1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * NSA Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 8 * Chris Vance, <cvance@nai.com> 9 * Wayne Salamon, <wsalamon@nai.com> 10 * James Morris <jmorris@redhat.com> 11 * 12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 14 * Eric Paris <eparis@redhat.com> 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 16 * <dgoeddel@trustedcs.com> 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 18 * Paul Moore <paul@paul-moore.com> 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 20 * Yuichi Nakamura <ynakam@hitachisoft.jp> 21 * Copyright (C) 2016 Mellanox Technologies 22 */ 23 24 #include <linux/init.h> 25 #include <linux/kd.h> 26 #include <linux/kernel.h> 27 #include <linux/kernel_read_file.h> 28 #include <linux/tracehook.h> 29 #include <linux/errno.h> 30 #include <linux/sched/signal.h> 31 #include <linux/sched/task.h> 32 #include <linux/lsm_hooks.h> 33 #include <linux/xattr.h> 34 #include <linux/capability.h> 35 #include <linux/unistd.h> 36 #include <linux/mm.h> 37 #include <linux/mman.h> 38 #include <linux/slab.h> 39 #include <linux/pagemap.h> 40 #include <linux/proc_fs.h> 41 #include <linux/swap.h> 42 #include <linux/spinlock.h> 43 #include <linux/syscalls.h> 44 #include <linux/dcache.h> 45 #include <linux/file.h> 46 #include <linux/fdtable.h> 47 #include <linux/namei.h> 48 #include <linux/mount.h> 49 #include <linux/fs_context.h> 50 #include <linux/fs_parser.h> 51 #include <linux/netfilter_ipv4.h> 52 #include <linux/netfilter_ipv6.h> 53 #include <linux/tty.h> 54 #include <net/icmp.h> 55 #include <net/ip.h> /* for local_port_range[] */ 56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 57 #include <net/inet_connection_sock.h> 58 #include <net/net_namespace.h> 59 #include <net/netlabel.h> 60 #include <linux/uaccess.h> 61 #include <asm/ioctls.h> 62 #include <linux/atomic.h> 63 #include <linux/bitops.h> 64 #include <linux/interrupt.h> 65 #include <linux/netdevice.h> /* for network interface checks */ 66 #include <net/netlink.h> 67 #include <linux/tcp.h> 68 #include <linux/udp.h> 69 #include <linux/dccp.h> 70 #include <linux/sctp.h> 71 #include <net/sctp/structs.h> 72 #include <linux/quota.h> 73 #include <linux/un.h> /* for Unix socket types */ 74 #include <net/af_unix.h> /* for Unix socket types */ 75 #include <linux/parser.h> 76 #include <linux/nfs_mount.h> 77 #include <net/ipv6.h> 78 #include <linux/hugetlb.h> 79 #include <linux/personality.h> 80 #include <linux/audit.h> 81 #include <linux/string.h> 82 #include <linux/mutex.h> 83 #include <linux/posix-timers.h> 84 #include <linux/syslog.h> 85 #include <linux/user_namespace.h> 86 #include <linux/export.h> 87 #include <linux/msg.h> 88 #include <linux/shm.h> 89 #include <linux/bpf.h> 90 #include <linux/kernfs.h> 91 #include <linux/stringhash.h> /* for hashlen_string() */ 92 #include <uapi/linux/mount.h> 93 #include <linux/fsnotify.h> 94 #include <linux/fanotify.h> 95 96 #include "avc.h" 97 #include "objsec.h" 98 #include "netif.h" 99 #include "netnode.h" 100 #include "netport.h" 101 #include "ibpkey.h" 102 #include "xfrm.h" 103 #include "netlabel.h" 104 #include "audit.h" 105 #include "avc_ss.h" 106 107 struct selinux_state selinux_state; 108 109 /* SECMARK reference count */ 110 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 111 112 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 113 static int selinux_enforcing_boot __initdata; 114 115 static int __init enforcing_setup(char *str) 116 { 117 unsigned long enforcing; 118 if (!kstrtoul(str, 0, &enforcing)) 119 selinux_enforcing_boot = enforcing ? 1 : 0; 120 return 1; 121 } 122 __setup("enforcing=", enforcing_setup); 123 #else 124 #define selinux_enforcing_boot 1 125 #endif 126 127 int selinux_enabled_boot __initdata = 1; 128 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 129 static int __init selinux_enabled_setup(char *str) 130 { 131 unsigned long enabled; 132 if (!kstrtoul(str, 0, &enabled)) 133 selinux_enabled_boot = enabled ? 1 : 0; 134 return 1; 135 } 136 __setup("selinux=", selinux_enabled_setup); 137 #endif 138 139 static unsigned int selinux_checkreqprot_boot = 140 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 141 142 static int __init checkreqprot_setup(char *str) 143 { 144 unsigned long checkreqprot; 145 146 if (!kstrtoul(str, 0, &checkreqprot)) { 147 selinux_checkreqprot_boot = checkreqprot ? 1 : 0; 148 if (checkreqprot) 149 pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n"); 150 } 151 return 1; 152 } 153 __setup("checkreqprot=", checkreqprot_setup); 154 155 /** 156 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 157 * 158 * Description: 159 * This function checks the SECMARK reference counter to see if any SECMARK 160 * targets are currently configured, if the reference counter is greater than 161 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 162 * enabled, false (0) if SECMARK is disabled. If the always_check_network 163 * policy capability is enabled, SECMARK is always considered enabled. 164 * 165 */ 166 static int selinux_secmark_enabled(void) 167 { 168 return (selinux_policycap_alwaysnetwork() || 169 atomic_read(&selinux_secmark_refcount)); 170 } 171 172 /** 173 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 174 * 175 * Description: 176 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 177 * (1) if any are enabled or false (0) if neither are enabled. If the 178 * always_check_network policy capability is enabled, peer labeling 179 * is always considered enabled. 180 * 181 */ 182 static int selinux_peerlbl_enabled(void) 183 { 184 return (selinux_policycap_alwaysnetwork() || 185 netlbl_enabled() || selinux_xfrm_enabled()); 186 } 187 188 static int selinux_netcache_avc_callback(u32 event) 189 { 190 if (event == AVC_CALLBACK_RESET) { 191 sel_netif_flush(); 192 sel_netnode_flush(); 193 sel_netport_flush(); 194 synchronize_net(); 195 } 196 return 0; 197 } 198 199 static int selinux_lsm_notifier_avc_callback(u32 event) 200 { 201 if (event == AVC_CALLBACK_RESET) { 202 sel_ib_pkey_flush(); 203 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); 204 } 205 206 return 0; 207 } 208 209 /* 210 * initialise the security for the init task 211 */ 212 static void cred_init_security(void) 213 { 214 struct cred *cred = (struct cred *) current->real_cred; 215 struct task_security_struct *tsec; 216 217 tsec = selinux_cred(cred); 218 tsec->osid = tsec->sid = SECINITSID_KERNEL; 219 } 220 221 /* 222 * get the security ID of a set of credentials 223 */ 224 static inline u32 cred_sid(const struct cred *cred) 225 { 226 const struct task_security_struct *tsec; 227 228 tsec = selinux_cred(cred); 229 return tsec->sid; 230 } 231 232 /* 233 * get the subjective security ID of a task 234 */ 235 static inline u32 task_sid_subj(const struct task_struct *task) 236 { 237 u32 sid; 238 239 rcu_read_lock(); 240 sid = cred_sid(rcu_dereference(task->cred)); 241 rcu_read_unlock(); 242 return sid; 243 } 244 245 /* 246 * get the objective security ID of a task 247 */ 248 static inline u32 task_sid_obj(const struct task_struct *task) 249 { 250 u32 sid; 251 252 rcu_read_lock(); 253 sid = cred_sid(__task_cred(task)); 254 rcu_read_unlock(); 255 return sid; 256 } 257 258 /* 259 * get the security ID of a task for use with binder 260 */ 261 static inline u32 task_sid_binder(const struct task_struct *task) 262 { 263 /* 264 * In many case where this function is used we should be using the 265 * task's subjective SID, but we can't reliably access the subjective 266 * creds of a task other than our own so we must use the objective 267 * creds/SID, which are safe to access. The downside is that if a task 268 * is temporarily overriding it's creds it will not be reflected here; 269 * however, it isn't clear that binder would handle that case well 270 * anyway. 271 * 272 * If this ever changes and we can safely reference the subjective 273 * creds/SID of another task, this function will make it easier to 274 * identify the various places where we make use of the task SIDs in 275 * the binder code. It is also likely that we will need to adjust 276 * the main drivers/android binder code as well. 277 */ 278 return task_sid_obj(task); 279 } 280 281 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 282 283 /* 284 * Try reloading inode security labels that have been marked as invalid. The 285 * @may_sleep parameter indicates when sleeping and thus reloading labels is 286 * allowed; when set to false, returns -ECHILD when the label is 287 * invalid. The @dentry parameter should be set to a dentry of the inode. 288 */ 289 static int __inode_security_revalidate(struct inode *inode, 290 struct dentry *dentry, 291 bool may_sleep) 292 { 293 struct inode_security_struct *isec = selinux_inode(inode); 294 295 might_sleep_if(may_sleep); 296 297 if (selinux_initialized(&selinux_state) && 298 isec->initialized != LABEL_INITIALIZED) { 299 if (!may_sleep) 300 return -ECHILD; 301 302 /* 303 * Try reloading the inode security label. This will fail if 304 * @opt_dentry is NULL and no dentry for this inode can be 305 * found; in that case, continue using the old label. 306 */ 307 inode_doinit_with_dentry(inode, dentry); 308 } 309 return 0; 310 } 311 312 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 313 { 314 return selinux_inode(inode); 315 } 316 317 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 318 { 319 int error; 320 321 error = __inode_security_revalidate(inode, NULL, !rcu); 322 if (error) 323 return ERR_PTR(error); 324 return selinux_inode(inode); 325 } 326 327 /* 328 * Get the security label of an inode. 329 */ 330 static struct inode_security_struct *inode_security(struct inode *inode) 331 { 332 __inode_security_revalidate(inode, NULL, true); 333 return selinux_inode(inode); 334 } 335 336 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 337 { 338 struct inode *inode = d_backing_inode(dentry); 339 340 return selinux_inode(inode); 341 } 342 343 /* 344 * Get the security label of a dentry's backing inode. 345 */ 346 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 347 { 348 struct inode *inode = d_backing_inode(dentry); 349 350 __inode_security_revalidate(inode, dentry, true); 351 return selinux_inode(inode); 352 } 353 354 static void inode_free_security(struct inode *inode) 355 { 356 struct inode_security_struct *isec = selinux_inode(inode); 357 struct superblock_security_struct *sbsec; 358 359 if (!isec) 360 return; 361 sbsec = selinux_superblock(inode->i_sb); 362 /* 363 * As not all inode security structures are in a list, we check for 364 * empty list outside of the lock to make sure that we won't waste 365 * time taking a lock doing nothing. 