1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * Copyright (C) 2016 Mellanox Technologies 21 * 22 * This program is free software; you can redistribute it and/or modify 23 * it under the terms of the GNU General Public License version 2, 24 * as published by the Free Software Foundation. 25 */ 26 27 #include <linux/init.h> 28 #include <linux/kd.h> 29 #include <linux/kernel.h> 30 #include <linux/tracehook.h> 31 #include <linux/errno.h> 32 #include <linux/sched/signal.h> 33 #include <linux/sched/task.h> 34 #include <linux/lsm_hooks.h> 35 #include <linux/xattr.h> 36 #include <linux/capability.h> 37 #include <linux/unistd.h> 38 #include <linux/mm.h> 39 #include <linux/mman.h> 40 #include <linux/slab.h> 41 #include <linux/pagemap.h> 42 #include <linux/proc_fs.h> 43 #include <linux/swap.h> 44 #include <linux/spinlock.h> 45 #include <linux/syscalls.h> 46 #include <linux/dcache.h> 47 #include <linux/file.h> 48 #include <linux/fdtable.h> 49 #include <linux/namei.h> 50 #include <linux/mount.h> 51 #include <linux/netfilter_ipv4.h> 52 #include <linux/netfilter_ipv6.h> 53 #include <linux/tty.h> 54 #include <net/icmp.h> 55 #include <net/ip.h> /* for local_port_range[] */ 56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 57 #include <net/inet_connection_sock.h> 58 #include <net/net_namespace.h> 59 #include <net/netlabel.h> 60 #include <linux/uaccess.h> 61 #include <asm/ioctls.h> 62 #include <linux/atomic.h> 63 #include <linux/bitops.h> 64 #include <linux/interrupt.h> 65 #include <linux/netdevice.h> /* for network interface checks */ 66 #include <net/netlink.h> 67 #include <linux/tcp.h> 68 #include <linux/udp.h> 69 #include <linux/dccp.h> 70 #include <linux/quota.h> 71 #include <linux/un.h> /* for Unix socket types */ 72 #include <net/af_unix.h> /* for Unix socket types */ 73 #include <linux/parser.h> 74 #include <linux/nfs_mount.h> 75 #include <net/ipv6.h> 76 #include <linux/hugetlb.h> 77 #include <linux/personality.h> 78 #include <linux/audit.h> 79 #include <linux/string.h> 80 #include <linux/selinux.h> 81 #include <linux/mutex.h> 82 #include <linux/posix-timers.h> 83 #include <linux/syslog.h> 84 #include <linux/user_namespace.h> 85 #include <linux/export.h> 86 #include <linux/msg.h> 87 #include <linux/shm.h> 88 89 #include "avc.h" 90 #include "objsec.h" 91 #include "netif.h" 92 #include "netnode.h" 93 #include "netport.h" 94 #include "ibpkey.h" 95 #include "xfrm.h" 96 #include "netlabel.h" 97 #include "audit.h" 98 #include "avc_ss.h" 99 100 /* SECMARK reference count */ 101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 102 103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 104 int selinux_enforcing; 105 106 static int __init enforcing_setup(char *str) 107 { 108 unsigned long enforcing; 109 if (!kstrtoul(str, 0, &enforcing)) 110 selinux_enforcing = enforcing ? 1 : 0; 111 return 1; 112 } 113 __setup("enforcing=", enforcing_setup); 114 #endif 115 116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 118 119 static int __init selinux_enabled_setup(char *str) 120 { 121 unsigned long enabled; 122 if (!kstrtoul(str, 0, &enabled)) 123 selinux_enabled = enabled ? 1 : 0; 124 return 1; 125 } 126 __setup("selinux=", selinux_enabled_setup); 127 #else 128 int selinux_enabled = 1; 129 #endif 130 131 static struct kmem_cache *sel_inode_cache; 132 static struct kmem_cache *file_security_cache; 133 134 /** 135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 136 * 137 * Description: 138 * This function checks the SECMARK reference counter to see if any SECMARK 139 * targets are currently configured, if the reference counter is greater than 140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 141 * enabled, false (0) if SECMARK is disabled. If the always_check_network 142 * policy capability is enabled, SECMARK is always considered enabled. 143 * 144 */ 145 static int selinux_secmark_enabled(void) 146 { 147 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount)); 148 } 149 150 /** 151 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 152 * 153 * Description: 154 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 155 * (1) if any are enabled or false (0) if neither are enabled. If the 156 * always_check_network policy capability is enabled, peer labeling 157 * is always considered enabled. 158 * 159 */ 160 static int selinux_peerlbl_enabled(void) 161 { 162 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled()); 163 } 164 165 static int selinux_netcache_avc_callback(u32 event) 166 { 167 if (event == AVC_CALLBACK_RESET) { 168 sel_netif_flush(); 169 sel_netnode_flush(); 170 sel_netport_flush(); 171 synchronize_net(); 172 } 173 return 0; 174 } 175 176 static int selinux_lsm_notifier_avc_callback(u32 event) 177 { 178 if (event == AVC_CALLBACK_RESET) { 179 sel_ib_pkey_flush(); 180 call_lsm_notifier(LSM_POLICY_CHANGE, NULL); 181 } 182 183 return 0; 184 } 185 186 /* 187 * initialise the security for the init task 188 */ 189 static void cred_init_security(void) 190 { 191 struct cred *cred = (struct cred *) current->real_cred; 192 struct task_security_struct *tsec; 193 194 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 195 if (!tsec) 196 panic("SELinux: Failed to initialize initial task.\n"); 197 198 tsec->osid = tsec->sid = SECINITSID_KERNEL; 199 cred->security = tsec; 200 } 201 202 /* 203 * get the security ID of a set of credentials 204 */ 205 static inline u32 cred_sid(const struct cred *cred) 206 { 207 const struct task_security_struct *tsec; 208 209 tsec = cred->security; 210 return tsec->sid; 211 } 212 213 /* 214 * get the objective security ID of a task 215 */ 216 static inline u32 task_sid(const struct task_struct *task) 217 { 218 u32 sid; 219 220 rcu_read_lock(); 221 sid = cred_sid(__task_cred(task)); 222 rcu_read_unlock(); 223 return sid; 224 } 225 226 /* Allocate and free functions for each kind of security blob. */ 227 228 static int inode_alloc_security(struct inode *inode) 229 { 230 struct inode_security_struct *isec; 231 u32 sid = current_sid(); 232 233 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 234 if (!isec) 235 return -ENOMEM; 236 237 spin_lock_init(&isec->lock); 238 INIT_LIST_HEAD(&isec->list); 239 isec->inode = inode; 240 isec->sid = SECINITSID_UNLABELED; 241 isec->sclass = SECCLASS_FILE; 242 isec->task_sid = sid; 243 isec->initialized = LABEL_INVALID; 244 inode->i_security = isec; 245 246 return 0; 247 } 248 249 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 250 251 /* 252 * Try reloading inode security labels that have been marked as invalid. The 253 * @may_sleep parameter indicates when sleeping and thus reloading labels is 254 * allowed; when set to false, returns -ECHILD when the label is 255 * invalid. The @opt_dentry parameter should be set to a dentry of the inode; 256 * when no dentry is available, set it to NULL instead. 257 */ 258 static int __inode_security_revalidate(struct inode *inode, 259 struct dentry *opt_dentry, 260 bool may_sleep) 261 { 262 struct inode_security_struct *isec = inode->i_security; 263 264 might_sleep_if(may_sleep); 265 266 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) { 267 if (!may_sleep) 268 return -ECHILD; 269 270 /* 271 * Try reloading the inode security label. This will fail if 272 * @opt_dentry is NULL and no dentry for this inode can be 273 * found; in that case, continue using the old label. 274 */ 275 inode_doinit_with_dentry(inode, opt_dentry); 276 } 277 return 0; 278 } 279 280 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 281 { 282 return inode->i_security; 283 } 284 285 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 286 { 287 int error; 288 289 error = __inode_security_revalidate(inode, NULL, !rcu); 290 if (error) 291 return ERR_PTR(error); 292 return inode->i_security; 293 } 294 295 /* 296 * Get the security label of an inode. 297 */ 298 static struct inode_security_struct *inode_security(struct inode *inode) 299 { 300 __inode_security_revalidate(inode, NULL, true); 301 return inode->i_security; 302 } 303 304 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 305 { 306 struct inode *inode = d_backing_inode(dentry); 307 308 return inode->i_security; 309 } 310 311 /* 312 * Get the security label of a dentry's backing inode. 313 */ 314 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 315 { 316 struct inode *inode = d_backing_inode(dentry); 317 318 __inode_security_revalidate(inode, dentry, true); 319 return inode->i_security; 320 } 321 322 static void inode_free_rcu(struct rcu_head *head) 323 { 324 struct inode_security_struct *isec; 325 326 isec = container_of(head, struct inode_security_struct, rcu); 327 kmem_cache_free(sel_inode_cache, isec); 328 } 329 330 static void inode_free_security(struct inode *inode) 331 { 332 struct inode_security_struct *isec = inode->i_security; 333 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 334 335 /* 336 * As not all inode security structures are in a list, we check for 337 * empty list outside of the lock to make sure that we won't waste 338 * time taking a lock doing nothing. 339 * 340 * The list_del_init() function can be safely called more than once. 341 * It should not be possible for this function to be called with 342 * concurrent list_add(), but for better safety against future changes 343 * in the code, we use list_empty_careful() here. 344 */ 345 if (!list_empty_careful(&isec->list)) { 346 spin_lock(&sbsec->isec_lock); 347 list_del_init(&isec->list); 348 spin_unlock(&sbsec->isec_lock); 349 } 350 351 /* 352 * The inode may still be referenced in a path walk and 353 * a call to selinux_inode_permission() can be made 354 * after inode_free_security() is called. Ideally, the VFS 355 * wouldn't do this, but fixing that is a much harder 356 * job. For now, simply free the i_security via RCU, and 357 * leave the current inode->i_security pointer intact. 358 * The inode will be freed after the RCU grace period too. 359 */ 360 call_rcu(&isec->rcu, inode_free_rcu); 361 } 362 363 static int file_alloc_security(struct file *file) 364 { 365 struct file_security_struct *fsec; 366 u32 sid = current_sid(); 367 368 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); 369 if (!fsec) 370 return -ENOMEM; 371 372 fsec->sid = sid; 373 fsec->fown_sid = sid; 374 file->f_security = fsec; 375 376 return 0; 377 } 378 379 static void file_free_security(struct file *file) 380 { 381 struct file_security_struct *fsec = file->f_security; 382 file->f_security = NULL; 383 kmem_cache_free(file_security_cache, fsec); 384 } 385 386 static int superblock_alloc_security(struct super_block *sb) 387 { 388 struct superblock_security_struct *sbsec; 389 390 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 391 if (!sbsec) 392 return -ENOMEM; 393 394 mutex_init(&sbsec->lock); 395 INIT_LIST_HEAD(&sbsec->isec_head); 396 spin_lock_init(&sbsec->isec_lock); 397 sbsec->sb = sb; 398 sbsec->sid = SECINITSID_UNLABELED; 399 sbsec->def_sid = SECINITSID_FILE; 400 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 401 sb->s_security = sbsec; 402 403 return 0; 404 } 405 406 static void superblock_free_security(struct super_block *sb) 407 { 408 struct superblock_security_struct *sbsec = sb->s_security; 409 sb->s_security = NULL; 410 kfree(sbsec); 411 } 412 413 static inline int inode_doinit(struct inode *inode) 414 { 415 return inode_doinit_with_dentry(inode, NULL); 416 } 417 418 enum { 419 Opt_error = -1, 420 Opt_context = 1, 421 Opt_fscontext = 2, 422 Opt_defcontext = 3, 423 Opt_rootcontext = 4, 424 Opt_labelsupport = 5, 425 Opt_nextmntopt = 6, 426 }; 427 428 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1) 429 430 static const match_table_t tokens = { 431 {Opt_context, CONTEXT_STR "%s"}, 432 {Opt_fscontext, FSCONTEXT_STR "%s"}, 433 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 434 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 435 {Opt_labelsupport, LABELSUPP_STR}, 436 {Opt_error, NULL}, 437 }; 438 439 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 440 441 static int may_context_mount_sb_relabel(u32 sid, 442 struct superblock_security_struct *sbsec, 443 const struct cred *cred) 444 { 445 const struct task_security_struct *tsec = cred->security; 446 int rc; 447 448 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 449 FILESYSTEM__RELABELFROM, NULL); 450 if (rc) 451 return rc; 452 453 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 454 FILESYSTEM__RELABELTO, NULL); 455 return rc; 456 } 457 458 static int may_context_mount_inode_relabel(u32 sid, 459 struct superblock_security_struct *sbsec, 460 const struct cred *cred) 461 { 462 const struct task_security_struct *tsec = cred->security; 463 int rc; 464 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 465 FILESYSTEM__RELABELFROM, NULL); 466 if (rc) 467 return rc; 468 469 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 470 FILESYSTEM__ASSOCIATE, NULL); 471 return rc; 472 } 473 474 static int selinux_is_sblabel_mnt(struct super_block *sb) 475 { 476 struct superblock_security_struct *sbsec = sb->s_security; 477 478 return sbsec->behavior == SECURITY_FS_USE_XATTR || 479 sbsec->behavior == SECURITY_FS_USE_TRANS || 480 sbsec->behavior == SECURITY_FS_USE_TASK || 481 sbsec->behavior == SECURITY_FS_USE_NATIVE || 482 /* Special handling. Genfs but also in-core setxattr handler */ 483 !strcmp(sb->s_type->name, "sysfs") || 484 !strcmp(sb->s_type->name, "pstore") || 485 !strcmp(sb->s_type->name, "debugfs") || 486 !strcmp(sb->s_type->name, "tracefs") || 487 !strcmp(sb->s_type->name, "rootfs") || 488 (selinux_policycap_cgroupseclabel && 489 (!strcmp(sb->s_type->name, "cgroup") || 490 !strcmp(sb->s_type->name, "cgroup2"))); 491 } 492 493 static int sb_finish_set_opts(struct super_block *sb) 494 { 495 struct superblock_security_struct *sbsec = sb->s_security; 496 struct dentry *root = sb->s_root; 497 struct inode *root_inode = d_backing_inode(root); 498 int rc = 0; 499 500 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 501 /* Make sure that the xattr handler exists and that no 502 error other than -ENODATA is returned by getxattr on 503 the root directory. -ENODATA is ok, as this may be 504 the first boot of the SELinux kernel before we have 505 assigned xattr values to the filesystem. */ 506 if (!(root_inode->i_opflags & IOP_XATTR)) { 507 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 508 "xattr support\n", sb->s_id, sb->s_type->name); 509 rc = -EOPNOTSUPP; 510 goto out; 511 } 512 513 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 514 if (rc < 0 && rc != -ENODATA) { 515 if (rc == -EOPNOTSUPP) 516 printk(KERN_WARNING "SELinux: (dev %s, type " 517 "%s) has no security xattr handler\n", 518 sb->s_id, sb->s_type->name); 519 else 520 printk(KERN_WARNING "SELinux: (dev %s, type " 521 "%s) getxattr errno %d\n", sb->s_id, 522 sb->s_type->name, -rc); 523 goto out; 524 } 525 } 526 527 sbsec->flags |= SE_SBINITIALIZED; 528 529 /* 530 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 531 * leave the flag untouched because sb_clone_mnt_opts might be handing 532 * us a superblock that needs the flag to be cleared. 533 */ 534 if (selinux_is_sblabel_mnt(sb)) 535 sbsec->flags |= SBLABEL_MNT; 536 else 537 sbsec->flags &= ~SBLABEL_MNT; 538 539 /* Initialize the root inode. */ 540 rc = inode_doinit_with_dentry(root_inode, root); 541 542 /* Initialize any other inodes associated with the superblock, e.g. 543 inodes created prior to initial policy load or inodes created 544 during get_sb by a pseudo filesystem that directly 545 populates itself. */ 546 spin_lock(&sbsec->isec_lock); 547 next_inode: 548 if (!list_empty(&sbsec->isec_head)) { 549 struct inode_security_struct *isec = 550 list_entry(sbsec->isec_head.next, 551 struct inode_security_struct, list); 552 struct inode *inode = isec->inode; 553 list_del_init(&isec->list); 554 spin_unlock(&sbsec->isec_lock); 555 inode = igrab(inode); 556 if (inode) { 557 if (!IS_PRIVATE(inode)) 558 inode_doinit(inode); 559 iput(inode); 560 } 561 spin_lock(&sbsec->isec_lock); 562 goto next_inode; 563 } 564 spin_unlock(&sbsec->isec_lock); 565 out: 566 return rc; 567 } 568 569 /* 570 * This function should allow an FS to ask what it's mount security 571 * options were so it can use those later for submounts, displaying 572 * mount options, or whatever. 573 */ 574 static int selinux_get_mnt_opts(const struct super_block *sb, 575 struct security_mnt_opts *opts) 576 { 577 int rc = 0, i; 578 struct superblock_security_struct *sbsec = sb->s_security; 579 char *context = NULL; 580 u32 len; 581 char tmp; 582 583 security_init_mnt_opts(opts); 584 585 if (!(sbsec->flags & SE_SBINITIALIZED)) 586 return -EINVAL; 587 588 if (!ss_initialized) 589 return -EINVAL; 590 591 /* make sure we always check enough bits to cover the mask */ 592 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS)); 593 594 tmp = sbsec->flags & SE_MNTMASK; 595 /* count the number of mount options for this sb */ 596 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) { 597 if (tmp & 0x01) 598 opts->num_mnt_opts++; 599 tmp >>= 1; 600 } 601 /* Check if the Label support flag is set */ 602 if (sbsec->flags & SBLABEL_MNT) 603 opts->num_mnt_opts++; 604 605 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 606 if (!opts->mnt_opts) { 607 rc = -ENOMEM; 608 goto out_free; 609 } 610 611 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 612 if (!opts->mnt_opts_flags) { 613 rc = -ENOMEM; 614 goto out_free; 615 } 616 617 i = 0; 618 if (sbsec->flags & FSCONTEXT_MNT) { 619 rc = security_sid_to_context(sbsec->sid, &context, &len); 620 if (rc) 621 goto out_free; 622 opts->mnt_opts[i] = context; 623 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 624 } 625 if (sbsec->flags & CONTEXT_MNT) { 626 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 627 if (rc) 628 goto out_free; 629 opts->mnt_opts[i] = context; 630 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 631 } 632 if (sbsec->flags & DEFCONTEXT_MNT) { 633 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 634 if (rc) 635 goto out_free; 636 opts->mnt_opts[i] = context; 637 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 638 } 639 if (sbsec->flags & ROOTCONTEXT_MNT) { 640 struct dentry *root = sbsec->sb->s_root; 641 struct inode_security_struct *isec = backing_inode_security(root); 642 643 rc = security_sid_to_context(isec->sid, &context, &len); 644 if (rc) 645 goto out_free; 646 opts->mnt_opts[i] = context; 647 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 648 } 649 if (sbsec->flags & SBLABEL_MNT) { 650 opts->mnt_opts[i] = NULL; 651 opts->mnt_opts_flags[i++] = SBLABEL_MNT; 652 } 653 654 BUG_ON(i != opts->num_mnt_opts); 655 656 return 0; 657 658 out_free: 659 security_free_mnt_opts(opts); 660 return rc; 661 } 662 663 static int bad_option(struct superblock_security_struct *sbsec, char flag, 664 u32 old_sid, u32 new_sid) 665 { 666 char mnt_flags = sbsec->flags & SE_MNTMASK; 667 668 /* check if the old mount command had the same options */ 669 if (sbsec->flags & SE_SBINITIALIZED) 670 if (!(sbsec->flags & flag) || 671 (old_sid != new_sid)) 672 return 1; 673 674 /* check if we were passed the same options twice, 675 * aka someone passed context=a,context=b 676 */ 677 if (!(sbsec->flags & SE_SBINITIALIZED)) 678 if (mnt_flags & flag) 679 return 1; 680 return 0; 681 } 682 683 /* 684 * Allow filesystems with binary mount data to explicitly set mount point 685 * labeling information. 686 */ 687 static int selinux_set_mnt_opts(struct super_block *sb, 688 struct security_mnt_opts *opts, 689 unsigned long kern_flags, 690 unsigned long *set_kern_flags) 691 { 692 const struct cred *cred = current_cred(); 693 int rc = 0, i; 694 struct superblock_security_struct *sbsec = sb->s_security; 695 const char *name = sb->s_type->name; 696 struct dentry *root = sbsec->sb->s_root; 697 struct inode_security_struct *root_isec; 698 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 699 u32 defcontext_sid = 0; 700 char **mount_options = opts->mnt_opts; 701 int *flags = opts->mnt_opts_flags; 702 int num_opts = opts->num_mnt_opts; 703 704 mutex_lock(&sbsec->lock); 705 706 if (!ss_initialized) { 707 if (!num_opts) { 708 /* Defer initialization until selinux_complete_init, 709 after the initial policy is loaded and the security 710 server is ready to handle calls. */ 711 goto out; 712 } 713 rc = -EINVAL; 714 printk(KERN_WARNING "SELinux: Unable to set superblock options " 715 "before the security server is initialized\n"); 716 goto out; 717 } 718 if (kern_flags && !set_kern_flags) { 719 /* Specifying internal flags without providing a place to 720 * place the results is not allowed */ 721 rc = -EINVAL; 722 goto out; 723 } 724 725 /* 726 * Binary mount data FS will come through this function twice. Once 727 * from an explicit call and once from the generic calls from the vfs. 728 * Since the generic VFS calls will not contain any security mount data 729 * we need to skip the double mount verification. 730 * 731 * This does open a hole in which we will not notice if the first 732 * mount using this sb set explict options and a second mount using 733 * this sb does not set any security options. (The first options 734 * will be used for both mounts) 735 */ 736 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 737 && (num_opts == 0)) 738 goto out; 739 740 root_isec = backing_inode_security_novalidate(root); 741 742 /* 743 * parse the mount options, check if they are valid sids. 744 * also check if someone is trying to mount the same sb more 745 * than once with different security options. 746 */ 747 for (i = 0; i < num_opts; i++) { 748 u32 sid; 749 750 if (flags[i] == SBLABEL_MNT) 751 continue; 752 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 753 if (rc) { 754 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 755 "(%s) failed for (dev %s, type %s) errno=%d\n", 756 mount_options[i], sb->s_id, name, rc); 757 goto out; 758 } 759 switch (flags[i]) { 760 case FSCONTEXT_MNT: 761 fscontext_sid = sid; 762 763 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 764 fscontext_sid)) 765 goto out_double_mount; 766 767 sbsec->flags |= FSCONTEXT_MNT; 768 break; 769 case CONTEXT_MNT: 770 context_sid = sid; 771 772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 773 context_sid)) 774 goto out_double_mount; 775 776 sbsec->flags |= CONTEXT_MNT; 777 break; 778 case ROOTCONTEXT_MNT: 779 rootcontext_sid = sid; 780 781 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 782 rootcontext_sid)) 783 goto out_double_mount; 784 785 sbsec->flags |= ROOTCONTEXT_MNT; 786 787 break; 788 case DEFCONTEXT_MNT: 789 defcontext_sid = sid; 790 791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 792 defcontext_sid)) 793 goto out_double_mount; 794 795 sbsec->flags |= DEFCONTEXT_MNT; 796 797 break; 798 default: 799 rc = -EINVAL; 800 goto out; 801 } 802 } 803 804 if (sbsec->flags & SE_SBINITIALIZED) { 805 /* previously mounted with options, but not on this attempt? */ 806 if ((sbsec->flags & SE_MNTMASK) && !num_opts) 807 goto out_double_mount; 808 rc = 0; 809 goto out; 810 } 811 812 if (strcmp(sb->s_type->name, "proc") == 0) 813 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 814 815 if (!strcmp(sb->s_type->name, "debugfs") || 816 !strcmp(sb->s_type->name, "tracefs") || 817 !strcmp(sb->s_type->name, "sysfs") || 818 !strcmp(sb->s_type->name, "pstore") || 819 !strcmp(sb->s_type->name, "cgroup") || 820 !strcmp(sb->s_type->name, "cgroup2")) 821 sbsec->flags |= SE_SBGENFS; 822 823 if (!sbsec->behavior) { 824 /* 825 * Determine the labeling behavior to use for this 826 * filesystem type. 827 */ 828 rc = security_fs_use(sb); 829 if (rc) { 830 printk(KERN_WARNING 831 "%s: security_fs_use(%s) returned %d\n", 832 __func__, sb->s_type->name, rc); 833 goto out; 834 } 835 } 836 837 /* 838 * If this is a user namespace mount and the filesystem type is not 839 * explicitly whitelisted, then no contexts are allowed on the command 840 * line and security labels must be ignored. 