 1025 break; 1026 case Opt_defcontext: 1027 if (opts->context || opts->defcontext) 1028 goto Einval; 1029 opts->defcontext = s; 1030 break; 1031 } 1032 return 0; 1033 Einval: 1034 pr_warn(SEL_MOUNT_FAIL_MSG); 1035 return -EINVAL; 1036 } 1037 1038 static int selinux_add_mnt_opt(const char *option, const char *val, int len, 1039 void **mnt_opts) 1040 { 1041 int token = Opt_error; 1042 int rc, i; 1043 1044 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 1045 if (strcmp(option, tokens[i].name) == 0) { 1046 token = tokens[i].opt; 1047 break; 1048 } 1049 } 1050 1051 if (token == Opt_error) 1052 return -EINVAL; 1053 1054 if (token != Opt_seclabel) { 1055 val = kmemdup_nul(val, len, GFP_KERNEL); 1056 if (!val) { 1057 rc = -ENOMEM; 1058 goto free_opt; 1059 } 1060 } 1061 rc = selinux_add_opt(token, val, mnt_opts); 1062 if (unlikely(rc)) { 1063 kfree(val); 1064 goto free_opt; 1065 } 1066 return rc; 1067 1068 free_opt: 1069 if (*mnt_opts) { 1070 selinux_free_mnt_opts(*mnt_opts); 1071 *mnt_opts = NULL; 1072 } 1073 return rc; 1074 } 1075 1076 static int show_sid(struct seq_file *m, u32 sid) 1077 { 1078 char *context = NULL; 1079 u32 len; 1080 int rc; 1081 1082 rc = security_sid_to_context(&selinux_state, sid, 1083 &context, &len); 1084 if (!rc) { 1085 bool has_comma = context && strchr(context, ','); 1086 1087 seq_putc(m, '='); 1088 if (has_comma) 1089 seq_putc(m, '\"'); 1090 seq_escape(m, context, "\"\n\\"); 1091 if (has_comma) 1092 seq_putc(m, '\"'); 1093 } 1094 kfree(context); 1095 return rc; 1096 } 1097 1098 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1099 { 1100 struct superblock_security_struct *sbsec = sb->s_security; 1101 int rc; 1102 1103 if (!(sbsec->flags & SE_SBINITIALIZED)) 1104 return 0; 1105 1106 if (!selinux_state.initialized) 1107 return 0; 1108 1109 if (sbsec->flags & FSCONTEXT_MNT) { 1110 seq_putc(m, ','); 1111 seq_puts(m, FSCONTEXT_STR); 1112 rc = show_sid(m, sbsec->sid); 1113 if (rc) 1114 return rc; 1115 } 1116 if (sbsec->flags & CONTEXT_MNT) { 1117 seq_putc(m, ','); 1118 seq_puts(m, CONTEXT_STR); 1119 rc = show_sid(m, sbsec->mntpoint_sid); 1120 if (rc) 1121 return rc; 1122 } 1123 if (sbsec->flags & DEFCONTEXT_MNT) { 1124 seq_putc(m, ','); 1125 seq_puts(m, DEFCONTEXT_STR); 1126 rc = show_sid(m, sbsec->def_sid); 1127 if (rc) 1128 return rc; 1129 } 1130 if (sbsec->flags & ROOTCONTEXT_MNT) { 1131 struct dentry *root = sbsec->sb->s_root; 1132 struct inode_security_struct *isec = backing_inode_security(root); 1133 seq_putc(m, ','); 1134 seq_puts(m, ROOTCONTEXT_STR); 1135 rc = show_sid(m, isec->sid); 1136 if (rc) 1137 return rc; 1138 } 1139 if (sbsec->flags & SBLABEL_MNT) { 1140 seq_putc(m, ','); 1141 seq_puts(m, SECLABEL_STR); 1142 } 1143 return 0; 1144 } 1145 1146 static inline u16 inode_mode_to_security_class(umode_t mode) 1147 { 1148 switch (mode & S_IFMT) { 1149 case S_IFSOCK: 1150 return SECCLASS_SOCK_FILE; 1151 case S_IFLNK: 1152 return SECCLASS_LNK_FILE; 1153 case S_IFREG: 1154 return SECCLASS_FILE; 1155 case S_IFBLK: 1156 return SECCLASS_BLK_FILE; 1157 case S_IFDIR: 1158 return SECCLASS_DIR; 1159 case S_IFCHR: 1160 return SECCLASS_CHR_FILE; 1161 case S_IFIFO: 1162 return SECCLASS_FIFO_FILE; 1163 1164 } 1165 1166 return SECCLASS_FILE; 1167 } 1168 1169 static inline int default_protocol_stream(int protocol) 1170 { 1171 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1172 } 1173 1174 static inline int default_protocol_dgram(int protocol) 1175 { 1176 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1177 } 1178 1179 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1180 { 1181 int extsockclass = selinux_policycap_extsockclass(); 1182 1183 switch (family) { 1184 case PF_UNIX: 1185 switch (type) { 1186 case SOCK_STREAM: 1187 case SOCK_SEQPACKET: 1188 return SECCLASS_UNIX_STREAM_SOCKET; 1189 case SOCK_DGRAM: 1190 case SOCK_RAW: 1191 return SECCLASS_UNIX_DGRAM_SOCKET; 1192 } 1193 break; 1194 case PF_INET: 1195 case PF_INET6: 1196 switch (type) { 1197 case SOCK_STREAM: 1198 case SOCK_SEQPACKET: 1199 if (default_protocol_stream(protocol)) 1200 return SECCLASS_TCP_SOCKET; 1201 else if (extsockclass && protocol == IPPROTO_SCTP) 1202 return SECCLASS_SCTP_SOCKET; 1203 else 1204 return SECCLASS_RAWIP_SOCKET; 1205 case SOCK_DGRAM: 1206 if (default_protocol_dgram(protocol)) 1207 return SECCLASS_UDP_SOCKET; 1208 else if (extsockclass && (protocol == IPPROTO_ICMP || 1209 protocol == IPPROTO_ICMPV6)) 1210 return SECCLASS_ICMP_SOCKET; 1211 else 1212 return SECCLASS_RAWIP_SOCKET; 1213 case SOCK_DCCP: 1214 return SECCLASS_DCCP_SOCKET; 1215 default: 1216 return SECCLASS_RAWIP_SOCKET; 1217 } 1218 break; 1219 case PF_NETLINK: 1220 switch (protocol) { 1221 case NETLINK_ROUTE: 1222 return SECCLASS_NETLINK_ROUTE_SOCKET; 1223 case NETLINK_SOCK_DIAG: 1224 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1225 case NETLINK_NFLOG: 1226 return SECCLASS_NETLINK_NFLOG_SOCKET; 1227 case NETLINK_XFRM: 1228 return SECCLASS_NETLINK_XFRM_SOCKET; 1229 case NETLINK_SELINUX: 1230 return SECCLASS_NETLINK_SELINUX_SOCKET; 1231 case NETLINK_ISCSI: 1232 return SECCLASS_NETLINK_ISCSI_SOCKET; 1233 case NETLINK_AUDIT: 1234 return SECCLASS_NETLINK_AUDIT_SOCKET; 1235 case NETLINK_FIB_LOOKUP: 1236 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1237 case NETLINK_CONNECTOR: 1238 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1239 case NETLINK_NETFILTER: 1240 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1241 case NETLINK_DNRTMSG: 1242 return SECCLASS_NETLINK_DNRT_SOCKET; 1243 case NETLINK_KOBJECT_UEVENT: 1244 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1245 case NETLINK_GENERIC: 1246 return SECCLASS_NETLINK_GENERIC_SOCKET; 1247 case NETLINK_SCSITRANSPORT: 1248 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1249 case NETLINK_RDMA: 1250 return SECCLASS_NETLINK_RDMA_SOCKET; 1251 case NETLINK_CRYPTO: 1252 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1253 default: 1254 return SECCLASS_NETLINK_SOCKET; 1255 } 1256 case PF_PACKET: 1257 return SECCLASS_PACKET_SOCKET; 1258 case PF_KEY: 1259 return SECCLASS_KEY_SOCKET; 1260 case PF_APPLETALK: 1261 return SECCLASS_APPLETALK_SOCKET; 1262 } 1263 1264 if (extsockclass) { 1265 switch (family) { 1266 case PF_AX25: 1267 return SECCLASS_AX25_SOCKET; 1268 case PF_IPX: 1269 return SECCLASS_IPX_SOCKET; 1270 case PF_NETROM: 1271 return SECCLASS_NETROM_SOCKET; 1272 case PF_ATMPVC: 1273 return SECCLASS_ATMPVC_SOCKET; 1274 case PF_X25: 1275 return SECCLASS_X25_SOCKET; 1276 case PF_ROSE: 1277 return SECCLASS_ROSE_SOCKET; 1278 case PF_DECnet: 1279 return SECCLASS_DECNET_SOCKET; 1280 case PF_ATMSVC: 1281 return SECCLASS_ATMSVC_SOCKET; 1282 case PF_RDS: 1283 return SECCLASS_RDS_SOCKET; 1284 case PF_IRDA: 1285 return SECCLASS_IRDA_SOCKET; 1286 case PF_PPPOX: 1287 return SECCLASS_PPPOX_SOCKET; 1288 case PF_LLC: 1289 return SECCLASS_LLC_SOCKET; 1290 case PF_CAN: 1291 return SECCLASS_CAN_SOCKET; 1292 case PF_TIPC: 1293 return SECCLASS_TIPC_SOCKET; 1294 case PF_BLUETOOTH: 1295 return SECCLASS_BLUETOOTH_SOCKET; 1296 case PF_IUCV: 1297 return SECCLASS_IUCV_SOCKET; 1298 case PF_RXRPC: 1299 return SECCLASS_RXRPC_SOCKET; 1300 case PF_ISDN: 1301 return SECCLASS_ISDN_SOCKET; 1302 case PF_PHONET: 1303 return SECCLASS_PHONET_SOCKET; 1304 case PF_IEEE802154: 1305 return SECCLASS_IEEE802154_SOCKET; 1306 case PF_CAIF: 1307 return SECCLASS_CAIF_SOCKET; 1308 case PF_ALG: 1309 return SECCLASS_ALG_SOCKET; 1310 case PF_NFC: 1311 return SECCLASS_NFC_SOCKET; 1312 case PF_VSOCK: 1313 return SECCLASS_VSOCK_SOCKET; 1314 case PF_KCM: 1315 return SECCLASS_KCM_SOCKET; 1316 case PF_QIPCRTR: 1317 return SECCLASS_QIPCRTR_SOCKET; 1318 case PF_SMC: 1319 return SECCLASS_SMC_SOCKET; 1320 case PF_XDP: 1321 return SECCLASS_XDP_SOCKET; 1322 #if PF_MAX > 45 1323 #error New address family defined, please update this function. 1324 #endif 1325 } 1326 } 1327 1328 return SECCLASS_SOCKET; 1329 } 1330 1331 static int selinux_genfs_get_sid(struct dentry *dentry, 1332 u16 tclass, 1333 u16 flags, 1334 u32 *sid) 1335 { 1336 int rc; 1337 struct super_block *sb = dentry->d_sb; 1338 char *buffer, *path; 1339 1340 buffer = (char *)__get_free_page(GFP_KERNEL); 1341 if (!buffer) 1342 return -ENOMEM; 1343 1344 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1345 if (IS_ERR(path)) 1346 rc = PTR_ERR(path); 1347 else { 1348 if (flags & SE_SBPROC) { 1349 /* each process gets a /proc/PID/ entry. Strip off the 1350 * PID part to get a valid selinux labeling. 1351 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1352 while (path[1] >= '0' && path[1] <= '9') { 1353 path[1] = '/'; 1354 path++; 1355 } 1356 } 1357 rc = security_genfs_sid(&selinux_state, sb->s_type->name, 1358 path, tclass, sid); 1359 if (rc == -ENOENT) { 1360 /* No match in policy, mark as unlabeled. */ 1361 *sid = SECINITSID_UNLABELED; 1362 rc = 0; 1363 } 1364 } 1365 free_page((unsigned long)buffer); 1366 return rc; 1367 } 1368 1369 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry, 1370 u32 def_sid, u32 *sid) 1371 { 1372 #define INITCONTEXTLEN 255 1373 char *context; 1374 unsigned int len; 1375 int rc; 1376 1377 len = INITCONTEXTLEN; 1378 context = kmalloc(len + 1, GFP_NOFS); 1379 if (!context) 1380 return -ENOMEM; 1381 1382 context[len] = '\0'; 1383 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1384 if (rc == -ERANGE) { 1385 kfree(context); 1386 1387 /* Need a larger buffer. Query for the right size. */ 1388 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1389 if (rc < 0) 1390 return rc; 1391 1392 len = rc; 1393 context = kmalloc(len + 1, GFP_NOFS); 1394 if (!context) 1395 return -ENOMEM; 1396 1397 context[len] = '\0'; 1398 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, 1399 context, len); 1400 } 1401 if (rc < 0) { 1402 kfree(context); 1403 if (rc != -ENODATA) { 1404 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n", 1405 __func__, -rc, inode->i_sb->s_id, inode->i_ino); 1406 return rc; 1407 } 1408 *sid = def_sid; 1409 return 0; 1410 } 1411 1412 rc = security_context_to_sid_default(&selinux_state, context, rc, sid, 1413 def_sid, GFP_NOFS); 1414 if (rc) { 1415 char *dev = inode->i_sb->s_id; 1416 unsigned long ino = inode->i_ino; 1417 1418 if (rc == -EINVAL) { 1419 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n", 1420 ino, dev, context); 1421 } else { 1422 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n", 1423 __func__, context, -rc, dev, ino); 1424 } 1425 } 1426 kfree(context); 1427 return 0; 1428 } 1429 1430 /* The inode's security attributes must be initialized before first use. */ 1431 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1432 { 1433 struct superblock_security_struct *sbsec = NULL; 1434 struct inode_security_struct *isec = selinux_inode(inode); 1435 u32 task_sid, sid = 0; 1436 u16 sclass; 1437 struct dentry *dentry; 1438 int rc = 0; 1439 1440 if (isec->initialized == LABEL_INITIALIZED) 1441 return 0; 1442 1443 spin_lock(&isec->lock); 1444 if (isec->initialized == LABEL_INITIALIZED) 1445 goto out_unlock; 1446 1447 if (isec->sclass == SECCLASS_FILE) 1448 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1449 1450 sbsec = inode->i_sb->s_security; 1451 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1452 /* Defer initialization until selinux_complete_init, 1453 after the initial policy is loaded and the security 1454 server is ready to handle calls. */ 1455 spin_lock(&sbsec->isec_lock); 1456 if (list_empty(&isec->list)) 1457 list_add(&isec->list, &sbsec->isec_head); 1458 spin_unlock(&sbsec->isec_lock); 1459 goto out_unlock; 1460 } 1461 1462 sclass = isec->sclass; 1463 task_sid = isec->task_sid; 1464 sid = isec->sid; 1465 isec->initialized = LABEL_PENDING; 1466 spin_unlock(&isec->lock); 1467 1468 switch (sbsec->behavior) { 1469 case SECURITY_FS_USE_NATIVE: 1470 break; 1471 case SECURITY_FS_USE_XATTR: 1472 if (!(inode->i_opflags & IOP_XATTR)) { 1473 sid = sbsec->def_sid; 1474 break; 1475 } 1476 /* Need a dentry, since the xattr API requires one. 1477 Life would be simpler if we could just pass the inode. */ 1478 if (opt_dentry) { 1479 /* Called from d_instantiate or d_splice_alias. */ 1480 dentry = dget(opt_dentry); 1481 } else { 1482 /* 1483 * Called from selinux_complete_init, try to find a dentry. 1484 * Some filesystems really want a connected one, so try 1485 * that first. We could split SECURITY_FS_USE_XATTR in 1486 * two, depending upon that... 1487 */ 1488 dentry = d_find_alias(inode); 1489 if (!dentry) 1490 dentry = d_find_any_alias(inode); 1491 } 1492 if (!dentry) { 1493 /* 1494 * this is can be hit on boot when a file is accessed 1495 * before the policy is loaded. When we load policy we 1496 * may find inodes that have no dentry on the 1497 * sbsec->isec_head list. No reason to complain as these 1498 * will get fixed up the next time we go through 1499 * inode_doinit with a dentry, before these inodes could 1500 * be used again by userspace. 1501 */ 1502 goto out; 1503 } 1504 1505 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid, 1506 &sid); 1507 dput(dentry); 1508 if (rc) 1509 goto out; 1510 break; 1511 case SECURITY_FS_USE_TASK: 1512 sid = task_sid; 1513 break; 1514 case SECURITY_FS_USE_TRANS: 1515 /* Default to the fs SID. */ 1516 sid = sbsec->sid; 1517 1518 /* Try to obtain a transition SID. */ 1519 rc = security_transition_sid(&selinux_state, task_sid, sid, 1520 sclass, NULL, &sid); 1521 if (rc) 1522 goto out; 1523 break; 1524 case SECURITY_FS_USE_MNTPOINT: 1525 sid = sbsec->mntpoint_sid; 1526 break; 1527 default: 1528 /* Default to the fs superblock SID. */ 1529 sid = sbsec->sid; 1530 1531 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { 1532 /* We must have a dentry to determine the label on 1533 * procfs inodes */ 1534 if (opt_dentry) { 1535 /* Called from d_instantiate or 1536 * d_splice_alias. */ 1537 dentry = dget(opt_dentry); 1538 } else { 1539 /* Called from selinux_complete_init, try to 1540 * find a dentry. Some filesystems really want 1541 * a connected one, so try that first. 1542 */ 1543 dentry = d_find_alias(inode); 1544 if (!dentry) 1545 dentry = d_find_any_alias(inode); 1546 } 1547 /* 1548 * This can be hit on boot when a file is accessed 1549 * before the policy is loaded. When we load policy we 1550 * may find inodes that have no dentry on the 1551 * sbsec->isec_head list. No reason to complain as 1552 * these will get fixed up the next time we go through 1553 * inode_doinit() with a dentry, before these inodes 1554 * could be used again by userspace. 1555 */ 1556 if (!dentry) 1557 goto out; 1558 rc = selinux_genfs_get_sid(dentry, sclass, 1559 sbsec->flags, &sid); 1560 if (rc) { 1561 dput(dentry); 1562 goto out; 1563 } 1564 1565 if ((sbsec->flags & SE_SBGENFS_XATTR) && 1566 (inode->i_opflags & IOP_XATTR)) { 1567 rc = inode_doinit_use_xattr(inode, dentry, 1568 sid, &sid); 1569 if (rc) { 1570 dput(dentry); 1571 goto out; 1572 } 1573 } 1574 dput(dentry); 1575 } 1576 break; 1577 } 1578 1579 out: 1580 spin_lock(&isec->lock); 1581 if (isec->initialized == LABEL_PENDING) { 1582 if (!sid || rc) { 1583 isec->initialized = LABEL_INVALID; 1584 goto out_unlock; 1585 } 1586 1587 isec->initialized = LABEL_INITIALIZED; 1588 isec->sid = sid; 1589 } 1590 1591 out_unlock: 1592 spin_unlock(&isec->lock); 1593 return rc; 1594 } 1595 1596 /* Convert a Linux signal to an access vector. */ 1597 static inline u32 signal_to_av(int sig) 1598 { 1599 u32 perm = 0; 1600 1601 switch (sig) { 1602 case SIGCHLD: 1603 /* Commonly granted from child to parent. */ 1604 perm = PROCESS__SIGCHLD; 1605 break; 1606 case SIGKILL: 1607 /* Cannot be caught or ignored */ 1608 perm = PROCESS__SIGKILL; 1609 break; 1610 case SIGSTOP: 1611 /* Cannot be caught or ignored */ 1612 perm = PROCESS__SIGSTOP; 1613 break; 1614 default: 1615 /* All other signals. */ 1616 perm = PROCESS__SIGNAL; 1617 break; 1618 } 1619 1620 return perm; 1621 } 1622 1623 #if CAP_LAST_CAP > 63 1624 #error Fix SELinux to handle capabilities > 63. 1625 #endif 1626 1627 /* Check whether a task is allowed to use a capability. */ 1628 static int cred_has_capability(const struct cred *cred, 1629 int cap, unsigned int opts, bool initns) 1630 { 1631 struct common_audit_data ad; 1632 struct av_decision avd; 1633 u16 sclass; 1634 u32 sid = cred_sid(cred); 1635 u32 av = CAP_TO_MASK(cap); 1636 int rc; 1637 1638 ad.type = LSM_AUDIT_DATA_CAP; 1639 ad.u.cap = cap; 1640 1641 switch (CAP_TO_INDEX(cap)) { 1642 case 0: 1643 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1644 break; 1645 case 1: 1646 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1647 break; 1648 default: 1649 pr_err("SELinux: out of range capability %d\n", cap); 1650 BUG(); 1651 return -EINVAL; 1652 } 1653 1654 rc = avc_has_perm_noaudit(&selinux_state, 1655 sid, sid, sclass, av, 0, &avd); 1656 if (!(opts & CAP_OPT_NOAUDIT)) { 1657 int rc2 = avc_audit(&selinux_state, 1658 sid, sid, sclass, av, &avd, rc, &ad, 0); 1659 if (rc2) 1660 return rc2; 1661 } 1662 return rc; 1663 } 1664 1665 /* Check whether a task has a particular permission to an inode. 1666 The 'adp' parameter is optional and allows other audit 1667 data to be passed (e.g. the dentry). */ 1668 static int inode_has_perm(const struct cred *cred, 1669 struct inode *inode, 1670 u32 perms, 1671 struct common_audit_data *adp) 1672 { 1673 struct inode_security_struct *isec; 1674 u32 sid; 1675 1676 validate_creds(cred); 1677 1678 if (unlikely(IS_PRIVATE(inode))) 1679 return 0; 1680 1681 sid = cred_sid(cred); 1682 isec = selinux_inode(inode); 1683 1684 return avc_has_perm(&selinux_state, 1685 sid, isec->sid, isec->sclass, perms, adp); 1686 } 1687 1688 /* Same as inode_has_perm, but pass explicit audit data containing 1689 the dentry to help the auditing code to more easily generate the 1690 pathname if needed. */ 1691 static inline int dentry_has_perm(const struct cred *cred, 1692 struct dentry *dentry, 1693 u32 av) 1694 { 1695 struct inode *inode = d_backing_inode(dentry); 1696 struct common_audit_data ad; 1697 1698 ad.type = LSM_AUDIT_DATA_DENTRY; 1699 ad.u.dentry = dentry; 1700 __inode_security_revalidate(inode, dentry, true); 1701 return inode_has_perm(cred, inode, av, &ad); 1702 } 1703 1704 /* Same as inode_has_perm, but pass explicit audit data containing 1705 the path to help the auditing code to more easily generate the 1706 pathname if needed. */ 1707 static inline int path_has_perm(const struct cred *cred, 1708 const struct path *path, 1709 u32 av) 1710 { 1711 struct inode *inode = d_backing_inode(path->dentry); 1712 struct common_audit_data ad; 1713 1714 ad.type = LSM_AUDIT_DATA_PATH; 1715 ad.u.path = *path; 1716 __inode_security_revalidate(inode, path->dentry, true); 1717 return inode_has_perm(cred, inode, av, &ad); 1718 } 1719 1720 /* Same as path_has_perm, but uses the inode from the file struct. */ 1721 static inline int file_path_has_perm(const struct cred *cred, 1722 struct file *file, 1723 u32 av) 1724 { 1725 struct common_audit_data ad; 1726 1727 ad.type = LSM_AUDIT_DATA_FILE; 1728 ad.u.file = file; 1729 return inode_has_perm(cred, file_inode(file), av, &ad); 1730 } 1731 1732 #ifdef CONFIG_BPF_SYSCALL 1733 static int bpf_fd_pass(struct file *file, u32 sid); 1734 #endif 1735 1736 /* Check whether a task can use an open file descriptor to 1737 access an inode in a given way. Check access to the 1738 descriptor itself, and then use dentry_has_perm to 1739 check a particular permission to the file. 1740 Access to the descriptor is implicitly granted if it 1741 has the same SID as the process. If av is zero, then 1742 access to the file is not checked, e.g. for cases 1743 where only the descriptor is affected like seek. */ 1744 static int file_has_perm(const struct cred *cred, 1745 struct file *file, 1746 u32 av) 1747 { 1748 struct file_security_struct *fsec = selinux_file(file); 1749 struct inode *inode = file_inode(file); 1750 struct common_audit_data ad; 1751 u32 sid = cred_sid(cred); 1752 int rc; 1753 1754 ad.type = LSM_AUDIT_DATA_FILE; 1755 ad.u.file = file; 1756 1757 if (sid != fsec->sid) { 1758 rc = avc_has_perm(&selinux_state, 1759 sid, fsec->sid, 1760 SECCLASS_FD, 1761 FD__USE, 1762 &ad); 1763 if (rc) 1764 goto out; 1765 } 1766 1767 #ifdef CONFIG_BPF_SYSCALL 1768 rc = bpf_fd_pass(file, cred_sid(cred)); 1769 if (rc) 1770 return rc; 1771 #endif 1772 1773 /* av is zero if only checking access to the descriptor. */ 1774 rc = 0; 1775 if (av) 1776 rc = inode_has_perm(cred, inode, av, &ad); 1777 1778 out: 1779 return rc; 1780 } 1781 1782 /* 1783 * Determine the label for an inode that might be unioned. 