366 * 367 * The list_del_init() function can be safely called more than once. 368 * It should not be possible for this function to be called with 369 * concurrent list_add(), but for better safety against future changes 370 * in the code, we use list_empty_careful() here. 371 */ 372 if (!list_empty_careful(&isec->list)) { 373 spin_lock(&sbsec->isec_lock); 374 list_del_init(&isec->list); 375 spin_unlock(&sbsec->isec_lock); 376 } 377 } 378 379 struct selinux_mnt_opts { 380 const char *fscontext, *context, *rootcontext, *defcontext; 381 }; 382 383 static void selinux_free_mnt_opts(void *mnt_opts) 384 { 385 struct selinux_mnt_opts *opts = mnt_opts; 386 kfree(opts->fscontext); 387 kfree(opts->context); 388 kfree(opts->rootcontext); 389 kfree(opts->defcontext); 390 kfree(opts); 391 } 392 393 enum { 394 Opt_error = -1, 395 Opt_context = 0, 396 Opt_defcontext = 1, 397 Opt_fscontext = 2, 398 Opt_rootcontext = 3, 399 Opt_seclabel = 4, 400 }; 401 402 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} 403 static struct { 404 const char *name; 405 int len; 406 int opt; 407 bool has_arg; 408 } tokens[] = { 409 A(context, true), 410 A(fscontext, true), 411 A(defcontext, true), 412 A(rootcontext, true), 413 A(seclabel, false), 414 }; 415 #undef A 416 417 static int match_opt_prefix(char *s, int l, char **arg) 418 { 419 int i; 420 421 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 422 size_t len = tokens[i].len; 423 if (len > l || memcmp(s, tokens[i].name, len)) 424 continue; 425 if (tokens[i].has_arg) { 426 if (len == l || s[len] != '=') 427 continue; 428 *arg = s + len + 1; 429 } else if (len != l) 430 continue; 431 return tokens[i].opt; 432 } 433 return Opt_error; 434 } 435 436 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 437 438 static int may_context_mount_sb_relabel(u32 sid, 439 struct superblock_security_struct *sbsec, 440 const struct cred *cred) 441 { 442 const struct task_security_struct *tsec = selinux_cred(cred); 443 int rc; 444 445 rc = avc_has_perm(&selinux_state, 446 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 447 FILESYSTEM__RELABELFROM, NULL); 448 if (rc) 449 return rc; 450 451 rc = avc_has_perm(&selinux_state, 452 tsec->sid, sid, SECCLASS_FILESYSTEM, 453 FILESYSTEM__RELABELTO, NULL); 454 return rc; 455 } 456 457 static int may_context_mount_inode_relabel(u32 sid, 458 struct superblock_security_struct *sbsec, 459 const struct cred *cred) 460 { 461 const struct task_security_struct *tsec = selinux_cred(cred); 462 int rc; 463 rc = avc_has_perm(&selinux_state, 464 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 465 FILESYSTEM__RELABELFROM, NULL); 466 if (rc) 467 return rc; 468 469 rc = avc_has_perm(&selinux_state, 470 sid, sbsec->sid, SECCLASS_FILESYSTEM, 471 FILESYSTEM__ASSOCIATE, NULL); 472 return rc; 473 } 474 475 static int selinux_is_genfs_special_handling(struct super_block *sb) 476 { 477 /* Special handling. Genfs but also in-core setxattr handler */ 478 return !strcmp(sb->s_type->name, "sysfs") || 479 !strcmp(sb->s_type->name, "pstore") || 480 !strcmp(sb->s_type->name, "debugfs") || 481 !strcmp(sb->s_type->name, "tracefs") || 482 !strcmp(sb->s_type->name, "rootfs") || 483 (selinux_policycap_cgroupseclabel() && 484 (!strcmp(sb->s_type->name, "cgroup") || 485 !strcmp(sb->s_type->name, "cgroup2"))); 486 } 487 488 static int selinux_is_sblabel_mnt(struct super_block *sb) 489 { 490 struct superblock_security_struct *sbsec = selinux_superblock(sb); 491 492 /* 493 * IMPORTANT: Double-check logic in this function when adding a new 494 * SECURITY_FS_USE_* definition! 495 */ 496 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); 497 498 switch (sbsec->behavior) { 499 case SECURITY_FS_USE_XATTR: 500 case SECURITY_FS_USE_TRANS: 501 case SECURITY_FS_USE_TASK: 502 case SECURITY_FS_USE_NATIVE: 503 return 1; 504 505 case SECURITY_FS_USE_GENFS: 506 return selinux_is_genfs_special_handling(sb); 507 508 /* Never allow relabeling on context mounts */ 509 case SECURITY_FS_USE_MNTPOINT: 510 case SECURITY_FS_USE_NONE: 511 default: 512 return 0; 513 } 514 } 515 516 static int sb_check_xattr_support(struct super_block *sb) 517 { 518 struct superblock_security_struct *sbsec = sb->s_security; 519 struct dentry *root = sb->s_root; 520 struct inode *root_inode = d_backing_inode(root); 521 u32 sid; 522 int rc; 523 524 /* 525 * Make sure that the xattr handler exists and that no 526 * error other than -ENODATA is returned by getxattr on 527 * the root directory. -ENODATA is ok, as this may be 528 * the first boot of the SELinux kernel before we have 529 * assigned xattr values to the filesystem. 530 */ 531 if (!(root_inode->i_opflags & IOP_XATTR)) { 532 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n", 533 sb->s_id, sb->s_type->name); 534 goto fallback; 535 } 536 537 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 538 if (rc < 0 && rc != -ENODATA) { 539 if (rc == -EOPNOTSUPP) { 540 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n", 541 sb->s_id, sb->s_type->name); 542 goto fallback; 543 } else { 544 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n", 545 sb->s_id, sb->s_type->name, -rc); 546 return rc; 547 } 548 } 549 return 0; 550 551 fallback: 552 /* No xattr support - try to fallback to genfs if possible. */ 553 rc = security_genfs_sid(&selinux_state, sb->s_type->name, "/", 554 SECCLASS_DIR, &sid); 555 if (rc) 556 return -EOPNOTSUPP; 557 558 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n", 559 sb->s_id, sb->s_type->name); 560 sbsec->behavior = SECURITY_FS_USE_GENFS; 561 sbsec->sid = sid; 562 return 0; 563 } 564 565 static int sb_finish_set_opts(struct super_block *sb) 566 { 567 struct superblock_security_struct *sbsec = selinux_superblock(sb); 568 struct dentry *root = sb->s_root; 569 struct inode *root_inode = d_backing_inode(root); 570 int rc = 0; 571 572 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 573 rc = sb_check_xattr_support(sb); 574 if (rc) 575 return rc; 576 } 577 578 sbsec->flags |= SE_SBINITIALIZED; 579 580 /* 581 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 582 * leave the flag untouched because sb_clone_mnt_opts might be handing 583 * us a superblock that needs the flag to be cleared. 584 */ 585 if (selinux_is_sblabel_mnt(sb)) 586 sbsec->flags |= SBLABEL_MNT; 587 else 588 sbsec->flags &= ~SBLABEL_MNT; 589 590 /* Initialize the root inode. */ 591 rc = inode_doinit_with_dentry(root_inode, root); 592 593 /* Initialize any other inodes associated with the superblock, e.g. 594 inodes created prior to initial policy load or inodes created 595 during get_sb by a pseudo filesystem that directly 596 populates itself. */ 597 spin_lock(&sbsec->isec_lock); 598 while (!list_empty(&sbsec->isec_head)) { 599 struct inode_security_struct *isec = 600 list_first_entry(&sbsec->isec_head, 601 struct inode_security_struct, list); 602 struct inode *inode = isec->inode; 603 list_del_init(&isec->list); 604 spin_unlock(&sbsec->isec_lock); 605 inode = igrab(inode); 606 if (inode) { 607 if (!IS_PRIVATE(inode)) 608 inode_doinit_with_dentry(inode, NULL); 609 iput(inode); 610 } 611 spin_lock(&sbsec->isec_lock); 612 } 613 spin_unlock(&sbsec->isec_lock); 614 return rc; 615 } 616 617 static int bad_option(struct superblock_security_struct *sbsec, char flag, 618 u32 old_sid, u32 new_sid) 619 { 620 char mnt_flags = sbsec->flags & SE_MNTMASK; 621 622 /* check if the old mount command had the same options */ 623 if (sbsec->flags & SE_SBINITIALIZED) 624 if (!(sbsec->flags & flag) || 625 (old_sid != new_sid)) 626 return 1; 627 628 /* check if we were passed the same options twice, 629 * aka someone passed context=a,context=b 630 */ 631 if (!(sbsec->flags & SE_SBINITIALIZED)) 632 if (mnt_flags & flag) 633 return 1; 634 return 0; 635 } 636 637 static int parse_sid(struct super_block *sb, const char *s, u32 *sid) 638 { 639 int rc = security_context_str_to_sid(&selinux_state, s, 640 sid, GFP_KERNEL); 641 if (rc) 642 pr_warn("SELinux: security_context_str_to_sid" 643 "(%s) failed for (dev %s, type %s) errno=%d\n", 644 s, sb->s_id, sb->s_type->name, rc); 645 return rc; 646 } 647 648 /* 649 * Allow filesystems with binary mount data to explicitly set mount point 650 * labeling information. 651 */ 652 static int selinux_set_mnt_opts(struct super_block *sb, 653 void *mnt_opts, 654 unsigned long kern_flags, 655 unsigned long *set_kern_flags) 656 { 657 const struct cred *cred = current_cred(); 658 struct superblock_security_struct *sbsec = selinux_superblock(sb); 659 struct dentry *root = sb->s_root; 660 struct selinux_mnt_opts *opts = mnt_opts; 661 struct inode_security_struct *root_isec; 662 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 663 u32 defcontext_sid = 0; 664 int rc = 0; 665 666 mutex_lock(&sbsec->lock); 667 668 if (!selinux_initialized(&selinux_state)) { 669 if (!opts) { 670 /* Defer initialization until selinux_complete_init, 671 after the initial policy is loaded and the security 672 server is ready to handle calls. */ 673 goto out; 674 } 675 rc = -EINVAL; 676 pr_warn("SELinux: Unable to set superblock options " 677 "before the security server is initialized\n"); 678 goto out; 679 } 680 if (kern_flags && !set_kern_flags) { 681 /* Specifying internal flags without providing a place to 682 * place the results is not allowed */ 683 rc = -EINVAL; 684 goto out; 685 } 686 687 /* 688 * Binary mount data FS will come through this function twice. Once 689 * from an explicit call and once from the generic calls from the vfs. 690 * Since the generic VFS calls will not contain any security mount data 691 * we need to skip the double mount verification. 692 * 693 * This does open a hole in which we will not notice if the first 694 * mount using this sb set explict options and a second mount using 695 * this sb does not set any security options. (The first options 696 * will be used for both mounts) 697 */ 698 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 699 && !opts) 700 goto out; 701 702 root_isec = backing_inode_security_novalidate(root); 703 704 /* 705 * parse the mount options, check if they are valid sids. 706 * also check if someone is trying to mount the same sb more 707 * than once with different security options. 708 */ 709 if (opts) { 710 if (opts->fscontext) { 711 rc = parse_sid(sb, opts->fscontext, &fscontext_sid); 712 if (rc) 713 goto out; 714 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 715 fscontext_sid)) 716 goto out_double_mount; 717 sbsec->flags |= FSCONTEXT_MNT; 718 } 719 if (opts->context) { 720 rc = parse_sid(sb, opts->context, &context_sid); 721 if (rc) 722 goto out; 723 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 724 context_sid)) 725 goto out_double_mount; 726 sbsec->flags |= CONTEXT_MNT; 727 } 728 if (opts->rootcontext) { 729 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid); 730 if (rc) 731 goto out; 732 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 733 rootcontext_sid)) 734 goto out_double_mount; 735 sbsec->flags |= ROOTCONTEXT_MNT; 736 } 737 if (opts->defcontext) { 738 rc = parse_sid(sb, opts->defcontext, &defcontext_sid); 739 if (rc) 740 goto out; 741 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 742 defcontext_sid)) 743 goto out_double_mount; 744 sbsec->flags |= DEFCONTEXT_MNT; 745 } 746 } 747 748 if (sbsec->flags & SE_SBINITIALIZED) { 749 /* previously mounted with options, but not on this attempt? */ 750 if ((sbsec->flags & SE_MNTMASK) && !opts) 751 goto out_double_mount; 752 rc = 0; 753 goto out; 754 } 755 756 if (strcmp(sb->s_type->name, "proc") == 0) 757 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 758 759 if (!strcmp(sb->s_type->name, "debugfs") || 760 !strcmp(sb->s_type->name, "tracefs") || 761 !strcmp(sb->s_type->name, "binder") || 762 !strcmp(sb->s_type->name, "bpf") || 763 !strcmp(sb->s_type->name, "pstore") || 764 !strcmp(sb->s_type->name, "securityfs")) 765 sbsec->flags |= SE_SBGENFS; 766 767 if (!strcmp(sb->s_type->name, "sysfs") || 768 !strcmp(sb->s_type->name, "cgroup") || 769 !strcmp(sb->s_type->name, "cgroup2")) 770 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR; 771 772 if (!sbsec->behavior) { 773 /* 774 * Determine the labeling behavior to use for this 775 * filesystem type. 776 */ 777 rc = security_fs_use(&selinux_state, sb); 778 if (rc) { 779 pr_warn("%s: security_fs_use(%s) returned %d\n", 780 __func__, sb->s_type->name, rc); 781 goto out; 782 } 783 } 784 785 /* 786 * If this is a user namespace mount and the filesystem type is not 787 * explicitly whitelisted, then no contexts are allowed on the command 788 * line and security labels must be ignored. 