841 */ 842 if (sb->s_user_ns != &init_user_ns && 843 strcmp(sb->s_type->name, "tmpfs") && 844 strcmp(sb->s_type->name, "ramfs") && 845 strcmp(sb->s_type->name, "devpts")) { 846 if (context_sid || fscontext_sid || rootcontext_sid || 847 defcontext_sid) { 848 rc = -EACCES; 849 goto out; 850 } 851 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 852 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 853 rc = security_transition_sid(current_sid(), current_sid(), 854 SECCLASS_FILE, NULL, 855 &sbsec->mntpoint_sid); 856 if (rc) 857 goto out; 858 } 859 goto out_set_opts; 860 } 861 862 /* sets the context of the superblock for the fs being mounted. */ 863 if (fscontext_sid) { 864 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 865 if (rc) 866 goto out; 867 868 sbsec->sid = fscontext_sid; 869 } 870 871 /* 872 * Switch to using mount point labeling behavior. 873 * sets the label used on all file below the mountpoint, and will set 874 * the superblock context if not already set. 875 */ 876 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 877 sbsec->behavior = SECURITY_FS_USE_NATIVE; 878 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 879 } 880 881 if (context_sid) { 882 if (!fscontext_sid) { 883 rc = may_context_mount_sb_relabel(context_sid, sbsec, 884 cred); 885 if (rc) 886 goto out; 887 sbsec->sid = context_sid; 888 } else { 889 rc = may_context_mount_inode_relabel(context_sid, sbsec, 890 cred); 891 if (rc) 892 goto out; 893 } 894 if (!rootcontext_sid) 895 rootcontext_sid = context_sid; 896 897 sbsec->mntpoint_sid = context_sid; 898 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 899 } 900 901 if (rootcontext_sid) { 902 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 903 cred); 904 if (rc) 905 goto out; 906 907 root_isec->sid = rootcontext_sid; 908 root_isec->initialized = LABEL_INITIALIZED; 909 } 910 911 if (defcontext_sid) { 912 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 913 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 914 rc = -EINVAL; 915 printk(KERN_WARNING "SELinux: defcontext option is " 916 "invalid for this filesystem type\n"); 917 goto out; 918 } 919 920 if (defcontext_sid != sbsec->def_sid) { 921 rc = may_context_mount_inode_relabel(defcontext_sid, 922 sbsec, cred); 923 if (rc) 924 goto out; 925 } 926 927 sbsec->def_sid = defcontext_sid; 928 } 929 930 out_set_opts: 931 rc = sb_finish_set_opts(sb); 932 out: 933 mutex_unlock(&sbsec->lock); 934 return rc; 935 out_double_mount: 936 rc = -EINVAL; 937 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 938 "security settings for (dev %s, type %s)\n", sb->s_id, name); 939 goto out; 940 } 941 942 static int selinux_cmp_sb_context(const struct super_block *oldsb, 943 const struct super_block *newsb) 944 { 945 struct superblock_security_struct *old = oldsb->s_security; 946 struct superblock_security_struct *new = newsb->s_security; 947 char oldflags = old->flags & SE_MNTMASK; 948 char newflags = new->flags & SE_MNTMASK; 949 950 if (oldflags != newflags) 951 goto mismatch; 952 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 953 goto mismatch; 954 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 955 goto mismatch; 956 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 957 goto mismatch; 958 if (oldflags & ROOTCONTEXT_MNT) { 959 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 960 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 961 if (oldroot->sid != newroot->sid) 962 goto mismatch; 963 } 964 return 0; 965 mismatch: 966 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, " 967 "different security settings for (dev %s, " 968 "type %s)\n", newsb->s_id, newsb->s_type->name); 969 return -EBUSY; 970 } 971 972 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 973 struct super_block *newsb, 974 unsigned long kern_flags, 975 unsigned long *set_kern_flags) 976 { 977 int rc = 0; 978 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 979 struct superblock_security_struct *newsbsec = newsb->s_security; 980 981 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 982 int set_context = (oldsbsec->flags & CONTEXT_MNT); 983 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 984 985 /* 986 * if the parent was able to be mounted it clearly had no special lsm 987 * mount options. thus we can safely deal with this superblock later 988 */ 989 if (!ss_initialized) 990 return 0; 991 992 /* 993 * Specifying internal flags without providing a place to 994 * place the results is not allowed. 995 */ 996 if (kern_flags && !set_kern_flags) 997 return -EINVAL; 998 999 /* how can we clone if the old one wasn't set up?? */ 1000 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 1001 1002 /* if fs is reusing a sb, make sure that the contexts match */ 1003 if (newsbsec->flags & SE_SBINITIALIZED) 1004 return selinux_cmp_sb_context(oldsb, newsb); 1005 1006 mutex_lock(&newsbsec->lock); 1007 1008 newsbsec->flags = oldsbsec->flags; 1009 1010 newsbsec->sid = oldsbsec->sid; 1011 newsbsec->def_sid = oldsbsec->def_sid; 1012 newsbsec->behavior = oldsbsec->behavior; 1013 1014 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 1015 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 1016 rc = security_fs_use(newsb); 1017 if (rc) 1018 goto out; 1019 } 1020 1021 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 1022 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 1023 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 1024 } 1025 1026 if (set_context) { 1027 u32 sid = oldsbsec->mntpoint_sid; 1028 1029 if (!set_fscontext) 1030 newsbsec->sid = sid; 1031 if (!set_rootcontext) { 1032 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1033 newisec->sid = sid; 1034 } 1035 newsbsec->mntpoint_sid = sid; 1036 } 1037 if (set_rootcontext) { 1038 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 1039 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1040 1041 newisec->sid = oldisec->sid; 1042 } 1043 1044 sb_finish_set_opts(newsb); 1045 out: 1046 mutex_unlock(&newsbsec->lock); 1047 return rc; 1048 } 1049 1050 static int selinux_parse_opts_str(char *options, 1051 struct security_mnt_opts *opts) 1052 { 1053 char *p; 1054 char *context = NULL, *defcontext = NULL; 1055 char *fscontext = NULL, *rootcontext = NULL; 1056 int rc, num_mnt_opts = 0; 1057 1058 opts->num_mnt_opts = 0; 1059 1060 /* Standard string-based options. */ 1061 while ((p = strsep(&options, "|")) != NULL) { 1062 int token; 1063 substring_t args[MAX_OPT_ARGS]; 1064 1065 if (!*p) 1066 continue; 1067 1068 token = match_token(p, tokens, args); 1069 1070 switch (token) { 1071 case Opt_context: 1072 if (context || defcontext) { 1073 rc = -EINVAL; 1074 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1075 goto out_err; 1076 } 1077 context = match_strdup(&args[0]); 1078 if (!context) { 1079 rc = -ENOMEM; 1080 goto out_err; 1081 } 1082 break; 1083 1084 case Opt_fscontext: 1085 if (fscontext) { 1086 rc = -EINVAL; 1087 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1088 goto out_err; 1089 } 1090 fscontext = match_strdup(&args[0]); 1091 if (!fscontext) { 1092 rc = -ENOMEM; 1093 goto out_err; 1094 } 1095 break; 1096 1097 case Opt_rootcontext: 1098 if (rootcontext) { 1099 rc = -EINVAL; 1100 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1101 goto out_err; 1102 } 1103 rootcontext = match_strdup(&args[0]); 1104 if (!rootcontext) { 1105 rc = -ENOMEM; 1106 goto out_err; 1107 } 1108 break; 1109 1110 case Opt_defcontext: 1111 if (context || defcontext) { 1112 rc = -EINVAL; 1113 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1114 goto out_err; 1115 } 1116 defcontext = match_strdup(&args[0]); 1117 if (!defcontext) { 1118 rc = -ENOMEM; 1119 goto out_err; 1120 } 1121 break; 1122 case Opt_labelsupport: 1123 break; 1124 default: 1125 rc = -EINVAL; 1126 printk(KERN_WARNING "SELinux: unknown mount option\n"); 1127 goto out_err; 1128 1129 } 1130 } 1131 1132 rc = -ENOMEM; 1133 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL); 1134 if (!opts->mnt_opts) 1135 goto out_err; 1136 1137 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), 1138 GFP_KERNEL); 1139 if (!opts->mnt_opts_flags) 1140 goto out_err; 1141 1142 if (fscontext) { 1143 opts->mnt_opts[num_mnt_opts] = fscontext; 1144 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 1145 } 1146 if (context) { 1147 opts->mnt_opts[num_mnt_opts] = context; 1148 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 1149 } 1150 if (rootcontext) { 1151 opts->mnt_opts[num_mnt_opts] = rootcontext; 1152 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 1153 } 1154 if (defcontext) { 1155 opts->mnt_opts[num_mnt_opts] = defcontext; 1156 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 1157 } 1158 1159 opts->num_mnt_opts = num_mnt_opts; 1160 return 0; 1161 1162 out_err: 1163 security_free_mnt_opts(opts); 1164 kfree(context); 1165 kfree(defcontext); 1166 kfree(fscontext); 1167 kfree(rootcontext); 1168 return rc; 1169 } 1170 /* 1171 * string mount options parsing and call set the sbsec 1172 */ 1173 static int superblock_doinit(struct super_block *sb, void *data) 1174 { 1175 int rc = 0; 1176 char *options = data; 1177 struct security_mnt_opts opts; 1178 1179 security_init_mnt_opts(&opts); 1180 1181 if (!data) 1182 goto out; 1183 1184 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 1185 1186 rc = selinux_parse_opts_str(options, &opts); 1187 if (rc) 1188 goto out_err; 1189 1190 out: 1191 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL); 1192 1193 out_err: 1194 security_free_mnt_opts(&opts); 1195 return rc; 1196 } 1197 1198 static void selinux_write_opts(struct seq_file *m, 1199 struct security_mnt_opts *opts) 1200 { 1201 int i; 1202 char *prefix; 1203 1204 for (i = 0; i < opts->num_mnt_opts; i++) { 1205 char *has_comma; 1206 1207 if (opts->mnt_opts[i]) 1208 has_comma = strchr(opts->mnt_opts[i], ','); 1209 else 1210 has_comma = NULL; 1211 1212 switch (opts->mnt_opts_flags[i]) { 1213 case CONTEXT_MNT: 1214 prefix = CONTEXT_STR; 1215 break; 1216 case FSCONTEXT_MNT: 1217 prefix = FSCONTEXT_STR; 1218 break; 1219 case ROOTCONTEXT_MNT: 1220 prefix = ROOTCONTEXT_STR; 1221 break; 1222 case DEFCONTEXT_MNT: 1223 prefix = DEFCONTEXT_STR; 1224 break; 1225 case SBLABEL_MNT: 1226 seq_putc(m, ','); 1227 seq_puts(m, LABELSUPP_STR); 1228 continue; 1229 default: 1230 BUG(); 1231 return; 1232 }; 1233 /* we need a comma before each option */ 1234 seq_putc(m, ','); 1235 seq_puts(m, prefix); 1236 if (has_comma) 1237 seq_putc(m, '\"'); 1238 seq_escape(m, opts->mnt_opts[i], "\"\n\\"); 1239 if (has_comma) 1240 seq_putc(m, '\"'); 1241 } 1242 } 1243 1244 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1245 { 1246 struct security_mnt_opts opts; 1247 int rc; 1248 1249 rc = selinux_get_mnt_opts(sb, &opts); 1250 if (rc) { 1251 /* before policy load we may get EINVAL, don't show anything */ 1252 if (rc == -EINVAL) 1253 rc = 0; 1254 return rc; 1255 } 1256 1257 selinux_write_opts(m, &opts); 1258 1259 security_free_mnt_opts(&opts); 1260 1261 return rc; 1262 } 1263 1264 static inline u16 inode_mode_to_security_class(umode_t mode) 1265 { 1266 switch (mode & S_IFMT) { 1267 case S_IFSOCK: 1268 return SECCLASS_SOCK_FILE; 1269 case S_IFLNK: 1270 return SECCLASS_LNK_FILE; 1271 case S_IFREG: 1272 return SECCLASS_FILE; 1273 case S_IFBLK: 1274 return SECCLASS_BLK_FILE; 1275 case S_IFDIR: 1276 return SECCLASS_DIR; 1277 case S_IFCHR: 1278 return SECCLASS_CHR_FILE; 1279 case S_IFIFO: 1280 return SECCLASS_FIFO_FILE; 1281 1282 } 1283 1284 return SECCLASS_FILE; 1285 } 1286 1287 static inline int default_protocol_stream(int protocol) 1288 { 1289 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1290 } 1291 1292 static inline int default_protocol_dgram(int protocol) 1293 { 1294 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1295 } 1296 1297 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1298 { 1299 int extsockclass = selinux_policycap_extsockclass; 1300 1301 switch (family) { 1302 case PF_UNIX: 1303 switch (type) { 1304 case SOCK_STREAM: 1305 case SOCK_SEQPACKET: 1306 return SECCLASS_UNIX_STREAM_SOCKET; 1307 case SOCK_DGRAM: 1308 case SOCK_RAW: 1309 return SECCLASS_UNIX_DGRAM_SOCKET; 1310 } 1311 break; 1312 case PF_INET: 1313 case PF_INET6: 1314 switch (type) { 1315 case SOCK_STREAM: 1316 case SOCK_SEQPACKET: 1317 if (default_protocol_stream(protocol)) 1318 return SECCLASS_TCP_SOCKET; 1319 else if (extsockclass && protocol == IPPROTO_SCTP) 1320 return SECCLASS_SCTP_SOCKET; 1321 else 1322 return SECCLASS_RAWIP_SOCKET; 1323 case SOCK_DGRAM: 1324 if (default_protocol_dgram(protocol)) 1325 return SECCLASS_UDP_SOCKET; 1326 else if (extsockclass && (protocol == IPPROTO_ICMP || 1327 protocol == IPPROTO_ICMPV6)) 1328 return SECCLASS_ICMP_SOCKET; 1329 else 1330 return SECCLASS_RAWIP_SOCKET; 1331 case SOCK_DCCP: 1332 return SECCLASS_DCCP_SOCKET; 1333 default: 1334 return SECCLASS_RAWIP_SOCKET; 1335 } 1336 break; 1337 case PF_NETLINK: 1338 switch (protocol) { 1339 case NETLINK_ROUTE: 1340 return SECCLASS_NETLINK_ROUTE_SOCKET; 1341 case NETLINK_SOCK_DIAG: 1342 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1343 case NETLINK_NFLOG: 1344 return SECCLASS_NETLINK_NFLOG_SOCKET; 1345 case NETLINK_XFRM: 1346 return SECCLASS_NETLINK_XFRM_SOCKET; 1347 case NETLINK_SELINUX: 1348 return SECCLASS_NETLINK_SELINUX_SOCKET; 1349 case NETLINK_ISCSI: 1350 return SECCLASS_NETLINK_ISCSI_SOCKET; 1351 case NETLINK_AUDIT: 1352 return SECCLASS_NETLINK_AUDIT_SOCKET; 1353 case NETLINK_FIB_LOOKUP: 1354 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1355 case NETLINK_CONNECTOR: 1356 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1357 case NETLINK_NETFILTER: 1358 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1359 case NETLINK_DNRTMSG: 1360 return SECCLASS_NETLINK_DNRT_SOCKET; 1361 case NETLINK_KOBJECT_UEVENT: 1362 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1363 case NETLINK_GENERIC: 1364 return SECCLASS_NETLINK_GENERIC_SOCKET; 1365 case NETLINK_SCSITRANSPORT: 1366 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1367 case NETLINK_RDMA: 1368 return SECCLASS_NETLINK_RDMA_SOCKET; 1369 case NETLINK_CRYPTO: 1370 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1371 default: 1372 return SECCLASS_NETLINK_SOCKET; 1373 } 1374 case PF_PACKET: 1375 return SECCLASS_PACKET_SOCKET; 1376 case PF_KEY: 1377 return SECCLASS_KEY_SOCKET; 1378 case PF_APPLETALK: 1379 return SECCLASS_APPLETALK_SOCKET; 1380 } 1381 1382 if (extsockclass) { 1383 switch (family) { 1384 case PF_AX25: 1385 return SECCLASS_AX25_SOCKET; 1386 case PF_IPX: 1387 return SECCLASS_IPX_SOCKET; 1388 case PF_NETROM: 1389 return SECCLASS_NETROM_SOCKET; 1390 case PF_ATMPVC: 1391 return SECCLASS_ATMPVC_SOCKET; 1392 case PF_X25: 1393 return SECCLASS_X25_SOCKET; 1394 case PF_ROSE: 1395 return SECCLASS_ROSE_SOCKET; 1396 case PF_DECnet: 1397 return SECCLASS_DECNET_SOCKET; 1398 case PF_ATMSVC: 1399 return SECCLASS_ATMSVC_SOCKET; 1400 case PF_RDS: 1401 return SECCLASS_RDS_SOCKET; 1402 case PF_IRDA: 1403 return SECCLASS_IRDA_SOCKET; 1404 case PF_PPPOX: 1405 return SECCLASS_PPPOX_SOCKET; 1406 case PF_LLC: 1407 return SECCLASS_LLC_SOCKET; 1408 case PF_CAN: 1409 return SECCLASS_CAN_SOCKET; 1410 case PF_TIPC: 1411 return SECCLASS_TIPC_SOCKET; 1412 case PF_BLUETOOTH: 1413 return SECCLASS_BLUETOOTH_SOCKET; 1414 case PF_IUCV: 1415 return SECCLASS_IUCV_SOCKET; 1416 case PF_RXRPC: 1417 return SECCLASS_RXRPC_SOCKET; 1418 case PF_ISDN: 1419 return SECCLASS_ISDN_SOCKET; 1420 case PF_PHONET: 1421 return SECCLASS_PHONET_SOCKET; 1422 case PF_IEEE802154: 1423 return SECCLASS_IEEE802154_SOCKET; 1424 case PF_CAIF: 1425 return SECCLASS_CAIF_SOCKET; 1426 case PF_ALG: 1427 return SECCLASS_ALG_SOCKET; 1428 case PF_NFC: 1429 return SECCLASS_NFC_SOCKET; 1430 case PF_VSOCK: 1431 return SECCLASS_VSOCK_SOCKET; 1432 case PF_KCM: 1433 return SECCLASS_KCM_SOCKET; 1434 case PF_QIPCRTR: 1435 return SECCLASS_QIPCRTR_SOCKET; 1436 case PF_SMC: 1437 return SECCLASS_SMC_SOCKET; 1438 #if PF_MAX > 44 1439 #error New address family defined, please update this function. 1440 #endif 1441 } 1442 } 1443 1444 return SECCLASS_SOCKET; 1445 } 1446 1447 static int selinux_genfs_get_sid(struct dentry *dentry, 1448 u16 tclass, 1449 u16 flags, 1450 u32 *sid) 1451 { 1452 int rc; 1453 struct super_block *sb = dentry->d_sb; 1454 char *buffer, *path; 1455 1456 buffer = (char *)__get_free_page(GFP_KERNEL); 1457 if (!buffer) 1458 return -ENOMEM; 1459 1460 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1461 if (IS_ERR(path)) 1462 rc = PTR_ERR(path); 1463 else { 1464 if (flags & SE_SBPROC) { 1465 /* each process gets a /proc/PID/ entry. Strip off the 1466 * PID part to get a valid selinux labeling. 1467 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1468 while (path[1] >= '0' && path[1] <= '9') { 1469 path[1] = '/'; 1470 path++; 1471 } 1472 } 1473 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid); 1474 } 1475 free_page((unsigned long)buffer); 1476 return rc; 1477 } 1478 1479 /* The inode's security attributes must be initialized before first use. */ 1480 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1481 { 1482 struct superblock_security_struct *sbsec = NULL; 1483 struct inode_security_struct *isec = inode->i_security; 1484 u32 task_sid, sid = 0; 1485 u16 sclass; 1486 struct dentry *dentry; 1487 #define INITCONTEXTLEN 255 1488 char *context = NULL; 1489 unsigned len = 0; 1490 int rc = 0; 1491 1492 if (isec->initialized == LABEL_INITIALIZED) 1493 return 0; 1494 1495 spin_lock(&isec->lock); 1496 if (isec->initialized == LABEL_INITIALIZED) 1497 goto out_unlock; 1498 1499 if (isec->sclass == SECCLASS_FILE) 1500 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1501 1502 sbsec = inode->i_sb->s_security; 1503 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1504 /* Defer initialization until selinux_complete_init, 1505 after the initial policy is loaded and the security 1506 server is ready to handle calls. */ 1507 spin_lock(&sbsec->isec_lock); 1508 if (list_empty(&isec->list)) 1509 list_add(&isec->list, &sbsec->isec_head); 1510 spin_unlock(&sbsec->isec_lock); 1511 goto out_unlock; 1512 } 1513 1514 sclass = isec->sclass; 1515 task_sid = isec->task_sid; 1516 sid = isec->sid; 1517 isec->initialized = LABEL_PENDING; 1518 spin_unlock(&isec->lock); 1519 1520 switch (sbsec->behavior) { 1521 case SECURITY_FS_USE_NATIVE: 1522 break; 1523 case SECURITY_FS_USE_XATTR: 1524 if (!(inode->i_opflags & IOP_XATTR)) { 1525 sid = sbsec->def_sid; 1526 break; 1527 } 1528 /* Need a dentry, since the xattr API requires one. 1529 Life would be simpler if we could just pass the inode. */ 1530 if (opt_dentry) { 1531 /* Called from d_instantiate or d_splice_alias. */ 1532 dentry = dget(opt_dentry); 1533 } else { 1534 /* Called from selinux_complete_init, try to find a dentry. */ 1535 dentry = d_find_alias(inode); 1536 } 1537 if (!dentry) { 1538 /* 1539 * this is can be hit on boot when a file is accessed 1540 * before the policy is loaded. When we load policy we 1541 * may find inodes that have no dentry on the 1542 * sbsec->isec_head list. No reason to complain as these 1543 * will get fixed up the next time we go through 1544 * inode_doinit with a dentry, before these inodes could 1545 * be used again by userspace. 1546 */ 1547 goto out; 1548 } 1549 1550 len = INITCONTEXTLEN; 1551 context = kmalloc(len+1, GFP_NOFS); 1552 if (!context) { 1553 rc = -ENOMEM; 1554 dput(dentry); 1555 goto out; 1556 } 1557 context[len] = '\0'; 1558 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1559 if (rc == -ERANGE) { 1560 kfree(context); 1561 1562 /* Need a larger buffer. Query for the right size. */ 1563 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1564 if (rc < 0) { 1565 dput(dentry); 1566 goto out; 1567 } 1568 len = rc; 1569 context = kmalloc(len+1, GFP_NOFS); 1570 if (!context) { 1571 rc = -ENOMEM; 1572 dput(dentry); 1573 goto out; 1574 } 1575 context[len] = '\0'; 1576 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1577 } 1578 dput(dentry); 1579 if (rc < 0) { 1580 if (rc != -ENODATA) { 1581 printk(KERN_WARNING "SELinux: %s: getxattr returned " 1582 "%d for dev=%s ino=%ld\n", __func__, 1583 -rc, inode->i_sb->s_id, inode->i_ino); 1584 kfree(context); 1585 goto out; 1586 } 1587 /* Map ENODATA to the default file SID */ 1588 sid = sbsec->def_sid; 1589 rc = 0; 1590 } else { 1591 rc = security_context_to_sid_default(context, rc, &sid, 1592 sbsec->def_sid, 1593 GFP_NOFS); 1594 if (rc) { 1595 char *dev = inode->i_sb->s_id; 1596 unsigned long ino = inode->i_ino; 1597 1598 if (rc == -EINVAL) { 1599 if (printk_ratelimit()) 1600 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " 1601 "context=%s. This indicates you may need to relabel the inode or the " 1602 "filesystem in question.\n", ino, dev, context); 1603 } else { 1604 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1605 "returned %d for dev=%s ino=%ld\n", 1606 __func__, context, -rc, dev, ino); 1607 } 1608 kfree(context); 1609 /* Leave with the unlabeled SID */ 1610 rc = 0; 1611 break; 1612 } 1613 } 1614 kfree(context); 1615 break; 1616 case SECURITY_FS_USE_TASK: 1617 sid = task_sid; 1618 break; 1619 case SECURITY_FS_USE_TRANS: 1620 /* Default to the fs SID. */ 1621 sid = sbsec->sid; 1622 1623 /* Try to obtain a transition SID. */ 1624 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid); 1625 if (rc) 1626 goto out; 1627 break; 1628 case SECURITY_FS_USE_MNTPOINT: 1629 sid = sbsec->mntpoint_sid; 1630 break; 1631 default: 1632 /* Default to the fs superblock SID. */ 1633 sid = sbsec->sid; 1634 1635 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { 1636 /* We must have a dentry to determine the label on 1637 * procfs inodes */ 1638 if (opt_dentry) 1639 /* Called from d_instantiate or 1640 * d_splice_alias. */ 1641 dentry = dget(opt_dentry); 1642 else 1643 /* Called from selinux_complete_init, try to 1644 * find a dentry. */ 1645 dentry = d_find_alias(inode); 1646 /* 1647 * This can be hit on boot when a file is accessed 1648 * before the policy is loaded. When we load policy we 1649 * may find inodes that have no dentry on the 1650 * sbsec->isec_head list. No reason to complain as 1651 * these will get fixed up the next time we go through 1652 * inode_doinit() with a dentry, before these inodes 1653 * could be used again by userspace. 1654 */ 1655 if (!dentry) 1656 goto out; 1657 rc = selinux_genfs_get_sid(dentry, sclass, 1658 sbsec->flags, &sid); 1659 dput(dentry); 1660 if (rc) 1661 goto out; 1662 } 1663 break; 1664 } 1665 1666 out: 1667 spin_lock(&isec->lock); 1668 if (isec->initialized == LABEL_PENDING) { 1669 if (!sid || rc) { 1670 isec->initialized = LABEL_INVALID; 1671 goto out_unlock; 1672 } 1673 1674 isec->initialized = LABEL_INITIALIZED; 1675 isec->sid = sid; 1676 } 1677 1678 out_unlock: 1679 spin_unlock(&isec->lock); 1680 return rc; 1681 } 1682 1683 /* Convert a Linux signal to an access vector. */ 1684 static inline u32 signal_to_av(int sig) 1685 { 1686 u32 perm = 0; 1687 1688 switch (sig) { 1689 case SIGCHLD: 1690 /* Commonly granted from child to parent. */ 1691 perm = PROCESS__SIGCHLD; 1692 break; 1693 case SIGKILL: 1694 /* Cannot be caught or ignored */ 1695 perm = PROCESS__SIGKILL; 1696 break; 1697 case SIGSTOP: 1698 /* Cannot be caught or ignored */ 1699 perm = PROCESS__SIGSTOP; 1700 break; 1701 default: 1702 /* All other signals. */ 1703 perm = PROCESS__SIGNAL; 1704 break; 1705 } 1706 1707 return perm; 1708 } 1709 1710 #if CAP_LAST_CAP > 63 1711 #error Fix SELinux to handle capabilities > 63. 