1784 */ 1785 static int 1786 selinux_determine_inode_label(const struct task_security_struct *tsec, 1787 struct inode *dir, 1788 const struct qstr *name, u16 tclass, 1789 u32 *_new_isid) 1790 { 1791 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1792 1793 if ((sbsec->flags & SE_SBINITIALIZED) && 1794 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1795 *_new_isid = sbsec->mntpoint_sid; 1796 } else if ((sbsec->flags & SBLABEL_MNT) && 1797 tsec->create_sid) { 1798 *_new_isid = tsec->create_sid; 1799 } else { 1800 const struct inode_security_struct *dsec = inode_security(dir); 1801 return security_transition_sid(&selinux_state, tsec->sid, 1802 dsec->sid, tclass, 1803 name, _new_isid); 1804 } 1805 1806 return 0; 1807 } 1808 1809 /* Check whether a task can create a file. */ 1810 static int may_create(struct inode *dir, 1811 struct dentry *dentry, 1812 u16 tclass) 1813 { 1814 const struct task_security_struct *tsec = selinux_cred(current_cred()); 1815 struct inode_security_struct *dsec; 1816 struct superblock_security_struct *sbsec; 1817 u32 sid, newsid; 1818 struct common_audit_data ad; 1819 int rc; 1820 1821 dsec = inode_security(dir); 1822 sbsec = dir->i_sb->s_security; 1823 1824 sid = tsec->sid; 1825 1826 ad.type = LSM_AUDIT_DATA_DENTRY; 1827 ad.u.dentry = dentry; 1828 1829 rc = avc_has_perm(&selinux_state, 1830 sid, dsec->sid, SECCLASS_DIR, 1831 DIR__ADD_NAME | DIR__SEARCH, 1832 &ad); 1833 if (rc) 1834 return rc; 1835 1836 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir, 1837 &dentry->d_name, tclass, &newsid); 1838 if (rc) 1839 return rc; 1840 1841 rc = avc_has_perm(&selinux_state, 1842 sid, newsid, tclass, FILE__CREATE, &ad); 1843 if (rc) 1844 return rc; 1845 1846 return avc_has_perm(&selinux_state, 1847 newsid, sbsec->sid, 1848 SECCLASS_FILESYSTEM, 1849 FILESYSTEM__ASSOCIATE, &ad); 1850 } 1851 1852 #define MAY_LINK 0 1853 #define MAY_UNLINK 1 1854 #define MAY_RMDIR 2 1855 1856 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1857 static int may_link(struct inode *dir, 1858 struct dentry *dentry, 1859 int kind) 1860 1861 { 1862 struct inode_security_struct *dsec, *isec; 1863 struct common_audit_data ad; 1864 u32 sid = current_sid(); 1865 u32 av; 1866 int rc; 1867 1868 dsec = inode_security(dir); 1869 isec = backing_inode_security(dentry); 1870 1871 ad.type = LSM_AUDIT_DATA_DENTRY; 1872 ad.u.dentry = dentry; 1873 1874 av = DIR__SEARCH; 1875 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1876 rc = avc_has_perm(&selinux_state, 1877 sid, dsec->sid, SECCLASS_DIR, av, &ad); 1878 if (rc) 1879 return rc; 1880 1881 switch (kind) { 1882 case MAY_LINK: 1883 av = FILE__LINK; 1884 break; 1885 case MAY_UNLINK: 1886 av = FILE__UNLINK; 1887 break; 1888 case MAY_RMDIR: 1889 av = DIR__RMDIR; 1890 break; 1891 default: 1892 pr_warn("SELinux: %s: unrecognized kind %d\n", 1893 __func__, kind); 1894 return 0; 1895 } 1896 1897 rc = avc_has_perm(&selinux_state, 1898 sid, isec->sid, isec->sclass, av, &ad); 1899 return rc; 1900 } 1901 1902 static inline int may_rename(struct inode *old_dir, 1903 struct dentry *old_dentry, 1904 struct inode *new_dir, 1905 struct dentry *new_dentry) 1906 { 1907 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1908 struct common_audit_data ad; 1909 u32 sid = current_sid(); 1910 u32 av; 1911 int old_is_dir, new_is_dir; 1912 int rc; 1913 1914 old_dsec = inode_security(old_dir); 1915 old_isec = backing_inode_security(old_dentry); 1916 old_is_dir = d_is_dir(old_dentry); 1917 new_dsec = inode_security(new_dir); 1918 1919 ad.type = LSM_AUDIT_DATA_DENTRY; 1920 1921 ad.u.dentry = old_dentry; 1922 rc = avc_has_perm(&selinux_state, 1923 sid, old_dsec->sid, SECCLASS_DIR, 1924 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1925 if (rc) 1926 return rc; 1927 rc = avc_has_perm(&selinux_state, 1928 sid, old_isec->sid, 1929 old_isec->sclass, FILE__RENAME, &ad); 1930 if (rc) 1931 return rc; 1932 if (old_is_dir && new_dir != old_dir) { 1933 rc = avc_has_perm(&selinux_state, 1934 sid, old_isec->sid, 1935 old_isec->sclass, DIR__REPARENT, &ad); 1936 if (rc) 1937 return rc; 1938 } 1939 1940 ad.u.dentry = new_dentry; 1941 av = DIR__ADD_NAME | DIR__SEARCH; 1942 if (d_is_positive(new_dentry)) 1943 av |= DIR__REMOVE_NAME; 1944 rc = avc_has_perm(&selinux_state, 1945 sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1946 if (rc) 1947 return rc; 1948 if (d_is_positive(new_dentry)) { 1949 new_isec = backing_inode_security(new_dentry); 1950 new_is_dir = d_is_dir(new_dentry); 1951 rc = avc_has_perm(&selinux_state, 1952 sid, new_isec->sid, 1953 new_isec->sclass, 1954 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1955 if (rc) 1956 return rc; 1957 } 1958 1959 return 0; 1960 } 1961 1962 /* Check whether a task can perform a filesystem operation. */ 1963 static int superblock_has_perm(const struct cred *cred, 1964 struct super_block *sb, 1965 u32 perms, 1966 struct common_audit_data *ad) 1967 { 1968 struct superblock_security_struct *sbsec; 1969 u32 sid = cred_sid(cred); 1970 1971 sbsec = sb->s_security; 1972 return avc_has_perm(&selinux_state, 1973 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1974 } 1975 1976 /* Convert a Linux mode and permission mask to an access vector. */ 1977 static inline u32 file_mask_to_av(int mode, int mask) 1978 { 1979 u32 av = 0; 1980 1981 if (!S_ISDIR(mode)) { 1982 if (mask & MAY_EXEC) 1983 av |= FILE__EXECUTE; 1984 if (mask & MAY_READ) 1985 av |= FILE__READ; 1986 1987 if (mask & MAY_APPEND) 1988 av |= FILE__APPEND; 1989 else if (mask & MAY_WRITE) 1990 av |= FILE__WRITE; 1991 1992 } else { 1993 if (mask & MAY_EXEC) 1994 av |= DIR__SEARCH; 1995 if (mask & MAY_WRITE) 1996 av |= DIR__WRITE; 1997 if (mask & MAY_READ) 1998 av |= DIR__READ; 1999 } 2000 2001 return av; 2002 } 2003 2004 /* Convert a Linux file to an access vector. */ 2005 static inline u32 file_to_av(struct file *file) 2006 { 2007 u32 av = 0; 2008 2009 if (file->f_mode & FMODE_READ) 2010 av |= FILE__READ; 2011 if (file->f_mode & FMODE_WRITE) { 2012 if (file->f_flags & O_APPEND) 2013 av |= FILE__APPEND; 2014 else 2015 av |= FILE__WRITE; 2016 } 2017 if (!av) { 2018 /* 2019 * Special file opened with flags 3 for ioctl-only use. 2020 */ 2021 av = FILE__IOCTL; 2022 } 2023 2024 return av; 2025 } 2026 2027 /* 2028 * Convert a file to an access vector and include the correct open 2029 * open permission. 2030 */ 2031 static inline u32 open_file_to_av(struct file *file) 2032 { 2033 u32 av = file_to_av(file); 2034 struct inode *inode = file_inode(file); 2035 2036 if (selinux_policycap_openperm() && 2037 inode->i_sb->s_magic != SOCKFS_MAGIC) 2038 av |= FILE__OPEN; 2039 2040 return av; 2041 } 2042 2043 /* Hook functions begin here. */ 2044 2045 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2046 { 2047 u32 mysid = current_sid(); 2048 u32 mgrsid = task_sid(mgr); 2049 2050 return avc_has_perm(&selinux_state, 2051 mysid, mgrsid, SECCLASS_BINDER, 2052 BINDER__SET_CONTEXT_MGR, NULL); 2053 } 2054 2055 static int selinux_binder_transaction(struct task_struct *from, 2056 struct task_struct *to) 2057 { 2058 u32 mysid = current_sid(); 2059 u32 fromsid = task_sid(from); 2060 u32 tosid = task_sid(to); 2061 int rc; 2062 2063 if (mysid != fromsid) { 2064 rc = avc_has_perm(&selinux_state, 2065 mysid, fromsid, SECCLASS_BINDER, 2066 BINDER__IMPERSONATE, NULL); 2067 if (rc) 2068 return rc; 2069 } 2070 2071 return avc_has_perm(&selinux_state, 2072 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2073 NULL); 2074 } 2075 2076 static int selinux_binder_transfer_binder(struct task_struct *from, 2077 struct task_struct *to) 2078 { 2079 u32 fromsid = task_sid(from); 2080 u32 tosid = task_sid(to); 2081 2082 return avc_has_perm(&selinux_state, 2083 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2084 NULL); 2085 } 2086 2087 static int selinux_binder_transfer_file(struct task_struct *from, 2088 struct task_struct *to, 2089 struct file *file) 2090 { 2091 u32 sid = task_sid(to); 2092 struct file_security_struct *fsec = selinux_file(file); 2093 struct dentry *dentry = file->f_path.dentry; 2094 struct inode_security_struct *isec; 2095 struct common_audit_data ad; 2096 int rc; 2097 2098 ad.type = LSM_AUDIT_DATA_PATH; 2099 ad.u.path = file->f_path; 2100 2101 if (sid != fsec->sid) { 2102 rc = avc_has_perm(&selinux_state, 2103 sid, fsec->sid, 2104 SECCLASS_FD, 2105 FD__USE, 2106 &ad); 2107 if (rc) 2108 return rc; 2109 } 2110 2111 #ifdef CONFIG_BPF_SYSCALL 2112 rc = bpf_fd_pass(file, sid); 2113 if (rc) 2114 return rc; 2115 #endif 2116 2117 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2118 return 0; 2119 2120 isec = backing_inode_security(dentry); 2121 return avc_has_perm(&selinux_state, 2122 sid, isec->sid, isec->sclass, file_to_av(file), 2123 &ad); 2124 } 2125 2126 static int selinux_ptrace_access_check(struct task_struct *child, 2127 unsigned int mode) 2128 { 2129 u32 sid = current_sid(); 2130 u32 csid = task_sid(child); 2131 2132 if (mode & PTRACE_MODE_READ) 2133 return avc_has_perm(&selinux_state, 2134 sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2135 2136 return avc_has_perm(&selinux_state, 2137 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2138 } 2139 2140 static int selinux_ptrace_traceme(struct task_struct *parent) 2141 { 2142 return avc_has_perm(&selinux_state, 2143 task_sid(parent), current_sid(), SECCLASS_PROCESS, 2144 PROCESS__PTRACE, NULL); 2145 } 2146 2147 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2148 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2149 { 2150 return avc_has_perm(&selinux_state, 2151 current_sid(), task_sid(target), SECCLASS_PROCESS, 2152 PROCESS__GETCAP, NULL); 2153 } 2154 2155 static int selinux_capset(struct cred *new, const struct cred *old, 2156 const kernel_cap_t *effective, 2157 const kernel_cap_t *inheritable, 2158 const kernel_cap_t *permitted) 2159 { 2160 return avc_has_perm(&selinux_state, 2161 cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2162 PROCESS__SETCAP, NULL); 2163 } 2164 2165 /* 2166 * (This comment used to live with the selinux_task_setuid hook, 2167 * which was removed). 2168 * 2169 * Since setuid only affects the current process, and since the SELinux 2170 * controls are not based on the Linux identity attributes, SELinux does not 2171 * need to control this operation. However, SELinux does control the use of 2172 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2173 */ 2174 2175 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2176 int cap, unsigned int opts) 2177 { 2178 return cred_has_capability(cred, cap, opts, ns == &init_user_ns); 2179 } 2180 2181 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2182 { 2183 const struct cred *cred = current_cred(); 2184 int rc = 0; 2185 2186 if (!sb) 2187 return 0; 2188 2189 switch (cmds) { 2190 case Q_SYNC: 2191 case Q_QUOTAON: 2192 case Q_QUOTAOFF: 2193 case Q_SETINFO: 2194 case Q_SETQUOTA: 2195 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2196 break; 2197 case Q_GETFMT: 2198 case Q_GETINFO: 2199 case Q_GETQUOTA: 2200 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2201 break; 2202 default: 2203 rc = 0; /* let the kernel handle invalid cmds */ 2204 break; 2205 } 2206 return rc; 2207 } 2208 2209 static int selinux_quota_on(struct dentry *dentry) 2210 { 2211 const struct cred *cred = current_cred(); 2212 2213 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2214 } 2215 2216 static int selinux_syslog(int type) 2217 { 2218 switch (type) { 2219 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2220 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2221 return avc_has_perm(&selinux_state, 2222 current_sid(), SECINITSID_KERNEL, 2223 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2224 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2225 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2226 /* Set level of messages printed to console */ 2227 case SYSLOG_ACTION_CONSOLE_LEVEL: 2228 return avc_has_perm(&selinux_state, 2229 current_sid(), SECINITSID_KERNEL, 2230 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2231 NULL); 2232 } 2233 /* All other syslog types */ 2234 return avc_has_perm(&selinux_state, 2235 current_sid(), SECINITSID_KERNEL, 2236 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2237 } 2238 2239 /* 2240 * Check that a process has enough memory to allocate a new virtual 2241 * mapping. 0 means there is enough memory for the allocation to 2242 * succeed and -ENOMEM implies there is not. 2243 * 2244 * Do not audit the selinux permission check, as this is applied to all 2245 * processes that allocate mappings. 2246 */ 2247 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2248 { 2249 int rc, cap_sys_admin = 0; 2250 2251 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2252 CAP_OPT_NOAUDIT, true); 2253 if (rc == 0) 2254 cap_sys_admin = 1; 2255 2256 return cap_sys_admin; 2257 } 2258 2259 /* binprm security operations */ 2260 2261 static u32 ptrace_parent_sid(void) 2262 { 2263 u32 sid = 0; 2264 struct task_struct *tracer; 2265 2266 rcu_read_lock(); 2267 tracer = ptrace_parent(current); 2268 if (tracer) 2269 sid = task_sid(tracer); 2270 rcu_read_unlock(); 2271 2272 return sid; 2273 } 2274 2275 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2276 const struct task_security_struct *old_tsec, 2277 const struct task_security_struct *new_tsec) 2278 { 2279 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2280 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2281 int rc; 2282 u32 av; 2283 2284 if (!nnp && !nosuid) 2285 return 0; /* neither NNP nor nosuid */ 2286 2287 if (new_tsec->sid == old_tsec->sid) 2288 return 0; /* No change in credentials */ 2289 2290 /* 2291 * If the policy enables the nnp_nosuid_transition policy capability, 2292 * then we permit transitions under NNP or nosuid if the 2293 * policy allows the corresponding permission between 2294 * the old and new contexts. 2295 */ 2296 if (selinux_policycap_nnp_nosuid_transition()) { 2297 av = 0; 2298 if (nnp) 2299 av |= PROCESS2__NNP_TRANSITION; 2300 if (nosuid) 2301 av |= PROCESS2__NOSUID_TRANSITION; 2302 rc = avc_has_perm(&selinux_state, 2303 old_tsec->sid, new_tsec->sid, 2304 SECCLASS_PROCESS2, av, NULL); 2305 if (!rc) 2306 return 0; 2307 } 2308 2309 /* 2310 * We also permit NNP or nosuid transitions to bounded SIDs, 2311 * i.e. SIDs that are guaranteed to only be allowed a subset 2312 * of the permissions of the current SID. 2313 */ 2314 rc = security_bounded_transition(&selinux_state, old_tsec->sid, 2315 new_tsec->sid); 2316 if (!rc) 2317 return 0; 2318 2319 /* 2320 * On failure, preserve the errno values for NNP vs nosuid. 2321 * NNP: Operation not permitted for caller. 2322 * nosuid: Permission denied to file. 2323 */ 2324 if (nnp) 2325 return -EPERM; 2326 return -EACCES; 2327 } 2328 2329 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2330 { 2331 const struct task_security_struct *old_tsec; 2332 struct task_security_struct *new_tsec; 2333 struct inode_security_struct *isec; 2334 struct common_audit_data ad; 2335 struct inode *inode = file_inode(bprm->file); 2336 int rc; 2337 2338 /* SELinux context only depends on initial program or script and not 2339 * the script interpreter */ 2340 if (bprm->called_set_creds) 2341 return 0; 2342 2343 old_tsec = selinux_cred(current_cred()); 2344 new_tsec = selinux_cred(bprm->cred); 2345 isec = inode_security(inode); 2346 2347 /* Default to the current task SID. */ 2348 new_tsec->sid = old_tsec->sid; 2349 new_tsec->osid = old_tsec->sid; 2350 2351 /* Reset fs, key, and sock SIDs on execve. */ 2352 new_tsec->create_sid = 0; 2353 new_tsec->keycreate_sid = 0; 2354 new_tsec->sockcreate_sid = 0; 2355 2356 if (old_tsec->exec_sid) { 2357 new_tsec->sid = old_tsec->exec_sid; 2358 /* Reset exec SID on execve. */ 2359 new_tsec->exec_sid = 0; 2360 2361 /* Fail on NNP or nosuid if not an allowed transition. */ 2362 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2363 if (rc) 2364 return rc; 2365 } else { 2366 /* Check for a default transition on this program. */ 2367 rc = security_transition_sid(&selinux_state, old_tsec->sid, 2368 isec->sid, SECCLASS_PROCESS, NULL, 2369 &new_tsec->sid); 2370 if (rc) 2371 return rc; 2372 2373 /* 2374 * Fallback to old SID on NNP or nosuid if not an allowed 2375 * transition. 2376 */ 2377 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2378 if (rc) 2379 new_tsec->sid = old_tsec->sid; 2380 } 2381 2382 ad.type = LSM_AUDIT_DATA_FILE; 2383 ad.u.file = bprm->file; 2384 2385 if (new_tsec->sid == old_tsec->sid) { 2386 rc = avc_has_perm(&selinux_state, 2387 old_tsec->sid, isec->sid, 2388 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2389 if (rc) 2390 return rc; 2391 } else { 2392 /* Check permissions for the transition. */ 2393 rc = avc_has_perm(&selinux_state, 2394 old_tsec->sid, new_tsec->sid, 2395 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2396 if (rc) 2397 return rc; 2398 2399 rc = avc_has_perm(&selinux_state, 2400 new_tsec->sid, isec->sid, 2401 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2402 if (rc) 2403 return rc; 2404 2405 /* Check for shared state */ 2406 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2407 rc = avc_has_perm(&selinux_state, 2408 old_tsec->sid, new_tsec->sid, 2409 SECCLASS_PROCESS, PROCESS__SHARE, 2410 NULL); 2411 if (rc) 2412 return -EPERM; 2413 } 2414 2415 /* Make sure that anyone attempting to ptrace over a task that 2416 * changes its SID has the appropriate permit */ 2417 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2418 u32 ptsid = ptrace_parent_sid(); 2419 if (ptsid != 0) { 2420 rc = avc_has_perm(&selinux_state, 2421 ptsid, new_tsec->sid, 2422 SECCLASS_PROCESS, 2423 PROCESS__PTRACE, NULL); 2424 if (rc) 2425 return -EPERM; 2426 } 2427 } 2428 2429 /* Clear any possibly unsafe personality bits on exec: */ 2430 bprm->per_clear |= PER_CLEAR_ON_SETID; 2431 2432 /* Enable secure mode for SIDs transitions unless 2433 the noatsecure permission is granted between 2434 the two SIDs, i.e. ahp returns 0. */ 2435 rc = avc_has_perm(&selinux_state, 2436 old_tsec->sid, new_tsec->sid, 2437 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2438 NULL); 2439 bprm->secureexec |= !!rc; 2440 } 2441 2442 return 0; 2443 } 2444 2445 static int match_file(const void *p, struct file *file, unsigned fd) 2446 { 2447 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2448 } 2449 2450 /* Derived from fs/exec.c:flush_old_files. */ 2451 static inline void flush_unauthorized_files(const struct cred *cred, 2452 struct files_struct *files) 2453 { 2454 struct file *file, *devnull = NULL; 2455 struct tty_struct *tty; 2456 int drop_tty = 0; 2457 unsigned n; 2458 2459 tty = get_current_tty(); 2460 if (tty) { 2461 spin_lock(&tty->files_lock); 2462 if (!list_empty(&tty->tty_files)) { 2463 struct tty_file_private *file_priv; 2464 2465 /* Revalidate access to controlling tty. 2466 Use file_path_has_perm on the tty path directly 2467 rather than using file_has_perm, as this particular 2468 open file may belong to another process and we are 2469 only interested in the inode-based check here. */ 2470 file_priv = list_first_entry(&tty->tty_files, 2471 struct tty_file_private, list); 2472 file = file_priv->file; 2473 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2474 drop_tty = 1; 2475 } 2476 spin_unlock(&tty->files_lock); 2477 tty_kref_put(tty); 2478 } 2479 /* Reset controlling tty. */ 2480 if (drop_tty) 2481 no_tty(); 2482 2483 /* Revalidate access to inherited open files. */ 2484 n = iterate_fd(files, 0, match_file, cred); 2485 if (!n) /* none found? */ 2486 return; 2487 2488 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2489 if (IS_ERR(devnull)) 2490 devnull = NULL; 2491 /* replace all the matching ones with this */ 2492 do { 2493 replace_fd(n - 1, devnull, 0); 2494 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2495 if (devnull) 2496 fput(devnull); 2497 } 2498 2499 /* 2500 * Prepare a process for imminent new credential changes due to exec 2501 */ 2502 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2503 { 2504 struct task_security_struct *new_tsec; 2505 struct rlimit *rlim, *initrlim; 2506 int rc, i; 2507 2508 new_tsec = selinux_cred(bprm->cred); 2509 if (new_tsec->sid == new_tsec->osid) 2510 return; 2511 2512 /* Close files for which the new task SID is not authorized. */ 2513 flush_unauthorized_files(bprm->cred, current->files); 2514 2515 /* Always clear parent death signal on SID transitions. */ 2516 current->pdeath_signal = 0; 2517 2518 /* Check whether the new SID can inherit resource limits from the old 2519 * SID. If not, reset all soft limits to the lower of the current 2520 * task's hard limit and the init task's soft limit. 2521 * 2522 * Note that the setting of hard limits (even to lower them) can be 2523 * controlled by the setrlimit check. The inclusion of the init task's 2524 * soft limit into the computation is to avoid resetting soft limits 2525 * higher than the default soft limit for cases where the default is 2526 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2527 */ 2528 rc = avc_has_perm(&selinux_state, 2529 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2530 PROCESS__RLIMITINH, NULL); 2531 if (rc) { 2532 /* protect against do_prlimit() */ 2533 task_lock(current); 2534 for (i = 0; i < RLIM_NLIMITS; i++) { 2535 rlim = current->signal->rlim + i; 2536 initrlim = init_task.signal->rlim + i; 2537 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2538 } 2539 task_unlock(current); 2540 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2541 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2542 } 2543 } 2544 2545 /* 2546 * Clean up the process immediately after the installation of new credentials 2547 * due to exec 2548 */ 2549 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2550 { 2551 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2552 u32 osid, sid; 2553 int rc; 2554 2555 osid = tsec->osid; 2556 sid = tsec->sid; 2557 2558 if (sid == osid) 2559 return; 2560 2561 /* Check whether the new SID can inherit signal state from the old SID. 2562 * If not, clear itimers to avoid subsequent signal generation and 2563 * flush and unblock signals. 2564 * 2565 * This must occur _after_ the task SID has been updated so that any 2566 * kill done after the flush will be checked against the new SID. 2567 */ 2568 rc = avc_has_perm(&selinux_state, 2569 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2570 if (rc) { 2571 clear_itimer(); 2572 2573 spin_lock_irq(¤t->sighand->siglock); 2574 if (!fatal_signal_pending(current)) { 2575 flush_sigqueue(¤t->pending); 2576 flush_sigqueue(¤t->signal->shared_pending); 2577 flush_signal_handlers(current, 1); 2578 sigemptyset(¤t->blocked); 2579 recalc_sigpending(); 2580 } 2581 spin_unlock_irq(¤t->sighand->siglock); 2582 } 2583 2584 /* Wake up the parent if it is waiting so that it can recheck 2585 * wait permission to the new task SID. */ 2586 read_lock(&tasklist_lock); 2587 __wake_up_parent(current, current->real_parent); 2588 read_unlock(&tasklist_lock); 2589 } 2590 2591 /* superblock security operations */ 2592 2593 static int selinux_sb_alloc_security(struct super_block *sb) 2594 { 2595 return superblock_alloc_security(sb); 2596 } 2597 2598 static void selinux_sb_free_security(struct super_block *sb) 2599 { 2600 superblock_free_security(sb); 2601 } 2602 2603 static inline int opt_len(const char *s) 2604 { 2605 bool open_quote = false; 2606 int len; 2607 char c; 2608 2609 for (len = 0; (c = s[len]) != '\0'; len++) { 2610 if (c == '"') 2611 open_quote = !open_quote; 2612 if (c == ',' && !open_quote) 2613 break; 2614 } 2615 return len; 2616 } 2617 2618 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) 2619 { 2620 char *from = options; 2621 char *to = options; 2622 bool first = true; 2623 int rc; 2624 2625 while (1) { 2626 int len = opt_len(from); 2627 int token; 2628 char *arg = NULL; 2629 2630 token = match_opt_prefix(from, len, &arg); 2631 2632 if (token != Opt_error) { 2633 char *p, *q; 2634 2635 /* strip quotes */ 2636 if (arg) { 2637 for (p = q = arg; p < from + len; p++) { 2638 char c = *p; 2639 if (c != '"') 2640 *q++ = c; 2641 } 2642 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); 2643 if (!arg) { 2644 rc = -ENOMEM; 2645 goto free_opt; 2646 } 2647 } 2648 rc = selinux_add_opt(token, arg, mnt_opts); 2649 if (unlikely(rc)) { 2650 kfree(arg); 2651 goto free_opt; 2652 } 2653 } else { 2654 if (!first) { // copy with preceding comma 2655 from--; 2656 len++; 2657 } 2658 if (to != from) 2659 memmove(to, from, len); 2660 to += len; 2661 first = false; 2662 } 2663 if (!from[len]) 2664 break; 2665 from += len + 1; 2666 } 2667 *to = '\0'; 2668 return 0; 2669 2670 free_opt: 2671 if (*mnt_opts) { 2672 selinux_free_mnt_opts(*mnt_opts); 2673 *mnt_opts = NULL; 2674 } 2675 return rc; 2676 } 2677 2678 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) 2679 { 2680 struct selinux_mnt_opts *opts = mnt_opts; 2681 struct superblock_security_struct *sbsec = sb->s_security; 2682 u32 sid; 2683 int rc; 2684 2685 if (!