789 */ 790 if (sb->s_user_ns != &init_user_ns && 791 strcmp(sb->s_type->name, "tmpfs") && 792 strcmp(sb->s_type->name, "ramfs") && 793 strcmp(sb->s_type->name, "devpts") && 794 strcmp(sb->s_type->name, "overlay")) { 795 if (context_sid || fscontext_sid || rootcontext_sid || 796 defcontext_sid) { 797 rc = -EACCES; 798 goto out; 799 } 800 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 801 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 802 rc = security_transition_sid(&selinux_state, 803 current_sid(), 804 current_sid(), 805 SECCLASS_FILE, NULL, 806 &sbsec->mntpoint_sid); 807 if (rc) 808 goto out; 809 } 810 goto out_set_opts; 811 } 812 813 /* sets the context of the superblock for the fs being mounted. */ 814 if (fscontext_sid) { 815 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 816 if (rc) 817 goto out; 818 819 sbsec->sid = fscontext_sid; 820 } 821 822 /* 823 * Switch to using mount point labeling behavior. 824 * sets the label used on all file below the mountpoint, and will set 825 * the superblock context if not already set. 826 */ 827 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 828 sbsec->behavior = SECURITY_FS_USE_NATIVE; 829 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 830 } 831 832 if (context_sid) { 833 if (!fscontext_sid) { 834 rc = may_context_mount_sb_relabel(context_sid, sbsec, 835 cred); 836 if (rc) 837 goto out; 838 sbsec->sid = context_sid; 839 } else { 840 rc = may_context_mount_inode_relabel(context_sid, sbsec, 841 cred); 842 if (rc) 843 goto out; 844 } 845 if (!rootcontext_sid) 846 rootcontext_sid = context_sid; 847 848 sbsec->mntpoint_sid = context_sid; 849 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 850 } 851 852 if (rootcontext_sid) { 853 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 854 cred); 855 if (rc) 856 goto out; 857 858 root_isec->sid = rootcontext_sid; 859 root_isec->initialized = LABEL_INITIALIZED; 860 } 861 862 if (defcontext_sid) { 863 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 864 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 865 rc = -EINVAL; 866 pr_warn("SELinux: defcontext option is " 867 "invalid for this filesystem type\n"); 868 goto out; 869 } 870 871 if (defcontext_sid != sbsec->def_sid) { 872 rc = may_context_mount_inode_relabel(defcontext_sid, 873 sbsec, cred); 874 if (rc) 875 goto out; 876 } 877 878 sbsec->def_sid = defcontext_sid; 879 } 880 881 out_set_opts: 882 rc = sb_finish_set_opts(sb); 883 out: 884 mutex_unlock(&sbsec->lock); 885 return rc; 886 out_double_mount: 887 rc = -EINVAL; 888 pr_warn("SELinux: mount invalid. Same superblock, different " 889 "security settings for (dev %s, type %s)\n", sb->s_id, 890 sb->s_type->name); 891 goto out; 892 } 893 894 static int selinux_cmp_sb_context(const struct super_block *oldsb, 895 const struct super_block *newsb) 896 { 897 struct superblock_security_struct *old = selinux_superblock(oldsb); 898 struct superblock_security_struct *new = selinux_superblock(newsb); 899 char oldflags = old->flags & SE_MNTMASK; 900 char newflags = new->flags & SE_MNTMASK; 901 902 if (oldflags != newflags) 903 goto mismatch; 904 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 905 goto mismatch; 906 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 907 goto mismatch; 908 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 909 goto mismatch; 910 if (oldflags & ROOTCONTEXT_MNT) { 911 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 912 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 913 if (oldroot->sid != newroot->sid) 914 goto mismatch; 915 } 916 return 0; 917 mismatch: 918 pr_warn("SELinux: mount invalid. Same superblock, " 919 "different security settings for (dev %s, " 920 "type %s)\n", newsb->s_id, newsb->s_type->name); 921 return -EBUSY; 922 } 923 924 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 925 struct super_block *newsb, 926 unsigned long kern_flags, 927 unsigned long *set_kern_flags) 928 { 929 int rc = 0; 930 const struct superblock_security_struct *oldsbsec = 931 selinux_superblock(oldsb); 932 struct superblock_security_struct *newsbsec = selinux_superblock(newsb); 933 934 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 935 int set_context = (oldsbsec->flags & CONTEXT_MNT); 936 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 937 938 /* 939 * if the parent was able to be mounted it clearly had no special lsm 940 * mount options. thus we can safely deal with this superblock later 941 */ 942 if (!selinux_initialized(&selinux_state)) 943 return 0; 944 945 /* 946 * Specifying internal flags without providing a place to 947 * place the results is not allowed. 948 */ 949 if (kern_flags && !set_kern_flags) 950 return -EINVAL; 951 952 /* how can we clone if the old one wasn't set up?? */ 953 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 954 955 /* if fs is reusing a sb, make sure that the contexts match */ 956 if (newsbsec->flags & SE_SBINITIALIZED) { 957 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) 958 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 959 return selinux_cmp_sb_context(oldsb, newsb); 960 } 961 962 mutex_lock(&newsbsec->lock); 963 964 newsbsec->flags = oldsbsec->flags; 965 966 newsbsec->sid = oldsbsec->sid; 967 newsbsec->def_sid = oldsbsec->def_sid; 968 newsbsec->behavior = oldsbsec->behavior; 969 970 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 971 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 972 rc = security_fs_use(&selinux_state, newsb); 973 if (rc) 974 goto out; 975 } 976 977 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 978 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 979 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 980 } 981 982 if (set_context) { 983 u32 sid = oldsbsec->mntpoint_sid; 984 985 if (!set_fscontext) 986 newsbsec->sid = sid; 987 if (!set_rootcontext) { 988 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 989 newisec->sid = sid; 990 } 991 newsbsec->mntpoint_sid = sid; 992 } 993 if (set_rootcontext) { 994 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 995 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 996 997 newisec->sid = oldisec->sid; 998 } 999 1000 sb_finish_set_opts(newsb); 1001 out: 1002 mutex_unlock(&newsbsec->lock); 1003 return rc; 1004 } 1005 1006 static int selinux_add_opt(int token, const char *s, void **mnt_opts) 1007 { 1008 struct selinux_mnt_opts *opts = *mnt_opts; 1009 1010 if (token == Opt_seclabel) /* eaten and completely ignored */ 1011 return 0; 1012 1013 if (!opts) { 1014 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL); 1015 if (!opts) 1016 return -ENOMEM; 1017 *mnt_opts = opts; 1018 } 1019 if (!s) 1020 return -ENOMEM; 1021 switch (token) { 1022 case Opt_context: 1023 if (opts->context || opts->defcontext) 1024 goto Einval; 1025 opts->context = s; 1026 break; 1027 case Opt_fscontext: 1028 if (opts->fscontext) 1029 goto Einval; 1030 opts->fscontext = s; 1031 break; 1032 case Opt_rootcontext: 1033 if (opts->rootcontext) 1034 goto Einval; 1035 opts->rootcontext = s; 1036 break; 1037 case Opt_defcontext: 1038 if (opts->context || opts->defcontext) 1039 goto Einval; 1040 opts->defcontext = s; 1041 break; 1042 } 1043 return 0; 1044 Einval: 1045 pr_warn(SEL_MOUNT_FAIL_MSG); 1046 return -EINVAL; 1047 } 1048 1049 static int selinux_add_mnt_opt(const char *option, const char *val, int len, 1050 void **mnt_opts) 1051 { 1052 int token = Opt_error; 1053 int rc, i; 1054 1055 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 1056 if (strcmp(option, tokens[i].name) == 0) { 1057 token = tokens[i].opt; 1058 break; 1059 } 1060 } 1061 1062 if (token == Opt_error) 1063 return -EINVAL; 1064 1065 if (token != Opt_seclabel) { 1066 val = kmemdup_nul(val, len, GFP_KERNEL); 1067 if (!val) { 1068 rc = -ENOMEM; 1069 goto free_opt; 1070 } 1071 } 1072 rc = selinux_add_opt(token, val, mnt_opts); 1073 if (unlikely(rc)) { 1074 kfree(val); 1075 goto free_opt; 1076 } 1077 return rc; 1078 1079 free_opt: 1080 if (*mnt_opts) { 1081 selinux_free_mnt_opts(*mnt_opts); 1082 *mnt_opts = NULL; 1083 } 1084 return rc; 1085 } 1086 1087 static int show_sid(struct seq_file *m, u32 sid) 1088 { 1089 char *context = NULL; 1090 u32 len; 1091 int rc; 1092 1093 rc = security_sid_to_context(&selinux_state, sid, 1094 &context, &len); 1095 if (!rc) { 1096 bool has_comma = context && strchr(context, ','); 1097 1098 seq_putc(m, '='); 1099 if (has_comma) 1100 seq_putc(m, '\"'); 1101 seq_escape(m, context, "\"\n\\"); 1102 if (has_comma) 1103 seq_putc(m, '\"'); 1104 } 1105 kfree(context); 1106 return rc; 1107 } 1108 1109 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1110 { 1111 struct superblock_security_struct *sbsec = selinux_superblock(sb); 1112 int rc; 1113 1114 if (!