1712 #endif 1713 1714 /* Check whether a task is allowed to use a capability. */ 1715 static int cred_has_capability(const struct cred *cred, 1716 int cap, int audit, bool initns) 1717 { 1718 struct common_audit_data ad; 1719 struct av_decision avd; 1720 u16 sclass; 1721 u32 sid = cred_sid(cred); 1722 u32 av = CAP_TO_MASK(cap); 1723 int rc; 1724 1725 ad.type = LSM_AUDIT_DATA_CAP; 1726 ad.u.cap = cap; 1727 1728 switch (CAP_TO_INDEX(cap)) { 1729 case 0: 1730 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1731 break; 1732 case 1: 1733 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1734 break; 1735 default: 1736 printk(KERN_ERR 1737 "SELinux: out of range capability %d\n", cap); 1738 BUG(); 1739 return -EINVAL; 1740 } 1741 1742 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1743 if (audit == SECURITY_CAP_AUDIT) { 1744 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); 1745 if (rc2) 1746 return rc2; 1747 } 1748 return rc; 1749 } 1750 1751 /* Check whether a task has a particular permission to an inode. 1752 The 'adp' parameter is optional and allows other audit 1753 data to be passed (e.g. the dentry). */ 1754 static int inode_has_perm(const struct cred *cred, 1755 struct inode *inode, 1756 u32 perms, 1757 struct common_audit_data *adp) 1758 { 1759 struct inode_security_struct *isec; 1760 u32 sid; 1761 1762 validate_creds(cred); 1763 1764 if (unlikely(IS_PRIVATE(inode))) 1765 return 0; 1766 1767 sid = cred_sid(cred); 1768 isec = inode->i_security; 1769 1770 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1771 } 1772 1773 /* Same as inode_has_perm, but pass explicit audit data containing 1774 the dentry to help the auditing code to more easily generate the 1775 pathname if needed. */ 1776 static inline int dentry_has_perm(const struct cred *cred, 1777 struct dentry *dentry, 1778 u32 av) 1779 { 1780 struct inode *inode = d_backing_inode(dentry); 1781 struct common_audit_data ad; 1782 1783 ad.type = LSM_AUDIT_DATA_DENTRY; 1784 ad.u.dentry = dentry; 1785 __inode_security_revalidate(inode, dentry, true); 1786 return inode_has_perm(cred, inode, av, &ad); 1787 } 1788 1789 /* Same as inode_has_perm, but pass explicit audit data containing 1790 the path to help the auditing code to more easily generate the 1791 pathname if needed. */ 1792 static inline int path_has_perm(const struct cred *cred, 1793 const struct path *path, 1794 u32 av) 1795 { 1796 struct inode *inode = d_backing_inode(path->dentry); 1797 struct common_audit_data ad; 1798 1799 ad.type = LSM_AUDIT_DATA_PATH; 1800 ad.u.path = *path; 1801 __inode_security_revalidate(inode, path->dentry, true); 1802 return inode_has_perm(cred, inode, av, &ad); 1803 } 1804 1805 /* Same as path_has_perm, but uses the inode from the file struct. */ 1806 static inline int file_path_has_perm(const struct cred *cred, 1807 struct file *file, 1808 u32 av) 1809 { 1810 struct common_audit_data ad; 1811 1812 ad.type = LSM_AUDIT_DATA_FILE; 1813 ad.u.file = file; 1814 return inode_has_perm(cred, file_inode(file), av, &ad); 1815 } 1816 1817 /* Check whether a task can use an open file descriptor to 1818 access an inode in a given way. Check access to the 1819 descriptor itself, and then use dentry_has_perm to 1820 check a particular permission to the file. 1821 Access to the descriptor is implicitly granted if it 1822 has the same SID as the process. If av is zero, then 1823 access to the file is not checked, e.g. for cases 1824 where only the descriptor is affected like seek. */ 1825 static int file_has_perm(const struct cred *cred, 1826 struct file *file, 1827 u32 av) 1828 { 1829 struct file_security_struct *fsec = file->f_security; 1830 struct inode *inode = file_inode(file); 1831 struct common_audit_data ad; 1832 u32 sid = cred_sid(cred); 1833 int rc; 1834 1835 ad.type = LSM_AUDIT_DATA_FILE; 1836 ad.u.file = file; 1837 1838 if (sid != fsec->sid) { 1839 rc = avc_has_perm(sid, fsec->sid, 1840 SECCLASS_FD, 1841 FD__USE, 1842 &ad); 1843 if (rc) 1844 goto out; 1845 } 1846 1847 /* av is zero if only checking access to the descriptor. */ 1848 rc = 0; 1849 if (av) 1850 rc = inode_has_perm(cred, inode, av, &ad); 1851 1852 out: 1853 return rc; 1854 } 1855 1856 /* 1857 * Determine the label for an inode that might be unioned. 1858 */ 1859 static int 1860 selinux_determine_inode_label(const struct task_security_struct *tsec, 1861 struct inode *dir, 1862 const struct qstr *name, u16 tclass, 1863 u32 *_new_isid) 1864 { 1865 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1866 1867 if ((sbsec->flags & SE_SBINITIALIZED) && 1868 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1869 *_new_isid = sbsec->mntpoint_sid; 1870 } else if ((sbsec->flags & SBLABEL_MNT) && 1871 tsec->create_sid) { 1872 *_new_isid = tsec->create_sid; 1873 } else { 1874 const struct inode_security_struct *dsec = inode_security(dir); 1875 return security_transition_sid(tsec->sid, dsec->sid, tclass, 1876 name, _new_isid); 1877 } 1878 1879 return 0; 1880 } 1881 1882 /* Check whether a task can create a file. */ 1883 static int may_create(struct inode *dir, 1884 struct dentry *dentry, 1885 u16 tclass) 1886 { 1887 const struct task_security_struct *tsec = current_security(); 1888 struct inode_security_struct *dsec; 1889 struct superblock_security_struct *sbsec; 1890 u32 sid, newsid; 1891 struct common_audit_data ad; 1892 int rc; 1893 1894 dsec = inode_security(dir); 1895 sbsec = dir->i_sb->s_security; 1896 1897 sid = tsec->sid; 1898 1899 ad.type = LSM_AUDIT_DATA_DENTRY; 1900 ad.u.dentry = dentry; 1901 1902 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1903 DIR__ADD_NAME | DIR__SEARCH, 1904 &ad); 1905 if (rc) 1906 return rc; 1907 1908 rc = selinux_determine_inode_label(current_security(), dir, 1909 &dentry->d_name, tclass, &newsid); 1910 if (rc) 1911 return rc; 1912 1913 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1914 if (rc) 1915 return rc; 1916 1917 return avc_has_perm(newsid, sbsec->sid, 1918 SECCLASS_FILESYSTEM, 1919 FILESYSTEM__ASSOCIATE, &ad); 1920 } 1921 1922 #define MAY_LINK 0 1923 #define MAY_UNLINK 1 1924 #define MAY_RMDIR 2 1925 1926 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1927 static int may_link(struct inode *dir, 1928 struct dentry *dentry, 1929 int kind) 1930 1931 { 1932 struct inode_security_struct *dsec, *isec; 1933 struct common_audit_data ad; 1934 u32 sid = current_sid(); 1935 u32 av; 1936 int rc; 1937 1938 dsec = inode_security(dir); 1939 isec = backing_inode_security(dentry); 1940 1941 ad.type = LSM_AUDIT_DATA_DENTRY; 1942 ad.u.dentry = dentry; 1943 1944 av = DIR__SEARCH; 1945 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1946 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1947 if (rc) 1948 return rc; 1949 1950 switch (kind) { 1951 case MAY_LINK: 1952 av = FILE__LINK; 1953 break; 1954 case MAY_UNLINK: 1955 av = FILE__UNLINK; 1956 break; 1957 case MAY_RMDIR: 1958 av = DIR__RMDIR; 1959 break; 1960 default: 1961 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", 1962 __func__, kind); 1963 return 0; 1964 } 1965 1966 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1967 return rc; 1968 } 1969 1970 static inline int may_rename(struct inode *old_dir, 1971 struct dentry *old_dentry, 1972 struct inode *new_dir, 1973 struct dentry *new_dentry) 1974 { 1975 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1976 struct common_audit_data ad; 1977 u32 sid = current_sid(); 1978 u32 av; 1979 int old_is_dir, new_is_dir; 1980 int rc; 1981 1982 old_dsec = inode_security(old_dir); 1983 old_isec = backing_inode_security(old_dentry); 1984 old_is_dir = d_is_dir(old_dentry); 1985 new_dsec = inode_security(new_dir); 1986 1987 ad.type = LSM_AUDIT_DATA_DENTRY; 1988 1989 ad.u.dentry = old_dentry; 1990 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1991 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1992 if (rc) 1993 return rc; 1994 rc = avc_has_perm(sid, old_isec->sid, 1995 old_isec->sclass, FILE__RENAME, &ad); 1996 if (rc) 1997 return rc; 1998 if (old_is_dir && new_dir != old_dir) { 1999 rc = avc_has_perm(sid, old_isec->sid, 2000 old_isec->sclass, DIR__REPARENT, &ad); 2001 if (rc) 2002 return rc; 2003 } 2004 2005 ad.u.dentry = new_dentry; 2006 av = DIR__ADD_NAME | DIR__SEARCH; 2007 if (d_is_positive(new_dentry)) 2008 av |= DIR__REMOVE_NAME; 2009 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 2010 if (rc) 2011 return rc; 2012 if (d_is_positive(new_dentry)) { 2013 new_isec = backing_inode_security(new_dentry); 2014 new_is_dir = d_is_dir(new_dentry); 2015 rc = avc_has_perm(sid, new_isec->sid, 2016 new_isec->sclass, 2017 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 2018 if (rc) 2019 return rc; 2020 } 2021 2022 return 0; 2023 } 2024 2025 /* Check whether a task can perform a filesystem operation. */ 2026 static int superblock_has_perm(const struct cred *cred, 2027 struct super_block *sb, 2028 u32 perms, 2029 struct common_audit_data *ad) 2030 { 2031 struct superblock_security_struct *sbsec; 2032 u32 sid = cred_sid(cred); 2033 2034 sbsec = sb->s_security; 2035 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 2036 } 2037 2038 /* Convert a Linux mode and permission mask to an access vector. */ 2039 static inline u32 file_mask_to_av(int mode, int mask) 2040 { 2041 u32 av = 0; 2042 2043 if (!S_ISDIR(mode)) { 2044 if (mask & MAY_EXEC) 2045 av |= FILE__EXECUTE; 2046 if (mask & MAY_READ) 2047 av |= FILE__READ; 2048 2049 if (mask & MAY_APPEND) 2050 av |= FILE__APPEND; 2051 else if (mask & MAY_WRITE) 2052 av |= FILE__WRITE; 2053 2054 } else { 2055 if (mask & MAY_EXEC) 2056 av |= DIR__SEARCH; 2057 if (mask & MAY_WRITE) 2058 av |= DIR__WRITE; 2059 if (mask & MAY_READ) 2060 av |= DIR__READ; 2061 } 2062 2063 return av; 2064 } 2065 2066 /* Convert a Linux file to an access vector. */ 2067 static inline u32 file_to_av(struct file *file) 2068 { 2069 u32 av = 0; 2070 2071 if (file->f_mode & FMODE_READ) 2072 av |= FILE__READ; 2073 if (file->f_mode & FMODE_WRITE) { 2074 if (file->f_flags & O_APPEND) 2075 av |= FILE__APPEND; 2076 else 2077 av |= FILE__WRITE; 2078 } 2079 if (!av) { 2080 /* 2081 * Special file opened with flags 3 for ioctl-only use. 2082 */ 2083 av = FILE__IOCTL; 2084 } 2085 2086 return av; 2087 } 2088 2089 /* 2090 * Convert a file to an access vector and include the correct open 2091 * open permission. 2092 */ 2093 static inline u32 open_file_to_av(struct file *file) 2094 { 2095 u32 av = file_to_av(file); 2096 struct inode *inode = file_inode(file); 2097 2098 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC) 2099 av |= FILE__OPEN; 2100 2101 return av; 2102 } 2103 2104 /* Hook functions begin here. */ 2105 2106 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2107 { 2108 u32 mysid = current_sid(); 2109 u32 mgrsid = task_sid(mgr); 2110 2111 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, 2112 BINDER__SET_CONTEXT_MGR, NULL); 2113 } 2114 2115 static int selinux_binder_transaction(struct task_struct *from, 2116 struct task_struct *to) 2117 { 2118 u32 mysid = current_sid(); 2119 u32 fromsid = task_sid(from); 2120 u32 tosid = task_sid(to); 2121 int rc; 2122 2123 if (mysid != fromsid) { 2124 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2125 BINDER__IMPERSONATE, NULL); 2126 if (rc) 2127 return rc; 2128 } 2129 2130 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2131 NULL); 2132 } 2133 2134 static int selinux_binder_transfer_binder(struct task_struct *from, 2135 struct task_struct *to) 2136 { 2137 u32 fromsid = task_sid(from); 2138 u32 tosid = task_sid(to); 2139 2140 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2141 NULL); 2142 } 2143 2144 static int selinux_binder_transfer_file(struct task_struct *from, 2145 struct task_struct *to, 2146 struct file *file) 2147 { 2148 u32 sid = task_sid(to); 2149 struct file_security_struct *fsec = file->f_security; 2150 struct dentry *dentry = file->f_path.dentry; 2151 struct inode_security_struct *isec; 2152 struct common_audit_data ad; 2153 int rc; 2154 2155 ad.type = LSM_AUDIT_DATA_PATH; 2156 ad.u.path = file->f_path; 2157 2158 if (sid != fsec->sid) { 2159 rc = avc_has_perm(sid, fsec->sid, 2160 SECCLASS_FD, 2161 FD__USE, 2162 &ad); 2163 if (rc) 2164 return rc; 2165 } 2166 2167 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2168 return 0; 2169 2170 isec = backing_inode_security(dentry); 2171 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2172 &ad); 2173 } 2174 2175 static int selinux_ptrace_access_check(struct task_struct *child, 2176 unsigned int mode) 2177 { 2178 u32 sid = current_sid(); 2179 u32 csid = task_sid(child); 2180 2181 if (mode & PTRACE_MODE_READ) 2182 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2183 2184 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2185 } 2186 2187 static int selinux_ptrace_traceme(struct task_struct *parent) 2188 { 2189 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS, 2190 PROCESS__PTRACE, NULL); 2191 } 2192 2193 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2194 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2195 { 2196 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS, 2197 PROCESS__GETCAP, NULL); 2198 } 2199 2200 static int selinux_capset(struct cred *new, const struct cred *old, 2201 const kernel_cap_t *effective, 2202 const kernel_cap_t *inheritable, 2203 const kernel_cap_t *permitted) 2204 { 2205 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2206 PROCESS__SETCAP, NULL); 2207 } 2208 2209 /* 2210 * (This comment used to live with the selinux_task_setuid hook, 2211 * which was removed). 2212 * 2213 * Since setuid only affects the current process, and since the SELinux 2214 * controls are not based on the Linux identity attributes, SELinux does not 2215 * need to control this operation. However, SELinux does control the use of 2216 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2217 */ 2218 2219 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2220 int cap, int audit) 2221 { 2222 return cred_has_capability(cred, cap, audit, ns == &init_user_ns); 2223 } 2224 2225 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2226 { 2227 const struct cred *cred = current_cred(); 2228 int rc = 0; 2229 2230 if (!sb) 2231 return 0; 2232 2233 switch (cmds) { 2234 case Q_SYNC: 2235 case Q_QUOTAON: 2236 case Q_QUOTAOFF: 2237 case Q_SETINFO: 2238 case Q_SETQUOTA: 2239 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2240 break; 2241 case Q_GETFMT: 2242 case Q_GETINFO: 2243 case Q_GETQUOTA: 2244 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2245 break; 2246 default: 2247 rc = 0; /* let the kernel handle invalid cmds */ 2248 break; 2249 } 2250 return rc; 2251 } 2252 2253 static int selinux_quota_on(struct dentry *dentry) 2254 { 2255 const struct cred *cred = current_cred(); 2256 2257 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2258 } 2259 2260 static int selinux_syslog(int type) 2261 { 2262 switch (type) { 2263 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2264 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2265 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2266 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2267 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2268 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2269 /* Set level of messages printed to console */ 2270 case SYSLOG_ACTION_CONSOLE_LEVEL: 2271 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2272 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2273 NULL); 2274 } 2275 /* All other syslog types */ 2276 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2277 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2278 } 2279 2280 /* 2281 * Check that a process has enough memory to allocate a new virtual 2282 * mapping. 0 means there is enough memory for the allocation to 2283 * succeed and -ENOMEM implies there is not. 2284 * 2285 * Do not audit the selinux permission check, as this is applied to all 2286 * processes that allocate mappings. 2287 */ 2288 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2289 { 2290 int rc, cap_sys_admin = 0; 2291 2292 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2293 SECURITY_CAP_NOAUDIT, true); 2294 if (rc == 0) 2295 cap_sys_admin = 1; 2296 2297 return cap_sys_admin; 2298 } 2299 2300 /* binprm security operations */ 2301 2302 static u32 ptrace_parent_sid(void) 2303 { 2304 u32 sid = 0; 2305 struct task_struct *tracer; 2306 2307 rcu_read_lock(); 2308 tracer = ptrace_parent(current); 2309 if (tracer) 2310 sid = task_sid(tracer); 2311 rcu_read_unlock(); 2312 2313 return sid; 2314 } 2315 2316 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2317 const struct task_security_struct *old_tsec, 2318 const struct task_security_struct *new_tsec) 2319 { 2320 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2321 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2322 int rc; 2323 u32 av; 2324 2325 if (!nnp && !nosuid) 2326 return 0; /* neither NNP nor nosuid */ 2327 2328 if (new_tsec->sid == old_tsec->sid) 2329 return 0; /* No change in credentials */ 2330 2331 /* 2332 * If the policy enables the nnp_nosuid_transition policy capability, 2333 * then we permit transitions under NNP or nosuid if the 2334 * policy allows the corresponding permission between 2335 * the old and new contexts. 2336 */ 2337 if (selinux_policycap_nnp_nosuid_transition) { 2338 av = 0; 2339 if (nnp) 2340 av |= PROCESS2__NNP_TRANSITION; 2341 if (nosuid) 2342 av |= PROCESS2__NOSUID_TRANSITION; 2343 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2344 SECCLASS_PROCESS2, av, NULL); 2345 if (!rc) 2346 return 0; 2347 } 2348 2349 /* 2350 * We also permit NNP or nosuid transitions to bounded SIDs, 2351 * i.e. SIDs that are guaranteed to only be allowed a subset 2352 * of the permissions of the current SID. 2353 */ 2354 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); 2355 if (!rc) 2356 return 0; 2357 2358 /* 2359 * On failure, preserve the errno values for NNP vs nosuid. 2360 * NNP: Operation not permitted for caller. 2361 * nosuid: Permission denied to file. 2362 */ 2363 if (nnp) 2364 return -EPERM; 2365 return -EACCES; 2366 } 2367 2368 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2369 { 2370 const struct task_security_struct *old_tsec; 2371 struct task_security_struct *new_tsec; 2372 struct inode_security_struct *isec; 2373 struct common_audit_data ad; 2374 struct inode *inode = file_inode(bprm->file); 2375 int rc; 2376 2377 /* SELinux context only depends on initial program or script and not 2378 * the script interpreter */ 2379 if (bprm->called_set_creds) 2380 return 0; 2381 2382 old_tsec = current_security(); 2383 new_tsec = bprm->cred->security; 2384 isec = inode_security(inode); 2385 2386 /* Default to the current task SID. */ 2387 new_tsec->sid = old_tsec->sid; 2388 new_tsec->osid = old_tsec->sid; 2389 2390 /* Reset fs, key, and sock SIDs on execve. */ 2391 new_tsec->create_sid = 0; 2392 new_tsec->keycreate_sid = 0; 2393 new_tsec->sockcreate_sid = 0; 2394 2395 if (old_tsec->exec_sid) { 2396 new_tsec->sid = old_tsec->exec_sid; 2397 /* Reset exec SID on execve. */ 2398 new_tsec->exec_sid = 0; 2399 2400 /* Fail on NNP or nosuid if not an allowed transition. */ 2401 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2402 if (rc) 2403 return rc; 2404 } else { 2405 /* Check for a default transition on this program. */ 2406 rc = security_transition_sid(old_tsec->sid, isec->sid, 2407 SECCLASS_PROCESS, NULL, 2408 &new_tsec->sid); 2409 if (rc) 2410 return rc; 2411 2412 /* 2413 * Fallback to old SID on NNP or nosuid if not an allowed 2414 * transition. 2415 */ 2416 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2417 if (rc) 2418 new_tsec->sid = old_tsec->sid; 2419 } 2420 2421 ad.type = LSM_AUDIT_DATA_FILE; 2422 ad.u.file = bprm->file; 2423 2424 if (new_tsec->sid == old_tsec->sid) { 2425 rc = avc_has_perm(old_tsec->sid, isec->sid, 2426 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2427 if (rc) 2428 return rc; 2429 } else { 2430 /* Check permissions for the transition. */ 2431 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2432 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2433 if (rc) 2434 return rc; 2435 2436 rc = avc_has_perm(new_tsec->sid, isec->sid, 2437 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2438 if (rc) 2439 return rc; 2440 2441 /* Check for shared state */ 2442 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2443 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2444 SECCLASS_PROCESS, PROCESS__SHARE, 2445 NULL); 2446 if (rc) 2447 return -EPERM; 2448 } 2449 2450 /* Make sure that anyone attempting to ptrace over a task that 2451 * changes its SID has the appropriate permit */ 2452 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2453 u32 ptsid = ptrace_parent_sid(); 2454 if (ptsid != 0) { 2455 rc = avc_has_perm(ptsid, new_tsec->sid, 2456 SECCLASS_PROCESS, 2457 PROCESS__PTRACE, NULL); 2458 if (rc) 2459 return -EPERM; 2460 } 2461 } 2462 2463 /* Clear any possibly unsafe personality bits on exec: */ 2464 bprm->per_clear |= PER_CLEAR_ON_SETID; 2465 2466 /* Enable secure mode for SIDs transitions unless 2467 the noatsecure permission is granted between 2468 the two SIDs, i.e. ahp returns 0. */ 2469 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2470 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2471 NULL); 2472 bprm->secureexec |= !!rc; 2473 } 2474 2475 return 0; 2476 } 2477 2478 static int match_file(const void *p, struct file *file, unsigned fd) 2479 { 2480 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2481 } 2482 2483 /* Derived from fs/exec.c:flush_old_files. */ 2484 static inline void flush_unauthorized_files(const struct cred *cred, 2485 struct files_struct *files) 2486 { 2487 struct file *file, *devnull = NULL; 2488 struct tty_struct *tty; 2489 int drop_tty = 0; 2490 unsigned n; 2491 2492 tty = get_current_tty(); 2493 if (tty) { 2494 spin_lock(&tty->files_lock); 2495 if (!list_empty(&tty->tty_files)) { 2496 struct tty_file_private *file_priv; 2497 2498 /* Revalidate access to controlling tty. 2499 Use file_path_has_perm on the tty path directly 2500 rather than using file_has_perm, as this particular 2501 open file may belong to another process and we are 2502 only interested in the inode-based check here. */ 2503 file_priv = list_first_entry(&tty->tty_files, 2504 struct tty_file_private, list); 2505 file = file_priv->file; 2506 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2507 drop_tty = 1; 2508 } 2509 spin_unlock(&tty->files_lock); 2510 tty_kref_put(tty); 2511 } 2512 /* Reset controlling tty. */ 2513 if (drop_tty) 2514 no_tty(); 2515 2516 /* Revalidate access to inherited open files. */ 2517 n = iterate_fd(files, 0, match_file, cred); 2518 if (!n) /* none found? */ 2519 return; 2520 2521 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2522 if (IS_ERR(devnull)) 2523 devnull = NULL; 2524 /* replace all the matching ones with this */ 2525 do { 2526 replace_fd(n - 1, devnull, 0); 2527 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2528 if (devnull) 2529 fput(devnull); 2530 } 2531 2532 /* 2533 * Prepare a process for imminent new credential changes due to exec 2534 */ 2535 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2536 { 2537 struct task_security_struct *new_tsec; 2538 struct rlimit *rlim, *initrlim; 2539 int rc, i; 2540 2541 new_tsec = bprm->cred->security; 2542 if (new_tsec->sid == new_tsec->osid) 2543 return; 2544 2545 /* Close files for which the new task SID is not authorized. */ 2546 flush_unauthorized_files(bprm->cred, current->files); 2547 2548 /* Always clear parent death signal on SID transitions. */ 2549 current->pdeath_signal = 0; 2550 2551 /* Check whether the new SID can inherit resource limits from the old 2552 * SID. If not, reset all soft limits to the lower of the current 2553 * task's hard limit and the init task's soft limit. 