(sbsec->flags & SE_SBINITIALIZED)) 2686 return 0; 2687 2688 if (!opts) 2689 return 0; 2690 2691 if (opts->fscontext) { 2692 rc = parse_sid(sb, opts->fscontext, &sid); 2693 if (rc) 2694 return rc; 2695 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2696 goto out_bad_option; 2697 } 2698 if (opts->context) { 2699 rc = parse_sid(sb, opts->context, &sid); 2700 if (rc) 2701 return rc; 2702 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2703 goto out_bad_option; 2704 } 2705 if (opts->rootcontext) { 2706 struct inode_security_struct *root_isec; 2707 root_isec = backing_inode_security(sb->s_root); 2708 rc = parse_sid(sb, opts->rootcontext, &sid); 2709 if (rc) 2710 return rc; 2711 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2712 goto out_bad_option; 2713 } 2714 if (opts->defcontext) { 2715 rc = parse_sid(sb, opts->defcontext, &sid); 2716 if (rc) 2717 return rc; 2718 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2719 goto out_bad_option; 2720 } 2721 return 0; 2722 2723 out_bad_option: 2724 pr_warn("SELinux: unable to change security options " 2725 "during remount (dev %s, type=%s)\n", sb->s_id, 2726 sb->s_type->name); 2727 return -EINVAL; 2728 } 2729 2730 static int selinux_sb_kern_mount(struct super_block *sb) 2731 { 2732 const struct cred *cred = current_cred(); 2733 struct common_audit_data ad; 2734 2735 ad.type = LSM_AUDIT_DATA_DENTRY; 2736 ad.u.dentry = sb->s_root; 2737 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2738 } 2739 2740 static int selinux_sb_statfs(struct dentry *dentry) 2741 { 2742 const struct cred *cred = current_cred(); 2743 struct common_audit_data ad; 2744 2745 ad.type = LSM_AUDIT_DATA_DENTRY; 2746 ad.u.dentry = dentry->d_sb->s_root; 2747 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2748 } 2749 2750 static int selinux_mount(const char *dev_name, 2751 const struct path *path, 2752 const char *type, 2753 unsigned long flags, 2754 void *data) 2755 { 2756 const struct cred *cred = current_cred(); 2757 2758 if (flags & MS_REMOUNT) 2759 return superblock_has_perm(cred, path->dentry->d_sb, 2760 FILESYSTEM__REMOUNT, NULL); 2761 else 2762 return path_has_perm(cred, path, FILE__MOUNTON); 2763 } 2764 2765 static int selinux_umount(struct vfsmount *mnt, int flags) 2766 { 2767 const struct cred *cred = current_cred(); 2768 2769 return superblock_has_perm(cred, mnt->mnt_sb, 2770 FILESYSTEM__UNMOUNT, NULL); 2771 } 2772 2773 static int selinux_fs_context_dup(struct fs_context *fc, 2774 struct fs_context *src_fc) 2775 { 2776 const struct selinux_mnt_opts *src = src_fc->security; 2777 struct selinux_mnt_opts *opts; 2778 2779 if (!src) 2780 return 0; 2781 2782 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL); 2783 if (!fc->security) 2784 return -ENOMEM; 2785 2786 opts = fc->security; 2787 2788 if (src->fscontext) { 2789 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL); 2790 if (!opts->fscontext) 2791 return -ENOMEM; 2792 } 2793 if (src->context) { 2794 opts->context = kstrdup(src->context, GFP_KERNEL); 2795 if (!opts->context) 2796 return -ENOMEM; 2797 } 2798 if (src->rootcontext) { 2799 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL); 2800 if (!opts->rootcontext) 2801 return -ENOMEM; 2802 } 2803 if (src->defcontext) { 2804 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL); 2805 if (!opts->defcontext) 2806 return -ENOMEM; 2807 } 2808 return 0; 2809 } 2810 2811 static const struct fs_parameter_spec selinux_param_specs[] = { 2812 fsparam_string(CONTEXT_STR, Opt_context), 2813 fsparam_string(DEFCONTEXT_STR, Opt_defcontext), 2814 fsparam_string(FSCONTEXT_STR, Opt_fscontext), 2815 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext), 2816 fsparam_flag (SECLABEL_STR, Opt_seclabel), 2817 {} 2818 }; 2819 2820 static const struct fs_parameter_description selinux_fs_parameters = { 2821 .name = "SELinux", 2822 .specs = selinux_param_specs, 2823 }; 2824 2825 static int selinux_fs_context_parse_param(struct fs_context *fc, 2826 struct fs_parameter *param) 2827 { 2828 struct fs_parse_result result; 2829 int opt, rc; 2830 2831 opt = fs_parse(fc, &selinux_fs_parameters, param, &result); 2832 if (opt < 0) 2833 return opt; 2834 2835 rc = selinux_add_opt(opt, param->string, &fc->security); 2836 if (!rc) { 2837 param->string = NULL; 2838 rc = 1; 2839 } 2840 return rc; 2841 } 2842 2843 /* inode security operations */ 2844 2845 static int selinux_inode_alloc_security(struct inode *inode) 2846 { 2847 return inode_alloc_security(inode); 2848 } 2849 2850 static void selinux_inode_free_security(struct inode *inode) 2851 { 2852 inode_free_security(inode); 2853 } 2854 2855 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2856 const struct qstr *name, void **ctx, 2857 u32 *ctxlen) 2858 { 2859 u32 newsid; 2860 int rc; 2861 2862 rc = selinux_determine_inode_label(selinux_cred(current_cred()), 2863 d_inode(dentry->d_parent), name, 2864 inode_mode_to_security_class(mode), 2865 &newsid); 2866 if (rc) 2867 return rc; 2868 2869 return security_sid_to_context(&selinux_state, newsid, (char **)ctx, 2870 ctxlen); 2871 } 2872 2873 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2874 struct qstr *name, 2875 const struct cred *old, 2876 struct cred *new) 2877 { 2878 u32 newsid; 2879 int rc; 2880 struct task_security_struct *tsec; 2881 2882 rc = selinux_determine_inode_label(selinux_cred(old), 2883 d_inode(dentry->d_parent), name, 2884 inode_mode_to_security_class(mode), 2885 &newsid); 2886 if (rc) 2887 return rc; 2888 2889 tsec = selinux_cred(new); 2890 tsec->create_sid = newsid; 2891 return 0; 2892 } 2893 2894 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2895 const struct qstr *qstr, 2896 const char **name, 2897 void **value, size_t *len) 2898 { 2899 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2900 struct superblock_security_struct *sbsec; 2901 u32 newsid, clen; 2902 int rc; 2903 char *context; 2904 2905 sbsec = dir->i_sb->s_security; 2906 2907 newsid = tsec->create_sid; 2908 2909 rc = selinux_determine_inode_label(selinux_cred(current_cred()), 2910 dir, qstr, 2911 inode_mode_to_security_class(inode->i_mode), 2912 &newsid); 2913 if (rc) 2914 return rc; 2915 2916 /* Possibly defer initialization to selinux_complete_init. */ 2917 if (sbsec->flags & SE_SBINITIALIZED) { 2918 struct inode_security_struct *isec = selinux_inode(inode); 2919 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2920 isec->sid = newsid; 2921 isec->initialized = LABEL_INITIALIZED; 2922 } 2923 2924 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT)) 2925 return -EOPNOTSUPP; 2926 2927 if (name) 2928 *name = XATTR_SELINUX_SUFFIX; 2929 2930 if (value && len) { 2931 rc = security_sid_to_context_force(&selinux_state, newsid, 2932 &context, &clen); 2933 if (rc) 2934 return rc; 2935 *value = context; 2936 *len = clen; 2937 } 2938 2939 return 0; 2940 } 2941 2942 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 2943 { 2944 return may_create(dir, dentry, SECCLASS_FILE); 2945 } 2946 2947 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2948 { 2949 return may_link(dir, old_dentry, MAY_LINK); 2950 } 2951 2952 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2953 { 2954 return may_link(dir, dentry, MAY_UNLINK); 2955 } 2956 2957 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2958 { 2959 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2960 } 2961 2962 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 2963 { 2964 return may_create(dir, dentry, SECCLASS_DIR); 2965 } 2966 2967 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2968 { 2969 return may_link(dir, dentry, MAY_RMDIR); 2970 } 2971 2972 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 2973 { 2974 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2975 } 2976 2977 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2978 struct inode *new_inode, struct dentry *new_dentry) 2979 { 2980 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2981 } 2982 2983 static int selinux_inode_readlink(struct dentry *dentry) 2984 { 2985 const struct cred *cred = current_cred(); 2986 2987 return dentry_has_perm(cred, dentry, FILE__READ); 2988 } 2989 2990 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 2991 bool rcu) 2992 { 2993 const struct cred *cred = current_cred(); 2994 struct common_audit_data ad; 2995 struct inode_security_struct *isec; 2996 u32 sid; 2997 2998 validate_creds(cred); 2999 3000 ad.type = LSM_AUDIT_DATA_DENTRY; 3001 ad.u.dentry = dentry; 3002 sid = cred_sid(cred); 3003 isec = inode_security_rcu(inode, rcu); 3004 if (IS_ERR(isec)) 3005 return PTR_ERR(isec); 3006 3007 return avc_has_perm_flags(&selinux_state, 3008 sid, isec->sid, isec->sclass, FILE__READ, &ad, 3009 rcu ? MAY_NOT_BLOCK : 0); 3010 } 3011 3012 static noinline int audit_inode_permission(struct inode *inode, 3013 u32 perms, u32 audited, u32 denied, 3014 int result, 3015 unsigned flags) 3016 { 3017 struct common_audit_data ad; 3018 struct inode_security_struct *isec = selinux_inode(inode); 3019 int rc; 3020 3021 ad.type = LSM_AUDIT_DATA_INODE; 3022 ad.u.inode = inode; 3023 3024 rc = slow_avc_audit(&selinux_state, 3025 current_sid(), isec->sid, isec->sclass, perms, 3026 audited, denied, result, &ad, flags); 3027 if (rc) 3028 return rc; 3029 return 0; 3030 } 3031 3032 static int selinux_inode_permission(struct inode *inode, int mask) 3033 { 3034 const struct cred *cred = current_cred(); 3035 u32 perms; 3036 bool from_access; 3037 unsigned flags = mask & MAY_NOT_BLOCK; 3038 struct inode_security_struct *isec; 3039 u32 sid; 3040 struct av_decision avd; 3041 int rc, rc2; 3042 u32 audited, denied; 3043 3044 from_access = mask & MAY_ACCESS; 3045 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3046 3047 /* No permission to check. Existence test. */ 3048 if (!mask) 3049 return 0; 3050 3051 validate_creds(cred); 3052 3053 if (unlikely(IS_PRIVATE(inode))) 3054 return 0; 3055 3056 perms = file_mask_to_av(inode->i_mode, mask); 3057 3058 sid = cred_sid(cred); 3059 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK); 3060 if (IS_ERR(isec)) 3061 return PTR_ERR(isec); 3062 3063 rc = avc_has_perm_noaudit(&selinux_state, 3064 sid, isec->sid, isec->sclass, perms, 3065 (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0, 3066 &avd); 3067 audited = avc_audit_required(perms, &avd, rc, 3068 from_access ? FILE__AUDIT_ACCESS : 0, 3069 &denied); 3070 if (likely(!audited)) 3071 return rc; 3072 3073 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); 3074 if (rc2) 3075 return rc2; 3076 return rc; 3077 } 3078 3079 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3080 { 3081 const struct cred *cred = current_cred(); 3082 struct inode *inode = d_backing_inode(dentry); 3083 unsigned int ia_valid = iattr->ia_valid; 3084 __u32 av = FILE__WRITE; 3085 3086 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3087 if (ia_valid & ATTR_FORCE) { 3088 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3089 ATTR_FORCE); 3090 if (!ia_valid) 3091 return 0; 3092 } 3093 3094 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3095 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3096 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3097 3098 if (selinux_policycap_openperm() && 3099 inode->i_sb->s_magic != SOCKFS_MAGIC && 3100 (ia_valid & ATTR_SIZE) && 3101 !(ia_valid & ATTR_FILE)) 3102 av |= FILE__OPEN; 3103 3104 return dentry_has_perm(cred, dentry, av); 3105 } 3106 3107 static int selinux_inode_getattr(const struct path *path) 3108 { 3109 return path_has_perm(current_cred(), path, FILE__GETATTR); 3110 } 3111 3112 static bool has_cap_mac_admin(bool audit) 3113 { 3114 const struct cred *cred = current_cred(); 3115 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT; 3116 3117 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts)) 3118 return false; 3119 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true)) 3120 return false; 3121 return true; 3122 } 3123 3124 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3125 const void *value, size_t size, int flags) 3126 { 3127 struct inode *inode = d_backing_inode(dentry); 3128 struct inode_security_struct *isec; 3129 struct superblock_security_struct *sbsec; 3130 struct common_audit_data ad; 3131 u32 newsid, sid = current_sid(); 3132 int rc = 0; 3133 3134 if (strcmp(name, XATTR_NAME_SELINUX)) { 3135 rc = cap_inode_setxattr(dentry, name, value, size, flags); 3136 if (rc) 3137 return rc; 3138 3139 /* Not an attribute we recognize, so just check the 3140 ordinary setattr permission. */ 3141 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3142 } 3143 3144 if (!selinux_state.initialized) 3145 return (inode_owner_or_capable(inode) ? 0 : -EPERM); 3146 3147 sbsec = inode->i_sb->s_security; 3148 if (!(sbsec->flags & SBLABEL_MNT)) 3149 return -EOPNOTSUPP; 3150 3151 if (!inode_owner_or_capable(inode)) 3152 return -EPERM; 3153 3154 ad.type = LSM_AUDIT_DATA_DENTRY; 3155 ad.u.dentry = dentry; 3156 3157 isec = backing_inode_security(dentry); 3158 rc = avc_has_perm(&selinux_state, 3159 sid, isec->sid, isec->sclass, 3160 FILE__RELABELFROM, &ad); 3161 if (rc) 3162 return rc; 3163 3164 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3165 GFP_KERNEL); 3166 if (rc == -EINVAL) { 3167 if (!has_cap_mac_admin(true)) { 3168 struct audit_buffer *ab; 3169 size_t audit_size; 3170 3171 /* We strip a nul only if it is at the end, otherwise the 3172 * context contains a nul and we should audit that */ 3173 if (value) { 3174 const char *str = value; 3175 3176 if (str[size - 1] == '\0') 3177 audit_size = size - 1; 3178 else 3179 audit_size = size; 3180 } else { 3181 audit_size = 0; 3182 } 3183 ab = audit_log_start(audit_context(), 3184 GFP_ATOMIC, AUDIT_SELINUX_ERR); 3185 audit_log_format(ab, "op=setxattr invalid_context="); 3186 audit_log_n_untrustedstring(ab, value, audit_size); 3187 audit_log_end(ab); 3188 3189 return rc; 3190 } 3191 rc = security_context_to_sid_force(&selinux_state, value, 3192 size, &newsid); 3193 } 3194 if (rc) 3195 return rc; 3196 3197 rc = avc_has_perm(&selinux_state, 3198 sid, newsid, isec->sclass, 3199 FILE__RELABELTO, &ad); 3200 if (rc) 3201 return rc; 3202 3203 rc = security_validate_transition(&selinux_state, isec->sid, newsid, 3204 sid, isec->sclass); 3205 if (rc) 3206 return rc; 3207 3208 return avc_has_perm(&selinux_state, 3209 newsid, 3210 sbsec->sid, 3211 SECCLASS_FILESYSTEM, 3212 FILESYSTEM__ASSOCIATE, 3213 &ad); 3214 } 3215 3216 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3217 const void *value, size_t size, 3218 int flags) 3219 { 3220 struct inode *inode = d_backing_inode(dentry); 3221 struct inode_security_struct *isec; 3222 u32 newsid; 3223 int rc; 3224 3225 if (strcmp(name, XATTR_NAME_SELINUX)) { 3226 /* Not an attribute we recognize, so nothing to do. */ 3227 return; 3228 } 3229 3230 if (!selinux_state.initialized) { 3231 /* If we haven't even been initialized, then we can't validate 3232 * against a policy, so leave the label as invalid. It may 3233 * resolve to a valid label on the next revalidation try if 3234 * we've since initialized. 3235 */ 3236 return; 3237 } 3238 3239 rc = security_context_to_sid_force(&selinux_state, value, size, 3240 &newsid); 3241 if (rc) { 3242 pr_err("SELinux: unable to map context to SID" 3243 "for (%s, %lu), rc=%d\n", 3244 inode->i_sb->s_id, inode->i_ino, -rc); 3245 return; 3246 } 3247 3248 isec = backing_inode_security(dentry); 3249 spin_lock(&isec->lock); 3250 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3251 isec->sid = newsid; 3252 isec->initialized = LABEL_INITIALIZED; 3253 spin_unlock(&isec->lock); 3254 3255 return; 3256 } 3257 3258 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3259 { 3260 const struct cred *cred = current_cred(); 3261 3262 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3263 } 3264 3265 static int selinux_inode_listxattr(struct dentry *dentry) 3266 { 3267 const struct cred *cred = current_cred(); 3268 3269 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3270 } 3271 3272 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3273 { 3274 if (strcmp(name, XATTR_NAME_SELINUX)) { 3275 int rc = cap_inode_removexattr(dentry, name); 3276 if (rc) 3277 return rc; 3278 3279 /* Not an attribute we recognize, so just check the 3280 ordinary setattr permission. */ 3281 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3282 } 3283 3284 /* No one is allowed to remove a SELinux security label. 3285 You can change the label, but all data must be labeled. */ 3286 return -EACCES; 3287 } 3288 3289 static int selinux_path_notify(const struct path *path, u64 mask, 3290 unsigned int obj_type) 3291 { 3292 int ret; 3293 u32 perm; 3294 3295 struct common_audit_data ad; 3296 3297 ad.type = LSM_AUDIT_DATA_PATH; 3298 ad.u.path = *path; 3299 3300 /* 3301 * Set permission needed based on the type of mark being set. 3302 * Performs an additional check for sb watches. 3303 */ 3304 switch (obj_type) { 3305 case FSNOTIFY_OBJ_TYPE_VFSMOUNT: 3306 perm = FILE__WATCH_MOUNT; 3307 break; 3308 case FSNOTIFY_OBJ_TYPE_SB: 3309 perm = FILE__WATCH_SB; 3310 ret = superblock_has_perm(current_cred(), path->dentry->d_sb, 3311 FILESYSTEM__WATCH, &ad); 3312 if (ret) 3313 return ret; 3314 break; 3315 case FSNOTIFY_OBJ_TYPE_INODE: 3316 perm = FILE__WATCH; 3317 break; 3318 default: 3319 return -EINVAL; 3320 } 3321 3322 /* blocking watches require the file:watch_with_perm permission */ 3323 if (mask & (ALL_FSNOTIFY_PERM_EVENTS)) 3324 perm |= FILE__WATCH_WITH_PERM; 3325 3326 /* watches on read-like events need the file:watch_reads permission */ 3327 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE)) 3328 perm |= FILE__WATCH_READS; 3329 3330 return path_has_perm(current_cred(), path, perm); 3331 } 3332 3333 /* 3334 * Copy the inode security context value to the user. 3335 * 3336 * Permission check is handled by selinux_inode_getxattr hook. 3337 */ 3338 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3339 { 3340 u32 size; 3341 int error; 3342 char *context = NULL; 3343 struct inode_security_struct *isec; 3344 3345 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3346 return -EOPNOTSUPP; 3347 3348 /* 3349 * If the caller has CAP_MAC_ADMIN, then get the raw context 3350 * value even if it is not defined by current policy; otherwise, 3351 * use the in-core value under current policy. 3352 * Use the non-auditing forms of the permission checks since 3353 * getxattr may be called by unprivileged processes commonly 3354 * and lack of permission just means that we fall back to the 3355 * in-core context value, not a denial. 3356 */ 3357 isec = inode_security(inode); 3358 if (has_cap_mac_admin(false)) 3359 error = security_sid_to_context_force(&selinux_state, 3360 isec->sid, &context, 3361 &size); 3362 else 3363 error = security_sid_to_context(&selinux_state, isec->sid, 3364 &context, &size); 3365 if (error) 3366 return error; 3367 error = size; 3368 if (alloc) { 3369 *buffer = context; 3370 goto out_nofree; 3371 } 3372 kfree(context); 3373 out_nofree: 3374 return error; 3375 } 3376 3377 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3378 const void *value, size_t size, int flags) 3379 { 3380 struct inode_security_struct *isec = inode_security_novalidate(inode); 3381 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 3382 u32 newsid; 3383 int rc; 3384 3385 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3386 return -EOPNOTSUPP; 3387 3388 if (!(sbsec->flags & SBLABEL_MNT)) 3389 return -EOPNOTSUPP; 3390 3391 if (!value || !size) 3392 return -EACCES; 3393 3394 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3395 GFP_KERNEL); 3396 if (rc) 3397 return rc; 3398 3399 spin_lock(&isec->lock); 3400 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3401 isec->sid = newsid; 3402 isec->initialized = LABEL_INITIALIZED; 3403 spin_unlock(&isec->lock); 3404 return 0; 3405 } 3406 3407 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3408 { 3409 const int len = sizeof(XATTR_NAME_SELINUX); 3410 if (buffer && len <= buffer_size) 3411 memcpy(buffer, XATTR_NAME_SELINUX, len); 3412 return len; 3413 } 3414 3415 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3416 { 3417 struct inode_security_struct *isec = inode_security_novalidate(inode); 3418 *secid = isec->sid; 3419 } 3420 3421 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3422 { 3423 u32 sid; 3424 struct task_security_struct *tsec; 3425 struct cred *new_creds = *new; 3426 3427 if (new_creds == NULL) { 3428 new_creds = prepare_creds(); 3429 if (!new_creds) 3430 return -ENOMEM; 3431 } 3432 3433 tsec = selinux_cred(new_creds); 3434 /* Get label from overlay inode and set it in create_sid */ 3435 selinux_inode_getsecid(d_inode(src), &sid); 3436 tsec->create_sid = sid; 3437 *new = new_creds; 3438 return 0; 3439 } 3440 3441 static int selinux_inode_copy_up_xattr(const char *name) 3442 { 3443 /* The copy_up hook above sets the initial context on an inode, but we 3444 * don't then want to overwrite it by blindly copying all the lower 3445 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3446 */ 3447 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3448 return 1; /* Discard */ 3449 /* 3450 * Any other attribute apart from SELINUX is not claimed, supported 3451 * by selinux. 