(sbsec->flags & SE_SBINITIALIZED)) 1115 return 0; 1116 1117 if (!selinux_initialized(&selinux_state)) 1118 return 0; 1119 1120 if (sbsec->flags & FSCONTEXT_MNT) { 1121 seq_putc(m, ','); 1122 seq_puts(m, FSCONTEXT_STR); 1123 rc = show_sid(m, sbsec->sid); 1124 if (rc) 1125 return rc; 1126 } 1127 if (sbsec->flags & CONTEXT_MNT) { 1128 seq_putc(m, ','); 1129 seq_puts(m, CONTEXT_STR); 1130 rc = show_sid(m, sbsec->mntpoint_sid); 1131 if (rc) 1132 return rc; 1133 } 1134 if (sbsec->flags & DEFCONTEXT_MNT) { 1135 seq_putc(m, ','); 1136 seq_puts(m, DEFCONTEXT_STR); 1137 rc = show_sid(m, sbsec->def_sid); 1138 if (rc) 1139 return rc; 1140 } 1141 if (sbsec->flags & ROOTCONTEXT_MNT) { 1142 struct dentry *root = sb->s_root; 1143 struct inode_security_struct *isec = backing_inode_security(root); 1144 seq_putc(m, ','); 1145 seq_puts(m, ROOTCONTEXT_STR); 1146 rc = show_sid(m, isec->sid); 1147 if (rc) 1148 return rc; 1149 } 1150 if (sbsec->flags & SBLABEL_MNT) { 1151 seq_putc(m, ','); 1152 seq_puts(m, SECLABEL_STR); 1153 } 1154 return 0; 1155 } 1156 1157 static inline u16 inode_mode_to_security_class(umode_t mode) 1158 { 1159 switch (mode & S_IFMT) { 1160 case S_IFSOCK: 1161 return SECCLASS_SOCK_FILE; 1162 case S_IFLNK: 1163 return SECCLASS_LNK_FILE; 1164 case S_IFREG: 1165 return SECCLASS_FILE; 1166 case S_IFBLK: 1167 return SECCLASS_BLK_FILE; 1168 case S_IFDIR: 1169 return SECCLASS_DIR; 1170 case S_IFCHR: 1171 return SECCLASS_CHR_FILE; 1172 case S_IFIFO: 1173 return SECCLASS_FIFO_FILE; 1174 1175 } 1176 1177 return SECCLASS_FILE; 1178 } 1179 1180 static inline int default_protocol_stream(int protocol) 1181 { 1182 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP || 1183 protocol == IPPROTO_MPTCP); 1184 } 1185 1186 static inline int default_protocol_dgram(int protocol) 1187 { 1188 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1189 } 1190 1191 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1192 { 1193 int extsockclass = selinux_policycap_extsockclass(); 1194 1195 switch (family) { 1196 case PF_UNIX: 1197 switch (type) { 1198 case SOCK_STREAM: 1199 case SOCK_SEQPACKET: 1200 return SECCLASS_UNIX_STREAM_SOCKET; 1201 case SOCK_DGRAM: 1202 case SOCK_RAW: 1203 return SECCLASS_UNIX_DGRAM_SOCKET; 1204 } 1205 break; 1206 case PF_INET: 1207 case PF_INET6: 1208 switch (type) { 1209 case SOCK_STREAM: 1210 case SOCK_SEQPACKET: 1211 if (default_protocol_stream(protocol)) 1212 return SECCLASS_TCP_SOCKET; 1213 else if (extsockclass && protocol == IPPROTO_SCTP) 1214 return SECCLASS_SCTP_SOCKET; 1215 else 1216 return SECCLASS_RAWIP_SOCKET; 1217 case SOCK_DGRAM: 1218 if (default_protocol_dgram(protocol)) 1219 return SECCLASS_UDP_SOCKET; 1220 else if (extsockclass && (protocol == IPPROTO_ICMP || 1221 protocol == IPPROTO_ICMPV6)) 1222 return SECCLASS_ICMP_SOCKET; 1223 else 1224 return SECCLASS_RAWIP_SOCKET; 1225 case SOCK_DCCP: 1226 return SECCLASS_DCCP_SOCKET; 1227 default: 1228 return SECCLASS_RAWIP_SOCKET; 1229 } 1230 break; 1231 case PF_NETLINK: 1232 switch (protocol) { 1233 case NETLINK_ROUTE: 1234 return SECCLASS_NETLINK_ROUTE_SOCKET; 1235 case NETLINK_SOCK_DIAG: 1236 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1237 case NETLINK_NFLOG: 1238 return SECCLASS_NETLINK_NFLOG_SOCKET; 1239 case NETLINK_XFRM: 1240 return SECCLASS_NETLINK_XFRM_SOCKET; 1241 case NETLINK_SELINUX: 1242 return SECCLASS_NETLINK_SELINUX_SOCKET; 1243 case NETLINK_ISCSI: 1244 return SECCLASS_NETLINK_ISCSI_SOCKET; 1245 case NETLINK_AUDIT: 1246 return SECCLASS_NETLINK_AUDIT_SOCKET; 1247 case NETLINK_FIB_LOOKUP: 1248 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1249 case NETLINK_CONNECTOR: 1250 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1251 case NETLINK_NETFILTER: 1252 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1253 case NETLINK_DNRTMSG: 1254 return SECCLASS_NETLINK_DNRT_SOCKET; 1255 case NETLINK_KOBJECT_UEVENT: 1256 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1257 case NETLINK_GENERIC: 1258 return SECCLASS_NETLINK_GENERIC_SOCKET; 1259 case NETLINK_SCSITRANSPORT: 1260 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1261 case NETLINK_RDMA: 1262 return SECCLASS_NETLINK_RDMA_SOCKET; 1263 case NETLINK_CRYPTO: 1264 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1265 default: 1266 return SECCLASS_NETLINK_SOCKET; 1267 } 1268 case PF_PACKET: 1269 return SECCLASS_PACKET_SOCKET; 1270 case PF_KEY: 1271 return SECCLASS_KEY_SOCKET; 1272 case PF_APPLETALK: 1273 return SECCLASS_APPLETALK_SOCKET; 1274 } 1275 1276 if (extsockclass) { 1277 switch (family) { 1278 case PF_AX25: 1279 return SECCLASS_AX25_SOCKET; 1280 case PF_IPX: 1281 return SECCLASS_IPX_SOCKET; 1282 case PF_NETROM: 1283 return SECCLASS_NETROM_SOCKET; 1284 case PF_ATMPVC: 1285 return SECCLASS_ATMPVC_SOCKET; 1286 case PF_X25: 1287 return SECCLASS_X25_SOCKET; 1288 case PF_ROSE: 1289 return SECCLASS_ROSE_SOCKET; 1290 case PF_DECnet: 1291 return SECCLASS_DECNET_SOCKET; 1292 case PF_ATMSVC: 1293 return SECCLASS_ATMSVC_SOCKET; 1294 case PF_RDS: 1295 return SECCLASS_RDS_SOCKET; 1296 case PF_IRDA: 1297 return SECCLASS_IRDA_SOCKET; 1298 case PF_PPPOX: 1299 return SECCLASS_PPPOX_SOCKET; 1300 case PF_LLC: 1301 return SECCLASS_LLC_SOCKET; 1302 case PF_CAN: 1303 return SECCLASS_CAN_SOCKET; 1304 case PF_TIPC: 1305 return SECCLASS_TIPC_SOCKET; 1306 case PF_BLUETOOTH: 1307 return SECCLASS_BLUETOOTH_SOCKET; 1308 case PF_IUCV: 1309 return SECCLASS_IUCV_SOCKET; 1310 case PF_RXRPC: 1311 return SECCLASS_RXRPC_SOCKET; 1312 case PF_ISDN: 1313 return SECCLASS_ISDN_SOCKET; 1314 case PF_PHONET: 1315 return SECCLASS_PHONET_SOCKET; 1316 case PF_IEEE802154: 1317 return SECCLASS_IEEE802154_SOCKET; 1318 case PF_CAIF: 1319 return SECCLASS_CAIF_SOCKET; 1320 case PF_ALG: 1321 return SECCLASS_ALG_SOCKET; 1322 case PF_NFC: 1323 return SECCLASS_NFC_SOCKET; 1324 case PF_VSOCK: 1325 return SECCLASS_VSOCK_SOCKET; 1326 case PF_KCM: 1327 return SECCLASS_KCM_SOCKET; 1328 case PF_QIPCRTR: 1329 return SECCLASS_QIPCRTR_SOCKET; 1330 case PF_SMC: 1331 return SECCLASS_SMC_SOCKET; 1332 case PF_XDP: 1333 return SECCLASS_XDP_SOCKET; 1334 case PF_MCTP: 1335 return SECCLASS_MCTP_SOCKET; 1336 #if PF_MAX > 46 1337 #error New address family defined, please update this function. 1338 #endif 1339 } 1340 } 1341 1342 return SECCLASS_SOCKET; 1343 } 1344 1345 static int selinux_genfs_get_sid(struct dentry *dentry, 1346 u16 tclass, 1347 u16 flags, 1348 u32 *sid) 1349 { 1350 int rc; 1351 struct super_block *sb = dentry->d_sb; 1352 char *buffer, *path; 1353 1354 buffer = (char *)__get_free_page(GFP_KERNEL); 1355 if (!buffer) 1356 return -ENOMEM; 1357 1358 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1359 if (IS_ERR(path)) 1360 rc = PTR_ERR(path); 1361 else { 1362 if (flags & SE_SBPROC) { 1363 /* each process gets a /proc/PID/ entry. Strip off the 1364 * PID part to get a valid selinux labeling. 1365 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1366 while (path[1] >= '0' && path[1] <= '9') { 1367 path[1] = '/'; 1368 path++; 1369 } 1370 } 1371 rc = security_genfs_sid(&selinux_state, sb->s_type->name, 1372 path, tclass, sid); 1373 if (rc == -ENOENT) { 1374 /* No match in policy, mark as unlabeled. */ 1375 *sid = SECINITSID_UNLABELED; 1376 rc = 0; 1377 } 1378 } 1379 free_page((unsigned long)buffer); 1380 return rc; 1381 } 1382 1383 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry, 1384 u32 def_sid, u32 *sid) 1385 { 1386 #define INITCONTEXTLEN 255 1387 char *context; 1388 unsigned int len; 1389 int rc; 1390 1391 len = INITCONTEXTLEN; 1392 context = kmalloc(len + 1, GFP_NOFS); 1393 if (!context) 1394 return -ENOMEM; 1395 1396 context[len] = '\0'; 1397 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1398 if (rc == -ERANGE) { 1399 kfree(context); 1400 1401 /* Need a larger buffer. Query for the right size. */ 1402 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1403 if (rc < 0) 1404 return rc; 1405 1406 len = rc; 1407 context = kmalloc(len + 1, GFP_NOFS); 1408 if (!context) 1409 return -ENOMEM; 1410 1411 context[len] = '\0'; 1412 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, 1413 context, len); 1414 } 1415 if (rc < 0) { 1416 kfree(context); 1417 if (rc != -ENODATA) { 1418 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n", 1419 __func__, -rc, inode->i_sb->s_id, inode->i_ino); 1420 return rc; 1421 } 1422 *sid = def_sid; 1423 return 0; 1424 } 1425 1426 rc = security_context_to_sid_default(&selinux_state, context, rc, sid, 1427 def_sid, GFP_NOFS); 1428 if (rc) { 1429 char *dev = inode->i_sb->s_id; 1430 unsigned long ino = inode->i_ino; 1431 1432 if (rc == -EINVAL) { 1433 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n", 1434 ino, dev, context); 1435 } else { 1436 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n", 1437 __func__, context, -rc, dev, ino); 1438 } 1439 } 1440 kfree(context); 1441 return 0; 1442 } 1443 1444 /* The inode's security attributes must be initialized before first use. */ 1445 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1446 { 1447 struct superblock_security_struct *sbsec = NULL; 1448 struct inode_security_struct *isec = selinux_inode(inode); 1449 u32 task_sid, sid = 0; 1450 u16 sclass; 1451 struct dentry *dentry; 1452 int rc = 0; 1453 1454 if (isec->initialized == LABEL_INITIALIZED) 1455 return 0; 1456 1457 spin_lock(&isec->lock); 1458 if (isec->initialized == LABEL_INITIALIZED) 1459 goto out_unlock; 1460 1461 if (isec->sclass == SECCLASS_FILE) 1462 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1463 1464 sbsec = selinux_superblock(inode->i_sb); 1465 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1466 /* Defer initialization until selinux_complete_init, 1467 after the initial policy is loaded and the security 1468 server is ready to handle calls. */ 1469 spin_lock(&sbsec->isec_lock); 1470 if (list_empty(&isec->list)) 1471 list_add(&isec->list, &sbsec->isec_head); 1472 spin_unlock(&sbsec->isec_lock); 1473 goto out_unlock; 1474 } 1475 1476 sclass = isec->sclass; 1477 task_sid = isec->task_sid; 1478 sid = isec->sid; 1479 isec->initialized = LABEL_PENDING; 1480 spin_unlock(&isec->lock); 1481 1482 switch (sbsec->behavior) { 1483 case SECURITY_FS_USE_NATIVE: 1484 break; 1485 case SECURITY_FS_USE_XATTR: 1486 if (!(inode->i_opflags & IOP_XATTR)) { 1487 sid = sbsec->def_sid; 1488 break; 1489 } 1490 /* Need a dentry, since the xattr API requires one. 1491 Life would be simpler if we could just pass the inode. */ 1492 if (opt_dentry) { 1493 /* Called from d_instantiate or d_splice_alias. */ 1494 dentry = dget(opt_dentry); 1495 } else { 1496 /* 1497 * Called from selinux_complete_init, try to find a dentry. 1498 * Some filesystems really want a connected one, so try 1499 * that first. We could split SECURITY_FS_USE_XATTR in 1500 * two, depending upon that... 1501 */ 1502 dentry = d_find_alias(inode); 1503 if (!dentry) 1504 dentry = d_find_any_alias(inode); 1505 } 1506 if (!dentry) { 1507 /* 1508 * this is can be hit on boot when a file is accessed 1509 * before the policy is loaded. When we load policy we 1510 * may find inodes that have no dentry on the 1511 * sbsec->isec_head list. No reason to complain as these 1512 * will get fixed up the next time we go through 1513 * inode_doinit with a dentry, before these inodes could 1514 * be used again by userspace. 1515 */ 1516 goto out_invalid; 1517 } 1518 1519 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid, 1520 &sid); 1521 dput(dentry); 1522 if (rc) 1523 goto out; 1524 break; 1525 case SECURITY_FS_USE_TASK: 1526 sid = task_sid; 1527 break; 1528 case SECURITY_FS_USE_TRANS: 1529 /* Default to the fs SID. */ 1530 sid = sbsec->sid; 1531 1532 /* Try to obtain a transition SID. */ 1533 rc = security_transition_sid(&selinux_state, task_sid, sid, 1534 sclass, NULL, &sid); 1535 if (rc) 1536 goto out; 1537 break; 1538 case SECURITY_FS_USE_MNTPOINT: 1539 sid = sbsec->mntpoint_sid; 1540 break; 1541 default: 1542 /* Default to the fs superblock SID. */ 1543 sid = sbsec->sid; 1544 1545 if ((sbsec->flags & SE_SBGENFS) && 1546 (!S_ISLNK(inode->i_mode) || 1547 selinux_policycap_genfs_seclabel_symlinks())) { 1548 /* We must have a dentry to determine the label on 1549 * procfs inodes */ 1550 if (opt_dentry) { 1551 /* Called from d_instantiate or 1552 * d_splice_alias. */ 1553 dentry = dget(opt_dentry); 1554 } else { 1555 /* Called from selinux_complete_init, try to 1556 * find a dentry. Some filesystems really want 1557 * a connected one, so try that first. 1558 */ 1559 dentry = d_find_alias(inode); 1560 if (!dentry) 1561 dentry = d_find_any_alias(inode); 1562 } 1563 /* 1564 * This can be hit on boot when a file is accessed 1565 * before the policy is loaded. When we load policy we 1566 * may find inodes that have no dentry on the 1567 * sbsec->isec_head list. No reason to complain as 1568 * these will get fixed up the next time we go through 1569 * inode_doinit() with a dentry, before these inodes 1570 * could be used again by userspace. 