2554 * 2555 * Note that the setting of hard limits (even to lower them) can be 2556 * controlled by the setrlimit check. The inclusion of the init task's 2557 * soft limit into the computation is to avoid resetting soft limits 2558 * higher than the default soft limit for cases where the default is 2559 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2560 */ 2561 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2562 PROCESS__RLIMITINH, NULL); 2563 if (rc) { 2564 /* protect against do_prlimit() */ 2565 task_lock(current); 2566 for (i = 0; i < RLIM_NLIMITS; i++) { 2567 rlim = current->signal->rlim + i; 2568 initrlim = init_task.signal->rlim + i; 2569 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2570 } 2571 task_unlock(current); 2572 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2573 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2574 } 2575 } 2576 2577 /* 2578 * Clean up the process immediately after the installation of new credentials 2579 * due to exec 2580 */ 2581 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2582 { 2583 const struct task_security_struct *tsec = current_security(); 2584 struct itimerval itimer; 2585 u32 osid, sid; 2586 int rc, i; 2587 2588 osid = tsec->osid; 2589 sid = tsec->sid; 2590 2591 if (sid == osid) 2592 return; 2593 2594 /* Check whether the new SID can inherit signal state from the old SID. 2595 * If not, clear itimers to avoid subsequent signal generation and 2596 * flush and unblock signals. 2597 * 2598 * This must occur _after_ the task SID has been updated so that any 2599 * kill done after the flush will be checked against the new SID. 2600 */ 2601 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2602 if (rc) { 2603 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2604 memset(&itimer, 0, sizeof itimer); 2605 for (i = 0; i < 3; i++) 2606 do_setitimer(i, &itimer, NULL); 2607 } 2608 spin_lock_irq(¤t->sighand->siglock); 2609 if (!fatal_signal_pending(current)) { 2610 flush_sigqueue(¤t->pending); 2611 flush_sigqueue(¤t->signal->shared_pending); 2612 flush_signal_handlers(current, 1); 2613 sigemptyset(¤t->blocked); 2614 recalc_sigpending(); 2615 } 2616 spin_unlock_irq(¤t->sighand->siglock); 2617 } 2618 2619 /* Wake up the parent if it is waiting so that it can recheck 2620 * wait permission to the new task SID. */ 2621 read_lock(&tasklist_lock); 2622 __wake_up_parent(current, current->real_parent); 2623 read_unlock(&tasklist_lock); 2624 } 2625 2626 /* superblock security operations */ 2627 2628 static int selinux_sb_alloc_security(struct super_block *sb) 2629 { 2630 return superblock_alloc_security(sb); 2631 } 2632 2633 static void selinux_sb_free_security(struct super_block *sb) 2634 { 2635 superblock_free_security(sb); 2636 } 2637 2638 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2639 { 2640 if (plen > olen) 2641 return 0; 2642 2643 return !memcmp(prefix, option, plen); 2644 } 2645 2646 static inline int selinux_option(char *option, int len) 2647 { 2648 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2649 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2650 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2651 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || 2652 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); 2653 } 2654 2655 static inline void take_option(char **to, char *from, int *first, int len) 2656 { 2657 if (!*first) { 2658 **to = ','; 2659 *to += 1; 2660 } else 2661 *first = 0; 2662 memcpy(*to, from, len); 2663 *to += len; 2664 } 2665 2666 static inline void take_selinux_option(char **to, char *from, int *first, 2667 int len) 2668 { 2669 int current_size = 0; 2670 2671 if (!*first) { 2672 **to = '|'; 2673 *to += 1; 2674 } else 2675 *first = 0; 2676 2677 while (current_size < len) { 2678 if (*from != '"') { 2679 **to = *from; 2680 *to += 1; 2681 } 2682 from += 1; 2683 current_size += 1; 2684 } 2685 } 2686 2687 static int selinux_sb_copy_data(char *orig, char *copy) 2688 { 2689 int fnosec, fsec, rc = 0; 2690 char *in_save, *in_curr, *in_end; 2691 char *sec_curr, *nosec_save, *nosec; 2692 int open_quote = 0; 2693 2694 in_curr = orig; 2695 sec_curr = copy; 2696 2697 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2698 if (!nosec) { 2699 rc = -ENOMEM; 2700 goto out; 2701 } 2702 2703 nosec_save = nosec; 2704 fnosec = fsec = 1; 2705 in_save = in_end = orig; 2706 2707 do { 2708 if (*in_end == '"') 2709 open_quote = !open_quote; 2710 if ((*in_end == ',' && open_quote == 0) || 2711 *in_end == '\0') { 2712 int len = in_end - in_curr; 2713 2714 if (selinux_option(in_curr, len)) 2715 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2716 else 2717 take_option(&nosec, in_curr, &fnosec, len); 2718 2719 in_curr = in_end + 1; 2720 } 2721 } while (*in_end++); 2722 2723 strcpy(in_save, nosec_save); 2724 free_page((unsigned long)nosec_save); 2725 out: 2726 return rc; 2727 } 2728 2729 static int selinux_sb_remount(struct super_block *sb, void *data) 2730 { 2731 int rc, i, *flags; 2732 struct security_mnt_opts opts; 2733 char *secdata, **mount_options; 2734 struct superblock_security_struct *sbsec = sb->s_security; 2735 2736 if (!(sbsec->flags & SE_SBINITIALIZED)) 2737 return 0; 2738 2739 if (!data) 2740 return 0; 2741 2742 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 2743 return 0; 2744 2745 security_init_mnt_opts(&opts); 2746 secdata = alloc_secdata(); 2747 if (!secdata) 2748 return -ENOMEM; 2749 rc = selinux_sb_copy_data(data, secdata); 2750 if (rc) 2751 goto out_free_secdata; 2752 2753 rc = selinux_parse_opts_str(secdata, &opts); 2754 if (rc) 2755 goto out_free_secdata; 2756 2757 mount_options = opts.mnt_opts; 2758 flags = opts.mnt_opts_flags; 2759 2760 for (i = 0; i < opts.num_mnt_opts; i++) { 2761 u32 sid; 2762 2763 if (flags[i] == SBLABEL_MNT) 2764 continue; 2765 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 2766 if (rc) { 2767 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 2768 "(%s) failed for (dev %s, type %s) errno=%d\n", 2769 mount_options[i], sb->s_id, sb->s_type->name, rc); 2770 goto out_free_opts; 2771 } 2772 rc = -EINVAL; 2773 switch (flags[i]) { 2774 case FSCONTEXT_MNT: 2775 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2776 goto out_bad_option; 2777 break; 2778 case CONTEXT_MNT: 2779 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2780 goto out_bad_option; 2781 break; 2782 case ROOTCONTEXT_MNT: { 2783 struct inode_security_struct *root_isec; 2784 root_isec = backing_inode_security(sb->s_root); 2785 2786 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2787 goto out_bad_option; 2788 break; 2789 } 2790 case DEFCONTEXT_MNT: 2791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2792 goto out_bad_option; 2793 break; 2794 default: 2795 goto out_free_opts; 2796 } 2797 } 2798 2799 rc = 0; 2800 out_free_opts: 2801 security_free_mnt_opts(&opts); 2802 out_free_secdata: 2803 free_secdata(secdata); 2804 return rc; 2805 out_bad_option: 2806 printk(KERN_WARNING "SELinux: unable to change security options " 2807 "during remount (dev %s, type=%s)\n", sb->s_id, 2808 sb->s_type->name); 2809 goto out_free_opts; 2810 } 2811 2812 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2813 { 2814 const struct cred *cred = current_cred(); 2815 struct common_audit_data ad; 2816 int rc; 2817 2818 rc = superblock_doinit(sb, data); 2819 if (rc) 2820 return rc; 2821 2822 /* Allow all mounts performed by the kernel */ 2823 if (flags & MS_KERNMOUNT) 2824 return 0; 2825 2826 ad.type = LSM_AUDIT_DATA_DENTRY; 2827 ad.u.dentry = sb->s_root; 2828 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2829 } 2830 2831 static int selinux_sb_statfs(struct dentry *dentry) 2832 { 2833 const struct cred *cred = current_cred(); 2834 struct common_audit_data ad; 2835 2836 ad.type = LSM_AUDIT_DATA_DENTRY; 2837 ad.u.dentry = dentry->d_sb->s_root; 2838 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2839 } 2840 2841 static int selinux_mount(const char *dev_name, 2842 const struct path *path, 2843 const char *type, 2844 unsigned long flags, 2845 void *data) 2846 { 2847 const struct cred *cred = current_cred(); 2848 2849 if (flags & MS_REMOUNT) 2850 return superblock_has_perm(cred, path->dentry->d_sb, 2851 FILESYSTEM__REMOUNT, NULL); 2852 else 2853 return path_has_perm(cred, path, FILE__MOUNTON); 2854 } 2855 2856 static int selinux_umount(struct vfsmount *mnt, int flags) 2857 { 2858 const struct cred *cred = current_cred(); 2859 2860 return superblock_has_perm(cred, mnt->mnt_sb, 2861 FILESYSTEM__UNMOUNT, NULL); 2862 } 2863 2864 /* inode security operations */ 2865 2866 static int selinux_inode_alloc_security(struct inode *inode) 2867 { 2868 return inode_alloc_security(inode); 2869 } 2870 2871 static void selinux_inode_free_security(struct inode *inode) 2872 { 2873 inode_free_security(inode); 2874 } 2875 2876 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2877 const struct qstr *name, void **ctx, 2878 u32 *ctxlen) 2879 { 2880 u32 newsid; 2881 int rc; 2882 2883 rc = selinux_determine_inode_label(current_security(), 2884 d_inode(dentry->d_parent), name, 2885 inode_mode_to_security_class(mode), 2886 &newsid); 2887 if (rc) 2888 return rc; 2889 2890 return security_sid_to_context(newsid, (char **)ctx, ctxlen); 2891 } 2892 2893 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2894 struct qstr *name, 2895 const struct cred *old, 2896 struct cred *new) 2897 { 2898 u32 newsid; 2899 int rc; 2900 struct task_security_struct *tsec; 2901 2902 rc = selinux_determine_inode_label(old->security, 2903 d_inode(dentry->d_parent), name, 2904 inode_mode_to_security_class(mode), 2905 &newsid); 2906 if (rc) 2907 return rc; 2908 2909 tsec = new->security; 2910 tsec->create_sid = newsid; 2911 return 0; 2912 } 2913 2914 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2915 const struct qstr *qstr, 2916 const char **name, 2917 void **value, size_t *len) 2918 { 2919 const struct task_security_struct *tsec = current_security(); 2920 struct superblock_security_struct *sbsec; 2921 u32 newsid, clen; 2922 int rc; 2923 char *context; 2924 2925 sbsec = dir->i_sb->s_security; 2926 2927 newsid = tsec->create_sid; 2928 2929 rc = selinux_determine_inode_label(current_security(), 2930 dir, qstr, 2931 inode_mode_to_security_class(inode->i_mode), 2932 &newsid); 2933 if (rc) 2934 return rc; 2935 2936 /* Possibly defer initialization to selinux_complete_init. */ 2937 if (sbsec->flags & SE_SBINITIALIZED) { 2938 struct inode_security_struct *isec = inode->i_security; 2939 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2940 isec->sid = newsid; 2941 isec->initialized = LABEL_INITIALIZED; 2942 } 2943 2944 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT)) 2945 return -EOPNOTSUPP; 2946 2947 if (name) 2948 *name = XATTR_SELINUX_SUFFIX; 2949 2950 if (value && len) { 2951 rc = security_sid_to_context_force(newsid, &context, &clen); 2952 if (rc) 2953 return rc; 2954 *value = context; 2955 *len = clen; 2956 } 2957 2958 return 0; 2959 } 2960 2961 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 2962 { 2963 return may_create(dir, dentry, SECCLASS_FILE); 2964 } 2965 2966 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2967 { 2968 return may_link(dir, old_dentry, MAY_LINK); 2969 } 2970 2971 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2972 { 2973 return may_link(dir, dentry, MAY_UNLINK); 2974 } 2975 2976 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2977 { 2978 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2979 } 2980 2981 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 2982 { 2983 return may_create(dir, dentry, SECCLASS_DIR); 2984 } 2985 2986 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2987 { 2988 return may_link(dir, dentry, MAY_RMDIR); 2989 } 2990 2991 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 2992 { 2993 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2994 } 2995 2996 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2997 struct inode *new_inode, struct dentry *new_dentry) 2998 { 2999 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3000 } 3001 3002 static int selinux_inode_readlink(struct dentry *dentry) 3003 { 3004 const struct cred *cred = current_cred(); 3005 3006 return dentry_has_perm(cred, dentry, FILE__READ); 3007 } 3008 3009 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3010 bool rcu) 3011 { 3012 const struct cred *cred = current_cred(); 3013 struct common_audit_data ad; 3014 struct inode_security_struct *isec; 3015 u32 sid; 3016 3017 validate_creds(cred); 3018 3019 ad.type = LSM_AUDIT_DATA_DENTRY; 3020 ad.u.dentry = dentry; 3021 sid = cred_sid(cred); 3022 isec = inode_security_rcu(inode, rcu); 3023 if (IS_ERR(isec)) 3024 return PTR_ERR(isec); 3025 3026 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad, 3027 rcu ? MAY_NOT_BLOCK : 0); 3028 } 3029 3030 static noinline int audit_inode_permission(struct inode *inode, 3031 u32 perms, u32 audited, u32 denied, 3032 int result, 3033 unsigned flags) 3034 { 3035 struct common_audit_data ad; 3036 struct inode_security_struct *isec = inode->i_security; 3037 int rc; 3038 3039 ad.type = LSM_AUDIT_DATA_INODE; 3040 ad.u.inode = inode; 3041 3042 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3043 audited, denied, result, &ad, flags); 3044 if (rc) 3045 return rc; 3046 return 0; 3047 } 3048 3049 static int selinux_inode_permission(struct inode *inode, int mask) 3050 { 3051 const struct cred *cred = current_cred(); 3052 u32 perms; 3053 bool from_access; 3054 unsigned flags = mask & MAY_NOT_BLOCK; 3055 struct inode_security_struct *isec; 3056 u32 sid; 3057 struct av_decision avd; 3058 int rc, rc2; 3059 u32 audited, denied; 3060 3061 from_access = mask & MAY_ACCESS; 3062 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3063 3064 /* No permission to check. Existence test. */ 3065 if (!mask) 3066 return 0; 3067 3068 validate_creds(cred); 3069 3070 if (unlikely(IS_PRIVATE(inode))) 3071 return 0; 3072 3073 perms = file_mask_to_av(inode->i_mode, mask); 3074 3075 sid = cred_sid(cred); 3076 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK); 3077 if (IS_ERR(isec)) 3078 return PTR_ERR(isec); 3079 3080 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); 3081 audited = avc_audit_required(perms, &avd, rc, 3082 from_access ? FILE__AUDIT_ACCESS : 0, 3083 &denied); 3084 if (likely(!audited)) 3085 return rc; 3086 3087 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); 3088 if (rc2) 3089 return rc2; 3090 return rc; 3091 } 3092 3093 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3094 { 3095 const struct cred *cred = current_cred(); 3096 struct inode *inode = d_backing_inode(dentry); 3097 unsigned int ia_valid = iattr->ia_valid; 3098 __u32 av = FILE__WRITE; 3099 3100 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3101 if (ia_valid & ATTR_FORCE) { 3102 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3103 ATTR_FORCE); 3104 if (!ia_valid) 3105 return 0; 3106 } 3107 3108 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3109 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3110 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3111 3112 if (selinux_policycap_openperm && 3113 inode->i_sb->s_magic != SOCKFS_MAGIC && 3114 (ia_valid & ATTR_SIZE) && 3115 !(ia_valid & ATTR_FILE)) 3116 av |= FILE__OPEN; 3117 3118 return dentry_has_perm(cred, dentry, av); 3119 } 3120 3121 static int selinux_inode_getattr(const struct path *path) 3122 { 3123 return path_has_perm(current_cred(), path, FILE__GETATTR); 3124 } 3125 3126 static bool has_cap_mac_admin(bool audit) 3127 { 3128 const struct cred *cred = current_cred(); 3129 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT; 3130 3131 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit)) 3132 return false; 3133 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true)) 3134 return false; 3135 return true; 3136 } 3137 3138 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3139 const void *value, size_t size, int flags) 3140 { 3141 struct inode *inode = d_backing_inode(dentry); 3142 struct inode_security_struct *isec; 3143 struct superblock_security_struct *sbsec; 3144 struct common_audit_data ad; 3145 u32 newsid, sid = current_sid(); 3146 int rc = 0; 3147 3148 if (strcmp(name, XATTR_NAME_SELINUX)) { 3149 rc = cap_inode_setxattr(dentry, name, value, size, flags); 3150 if (rc) 3151 return rc; 3152 3153 /* Not an attribute we recognize, so just check the 3154 ordinary setattr permission. */ 3155 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3156 } 3157 3158 sbsec = inode->i_sb->s_security; 3159 if (!(sbsec->flags & SBLABEL_MNT)) 3160 return -EOPNOTSUPP; 3161 3162 if (!inode_owner_or_capable(inode)) 3163 return -EPERM; 3164 3165 ad.type = LSM_AUDIT_DATA_DENTRY; 3166 ad.u.dentry = dentry; 3167 3168 isec = backing_inode_security(dentry); 3169 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3170 FILE__RELABELFROM, &ad); 3171 if (rc) 3172 return rc; 3173 3174 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3175 if (rc == -EINVAL) { 3176 if (!has_cap_mac_admin(true)) { 3177 struct audit_buffer *ab; 3178 size_t audit_size; 3179 const char *str; 3180 3181 /* We strip a nul only if it is at the end, otherwise the 3182 * context contains a nul and we should audit that */ 3183 if (value) { 3184 str = value; 3185 if (str[size - 1] == '\0') 3186 audit_size = size - 1; 3187 else 3188 audit_size = size; 3189 } else { 3190 str = ""; 3191 audit_size = 0; 3192 } 3193 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 3194 audit_log_format(ab, "op=setxattr invalid_context="); 3195 audit_log_n_untrustedstring(ab, value, audit_size); 3196 audit_log_end(ab); 3197 3198 return rc; 3199 } 3200 rc = security_context_to_sid_force(value, size, &newsid); 3201 } 3202 if (rc) 3203 return rc; 3204 3205 rc = avc_has_perm(sid, newsid, isec->sclass, 3206 FILE__RELABELTO, &ad); 3207 if (rc) 3208 return rc; 3209 3210 rc = security_validate_transition(isec->sid, newsid, sid, 3211 isec->sclass); 3212 if (rc) 3213 return rc; 3214 3215 return avc_has_perm(newsid, 3216 sbsec->sid, 3217 SECCLASS_FILESYSTEM, 3218 FILESYSTEM__ASSOCIATE, 3219 &ad); 3220 } 3221 3222 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3223 const void *value, size_t size, 3224 int flags) 3225 { 3226 struct inode *inode = d_backing_inode(dentry); 3227 struct inode_security_struct *isec; 3228 u32 newsid; 3229 int rc; 3230 3231 if (strcmp(name, XATTR_NAME_SELINUX)) { 3232 /* Not an attribute we recognize, so nothing to do. */ 3233 return; 3234 } 3235 3236 rc = security_context_to_sid_force(value, size, &newsid); 3237 if (rc) { 3238 printk(KERN_ERR "SELinux: unable to map context to SID" 3239 "for (%s, %lu), rc=%d\n", 3240 inode->i_sb->s_id, inode->i_ino, -rc); 3241 return; 3242 } 3243 3244 isec = backing_inode_security(dentry); 3245 spin_lock(&isec->lock); 3246 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3247 isec->sid = newsid; 3248 isec->initialized = LABEL_INITIALIZED; 3249 spin_unlock(&isec->lock); 3250 3251 return; 3252 } 3253 3254 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3255 { 3256 const struct cred *cred = current_cred(); 3257 3258 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3259 } 3260 3261 static int selinux_inode_listxattr(struct dentry *dentry) 3262 { 3263 const struct cred *cred = current_cred(); 3264 3265 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3266 } 3267 3268 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3269 { 3270 if (strcmp(name, XATTR_NAME_SELINUX)) { 3271 int rc = cap_inode_removexattr(dentry, name); 3272 if (rc) 3273 return rc; 3274 3275 /* Not an attribute we recognize, so just check the 3276 ordinary setattr permission. */ 3277 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3278 } 3279 3280 /* No one is allowed to remove a SELinux security label. 3281 You can change the label, but all data must be labeled. */ 3282 return -EACCES; 3283 } 3284 3285 /* 3286 * Copy the inode security context value to the user. 3287 * 3288 * Permission check is handled by selinux_inode_getxattr hook. 3289 */ 3290 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3291 { 3292 u32 size; 3293 int error; 3294 char *context = NULL; 3295 struct inode_security_struct *isec; 3296 3297 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3298 return -EOPNOTSUPP; 3299 3300 /* 3301 * If the caller has CAP_MAC_ADMIN, then get the raw context 3302 * value even if it is not defined by current policy; otherwise, 3303 * use the in-core value under current policy. 3304 * Use the non-auditing forms of the permission checks since 3305 * getxattr may be called by unprivileged processes commonly 3306 * and lack of permission just means that we fall back to the 3307 * in-core context value, not a denial. 3308 */ 3309 isec = inode_security(inode); 3310 if (has_cap_mac_admin(false)) 3311 error = security_sid_to_context_force(isec->sid, &context, 3312 &size); 3313 else 3314 error = security_sid_to_context(isec->sid, &context, &size); 3315 if (error) 3316 return error; 3317 error = size; 3318 if (alloc) { 3319 *buffer = context; 3320 goto out_nofree; 3321 } 3322 kfree(context); 3323 out_nofree: 3324 return error; 3325 } 3326 3327 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3328 const void *value, size_t size, int flags) 3329 { 3330 struct inode_security_struct *isec = inode_security_novalidate(inode); 3331 u32 newsid; 3332 int rc; 3333 3334 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3335 return -EOPNOTSUPP; 3336 3337 if (!value || !size) 3338 return -EACCES; 3339 3340 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3341 if (rc) 3342 return rc; 3343 3344 spin_lock(&isec->lock); 3345 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3346 isec->sid = newsid; 3347 isec->initialized = LABEL_INITIALIZED; 3348 spin_unlock(&isec->lock); 3349 return 0; 3350 } 3351 3352 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3353 { 3354 const int len = sizeof(XATTR_NAME_SELINUX); 3355 if (buffer && len <= buffer_size) 3356 memcpy(buffer, XATTR_NAME_SELINUX, len); 3357 return len; 3358 } 3359 3360 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3361 { 3362 struct inode_security_struct *isec = inode_security_novalidate(inode); 3363 *secid = isec->sid; 3364 } 3365 3366 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3367 { 3368 u32 sid; 3369 struct task_security_struct *tsec; 3370 struct cred *new_creds = *new; 3371 3372 if (new_creds == NULL) { 3373 new_creds = prepare_creds(); 3374 if (!new_creds) 3375 return -ENOMEM; 3376 } 3377 3378 tsec = new_creds->security; 3379 /* Get label from overlay inode and set it in create_sid */ 3380 selinux_inode_getsecid(d_inode(src), &sid); 3381 tsec->create_sid = sid; 3382 *new = new_creds; 3383 return 0; 3384 } 3385 3386 static int selinux_inode_copy_up_xattr(const char *name) 3387 { 3388 /* The copy_up hook above sets the initial context on an inode, but we 3389 * don't then want to overwrite it by blindly copying all the lower 3390 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3391 */ 3392 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3393 return 1; /* Discard */ 3394 /* 3395 * Any other attribute apart from SELINUX is not claimed, supported 3396 * by selinux. 