3452 */ 3453 return -EOPNOTSUPP; 3454 } 3455 3456 /* kernfs node operations */ 3457 3458 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, 3459 struct kernfs_node *kn) 3460 { 3461 const struct task_security_struct *tsec = selinux_cred(current_cred()); 3462 u32 parent_sid, newsid, clen; 3463 int rc; 3464 char *context; 3465 3466 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0); 3467 if (rc == -ENODATA) 3468 return 0; 3469 else if (rc < 0) 3470 return rc; 3471 3472 clen = (u32)rc; 3473 context = kmalloc(clen, GFP_KERNEL); 3474 if (!context) 3475 return -ENOMEM; 3476 3477 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen); 3478 if (rc < 0) { 3479 kfree(context); 3480 return rc; 3481 } 3482 3483 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid, 3484 GFP_KERNEL); 3485 kfree(context); 3486 if (rc) 3487 return rc; 3488 3489 if (tsec->create_sid) { 3490 newsid = tsec->create_sid; 3491 } else { 3492 u16 secclass = inode_mode_to_security_class(kn->mode); 3493 struct qstr q; 3494 3495 q.name = kn->name; 3496 q.hash_len = hashlen_string(kn_dir, kn->name); 3497 3498 rc = security_transition_sid(&selinux_state, tsec->sid, 3499 parent_sid, secclass, &q, 3500 &newsid); 3501 if (rc) 3502 return rc; 3503 } 3504 3505 rc = security_sid_to_context_force(&selinux_state, newsid, 3506 &context, &clen); 3507 if (rc) 3508 return rc; 3509 3510 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen, 3511 XATTR_CREATE); 3512 kfree(context); 3513 return rc; 3514 } 3515 3516 3517 /* file security operations */ 3518 3519 static int selinux_revalidate_file_permission(struct file *file, int mask) 3520 { 3521 const struct cred *cred = current_cred(); 3522 struct inode *inode = file_inode(file); 3523 3524 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3525 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3526 mask |= MAY_APPEND; 3527 3528 return file_has_perm(cred, file, 3529 file_mask_to_av(inode->i_mode, mask)); 3530 } 3531 3532 static int selinux_file_permission(struct file *file, int mask) 3533 { 3534 struct inode *inode = file_inode(file); 3535 struct file_security_struct *fsec = selinux_file(file); 3536 struct inode_security_struct *isec; 3537 u32 sid = current_sid(); 3538 3539 if (!mask) 3540 /* No permission to check. Existence test. */ 3541 return 0; 3542 3543 isec = inode_security(inode); 3544 if (sid == fsec->sid && fsec->isid == isec->sid && 3545 fsec->pseqno == avc_policy_seqno(&selinux_state)) 3546 /* No change since file_open check. */ 3547 return 0; 3548 3549 return selinux_revalidate_file_permission(file, mask); 3550 } 3551 3552 static int selinux_file_alloc_security(struct file *file) 3553 { 3554 return file_alloc_security(file); 3555 } 3556 3557 /* 3558 * Check whether a task has the ioctl permission and cmd 3559 * operation to an inode. 3560 */ 3561 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3562 u32 requested, u16 cmd) 3563 { 3564 struct common_audit_data ad; 3565 struct file_security_struct *fsec = selinux_file(file); 3566 struct inode *inode = file_inode(file); 3567 struct inode_security_struct *isec; 3568 struct lsm_ioctlop_audit ioctl; 3569 u32 ssid = cred_sid(cred); 3570 int rc; 3571 u8 driver = cmd >> 8; 3572 u8 xperm = cmd & 0xff; 3573 3574 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3575 ad.u.op = &ioctl; 3576 ad.u.op->cmd = cmd; 3577 ad.u.op->path = file->f_path; 3578 3579 if (ssid != fsec->sid) { 3580 rc = avc_has_perm(&selinux_state, 3581 ssid, fsec->sid, 3582 SECCLASS_FD, 3583 FD__USE, 3584 &ad); 3585 if (rc) 3586 goto out; 3587 } 3588 3589 if (unlikely(IS_PRIVATE(inode))) 3590 return 0; 3591 3592 isec = inode_security(inode); 3593 rc = avc_has_extended_perms(&selinux_state, 3594 ssid, isec->sid, isec->sclass, 3595 requested, driver, xperm, &ad); 3596 out: 3597 return rc; 3598 } 3599 3600 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3601 unsigned long arg) 3602 { 3603 const struct cred *cred = current_cred(); 3604 int error = 0; 3605 3606 switch (cmd) { 3607 case FIONREAD: 3608 /* fall through */ 3609 case FIBMAP: 3610 /* fall through */ 3611 case FIGETBSZ: 3612 /* fall through */ 3613 case FS_IOC_GETFLAGS: 3614 /* fall through */ 3615 case FS_IOC_GETVERSION: 3616 error = file_has_perm(cred, file, FILE__GETATTR); 3617 break; 3618 3619 case FS_IOC_SETFLAGS: 3620 /* fall through */ 3621 case FS_IOC_SETVERSION: 3622 error = file_has_perm(cred, file, FILE__SETATTR); 3623 break; 3624 3625 /* sys_ioctl() checks */ 3626 case FIONBIO: 3627 /* fall through */ 3628 case FIOASYNC: 3629 error = file_has_perm(cred, file, 0); 3630 break; 3631 3632 case KDSKBENT: 3633 case KDSKBSENT: 3634 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3635 CAP_OPT_NONE, true); 3636 break; 3637 3638 /* default case assumes that the command will go 3639 * to the file's ioctl() function. 3640 */ 3641 default: 3642 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3643 } 3644 return error; 3645 } 3646 3647 static int default_noexec; 3648 3649 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3650 { 3651 const struct cred *cred = current_cred(); 3652 u32 sid = cred_sid(cred); 3653 int rc = 0; 3654 3655 if (default_noexec && 3656 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3657 (!shared && (prot & PROT_WRITE)))) { 3658 /* 3659 * We are making executable an anonymous mapping or a 3660 * private file mapping that will also be writable. 3661 * This has an additional check. 3662 */ 3663 rc = avc_has_perm(&selinux_state, 3664 sid, sid, SECCLASS_PROCESS, 3665 PROCESS__EXECMEM, NULL); 3666 if (rc) 3667 goto error; 3668 } 3669 3670 if (file) { 3671 /* read access is always possible with a mapping */ 3672 u32 av = FILE__READ; 3673 3674 /* write access only matters if the mapping is shared */ 3675 if (shared && (prot & PROT_WRITE)) 3676 av |= FILE__WRITE; 3677 3678 if (prot & PROT_EXEC) 3679 av |= FILE__EXECUTE; 3680 3681 return file_has_perm(cred, file, av); 3682 } 3683 3684 error: 3685 return rc; 3686 } 3687 3688 static int selinux_mmap_addr(unsigned long addr) 3689 { 3690 int rc = 0; 3691 3692 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3693 u32 sid = current_sid(); 3694 rc = avc_has_perm(&selinux_state, 3695 sid, sid, SECCLASS_MEMPROTECT, 3696 MEMPROTECT__MMAP_ZERO, NULL); 3697 } 3698 3699 return rc; 3700 } 3701 3702 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3703 unsigned long prot, unsigned long flags) 3704 { 3705 struct common_audit_data ad; 3706 int rc; 3707 3708 if (file) { 3709 ad.type = LSM_AUDIT_DATA_FILE; 3710 ad.u.file = file; 3711 rc = inode_has_perm(current_cred(), file_inode(file), 3712 FILE__MAP, &ad); 3713 if (rc) 3714 return rc; 3715 } 3716 3717 if (selinux_state.checkreqprot) 3718 prot = reqprot; 3719 3720 return file_map_prot_check(file, prot, 3721 (flags & MAP_TYPE) == MAP_SHARED); 3722 } 3723 3724 static int selinux_file_mprotect(struct vm_area_struct *vma, 3725 unsigned long reqprot, 3726 unsigned long prot) 3727 { 3728 const struct cred *cred = current_cred(); 3729 u32 sid = cred_sid(cred); 3730 3731 if (selinux_state.checkreqprot) 3732 prot = reqprot; 3733 3734 if (default_noexec && 3735 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3736 int rc = 0; 3737 if (vma->vm_start >= vma->vm_mm->start_brk && 3738 vma->vm_end <= vma->vm_mm->brk) { 3739 rc = avc_has_perm(&selinux_state, 3740 sid, sid, SECCLASS_PROCESS, 3741 PROCESS__EXECHEAP, NULL); 3742 } else if (!vma->vm_file && 3743 ((vma->vm_start <= vma->vm_mm->start_stack && 3744 vma->vm_end >= vma->vm_mm->start_stack) || 3745 vma_is_stack_for_current(vma))) { 3746 rc = avc_has_perm(&selinux_state, 3747 sid, sid, SECCLASS_PROCESS, 3748 PROCESS__EXECSTACK, NULL); 3749 } else if (vma->vm_file && vma->anon_vma) { 3750 /* 3751 * We are making executable a file mapping that has 3752 * had some COW done. Since pages might have been 3753 * written, check ability to execute the possibly 3754 * modified content. This typically should only 3755 * occur for text relocations. 3756 */ 3757 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3758 } 3759 if (rc) 3760 return rc; 3761 } 3762 3763 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3764 } 3765 3766 static int selinux_file_lock(struct file *file, unsigned int cmd) 3767 { 3768 const struct cred *cred = current_cred(); 3769 3770 return file_has_perm(cred, file, FILE__LOCK); 3771 } 3772 3773 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3774 unsigned long arg) 3775 { 3776 const struct cred *cred = current_cred(); 3777 int err = 0; 3778 3779 switch (cmd) { 3780 case F_SETFL: 3781 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3782 err = file_has_perm(cred, file, FILE__WRITE); 3783 break; 3784 } 3785 /* fall through */ 3786 case F_SETOWN: 3787 case F_SETSIG: 3788 case F_GETFL: 3789 case F_GETOWN: 3790 case F_GETSIG: 3791 case F_GETOWNER_UIDS: 3792 /* Just check FD__USE permission */ 3793 err = file_has_perm(cred, file, 0); 3794 break; 3795 case F_GETLK: 3796 case F_SETLK: 3797 case F_SETLKW: 3798 case F_OFD_GETLK: 3799 case F_OFD_SETLK: 3800 case F_OFD_SETLKW: 3801 #if BITS_PER_LONG == 32 3802 case F_GETLK64: 3803 case F_SETLK64: 3804 case F_SETLKW64: 3805 #endif 3806 err = file_has_perm(cred, file, FILE__LOCK); 3807 break; 3808 } 3809 3810 return err; 3811 } 3812 3813 static void selinux_file_set_fowner(struct file *file) 3814 { 3815 struct file_security_struct *fsec; 3816 3817 fsec = selinux_file(file); 3818 fsec->fown_sid = current_sid(); 3819 } 3820 3821 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3822 struct fown_struct *fown, int signum) 3823 { 3824 struct file *file; 3825 u32 sid = task_sid(tsk); 3826 u32 perm; 3827 struct file_security_struct *fsec; 3828 3829 /* struct fown_struct is never outside the context of a struct file */ 3830 file = container_of(fown, struct file, f_owner); 3831 3832 fsec = selinux_file(file); 3833 3834 if (!signum) 3835 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3836 else 3837 perm = signal_to_av(signum); 3838 3839 return avc_has_perm(&selinux_state, 3840 fsec->fown_sid, sid, 3841 SECCLASS_PROCESS, perm, NULL); 3842 } 3843 3844 static int selinux_file_receive(struct file *file) 3845 { 3846 const struct cred *cred = current_cred(); 3847 3848 return file_has_perm(cred, file, file_to_av(file)); 3849 } 3850 3851 static int selinux_file_open(struct file *file) 3852 { 3853 struct file_security_struct *fsec; 3854 struct inode_security_struct *isec; 3855 3856 fsec = selinux_file(file); 3857 isec = inode_security(file_inode(file)); 3858 /* 3859 * Save inode label and policy sequence number 3860 * at open-time so that selinux_file_permission 3861 * can determine whether revalidation is necessary. 3862 * Task label is already saved in the file security 3863 * struct as its SID. 3864 */ 3865 fsec->isid = isec->sid; 3866 fsec->pseqno = avc_policy_seqno(&selinux_state); 3867 /* 3868 * Since the inode label or policy seqno may have changed 3869 * between the selinux_inode_permission check and the saving 3870 * of state above, recheck that access is still permitted. 3871 * Otherwise, access might never be revalidated against the 3872 * new inode label or new policy. 3873 * This check is not redundant - do not remove. 3874 */ 3875 return file_path_has_perm(file->f_cred, file, open_file_to_av(file)); 3876 } 3877 3878 /* task security operations */ 3879 3880 static int selinux_task_alloc(struct task_struct *task, 3881 unsigned long clone_flags) 3882 { 3883 u32 sid = current_sid(); 3884 3885 return avc_has_perm(&selinux_state, 3886 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3887 } 3888 3889 /* 3890 * prepare a new set of credentials for modification 3891 */ 3892 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3893 gfp_t gfp) 3894 { 3895 const struct task_security_struct *old_tsec = selinux_cred(old); 3896 struct task_security_struct *tsec = selinux_cred(new); 3897 3898 *tsec = *old_tsec; 3899 return 0; 3900 } 3901 3902 /* 3903 * transfer the SELinux data to a blank set of creds 3904 */ 3905 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3906 { 3907 const struct task_security_struct *old_tsec = selinux_cred(old); 3908 struct task_security_struct *tsec = selinux_cred(new); 3909 3910 *tsec = *old_tsec; 3911 } 3912 3913 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 3914 { 3915 *secid = cred_sid(c); 3916 } 3917 3918 /* 3919 * set the security data for a kernel service 3920 * - all the creation contexts are set to unlabelled 3921 */ 3922 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3923 { 3924 struct task_security_struct *tsec = selinux_cred(new); 3925 u32 sid = current_sid(); 3926 int ret; 3927 3928 ret = avc_has_perm(&selinux_state, 3929 sid, secid, 3930 SECCLASS_KERNEL_SERVICE, 3931 KERNEL_SERVICE__USE_AS_OVERRIDE, 3932 NULL); 3933 if (ret == 0) { 3934 tsec->sid = secid; 3935 tsec->create_sid = 0; 3936 tsec->keycreate_sid = 0; 3937 tsec->sockcreate_sid = 0; 3938 } 3939 return ret; 3940 } 3941 3942 /* 3943 * set the file creation context in a security record to the same as the 3944 * objective context of the specified inode 3945 */ 3946 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3947 { 3948 struct inode_security_struct *isec = inode_security(inode); 3949 struct task_security_struct *tsec = selinux_cred(new); 3950 u32 sid = current_sid(); 3951 int ret; 3952 3953 ret = avc_has_perm(&selinux_state, 3954 sid, isec->sid, 3955 SECCLASS_KERNEL_SERVICE, 3956 KERNEL_SERVICE__CREATE_FILES_AS, 3957 NULL); 3958 3959 if (ret == 0) 3960 tsec->create_sid = isec->sid; 3961 return ret; 3962 } 3963 3964 static int selinux_kernel_module_request(char *kmod_name) 3965 { 3966 struct common_audit_data ad; 3967 3968 ad.type = LSM_AUDIT_DATA_KMOD; 3969 ad.u.kmod_name = kmod_name; 3970 3971 return avc_has_perm(&selinux_state, 3972 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 3973 SYSTEM__MODULE_REQUEST, &ad); 3974 } 3975 3976 static int selinux_kernel_module_from_file(struct file *file) 3977 { 3978 struct common_audit_data ad; 3979 struct inode_security_struct *isec; 3980 struct file_security_struct *fsec; 3981 u32 sid = current_sid(); 3982 int rc; 3983 3984 /* init_module */ 3985 if (file == NULL) 3986 return avc_has_perm(&selinux_state, 3987 sid, sid, SECCLASS_SYSTEM, 3988 SYSTEM__MODULE_LOAD, NULL); 3989 3990 /* finit_module */ 3991 3992 ad.type = LSM_AUDIT_DATA_FILE; 3993 ad.u.file = file; 3994 3995 fsec = selinux_file(file); 3996 if (sid != fsec->sid) { 3997 rc = avc_has_perm(&selinux_state, 3998 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 3999 if (rc) 4000 return rc; 4001 } 4002 4003 isec = inode_security(file_inode(file)); 4004 return avc_has_perm(&selinux_state, 4005 sid, isec->sid, SECCLASS_SYSTEM, 4006 SYSTEM__MODULE_LOAD, &ad); 4007 } 4008 4009 static int selinux_kernel_read_file(struct file *file, 4010 enum kernel_read_file_id id) 4011 { 4012 int rc = 0; 4013 4014 switch (id) { 4015 case READING_MODULE: 4016 rc = selinux_kernel_module_from_file(file); 4017 break; 4018 default: 4019 break; 4020 } 4021 4022 return rc; 4023 } 4024 4025 static int selinux_kernel_load_data(enum kernel_load_data_id id) 4026 { 4027 int rc = 0; 4028 4029 switch (id) { 4030 case LOADING_MODULE: 4031 rc = selinux_kernel_module_from_file(NULL); 4032 default: 4033 break; 4034 } 4035 4036 return rc; 4037 } 4038 4039 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4040 { 4041 return avc_has_perm(&selinux_state, 4042 current_sid(), task_sid(p), SECCLASS_PROCESS, 4043 PROCESS__SETPGID, NULL); 4044 } 4045 4046 static int selinux_task_getpgid(struct task_struct *p) 4047 { 4048 return avc_has_perm(&selinux_state, 4049 current_sid(), task_sid(p), SECCLASS_PROCESS, 4050 PROCESS__GETPGID, NULL); 4051 } 4052 4053 static int selinux_task_getsid(struct task_struct *p) 4054 { 4055 return avc_has_perm(&selinux_state, 4056 current_sid(), task_sid(p), SECCLASS_PROCESS, 4057 PROCESS__GETSESSION, NULL); 4058 } 4059 4060 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 4061 { 4062 *secid = task_sid(p); 4063 } 4064 4065 static int selinux_task_setnice(struct task_struct *p, int nice) 4066 { 4067 return avc_has_perm(&selinux_state, 4068 current_sid(), task_sid(p), SECCLASS_PROCESS, 4069 PROCESS__SETSCHED, NULL); 4070 } 4071 4072 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4073 { 4074 return avc_has_perm(&selinux_state, 4075 current_sid(), task_sid(p), SECCLASS_PROCESS, 4076 PROCESS__SETSCHED, NULL); 4077 } 4078 4079 static int selinux_task_getioprio(struct task_struct *p) 4080 { 4081 return avc_has_perm(&selinux_state, 4082 current_sid(), task_sid(p), SECCLASS_PROCESS, 4083 PROCESS__GETSCHED, NULL); 4084 } 4085 4086 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4087 unsigned int flags) 4088 { 4089 u32 av = 0; 4090 4091 if (!flags) 4092 return 0; 4093 if (flags & LSM_PRLIMIT_WRITE) 4094 av |= PROCESS__SETRLIMIT; 4095 if (flags & LSM_PRLIMIT_READ) 4096 av |= PROCESS__GETRLIMIT; 4097 return avc_has_perm(&selinux_state, 4098 cred_sid(cred), cred_sid(tcred), 4099 SECCLASS_PROCESS, av, NULL); 4100 } 4101 4102 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4103 struct rlimit *new_rlim) 4104 { 4105 struct rlimit *old_rlim = p->signal->rlim + resource; 4106 4107 /* Control the ability to change the hard limit (whether 4108 lowering or raising it), so that the hard limit can 4109 later be used as a safe reset point for the soft limit 4110 upon context transitions. See selinux_bprm_committing_creds. */ 4111 if (old_rlim->rlim_max != new_rlim->rlim_max) 4112 return avc_has_perm(&selinux_state, 4113 current_sid(), task_sid(p), 4114 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4115 4116 return 0; 4117 } 4118 4119 static int selinux_task_setscheduler(struct task_struct *p) 4120 { 4121 return avc_has_perm(&selinux_state, 4122 current_sid(), task_sid(p), SECCLASS_PROCESS, 4123 PROCESS__SETSCHED, NULL); 4124 } 4125 4126 static int selinux_task_getscheduler(struct task_struct *p) 4127 { 4128 return avc_has_perm(&selinux_state, 4129 current_sid(), task_sid(p), SECCLASS_PROCESS, 4130 PROCESS__GETSCHED, NULL); 4131 } 4132 4133 static int selinux_task_movememory(struct task_struct *p) 4134 { 4135 return avc_has_perm(&selinux_state, 4136 current_sid(), task_sid(p), SECCLASS_PROCESS, 4137 PROCESS__SETSCHED, NULL); 4138 } 4139 4140 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, 4141 int sig, const struct cred *cred) 4142 { 4143 u32 secid; 4144 u32 perm; 4145 4146 if (!sig) 4147 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4148 else 4149 perm = signal_to_av(sig); 4150 if (!cred) 4151 secid = current_sid(); 4152 else 4153 secid = cred_sid(cred); 4154 return avc_has_perm(&selinux_state, 4155 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4156 } 4157 4158 static void selinux_task_to_inode(struct task_struct *p, 4159 struct inode *inode) 4160 { 4161 struct inode_security_struct *isec = selinux_inode(inode); 4162 u32 sid = task_sid(p); 4163 4164 spin_lock(&isec->lock); 4165 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4166 isec->sid = sid; 4167 isec->initialized = LABEL_INITIALIZED; 4168 spin_unlock(&isec->lock); 4169 } 4170 4171 /* Returns error only if unable to parse addresses */ 4172 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4173 struct common_audit_data *ad, u8 *proto) 4174 { 4175 int offset, ihlen, ret = -EINVAL; 4176 struct iphdr _iph, *ih; 4177 4178 offset = skb_network_offset(skb); 4179 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4180 if (ih == NULL) 4181 goto out; 4182 4183 ihlen = ih->ihl * 4; 4184 if (ihlen < sizeof(_iph)) 4185 goto out; 4186 4187 ad->u.net->v4info.saddr = ih->saddr; 4188 ad->u.net->v4info.daddr = ih->daddr; 4189 ret = 0; 4190 4191 if (proto) 4192 *proto = ih->protocol; 4193 4194 switch (ih->protocol) { 4195 case IPPROTO_TCP: { 4196 struct tcphdr _tcph, *th; 4197 4198 if (ntohs(ih->frag_off) & IP_OFFSET) 4199 break; 4200 4201 offset += ihlen; 4202 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4203 if (th == NULL) 4204 break; 4205 4206 ad->u.net->sport = th->source; 4207 ad->u.net->dport = th->dest; 4208 break; 4209 } 4210 4211 case IPPROTO_UDP: { 4212 struct udphdr _udph, *uh; 4213 4214 if (ntohs(ih->frag_off) & IP_OFFSET) 4215 break; 4216 4217 offset += ihlen; 4218 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4219 if (uh == NULL) 4220 break; 4221 4222 ad->u.net->sport = uh->source; 4223 ad->u.net->dport = uh->dest; 4224 break; 4225 } 4226 4227 case IPPROTO_DCCP: { 4228 struct dccp_hdr _dccph, *dh; 4229 4230 if (ntohs(ih->frag_off) & IP_OFFSET) 4231 break; 4232 4233 offset += ihlen; 4234 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4235 if (dh == NULL) 4236 break; 4237 4238 ad->u.net->sport = dh->dccph_sport; 4239 ad->u.net->dport = dh->dccph_dport; 4240 break; 4241 } 4242 4243 #if IS_ENABLED(CONFIG_IP_SCTP) 4244 case IPPROTO_SCTP: { 4245 struct sctphdr _sctph, *sh; 4246 4247 if (ntohs(ih->frag_off) & IP_OFFSET) 4248 break; 4249 4250 offset += ihlen; 4251 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4252 if (sh == NULL) 4253 break; 4254 4255 ad->u.net->sport = sh->source; 4256 ad->u.net->dport = sh->dest; 4257 break; 4258 } 4259 #endif 4260 default: 4261 break; 4262 } 4263 out: 4264 return ret; 4265 } 4266 4267 #if IS_ENABLED(CONFIG_IPV6) 4268 4269 /* Returns error only if unable to parse addresses */ 4270 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4271 struct common_audit_data *ad, u8 *proto) 4272 { 4273 u8 nexthdr; 4274 int ret = -EINVAL, offset; 4275 struct ipv6hdr _ipv6h, *ip6; 4276 __be16 frag_off; 4277 4278 offset = skb_network_offset(skb); 4279 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4280 if (ip6 == NULL) 4281 goto out; 4282 4283 ad->u.net->v6info.saddr = ip6->saddr; 4284 ad->u.net->v6info.daddr = ip6->daddr; 4285 ret = 0; 4286 4287 nexthdr = ip6->nexthdr; 4288 offset += sizeof(_ipv6h); 4289 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4290 if (offset < 0) 4291 goto out; 4292 4293 if (proto) 4294 *proto = nexthdr; 4295 4296 switch (nexthdr) { 4297 case IPPROTO_TCP: { 4298 struct tcphdr _tcph, *th; 4299 4300 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4301 if (th == NULL) 4302 break; 4303 4304 ad->u.net->sport = th->source; 4305 ad->u.net->dport = th->dest; 4306 break; 4307 } 4308 4309 case IPPROTO_UDP: { 4310 struct udphdr _udph, *uh; 4311 4312 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4313 if (uh == NULL) 4314 break; 4315 4316 ad->u.net->sport = uh->source; 4317 ad->u.net->dport = uh->dest; 4318 break; 4319 } 4320 4321 case IPPROTO_DCCP: { 4322 struct dccp_hdr _dccph, *dh; 4323 4324 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4325 if (dh == NULL) 4326 break; 4327 4328 ad->u.net->sport = dh->dccph_sport; 4329 ad->u.net->dport = dh->dccph_dport; 4330 break; 4331 } 4332 4333 #if IS_ENABLED(CONFIG_IP_SCTP) 4334 case IPPROTO_SCTP: { 4335 struct sctphdr _sctph, *sh; 4336 4337 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4338 if (sh == NULL) 4339 break; 4340 4341 ad->u.net->sport = sh->source; 4342 ad->u.net->dport = sh->dest; 4343 break; 4344 } 4345 #endif 4346 /* includes fragments */ 4347 default: 4348 break; 4349 } 4350 out: 4351 return ret; 4352 } 4353 4354 #endif /* IPV6 */ 4355 4356 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4357 char **_addrp, int src, u8 *proto) 4358 { 4359 char *addrp; 4360 int ret; 4361 4362 switch (ad->u.net->family) { 4363 case PF_INET: 4364 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4365 if (ret) 4366 goto parse_error; 4367 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4368 &ad->u.net->v4info.daddr); 4369 goto okay; 4370 4371 #if IS_ENABLED(CONFIG_IPV6) 4372 case PF_INET6: 4373 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4374 if (ret) 4375 goto parse_error; 4376 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4377 &ad->u.net->v6info.daddr); 4378 goto okay; 4379 #endif /* IPV6 */ 4380 default: 4381 addrp = NULL; 4382 goto okay; 4383 } 4384 4385 parse_error: 4386 pr_warn( 4387 "SELinux: failure in selinux_parse_skb()," 4388 " unable to parse packet\n"); 4389 return ret; 4390 4391 okay: 4392 if (_addrp) 4393 *_addrp = addrp; 4394 return 0; 4395 } 4396 4397 /** 4398 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4399 * @skb: the packet 4400 * @family: protocol family 4401 * @sid: the packet's peer label SID 4402 * 4403 * Description: 4404 * Check the various different forms of network peer labeling and determine 4405 * the peer label/SID for the packet; most of the magic actually occurs in 4406 * the security server function security_net_peersid_cmp(). The function 4407 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4408 * or -EACCES if @sid is invalid due to inconsistencies with the different 4409 * peer labels. 