1571 */ 1572 if (!dentry) 1573 goto out_invalid; 1574 rc = selinux_genfs_get_sid(dentry, sclass, 1575 sbsec->flags, &sid); 1576 if (rc) { 1577 dput(dentry); 1578 goto out; 1579 } 1580 1581 if ((sbsec->flags & SE_SBGENFS_XATTR) && 1582 (inode->i_opflags & IOP_XATTR)) { 1583 rc = inode_doinit_use_xattr(inode, dentry, 1584 sid, &sid); 1585 if (rc) { 1586 dput(dentry); 1587 goto out; 1588 } 1589 } 1590 dput(dentry); 1591 } 1592 break; 1593 } 1594 1595 out: 1596 spin_lock(&isec->lock); 1597 if (isec->initialized == LABEL_PENDING) { 1598 if (rc) { 1599 isec->initialized = LABEL_INVALID; 1600 goto out_unlock; 1601 } 1602 isec->initialized = LABEL_INITIALIZED; 1603 isec->sid = sid; 1604 } 1605 1606 out_unlock: 1607 spin_unlock(&isec->lock); 1608 return rc; 1609 1610 out_invalid: 1611 spin_lock(&isec->lock); 1612 if (isec->initialized == LABEL_PENDING) { 1613 isec->initialized = LABEL_INVALID; 1614 isec->sid = sid; 1615 } 1616 spin_unlock(&isec->lock); 1617 return 0; 1618 } 1619 1620 /* Convert a Linux signal to an access vector. */ 1621 static inline u32 signal_to_av(int sig) 1622 { 1623 u32 perm = 0; 1624 1625 switch (sig) { 1626 case SIGCHLD: 1627 /* Commonly granted from child to parent. */ 1628 perm = PROCESS__SIGCHLD; 1629 break; 1630 case SIGKILL: 1631 /* Cannot be caught or ignored */ 1632 perm = PROCESS__SIGKILL; 1633 break; 1634 case SIGSTOP: 1635 /* Cannot be caught or ignored */ 1636 perm = PROCESS__SIGSTOP; 1637 break; 1638 default: 1639 /* All other signals. */ 1640 perm = PROCESS__SIGNAL; 1641 break; 1642 } 1643 1644 return perm; 1645 } 1646 1647 #if CAP_LAST_CAP > 63 1648 #error Fix SELinux to handle capabilities > 63. 1649 #endif 1650 1651 /* Check whether a task is allowed to use a capability. */ 1652 static int cred_has_capability(const struct cred *cred, 1653 int cap, unsigned int opts, bool initns) 1654 { 1655 struct common_audit_data ad; 1656 struct av_decision avd; 1657 u16 sclass; 1658 u32 sid = cred_sid(cred); 1659 u32 av = CAP_TO_MASK(cap); 1660 int rc; 1661 1662 ad.type = LSM_AUDIT_DATA_CAP; 1663 ad.u.cap = cap; 1664 1665 switch (CAP_TO_INDEX(cap)) { 1666 case 0: 1667 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1668 break; 1669 case 1: 1670 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1671 break; 1672 default: 1673 pr_err("SELinux: out of range capability %d\n", cap); 1674 BUG(); 1675 return -EINVAL; 1676 } 1677 1678 rc = avc_has_perm_noaudit(&selinux_state, 1679 sid, sid, sclass, av, 0, &avd); 1680 if (!(opts & CAP_OPT_NOAUDIT)) { 1681 int rc2 = avc_audit(&selinux_state, 1682 sid, sid, sclass, av, &avd, rc, &ad); 1683 if (rc2) 1684 return rc2; 1685 } 1686 return rc; 1687 } 1688 1689 /* Check whether a task has a particular permission to an inode. 1690 The 'adp' parameter is optional and allows other audit 1691 data to be passed (e.g. the dentry). */ 1692 static int inode_has_perm(const struct cred *cred, 1693 struct inode *inode, 1694 u32 perms, 1695 struct common_audit_data *adp) 1696 { 1697 struct inode_security_struct *isec; 1698 u32 sid; 1699 1700 validate_creds(cred); 1701 1702 if (unlikely(IS_PRIVATE(inode))) 1703 return 0; 1704 1705 sid = cred_sid(cred); 1706 isec = selinux_inode(inode); 1707 1708 return avc_has_perm(&selinux_state, 1709 sid, isec->sid, isec->sclass, perms, adp); 1710 } 1711 1712 /* Same as inode_has_perm, but pass explicit audit data containing 1713 the dentry to help the auditing code to more easily generate the 1714 pathname if needed. */ 1715 static inline int dentry_has_perm(const struct cred *cred, 1716 struct dentry *dentry, 1717 u32 av) 1718 { 1719 struct inode *inode = d_backing_inode(dentry); 1720 struct common_audit_data ad; 1721 1722 ad.type = LSM_AUDIT_DATA_DENTRY; 1723 ad.u.dentry = dentry; 1724 __inode_security_revalidate(inode, dentry, true); 1725 return inode_has_perm(cred, inode, av, &ad); 1726 } 1727 1728 /* Same as inode_has_perm, but pass explicit audit data containing 1729 the path to help the auditing code to more easily generate the 1730 pathname if needed. */ 1731 static inline int path_has_perm(const struct cred *cred, 1732 const struct path *path, 1733 u32 av) 1734 { 1735 struct inode *inode = d_backing_inode(path->dentry); 1736 struct common_audit_data ad; 1737 1738 ad.type = LSM_AUDIT_DATA_PATH; 1739 ad.u.path = *path; 1740 __inode_security_revalidate(inode, path->dentry, true); 1741 return inode_has_perm(cred, inode, av, &ad); 1742 } 1743 1744 /* Same as path_has_perm, but uses the inode from the file struct. */ 1745 static inline int file_path_has_perm(const struct cred *cred, 1746 struct file *file, 1747 u32 av) 1748 { 1749 struct common_audit_data ad; 1750 1751 ad.type = LSM_AUDIT_DATA_FILE; 1752 ad.u.file = file; 1753 return inode_has_perm(cred, file_inode(file), av, &ad); 1754 } 1755 1756 #ifdef CONFIG_BPF_SYSCALL 1757 static int bpf_fd_pass(struct file *file, u32 sid); 1758 #endif 1759 1760 /* Check whether a task can use an open file descriptor to 1761 access an inode in a given way. Check access to the 1762 descriptor itself, and then use dentry_has_perm to 1763 check a particular permission to the file. 1764 Access to the descriptor is implicitly granted if it 1765 has the same SID as the process. If av is zero, then 1766 access to the file is not checked, e.g. for cases 1767 where only the descriptor is affected like seek. */ 1768 static int file_has_perm(const struct cred *cred, 1769 struct file *file, 1770 u32 av) 1771 { 1772 struct file_security_struct *fsec = selinux_file(file); 1773 struct inode *inode = file_inode(file); 1774 struct common_audit_data ad; 1775 u32 sid = cred_sid(cred); 1776 int rc; 1777 1778 ad.type = LSM_AUDIT_DATA_FILE; 1779 ad.u.file = file; 1780 1781 if (sid != fsec->sid) { 1782 rc = avc_has_perm(&selinux_state, 1783 sid, fsec->sid, 1784 SECCLASS_FD, 1785 FD__USE, 1786 &ad); 1787 if (rc) 1788 goto out; 1789 } 1790 1791 #ifdef CONFIG_BPF_SYSCALL 1792 rc = bpf_fd_pass(file, cred_sid(cred)); 1793 if (rc) 1794 return rc; 1795 #endif 1796 1797 /* av is zero if only checking access to the descriptor. */ 1798 rc = 0; 1799 if (av) 1800 rc = inode_has_perm(cred, inode, av, &ad); 1801 1802 out: 1803 return rc; 1804 } 1805 1806 /* 1807 * Determine the label for an inode that might be unioned. 1808 */ 1809 static int 1810 selinux_determine_inode_label(const struct task_security_struct *tsec, 1811 struct inode *dir, 1812 const struct qstr *name, u16 tclass, 1813 u32 *_new_isid) 1814 { 1815 const struct superblock_security_struct *sbsec = 1816 selinux_superblock(dir->i_sb); 1817 1818 if ((sbsec->flags & SE_SBINITIALIZED) && 1819 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1820 *_new_isid = sbsec->mntpoint_sid; 1821 } else if ((sbsec->flags & SBLABEL_MNT) && 1822 tsec->create_sid) { 1823 *_new_isid = tsec->create_sid; 1824 } else { 1825 const struct inode_security_struct *dsec = inode_security(dir); 1826 return security_transition_sid(&selinux_state, tsec->sid, 1827 dsec->sid, tclass, 1828 name, _new_isid); 1829 } 1830 1831 return 0; 1832 } 1833 1834 /* Check whether a task can create a file. */ 1835 static int may_create(struct inode *dir, 1836 struct dentry *dentry, 1837 u16 tclass) 1838 { 1839 const struct task_security_struct *tsec = selinux_cred(current_cred()); 1840 struct inode_security_struct *dsec; 1841 struct superblock_security_struct *sbsec; 1842 u32 sid, newsid; 1843 struct common_audit_data ad; 1844 int rc; 1845 1846 dsec = inode_security(dir); 1847 sbsec = selinux_superblock(dir->i_sb); 1848 1849 sid = tsec->sid; 1850 1851 ad.type = LSM_AUDIT_DATA_DENTRY; 1852 ad.u.dentry = dentry; 1853 1854 rc = avc_has_perm(&selinux_state, 1855 sid, dsec->sid, SECCLASS_DIR, 1856 DIR__ADD_NAME | DIR__SEARCH, 1857 &ad); 1858 if (rc) 1859 return rc; 1860 1861 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass, 1862 &newsid); 1863 if (rc) 1864 return rc; 1865 1866 rc = avc_has_perm(&selinux_state, 1867 sid, newsid, tclass, FILE__CREATE, &ad); 1868 if (rc) 1869 return rc; 1870 1871 return avc_has_perm(&selinux_state, 1872 newsid, sbsec->sid, 1873 SECCLASS_FILESYSTEM, 1874 FILESYSTEM__ASSOCIATE, &ad); 1875 } 1876 1877 #define MAY_LINK 0 1878 #define MAY_UNLINK 1 1879 #define MAY_RMDIR 2 1880 1881 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1882 static int may_link(struct inode *dir, 1883 struct dentry *dentry, 1884 int kind) 1885 1886 { 1887 struct inode_security_struct *dsec, *isec; 1888 struct common_audit_data ad; 1889 u32 sid = current_sid(); 1890 u32 av; 1891 int rc; 1892 1893 dsec = inode_security(dir); 1894 isec = backing_inode_security(dentry); 1895 1896 ad.type = LSM_AUDIT_DATA_DENTRY; 1897 ad.u.dentry = dentry; 1898 1899 av = DIR__SEARCH; 1900 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1901 rc = avc_has_perm(&selinux_state, 1902 sid, dsec->sid, SECCLASS_DIR, av, &ad); 1903 if (rc) 1904 return rc; 1905 1906 switch (kind) { 1907 case MAY_LINK: 1908 av = FILE__LINK; 1909 break; 1910 case MAY_UNLINK: 1911 av = FILE__UNLINK; 1912 break; 1913 case MAY_RMDIR: 1914 av = DIR__RMDIR; 1915 break; 1916 default: 1917 pr_warn("SELinux: %s: unrecognized kind %d\n", 1918 __func__, kind); 1919 return 0; 1920 } 1921 1922 rc = avc_has_perm(&selinux_state, 1923 sid, isec->sid, isec->sclass, av, &ad); 1924 return rc; 1925 } 1926 1927 static inline int may_rename(struct inode *old_dir, 1928 struct dentry *old_dentry, 1929 struct inode *new_dir, 1930 struct dentry *new_dentry) 1931 { 1932 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1933 struct common_audit_data ad; 1934 u32 sid = current_sid(); 1935 u32 av; 1936 int old_is_dir, new_is_dir; 1937 int rc; 1938 1939 old_dsec = inode_security(old_dir); 1940 old_isec = backing_inode_security(old_dentry); 1941 old_is_dir = d_is_dir(old_dentry); 1942 new_dsec = inode_security(new_dir); 1943 1944 ad.type = LSM_AUDIT_DATA_DENTRY; 1945 1946 ad.u.dentry = old_dentry; 1947 rc = avc_has_perm(&selinux_state, 1948 sid, old_dsec->sid, SECCLASS_DIR, 1949 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1950 if (rc) 1951 return rc; 1952 rc = avc_has_perm(&selinux_state, 1953 sid, old_isec->sid, 1954 old_isec->sclass, FILE__RENAME, &ad); 1955 if (rc) 1956 return rc; 1957 if (old_is_dir && new_dir != old_dir) { 1958 rc = avc_has_perm(&selinux_state, 1959 sid, old_isec->sid, 1960 old_isec->sclass, DIR__REPARENT, &ad); 1961 if (rc) 1962 return rc; 1963 } 1964 1965 ad.u.dentry = new_dentry; 1966 av = DIR__ADD_NAME | DIR__SEARCH; 1967 if (d_is_positive(new_dentry)) 1968 av |= DIR__REMOVE_NAME; 1969 rc = avc_has_perm(&selinux_state, 1970 sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1971 if (rc) 1972 return rc; 1973 if (d_is_positive(new_dentry)) { 1974 new_isec = backing_inode_security(new_dentry); 1975 new_is_dir = d_is_dir(new_dentry); 1976 rc = avc_has_perm(&selinux_state, 1977 sid, new_isec->sid, 1978 new_isec->sclass, 1979 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1980 if (rc) 1981 return rc; 1982 } 1983 1984 return 0; 1985 } 1986 1987 /* Check whether a task can perform a filesystem operation. */ 1988 static int superblock_has_perm(const struct cred *cred, 1989 struct super_block *sb, 1990 u32 perms, 1991 struct common_audit_data *ad) 1992 { 1993 struct superblock_security_struct *sbsec; 1994 u32 sid = cred_sid(cred); 1995 1996 sbsec = selinux_superblock(sb); 1997 return avc_has_perm(&selinux_state, 1998 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1999 } 2000 2001 /* Convert a Linux mode and permission mask to an access vector. */ 2002 static inline u32 file_mask_to_av(int mode, int mask) 2003 { 2004 u32 av = 0; 2005 2006 if (!S_ISDIR(mode)) { 2007 if (mask & MAY_EXEC) 2008 av |= FILE__EXECUTE; 2009 if (mask & MAY_READ) 2010 av |= FILE__READ; 2011 2012 if (mask & MAY_APPEND) 2013 av |= FILE__APPEND; 2014 else if (mask & MAY_WRITE) 2015 av |= FILE__WRITE; 2016 2017 } else { 2018 if (mask & MAY_EXEC) 2019 av |= DIR__SEARCH; 2020 if (mask & MAY_WRITE) 2021 av |= DIR__WRITE; 2022 if (mask & MAY_READ) 2023 av |= DIR__READ; 2024 } 2025 2026 return av; 2027 } 2028 2029 /* Convert a Linux file to an access vector. */ 2030 static inline u32 file_to_av(struct file *file) 2031 { 2032 u32 av = 0; 2033 2034 if (file->f_mode & FMODE_READ) 2035 av |= FILE__READ; 2036 if (file->f_mode & FMODE_WRITE) { 2037 if (file->f_flags & O_APPEND) 2038 av |= FILE__APPEND; 2039 else 2040 av |= FILE__WRITE; 2041 } 2042 if (!av) { 2043 /* 2044 * Special file opened with flags 3 for ioctl-only use. 2045 */ 2046 av = FILE__IOCTL; 2047 } 2048 2049 return av; 2050 } 2051 2052 /* 2053 * Convert a file to an access vector and include the correct 2054 * open permission. 