3397 */ 3398 return -EOPNOTSUPP; 3399 } 3400 3401 /* file security operations */ 3402 3403 static int selinux_revalidate_file_permission(struct file *file, int mask) 3404 { 3405 const struct cred *cred = current_cred(); 3406 struct inode *inode = file_inode(file); 3407 3408 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3409 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3410 mask |= MAY_APPEND; 3411 3412 return file_has_perm(cred, file, 3413 file_mask_to_av(inode->i_mode, mask)); 3414 } 3415 3416 static int selinux_file_permission(struct file *file, int mask) 3417 { 3418 struct inode *inode = file_inode(file); 3419 struct file_security_struct *fsec = file->f_security; 3420 struct inode_security_struct *isec; 3421 u32 sid = current_sid(); 3422 3423 if (!mask) 3424 /* No permission to check. Existence test. */ 3425 return 0; 3426 3427 isec = inode_security(inode); 3428 if (sid == fsec->sid && fsec->isid == isec->sid && 3429 fsec->pseqno == avc_policy_seqno()) 3430 /* No change since file_open check. */ 3431 return 0; 3432 3433 return selinux_revalidate_file_permission(file, mask); 3434 } 3435 3436 static int selinux_file_alloc_security(struct file *file) 3437 { 3438 return file_alloc_security(file); 3439 } 3440 3441 static void selinux_file_free_security(struct file *file) 3442 { 3443 file_free_security(file); 3444 } 3445 3446 /* 3447 * Check whether a task has the ioctl permission and cmd 3448 * operation to an inode. 3449 */ 3450 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3451 u32 requested, u16 cmd) 3452 { 3453 struct common_audit_data ad; 3454 struct file_security_struct *fsec = file->f_security; 3455 struct inode *inode = file_inode(file); 3456 struct inode_security_struct *isec; 3457 struct lsm_ioctlop_audit ioctl; 3458 u32 ssid = cred_sid(cred); 3459 int rc; 3460 u8 driver = cmd >> 8; 3461 u8 xperm = cmd & 0xff; 3462 3463 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3464 ad.u.op = &ioctl; 3465 ad.u.op->cmd = cmd; 3466 ad.u.op->path = file->f_path; 3467 3468 if (ssid != fsec->sid) { 3469 rc = avc_has_perm(ssid, fsec->sid, 3470 SECCLASS_FD, 3471 FD__USE, 3472 &ad); 3473 if (rc) 3474 goto out; 3475 } 3476 3477 if (unlikely(IS_PRIVATE(inode))) 3478 return 0; 3479 3480 isec = inode_security(inode); 3481 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, 3482 requested, driver, xperm, &ad); 3483 out: 3484 return rc; 3485 } 3486 3487 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3488 unsigned long arg) 3489 { 3490 const struct cred *cred = current_cred(); 3491 int error = 0; 3492 3493 switch (cmd) { 3494 case FIONREAD: 3495 /* fall through */ 3496 case FIBMAP: 3497 /* fall through */ 3498 case FIGETBSZ: 3499 /* fall through */ 3500 case FS_IOC_GETFLAGS: 3501 /* fall through */ 3502 case FS_IOC_GETVERSION: 3503 error = file_has_perm(cred, file, FILE__GETATTR); 3504 break; 3505 3506 case FS_IOC_SETFLAGS: 3507 /* fall through */ 3508 case FS_IOC_SETVERSION: 3509 error = file_has_perm(cred, file, FILE__SETATTR); 3510 break; 3511 3512 /* sys_ioctl() checks */ 3513 case FIONBIO: 3514 /* fall through */ 3515 case FIOASYNC: 3516 error = file_has_perm(cred, file, 0); 3517 break; 3518 3519 case KDSKBENT: 3520 case KDSKBSENT: 3521 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3522 SECURITY_CAP_AUDIT, true); 3523 break; 3524 3525 /* default case assumes that the command will go 3526 * to the file's ioctl() function. 3527 */ 3528 default: 3529 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3530 } 3531 return error; 3532 } 3533 3534 static int default_noexec; 3535 3536 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3537 { 3538 const struct cred *cred = current_cred(); 3539 u32 sid = cred_sid(cred); 3540 int rc = 0; 3541 3542 if (default_noexec && 3543 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3544 (!shared && (prot & PROT_WRITE)))) { 3545 /* 3546 * We are making executable an anonymous mapping or a 3547 * private file mapping that will also be writable. 3548 * This has an additional check. 3549 */ 3550 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3551 PROCESS__EXECMEM, NULL); 3552 if (rc) 3553 goto error; 3554 } 3555 3556 if (file) { 3557 /* read access is always possible with a mapping */ 3558 u32 av = FILE__READ; 3559 3560 /* write access only matters if the mapping is shared */ 3561 if (shared && (prot & PROT_WRITE)) 3562 av |= FILE__WRITE; 3563 3564 if (prot & PROT_EXEC) 3565 av |= FILE__EXECUTE; 3566 3567 return file_has_perm(cred, file, av); 3568 } 3569 3570 error: 3571 return rc; 3572 } 3573 3574 static int selinux_mmap_addr(unsigned long addr) 3575 { 3576 int rc = 0; 3577 3578 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3579 u32 sid = current_sid(); 3580 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3581 MEMPROTECT__MMAP_ZERO, NULL); 3582 } 3583 3584 return rc; 3585 } 3586 3587 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3588 unsigned long prot, unsigned long flags) 3589 { 3590 struct common_audit_data ad; 3591 int rc; 3592 3593 if (file) { 3594 ad.type = LSM_AUDIT_DATA_FILE; 3595 ad.u.file = file; 3596 rc = inode_has_perm(current_cred(), file_inode(file), 3597 FILE__MAP, &ad); 3598 if (rc) 3599 return rc; 3600 } 3601 3602 if (selinux_checkreqprot) 3603 prot = reqprot; 3604 3605 return file_map_prot_check(file, prot, 3606 (flags & MAP_TYPE) == MAP_SHARED); 3607 } 3608 3609 static int selinux_file_mprotect(struct vm_area_struct *vma, 3610 unsigned long reqprot, 3611 unsigned long prot) 3612 { 3613 const struct cred *cred = current_cred(); 3614 u32 sid = cred_sid(cred); 3615 3616 if (selinux_checkreqprot) 3617 prot = reqprot; 3618 3619 if (default_noexec && 3620 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3621 int rc = 0; 3622 if (vma->vm_start >= vma->vm_mm->start_brk && 3623 vma->vm_end <= vma->vm_mm->brk) { 3624 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3625 PROCESS__EXECHEAP, NULL); 3626 } else if (!vma->vm_file && 3627 ((vma->vm_start <= vma->vm_mm->start_stack && 3628 vma->vm_end >= vma->vm_mm->start_stack) || 3629 vma_is_stack_for_current(vma))) { 3630 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3631 PROCESS__EXECSTACK, NULL); 3632 } else if (vma->vm_file && vma->anon_vma) { 3633 /* 3634 * We are making executable a file mapping that has 3635 * had some COW done. Since pages might have been 3636 * written, check ability to execute the possibly 3637 * modified content. This typically should only 3638 * occur for text relocations. 3639 */ 3640 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3641 } 3642 if (rc) 3643 return rc; 3644 } 3645 3646 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3647 } 3648 3649 static int selinux_file_lock(struct file *file, unsigned int cmd) 3650 { 3651 const struct cred *cred = current_cred(); 3652 3653 return file_has_perm(cred, file, FILE__LOCK); 3654 } 3655 3656 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3657 unsigned long arg) 3658 { 3659 const struct cred *cred = current_cred(); 3660 int err = 0; 3661 3662 switch (cmd) { 3663 case F_SETFL: 3664 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3665 err = file_has_perm(cred, file, FILE__WRITE); 3666 break; 3667 } 3668 /* fall through */ 3669 case F_SETOWN: 3670 case F_SETSIG: 3671 case F_GETFL: 3672 case F_GETOWN: 3673 case F_GETSIG: 3674 case F_GETOWNER_UIDS: 3675 /* Just check FD__USE permission */ 3676 err = file_has_perm(cred, file, 0); 3677 break; 3678 case F_GETLK: 3679 case F_SETLK: 3680 case F_SETLKW: 3681 case F_OFD_GETLK: 3682 case F_OFD_SETLK: 3683 case F_OFD_SETLKW: 3684 #if BITS_PER_LONG == 32 3685 case F_GETLK64: 3686 case F_SETLK64: 3687 case F_SETLKW64: 3688 #endif 3689 err = file_has_perm(cred, file, FILE__LOCK); 3690 break; 3691 } 3692 3693 return err; 3694 } 3695 3696 static void selinux_file_set_fowner(struct file *file) 3697 { 3698 struct file_security_struct *fsec; 3699 3700 fsec = file->f_security; 3701 fsec->fown_sid = current_sid(); 3702 } 3703 3704 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3705 struct fown_struct *fown, int signum) 3706 { 3707 struct file *file; 3708 u32 sid = task_sid(tsk); 3709 u32 perm; 3710 struct file_security_struct *fsec; 3711 3712 /* struct fown_struct is never outside the context of a struct file */ 3713 file = container_of(fown, struct file, f_owner); 3714 3715 fsec = file->f_security; 3716 3717 if (!signum) 3718 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3719 else 3720 perm = signal_to_av(signum); 3721 3722 return avc_has_perm(fsec->fown_sid, sid, 3723 SECCLASS_PROCESS, perm, NULL); 3724 } 3725 3726 static int selinux_file_receive(struct file *file) 3727 { 3728 const struct cred *cred = current_cred(); 3729 3730 return file_has_perm(cred, file, file_to_av(file)); 3731 } 3732 3733 static int selinux_file_open(struct file *file, const struct cred *cred) 3734 { 3735 struct file_security_struct *fsec; 3736 struct inode_security_struct *isec; 3737 3738 fsec = file->f_security; 3739 isec = inode_security(file_inode(file)); 3740 /* 3741 * Save inode label and policy sequence number 3742 * at open-time so that selinux_file_permission 3743 * can determine whether revalidation is necessary. 3744 * Task label is already saved in the file security 3745 * struct as its SID. 3746 */ 3747 fsec->isid = isec->sid; 3748 fsec->pseqno = avc_policy_seqno(); 3749 /* 3750 * Since the inode label or policy seqno may have changed 3751 * between the selinux_inode_permission check and the saving 3752 * of state above, recheck that access is still permitted. 3753 * Otherwise, access might never be revalidated against the 3754 * new inode label or new policy. 3755 * This check is not redundant - do not remove. 3756 */ 3757 return file_path_has_perm(cred, file, open_file_to_av(file)); 3758 } 3759 3760 /* task security operations */ 3761 3762 static int selinux_task_alloc(struct task_struct *task, 3763 unsigned long clone_flags) 3764 { 3765 u32 sid = current_sid(); 3766 3767 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3768 } 3769 3770 /* 3771 * allocate the SELinux part of blank credentials 3772 */ 3773 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3774 { 3775 struct task_security_struct *tsec; 3776 3777 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3778 if (!tsec) 3779 return -ENOMEM; 3780 3781 cred->security = tsec; 3782 return 0; 3783 } 3784 3785 /* 3786 * detach and free the LSM part of a set of credentials 3787 */ 3788 static void selinux_cred_free(struct cred *cred) 3789 { 3790 struct task_security_struct *tsec = cred->security; 3791 3792 /* 3793 * cred->security == NULL if security_cred_alloc_blank() or 3794 * security_prepare_creds() returned an error. 3795 */ 3796 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); 3797 cred->security = (void *) 0x7UL; 3798 kfree(tsec); 3799 } 3800 3801 /* 3802 * prepare a new set of credentials for modification 3803 */ 3804 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3805 gfp_t gfp) 3806 { 3807 const struct task_security_struct *old_tsec; 3808 struct task_security_struct *tsec; 3809 3810 old_tsec = old->security; 3811 3812 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3813 if (!tsec) 3814 return -ENOMEM; 3815 3816 new->security = tsec; 3817 return 0; 3818 } 3819 3820 /* 3821 * transfer the SELinux data to a blank set of creds 3822 */ 3823 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3824 { 3825 const struct task_security_struct *old_tsec = old->security; 3826 struct task_security_struct *tsec = new->security; 3827 3828 *tsec = *old_tsec; 3829 } 3830 3831 /* 3832 * set the security data for a kernel service 3833 * - all the creation contexts are set to unlabelled 3834 */ 3835 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3836 { 3837 struct task_security_struct *tsec = new->security; 3838 u32 sid = current_sid(); 3839 int ret; 3840 3841 ret = avc_has_perm(sid, secid, 3842 SECCLASS_KERNEL_SERVICE, 3843 KERNEL_SERVICE__USE_AS_OVERRIDE, 3844 NULL); 3845 if (ret == 0) { 3846 tsec->sid = secid; 3847 tsec->create_sid = 0; 3848 tsec->keycreate_sid = 0; 3849 tsec->sockcreate_sid = 0; 3850 } 3851 return ret; 3852 } 3853 3854 /* 3855 * set the file creation context in a security record to the same as the 3856 * objective context of the specified inode 3857 */ 3858 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3859 { 3860 struct inode_security_struct *isec = inode_security(inode); 3861 struct task_security_struct *tsec = new->security; 3862 u32 sid = current_sid(); 3863 int ret; 3864 3865 ret = avc_has_perm(sid, isec->sid, 3866 SECCLASS_KERNEL_SERVICE, 3867 KERNEL_SERVICE__CREATE_FILES_AS, 3868 NULL); 3869 3870 if (ret == 0) 3871 tsec->create_sid = isec->sid; 3872 return ret; 3873 } 3874 3875 static int selinux_kernel_module_request(char *kmod_name) 3876 { 3877 struct common_audit_data ad; 3878 3879 ad.type = LSM_AUDIT_DATA_KMOD; 3880 ad.u.kmod_name = kmod_name; 3881 3882 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 3883 SYSTEM__MODULE_REQUEST, &ad); 3884 } 3885 3886 static int selinux_kernel_module_from_file(struct file *file) 3887 { 3888 struct common_audit_data ad; 3889 struct inode_security_struct *isec; 3890 struct file_security_struct *fsec; 3891 u32 sid = current_sid(); 3892 int rc; 3893 3894 /* init_module */ 3895 if (file == NULL) 3896 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, 3897 SYSTEM__MODULE_LOAD, NULL); 3898 3899 /* finit_module */ 3900 3901 ad.type = LSM_AUDIT_DATA_FILE; 3902 ad.u.file = file; 3903 3904 fsec = file->f_security; 3905 if (sid != fsec->sid) { 3906 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 3907 if (rc) 3908 return rc; 3909 } 3910 3911 isec = inode_security(file_inode(file)); 3912 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, 3913 SYSTEM__MODULE_LOAD, &ad); 3914 } 3915 3916 static int selinux_kernel_read_file(struct file *file, 3917 enum kernel_read_file_id id) 3918 { 3919 int rc = 0; 3920 3921 switch (id) { 3922 case READING_MODULE: 3923 rc = selinux_kernel_module_from_file(file); 3924 break; 3925 default: 3926 break; 3927 } 3928 3929 return rc; 3930 } 3931 3932 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3933 { 3934 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3935 PROCESS__SETPGID, NULL); 3936 } 3937 3938 static int selinux_task_getpgid(struct task_struct *p) 3939 { 3940 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3941 PROCESS__GETPGID, NULL); 3942 } 3943 3944 static int selinux_task_getsid(struct task_struct *p) 3945 { 3946 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3947 PROCESS__GETSESSION, NULL); 3948 } 3949 3950 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3951 { 3952 *secid = task_sid(p); 3953 } 3954 3955 static int selinux_task_setnice(struct task_struct *p, int nice) 3956 { 3957 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3958 PROCESS__SETSCHED, NULL); 3959 } 3960 3961 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3962 { 3963 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3964 PROCESS__SETSCHED, NULL); 3965 } 3966 3967 static int selinux_task_getioprio(struct task_struct *p) 3968 { 3969 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3970 PROCESS__GETSCHED, NULL); 3971 } 3972 3973 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 3974 unsigned int flags) 3975 { 3976 u32 av = 0; 3977 3978 if (!flags) 3979 return 0; 3980 if (flags & LSM_PRLIMIT_WRITE) 3981 av |= PROCESS__SETRLIMIT; 3982 if (flags & LSM_PRLIMIT_READ) 3983 av |= PROCESS__GETRLIMIT; 3984 return avc_has_perm(cred_sid(cred), cred_sid(tcred), 3985 SECCLASS_PROCESS, av, NULL); 3986 } 3987 3988 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 3989 struct rlimit *new_rlim) 3990 { 3991 struct rlimit *old_rlim = p->signal->rlim + resource; 3992 3993 /* Control the ability to change the hard limit (whether 3994 lowering or raising it), so that the hard limit can 3995 later be used as a safe reset point for the soft limit 3996 upon context transitions. See selinux_bprm_committing_creds. */ 3997 if (old_rlim->rlim_max != new_rlim->rlim_max) 3998 return avc_has_perm(current_sid(), task_sid(p), 3999 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4000 4001 return 0; 4002 } 4003 4004 static int selinux_task_setscheduler(struct task_struct *p) 4005 { 4006 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4007 PROCESS__SETSCHED, NULL); 4008 } 4009 4010 static int selinux_task_getscheduler(struct task_struct *p) 4011 { 4012 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4013 PROCESS__GETSCHED, NULL); 4014 } 4015 4016 static int selinux_task_movememory(struct task_struct *p) 4017 { 4018 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4019 PROCESS__SETSCHED, NULL); 4020 } 4021 4022 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 4023 int sig, u32 secid) 4024 { 4025 u32 perm; 4026 4027 if (!sig) 4028 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4029 else 4030 perm = signal_to_av(sig); 4031 if (!secid) 4032 secid = current_sid(); 4033 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4034 } 4035 4036 static void selinux_task_to_inode(struct task_struct *p, 4037 struct inode *inode) 4038 { 4039 struct inode_security_struct *isec = inode->i_security; 4040 u32 sid = task_sid(p); 4041 4042 spin_lock(&isec->lock); 4043 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4044 isec->sid = sid; 4045 isec->initialized = LABEL_INITIALIZED; 4046 spin_unlock(&isec->lock); 4047 } 4048 4049 /* Returns error only if unable to parse addresses */ 4050 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4051 struct common_audit_data *ad, u8 *proto) 4052 { 4053 int offset, ihlen, ret = -EINVAL; 4054 struct iphdr _iph, *ih; 4055 4056 offset = skb_network_offset(skb); 4057 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4058 if (ih == NULL) 4059 goto out; 4060 4061 ihlen = ih->ihl * 4; 4062 if (ihlen < sizeof(_iph)) 4063 goto out; 4064 4065 ad->u.net->v4info.saddr = ih->saddr; 4066 ad->u.net->v4info.daddr = ih->daddr; 4067 ret = 0; 4068 4069 if (proto) 4070 *proto = ih->protocol; 4071 4072 switch (ih->protocol) { 4073 case IPPROTO_TCP: { 4074 struct tcphdr _tcph, *th; 4075 4076 if (ntohs(ih->frag_off) & IP_OFFSET) 4077 break; 4078 4079 offset += ihlen; 4080 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4081 if (th == NULL) 4082 break; 4083 4084 ad->u.net->sport = th->source; 4085 ad->u.net->dport = th->dest; 4086 break; 4087 } 4088 4089 case IPPROTO_UDP: { 4090 struct udphdr _udph, *uh; 4091 4092 if (ntohs(ih->frag_off) & IP_OFFSET) 4093 break; 4094 4095 offset += ihlen; 4096 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4097 if (uh == NULL) 4098 break; 4099 4100 ad->u.net->sport = uh->source; 4101 ad->u.net->dport = uh->dest; 4102 break; 4103 } 4104 4105 case IPPROTO_DCCP: { 4106 struct dccp_hdr _dccph, *dh; 4107 4108 if (ntohs(ih->frag_off) & IP_OFFSET) 4109 break; 4110 4111 offset += ihlen; 4112 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4113 if (dh == NULL) 4114 break; 4115 4116 ad->u.net->sport = dh->dccph_sport; 4117 ad->u.net->dport = dh->dccph_dport; 4118 break; 4119 } 4120 4121 default: 4122 break; 4123 } 4124 out: 4125 return ret; 4126 } 4127 4128 #if IS_ENABLED(CONFIG_IPV6) 4129 4130 /* Returns error only if unable to parse addresses */ 4131 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4132 struct common_audit_data *ad, u8 *proto) 4133 { 4134 u8 nexthdr; 4135 int ret = -EINVAL, offset; 4136 struct ipv6hdr _ipv6h, *ip6; 4137 __be16 frag_off; 4138 4139 offset = skb_network_offset(skb); 4140 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4141 if (ip6 == NULL) 4142 goto out; 4143 4144 ad->u.net->v6info.saddr = ip6->saddr; 4145 ad->u.net->v6info.daddr = ip6->daddr; 4146 ret = 0; 4147 4148 nexthdr = ip6->nexthdr; 4149 offset += sizeof(_ipv6h); 4150 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4151 if (offset < 0) 4152 goto out; 4153 4154 if (proto) 4155 *proto = nexthdr; 4156 4157 switch (nexthdr) { 4158 case IPPROTO_TCP: { 4159 struct tcphdr _tcph, *th; 4160 4161 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4162 if (th == NULL) 4163 break; 4164 4165 ad->u.net->sport = th->source; 4166 ad->u.net->dport = th->dest; 4167 break; 4168 } 4169 4170 case IPPROTO_UDP: { 4171 struct udphdr _udph, *uh; 4172 4173 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4174 if (uh == NULL) 4175 break; 4176 4177 ad->u.net->sport = uh->source; 4178 ad->u.net->dport = uh->dest; 4179 break; 4180 } 4181 4182 case IPPROTO_DCCP: { 4183 struct dccp_hdr _dccph, *dh; 4184 4185 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4186 if (dh == NULL) 4187 break; 4188 4189 ad->u.net->sport = dh->dccph_sport; 4190 ad->u.net->dport = dh->dccph_dport; 4191 break; 4192 } 4193 4194 /* includes fragments */ 4195 default: 4196 break; 4197 } 4198 out: 4199 return ret; 4200 } 4201 4202 #endif /* IPV6 */ 4203 4204 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4205 char **_addrp, int src, u8 *proto) 4206 { 4207 char *addrp; 4208 int ret; 4209 4210 switch (ad->u.net->family) { 4211 case PF_INET: 4212 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4213 if (ret) 4214 goto parse_error; 4215 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4216 &ad->u.net->v4info.daddr); 4217 goto okay; 4218 4219 #if IS_ENABLED(CONFIG_IPV6) 4220 case PF_INET6: 4221 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4222 if (ret) 4223 goto parse_error; 4224 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4225 &ad->u.net->v6info.daddr); 4226 goto okay; 4227 #endif /* IPV6 */ 4228 default: 4229 addrp = NULL; 4230 goto okay; 4231 } 4232 4233 parse_error: 4234 printk(KERN_WARNING 4235 "SELinux: failure in selinux_parse_skb()," 4236 " unable to parse packet\n"); 4237 return ret; 4238 4239 okay: 4240 if (_addrp) 4241 *_addrp = addrp; 4242 return 0; 4243 } 4244 4245 /** 4246 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4247 * @skb: the packet 4248 * @family: protocol family 4249 * @sid: the packet's peer label SID 4250 * 4251 * Description: 4252 * Check the various different forms of network peer labeling and determine 4253 * the peer label/SID for the packet; most of the magic actually occurs in 4254 * the security server function security_net_peersid_cmp(). The function 4255 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4256 * or -EACCES if @sid is invalid due to inconsistencies with the different 4257 * peer labels. 