4410 * 4411 */ 4412 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4413 { 4414 int err; 4415 u32 xfrm_sid; 4416 u32 nlbl_sid; 4417 u32 nlbl_type; 4418 4419 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4420 if (unlikely(err)) 4421 return -EACCES; 4422 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4423 if (unlikely(err)) 4424 return -EACCES; 4425 4426 err = security_net_peersid_resolve(&selinux_state, nlbl_sid, 4427 nlbl_type, xfrm_sid, sid); 4428 if (unlikely(err)) { 4429 pr_warn( 4430 "SELinux: failure in selinux_skb_peerlbl_sid()," 4431 " unable to determine packet's peer label\n"); 4432 return -EACCES; 4433 } 4434 4435 return 0; 4436 } 4437 4438 /** 4439 * selinux_conn_sid - Determine the child socket label for a connection 4440 * @sk_sid: the parent socket's SID 4441 * @skb_sid: the packet's SID 4442 * @conn_sid: the resulting connection SID 4443 * 4444 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4445 * combined with the MLS information from @skb_sid in order to create 4446 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy 4447 * of @sk_sid. Returns zero on success, negative values on failure. 4448 * 4449 */ 4450 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4451 { 4452 int err = 0; 4453 4454 if (skb_sid != SECSID_NULL) 4455 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid, 4456 conn_sid); 4457 else 4458 *conn_sid = sk_sid; 4459 4460 return err; 4461 } 4462 4463 /* socket security operations */ 4464 4465 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4466 u16 secclass, u32 *socksid) 4467 { 4468 if (tsec->sockcreate_sid > SECSID_NULL) { 4469 *socksid = tsec->sockcreate_sid; 4470 return 0; 4471 } 4472 4473 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid, 4474 secclass, NULL, socksid); 4475 } 4476 4477 static int sock_has_perm(struct sock *sk, u32 perms) 4478 { 4479 struct sk_security_struct *sksec = sk->sk_security; 4480 struct common_audit_data ad; 4481 struct lsm_network_audit net = {0,}; 4482 4483 if (sksec->sid == SECINITSID_KERNEL) 4484 return 0; 4485 4486 ad.type = LSM_AUDIT_DATA_NET; 4487 ad.u.net = &net; 4488 ad.u.net->sk = sk; 4489 4490 return avc_has_perm(&selinux_state, 4491 current_sid(), sksec->sid, sksec->sclass, perms, 4492 &ad); 4493 } 4494 4495 static int selinux_socket_create(int family, int type, 4496 int protocol, int kern) 4497 { 4498 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4499 u32 newsid; 4500 u16 secclass; 4501 int rc; 4502 4503 if (kern) 4504 return 0; 4505 4506 secclass = socket_type_to_security_class(family, type, protocol); 4507 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4508 if (rc) 4509 return rc; 4510 4511 return avc_has_perm(&selinux_state, 4512 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4513 } 4514 4515 static int selinux_socket_post_create(struct socket *sock, int family, 4516 int type, int protocol, int kern) 4517 { 4518 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4519 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4520 struct sk_security_struct *sksec; 4521 u16 sclass = socket_type_to_security_class(family, type, protocol); 4522 u32 sid = SECINITSID_KERNEL; 4523 int err = 0; 4524 4525 if (!kern) { 4526 err = socket_sockcreate_sid(tsec, sclass, &sid); 4527 if (err) 4528 return err; 4529 } 4530 4531 isec->sclass = sclass; 4532 isec->sid = sid; 4533 isec->initialized = LABEL_INITIALIZED; 4534 4535 if (sock->sk) { 4536 sksec = sock->sk->sk_security; 4537 sksec->sclass = sclass; 4538 sksec->sid = sid; 4539 /* Allows detection of the first association on this socket */ 4540 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4541 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4542 4543 err = selinux_netlbl_socket_post_create(sock->sk, family); 4544 } 4545 4546 return err; 4547 } 4548 4549 static int selinux_socket_socketpair(struct socket *socka, 4550 struct socket *sockb) 4551 { 4552 struct sk_security_struct *sksec_a = socka->sk->sk_security; 4553 struct sk_security_struct *sksec_b = sockb->sk->sk_security; 4554 4555 sksec_a->peer_sid = sksec_b->sid; 4556 sksec_b->peer_sid = sksec_a->sid; 4557 4558 return 0; 4559 } 4560 4561 /* Range of port numbers used to automatically bind. 4562 Need to determine whether we should perform a name_bind 4563 permission check between the socket and the port number. */ 4564 4565 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4566 { 4567 struct sock *sk = sock->sk; 4568 struct sk_security_struct *sksec = sk->sk_security; 4569 u16 family; 4570 int err; 4571 4572 err = sock_has_perm(sk, SOCKET__BIND); 4573 if (err) 4574 goto out; 4575 4576 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4577 family = sk->sk_family; 4578 if (family == PF_INET || family == PF_INET6) { 4579 char *addrp; 4580 struct common_audit_data ad; 4581 struct lsm_network_audit net = {0,}; 4582 struct sockaddr_in *addr4 = NULL; 4583 struct sockaddr_in6 *addr6 = NULL; 4584 u16 family_sa; 4585 unsigned short snum; 4586 u32 sid, node_perm; 4587 4588 /* 4589 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4590 * that validates multiple binding addresses. Because of this 4591 * need to check address->sa_family as it is possible to have 4592 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4593 */ 4594 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4595 return -EINVAL; 4596 family_sa = address->sa_family; 4597 switch (family_sa) { 4598 case AF_UNSPEC: 4599 case AF_INET: 4600 if (addrlen < sizeof(struct sockaddr_in)) 4601 return -EINVAL; 4602 addr4 = (struct sockaddr_in *)address; 4603 if (family_sa == AF_UNSPEC) { 4604 /* see __inet_bind(), we only want to allow 4605 * AF_UNSPEC if the address is INADDR_ANY 4606 */ 4607 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4608 goto err_af; 4609 family_sa = AF_INET; 4610 } 4611 snum = ntohs(addr4->sin_port); 4612 addrp = (char *)&addr4->sin_addr.s_addr; 4613 break; 4614 case AF_INET6: 4615 if (addrlen < SIN6_LEN_RFC2133) 4616 return -EINVAL; 4617 addr6 = (struct sockaddr_in6 *)address; 4618 snum = ntohs(addr6->sin6_port); 4619 addrp = (char *)&addr6->sin6_addr.s6_addr; 4620 break; 4621 default: 4622 goto err_af; 4623 } 4624 4625 ad.type = LSM_AUDIT_DATA_NET; 4626 ad.u.net = &net; 4627 ad.u.net->sport = htons(snum); 4628 ad.u.net->family = family_sa; 4629 4630 if (snum) { 4631 int low, high; 4632 4633 inet_get_local_port_range(sock_net(sk), &low, &high); 4634 4635 if (inet_port_requires_bind_service(sock_net(sk), snum) || 4636 snum < low || snum > high) { 4637 err = sel_netport_sid(sk->sk_protocol, 4638 snum, &sid); 4639 if (err) 4640 goto out; 4641 err = avc_has_perm(&selinux_state, 4642 sksec->sid, sid, 4643 sksec->sclass, 4644 SOCKET__NAME_BIND, &ad); 4645 if (err) 4646 goto out; 4647 } 4648 } 4649 4650 switch (sksec->sclass) { 4651 case SECCLASS_TCP_SOCKET: 4652 node_perm = TCP_SOCKET__NODE_BIND; 4653 break; 4654 4655 case SECCLASS_UDP_SOCKET: 4656 node_perm = UDP_SOCKET__NODE_BIND; 4657 break; 4658 4659 case SECCLASS_DCCP_SOCKET: 4660 node_perm = DCCP_SOCKET__NODE_BIND; 4661 break; 4662 4663 case SECCLASS_SCTP_SOCKET: 4664 node_perm = SCTP_SOCKET__NODE_BIND; 4665 break; 4666 4667 default: 4668 node_perm = RAWIP_SOCKET__NODE_BIND; 4669 break; 4670 } 4671 4672 err = sel_netnode_sid(addrp, family_sa, &sid); 4673 if (err) 4674 goto out; 4675 4676 if (family_sa == AF_INET) 4677 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4678 else 4679 ad.u.net->v6info.saddr = addr6->sin6_addr; 4680 4681 err = avc_has_perm(&selinux_state, 4682 sksec->sid, sid, 4683 sksec->sclass, node_perm, &ad); 4684 if (err) 4685 goto out; 4686 } 4687 out: 4688 return err; 4689 err_af: 4690 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4691 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4692 return -EINVAL; 4693 return -EAFNOSUPPORT; 4694 } 4695 4696 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 4697 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst 4698 */ 4699 static int selinux_socket_connect_helper(struct socket *sock, 4700 struct sockaddr *address, int addrlen) 4701 { 4702 struct sock *sk = sock->sk; 4703 struct sk_security_struct *sksec = sk->sk_security; 4704 int err; 4705 4706 err = sock_has_perm(sk, SOCKET__CONNECT); 4707 if (err) 4708 return err; 4709 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4710 return -EINVAL; 4711 4712 /* connect(AF_UNSPEC) has special handling, as it is a documented 4713 * way to disconnect the socket 4714 */ 4715 if (address->sa_family == AF_UNSPEC) 4716 return 0; 4717 4718 /* 4719 * If a TCP, DCCP or SCTP socket, check name_connect permission 4720 * for the port. 4721 */ 4722 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4723 sksec->sclass == SECCLASS_DCCP_SOCKET || 4724 sksec->sclass == SECCLASS_SCTP_SOCKET) { 4725 struct common_audit_data ad; 4726 struct lsm_network_audit net = {0,}; 4727 struct sockaddr_in *addr4 = NULL; 4728 struct sockaddr_in6 *addr6 = NULL; 4729 unsigned short snum; 4730 u32 sid, perm; 4731 4732 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 4733 * that validates multiple connect addresses. Because of this 4734 * need to check address->sa_family as it is possible to have 4735 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4736 */ 4737 switch (address->sa_family) { 4738 case AF_INET: 4739 addr4 = (struct sockaddr_in *)address; 4740 if (addrlen < sizeof(struct sockaddr_in)) 4741 return -EINVAL; 4742 snum = ntohs(addr4->sin_port); 4743 break; 4744 case AF_INET6: 4745 addr6 = (struct sockaddr_in6 *)address; 4746 if (addrlen < SIN6_LEN_RFC2133) 4747 return -EINVAL; 4748 snum = ntohs(addr6->sin6_port); 4749 break; 4750 default: 4751 /* Note that SCTP services expect -EINVAL, whereas 4752 * others expect -EAFNOSUPPORT. 4753 */ 4754 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4755 return -EINVAL; 4756 else 4757 return -EAFNOSUPPORT; 4758 } 4759 4760 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4761 if (err) 4762 return err; 4763 4764 switch (sksec->sclass) { 4765 case SECCLASS_TCP_SOCKET: 4766 perm = TCP_SOCKET__NAME_CONNECT; 4767 break; 4768 case SECCLASS_DCCP_SOCKET: 4769 perm = DCCP_SOCKET__NAME_CONNECT; 4770 break; 4771 case SECCLASS_SCTP_SOCKET: 4772 perm = SCTP_SOCKET__NAME_CONNECT; 4773 break; 4774 } 4775 4776 ad.type = LSM_AUDIT_DATA_NET; 4777 ad.u.net = &net; 4778 ad.u.net->dport = htons(snum); 4779 ad.u.net->family = address->sa_family; 4780 err = avc_has_perm(&selinux_state, 4781 sksec->sid, sid, sksec->sclass, perm, &ad); 4782 if (err) 4783 return err; 4784 } 4785 4786 return 0; 4787 } 4788 4789 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 4790 static int selinux_socket_connect(struct socket *sock, 4791 struct sockaddr *address, int addrlen) 4792 { 4793 int err; 4794 struct sock *sk = sock->sk; 4795 4796 err = selinux_socket_connect_helper(sock, address, addrlen); 4797 if (err) 4798 return err; 4799 4800 return selinux_netlbl_socket_connect(sk, address); 4801 } 4802 4803 static int selinux_socket_listen(struct socket *sock, int backlog) 4804 { 4805 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4806 } 4807 4808 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4809 { 4810 int err; 4811 struct inode_security_struct *isec; 4812 struct inode_security_struct *newisec; 4813 u16 sclass; 4814 u32 sid; 4815 4816 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4817 if (err) 4818 return err; 4819 4820 isec = inode_security_novalidate(SOCK_INODE(sock)); 4821 spin_lock(&isec->lock); 4822 sclass = isec->sclass; 4823 sid = isec->sid; 4824 spin_unlock(&isec->lock); 4825 4826 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4827 newisec->sclass = sclass; 4828 newisec->sid = sid; 4829 newisec->initialized = LABEL_INITIALIZED; 4830 4831 return 0; 4832 } 4833 4834 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4835 int size) 4836 { 4837 return sock_has_perm(sock->sk, SOCKET__WRITE); 4838 } 4839 4840 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4841 int size, int flags) 4842 { 4843 return sock_has_perm(sock->sk, SOCKET__READ); 4844 } 4845 4846 static int selinux_socket_getsockname(struct socket *sock) 4847 { 4848 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4849 } 4850 4851 static int selinux_socket_getpeername(struct socket *sock) 4852 { 4853 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4854 } 4855 4856 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4857 { 4858 int err; 4859 4860 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 4861 if (err) 4862 return err; 4863 4864 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4865 } 4866 4867 static int selinux_socket_getsockopt(struct socket *sock, int level, 4868 int optname) 4869 { 4870 return sock_has_perm(sock->sk, SOCKET__GETOPT); 4871 } 4872 4873 static int selinux_socket_shutdown(struct socket *sock, int how) 4874 { 4875 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 4876 } 4877 4878 static int selinux_socket_unix_stream_connect(struct sock *sock, 4879 struct sock *other, 4880 struct sock *newsk) 4881 { 4882 struct sk_security_struct *sksec_sock = sock->sk_security; 4883 struct sk_security_struct *sksec_other = other->sk_security; 4884 struct sk_security_struct *sksec_new = newsk->sk_security; 4885 struct common_audit_data ad; 4886 struct lsm_network_audit net = {0,}; 4887 int err; 4888 4889 ad.type = LSM_AUDIT_DATA_NET; 4890 ad.u.net = &net; 4891 ad.u.net->sk = other; 4892 4893 err = avc_has_perm(&selinux_state, 4894 sksec_sock->sid, sksec_other->sid, 4895 sksec_other->sclass, 4896 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4897 if (err) 4898 return err; 4899 4900 /* server child socket */ 4901 sksec_new->peer_sid = sksec_sock->sid; 4902 err = security_sid_mls_copy(&selinux_state, sksec_other->sid, 4903 sksec_sock->sid, &sksec_new->sid); 4904 if (err) 4905 return err; 4906 4907 /* connecting socket */ 4908 sksec_sock->peer_sid = sksec_new->sid; 4909 4910 return 0; 4911 } 4912 4913 static int selinux_socket_unix_may_send(struct socket *sock, 4914 struct socket *other) 4915 { 4916 struct sk_security_struct *ssec = sock->sk->sk_security; 4917 struct sk_security_struct *osec = other->sk->sk_security; 4918 struct common_audit_data ad; 4919 struct lsm_network_audit net = {0,}; 4920 4921 ad.type = LSM_AUDIT_DATA_NET; 4922 ad.u.net = &net; 4923 ad.u.net->sk = other->sk; 4924 4925 return avc_has_perm(&selinux_state, 4926 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4927 &ad); 4928 } 4929 4930 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4931 char *addrp, u16 family, u32 peer_sid, 4932 struct common_audit_data *ad) 4933 { 4934 int err; 4935 u32 if_sid; 4936 u32 node_sid; 4937 4938 err = sel_netif_sid(ns, ifindex, &if_sid); 4939 if (err) 4940 return err; 4941 err = avc_has_perm(&selinux_state, 4942 peer_sid, if_sid, 4943 SECCLASS_NETIF, NETIF__INGRESS, ad); 4944 if (err) 4945 return err; 4946 4947 err = sel_netnode_sid(addrp, family, &node_sid); 4948 if (err) 4949 return err; 4950 return avc_has_perm(&selinux_state, 4951 peer_sid, node_sid, 4952 SECCLASS_NODE, NODE__RECVFROM, ad); 4953 } 4954 4955 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4956 u16 family) 4957 { 4958 int err = 0; 4959 struct sk_security_struct *sksec = sk->sk_security; 4960 u32 sk_sid = sksec->sid; 4961 struct common_audit_data ad; 4962 struct lsm_network_audit net = {0,}; 4963 char *addrp; 4964 4965 ad.type = LSM_AUDIT_DATA_NET; 4966 ad.u.net = &net; 4967 ad.u.net->netif = skb->skb_iif; 4968 ad.u.net->family = family; 4969 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4970 if (err) 4971 return err; 4972 4973 if (selinux_secmark_enabled()) { 4974 err = avc_has_perm(&selinux_state, 4975 sk_sid, skb->secmark, SECCLASS_PACKET, 4976 PACKET__RECV, &ad); 4977 if (err) 4978 return err; 4979 } 4980 4981 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4982 if (err) 4983 return err; 4984 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4985 4986 return err; 4987 } 4988 4989 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4990 { 4991 int err; 4992 struct sk_security_struct *sksec = sk->sk_security; 4993 u16 family = sk->sk_family; 4994 u32 sk_sid = sksec->sid; 4995 struct common_audit_data ad; 4996 struct lsm_network_audit net = {0,}; 4997 char *addrp; 4998 u8 secmark_active; 4999 u8 peerlbl_active; 5000 5001 if (family != PF_INET && family != PF_INET6) 5002 return 0; 5003 5004 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5005 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5006 family = PF_INET; 5007 5008 /* If any sort of compatibility mode is enabled then handoff processing 5009 * to the selinux_sock_rcv_skb_compat() function to deal with the 5010 * special handling. We do this in an attempt to keep this function 5011 * as fast and as clean as possible. */ 5012 if (!selinux_policycap_netpeer()) 5013 return selinux_sock_rcv_skb_compat(sk, skb, family); 5014 5015 secmark_active = selinux_secmark_enabled(); 5016 peerlbl_active = selinux_peerlbl_enabled(); 5017 if (!secmark_active && !peerlbl_active) 5018 return 0; 5019 5020 ad.type = LSM_AUDIT_DATA_NET; 5021 ad.u.net = &net; 5022 ad.u.net->netif = skb->skb_iif; 5023 ad.u.net->family = family; 5024 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5025 if (err) 5026 return err; 5027 5028 if (peerlbl_active) { 5029 u32 peer_sid; 5030 5031 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5032 if (err) 5033 return err; 5034 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5035 addrp, family, peer_sid, &ad); 5036 if (err) { 5037 selinux_netlbl_err(skb, family, err, 0); 5038 return err; 5039 } 5040 err = avc_has_perm(&selinux_state, 5041 sk_sid, peer_sid, SECCLASS_PEER, 5042 PEER__RECV, &ad); 5043 if (err) { 5044 selinux_netlbl_err(skb, family, err, 0); 5045 return err; 5046 } 5047 } 5048 5049 if (secmark_active) { 5050 err = avc_has_perm(&selinux_state, 5051 sk_sid, skb->secmark, SECCLASS_PACKET, 5052 PACKET__RECV, &ad); 5053 if (err) 5054 return err; 5055 } 5056 5057 return err; 5058 } 5059 5060 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 5061 int __user *optlen, unsigned len) 5062 { 5063 int err = 0; 5064 char *scontext; 5065 u32 scontext_len; 5066 struct sk_security_struct *sksec = sock->sk->sk_security; 5067 u32 peer_sid = SECSID_NULL; 5068 5069 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5070 sksec->sclass == SECCLASS_TCP_SOCKET || 5071 sksec->sclass == SECCLASS_SCTP_SOCKET) 5072 peer_sid = sksec->peer_sid; 5073 if (peer_sid == SECSID_NULL) 5074 return -ENOPROTOOPT; 5075 5076 err = security_sid_to_context(&selinux_state, peer_sid, &scontext, 5077 &scontext_len); 5078 if (err) 5079 return err; 5080 5081 if (scontext_len > len) { 5082 err = -ERANGE; 5083 goto out_len; 5084 } 5085 5086 if (copy_to_user(optval, scontext, scontext_len)) 5087 err = -EFAULT; 5088 5089 out_len: 5090 if (put_user(scontext_len, optlen)) 5091 err = -EFAULT; 5092 kfree(scontext); 5093 return err; 5094 } 5095 5096 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 5097 { 5098 u32 peer_secid = SECSID_NULL; 5099 u16 family; 5100 struct inode_security_struct *isec; 5101 5102 if (skb && skb->protocol == htons(ETH_P_IP)) 5103 family = PF_INET; 5104 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5105 family = PF_INET6; 5106 else if (sock) 5107 family = sock->sk->sk_family; 5108 else 5109 goto out; 5110 5111 if (sock && family == PF_UNIX) { 5112 isec = inode_security_novalidate(SOCK_INODE(sock)); 5113 peer_secid = isec->sid; 5114 } else if (skb) 5115 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5116 5117 out: 5118 *secid = peer_secid; 5119 if (peer_secid == SECSID_NULL) 5120 return -EINVAL; 5121 return 0; 5122 } 5123 5124 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5125 { 5126 struct sk_security_struct *sksec; 5127 5128 sksec = kzalloc(sizeof(*sksec), priority); 5129 if (!sksec) 5130 return -ENOMEM; 5131 5132 sksec->peer_sid = SECINITSID_UNLABELED; 5133 sksec->sid = SECINITSID_UNLABELED; 5134 sksec->sclass = SECCLASS_SOCKET; 5135 selinux_netlbl_sk_security_reset(sksec); 5136 sk->sk_security = sksec; 5137 5138 return 0; 5139 } 5140 5141 static void selinux_sk_free_security(struct sock *sk) 5142 { 5143 struct sk_security_struct *sksec = sk->sk_security; 5144 5145 sk->sk_security = NULL; 5146 selinux_netlbl_sk_security_free(sksec); 5147 kfree(sksec); 5148 } 5149 5150 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5151 { 5152 struct sk_security_struct *sksec = sk->sk_security; 5153 struct sk_security_struct *newsksec = newsk->sk_security; 5154 5155 newsksec->sid = sksec->sid; 5156 newsksec->peer_sid = sksec->peer_sid; 5157 newsksec->sclass = sksec->sclass; 5158 5159 selinux_netlbl_sk_security_reset(newsksec); 5160 } 5161 5162 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 5163 { 5164 if (!sk) 5165 *secid = SECINITSID_ANY_SOCKET; 5166 else { 5167 struct sk_security_struct *sksec = sk->sk_security; 5168 5169 *secid = sksec->sid; 5170 } 5171 } 5172 5173 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5174 { 5175 struct inode_security_struct *isec = 5176 inode_security_novalidate(SOCK_INODE(parent)); 5177 struct sk_security_struct *sksec = sk->sk_security; 5178 5179 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5180 sk->sk_family == PF_UNIX) 5181 isec->sid = sksec->sid; 5182 sksec->sclass = isec->sclass; 5183 } 5184 5185 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming 5186 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association 5187 * already present). 