2055 */ 2056 static inline u32 open_file_to_av(struct file *file) 2057 { 2058 u32 av = file_to_av(file); 2059 struct inode *inode = file_inode(file); 2060 2061 if (selinux_policycap_openperm() && 2062 inode->i_sb->s_magic != SOCKFS_MAGIC) 2063 av |= FILE__OPEN; 2064 2065 return av; 2066 } 2067 2068 /* Hook functions begin here. */ 2069 2070 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2071 { 2072 return avc_has_perm(&selinux_state, 2073 current_sid(), task_sid_binder(mgr), SECCLASS_BINDER, 2074 BINDER__SET_CONTEXT_MGR, NULL); 2075 } 2076 2077 static int selinux_binder_transaction(struct task_struct *from, 2078 struct task_struct *to) 2079 { 2080 u32 mysid = current_sid(); 2081 u32 fromsid = task_sid_binder(from); 2082 int rc; 2083 2084 if (mysid != fromsid) { 2085 rc = avc_has_perm(&selinux_state, 2086 mysid, fromsid, SECCLASS_BINDER, 2087 BINDER__IMPERSONATE, NULL); 2088 if (rc) 2089 return rc; 2090 } 2091 2092 return avc_has_perm(&selinux_state, fromsid, task_sid_binder(to), 2093 SECCLASS_BINDER, BINDER__CALL, NULL); 2094 } 2095 2096 static int selinux_binder_transfer_binder(struct task_struct *from, 2097 struct task_struct *to) 2098 { 2099 return avc_has_perm(&selinux_state, 2100 task_sid_binder(from), task_sid_binder(to), 2101 SECCLASS_BINDER, BINDER__TRANSFER, 2102 NULL); 2103 } 2104 2105 static int selinux_binder_transfer_file(struct task_struct *from, 2106 struct task_struct *to, 2107 struct file *file) 2108 { 2109 u32 sid = task_sid_binder(to); 2110 struct file_security_struct *fsec = selinux_file(file); 2111 struct dentry *dentry = file->f_path.dentry; 2112 struct inode_security_struct *isec; 2113 struct common_audit_data ad; 2114 int rc; 2115 2116 ad.type = LSM_AUDIT_DATA_PATH; 2117 ad.u.path = file->f_path; 2118 2119 if (sid != fsec->sid) { 2120 rc = avc_has_perm(&selinux_state, 2121 sid, fsec->sid, 2122 SECCLASS_FD, 2123 FD__USE, 2124 &ad); 2125 if (rc) 2126 return rc; 2127 } 2128 2129 #ifdef CONFIG_BPF_SYSCALL 2130 rc = bpf_fd_pass(file, sid); 2131 if (rc) 2132 return rc; 2133 #endif 2134 2135 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2136 return 0; 2137 2138 isec = backing_inode_security(dentry); 2139 return avc_has_perm(&selinux_state, 2140 sid, isec->sid, isec->sclass, file_to_av(file), 2141 &ad); 2142 } 2143 2144 static int selinux_ptrace_access_check(struct task_struct *child, 2145 unsigned int mode) 2146 { 2147 u32 sid = current_sid(); 2148 u32 csid = task_sid_obj(child); 2149 2150 if (mode & PTRACE_MODE_READ) 2151 return avc_has_perm(&selinux_state, 2152 sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2153 2154 return avc_has_perm(&selinux_state, 2155 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2156 } 2157 2158 static int selinux_ptrace_traceme(struct task_struct *parent) 2159 { 2160 return avc_has_perm(&selinux_state, 2161 task_sid_subj(parent), task_sid_obj(current), 2162 SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2163 } 2164 2165 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2166 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2167 { 2168 return avc_has_perm(&selinux_state, 2169 current_sid(), task_sid_obj(target), SECCLASS_PROCESS, 2170 PROCESS__GETCAP, NULL); 2171 } 2172 2173 static int selinux_capset(struct cred *new, const struct cred *old, 2174 const kernel_cap_t *effective, 2175 const kernel_cap_t *inheritable, 2176 const kernel_cap_t *permitted) 2177 { 2178 return avc_has_perm(&selinux_state, 2179 cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2180 PROCESS__SETCAP, NULL); 2181 } 2182 2183 /* 2184 * (This comment used to live with the selinux_task_setuid hook, 2185 * which was removed). 2186 * 2187 * Since setuid only affects the current process, and since the SELinux 2188 * controls are not based on the Linux identity attributes, SELinux does not 2189 * need to control this operation. However, SELinux does control the use of 2190 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2191 */ 2192 2193 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2194 int cap, unsigned int opts) 2195 { 2196 return cred_has_capability(cred, cap, opts, ns == &init_user_ns); 2197 } 2198 2199 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2200 { 2201 const struct cred *cred = current_cred(); 2202 int rc = 0; 2203 2204 if (!sb) 2205 return 0; 2206 2207 switch (cmds) { 2208 case Q_SYNC: 2209 case Q_QUOTAON: 2210 case Q_QUOTAOFF: 2211 case Q_SETINFO: 2212 case Q_SETQUOTA: 2213 case Q_XQUOTAOFF: 2214 case Q_XQUOTAON: 2215 case Q_XSETQLIM: 2216 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2217 break; 2218 case Q_GETFMT: 2219 case Q_GETINFO: 2220 case Q_GETQUOTA: 2221 case Q_XGETQUOTA: 2222 case Q_XGETQSTAT: 2223 case Q_XGETQSTATV: 2224 case Q_XGETNEXTQUOTA: 2225 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2226 break; 2227 default: 2228 rc = 0; /* let the kernel handle invalid cmds */ 2229 break; 2230 } 2231 return rc; 2232 } 2233 2234 static int selinux_quota_on(struct dentry *dentry) 2235 { 2236 const struct cred *cred = current_cred(); 2237 2238 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2239 } 2240 2241 static int selinux_syslog(int type) 2242 { 2243 switch (type) { 2244 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2245 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2246 return avc_has_perm(&selinux_state, 2247 current_sid(), SECINITSID_KERNEL, 2248 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2249 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2250 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2251 /* Set level of messages printed to console */ 2252 case SYSLOG_ACTION_CONSOLE_LEVEL: 2253 return avc_has_perm(&selinux_state, 2254 current_sid(), SECINITSID_KERNEL, 2255 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2256 NULL); 2257 } 2258 /* All other syslog types */ 2259 return avc_has_perm(&selinux_state, 2260 current_sid(), SECINITSID_KERNEL, 2261 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2262 } 2263 2264 /* 2265 * Check that a process has enough memory to allocate a new virtual 2266 * mapping. 0 means there is enough memory for the allocation to 2267 * succeed and -ENOMEM implies there is not. 2268 * 2269 * Do not audit the selinux permission check, as this is applied to all 2270 * processes that allocate mappings. 2271 */ 2272 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2273 { 2274 int rc, cap_sys_admin = 0; 2275 2276 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2277 CAP_OPT_NOAUDIT, true); 2278 if (rc == 0) 2279 cap_sys_admin = 1; 2280 2281 return cap_sys_admin; 2282 } 2283 2284 /* binprm security operations */ 2285 2286 static u32 ptrace_parent_sid(void) 2287 { 2288 u32 sid = 0; 2289 struct task_struct *tracer; 2290 2291 rcu_read_lock(); 2292 tracer = ptrace_parent(current); 2293 if (tracer) 2294 sid = task_sid_obj(tracer); 2295 rcu_read_unlock(); 2296 2297 return sid; 2298 } 2299 2300 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2301 const struct task_security_struct *old_tsec, 2302 const struct task_security_struct *new_tsec) 2303 { 2304 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2305 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2306 int rc; 2307 u32 av; 2308 2309 if (!nnp && !nosuid) 2310 return 0; /* neither NNP nor nosuid */ 2311 2312 if (new_tsec->sid == old_tsec->sid) 2313 return 0; /* No change in credentials */ 2314 2315 /* 2316 * If the policy enables the nnp_nosuid_transition policy capability, 2317 * then we permit transitions under NNP or nosuid if the 2318 * policy allows the corresponding permission between 2319 * the old and new contexts. 2320 */ 2321 if (selinux_policycap_nnp_nosuid_transition()) { 2322 av = 0; 2323 if (nnp) 2324 av |= PROCESS2__NNP_TRANSITION; 2325 if (nosuid) 2326 av |= PROCESS2__NOSUID_TRANSITION; 2327 rc = avc_has_perm(&selinux_state, 2328 old_tsec->sid, new_tsec->sid, 2329 SECCLASS_PROCESS2, av, NULL); 2330 if (!rc) 2331 return 0; 2332 } 2333 2334 /* 2335 * We also permit NNP or nosuid transitions to bounded SIDs, 2336 * i.e. SIDs that are guaranteed to only be allowed a subset 2337 * of the permissions of the current SID. 2338 */ 2339 rc = security_bounded_transition(&selinux_state, old_tsec->sid, 2340 new_tsec->sid); 2341 if (!rc) 2342 return 0; 2343 2344 /* 2345 * On failure, preserve the errno values for NNP vs nosuid. 2346 * NNP: Operation not permitted for caller. 2347 * nosuid: Permission denied to file. 2348 */ 2349 if (nnp) 2350 return -EPERM; 2351 return -EACCES; 2352 } 2353 2354 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) 2355 { 2356 const struct task_security_struct *old_tsec; 2357 struct task_security_struct *new_tsec; 2358 struct inode_security_struct *isec; 2359 struct common_audit_data ad; 2360 struct inode *inode = file_inode(bprm->file); 2361 int rc; 2362 2363 /* SELinux context only depends on initial program or script and not 2364 * the script interpreter */ 2365 2366 old_tsec = selinux_cred(current_cred()); 2367 new_tsec = selinux_cred(bprm->cred); 2368 isec = inode_security(inode); 2369 2370 /* Default to the current task SID. */ 2371 new_tsec->sid = old_tsec->sid; 2372 new_tsec->osid = old_tsec->sid; 2373 2374 /* Reset fs, key, and sock SIDs on execve. */ 2375 new_tsec->create_sid = 0; 2376 new_tsec->keycreate_sid = 0; 2377 new_tsec->sockcreate_sid = 0; 2378 2379 if (old_tsec->exec_sid) { 2380 new_tsec->sid = old_tsec->exec_sid; 2381 /* Reset exec SID on execve. */ 2382 new_tsec->exec_sid = 0; 2383 2384 /* Fail on NNP or nosuid if not an allowed transition. */ 2385 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2386 if (rc) 2387 return rc; 2388 } else { 2389 /* Check for a default transition on this program. */ 2390 rc = security_transition_sid(&selinux_state, old_tsec->sid, 2391 isec->sid, SECCLASS_PROCESS, NULL, 2392 &new_tsec->sid); 2393 if (rc) 2394 return rc; 2395 2396 /* 2397 * Fallback to old SID on NNP or nosuid if not an allowed 2398 * transition. 