4258 * 4259 */ 4260 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4261 { 4262 int err; 4263 u32 xfrm_sid; 4264 u32 nlbl_sid; 4265 u32 nlbl_type; 4266 4267 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4268 if (unlikely(err)) 4269 return -EACCES; 4270 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4271 if (unlikely(err)) 4272 return -EACCES; 4273 4274 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 4275 if (unlikely(err)) { 4276 printk(KERN_WARNING 4277 "SELinux: failure in selinux_skb_peerlbl_sid()," 4278 " unable to determine packet's peer label\n"); 4279 return -EACCES; 4280 } 4281 4282 return 0; 4283 } 4284 4285 /** 4286 * selinux_conn_sid - Determine the child socket label for a connection 4287 * @sk_sid: the parent socket's SID 4288 * @skb_sid: the packet's SID 4289 * @conn_sid: the resulting connection SID 4290 * 4291 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4292 * combined with the MLS information from @skb_sid in order to create 4293 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy 4294 * of @sk_sid. Returns zero on success, negative values on failure. 4295 * 4296 */ 4297 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4298 { 4299 int err = 0; 4300 4301 if (skb_sid != SECSID_NULL) 4302 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid); 4303 else 4304 *conn_sid = sk_sid; 4305 4306 return err; 4307 } 4308 4309 /* socket security operations */ 4310 4311 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4312 u16 secclass, u32 *socksid) 4313 { 4314 if (tsec->sockcreate_sid > SECSID_NULL) { 4315 *socksid = tsec->sockcreate_sid; 4316 return 0; 4317 } 4318 4319 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, 4320 socksid); 4321 } 4322 4323 static int sock_has_perm(struct sock *sk, u32 perms) 4324 { 4325 struct sk_security_struct *sksec = sk->sk_security; 4326 struct common_audit_data ad; 4327 struct lsm_network_audit net = {0,}; 4328 4329 if (sksec->sid == SECINITSID_KERNEL) 4330 return 0; 4331 4332 ad.type = LSM_AUDIT_DATA_NET; 4333 ad.u.net = &net; 4334 ad.u.net->sk = sk; 4335 4336 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4337 &ad); 4338 } 4339 4340 static int selinux_socket_create(int family, int type, 4341 int protocol, int kern) 4342 { 4343 const struct task_security_struct *tsec = current_security(); 4344 u32 newsid; 4345 u16 secclass; 4346 int rc; 4347 4348 if (kern) 4349 return 0; 4350 4351 secclass = socket_type_to_security_class(family, type, protocol); 4352 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4353 if (rc) 4354 return rc; 4355 4356 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4357 } 4358 4359 static int selinux_socket_post_create(struct socket *sock, int family, 4360 int type, int protocol, int kern) 4361 { 4362 const struct task_security_struct *tsec = current_security(); 4363 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4364 struct sk_security_struct *sksec; 4365 u16 sclass = socket_type_to_security_class(family, type, protocol); 4366 u32 sid = SECINITSID_KERNEL; 4367 int err = 0; 4368 4369 if (!kern) { 4370 err = socket_sockcreate_sid(tsec, sclass, &sid); 4371 if (err) 4372 return err; 4373 } 4374 4375 isec->sclass = sclass; 4376 isec->sid = sid; 4377 isec->initialized = LABEL_INITIALIZED; 4378 4379 if (sock->sk) { 4380 sksec = sock->sk->sk_security; 4381 sksec->sclass = sclass; 4382 sksec->sid = sid; 4383 err = selinux_netlbl_socket_post_create(sock->sk, family); 4384 } 4385 4386 return err; 4387 } 4388 4389 /* Range of port numbers used to automatically bind. 4390 Need to determine whether we should perform a name_bind 4391 permission check between the socket and the port number. */ 4392 4393 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4394 { 4395 struct sock *sk = sock->sk; 4396 u16 family; 4397 int err; 4398 4399 err = sock_has_perm(sk, SOCKET__BIND); 4400 if (err) 4401 goto out; 4402 4403 /* 4404 * If PF_INET or PF_INET6, check name_bind permission for the port. 4405 * Multiple address binding for SCTP is not supported yet: we just 4406 * check the first address now. 4407 */ 4408 family = sk->sk_family; 4409 if (family == PF_INET || family == PF_INET6) { 4410 char *addrp; 4411 struct sk_security_struct *sksec = sk->sk_security; 4412 struct common_audit_data ad; 4413 struct lsm_network_audit net = {0,}; 4414 struct sockaddr_in *addr4 = NULL; 4415 struct sockaddr_in6 *addr6 = NULL; 4416 unsigned short snum; 4417 u32 sid, node_perm; 4418 4419 if (family == PF_INET) { 4420 if (addrlen < sizeof(struct sockaddr_in)) { 4421 err = -EINVAL; 4422 goto out; 4423 } 4424 addr4 = (struct sockaddr_in *)address; 4425 snum = ntohs(addr4->sin_port); 4426 addrp = (char *)&addr4->sin_addr.s_addr; 4427 } else { 4428 if (addrlen < SIN6_LEN_RFC2133) { 4429 err = -EINVAL; 4430 goto out; 4431 } 4432 addr6 = (struct sockaddr_in6 *)address; 4433 snum = ntohs(addr6->sin6_port); 4434 addrp = (char *)&addr6->sin6_addr.s6_addr; 4435 } 4436 4437 if (snum) { 4438 int low, high; 4439 4440 inet_get_local_port_range(sock_net(sk), &low, &high); 4441 4442 if (snum < max(inet_prot_sock(sock_net(sk)), low) || 4443 snum > high) { 4444 err = sel_netport_sid(sk->sk_protocol, 4445 snum, &sid); 4446 if (err) 4447 goto out; 4448 ad.type = LSM_AUDIT_DATA_NET; 4449 ad.u.net = &net; 4450 ad.u.net->sport = htons(snum); 4451 ad.u.net->family = family; 4452 err = avc_has_perm(sksec->sid, sid, 4453 sksec->sclass, 4454 SOCKET__NAME_BIND, &ad); 4455 if (err) 4456 goto out; 4457 } 4458 } 4459 4460 switch (sksec->sclass) { 4461 case SECCLASS_TCP_SOCKET: 4462 node_perm = TCP_SOCKET__NODE_BIND; 4463 break; 4464 4465 case SECCLASS_UDP_SOCKET: 4466 node_perm = UDP_SOCKET__NODE_BIND; 4467 break; 4468 4469 case SECCLASS_DCCP_SOCKET: 4470 node_perm = DCCP_SOCKET__NODE_BIND; 4471 break; 4472 4473 default: 4474 node_perm = RAWIP_SOCKET__NODE_BIND; 4475 break; 4476 } 4477 4478 err = sel_netnode_sid(addrp, family, &sid); 4479 if (err) 4480 goto out; 4481 4482 ad.type = LSM_AUDIT_DATA_NET; 4483 ad.u.net = &net; 4484 ad.u.net->sport = htons(snum); 4485 ad.u.net->family = family; 4486 4487 if (family == PF_INET) 4488 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4489 else 4490 ad.u.net->v6info.saddr = addr6->sin6_addr; 4491 4492 err = avc_has_perm(sksec->sid, sid, 4493 sksec->sclass, node_perm, &ad); 4494 if (err) 4495 goto out; 4496 } 4497 out: 4498 return err; 4499 } 4500 4501 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 4502 { 4503 struct sock *sk = sock->sk; 4504 struct sk_security_struct *sksec = sk->sk_security; 4505 int err; 4506 4507 err = sock_has_perm(sk, SOCKET__CONNECT); 4508 if (err) 4509 return err; 4510 4511 /* 4512 * If a TCP or DCCP socket, check name_connect permission for the port. 4513 */ 4514 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4515 sksec->sclass == SECCLASS_DCCP_SOCKET) { 4516 struct common_audit_data ad; 4517 struct lsm_network_audit net = {0,}; 4518 struct sockaddr_in *addr4 = NULL; 4519 struct sockaddr_in6 *addr6 = NULL; 4520 unsigned short snum; 4521 u32 sid, perm; 4522 4523 if (sk->sk_family == PF_INET) { 4524 addr4 = (struct sockaddr_in *)address; 4525 if (addrlen < sizeof(struct sockaddr_in)) 4526 return -EINVAL; 4527 snum = ntohs(addr4->sin_port); 4528 } else { 4529 addr6 = (struct sockaddr_in6 *)address; 4530 if (addrlen < SIN6_LEN_RFC2133) 4531 return -EINVAL; 4532 snum = ntohs(addr6->sin6_port); 4533 } 4534 4535 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4536 if (err) 4537 goto out; 4538 4539 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? 4540 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 4541 4542 ad.type = LSM_AUDIT_DATA_NET; 4543 ad.u.net = &net; 4544 ad.u.net->dport = htons(snum); 4545 ad.u.net->family = sk->sk_family; 4546 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 4547 if (err) 4548 goto out; 4549 } 4550 4551 err = selinux_netlbl_socket_connect(sk, address); 4552 4553 out: 4554 return err; 4555 } 4556 4557 static int selinux_socket_listen(struct socket *sock, int backlog) 4558 { 4559 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4560 } 4561 4562 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4563 { 4564 int err; 4565 struct inode_security_struct *isec; 4566 struct inode_security_struct *newisec; 4567 u16 sclass; 4568 u32 sid; 4569 4570 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4571 if (err) 4572 return err; 4573 4574 isec = inode_security_novalidate(SOCK_INODE(sock)); 4575 spin_lock(&isec->lock); 4576 sclass = isec->sclass; 4577 sid = isec->sid; 4578 spin_unlock(&isec->lock); 4579 4580 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4581 newisec->sclass = sclass; 4582 newisec->sid = sid; 4583 newisec->initialized = LABEL_INITIALIZED; 4584 4585 return 0; 4586 } 4587 4588 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4589 int size) 4590 { 4591 return sock_has_perm(sock->sk, SOCKET__WRITE); 4592 } 4593 4594 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4595 int size, int flags) 4596 { 4597 return sock_has_perm(sock->sk, SOCKET__READ); 4598 } 4599 4600 static int selinux_socket_getsockname(struct socket *sock) 4601 { 4602 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4603 } 4604 4605 static int selinux_socket_getpeername(struct socket *sock) 4606 { 4607 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4608 } 4609 4610 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4611 { 4612 int err; 4613 4614 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 4615 if (err) 4616 return err; 4617 4618 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4619 } 4620 4621 static int selinux_socket_getsockopt(struct socket *sock, int level, 4622 int optname) 4623 { 4624 return sock_has_perm(sock->sk, SOCKET__GETOPT); 4625 } 4626 4627 static int selinux_socket_shutdown(struct socket *sock, int how) 4628 { 4629 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 4630 } 4631 4632 static int selinux_socket_unix_stream_connect(struct sock *sock, 4633 struct sock *other, 4634 struct sock *newsk) 4635 { 4636 struct sk_security_struct *sksec_sock = sock->sk_security; 4637 struct sk_security_struct *sksec_other = other->sk_security; 4638 struct sk_security_struct *sksec_new = newsk->sk_security; 4639 struct common_audit_data ad; 4640 struct lsm_network_audit net = {0,}; 4641 int err; 4642 4643 ad.type = LSM_AUDIT_DATA_NET; 4644 ad.u.net = &net; 4645 ad.u.net->sk = other; 4646 4647 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4648 sksec_other->sclass, 4649 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4650 if (err) 4651 return err; 4652 4653 /* server child socket */ 4654 sksec_new->peer_sid = sksec_sock->sid; 4655 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, 4656 &sksec_new->sid); 4657 if (err) 4658 return err; 4659 4660 /* connecting socket */ 4661 sksec_sock->peer_sid = sksec_new->sid; 4662 4663 return 0; 4664 } 4665 4666 static int selinux_socket_unix_may_send(struct socket *sock, 4667 struct socket *other) 4668 { 4669 struct sk_security_struct *ssec = sock->sk->sk_security; 4670 struct sk_security_struct *osec = other->sk->sk_security; 4671 struct common_audit_data ad; 4672 struct lsm_network_audit net = {0,}; 4673 4674 ad.type = LSM_AUDIT_DATA_NET; 4675 ad.u.net = &net; 4676 ad.u.net->sk = other->sk; 4677 4678 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4679 &ad); 4680 } 4681 4682 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4683 char *addrp, u16 family, u32 peer_sid, 4684 struct common_audit_data *ad) 4685 { 4686 int err; 4687 u32 if_sid; 4688 u32 node_sid; 4689 4690 err = sel_netif_sid(ns, ifindex, &if_sid); 4691 if (err) 4692 return err; 4693 err = avc_has_perm(peer_sid, if_sid, 4694 SECCLASS_NETIF, NETIF__INGRESS, ad); 4695 if (err) 4696 return err; 4697 4698 err = sel_netnode_sid(addrp, family, &node_sid); 4699 if (err) 4700 return err; 4701 return avc_has_perm(peer_sid, node_sid, 4702 SECCLASS_NODE, NODE__RECVFROM, ad); 4703 } 4704 4705 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4706 u16 family) 4707 { 4708 int err = 0; 4709 struct sk_security_struct *sksec = sk->sk_security; 4710 u32 sk_sid = sksec->sid; 4711 struct common_audit_data ad; 4712 struct lsm_network_audit net = {0,}; 4713 char *addrp; 4714 4715 ad.type = LSM_AUDIT_DATA_NET; 4716 ad.u.net = &net; 4717 ad.u.net->netif = skb->skb_iif; 4718 ad.u.net->family = family; 4719 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4720 if (err) 4721 return err; 4722 4723 if (selinux_secmark_enabled()) { 4724 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4725 PACKET__RECV, &ad); 4726 if (err) 4727 return err; 4728 } 4729 4730 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4731 if (err) 4732 return err; 4733 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4734 4735 return err; 4736 } 4737 4738 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4739 { 4740 int err; 4741 struct sk_security_struct *sksec = sk->sk_security; 4742 u16 family = sk->sk_family; 4743 u32 sk_sid = sksec->sid; 4744 struct common_audit_data ad; 4745 struct lsm_network_audit net = {0,}; 4746 char *addrp; 4747 u8 secmark_active; 4748 u8 peerlbl_active; 4749 4750 if (family != PF_INET && family != PF_INET6) 4751 return 0; 4752 4753 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 4754 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4755 family = PF_INET; 4756 4757 /* If any sort of compatibility mode is enabled then handoff processing 4758 * to the selinux_sock_rcv_skb_compat() function to deal with the 4759 * special handling. We do this in an attempt to keep this function 4760 * as fast and as clean as possible. */ 4761 if (!selinux_policycap_netpeer) 4762 return selinux_sock_rcv_skb_compat(sk, skb, family); 4763 4764 secmark_active = selinux_secmark_enabled(); 4765 peerlbl_active = selinux_peerlbl_enabled(); 4766 if (!secmark_active && !peerlbl_active) 4767 return 0; 4768 4769 ad.type = LSM_AUDIT_DATA_NET; 4770 ad.u.net = &net; 4771 ad.u.net->netif = skb->skb_iif; 4772 ad.u.net->family = family; 4773 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4774 if (err) 4775 return err; 4776 4777 if (peerlbl_active) { 4778 u32 peer_sid; 4779 4780 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4781 if (err) 4782 return err; 4783 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 4784 addrp, family, peer_sid, &ad); 4785 if (err) { 4786 selinux_netlbl_err(skb, family, err, 0); 4787 return err; 4788 } 4789 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 4790 PEER__RECV, &ad); 4791 if (err) { 4792 selinux_netlbl_err(skb, family, err, 0); 4793 return err; 4794 } 4795 } 4796 4797 if (secmark_active) { 4798 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4799 PACKET__RECV, &ad); 4800 if (err) 4801 return err; 4802 } 4803 4804 return err; 4805 } 4806 4807 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4808 int __user *optlen, unsigned len) 4809 { 4810 int err = 0; 4811 char *scontext; 4812 u32 scontext_len; 4813 struct sk_security_struct *sksec = sock->sk->sk_security; 4814 u32 peer_sid = SECSID_NULL; 4815 4816 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4817 sksec->sclass == SECCLASS_TCP_SOCKET) 4818 peer_sid = sksec->peer_sid; 4819 if (peer_sid == SECSID_NULL) 4820 return -ENOPROTOOPT; 4821 4822 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 4823 if (err) 4824 return err; 4825 4826 if (scontext_len > len) { 4827 err = -ERANGE; 4828 goto out_len; 4829 } 4830 4831 if (copy_to_user(optval, scontext, scontext_len)) 4832 err = -EFAULT; 4833 4834 out_len: 4835 if (put_user(scontext_len, optlen)) 4836 err = -EFAULT; 4837 kfree(scontext); 4838 return err; 4839 } 4840 4841 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4842 { 4843 u32 peer_secid = SECSID_NULL; 4844 u16 family; 4845 struct inode_security_struct *isec; 4846 4847 if (skb && skb->protocol == htons(ETH_P_IP)) 4848 family = PF_INET; 4849 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 4850 family = PF_INET6; 4851 else if (sock) 4852 family = sock->sk->sk_family; 4853 else 4854 goto out; 4855 4856 if (sock && family == PF_UNIX) { 4857 isec = inode_security_novalidate(SOCK_INODE(sock)); 4858 peer_secid = isec->sid; 4859 } else if (skb) 4860 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4861 4862 out: 4863 *secid = peer_secid; 4864 if (peer_secid == SECSID_NULL) 4865 return -EINVAL; 4866 return 0; 4867 } 4868 4869 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4870 { 4871 struct sk_security_struct *sksec; 4872 4873 sksec = kzalloc(sizeof(*sksec), priority); 4874 if (!sksec) 4875 return -ENOMEM; 4876 4877 sksec->peer_sid = SECINITSID_UNLABELED; 4878 sksec->sid = SECINITSID_UNLABELED; 4879 sksec->sclass = SECCLASS_SOCKET; 4880 selinux_netlbl_sk_security_reset(sksec); 4881 sk->sk_security = sksec; 4882 4883 return 0; 4884 } 4885 4886 static void selinux_sk_free_security(struct sock *sk) 4887 { 4888 struct sk_security_struct *sksec = sk->sk_security; 4889 4890 sk->sk_security = NULL; 4891 selinux_netlbl_sk_security_free(sksec); 4892 kfree(sksec); 4893 } 4894 4895 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4896 { 4897 struct sk_security_struct *sksec = sk->sk_security; 4898 struct sk_security_struct *newsksec = newsk->sk_security; 4899 4900 newsksec->sid = sksec->sid; 4901 newsksec->peer_sid = sksec->peer_sid; 4902 newsksec->sclass = sksec->sclass; 4903 4904 selinux_netlbl_sk_security_reset(newsksec); 4905 } 4906 4907 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4908 { 4909 if (!sk) 4910 *secid = SECINITSID_ANY_SOCKET; 4911 else { 4912 struct sk_security_struct *sksec = sk->sk_security; 4913 4914 *secid = sksec->sid; 4915 } 4916 } 4917 4918 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 4919 { 4920 struct inode_security_struct *isec = 4921 inode_security_novalidate(SOCK_INODE(parent)); 4922 struct sk_security_struct *sksec = sk->sk_security; 4923 4924 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 4925 sk->sk_family == PF_UNIX) 4926 isec->sid = sksec->sid; 4927 sksec->sclass = isec->sclass; 4928 } 4929 4930 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4931 struct request_sock *req) 4932 { 4933 struct sk_security_struct *sksec = sk->sk_security; 4934 int err; 4935 u16 family = req->rsk_ops->family; 4936 u32 connsid; 4937 u32 peersid; 4938 4939 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 4940 if (err) 4941 return err; 4942 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 4943 if (err) 4944 return err; 4945 req->secid = connsid; 4946 req->peer_secid = peersid; 4947 4948 return selinux_netlbl_inet_conn_request(req, family); 4949 } 4950 4951 static void selinux_inet_csk_clone(struct sock *newsk, 4952 const struct request_sock *req) 4953 { 4954 struct sk_security_struct *newsksec = newsk->sk_security; 4955 4956 newsksec->sid = req->secid; 4957 newsksec->peer_sid = req->peer_secid; 4958 /* NOTE: Ideally, we should also get the isec->sid for the 4959 new socket in sync, but we don't have the isec available yet. 4960 So we will wait until sock_graft to do it, by which 4961 time it will have been created and available. */ 4962 4963 /* We don't need to take any sort of lock here as we are the only 4964 * thread with access to newsksec */ 4965 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 4966 } 4967 4968 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 4969 { 4970 u16 family = sk->sk_family; 4971 struct sk_security_struct *sksec = sk->sk_security; 4972 4973 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4974 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4975 family = PF_INET; 4976 4977 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 4978 } 4979 4980 static int selinux_secmark_relabel_packet(u32 sid) 4981 { 4982 const struct task_security_struct *__tsec; 4983 u32 tsid; 4984 4985 __tsec = current_security(); 4986 tsid = __tsec->sid; 4987 4988 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); 4989 } 4990 4991 static void selinux_secmark_refcount_inc(void) 4992 { 4993 atomic_inc(&selinux_secmark_refcount); 4994 } 4995 4996 static void selinux_secmark_refcount_dec(void) 4997 { 4998 atomic_dec(&selinux_secmark_refcount); 4999 } 5000 5001 static void selinux_req_classify_flow(const struct request_sock *req, 5002 struct flowi *fl) 5003 { 5004 fl->flowi_secid = req->secid; 5005 } 5006 5007 static int selinux_tun_dev_alloc_security(void **security) 5008 { 5009 struct tun_security_struct *tunsec; 5010 5011 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5012 if (!tunsec) 5013 return -ENOMEM; 5014 tunsec->sid = current_sid(); 5015 5016 *security = tunsec; 5017 return 0; 5018 } 5019 5020 static void selinux_tun_dev_free_security(void *security) 5021 { 5022 kfree(security); 5023 } 5024 5025 static int selinux_tun_dev_create(void) 5026 { 5027 u32 sid = current_sid(); 5028 5029 /* we aren't taking into account the "sockcreate" SID since the socket 5030 * that is being created here is not a socket in the traditional sense, 5031 * instead it is a private sock, accessible only to the kernel, and 5032 * representing a wide range of network traffic spanning multiple 5033 * connections unlike traditional sockets - check the TUN driver to 5034 * get a better understanding of why this socket is special */ 5035 5036 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5037 NULL); 5038 } 5039 5040 static int selinux_tun_dev_attach_queue(void *security) 5041 { 5042 struct tun_security_struct *tunsec = security; 5043 5044 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5045 TUN_SOCKET__ATTACH_QUEUE, NULL); 5046 } 5047 5048 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5049 { 5050 struct tun_security_struct *tunsec = security; 5051 struct sk_security_struct *sksec = sk->sk_security; 5052 5053 /* we don't currently perform any NetLabel based labeling here and it 5054 * isn't clear that we would want to do so anyway; while we could apply 5055 * labeling without the support of the TUN user the resulting labeled 5056 * traffic from the other end of the connection would almost certainly 5057 * cause confusion to the TUN user that had no idea network labeling 5058 * protocols were being used */ 5059 5060 sksec->sid = tunsec->sid; 5061 sksec->sclass = SECCLASS_TUN_SOCKET; 5062 5063 return 0; 5064 } 5065 5066 static int selinux_tun_dev_open(void *security) 5067 { 5068 struct tun_security_struct *tunsec = security; 5069 u32 sid = current_sid(); 5070 int err; 5071 5072 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5073 TUN_SOCKET__RELABELFROM, NULL); 5074 if (err) 5075 return err; 5076 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 5077 TUN_SOCKET__RELABELTO, NULL); 5078 if (err) 5079 return err; 5080 tunsec->sid = sid; 5081 5082 return 0; 5083 } 5084 5085 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 5086 { 5087 int err = 0; 5088 u32 perm; 5089 struct nlmsghdr *nlh; 5090 struct sk_security_struct *sksec = sk->sk_security; 5091 5092 if (skb->len < NLMSG_HDRLEN) { 5093 err = -EINVAL; 5094 goto out; 5095 } 5096 nlh = nlmsg_hdr(skb); 5097 5098 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 5099 if (err) { 5100 if (err == -EINVAL) { 5101 pr_warn_ratelimited("SELinux: unrecognized netlink" 5102 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 5103 " pig=%d comm=%s\n", 5104 sk->sk_protocol, nlh->nlmsg_type, 5105 secclass_map[sksec->sclass - 1].name, 5106 task_pid_nr(current), current->comm); 5107 if (!selinux_enforcing || security_get_allow_unknown()) 5108 err = 0; 5109 } 5110 5111 /* Ignore */ 5112 if (err == -ENOENT) 5113 err = 0; 5114 goto out; 5115 } 5116 5117 err = sock_has_perm(sk, perm); 5118 out: 5119 return err; 5120 } 5121 5122 #ifdef CONFIG_NETFILTER 5123 5124 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5125 const struct net_device *indev, 5126 u16 family) 5127 { 5128 int err; 5129 char *addrp; 5130 u32 peer_sid; 5131 struct common_audit_data ad; 