5188 */ 5189 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep, 5190 struct sk_buff *skb) 5191 { 5192 struct sk_security_struct *sksec = ep->base.sk->sk_security; 5193 struct common_audit_data ad; 5194 struct lsm_network_audit net = {0,}; 5195 u8 peerlbl_active; 5196 u32 peer_sid = SECINITSID_UNLABELED; 5197 u32 conn_sid; 5198 int err = 0; 5199 5200 if (!selinux_policycap_extsockclass()) 5201 return 0; 5202 5203 peerlbl_active = selinux_peerlbl_enabled(); 5204 5205 if (peerlbl_active) { 5206 /* This will return peer_sid = SECSID_NULL if there are 5207 * no peer labels, see security_net_peersid_resolve(). 5208 */ 5209 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family, 5210 &peer_sid); 5211 if (err) 5212 return err; 5213 5214 if (peer_sid == SECSID_NULL) 5215 peer_sid = SECINITSID_UNLABELED; 5216 } 5217 5218 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5219 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5220 5221 /* Here as first association on socket. As the peer SID 5222 * was allowed by peer recv (and the netif/node checks), 5223 * then it is approved by policy and used as the primary 5224 * peer SID for getpeercon(3). 5225 */ 5226 sksec->peer_sid = peer_sid; 5227 } else if (sksec->peer_sid != peer_sid) { 5228 /* Other association peer SIDs are checked to enforce 5229 * consistency among the peer SIDs. 5230 */ 5231 ad.type = LSM_AUDIT_DATA_NET; 5232 ad.u.net = &net; 5233 ad.u.net->sk = ep->base.sk; 5234 err = avc_has_perm(&selinux_state, 5235 sksec->peer_sid, peer_sid, sksec->sclass, 5236 SCTP_SOCKET__ASSOCIATION, &ad); 5237 if (err) 5238 return err; 5239 } 5240 5241 /* Compute the MLS component for the connection and store 5242 * the information in ep. This will be used by SCTP TCP type 5243 * sockets and peeled off connections as they cause a new 5244 * socket to be generated. selinux_sctp_sk_clone() will then 5245 * plug this into the new socket. 5246 */ 5247 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid); 5248 if (err) 5249 return err; 5250 5251 ep->secid = conn_sid; 5252 ep->peer_secid = peer_sid; 5253 5254 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5255 return selinux_netlbl_sctp_assoc_request(ep, skb); 5256 } 5257 5258 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5259 * based on their @optname. 5260 */ 5261 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5262 struct sockaddr *address, 5263 int addrlen) 5264 { 5265 int len, err = 0, walk_size = 0; 5266 void *addr_buf; 5267 struct sockaddr *addr; 5268 struct socket *sock; 5269 5270 if (!selinux_policycap_extsockclass()) 5271 return 0; 5272 5273 /* Process one or more addresses that may be IPv4 or IPv6 */ 5274 sock = sk->sk_socket; 5275 addr_buf = address; 5276 5277 while (walk_size < addrlen) { 5278 if (walk_size + sizeof(sa_family_t) > addrlen) 5279 return -EINVAL; 5280 5281 addr = addr_buf; 5282 switch (addr->sa_family) { 5283 case AF_UNSPEC: 5284 case AF_INET: 5285 len = sizeof(struct sockaddr_in); 5286 break; 5287 case AF_INET6: 5288 len = sizeof(struct sockaddr_in6); 5289 break; 5290 default: 5291 return -EINVAL; 5292 } 5293 5294 if (walk_size + len > addrlen) 5295 return -EINVAL; 5296 5297 err = -EINVAL; 5298 switch (optname) { 5299 /* Bind checks */ 5300 case SCTP_PRIMARY_ADDR: 5301 case SCTP_SET_PEER_PRIMARY_ADDR: 5302 case SCTP_SOCKOPT_BINDX_ADD: 5303 err = selinux_socket_bind(sock, addr, len); 5304 break; 5305 /* Connect checks */ 5306 case SCTP_SOCKOPT_CONNECTX: 5307 case SCTP_PARAM_SET_PRIMARY: 5308 case SCTP_PARAM_ADD_IP: 5309 case SCTP_SENDMSG_CONNECT: 5310 err = selinux_socket_connect_helper(sock, addr, len); 5311 if (err) 5312 return err; 5313 5314 /* As selinux_sctp_bind_connect() is called by the 5315 * SCTP protocol layer, the socket is already locked, 5316 * therefore selinux_netlbl_socket_connect_locked() is 5317 * is called here. The situations handled are: 5318 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5319 * whenever a new IP address is added or when a new 5320 * primary address is selected. 5321 * Note that an SCTP connect(2) call happens before 5322 * the SCTP protocol layer and is handled via 5323 * selinux_socket_connect(). 5324 */ 5325 err = selinux_netlbl_socket_connect_locked(sk, addr); 5326 break; 5327 } 5328 5329 if (err) 5330 return err; 5331 5332 addr_buf += len; 5333 walk_size += len; 5334 } 5335 5336 return 0; 5337 } 5338 5339 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5340 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, 5341 struct sock *newsk) 5342 { 5343 struct sk_security_struct *sksec = sk->sk_security; 5344 struct sk_security_struct *newsksec = newsk->sk_security; 5345 5346 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5347 * the non-sctp clone version. 5348 */ 5349 if (!selinux_policycap_extsockclass()) 5350 return selinux_sk_clone_security(sk, newsk); 5351 5352 newsksec->sid = ep->secid; 5353 newsksec->peer_sid = ep->peer_secid; 5354 newsksec->sclass = sksec->sclass; 5355 selinux_netlbl_sctp_sk_clone(sk, newsk); 5356 } 5357 5358 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 5359 struct request_sock *req) 5360 { 5361 struct sk_security_struct *sksec = sk->sk_security; 5362 int err; 5363 u16 family = req->rsk_ops->family; 5364 u32 connsid; 5365 u32 peersid; 5366 5367 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5368 if (err) 5369 return err; 5370 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5371 if (err) 5372 return err; 5373 req->secid = connsid; 5374 req->peer_secid = peersid; 5375 5376 return selinux_netlbl_inet_conn_request(req, family); 5377 } 5378 5379 static void selinux_inet_csk_clone(struct sock *newsk, 5380 const struct request_sock *req) 5381 { 5382 struct sk_security_struct *newsksec = newsk->sk_security; 5383 5384 newsksec->sid = req->secid; 5385 newsksec->peer_sid = req->peer_secid; 5386 /* NOTE: Ideally, we should also get the isec->sid for the 5387 new socket in sync, but we don't have the isec available yet. 5388 So we will wait until sock_graft to do it, by which 5389 time it will have been created and available. */ 5390 5391 /* We don't need to take any sort of lock here as we are the only 5392 * thread with access to newsksec */ 5393 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5394 } 5395 5396 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5397 { 5398 u16 family = sk->sk_family; 5399 struct sk_security_struct *sksec = sk->sk_security; 5400 5401 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5402 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5403 family = PF_INET; 5404 5405 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5406 } 5407 5408 static int selinux_secmark_relabel_packet(u32 sid) 5409 { 5410 const struct task_security_struct *__tsec; 5411 u32 tsid; 5412 5413 __tsec = selinux_cred(current_cred()); 5414 tsid = __tsec->sid; 5415 5416 return avc_has_perm(&selinux_state, 5417 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, 5418 NULL); 5419 } 5420 5421 static void selinux_secmark_refcount_inc(void) 5422 { 5423 atomic_inc(&selinux_secmark_refcount); 5424 } 5425 5426 static void selinux_secmark_refcount_dec(void) 5427 { 5428 atomic_dec(&selinux_secmark_refcount); 5429 } 5430 5431 static void selinux_req_classify_flow(const struct request_sock *req, 5432 struct flowi *fl) 5433 { 5434 fl->flowi_secid = req->secid; 5435 } 5436 5437 static int selinux_tun_dev_alloc_security(void **security) 5438 { 5439 struct tun_security_struct *tunsec; 5440 5441 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5442 if (!tunsec) 5443 return -ENOMEM; 5444 tunsec->sid = current_sid(); 5445 5446 *security = tunsec; 5447 return 0; 5448 } 5449 5450 static void selinux_tun_dev_free_security(void *security) 5451 { 5452 kfree(security); 5453 } 5454 5455 static int selinux_tun_dev_create(void) 5456 { 5457 u32 sid = current_sid(); 5458 5459 /* we aren't taking into account the "sockcreate" SID since the socket 5460 * that is being created here is not a socket in the traditional sense, 5461 * instead it is a private sock, accessible only to the kernel, and 5462 * representing a wide range of network traffic spanning multiple 5463 * connections unlike traditional sockets - check the TUN driver to 5464 * get a better understanding of why this socket is special */ 5465 5466 return avc_has_perm(&selinux_state, 5467 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5468 NULL); 5469 } 5470 5471 static int selinux_tun_dev_attach_queue(void *security) 5472 { 5473 struct tun_security_struct *tunsec = security; 5474 5475 return avc_has_perm(&selinux_state, 5476 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5477 TUN_SOCKET__ATTACH_QUEUE, NULL); 5478 } 5479 5480 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5481 { 5482 struct tun_security_struct *tunsec = security; 5483 struct sk_security_struct *sksec = sk->sk_security; 5484 5485 /* we don't currently perform any NetLabel based labeling here and it 5486 * isn't clear that we would want to do so anyway; while we could apply 5487 * labeling without the support of the TUN user the resulting labeled 5488 * traffic from the other end of the connection would almost certainly 5489 * cause confusion to the TUN user that had no idea network labeling 5490 * protocols were being used */ 5491 5492 sksec->sid = tunsec->sid; 5493 sksec->sclass = SECCLASS_TUN_SOCKET; 5494 5495 return 0; 5496 } 5497 5498 static int selinux_tun_dev_open(void *security) 5499 { 5500 struct tun_security_struct *tunsec = security; 5501 u32 sid = current_sid(); 5502 int err; 5503 5504 err = avc_has_perm(&selinux_state, 5505 sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5506 TUN_SOCKET__RELABELFROM, NULL); 5507 if (err) 5508 return err; 5509 err = avc_has_perm(&selinux_state, 5510 sid, sid, SECCLASS_TUN_SOCKET, 5511 TUN_SOCKET__RELABELTO, NULL); 5512 if (err) 5513 return err; 5514 tunsec->sid = sid; 5515 5516 return 0; 5517 } 5518 5519 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 5520 { 5521 int err = 0; 5522 u32 perm; 5523 struct nlmsghdr *nlh; 5524 struct sk_security_struct *sksec = sk->sk_security; 5525 5526 if (skb->len < NLMSG_HDRLEN) { 5527 err = -EINVAL; 5528 goto out; 5529 } 5530 nlh = nlmsg_hdr(skb); 5531 5532 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 5533 if (err) { 5534 if (err == -EINVAL) { 5535 pr_warn_ratelimited("SELinux: unrecognized netlink" 5536 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 5537 " pig=%d comm=%s\n", 5538 sk->sk_protocol, nlh->nlmsg_type, 5539 secclass_map[sksec->sclass - 1].name, 5540 task_pid_nr(current), current->comm); 5541 if (!enforcing_enabled(&selinux_state) || 5542 security_get_allow_unknown(&selinux_state)) 5543 err = 0; 5544 } 5545 5546 /* Ignore */ 5547 if (err == -ENOENT) 5548 err = 0; 5549 goto out; 5550 } 5551 5552 err = sock_has_perm(sk, perm); 5553 out: 5554 return err; 5555 } 5556 5557 #ifdef CONFIG_NETFILTER 5558 5559 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5560 const struct net_device *indev, 5561 u16 family) 5562 { 5563 int err; 5564 char *addrp; 5565 u32 peer_sid; 5566 struct common_audit_data ad; 5567 struct lsm_network_audit net = {0,}; 5568 u8 secmark_active; 5569 u8 netlbl_active; 5570 u8 peerlbl_active; 5571 5572 if (!selinux_policycap_netpeer()) 5573 return NF_ACCEPT; 5574 5575 secmark_active = selinux_secmark_enabled(); 5576 netlbl_active = netlbl_enabled(); 5577 peerlbl_active = selinux_peerlbl_enabled(); 5578 if (!secmark_active && !peerlbl_active) 5579 return NF_ACCEPT; 5580 5581 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5582 return NF_DROP; 5583 5584 ad.type = LSM_AUDIT_DATA_NET; 5585 ad.u.net = &net; 5586 ad.u.net->netif = indev->ifindex; 5587 ad.u.net->family = family; 5588 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5589 return NF_DROP; 5590 5591 if (peerlbl_active) { 5592 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5593 addrp, family, peer_sid, &ad); 5594 if (err) { 5595 selinux_netlbl_err(skb, family, err, 1); 5596 return NF_DROP; 5597 } 5598 } 5599 5600 if (secmark_active) 5601 if (avc_has_perm(&selinux_state, 5602 peer_sid, skb->secmark, 5603 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5604 return NF_DROP; 5605 5606 if (netlbl_active) 5607 /* we do this in the FORWARD path and not the POST_ROUTING 5608 * path because we want to make sure we apply the necessary 5609 * labeling before IPsec is applied so we can leverage AH 5610 * protection */ 5611 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5612 return NF_DROP; 5613 5614 return NF_ACCEPT; 5615 } 5616 5617 static unsigned int selinux_ipv4_forward(void *priv, 5618 struct sk_buff *skb, 5619 const struct nf_hook_state *state) 5620 { 5621 return selinux_ip_forward(skb, state->in, PF_INET); 5622 } 5623 5624 #if IS_ENABLED(CONFIG_IPV6) 5625 static unsigned int selinux_ipv6_forward(void *priv, 5626 struct sk_buff *skb, 5627 const struct nf_hook_state *state) 5628 { 5629 return selinux_ip_forward(skb, state->in, PF_INET6); 5630 } 5631 #endif /* IPV6 */ 5632 5633 static unsigned int selinux_ip_output(struct sk_buff *skb, 5634 u16 family) 5635 { 5636 struct sock *sk; 5637 u32 sid; 5638 5639 if (!netlbl_enabled()) 5640 return NF_ACCEPT; 5641 5642 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5643 * because we want to make sure we apply the necessary labeling 5644 * before IPsec is applied so we can leverage AH protection */ 5645 sk = skb->sk; 5646 if (sk) { 5647 struct sk_security_struct *sksec; 5648 5649 if (sk_listener(sk)) 5650 /* if the socket is the listening state then this 5651 * packet is a SYN-ACK packet which means it needs to 5652 * be labeled based on the connection/request_sock and 5653 * not the parent socket. unfortunately, we can't 5654 * lookup the request_sock yet as it isn't queued on 5655 * the parent socket until after the SYN-ACK is sent. 5656 * the "solution" is to simply pass the packet as-is 5657 * as any IP option based labeling should be copied 5658 * from the initial connection request (in the IP 5659 * layer). it is far from ideal, but until we get a 5660 * security label in the packet itself this is the 5661 * best we can do. */ 5662 return NF_ACCEPT; 5663 5664 /* standard practice, label using the parent socket */ 5665 sksec = sk->sk_security; 5666 sid = sksec->sid; 5667 } else 5668 sid = SECINITSID_KERNEL; 5669 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5670 return NF_DROP; 5671 5672 return NF_ACCEPT; 5673 } 5674 5675 static unsigned int selinux_ipv4_output(void *priv, 5676 struct sk_buff *skb, 5677 const struct nf_hook_state *state) 5678 { 5679 return selinux_ip_output(skb, PF_INET); 5680 } 5681 5682 #if IS_ENABLED(CONFIG_IPV6) 5683 static unsigned int selinux_ipv6_output(void *priv, 5684 struct sk_buff *skb, 5685 const struct nf_hook_state *state) 5686 { 5687 return selinux_ip_output(skb, PF_INET6); 5688 } 5689 #endif /* IPV6 */ 5690 5691 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5692 int ifindex, 5693 u16 family) 5694 { 5695 struct sock *sk = skb_to_full_sk(skb); 5696 struct sk_security_struct *sksec; 5697 struct common_audit_data ad; 5698 struct lsm_network_audit net = {0,}; 5699 char *addrp; 5700 u8 proto; 5701 5702 if (sk == NULL) 5703 return NF_ACCEPT; 5704 sksec = sk->sk_security; 5705 5706 ad.type = LSM_AUDIT_DATA_NET; 5707 ad.u.net = &net; 5708 ad.u.net->netif = ifindex; 5709 ad.u.net->family = family; 5710 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5711 return NF_DROP; 5712 5713 if (selinux_secmark_enabled()) 5714 if (avc_has_perm(&selinux_state, 5715 sksec->sid, skb->secmark, 5716 SECCLASS_PACKET, PACKET__SEND, &ad)) 5717 return NF_DROP_ERR(-ECONNREFUSED); 5718 5719 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5720 return NF_DROP_ERR(-ECONNREFUSED); 5721 5722 return NF_ACCEPT; 5723 } 5724 5725 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5726 const struct net_device *outdev, 5727 u16 family) 5728 { 5729 u32 secmark_perm; 5730 u32 peer_sid; 5731 int ifindex = outdev->ifindex; 5732 struct sock *sk; 5733 struct common_audit_data ad; 5734 struct lsm_network_audit net = {0,}; 5735 char *addrp; 5736 u8 secmark_active; 5737 u8 peerlbl_active; 5738 5739 /* If any sort of compatibility mode is enabled then handoff processing 5740 * to the selinux_ip_postroute_compat() function to deal with the 5741 * special handling. We do this in an attempt to keep this function 5742 * as fast and as clean as possible. */ 5743 if (!selinux_policycap_netpeer()) 5744 return selinux_ip_postroute_compat(skb, ifindex, family); 5745 5746 secmark_active = selinux_secmark_enabled(); 5747 peerlbl_active = selinux_peerlbl_enabled(); 5748 if (!secmark_active && !peerlbl_active) 5749 return NF_ACCEPT; 5750 5751 sk = skb_to_full_sk(skb); 5752 5753 #ifdef CONFIG_XFRM 5754 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5755 * packet transformation so allow the packet to pass without any checks 5756 * since we'll have another chance to perform access control checks 5757 * when the packet is on it's final way out. 5758 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5759 * is NULL, in this case go ahead and apply access control. 5760 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5761 * TCP listening state we cannot wait until the XFRM processing 5762 * is done as we will miss out on the SA label if we do; 5763 * unfortunately, this means more work, but it is only once per 5764 * connection. */ 5765 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5766 !