2399 */ 2400 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2401 if (rc) 2402 new_tsec->sid = old_tsec->sid; 2403 } 2404 2405 ad.type = LSM_AUDIT_DATA_FILE; 2406 ad.u.file = bprm->file; 2407 2408 if (new_tsec->sid == old_tsec->sid) { 2409 rc = avc_has_perm(&selinux_state, 2410 old_tsec->sid, isec->sid, 2411 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2412 if (rc) 2413 return rc; 2414 } else { 2415 /* Check permissions for the transition. */ 2416 rc = avc_has_perm(&selinux_state, 2417 old_tsec->sid, new_tsec->sid, 2418 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2419 if (rc) 2420 return rc; 2421 2422 rc = avc_has_perm(&selinux_state, 2423 new_tsec->sid, isec->sid, 2424 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2425 if (rc) 2426 return rc; 2427 2428 /* Check for shared state */ 2429 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2430 rc = avc_has_perm(&selinux_state, 2431 old_tsec->sid, new_tsec->sid, 2432 SECCLASS_PROCESS, PROCESS__SHARE, 2433 NULL); 2434 if (rc) 2435 return -EPERM; 2436 } 2437 2438 /* Make sure that anyone attempting to ptrace over a task that 2439 * changes its SID has the appropriate permit */ 2440 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2441 u32 ptsid = ptrace_parent_sid(); 2442 if (ptsid != 0) { 2443 rc = avc_has_perm(&selinux_state, 2444 ptsid, new_tsec->sid, 2445 SECCLASS_PROCESS, 2446 PROCESS__PTRACE, NULL); 2447 if (rc) 2448 return -EPERM; 2449 } 2450 } 2451 2452 /* Clear any possibly unsafe personality bits on exec: */ 2453 bprm->per_clear |= PER_CLEAR_ON_SETID; 2454 2455 /* Enable secure mode for SIDs transitions unless 2456 the noatsecure permission is granted between 2457 the two SIDs, i.e. ahp returns 0. */ 2458 rc = avc_has_perm(&selinux_state, 2459 old_tsec->sid, new_tsec->sid, 2460 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2461 NULL); 2462 bprm->secureexec |= !!rc; 2463 } 2464 2465 return 0; 2466 } 2467 2468 static int match_file(const void *p, struct file *file, unsigned fd) 2469 { 2470 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2471 } 2472 2473 /* Derived from fs/exec.c:flush_old_files. */ 2474 static inline void flush_unauthorized_files(const struct cred *cred, 2475 struct files_struct *files) 2476 { 2477 struct file *file, *devnull = NULL; 2478 struct tty_struct *tty; 2479 int drop_tty = 0; 2480 unsigned n; 2481 2482 tty = get_current_tty(); 2483 if (tty) { 2484 spin_lock(&tty->files_lock); 2485 if (!list_empty(&tty->tty_files)) { 2486 struct tty_file_private *file_priv; 2487 2488 /* Revalidate access to controlling tty. 2489 Use file_path_has_perm on the tty path directly 2490 rather than using file_has_perm, as this particular 2491 open file may belong to another process and we are 2492 only interested in the inode-based check here. */ 2493 file_priv = list_first_entry(&tty->tty_files, 2494 struct tty_file_private, list); 2495 file = file_priv->file; 2496 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2497 drop_tty = 1; 2498 } 2499 spin_unlock(&tty->files_lock); 2500 tty_kref_put(tty); 2501 } 2502 /* Reset controlling tty. */ 2503 if (drop_tty) 2504 no_tty(); 2505 2506 /* Revalidate access to inherited open files. */ 2507 n = iterate_fd(files, 0, match_file, cred); 2508 if (!n) /* none found? */ 2509 return; 2510 2511 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2512 if (IS_ERR(devnull)) 2513 devnull = NULL; 2514 /* replace all the matching ones with this */ 2515 do { 2516 replace_fd(n - 1, devnull, 0); 2517 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2518 if (devnull) 2519 fput(devnull); 2520 } 2521 2522 /* 2523 * Prepare a process for imminent new credential changes due to exec 2524 */ 2525 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2526 { 2527 struct task_security_struct *new_tsec; 2528 struct rlimit *rlim, *initrlim; 2529 int rc, i; 2530 2531 new_tsec = selinux_cred(bprm->cred); 2532 if (new_tsec->sid == new_tsec->osid) 2533 return; 2534 2535 /* Close files for which the new task SID is not authorized. */ 2536 flush_unauthorized_files(bprm->cred, current->files); 2537 2538 /* Always clear parent death signal on SID transitions. */ 2539 current->pdeath_signal = 0; 2540 2541 /* Check whether the new SID can inherit resource limits from the old 2542 * SID. If not, reset all soft limits to the lower of the current 2543 * task's hard limit and the init task's soft limit. 2544 * 2545 * Note that the setting of hard limits (even to lower them) can be 2546 * controlled by the setrlimit check. The inclusion of the init task's 2547 * soft limit into the computation is to avoid resetting soft limits 2548 * higher than the default soft limit for cases where the default is 2549 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2550 */ 2551 rc = avc_has_perm(&selinux_state, 2552 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2553 PROCESS__RLIMITINH, NULL); 2554 if (rc) { 2555 /* protect against do_prlimit() */ 2556 task_lock(current); 2557 for (i = 0; i < RLIM_NLIMITS; i++) { 2558 rlim = current->signal->rlim + i; 2559 initrlim = init_task.signal->rlim + i; 2560 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2561 } 2562 task_unlock(current); 2563 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2564 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2565 } 2566 } 2567 2568 /* 2569 * Clean up the process immediately after the installation of new credentials 2570 * due to exec 2571 */ 2572 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2573 { 2574 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2575 u32 osid, sid; 2576 int rc; 2577 2578 osid = tsec->osid; 2579 sid = tsec->sid; 2580 2581 if (sid == osid) 2582 return; 2583 2584 /* Check whether the new SID can inherit signal state from the old SID. 2585 * If not, clear itimers to avoid subsequent signal generation and 2586 * flush and unblock signals. 2587 * 2588 * This must occur _after_ the task SID has been updated so that any 2589 * kill done after the flush will be checked against the new SID. 2590 */ 2591 rc = avc_has_perm(&selinux_state, 2592 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2593 if (rc) { 2594 clear_itimer(); 2595 2596 spin_lock_irq(¤t->sighand->siglock); 2597 if (!fatal_signal_pending(current)) { 2598 flush_sigqueue(¤t->pending); 2599 flush_sigqueue(¤t->signal->shared_pending); 2600 flush_signal_handlers(current, 1); 2601 sigemptyset(¤t->blocked); 2602 recalc_sigpending(); 2603 } 2604 spin_unlock_irq(¤t->sighand->siglock); 2605 } 2606 2607 /* Wake up the parent if it is waiting so that it can recheck 2608 * wait permission to the new task SID. */ 2609 read_lock(&tasklist_lock); 2610 __wake_up_parent(current, current->real_parent); 2611 read_unlock(&tasklist_lock); 2612 } 2613 2614 /* superblock security operations */ 2615 2616 static int selinux_sb_alloc_security(struct super_block *sb) 2617 { 2618 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2619 2620 mutex_init(&sbsec->lock); 2621 INIT_LIST_HEAD(&sbsec->isec_head); 2622 spin_lock_init(&sbsec->isec_lock); 2623 sbsec->sid = SECINITSID_UNLABELED; 2624 sbsec->def_sid = SECINITSID_FILE; 2625 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 2626 2627 return 0; 2628 } 2629 2630 static inline int opt_len(const char *s) 2631 { 2632 bool open_quote = false; 2633 int len; 2634 char c; 2635 2636 for (len = 0; (c = s[len]) != '\0'; len++) { 2637 if (c == '"') 2638 open_quote = !open_quote; 2639 if (c == ',' && !open_quote) 2640 break; 2641 } 2642 return len; 2643 } 2644 2645 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) 2646 { 2647 char *from = options; 2648 char *to = options; 2649 bool first = true; 2650 int rc; 2651 2652 while (1) { 2653 int len = opt_len(from); 2654 int token; 2655 char *arg = NULL; 2656 2657 token = match_opt_prefix(from, len, &arg); 2658 2659 if (token != Opt_error) { 2660 char *p, *q; 2661 2662 /* strip quotes */ 2663 if (arg) { 2664 for (p = q = arg; p < from + len; p++) { 2665 char c = *p; 2666 if (c != '"') 2667 *q++ = c; 2668 } 2669 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); 2670 if (!arg) { 2671 rc = -ENOMEM; 2672 goto free_opt; 2673 } 2674 } 2675 rc = selinux_add_opt(token, arg, mnt_opts); 2676 if (unlikely(rc)) { 2677 kfree(arg); 2678 goto free_opt; 2679 } 2680 } else { 2681 if (!first) { // copy with preceding comma 2682 from--; 2683 len++; 2684 } 2685 if (to != from) 2686 memmove(to, from, len); 2687 to += len; 2688 first = false; 2689 } 2690 if (!from[len]) 2691 break; 2692 from += len + 1; 2693 } 2694 *to = '\0'; 2695 return 0; 2696 2697 free_opt: 2698 if (*mnt_opts) { 2699 selinux_free_mnt_opts(*mnt_opts); 2700 *mnt_opts = NULL; 2701 } 2702 return rc; 2703 } 2704 2705 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts) 2706 { 2707 struct selinux_mnt_opts *opts = mnt_opts; 2708 struct superblock_security_struct *sbsec = sb->s_security; 2709 u32 sid; 2710 int rc; 2711 2712 /* 2713 * Superblock not initialized (i.e. no options) - reject if any 2714 * options specified, otherwise accept. 2715 */ 2716 if (!(sbsec->flags & SE_SBINITIALIZED)) 2717 return opts ? 1 : 0; 2718 2719 /* 2720 * Superblock initialized and no options specified - reject if 2721 * superblock has any options set, otherwise accept. 2722 */ 2723 if (!opts) 2724 return (sbsec->flags & SE_MNTMASK) ? 1 : 0; 2725 2726 if (opts->fscontext) { 2727 rc = parse_sid(sb, opts->fscontext, &sid); 2728 if (rc) 2729 return 1; 2730 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2731 return 1; 2732 } 2733 if (opts->context) { 2734 rc = parse_sid(sb, opts->context, &sid); 2735 if (rc) 2736 return 1; 2737 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2738 return 1; 2739 } 2740 if (opts->rootcontext) { 2741 struct inode_security_struct *root_isec; 2742 2743 root_isec = backing_inode_security(sb->s_root); 2744 rc = parse_sid(sb, opts->rootcontext, &sid); 2745 if (rc) 2746 return 1; 2747 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2748 return 1; 2749 } 2750 if (opts->defcontext) { 2751 rc = parse_sid(sb, opts->defcontext, &sid); 2752 if (rc) 2753 return 1; 2754 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2755 return 1; 2756 } 2757 return 0; 2758 } 2759 2760 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) 2761 { 2762 struct selinux_mnt_opts *opts = mnt_opts; 2763 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2764 u32 sid; 2765 int rc; 2766 2767 if (!