5132 struct lsm_network_audit net = {0,}; 5133 u8 secmark_active; 5134 u8 netlbl_active; 5135 u8 peerlbl_active; 5136 5137 if (!selinux_policycap_netpeer) 5138 return NF_ACCEPT; 5139 5140 secmark_active = selinux_secmark_enabled(); 5141 netlbl_active = netlbl_enabled(); 5142 peerlbl_active = selinux_peerlbl_enabled(); 5143 if (!secmark_active && !peerlbl_active) 5144 return NF_ACCEPT; 5145 5146 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5147 return NF_DROP; 5148 5149 ad.type = LSM_AUDIT_DATA_NET; 5150 ad.u.net = &net; 5151 ad.u.net->netif = indev->ifindex; 5152 ad.u.net->family = family; 5153 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5154 return NF_DROP; 5155 5156 if (peerlbl_active) { 5157 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5158 addrp, family, peer_sid, &ad); 5159 if (err) { 5160 selinux_netlbl_err(skb, family, err, 1); 5161 return NF_DROP; 5162 } 5163 } 5164 5165 if (secmark_active) 5166 if (avc_has_perm(peer_sid, skb->secmark, 5167 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5168 return NF_DROP; 5169 5170 if (netlbl_active) 5171 /* we do this in the FORWARD path and not the POST_ROUTING 5172 * path because we want to make sure we apply the necessary 5173 * labeling before IPsec is applied so we can leverage AH 5174 * protection */ 5175 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5176 return NF_DROP; 5177 5178 return NF_ACCEPT; 5179 } 5180 5181 static unsigned int selinux_ipv4_forward(void *priv, 5182 struct sk_buff *skb, 5183 const struct nf_hook_state *state) 5184 { 5185 return selinux_ip_forward(skb, state->in, PF_INET); 5186 } 5187 5188 #if IS_ENABLED(CONFIG_IPV6) 5189 static unsigned int selinux_ipv6_forward(void *priv, 5190 struct sk_buff *skb, 5191 const struct nf_hook_state *state) 5192 { 5193 return selinux_ip_forward(skb, state->in, PF_INET6); 5194 } 5195 #endif /* IPV6 */ 5196 5197 static unsigned int selinux_ip_output(struct sk_buff *skb, 5198 u16 family) 5199 { 5200 struct sock *sk; 5201 u32 sid; 5202 5203 if (!netlbl_enabled()) 5204 return NF_ACCEPT; 5205 5206 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5207 * because we want to make sure we apply the necessary labeling 5208 * before IPsec is applied so we can leverage AH protection */ 5209 sk = skb->sk; 5210 if (sk) { 5211 struct sk_security_struct *sksec; 5212 5213 if (sk_listener(sk)) 5214 /* if the socket is the listening state then this 5215 * packet is a SYN-ACK packet which means it needs to 5216 * be labeled based on the connection/request_sock and 5217 * not the parent socket. unfortunately, we can't 5218 * lookup the request_sock yet as it isn't queued on 5219 * the parent socket until after the SYN-ACK is sent. 5220 * the "solution" is to simply pass the packet as-is 5221 * as any IP option based labeling should be copied 5222 * from the initial connection request (in the IP 5223 * layer). it is far from ideal, but until we get a 5224 * security label in the packet itself this is the 5225 * best we can do. */ 5226 return NF_ACCEPT; 5227 5228 /* standard practice, label using the parent socket */ 5229 sksec = sk->sk_security; 5230 sid = sksec->sid; 5231 } else 5232 sid = SECINITSID_KERNEL; 5233 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5234 return NF_DROP; 5235 5236 return NF_ACCEPT; 5237 } 5238 5239 static unsigned int selinux_ipv4_output(void *priv, 5240 struct sk_buff *skb, 5241 const struct nf_hook_state *state) 5242 { 5243 return selinux_ip_output(skb, PF_INET); 5244 } 5245 5246 #if IS_ENABLED(CONFIG_IPV6) 5247 static unsigned int selinux_ipv6_output(void *priv, 5248 struct sk_buff *skb, 5249 const struct nf_hook_state *state) 5250 { 5251 return selinux_ip_output(skb, PF_INET6); 5252 } 5253 #endif /* IPV6 */ 5254 5255 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5256 int ifindex, 5257 u16 family) 5258 { 5259 struct sock *sk = skb_to_full_sk(skb); 5260 struct sk_security_struct *sksec; 5261 struct common_audit_data ad; 5262 struct lsm_network_audit net = {0,}; 5263 char *addrp; 5264 u8 proto; 5265 5266 if (sk == NULL) 5267 return NF_ACCEPT; 5268 sksec = sk->sk_security; 5269 5270 ad.type = LSM_AUDIT_DATA_NET; 5271 ad.u.net = &net; 5272 ad.u.net->netif = ifindex; 5273 ad.u.net->family = family; 5274 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5275 return NF_DROP; 5276 5277 if (selinux_secmark_enabled()) 5278 if (avc_has_perm(sksec->sid, skb->secmark, 5279 SECCLASS_PACKET, PACKET__SEND, &ad)) 5280 return NF_DROP_ERR(-ECONNREFUSED); 5281 5282 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5283 return NF_DROP_ERR(-ECONNREFUSED); 5284 5285 return NF_ACCEPT; 5286 } 5287 5288 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5289 const struct net_device *outdev, 5290 u16 family) 5291 { 5292 u32 secmark_perm; 5293 u32 peer_sid; 5294 int ifindex = outdev->ifindex; 5295 struct sock *sk; 5296 struct common_audit_data ad; 5297 struct lsm_network_audit net = {0,}; 5298 char *addrp; 5299 u8 secmark_active; 5300 u8 peerlbl_active; 5301 5302 /* If any sort of compatibility mode is enabled then handoff processing 5303 * to the selinux_ip_postroute_compat() function to deal with the 5304 * special handling. We do this in an attempt to keep this function 5305 * as fast and as clean as possible. */ 5306 if (!selinux_policycap_netpeer) 5307 return selinux_ip_postroute_compat(skb, ifindex, family); 5308 5309 secmark_active = selinux_secmark_enabled(); 5310 peerlbl_active = selinux_peerlbl_enabled(); 5311 if (!secmark_active && !peerlbl_active) 5312 return NF_ACCEPT; 5313 5314 sk = skb_to_full_sk(skb); 5315 5316 #ifdef CONFIG_XFRM 5317 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5318 * packet transformation so allow the packet to pass without any checks 5319 * since we'll have another chance to perform access control checks 5320 * when the packet is on it's final way out. 5321 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5322 * is NULL, in this case go ahead and apply access control. 5323 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5324 * TCP listening state we cannot wait until the XFRM processing 5325 * is done as we will miss out on the SA label if we do; 5326 * unfortunately, this means more work, but it is only once per 5327 * connection. */ 5328 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5329 !(sk && sk_listener(sk))) 5330 return NF_ACCEPT; 5331 #endif 5332 5333 if (sk == NULL) { 5334 /* Without an associated socket the packet is either coming 5335 * from the kernel or it is being forwarded; check the packet 5336 * to determine which and if the packet is being forwarded 5337 * query the packet directly to determine the security label. */ 5338 if (skb->skb_iif) { 5339 secmark_perm = PACKET__FORWARD_OUT; 5340 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5341 return NF_DROP; 5342 } else { 5343 secmark_perm = PACKET__SEND; 5344 peer_sid = SECINITSID_KERNEL; 5345 } 5346 } else if (sk_listener(sk)) { 5347 /* Locally generated packet but the associated socket is in the 5348 * listening state which means this is a SYN-ACK packet. In 5349 * this particular case the correct security label is assigned 5350 * to the connection/request_sock but unfortunately we can't 5351 * query the request_sock as it isn't queued on the parent 5352 * socket until after the SYN-ACK packet is sent; the only 5353 * viable choice is to regenerate the label like we do in 5354 * selinux_inet_conn_request(). See also selinux_ip_output() 5355 * for similar problems. */ 5356 u32 skb_sid; 5357 struct sk_security_struct *sksec; 5358 5359 sksec = sk->sk_security; 5360 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5361 return NF_DROP; 5362 /* At this point, if the returned skb peerlbl is SECSID_NULL 5363 * and the packet has been through at least one XFRM 5364 * transformation then we must be dealing with the "final" 5365 * form of labeled IPsec packet; since we've already applied 5366 * all of our access controls on this packet we can safely 5367 * pass the packet. */ 5368 if (skb_sid == SECSID_NULL) { 5369 switch (family) { 5370 case PF_INET: 5371 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5372 return NF_ACCEPT; 5373 break; 5374 case PF_INET6: 5375 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5376 return NF_ACCEPT; 5377 break; 5378 default: 5379 return NF_DROP_ERR(-ECONNREFUSED); 5380 } 5381 } 5382 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5383 return NF_DROP; 5384 secmark_perm = PACKET__SEND; 5385 } else { 5386 /* Locally generated packet, fetch the security label from the 5387 * associated socket. */ 5388 struct sk_security_struct *sksec = sk->sk_security; 5389 peer_sid = sksec->sid; 5390 secmark_perm = PACKET__SEND; 5391 } 5392 5393 ad.type = LSM_AUDIT_DATA_NET; 5394 ad.u.net = &net; 5395 ad.u.net->netif = ifindex; 5396 ad.u.net->family = family; 5397 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5398 return NF_DROP; 5399 5400 if (secmark_active) 5401 if (avc_has_perm(peer_sid, skb->secmark, 5402 SECCLASS_PACKET, secmark_perm, &ad)) 5403 return NF_DROP_ERR(-ECONNREFUSED); 5404 5405 if (peerlbl_active) { 5406 u32 if_sid; 5407 u32 node_sid; 5408 5409 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5410 return NF_DROP; 5411 if (avc_has_perm(peer_sid, if_sid, 5412 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5413 return NF_DROP_ERR(-ECONNREFUSED); 5414 5415 if (sel_netnode_sid(addrp, family, &node_sid)) 5416 return NF_DROP; 5417 if (avc_has_perm(peer_sid, node_sid, 5418 SECCLASS_NODE, NODE__SENDTO, &ad)) 5419 return NF_DROP_ERR(-ECONNREFUSED); 5420 } 5421 5422 return NF_ACCEPT; 5423 } 5424 5425 static unsigned int selinux_ipv4_postroute(void *priv, 5426 struct sk_buff *skb, 5427 const struct nf_hook_state *state) 5428 { 5429 return selinux_ip_postroute(skb, state->out, PF_INET); 5430 } 5431 5432 #if IS_ENABLED(CONFIG_IPV6) 5433 static unsigned int selinux_ipv6_postroute(void *priv, 5434 struct sk_buff *skb, 5435 const struct nf_hook_state *state) 5436 { 5437 return selinux_ip_postroute(skb, state->out, PF_INET6); 5438 } 5439 #endif /* IPV6 */ 5440 5441 #endif /* CONFIG_NETFILTER */ 5442 5443 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5444 { 5445 return selinux_nlmsg_perm(sk, skb); 5446 } 5447 5448 static int ipc_alloc_security(struct kern_ipc_perm *perm, 5449 u16 sclass) 5450 { 5451 struct ipc_security_struct *isec; 5452 5453 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 5454 if (!isec) 5455 return -ENOMEM; 5456 5457 isec->sclass = sclass; 5458 isec->sid = current_sid(); 5459 perm->security = isec; 5460 5461 return 0; 5462 } 5463 5464 static void ipc_free_security(struct kern_ipc_perm *perm) 5465 { 5466 struct ipc_security_struct *isec = perm->security; 5467 perm->security = NULL; 5468 kfree(isec); 5469 } 5470 5471 static int msg_msg_alloc_security(struct msg_msg *msg) 5472 { 5473 struct msg_security_struct *msec; 5474 5475 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 5476 if (!msec) 5477 return -ENOMEM; 5478 5479 msec->sid = SECINITSID_UNLABELED; 5480 msg->security = msec; 5481 5482 return 0; 5483 } 5484 5485 static void msg_msg_free_security(struct msg_msg *msg) 5486 { 5487 struct msg_security_struct *msec = msg->security; 5488 5489 msg->security = NULL; 5490 kfree(msec); 5491 } 5492 5493 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5494 u32 perms) 5495 { 5496 struct ipc_security_struct *isec; 5497 struct common_audit_data ad; 5498 u32 sid = current_sid(); 5499 5500 isec = ipc_perms->security; 5501 5502 ad.type = LSM_AUDIT_DATA_IPC; 5503 ad.u.ipc_id = ipc_perms->key; 5504 5505 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 5506 } 5507 5508 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5509 { 5510 return msg_msg_alloc_security(msg); 5511 } 5512 5513 static void selinux_msg_msg_free_security(struct msg_msg *msg) 5514 { 5515 msg_msg_free_security(msg); 5516 } 5517 5518 /* message queue security operations */ 5519 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 5520 { 5521 struct ipc_security_struct *isec; 5522 struct common_audit_data ad; 5523 u32 sid = current_sid(); 5524 int rc; 5525 5526 rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ); 5527 if (rc) 5528 return rc; 5529 5530 isec = msq->q_perm.security; 5531 5532 ad.type = LSM_AUDIT_DATA_IPC; 5533 ad.u.ipc_id = msq->q_perm.key; 5534 5535 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5536 MSGQ__CREATE, &ad); 5537 if (rc) { 5538 ipc_free_security(&msq->q_perm); 5539 return rc; 5540 } 5541 return 0; 5542 } 5543 5544 static void selinux_msg_queue_free_security(struct msg_queue *msq) 5545 { 5546 ipc_free_security(&msq->q_perm); 5547 } 5548 5549 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 5550 { 5551 struct ipc_security_struct *isec; 5552 struct common_audit_data ad; 5553 u32 sid = current_sid(); 5554 5555 isec = msq->q_perm.security; 5556 5557 ad.type = LSM_AUDIT_DATA_IPC; 5558 ad.u.ipc_id = msq->q_perm.key; 5559 5560 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5561 MSGQ__ASSOCIATE, &ad); 5562 } 5563 5564 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 5565 { 5566 int err; 5567 int perms; 5568 5569 switch (cmd) { 5570 case IPC_INFO: 5571 case MSG_INFO: 5572 /* No specific object, just general system-wide information. */ 5573 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 5574 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5575 case IPC_STAT: 5576 case MSG_STAT: 5577 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 5578 break; 5579 case IPC_SET: 5580 perms = MSGQ__SETATTR; 5581 break; 5582 case IPC_RMID: 5583 perms = MSGQ__DESTROY; 5584 break; 5585 default: 5586 return 0; 5587 } 5588 5589 err = ipc_has_perm(&msq->q_perm, perms); 5590 return err; 5591 } 5592 5593 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 5594 { 5595 struct ipc_security_struct *isec; 5596 struct msg_security_struct *msec; 5597 struct common_audit_data ad; 5598 u32 sid = current_sid(); 5599 int rc; 5600 5601 isec = msq->q_perm.security; 5602 msec = msg->security; 5603 5604 /* 5605 * First time through, need to assign label to the message 5606 */ 5607 if (msec->sid == SECINITSID_UNLABELED) { 5608 /* 5609 * Compute new sid based on current process and 5610 * message queue this message will be stored in 5611 */ 5612 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, 5613 NULL, &msec->sid); 5614 if (rc) 5615 return rc; 5616 } 5617 5618 ad.type = LSM_AUDIT_DATA_IPC; 5619 ad.u.ipc_id = msq->q_perm.key; 5620 5621 /* Can this process write to the queue? */ 5622 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5623 MSGQ__WRITE, &ad); 5624 if (!rc) 5625 /* Can this process send the message */ 5626 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 5627 MSG__SEND, &ad); 5628 if (!rc) 5629 /* Can the message be put in the queue? */ 5630 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 5631 MSGQ__ENQUEUE, &ad); 5632 5633 return rc; 5634 } 5635 5636 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 5637 struct task_struct *target, 5638 long type, int mode) 5639 { 5640 struct ipc_security_struct *isec; 5641 struct msg_security_struct *msec; 5642 struct common_audit_data ad; 5643 u32 sid = task_sid(target); 5644 int rc; 5645 5646 isec = msq->q_perm.security; 5647 msec = msg->security; 5648 5649 ad.type = LSM_AUDIT_DATA_IPC; 5650 ad.u.ipc_id = msq->q_perm.key; 5651 5652 rc = avc_has_perm(sid, isec->sid, 5653 SECCLASS_MSGQ, MSGQ__READ, &ad); 5654 if (!rc) 5655 rc = avc_has_perm(sid, msec->sid, 5656 SECCLASS_MSG, MSG__RECEIVE, &ad); 5657 return rc; 5658 } 5659 5660 /* Shared Memory security operations */ 5661 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 5662 { 5663 struct ipc_security_struct *isec; 5664 struct common_audit_data ad; 5665 u32 sid = current_sid(); 5666 int rc; 5667 5668 rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM); 5669 if (rc) 5670 return rc; 5671 5672 isec = shp->shm_perm.security; 5673 5674 ad.type = LSM_AUDIT_DATA_IPC; 5675 ad.u.ipc_id = shp->shm_perm.key; 5676 5677 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5678 SHM__CREATE, &ad); 5679 if (rc) { 5680 ipc_free_security(&shp->shm_perm); 5681 return rc; 5682 } 5683 return 0; 5684 } 5685 5686 static void selinux_shm_free_security(struct shmid_kernel *shp) 5687 { 5688 ipc_free_security(&shp->shm_perm); 5689 } 5690 5691 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 5692 { 5693 struct ipc_security_struct *isec; 5694 struct common_audit_data ad; 5695 u32 sid = current_sid(); 5696 5697 isec = shp->shm_perm.security; 5698 5699 ad.type = LSM_AUDIT_DATA_IPC; 5700 ad.u.ipc_id = shp->shm_perm.key; 5701 5702 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5703 SHM__ASSOCIATE, &ad); 5704 } 5705 5706 /* Note, at this point, shp is locked down */ 5707 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 5708 { 5709 int perms; 5710 int err; 5711 5712 switch (cmd) { 5713 case IPC_INFO: 5714 case SHM_INFO: 5715 /* No specific object, just general system-wide information. */ 5716 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 5717 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5718 case IPC_STAT: 5719 case SHM_STAT: 5720 perms = SHM__GETATTR | SHM__ASSOCIATE; 5721 break; 5722 case IPC_SET: 5723 perms = SHM__SETATTR; 5724 break; 5725 case SHM_LOCK: 5726 case SHM_UNLOCK: 5727 perms = SHM__LOCK; 5728 break; 5729 case IPC_RMID: 5730 perms = SHM__DESTROY; 5731 break; 5732 default: 5733 return 0; 5734 } 5735 5736 err = ipc_has_perm(&shp->shm_perm, perms); 5737 return err; 5738 } 5739 5740 static int selinux_shm_shmat(struct shmid_kernel *shp, 5741 char __user *shmaddr, int shmflg) 5742 { 5743 u32 perms; 5744 5745 if (shmflg & SHM_RDONLY) 5746 perms = SHM__READ; 5747 else 5748 perms = SHM__READ | SHM__WRITE; 5749 5750 return ipc_has_perm(&shp->shm_perm, perms); 5751 } 5752 5753 /* Semaphore security operations */ 5754 static int selinux_sem_alloc_security(struct sem_array *sma) 5755 { 5756 struct ipc_security_struct *isec; 5757 struct common_audit_data ad; 5758 u32 sid = current_sid(); 5759 int rc; 5760 5761 rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM); 5762 if (rc) 5763 return rc; 5764 5765 isec = sma->sem_perm.security; 5766 5767 ad.type = LSM_AUDIT_DATA_IPC; 5768 ad.u.ipc_id = sma->sem_perm.key; 5769 5770 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5771 SEM__CREATE, &ad); 5772 if (rc) { 5773 ipc_free_security(&sma->sem_perm); 5774 return rc; 5775 } 5776 return 0; 5777 } 5778 5779 static void selinux_sem_free_security(struct sem_array *sma) 5780 { 5781 ipc_free_security(&sma->sem_perm); 5782 } 5783 5784 static int selinux_sem_associate(struct sem_array *sma, int semflg) 5785 { 5786 struct ipc_security_struct *isec; 5787 struct common_audit_data ad; 5788 u32 sid = current_sid(); 5789 5790 isec = sma->sem_perm.security; 5791 5792 ad.type = LSM_AUDIT_DATA_IPC; 5793 ad.u.ipc_id = sma->sem_perm.key; 5794 5795 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5796 SEM__ASSOCIATE, &ad); 5797 } 5798 5799 /* Note, at this point, sma is locked down */ 5800 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 5801 { 5802 int err; 5803 u32 perms; 5804 5805 switch (cmd) { 5806 case IPC_INFO: 5807 case SEM_INFO: 5808 /* No specific object, just general system-wide information. */ 5809 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 5810 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5811 case GETPID: 5812 case GETNCNT: 5813 case GETZCNT: 5814 perms = SEM__GETATTR; 5815 break; 5816 case GETVAL: 5817 case GETALL: 5818 perms = SEM__READ; 5819 break; 5820 case SETVAL: 5821 case SETALL: 5822 perms = SEM__WRITE; 5823 break; 5824 case IPC_RMID: 5825 perms = SEM__DESTROY; 5826 break; 5827 case IPC_SET: 5828 perms = SEM__SETATTR; 5829 break; 5830 case IPC_STAT: 5831 case SEM_STAT: 5832 perms = SEM__GETATTR | SEM__ASSOCIATE; 5833 break; 5834 default: 5835 return 0; 5836 } 5837 5838 err = ipc_has_perm(&sma->sem_perm, perms); 5839 return err; 5840 } 5841 5842 static int selinux_sem_semop(struct sem_array *sma, 5843 struct sembuf *sops, unsigned nsops, int alter) 5844 { 5845 u32 perms; 5846 5847 if (alter) 5848 perms = SEM__READ | SEM__WRITE; 5849 else 5850 perms = SEM__READ; 5851 5852 return ipc_has_perm(&sma->sem_perm, perms); 5853 } 5854 5855 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 5856 { 5857 u32 av = 0; 5858 5859 av = 0; 5860 if (flag & S_IRUGO) 5861 av |= IPC__UNIX_READ; 5862 if (flag & S_IWUGO) 5863 av |= IPC__UNIX_WRITE; 5864 5865 if (av == 0) 5866 return 0; 5867 5868 return ipc_has_perm(ipcp, av); 5869 } 5870 5871 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 5872 { 5873 struct ipc_security_struct *isec = ipcp->security; 5874 *secid = isec->sid; 5875 } 5876 5877 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 5878 { 5879 if (inode) 5880 inode_doinit_with_dentry(inode, dentry); 5881 } 5882 5883 static int selinux_getprocattr(struct task_struct *p, 5884 char *name, char **value) 5885 { 5886 const struct task_security_struct *__tsec; 5887 u32 sid; 5888 int error; 5889 unsigned len; 5890 5891 rcu_read_lock(); 5892 __tsec = __task_cred(p)->security; 5893 5894 if (current != p) { 5895 error = avc_has_perm(current_sid(), __tsec->sid, 5896 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 5897 if (error) 5898 goto bad; 5899 } 5900 5901 if (!strcmp(name, "current")) 5902 sid = __tsec->sid; 5903 else if (!strcmp(name, "prev")) 5904 sid = __tsec->osid; 5905 else if (!strcmp(name, "exec")) 5906 sid = __tsec->exec_sid; 5907 else if (!strcmp(name, "fscreate")) 5908 sid = __tsec->create_sid; 5909 else if (!strcmp(name, "keycreate")) 5910 sid = __tsec->keycreate_sid; 5911 else if (!strcmp(name, "sockcreate")) 5912 sid = __tsec->sockcreate_sid; 5913 else { 5914 error = -EINVAL; 5915 goto bad; 5916 } 5917 rcu_read_unlock(); 5918 5919 if (!sid) 5920 return 0; 5921 5922 error = security_sid_to_context(sid, value, &len); 5923 if (error) 5924 return error; 5925 return len; 5926 5927 bad: 5928 rcu_read_unlock(); 5929 return error; 5930 } 5931 5932 static int selinux_setprocattr(const char *name, void *value, size_t size) 5933 { 5934 struct task_security_struct *tsec; 5935 struct cred *new; 5936 u32 mysid = current_sid(), sid = 0, ptsid; 5937 int error; 5938 char *str = value; 5939 5940 /* 5941 * Basic control over ability to set these attributes at all. 5942 */ 5943 if (!strcmp(name, "exec")) 5944 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5945 PROCESS__SETEXEC, NULL); 5946 else if (!strcmp(name, "fscreate")) 5947 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5948 PROCESS__SETFSCREATE, NULL); 5949 else if (!strcmp(name, "keycreate")) 5950 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5951 PROCESS__SETKEYCREATE, NULL); 5952 else if (!strcmp(name, "sockcreate")) 5953 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5954 PROCESS__SETSOCKCREATE, NULL); 5955 else if (!strcmp(name, "current")) 5956 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5957 PROCESS__SETCURRENT, NULL); 5958 else 5959 error = -EINVAL; 5960 if (error) 5961 return error; 5962 5963 /* Obtain a SID for the context, if one was specified. */ 5964 if (size && str[0] && str[0] != '\n') { 5965 if (str[size-1] == '\n') { 5966 str[size-1] = 0; 5967 size--; 5968 } 5969 error = security_context_to_sid(value, size, &sid, GFP_KERNEL); 5970 if (error == -EINVAL && !strcmp(name, "fscreate")) { 5971 if (!has_cap_mac_admin(true)) { 5972 struct audit_buffer *ab; 5973 size_t audit_size; 