(sk && sk_listener(sk))) 5767 return NF_ACCEPT; 5768 #endif 5769 5770 if (sk == NULL) { 5771 /* Without an associated socket the packet is either coming 5772 * from the kernel or it is being forwarded; check the packet 5773 * to determine which and if the packet is being forwarded 5774 * query the packet directly to determine the security label. */ 5775 if (skb->skb_iif) { 5776 secmark_perm = PACKET__FORWARD_OUT; 5777 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5778 return NF_DROP; 5779 } else { 5780 secmark_perm = PACKET__SEND; 5781 peer_sid = SECINITSID_KERNEL; 5782 } 5783 } else if (sk_listener(sk)) { 5784 /* Locally generated packet but the associated socket is in the 5785 * listening state which means this is a SYN-ACK packet. In 5786 * this particular case the correct security label is assigned 5787 * to the connection/request_sock but unfortunately we can't 5788 * query the request_sock as it isn't queued on the parent 5789 * socket until after the SYN-ACK packet is sent; the only 5790 * viable choice is to regenerate the label like we do in 5791 * selinux_inet_conn_request(). See also selinux_ip_output() 5792 * for similar problems. */ 5793 u32 skb_sid; 5794 struct sk_security_struct *sksec; 5795 5796 sksec = sk->sk_security; 5797 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5798 return NF_DROP; 5799 /* At this point, if the returned skb peerlbl is SECSID_NULL 5800 * and the packet has been through at least one XFRM 5801 * transformation then we must be dealing with the "final" 5802 * form of labeled IPsec packet; since we've already applied 5803 * all of our access controls on this packet we can safely 5804 * pass the packet. */ 5805 if (skb_sid == SECSID_NULL) { 5806 switch (family) { 5807 case PF_INET: 5808 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5809 return NF_ACCEPT; 5810 break; 5811 case PF_INET6: 5812 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5813 return NF_ACCEPT; 5814 break; 5815 default: 5816 return NF_DROP_ERR(-ECONNREFUSED); 5817 } 5818 } 5819 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5820 return NF_DROP; 5821 secmark_perm = PACKET__SEND; 5822 } else { 5823 /* Locally generated packet, fetch the security label from the 5824 * associated socket. */ 5825 struct sk_security_struct *sksec = sk->sk_security; 5826 peer_sid = sksec->sid; 5827 secmark_perm = PACKET__SEND; 5828 } 5829 5830 ad.type = LSM_AUDIT_DATA_NET; 5831 ad.u.net = &net; 5832 ad.u.net->netif = ifindex; 5833 ad.u.net->family = family; 5834 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5835 return NF_DROP; 5836 5837 if (secmark_active) 5838 if (avc_has_perm(&selinux_state, 5839 peer_sid, skb->secmark, 5840 SECCLASS_PACKET, secmark_perm, &ad)) 5841 return NF_DROP_ERR(-ECONNREFUSED); 5842 5843 if (peerlbl_active) { 5844 u32 if_sid; 5845 u32 node_sid; 5846 5847 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5848 return NF_DROP; 5849 if (avc_has_perm(&selinux_state, 5850 peer_sid, if_sid, 5851 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5852 return NF_DROP_ERR(-ECONNREFUSED); 5853 5854 if (sel_netnode_sid(addrp, family, &node_sid)) 5855 return NF_DROP; 5856 if (avc_has_perm(&selinux_state, 5857 peer_sid, node_sid, 5858 SECCLASS_NODE, NODE__SENDTO, &ad)) 5859 return NF_DROP_ERR(-ECONNREFUSED); 5860 } 5861 5862 return NF_ACCEPT; 5863 } 5864 5865 static unsigned int selinux_ipv4_postroute(void *priv, 5866 struct sk_buff *skb, 5867 const struct nf_hook_state *state) 5868 { 5869 return selinux_ip_postroute(skb, state->out, PF_INET); 5870 } 5871 5872 #if IS_ENABLED(CONFIG_IPV6) 5873 static unsigned int selinux_ipv6_postroute(void *priv, 5874 struct sk_buff *skb, 5875 const struct nf_hook_state *state) 5876 { 5877 return selinux_ip_postroute(skb, state->out, PF_INET6); 5878 } 5879 #endif /* IPV6 */ 5880 5881 #endif /* CONFIG_NETFILTER */ 5882 5883 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5884 { 5885 return selinux_nlmsg_perm(sk, skb); 5886 } 5887 5888 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass) 5889 { 5890 isec->sclass = sclass; 5891 isec->sid = current_sid(); 5892 } 5893 5894 static int msg_msg_alloc_security(struct msg_msg *msg) 5895 { 5896 struct msg_security_struct *msec; 5897 5898 msec = selinux_msg_msg(msg); 5899 msec->sid = SECINITSID_UNLABELED; 5900 5901 return 0; 5902 } 5903 5904 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5905 u32 perms) 5906 { 5907 struct ipc_security_struct *isec; 5908 struct common_audit_data ad; 5909 u32 sid = current_sid(); 5910 5911 isec = selinux_ipc(ipc_perms); 5912 5913 ad.type = LSM_AUDIT_DATA_IPC; 5914 ad.u.ipc_id = ipc_perms->key; 5915 5916 return avc_has_perm(&selinux_state, 5917 sid, isec->sid, isec->sclass, perms, &ad); 5918 } 5919 5920 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5921 { 5922 return msg_msg_alloc_security(msg); 5923 } 5924 5925 /* message queue security operations */ 5926 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 5927 { 5928 struct ipc_security_struct *isec; 5929 struct common_audit_data ad; 5930 u32 sid = current_sid(); 5931 int rc; 5932 5933 isec = selinux_ipc(msq); 5934 ipc_init_security(isec, SECCLASS_MSGQ); 5935 5936 ad.type = LSM_AUDIT_DATA_IPC; 5937 ad.u.ipc_id = msq->key; 5938 5939 rc = avc_has_perm(&selinux_state, 5940 sid, isec->sid, SECCLASS_MSGQ, 5941 MSGQ__CREATE, &ad); 5942 return rc; 5943 } 5944 5945 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 5946 { 5947 struct ipc_security_struct *isec; 5948 struct common_audit_data ad; 5949 u32 sid = current_sid(); 5950 5951 isec = selinux_ipc(msq); 5952 5953 ad.type = LSM_AUDIT_DATA_IPC; 5954 ad.u.ipc_id = msq->key; 5955 5956 return avc_has_perm(&selinux_state, 5957 sid, isec->sid, SECCLASS_MSGQ, 5958 MSGQ__ASSOCIATE, &ad); 5959 } 5960 5961 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 5962 { 5963 int err; 5964 int perms; 5965 5966 switch (cmd) { 5967 case IPC_INFO: 5968 case MSG_INFO: 5969 /* No specific object, just general system-wide information. */ 5970 return avc_has_perm(&selinux_state, 5971 current_sid(), SECINITSID_KERNEL, 5972 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5973 case IPC_STAT: 5974 case MSG_STAT: 5975 case MSG_STAT_ANY: 5976 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 5977 break; 5978 case IPC_SET: 5979 perms = MSGQ__SETATTR; 5980 break; 5981 case IPC_RMID: 5982 perms = MSGQ__DESTROY; 5983 break; 5984 default: 5985 return 0; 5986 } 5987 5988 err = ipc_has_perm(msq, perms); 5989 return err; 5990 } 5991 5992 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 5993 { 5994 struct ipc_security_struct *isec; 5995 struct msg_security_struct *msec; 5996 struct common_audit_data ad; 5997 u32 sid = current_sid(); 5998 int rc; 5999 6000 isec = selinux_ipc(msq); 6001 msec = selinux_msg_msg(msg); 6002 6003 /* 6004 * First time through, need to assign label to the message 6005 */ 6006 if (msec->sid == SECINITSID_UNLABELED) { 6007 /* 6008 * Compute new sid based on current process and 6009 * message queue this message will be stored in 6010 */ 6011 rc = security_transition_sid(&selinux_state, sid, isec->sid, 6012 SECCLASS_MSG, NULL, &msec->sid); 6013 if (rc) 6014 return rc; 6015 } 6016 6017 ad.type = LSM_AUDIT_DATA_IPC; 6018 ad.u.ipc_id = msq->key; 6019 6020 /* Can this process write to the queue? */ 6021 rc = avc_has_perm(&selinux_state, 6022 sid, isec->sid, SECCLASS_MSGQ, 6023 MSGQ__WRITE, &ad); 6024 if (!rc) 6025 /* Can this process send the message */ 6026 rc = avc_has_perm(&selinux_state, 6027 sid, msec->sid, SECCLASS_MSG, 6028 MSG__SEND, &ad); 6029 if (!rc) 6030 /* Can the message be put in the queue? */ 6031 rc = avc_has_perm(&selinux_state, 6032 msec->sid, isec->sid, SECCLASS_MSGQ, 6033 MSGQ__ENQUEUE, &ad); 6034 6035 return rc; 6036 } 6037 6038 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6039 struct task_struct *target, 6040 long type, int mode) 6041 { 6042 struct ipc_security_struct *isec; 6043 struct msg_security_struct *msec; 6044 struct common_audit_data ad; 6045 u32 sid = task_sid(target); 6046 int rc; 6047 6048 isec = selinux_ipc(msq); 6049 msec = selinux_msg_msg(msg); 6050 6051 ad.type = LSM_AUDIT_DATA_IPC; 6052 ad.u.ipc_id = msq->key; 6053 6054 rc = avc_has_perm(&selinux_state, 6055 sid, isec->sid, 6056 SECCLASS_MSGQ, MSGQ__READ, &ad); 6057 if (!rc) 6058 rc = avc_has_perm(&selinux_state, 6059 sid, msec->sid, 6060 SECCLASS_MSG, MSG__RECEIVE, &ad); 6061 return rc; 6062 } 6063 6064 /* Shared Memory security operations */ 6065 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6066 { 6067 struct ipc_security_struct *isec; 6068 struct common_audit_data ad; 6069 u32 sid = current_sid(); 6070 int rc; 6071 6072 isec = selinux_ipc(shp); 6073 ipc_init_security(isec, SECCLASS_SHM); 6074 6075 ad.type = LSM_AUDIT_DATA_IPC; 6076 ad.u.ipc_id = shp->key; 6077 6078 rc = avc_has_perm(&selinux_state, 6079 sid, isec->sid, SECCLASS_SHM, 6080 SHM__CREATE, &ad); 6081 return rc; 6082 } 6083 6084 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6085 { 6086 struct ipc_security_struct *isec; 6087 struct common_audit_data ad; 6088 u32 sid = current_sid(); 6089 6090 isec = selinux_ipc(shp); 6091 6092 ad.type = LSM_AUDIT_DATA_IPC; 6093 ad.u.ipc_id = shp->key; 6094 6095 return avc_has_perm(&selinux_state, 6096 sid, isec->sid, SECCLASS_SHM, 6097 SHM__ASSOCIATE, &ad); 6098 } 6099 6100 /* Note, at this point, shp is locked down */ 6101 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6102 { 6103 int perms; 6104 int err; 6105 6106 switch (cmd) { 6107 case IPC_INFO: 6108 case SHM_INFO: 6109 /* No specific object, just general system-wide information. */ 6110 return avc_has_perm(&selinux_state, 6111 current_sid(), SECINITSID_KERNEL, 6112 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6113 case IPC_STAT: 6114 case SHM_STAT: 6115 case SHM_STAT_ANY: 6116 perms = SHM__GETATTR | SHM__ASSOCIATE; 6117 break; 6118 case IPC_SET: 6119 perms = SHM__SETATTR; 6120 break; 6121 case SHM_LOCK: 6122 case SHM_UNLOCK: 6123 perms = SHM__LOCK; 6124 break; 6125 case IPC_RMID: 6126 perms = SHM__DESTROY; 6127 break; 6128 default: 6129 return 0; 6130 } 6131 6132 err = ipc_has_perm(shp, perms); 6133 return err; 6134 } 6135 6136 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6137 char __user *shmaddr, int shmflg) 6138 { 6139 u32 perms; 6140 6141 if (shmflg & SHM_RDONLY) 6142 perms = SHM__READ; 6143 else 6144 perms = SHM__READ | SHM__WRITE; 6145 6146 return ipc_has_perm(shp, perms); 6147 } 6148 6149 /* Semaphore security operations */ 6150 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6151 { 6152 struct ipc_security_struct *isec; 6153 struct common_audit_data ad; 6154 u32 sid = current_sid(); 6155 int rc; 6156 6157 isec = selinux_ipc(sma); 6158 ipc_init_security(isec, SECCLASS_SEM); 6159 6160 ad.type = LSM_AUDIT_DATA_IPC; 6161 ad.u.ipc_id = sma->key; 6162 6163 rc = avc_has_perm(&selinux_state, 6164 sid, isec->sid, SECCLASS_SEM, 6165 SEM__CREATE, &ad); 6166 return rc; 6167 } 6168 6169 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6170 { 6171 struct ipc_security_struct *isec; 6172 struct common_audit_data ad; 6173 u32 sid = current_sid(); 6174 6175 isec = selinux_ipc(sma); 6176 6177 ad.type = LSM_AUDIT_DATA_IPC; 6178 ad.u.ipc_id = sma->key; 6179 6180 return avc_has_perm(&selinux_state, 6181 sid, isec->sid, SECCLASS_SEM, 6182 SEM__ASSOCIATE, &ad); 6183 } 6184 6185 /* Note, at this point, sma is locked down */ 6186 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6187 { 6188 int err; 6189 u32 perms; 6190 6191 switch (cmd) { 6192 case IPC_INFO: 6193 case SEM_INFO: 6194 /* No specific object, just general system-wide information. */ 6195 return avc_has_perm(&selinux_state, 6196 current_sid(), SECINITSID_KERNEL, 6197 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6198 case GETPID: 6199 case GETNCNT: 6200 case GETZCNT: 6201 perms = SEM__GETATTR; 6202 break; 6203 case GETVAL: 6204 case GETALL: 6205 perms = SEM__READ; 6206 break; 6207 case SETVAL: 6208 case SETALL: 6209 perms = SEM__WRITE; 6210 break; 6211 case IPC_RMID: 6212 perms = SEM__DESTROY; 6213 break; 6214 case IPC_SET: 6215 perms = SEM__SETATTR; 6216 break; 6217 case IPC_STAT: 6218 case SEM_STAT: 6219 case SEM_STAT_ANY: 6220 perms = SEM__GETATTR | SEM__ASSOCIATE; 6221 break; 6222 default: 6223 return 0; 6224 } 6225 6226 err = ipc_has_perm(sma, perms); 6227 return err; 6228 } 6229 6230 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6231 struct sembuf *sops, unsigned nsops, int alter) 6232 { 6233 u32 perms; 6234 6235 if (alter) 6236 perms = SEM__READ | SEM__WRITE; 6237 else 6238 perms = SEM__READ; 6239 6240 return ipc_has_perm(sma, perms); 6241 } 6242 6243 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6244 { 6245 u32 av = 0; 6246 6247 av = 0; 6248 if (flag & S_IRUGO) 6249 av |= IPC__UNIX_READ; 6250 if (flag & S_IWUGO) 6251 av |= IPC__UNIX_WRITE; 6252 6253 if (av == 0) 6254 return 0; 6255 6256 return ipc_has_perm(ipcp, av); 6257 } 6258 6259 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 6260 { 6261 struct ipc_security_struct *isec = selinux_ipc(ipcp); 6262 *secid = isec->sid; 6263 } 6264 6265 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6266 { 6267 if (inode) 6268 inode_doinit_with_dentry(inode, dentry); 6269 } 6270 6271 static int selinux_getprocattr(struct task_struct *p, 6272 char *name, char **value) 6273 { 6274 const struct task_security_struct *__tsec; 6275 u32 sid; 6276 int error; 6277 unsigned len; 6278 6279 rcu_read_lock(); 6280 __tsec = selinux_cred(__task_cred(p)); 6281 6282 if (current != p) { 6283 error = avc_has_perm(&selinux_state, 6284 current_sid(), __tsec->sid, 6285 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6286 if (error) 6287 goto bad; 6288 } 6289 6290 if (!strcmp(name, "current")) 6291 sid = __tsec->sid; 6292 else if (!strcmp(name, "prev")) 6293 sid = __tsec->osid; 6294 else if (!strcmp(name, "exec")) 6295 sid = __tsec->exec_sid; 6296 else if (!strcmp(name, "fscreate")) 6297 sid = __tsec->create_sid; 6298 else if (!strcmp(name, "keycreate")) 6299 sid = __tsec->keycreate_sid; 6300 else if (!strcmp(name, "sockcreate")) 6301 sid = __tsec->sockcreate_sid; 6302 else { 6303 error = -EINVAL; 6304 goto bad; 6305 } 6306 rcu_read_unlock(); 6307 6308 if (!sid) 6309 return 0; 6310 6311 error = security_sid_to_context(&selinux_state, sid, value, &len); 6312 if (error) 6313 return error; 6314 return len; 6315 6316 bad: 6317 rcu_read_unlock(); 6318 return error; 6319 } 6320 6321 static int selinux_setprocattr(const char *name, void *value, size_t size) 6322 { 6323 struct task_security_struct *tsec; 6324 struct cred *new; 6325 u32 mysid = current_sid(), sid = 0, ptsid; 6326 int error; 6327 char *str = value; 6328 6329 /* 6330 * Basic control over ability to set these attributes at all. 6331 */ 6332 if (!strcmp(name, "exec")) 6333 error = avc_has_perm(&selinux_state, 6334 mysid, mysid, SECCLASS_PROCESS, 6335 PROCESS__SETEXEC, NULL); 6336 else if (!strcmp(name, "fscreate")) 6337 error = avc_has_perm(&selinux_state, 6338 mysid, mysid, SECCLASS_PROCESS, 6339 PROCESS__SETFSCREATE, NULL); 6340 else if (!strcmp(name, "keycreate")) 6341 error = avc_has_perm(&selinux_state, 6342 mysid, mysid, SECCLASS_PROCESS, 6343 PROCESS__SETKEYCREATE, NULL); 6344 else if (!strcmp(name, "sockcreate")) 6345 error = avc_has_perm(&selinux_state, 6346 mysid, mysid, SECCLASS_PROCESS, 6347 PROCESS__SETSOCKCREATE, NULL); 6348 else if (!strcmp(name, "current")) 6349 error = avc_has_perm(&selinux_state, 6350 mysid, mysid, SECCLASS_PROCESS, 6351 PROCESS__SETCURRENT, NULL); 6352 else 6353 error = -EINVAL; 6354 if (error) 6355 return error; 6356 6357 /* Obtain a SID for the context, if one was specified. */ 6358 if (size && str[0] && str[0] != '\n') { 6359 if (str[size-1] == '\n') { 6360 str[size-1] = 0; 6361 size--; 6362 } 6363 error = security_context_to_sid(&selinux_state, value, size, 6364 &sid, GFP_KERNEL); 6365 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6366 if (!has_cap_mac_admin(true)) { 6367 struct audit_buffer *ab; 6368 size_t audit_size; 6369 6370 /* We strip a nul only if it is at the end, otherwise the 6371 * context contains a nul and we should audit that */ 6372 if (str[size - 1] == '\0') 6373 audit_size = size - 1; 6374 else 6375 audit_size = size; 6376 ab = audit_log_start(audit_context(), 6377 GFP_ATOMIC, 6378 AUDIT_SELINUX_ERR); 6379 audit_log_format(ab, "op=fscreate invalid_context="); 6380 audit_log_n_untrustedstring(ab, value, audit_size); 6381 audit_log_end(ab); 6382 6383 return error; 6384 } 6385 error = security_context_to_sid_force( 6386 &selinux_state, 6387 value, size, &sid); 6388 } 6389 if (error) 6390 return error; 6391 } 6392 6393 new = prepare_creds(); 6394 if (!new) 6395 return -ENOMEM; 6396 6397 /* Permission checking based on the specified context is 6398 performed during the actual operation (execve, 6399 open/mkdir/...), when we know the full context of the 6400 operation. See selinux_bprm_set_creds for the execve 6401 checks and may_create for the file creation checks. The 6402 operation will then fail if the context is not permitted. */ 6403 tsec = selinux_cred(new); 6404 if (!strcmp(name, "exec")) { 6405 tsec->exec_sid = sid; 6406 } else if (!strcmp(name, "fscreate")) { 6407 tsec->create_sid = sid; 6408 } else if (!strcmp(name, "keycreate")) { 6409 if (sid) { 6410 error = avc_has_perm(&selinux_state, mysid, sid, 6411 SECCLASS_KEY, KEY__CREATE, NULL); 6412 if (error) 6413 goto abort_change; 6414 } 6415 tsec->keycreate_sid = sid; 6416 } else if (!strcmp(name, "sockcreate")) { 6417 tsec->sockcreate_sid = sid; 6418 } else if (!strcmp(name, "current")) { 6419 error = -EINVAL; 6420 if (sid == 0) 6421 goto abort_change; 6422 6423 /* Only allow single threaded processes to change context */ 6424 error = -EPERM; 6425 if (!current_is_single_threaded()) { 6426 error = security_bounded_transition(&selinux_state, 6427 tsec->sid, sid); 6428 if (error) 6429 goto abort_change; 6430 } 6431 6432 /* Check permissions for the transition. */ 6433 error = avc_has_perm(&selinux_state, 6434 tsec->sid, sid, SECCLASS_PROCESS, 6435 PROCESS__DYNTRANSITION, NULL); 6436 if (error) 6437 goto abort_change; 6438 6439 /* Check for ptracing, and update the task SID if ok. 6440 Otherwise, leave SID unchanged and fail. */ 6441 ptsid = ptrace_parent_sid(); 6442 if (ptsid != 0) { 6443 error = avc_has_perm(&selinux_state, 6444 ptsid, sid, SECCLASS_PROCESS, 6445 PROCESS__PTRACE, NULL); 6446 if (error) 6447 goto abort_change; 6448 } 6449 6450 tsec->sid = sid; 6451 } else { 6452 error = -EINVAL; 6453 goto abort_change; 6454 } 6455 6456 commit_creds(new); 6457 return size; 6458 6459 abort_change: 6460 abort_creds(new); 6461 return error; 6462 } 6463 6464 static int selinux_ismaclabel(const char *name) 6465 { 6466 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6467 } 6468 6469 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6470 { 6471 return security_sid_to_context(&selinux_state, secid, 6472 secdata, seclen); 6473 } 6474 6475 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6476 { 6477 return security_context_to_sid(&selinux_state, secdata, seclen, 6478 secid, GFP_KERNEL); 6479 } 6480 6481 static void selinux_release_secctx(char *secdata, u32 seclen) 6482 { 6483 kfree(secdata); 6484 } 6485 6486 static void selinux_inode_invalidate_secctx(struct inode *inode) 6487 { 6488 struct inode_security_struct *isec = selinux_inode(inode); 6489 6490 spin_lock(&isec->lock); 6491 isec->initialized = LABEL_INVALID; 6492 spin_unlock(&isec->lock); 6493 } 6494 6495 /* 6496 * called with inode->i_mutex locked 6497 */ 6498 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6499 { 6500 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, 6501 ctx, ctxlen, 0); 6502 /* Do not return error when suppressing label (SBLABEL_MNT not set). */ 6503 return rc == -EOPNOTSUPP ? 0 : rc; 6504 } 6505 6506 /* 6507 * called with inode->i_mutex locked 6508 */ 6509 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6510 { 6511 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 6512 } 6513 6514 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6515 { 6516 int len = 0; 6517 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 6518 ctx, true); 6519 if (len < 0) 6520 return len; 6521 *ctxlen = len; 6522 return 0; 6523 } 6524 #ifdef CONFIG_KEYS 6525 6526 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6527 unsigned long flags) 6528 { 6529 const struct task_security_struct *tsec; 6530 struct key_security_struct *ksec; 6531 6532 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6533 if (!ksec) 6534 return -ENOMEM; 6535 6536 tsec = selinux_cred(cred); 6537 if (tsec->keycreate_sid) 6538 ksec->sid = tsec->keycreate_sid; 6539 else 6540 ksec->sid = tsec->sid; 6541 6542 k->security = ksec; 6543 return 0; 6544 } 6545 6546 static void selinux_key_free(struct key *k) 6547 { 6548 struct key_security_struct *ksec = k->security; 6549 6550 k->security = NULL; 6551 kfree(ksec); 6552 } 6553 6554 static int selinux_key_permission(key_ref_t key_ref, 6555 const struct cred *cred, 6556 unsigned perm) 6557 { 6558 struct key *key; 6559 struct key_security_struct *ksec; 6560 u32 sid; 6561 6562 /* if no specific permissions are requested, we skip the 6563 permission check. No serious, additional covert channels 6564 appear to be created. */ 6565 if (perm == 0) 6566 return 0; 6567 6568 sid = cred_sid(cred); 6569 6570 key = key_ref_to_ptr(key_ref); 6571 ksec = key->security; 6572 6573 return avc_has_perm(&selinux_state, 6574 sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6575 } 6576 6577 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6578 { 6579 struct key_security_struct *ksec = key->security; 6580 char *context = NULL; 6581 unsigned len; 6582 int rc; 6583 6584 rc = security_sid_to_context(&selinux_state, ksec->sid, 6585 &context, &len); 6586 if (!rc) 6587 rc = len; 6588 *_buffer = context; 6589 return rc; 6590 } 6591 #endif 6592 6593 #ifdef CONFIG_SECURITY_INFINIBAND 6594 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6595 { 6596 struct common_audit_data ad; 6597 int err; 6598 u32 sid = 0; 6599 struct ib_security_struct *sec = ib_sec; 6600 struct lsm_ibpkey_audit ibpkey; 6601 6602 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6603 if (err) 6604 return err; 6605 6606 ad.type = LSM_AUDIT_DATA_IBPKEY; 6607 ibpkey.subnet_prefix = subnet_prefix; 6608 ibpkey.pkey = pkey_val; 6609 ad.u.ibpkey = &ibpkey; 6610 return avc_has_perm(&selinux_state, 6611 sec->sid, sid, 6612 SECCLASS_INFINIBAND_PKEY, 6613 INFINIBAND_PKEY__ACCESS, &ad); 6614 } 6615 6616 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6617 u8 port_num) 6618 { 6619 struct common_audit_data ad; 6620 int err; 6621 u32 sid = 0; 6622 struct ib_security_struct *sec = ib_sec; 6623 struct lsm_ibendport_audit ibendport; 6624 6625 err = security_ib_endport_sid(&selinux_state, dev_name, port_num, 6626 &sid); 6627 6628 if (err) 6629 return err; 6630 6631 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6632 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6633 ibendport.port = port_num; 6634 ad.u.ibendport = &ibendport; 6635 return avc_has_perm(&selinux_state, 6636 sec->sid, sid, 6637 SECCLASS_INFINIBAND_ENDPORT, 6638 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6639 } 6640 6641 static int selinux_ib_alloc_security(void **ib_sec) 6642 { 6643 struct ib_security_struct *sec; 6644 6645 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6646 if (!sec) 6647 return -ENOMEM; 6648 sec->sid = current_sid(); 6649 6650 *ib_sec = sec; 6651 return 0; 6652 } 6653 6654 static void selinux_ib_free_security(void *ib_sec) 6655 { 6656 kfree(ib_sec); 6657 } 6658 #endif 6659 6660 #ifdef CONFIG_BPF_SYSCALL 6661 static int selinux_bpf(int cmd, union bpf_attr *attr, 6662 unsigned int size) 6663 { 6664 u32 sid = current_sid(); 6665 int ret; 6666 6667 switch (cmd) { 6668 case BPF_MAP_CREATE: 6669 ret = avc_has_perm(&selinux_state, 6670 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6671 NULL); 6672 break; 6673 case BPF_PROG_LOAD: 6674 ret = avc_has_perm(&selinux_state, 6675 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6676 NULL); 6677 break; 6678 default: 6679 ret = 0; 6680 break; 6681 } 6682 6683 return ret; 6684 } 6685 6686 static u32 bpf_map_fmode_to_av(fmode_t fmode) 6687 { 6688 u32 av = 0; 6689 6690 if (fmode & FMODE_READ) 6691 av |= BPF__MAP_READ; 6692 if (fmode & FMODE_WRITE) 6693 av |= BPF__MAP_WRITE; 6694 return av; 6695 } 6696 6697 /* This function will check the file pass through unix socket or binder to see 6698 * if it is a bpf related object. And apply correspinding checks on the bpf 6699 * object based on the type. The bpf maps and programs, not like other files and 6700 * socket, are using a shared anonymous inode inside the kernel as their inode. 6701 * So checking that inode cannot identify if the process have privilege to 6702 * access the bpf object and that's why we have to add this additional check in 6703 * selinux_file_receive and selinux_binder_transfer_files. 