5974 5975 /* We strip a nul only if it is at the end, otherwise the 5976 * context contains a nul and we should audit that */ 5977 if (str[size - 1] == '\0') 5978 audit_size = size - 1; 5979 else 5980 audit_size = size; 5981 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 5982 audit_log_format(ab, "op=fscreate invalid_context="); 5983 audit_log_n_untrustedstring(ab, value, audit_size); 5984 audit_log_end(ab); 5985 5986 return error; 5987 } 5988 error = security_context_to_sid_force(value, size, 5989 &sid); 5990 } 5991 if (error) 5992 return error; 5993 } 5994 5995 new = prepare_creds(); 5996 if (!new) 5997 return -ENOMEM; 5998 5999 /* Permission checking based on the specified context is 6000 performed during the actual operation (execve, 6001 open/mkdir/...), when we know the full context of the 6002 operation. See selinux_bprm_set_creds for the execve 6003 checks and may_create for the file creation checks. The 6004 operation will then fail if the context is not permitted. */ 6005 tsec = new->security; 6006 if (!strcmp(name, "exec")) { 6007 tsec->exec_sid = sid; 6008 } else if (!strcmp(name, "fscreate")) { 6009 tsec->create_sid = sid; 6010 } else if (!strcmp(name, "keycreate")) { 6011 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE, 6012 NULL); 6013 if (error) 6014 goto abort_change; 6015 tsec->keycreate_sid = sid; 6016 } else if (!strcmp(name, "sockcreate")) { 6017 tsec->sockcreate_sid = sid; 6018 } else if (!strcmp(name, "current")) { 6019 error = -EINVAL; 6020 if (sid == 0) 6021 goto abort_change; 6022 6023 /* Only allow single threaded processes to change context */ 6024 error = -EPERM; 6025 if (!current_is_single_threaded()) { 6026 error = security_bounded_transition(tsec->sid, sid); 6027 if (error) 6028 goto abort_change; 6029 } 6030 6031 /* Check permissions for the transition. */ 6032 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 6033 PROCESS__DYNTRANSITION, NULL); 6034 if (error) 6035 goto abort_change; 6036 6037 /* Check for ptracing, and update the task SID if ok. 6038 Otherwise, leave SID unchanged and fail. */ 6039 ptsid = ptrace_parent_sid(); 6040 if (ptsid != 0) { 6041 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 6042 PROCESS__PTRACE, NULL); 6043 if (error) 6044 goto abort_change; 6045 } 6046 6047 tsec->sid = sid; 6048 } else { 6049 error = -EINVAL; 6050 goto abort_change; 6051 } 6052 6053 commit_creds(new); 6054 return size; 6055 6056 abort_change: 6057 abort_creds(new); 6058 return error; 6059 } 6060 6061 static int selinux_ismaclabel(const char *name) 6062 { 6063 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6064 } 6065 6066 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6067 { 6068 return security_sid_to_context(secid, secdata, seclen); 6069 } 6070 6071 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6072 { 6073 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL); 6074 } 6075 6076 static void selinux_release_secctx(char *secdata, u32 seclen) 6077 { 6078 kfree(secdata); 6079 } 6080 6081 static void selinux_inode_invalidate_secctx(struct inode *inode) 6082 { 6083 struct inode_security_struct *isec = inode->i_security; 6084 6085 spin_lock(&isec->lock); 6086 isec->initialized = LABEL_INVALID; 6087 spin_unlock(&isec->lock); 6088 } 6089 6090 /* 6091 * called with inode->i_mutex locked 6092 */ 6093 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6094 { 6095 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 6096 } 6097 6098 /* 6099 * called with inode->i_mutex locked 6100 */ 6101 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6102 { 6103 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 6104 } 6105 6106 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6107 { 6108 int len = 0; 6109 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 6110 ctx, true); 6111 if (len < 0) 6112 return len; 6113 *ctxlen = len; 6114 return 0; 6115 } 6116 #ifdef CONFIG_KEYS 6117 6118 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6119 unsigned long flags) 6120 { 6121 const struct task_security_struct *tsec; 6122 struct key_security_struct *ksec; 6123 6124 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6125 if (!ksec) 6126 return -ENOMEM; 6127 6128 tsec = cred->security; 6129 if (tsec->keycreate_sid) 6130 ksec->sid = tsec->keycreate_sid; 6131 else 6132 ksec->sid = tsec->sid; 6133 6134 k->security = ksec; 6135 return 0; 6136 } 6137 6138 static void selinux_key_free(struct key *k) 6139 { 6140 struct key_security_struct *ksec = k->security; 6141 6142 k->security = NULL; 6143 kfree(ksec); 6144 } 6145 6146 static int selinux_key_permission(key_ref_t key_ref, 6147 const struct cred *cred, 6148 unsigned perm) 6149 { 6150 struct key *key; 6151 struct key_security_struct *ksec; 6152 u32 sid; 6153 6154 /* if no specific permissions are requested, we skip the 6155 permission check. No serious, additional covert channels 6156 appear to be created. */ 6157 if (perm == 0) 6158 return 0; 6159 6160 sid = cred_sid(cred); 6161 6162 key = key_ref_to_ptr(key_ref); 6163 ksec = key->security; 6164 6165 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6166 } 6167 6168 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6169 { 6170 struct key_security_struct *ksec = key->security; 6171 char *context = NULL; 6172 unsigned len; 6173 int rc; 6174 6175 rc = security_sid_to_context(ksec->sid, &context, &len); 6176 if (!rc) 6177 rc = len; 6178 *_buffer = context; 6179 return rc; 6180 } 6181 #endif 6182 6183 #ifdef CONFIG_SECURITY_INFINIBAND 6184 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6185 { 6186 struct common_audit_data ad; 6187 int err; 6188 u32 sid = 0; 6189 struct ib_security_struct *sec = ib_sec; 6190 struct lsm_ibpkey_audit ibpkey; 6191 6192 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6193 if (err) 6194 return err; 6195 6196 ad.type = LSM_AUDIT_DATA_IBPKEY; 6197 ibpkey.subnet_prefix = subnet_prefix; 6198 ibpkey.pkey = pkey_val; 6199 ad.u.ibpkey = &ibpkey; 6200 return avc_has_perm(sec->sid, sid, 6201 SECCLASS_INFINIBAND_PKEY, 6202 INFINIBAND_PKEY__ACCESS, &ad); 6203 } 6204 6205 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6206 u8 port_num) 6207 { 6208 struct common_audit_data ad; 6209 int err; 6210 u32 sid = 0; 6211 struct ib_security_struct *sec = ib_sec; 6212 struct lsm_ibendport_audit ibendport; 6213 6214 err = security_ib_endport_sid(dev_name, port_num, &sid); 6215 6216 if (err) 6217 return err; 6218 6219 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6220 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6221 ibendport.port = port_num; 6222 ad.u.ibendport = &ibendport; 6223 return avc_has_perm(sec->sid, sid, 6224 SECCLASS_INFINIBAND_ENDPORT, 6225 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6226 } 6227 6228 static int selinux_ib_alloc_security(void **ib_sec) 6229 { 6230 struct ib_security_struct *sec; 6231 6232 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6233 if (!sec) 6234 return -ENOMEM; 6235 sec->sid = current_sid(); 6236 6237 *ib_sec = sec; 6238 return 0; 6239 } 6240 6241 static void selinux_ib_free_security(void *ib_sec) 6242 { 6243 kfree(ib_sec); 6244 } 6245 #endif 6246 6247 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 6248 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6249 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6250 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6251 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6252 6253 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 6254 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 6255 LSM_HOOK_INIT(capget, selinux_capget), 6256 LSM_HOOK_INIT(capset, selinux_capset), 6257 LSM_HOOK_INIT(capable, selinux_capable), 6258 LSM_HOOK_INIT(quotactl, selinux_quotactl), 6259 LSM_HOOK_INIT(quota_on, selinux_quota_on), 6260 LSM_HOOK_INIT(syslog, selinux_syslog), 6261 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6262 6263 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6264 6265 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6266 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6267 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6268 6269 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6270 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6271 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data), 6272 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6273 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6274 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6275 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 6276 LSM_HOOK_INIT(sb_mount, selinux_mount), 6277 LSM_HOOK_INIT(sb_umount, selinux_umount), 6278 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 6279 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 6280 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), 6281 6282 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 6283 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 6284 6285 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 6286 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 6287 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 6288 LSM_HOOK_INIT(inode_create, selinux_inode_create), 6289 LSM_HOOK_INIT(inode_link, selinux_inode_link), 6290 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 6291 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 6292 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 6293 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 6294 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 6295 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 6296 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 6297 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 6298 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 6299 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 6300 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 6301 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 6302 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 6303 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 6304 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 6305 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 6306 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 6307 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 6308 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 6309 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 6310 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 6311 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 6312 6313 LSM_HOOK_INIT(file_permission, selinux_file_permission), 6314 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 6315 LSM_HOOK_INIT(file_free_security, selinux_file_free_security), 6316 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 6317 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 6318 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 6319 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 6320 LSM_HOOK_INIT(file_lock, selinux_file_lock), 6321 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 6322 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 6323 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 6324 LSM_HOOK_INIT(file_receive, selinux_file_receive), 6325 6326 LSM_HOOK_INIT(file_open, selinux_file_open), 6327 6328 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 6329 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), 6330 LSM_HOOK_INIT(cred_free, selinux_cred_free), 6331 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6332 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6333 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6334 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6335 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6336 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 6337 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 6338 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 6339 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 6340 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), 6341 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 6342 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 6343 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 6344 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 6345 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 6346 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 6347 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 6348 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 6349 LSM_HOOK_INIT(task_kill, selinux_task_kill), 6350 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 6351 6352 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 6353 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 6354 6355 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 6356 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security), 6357 6358 LSM_HOOK_INIT(msg_queue_alloc_security, 6359 selinux_msg_queue_alloc_security), 6360 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security), 6361 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 6362 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 6363 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 6364 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 6365 6366 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 6367 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security), 6368 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 6369 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 6370 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 6371 6372 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 6373 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security), 6374 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 6375 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 6376 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 6377 6378 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 6379 6380 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 6381 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 6382 6383 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 6384 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 6385 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 6386 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 6387 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 6388 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 6389 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 6390 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 6391 6392 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 6393 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 6394 6395 LSM_HOOK_INIT(socket_create, selinux_socket_create), 6396 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 6397 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 6398 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 6399 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 6400 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 6401 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 6402 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 6403 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 6404 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 6405 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 6406 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 6407 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 6408 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 6409 LSM_HOOK_INIT(socket_getpeersec_stream, 6410 selinux_socket_getpeersec_stream), 6411 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 6412 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 6413 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 6414 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 6415 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 6416 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 6417 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 6418 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 6419 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 6420 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 6421 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 6422 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 6423 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 6424 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 6425 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 6426 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 6427 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 6428 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 6429 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 6430 #ifdef CONFIG_SECURITY_INFINIBAND 6431 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 6432 LSM_HOOK_INIT(ib_endport_manage_subnet, 6433 selinux_ib_endport_manage_subnet), 6434 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 6435 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 6436 #endif 6437 #ifdef CONFIG_SECURITY_NETWORK_XFRM 6438 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 6439 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 6440 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 6441 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 6442 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 6443 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 6444 selinux_xfrm_state_alloc_acquire), 6445 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 6446 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 6447 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 6448 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 6449 selinux_xfrm_state_pol_flow_match), 6450 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 6451 #endif 6452 6453 #ifdef CONFIG_KEYS 6454 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 6455 LSM_HOOK_INIT(key_free, selinux_key_free), 6456 LSM_HOOK_INIT(key_permission, selinux_key_permission), 6457 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 6458 #endif 6459 6460 #ifdef CONFIG_AUDIT 6461 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 6462 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 6463 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 6464 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 6465 #endif 6466 }; 6467 6468 static __init int selinux_init(void) 6469 { 6470 if (!security_module_enable("selinux")) { 6471 selinux_enabled = 0; 6472 return 0; 6473 } 6474 6475 if (!selinux_enabled) { 6476 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 6477 return 0; 6478 } 6479 6480 printk(KERN_INFO "SELinux: Initializing.\n"); 6481 6482 /* Set the security state for the initial task. */ 6483 cred_init_security(); 6484 6485 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 6486 6487 sel_inode_cache = kmem_cache_create("selinux_inode_security", 6488 sizeof(struct inode_security_struct), 6489 0, SLAB_PANIC, NULL); 6490 file_security_cache = kmem_cache_create("selinux_file_security", 6491 sizeof(struct file_security_struct), 6492 0, SLAB_PANIC, NULL); 6493 avc_init(); 6494 6495 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 6496 6497 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 6498 panic("SELinux: Unable to register AVC netcache callback\n"); 6499 6500 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 6501 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 6502 6503 if (selinux_enforcing) 6504 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 6505 else 6506 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 6507 6508 return 0; 6509 } 6510 6511 static void delayed_superblock_init(struct super_block *sb, void *unused) 6512 { 6513 superblock_doinit(sb, NULL); 6514 } 6515 6516 void selinux_complete_init(void) 6517 { 6518 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 6519 6520 /* Set up any superblocks initialized prior to the policy load. */ 6521 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 6522 iterate_supers(delayed_superblock_init, NULL); 6523 } 6524 6525 /* SELinux requires early initialization in order to label 6526 all processes and objects when they are created. */ 6527 security_initcall(selinux_init); 6528 6529 #if defined(CONFIG_NETFILTER) 6530 6531 static const struct nf_hook_ops selinux_nf_ops[] = { 6532 { 6533 .hook = selinux_ipv4_postroute, 6534 .pf = NFPROTO_IPV4, 6535 .hooknum = NF_INET_POST_ROUTING, 6536 .priority = NF_IP_PRI_SELINUX_LAST, 6537 }, 6538 { 6539 .hook = selinux_ipv4_forward, 6540 .pf = NFPROTO_IPV4, 6541 .hooknum = NF_INET_FORWARD, 6542 .priority = NF_IP_PRI_SELINUX_FIRST, 6543 }, 6544 { 6545 .hook = selinux_ipv4_output, 6546 .pf = NFPROTO_IPV4, 6547 .hooknum = NF_INET_LOCAL_OUT, 6548 .priority = NF_IP_PRI_SELINUX_FIRST, 6549 }, 6550 #if IS_ENABLED(CONFIG_IPV6) 6551 { 6552 .hook = selinux_ipv6_postroute, 6553 .pf = NFPROTO_IPV6, 6554 .hooknum = NF_INET_POST_ROUTING, 6555 .priority = NF_IP6_PRI_SELINUX_LAST, 6556 }, 6557 { 6558 .hook = selinux_ipv6_forward, 6559 .pf = NFPROTO_IPV6, 6560 .hooknum = NF_INET_FORWARD, 6561 .priority = NF_IP6_PRI_SELINUX_FIRST, 6562 }, 6563 { 6564 .hook = selinux_ipv6_output, 6565 .pf = NFPROTO_IPV6, 6566 .hooknum = NF_INET_LOCAL_OUT, 6567 .priority = NF_IP6_PRI_SELINUX_FIRST, 6568 }, 6569 #endif /* IPV6 */ 6570 }; 6571 6572 static int __net_init selinux_nf_register(struct net *net) 6573 { 6574 return nf_register_net_hooks(net, selinux_nf_ops, 6575 ARRAY_SIZE(selinux_nf_ops)); 6576 } 6577 6578 static void __net_exit selinux_nf_unregister(struct net *net) 6579 { 6580 nf_unregister_net_hooks(net, selinux_nf_ops, 6581 ARRAY_SIZE(selinux_nf_ops)); 6582 } 6583 6584 static struct pernet_operations selinux_net_ops = { 6585 .init = selinux_nf_register, 6586 .exit = selinux_nf_unregister, 6587 }; 6588 6589 static int __init selinux_nf_ip_init(void) 6590 { 6591 int err; 6592 6593 if (!selinux_enabled) 6594 return 0; 6595 6596 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 6597 6598 err = register_pernet_subsys(&selinux_net_ops); 6599 if (err) 6600 panic("SELinux: register_pernet_subsys: error %d\n", err); 6601 6602 return 0; 6603 } 6604 __initcall(selinux_nf_ip_init); 6605 6606 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6607 static void selinux_nf_ip_exit(void) 6608 { 6609 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 6610 6611 unregister_pernet_subsys(&selinux_net_ops); 6612 } 6613 #endif 6614 6615 #else /* CONFIG_NETFILTER */ 6616 6617 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6618 #define selinux_nf_ip_exit() 6619 #endif 6620 6621 #endif /* CONFIG_NETFILTER */ 6622 6623 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6624 static int selinux_disabled; 6625 6626 int selinux_disable(void) 6627 { 6628 if (ss_initialized) { 6629 /* Not permitted after initial policy load. */ 6630 return -EINVAL; 6631 } 6632 6633 if (selinux_disabled) { 6634 /* Only do this once. */ 6635 return -EINVAL; 6636 } 6637 6638 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 6639 6640 selinux_disabled = 1; 6641 selinux_enabled = 0; 6642 6643 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 6644 6645 /* Try to destroy the avc node cache */ 6646 avc_disable(); 6647 6648 /* Unregister netfilter hooks. */ 6649 selinux_nf_ip_exit(); 6650 6651 /* Unregister selinuxfs. */ 6652 exit_sel_fs(); 6653 6654 return 0; 6655 } 6656 #endif 6657