6704 */ 6705 static int bpf_fd_pass(struct file *file, u32 sid) 6706 { 6707 struct bpf_security_struct *bpfsec; 6708 struct bpf_prog *prog; 6709 struct bpf_map *map; 6710 int ret; 6711 6712 if (file->f_op == &bpf_map_fops) { 6713 map = file->private_data; 6714 bpfsec = map->security; 6715 ret = avc_has_perm(&selinux_state, 6716 sid, bpfsec->sid, SECCLASS_BPF, 6717 bpf_map_fmode_to_av(file->f_mode), NULL); 6718 if (ret) 6719 return ret; 6720 } else if (file->f_op == &bpf_prog_fops) { 6721 prog = file->private_data; 6722 bpfsec = prog->aux->security; 6723 ret = avc_has_perm(&selinux_state, 6724 sid, bpfsec->sid, SECCLASS_BPF, 6725 BPF__PROG_RUN, NULL); 6726 if (ret) 6727 return ret; 6728 } 6729 return 0; 6730 } 6731 6732 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 6733 { 6734 u32 sid = current_sid(); 6735 struct bpf_security_struct *bpfsec; 6736 6737 bpfsec = map->security; 6738 return avc_has_perm(&selinux_state, 6739 sid, bpfsec->sid, SECCLASS_BPF, 6740 bpf_map_fmode_to_av(fmode), NULL); 6741 } 6742 6743 static int selinux_bpf_prog(struct bpf_prog *prog) 6744 { 6745 u32 sid = current_sid(); 6746 struct bpf_security_struct *bpfsec; 6747 6748 bpfsec = prog->aux->security; 6749 return avc_has_perm(&selinux_state, 6750 sid, bpfsec->sid, SECCLASS_BPF, 6751 BPF__PROG_RUN, NULL); 6752 } 6753 6754 static int selinux_bpf_map_alloc(struct bpf_map *map) 6755 { 6756 struct bpf_security_struct *bpfsec; 6757 6758 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6759 if (!bpfsec) 6760 return -ENOMEM; 6761 6762 bpfsec->sid = current_sid(); 6763 map->security = bpfsec; 6764 6765 return 0; 6766 } 6767 6768 static void selinux_bpf_map_free(struct bpf_map *map) 6769 { 6770 struct bpf_security_struct *bpfsec = map->security; 6771 6772 map->security = NULL; 6773 kfree(bpfsec); 6774 } 6775 6776 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux) 6777 { 6778 struct bpf_security_struct *bpfsec; 6779 6780 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6781 if (!bpfsec) 6782 return -ENOMEM; 6783 6784 bpfsec->sid = current_sid(); 6785 aux->security = bpfsec; 6786 6787 return 0; 6788 } 6789 6790 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) 6791 { 6792 struct bpf_security_struct *bpfsec = aux->security; 6793 6794 aux->security = NULL; 6795 kfree(bpfsec); 6796 } 6797 #endif 6798 6799 static int selinux_lockdown(enum lockdown_reason what) 6800 { 6801 struct common_audit_data ad; 6802 u32 sid = current_sid(); 6803 int invalid_reason = (what <= LOCKDOWN_NONE) || 6804 (what == LOCKDOWN_INTEGRITY_MAX) || 6805 (what >= LOCKDOWN_CONFIDENTIALITY_MAX); 6806 6807 if (WARN(invalid_reason, "Invalid lockdown reason")) { 6808 audit_log(audit_context(), 6809 GFP_ATOMIC, AUDIT_SELINUX_ERR, 6810 "lockdown_reason=invalid"); 6811 return -EINVAL; 6812 } 6813 6814 ad.type = LSM_AUDIT_DATA_LOCKDOWN; 6815 ad.u.reason = what; 6816 6817 if (what <= LOCKDOWN_INTEGRITY_MAX) 6818 return avc_has_perm(&selinux_state, 6819 sid, sid, SECCLASS_LOCKDOWN, 6820 LOCKDOWN__INTEGRITY, &ad); 6821 else 6822 return avc_has_perm(&selinux_state, 6823 sid, sid, SECCLASS_LOCKDOWN, 6824 LOCKDOWN__CONFIDENTIALITY, &ad); 6825 } 6826 6827 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { 6828 .lbs_cred = sizeof(struct task_security_struct), 6829 .lbs_file = sizeof(struct file_security_struct), 6830 .lbs_inode = sizeof(struct inode_security_struct), 6831 .lbs_ipc = sizeof(struct ipc_security_struct), 6832 .lbs_msg_msg = sizeof(struct msg_security_struct), 6833 }; 6834 6835 #ifdef CONFIG_PERF_EVENTS 6836 static int selinux_perf_event_open(struct perf_event_attr *attr, int type) 6837 { 6838 u32 requested, sid = current_sid(); 6839 6840 if (type == PERF_SECURITY_OPEN) 6841 requested = PERF_EVENT__OPEN; 6842 else if (type == PERF_SECURITY_CPU) 6843 requested = PERF_EVENT__CPU; 6844 else if (type == PERF_SECURITY_KERNEL) 6845 requested = PERF_EVENT__KERNEL; 6846 else if (type == PERF_SECURITY_TRACEPOINT) 6847 requested = PERF_EVENT__TRACEPOINT; 6848 else 6849 return -EINVAL; 6850 6851 return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT, 6852 requested, NULL); 6853 } 6854 6855 static int selinux_perf_event_alloc(struct perf_event *event) 6856 { 6857 struct perf_event_security_struct *perfsec; 6858 6859 perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL); 6860 if (!perfsec) 6861 return -ENOMEM; 6862 6863 perfsec->sid = current_sid(); 6864 event->security = perfsec; 6865 6866 return 0; 6867 } 6868 6869 static void selinux_perf_event_free(struct perf_event *event) 6870 { 6871 struct perf_event_security_struct *perfsec = event->security; 6872 6873 event->security = NULL; 6874 kfree(perfsec); 6875 } 6876 6877 static int selinux_perf_event_read(struct perf_event *event) 6878 { 6879 struct perf_event_security_struct *perfsec = event->security; 6880 u32 sid = current_sid(); 6881 6882 return avc_has_perm(&selinux_state, sid, perfsec->sid, 6883 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL); 6884 } 6885 6886 static int selinux_perf_event_write(struct perf_event *event) 6887 { 6888 struct perf_event_security_struct *perfsec = event->security; 6889 u32 sid = current_sid(); 6890 6891 return avc_has_perm(&selinux_state, sid, perfsec->sid, 6892 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL); 6893 } 6894 #endif 6895 6896 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 6897 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6898 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6899 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6900 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6901 6902 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 6903 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 6904 LSM_HOOK_INIT(capget, selinux_capget), 6905 LSM_HOOK_INIT(capset, selinux_capset), 6906 LSM_HOOK_INIT(capable, selinux_capable), 6907 LSM_HOOK_INIT(quotactl, selinux_quotactl), 6908 LSM_HOOK_INIT(quota_on, selinux_quota_on), 6909 LSM_HOOK_INIT(syslog, selinux_syslog), 6910 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6911 6912 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6913 6914 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6915 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6916 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6917 6918 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 6919 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 6920 6921 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6922 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6923 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 6924 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), 6925 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6926 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6927 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6928 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 6929 LSM_HOOK_INIT(sb_mount, selinux_mount), 6930 LSM_HOOK_INIT(sb_umount, selinux_umount), 6931 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 6932 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 6933 LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt), 6934 6935 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 6936 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 6937 6938 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 6939 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 6940 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 6941 LSM_HOOK_INIT(inode_create, selinux_inode_create), 6942 LSM_HOOK_INIT(inode_link, selinux_inode_link), 6943 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 6944 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 6945 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 6946 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 6947 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 6948 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 6949 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 6950 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 6951 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 6952 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 6953 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 6954 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 6955 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 6956 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 6957 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 6958 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 6959 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 6960 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 6961 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 6962 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 6963 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 6964 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 6965 LSM_HOOK_INIT(path_notify, selinux_path_notify), 6966 6967 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security), 6968 6969 LSM_HOOK_INIT(file_permission, selinux_file_permission), 6970 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 6971 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 6972 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 6973 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 6974 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 6975 LSM_HOOK_INIT(file_lock, selinux_file_lock), 6976 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 6977 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 6978 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 6979 LSM_HOOK_INIT(file_receive, selinux_file_receive), 6980 6981 LSM_HOOK_INIT(file_open, selinux_file_open), 6982 6983 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 6984 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6985 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6986 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 6987 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6988 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6989 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6990 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 6991 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 6992 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 6993 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 6994 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 6995 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), 6996 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 6997 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 6998 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 6999 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 7000 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 7001 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 7002 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 7003 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 7004 LSM_HOOK_INIT(task_kill, selinux_task_kill), 7005 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 7006 7007 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 7008 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 7009 7010 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 7011 7012 LSM_HOOK_INIT(msg_queue_alloc_security, 7013 selinux_msg_queue_alloc_security), 7014 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 7015 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 7016 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 7017 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 7018 7019 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 7020 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 7021 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 7022 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 7023 7024 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 7025 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 7026 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 7027 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 7028 7029 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 7030 7031 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 7032 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 7033 7034 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 7035 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 7036 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 7037 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 7038 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 7039 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 7040 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 7041 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 7042 7043 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 7044 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 7045 7046 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7047 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7048 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), 7049 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7050 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7051 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7052 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7053 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7054 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7055 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7056 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7057 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7058 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7059 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7060 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7061 LSM_HOOK_INIT(socket_getpeersec_stream, 7062 selinux_socket_getpeersec_stream), 7063 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7064 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7065 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7066 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7067 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7068 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7069 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7070 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7071 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7072 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7073 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7074 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7075 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7076 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7077 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7078 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7079 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7080 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 7081 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7082 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7083 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7084 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7085 #ifdef CONFIG_SECURITY_INFINIBAND 7086 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7087 LSM_HOOK_INIT(ib_endport_manage_subnet, 7088 selinux_ib_endport_manage_subnet), 7089 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7090 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 7091 #endif 7092 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7093 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7094 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7095 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7096 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7097 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7098 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7099 selinux_xfrm_state_alloc_acquire), 7100 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7101 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7102 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7103 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7104 selinux_xfrm_state_pol_flow_match), 7105 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7106 #endif 7107 7108 #ifdef CONFIG_KEYS 7109 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7110 LSM_HOOK_INIT(key_free, selinux_key_free), 7111 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7112 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7113 #endif 7114 7115 #ifdef CONFIG_AUDIT 7116 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7117 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7118 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7119 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7120 #endif 7121 7122 #ifdef CONFIG_BPF_SYSCALL 7123 LSM_HOOK_INIT(bpf, selinux_bpf), 7124 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7125 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7126 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), 7127 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), 7128 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free), 7129 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free), 7130 #endif 7131 7132 #ifdef CONFIG_PERF_EVENTS 7133 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open), 7134 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), 7135 LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free), 7136 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read), 7137 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write), 7138 #endif 7139 7140 LSM_HOOK_INIT(locked_down, selinux_lockdown), 7141 }; 7142 7143 static __init int selinux_init(void) 7144 { 7145 pr_info("SELinux: Initializing.\n"); 7146 7147 memset(&selinux_state, 0, sizeof(selinux_state)); 7148 enforcing_set(&selinux_state, selinux_enforcing_boot); 7149 selinux_state.checkreqprot = selinux_checkreqprot_boot; 7150 selinux_ss_init(&selinux_state.ss); 7151 selinux_avc_init(&selinux_state.avc); 7152 7153 /* Set the security state for the initial task. */ 7154 cred_init_security(); 7155 7156 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7157 7158 avc_init(); 7159 7160 avtab_cache_init(); 7161 7162 ebitmap_cache_init(); 7163 7164 hashtab_cache_init(); 7165 7166 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 7167 7168 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7169 panic("SELinux: Unable to register AVC netcache callback\n"); 7170 7171 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7172 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7173 7174 if (selinux_enforcing_boot) 7175 pr_debug("SELinux: Starting in enforcing mode\n"); 7176 else 7177 pr_debug("SELinux: Starting in permissive mode\n"); 7178 7179 fs_validate_description(&selinux_fs_parameters); 7180 7181 return 0; 7182 } 7183 7184 static void delayed_superblock_init(struct super_block *sb, void *unused) 7185 { 7186 selinux_set_mnt_opts(sb, NULL, 0, NULL); 7187 } 7188 7189 void selinux_complete_init(void) 7190 { 7191 pr_debug("SELinux: Completing initialization.\n"); 7192 7193 /* Set up any superblocks initialized prior to the policy load. */ 7194 pr_debug("SELinux: Setting up existing superblocks.\n"); 7195 iterate_supers(delayed_superblock_init, NULL); 7196 } 7197 7198 /* SELinux requires early initialization in order to label 7199 all processes and objects when they are created. */ 7200 DEFINE_LSM(selinux) = { 7201 .name = "selinux", 7202 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 7203 .enabled = &selinux_enabled, 7204 .blobs = &selinux_blob_sizes, 7205 .init = selinux_init, 7206 }; 7207 7208 #if defined(CONFIG_NETFILTER) 7209 7210 static const struct nf_hook_ops selinux_nf_ops[] = { 7211 { 7212 .hook = selinux_ipv4_postroute, 7213 .pf = NFPROTO_IPV4, 7214 .hooknum = NF_INET_POST_ROUTING, 7215 .priority = NF_IP_PRI_SELINUX_LAST, 7216 }, 7217 { 7218 .hook = selinux_ipv4_forward, 7219 .pf = NFPROTO_IPV4, 7220 .hooknum = NF_INET_FORWARD, 7221 .priority = NF_IP_PRI_SELINUX_FIRST, 7222 }, 7223 { 7224 .hook = selinux_ipv4_output, 7225 .pf = NFPROTO_IPV4, 7226 .hooknum = NF_INET_LOCAL_OUT, 7227 .priority = NF_IP_PRI_SELINUX_FIRST, 7228 }, 7229 #if IS_ENABLED(CONFIG_IPV6) 7230 { 7231 .hook = selinux_ipv6_postroute, 7232 .pf = NFPROTO_IPV6, 7233 .hooknum = NF_INET_POST_ROUTING, 7234 .priority = NF_IP6_PRI_SELINUX_LAST, 7235 }, 7236 { 7237 .hook = selinux_ipv6_forward, 7238 .pf = NFPROTO_IPV6, 7239 .hooknum = NF_INET_FORWARD, 7240 .priority = NF_IP6_PRI_SELINUX_FIRST, 7241 }, 7242 { 7243 .hook = selinux_ipv6_output, 7244 .pf = NFPROTO_IPV6, 7245 .hooknum = NF_INET_LOCAL_OUT, 7246 .priority = NF_IP6_PRI_SELINUX_FIRST, 7247 }, 7248 #endif /* IPV6 */ 7249 }; 7250 7251 static int __net_init selinux_nf_register(struct net *net) 7252 { 7253 return nf_register_net_hooks(net, selinux_nf_ops, 7254 ARRAY_SIZE(selinux_nf_ops)); 7255 } 7256 7257 static void __net_exit selinux_nf_unregister(struct net *net) 7258 { 7259 nf_unregister_net_hooks(net, selinux_nf_ops, 7260 ARRAY_SIZE(selinux_nf_ops)); 7261 } 7262 7263 static struct pernet_operations selinux_net_ops = { 7264 .init = selinux_nf_register, 7265 .exit = selinux_nf_unregister, 7266 }; 7267 7268 static int __init selinux_nf_ip_init(void) 7269 { 7270 int err; 7271 7272 if (!selinux_enabled) 7273 return 0; 7274 7275 pr_debug("SELinux: Registering netfilter hooks\n"); 7276 7277 err = register_pernet_subsys(&selinux_net_ops); 7278 if (err) 7279 panic("SELinux: register_pernet_subsys: error %d\n", err); 7280 7281 return 0; 7282 } 7283 __initcall(selinux_nf_ip_init); 7284 7285 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7286 static void selinux_nf_ip_exit(void) 7287 { 7288 pr_debug("SELinux: Unregistering netfilter hooks\n"); 7289 7290 unregister_pernet_subsys(&selinux_net_ops); 7291 } 7292 #endif 7293 7294 #else /* CONFIG_NETFILTER */ 7295 7296 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7297 #define selinux_nf_ip_exit() 7298 #endif 7299 7300 #endif /* CONFIG_NETFILTER */ 7301 7302 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7303 int selinux_disable(struct selinux_state *state) 7304 { 7305 if (state->initialized) { 7306 /* Not permitted after initial policy load. */ 7307 return -EINVAL; 7308 } 7309 7310 if (state->disabled) { 7311 /* Only do this once. */ 7312 return -EINVAL; 7313 } 7314 7315 state->disabled = 1; 7316 7317 pr_info("SELinux: Disabled at runtime.\n"); 7318 7319 selinux_enabled = 0; 7320 7321 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7322 7323 /* Try to destroy the avc node cache */ 7324 avc_disable(); 7325 7326 /* Unregister netfilter hooks. */ 7327 selinux_nf_ip_exit(); 7328 7329 /* Unregister selinuxfs. */ 7330 exit_sel_fs(); 7331 7332 return 0; 7333 } 7334 #endif 7335