(sbsec->flags & SE_SBINITIALIZED)) 2768 return 0; 2769 2770 if (!opts) 2771 return 0; 2772 2773 if (opts->fscontext) { 2774 rc = parse_sid(sb, opts->fscontext, &sid); 2775 if (rc) 2776 return rc; 2777 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2778 goto out_bad_option; 2779 } 2780 if (opts->context) { 2781 rc = parse_sid(sb, opts->context, &sid); 2782 if (rc) 2783 return rc; 2784 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2785 goto out_bad_option; 2786 } 2787 if (opts->rootcontext) { 2788 struct inode_security_struct *root_isec; 2789 root_isec = backing_inode_security(sb->s_root); 2790 rc = parse_sid(sb, opts->rootcontext, &sid); 2791 if (rc) 2792 return rc; 2793 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2794 goto out_bad_option; 2795 } 2796 if (opts->defcontext) { 2797 rc = parse_sid(sb, opts->defcontext, &sid); 2798 if (rc) 2799 return rc; 2800 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2801 goto out_bad_option; 2802 } 2803 return 0; 2804 2805 out_bad_option: 2806 pr_warn("SELinux: unable to change security options " 2807 "during remount (dev %s, type=%s)\n", sb->s_id, 2808 sb->s_type->name); 2809 return -EINVAL; 2810 } 2811 2812 static int selinux_sb_kern_mount(struct super_block *sb) 2813 { 2814 const struct cred *cred = current_cred(); 2815 struct common_audit_data ad; 2816 2817 ad.type = LSM_AUDIT_DATA_DENTRY; 2818 ad.u.dentry = sb->s_root; 2819 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2820 } 2821 2822 static int selinux_sb_statfs(struct dentry *dentry) 2823 { 2824 const struct cred *cred = current_cred(); 2825 struct common_audit_data ad; 2826 2827 ad.type = LSM_AUDIT_DATA_DENTRY; 2828 ad.u.dentry = dentry->d_sb->s_root; 2829 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2830 } 2831 2832 static int selinux_mount(const char *dev_name, 2833 const struct path *path, 2834 const char *type, 2835 unsigned long flags, 2836 void *data) 2837 { 2838 const struct cred *cred = current_cred(); 2839 2840 if (flags & MS_REMOUNT) 2841 return superblock_has_perm(cred, path->dentry->d_sb, 2842 FILESYSTEM__REMOUNT, NULL); 2843 else 2844 return path_has_perm(cred, path, FILE__MOUNTON); 2845 } 2846 2847 static int selinux_move_mount(const struct path *from_path, 2848 const struct path *to_path) 2849 { 2850 const struct cred *cred = current_cred(); 2851 2852 return path_has_perm(cred, to_path, FILE__MOUNTON); 2853 } 2854 2855 static int selinux_umount(struct vfsmount *mnt, int flags) 2856 { 2857 const struct cred *cred = current_cred(); 2858 2859 return superblock_has_perm(cred, mnt->mnt_sb, 2860 FILESYSTEM__UNMOUNT, NULL); 2861 } 2862 2863 static int selinux_fs_context_dup(struct fs_context *fc, 2864 struct fs_context *src_fc) 2865 { 2866 const struct selinux_mnt_opts *src = src_fc->security; 2867 struct selinux_mnt_opts *opts; 2868 2869 if (!src) 2870 return 0; 2871 2872 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL); 2873 if (!fc->security) 2874 return -ENOMEM; 2875 2876 opts = fc->security; 2877 2878 if (src->fscontext) { 2879 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL); 2880 if (!opts->fscontext) 2881 return -ENOMEM; 2882 } 2883 if (src->context) { 2884 opts->context = kstrdup(src->context, GFP_KERNEL); 2885 if (!opts->context) 2886 return -ENOMEM; 2887 } 2888 if (src->rootcontext) { 2889 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL); 2890 if (!opts->rootcontext) 2891 return -ENOMEM; 2892 } 2893 if (src->defcontext) { 2894 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL); 2895 if (!opts->defcontext) 2896 return -ENOMEM; 2897 } 2898 return 0; 2899 } 2900 2901 static const struct fs_parameter_spec selinux_fs_parameters[] = { 2902 fsparam_string(CONTEXT_STR, Opt_context), 2903 fsparam_string(DEFCONTEXT_STR, Opt_defcontext), 2904 fsparam_string(FSCONTEXT_STR, Opt_fscontext), 2905 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext), 2906 fsparam_flag (SECLABEL_STR, Opt_seclabel), 2907 {} 2908 }; 2909 2910 static int selinux_fs_context_parse_param(struct fs_context *fc, 2911 struct fs_parameter *param) 2912 { 2913 struct fs_parse_result result; 2914 int opt, rc; 2915 2916 opt = fs_parse(fc, selinux_fs_parameters, param, &result); 2917 if (opt < 0) 2918 return opt; 2919 2920 rc = selinux_add_opt(opt, param->string, &fc->security); 2921 if (!rc) { 2922 param->string = NULL; 2923 rc = 1; 2924 } 2925 return rc; 2926 } 2927 2928 /* inode security operations */ 2929 2930 static int selinux_inode_alloc_security(struct inode *inode) 2931 { 2932 struct inode_security_struct *isec = selinux_inode(inode); 2933 u32 sid = current_sid(); 2934 2935 spin_lock_init(&isec->lock); 2936 INIT_LIST_HEAD(&isec->list); 2937 isec->inode = inode; 2938 isec->sid = SECINITSID_UNLABELED; 2939 isec->sclass = SECCLASS_FILE; 2940 isec->task_sid = sid; 2941 isec->initialized = LABEL_INVALID; 2942 2943 return 0; 2944 } 2945 2946 static void selinux_inode_free_security(struct inode *inode) 2947 { 2948 inode_free_security(inode); 2949 } 2950 2951 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2952 const struct qstr *name, void **ctx, 2953 u32 *ctxlen) 2954 { 2955 u32 newsid; 2956 int rc; 2957 2958 rc = selinux_determine_inode_label(selinux_cred(current_cred()), 2959 d_inode(dentry->d_parent), name, 2960 inode_mode_to_security_class(mode), 2961 &newsid); 2962 if (rc) 2963 return rc; 2964 2965 return security_sid_to_context(&selinux_state, newsid, (char **)ctx, 2966 ctxlen); 2967 } 2968 2969 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2970 struct qstr *name, 2971 const struct cred *old, 2972 struct cred *new) 2973 { 2974 u32 newsid; 2975 int rc; 2976 struct task_security_struct *tsec; 2977 2978 rc = selinux_determine_inode_label(selinux_cred(old), 2979 d_inode(dentry->d_parent), name, 2980 inode_mode_to_security_class(mode), 2981 &newsid); 2982 if (rc) 2983 return rc; 2984 2985 tsec = selinux_cred(new); 2986 tsec->create_sid = newsid; 2987 return 0; 2988 } 2989 2990 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2991 const struct qstr *qstr, 2992 const char **name, 2993 void **value, size_t *len) 2994 { 2995 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2996 struct superblock_security_struct *sbsec; 2997 u32 newsid, clen; 2998 int rc; 2999 char *context; 3000 3001 sbsec = selinux_superblock(dir->i_sb); 3002 3003 newsid = tsec->create_sid; 3004 3005 rc = selinux_determine_inode_label(tsec, dir, qstr, 3006 inode_mode_to_security_class(inode->i_mode), 3007 &newsid); 3008 if (rc) 3009 return rc; 3010 3011 /* Possibly defer initialization to selinux_complete_init. */ 3012 if (sbsec->flags & SE_SBINITIALIZED) { 3013 struct inode_security_struct *isec = selinux_inode(inode); 3014 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3015 isec->sid = newsid; 3016 isec->initialized = LABEL_INITIALIZED; 3017 } 3018 3019 if (!selinux_initialized(&selinux_state) || 3020 !(sbsec->flags & SBLABEL_MNT)) 3021 return -EOPNOTSUPP; 3022 3023 if (name) 3024 *name = XATTR_SELINUX_SUFFIX; 3025 3026 if (value && len) { 3027 rc = security_sid_to_context_force(&selinux_state, newsid, 3028 &context, &clen); 3029 if (rc) 3030 return rc; 3031 *value = context; 3032 *len = clen; 3033 } 3034 3035 return 0; 3036 } 3037 3038 static int selinux_inode_init_security_anon(struct inode *inode, 3039 const struct qstr *name, 3040 const struct inode *context_inode) 3041 { 3042 const struct task_security_struct *tsec = selinux_cred(current_cred()); 3043 struct common_audit_data ad; 3044 struct inode_security_struct *isec; 3045 int rc; 3046 3047 if (unlikely(!selinux_initialized(&selinux_state))) 3048 return 0; 3049 3050 isec = selinux_inode(inode); 3051 3052 /* 3053 * We only get here once per ephemeral inode. The inode has 3054 * been initialized via inode_alloc_security but is otherwise 3055 * untouched. 3056 */ 3057 3058 if (context_inode) { 3059 struct inode_security_struct *context_isec = 3060 selinux_inode(context_inode); 3061 if (context_isec->initialized != LABEL_INITIALIZED) { 3062 pr_err("SELinux: context_inode is not initialized"); 3063 return -EACCES; 3064 } 3065 3066 isec->sclass = context_isec->sclass; 3067 isec->sid = context_isec->sid; 3068 } else { 3069 isec->sclass = SECCLASS_ANON_INODE; 3070 rc = security_transition_sid( 3071 &selinux_state, tsec->sid, tsec->sid, 3072 isec->sclass, name, &isec->sid); 3073 if (rc) 3074 return rc; 3075 } 3076 3077 isec->initialized = LABEL_INITIALIZED; 3078 /* 3079 * Now that we've initialized security, check whether we're 3080 * allowed to actually create this type of anonymous inode. 3081 */ 3082 3083 ad.type = LSM_AUDIT_DATA_INODE; 3084 ad.u.inode = inode; 3085 3086 return avc_has_perm(&selinux_state, 3087 tsec->sid, 3088 isec->sid, 3089 isec->sclass, 3090 FILE__CREATE, 3091 &ad); 3092 } 3093 3094 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 3095 { 3096 return may_create(dir, dentry, SECCLASS_FILE); 3097 } 3098 3099 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 3100 { 3101 return may_link(dir, old_dentry, MAY_LINK); 3102 } 3103 3104 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 3105 { 3106 return may_link(dir, dentry, MAY_UNLINK); 3107 } 3108 3109 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 3110 { 3111 return may_create(dir, dentry, SECCLASS_LNK_FILE); 3112 } 3113 3114 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 3115 { 3116 return may_create(dir, dentry, SECCLASS_DIR); 3117 } 3118 3119 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 3120 { 3121 return may_link(dir, dentry, MAY_RMDIR); 3122 } 3123 3124 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 3125 { 3126 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 3127 } 3128 3129 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3130 struct inode *new_inode, struct dentry *new_dentry) 3131 { 3132 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3133 } 3134 3135 static int selinux_inode_readlink(struct dentry *dentry) 3136 { 3137 const struct cred *cred = current_cred(); 3138 3139 return dentry_has_perm(cred, dentry, FILE__READ); 3140 } 3141 3142 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3143 bool rcu) 3144 { 3145 const struct cred *cred = current_cred(); 3146 struct common_audit_data ad; 3147 struct inode_security_struct *isec; 3148 u32 sid; 3149 3150 validate_creds(cred); 3151 3152 ad.type = LSM_AUDIT_DATA_DENTRY; 3153 ad.u.dentry = dentry; 3154 sid = cred_sid(cred); 3155 isec = inode_security_rcu(inode, rcu); 3156 if (IS_ERR(isec)) 3157 return PTR_ERR(isec); 3158 3159 return avc_has_perm(&selinux_state, 3160 sid, isec->sid, isec->sclass, FILE__READ, &ad); 3161 } 3162 3163 static noinline int audit_inode_permission(struct inode *inode, 3164 u32 perms, u32 audited, u32 denied, 3165 int result) 3166 { 3167 struct common_audit_data ad; 3168 struct inode_security_struct *isec = selinux_inode(inode); 3169 3170 ad.type = LSM_AUDIT_DATA_INODE; 3171 ad.u.inode = inode; 3172 3173 return slow_avc_audit(&selinux_state, 3174 current_sid(), isec->sid, isec->sclass, perms, 3175 audited, denied, result, &ad); 3176 } 3177 3178 static int selinux_inode_permission(struct inode *inode, int mask) 3179 { 3180 const struct cred *cred = current_cred(); 3181 u32 perms; 3182 bool from_access; 3183 bool no_block = mask & MAY_NOT_BLOCK; 3184 struct inode_security_struct *isec; 3185 u32 sid; 3186 struct av_decision avd; 3187 int rc, rc2; 3188 u32 audited, denied; 3189 3190 from_access = mask & MAY_ACCESS; 3191 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3192 3193 /* No permission to check. Existence test. */ 3194 if (!mask) 3195 return 0; 3196 3197 validate_creds(cred); 3198 3199 if (unlikely(IS_PRIVATE(inode))) 3200 return 0; 3201 3202 perms = file_mask_to_av(inode->i_mode, mask); 3203 3204 sid = cred_sid(cred); 3205 isec = inode_security_rcu(inode, no_block); 3206 if (IS_ERR(isec)) 3207 return PTR_ERR(isec); 3208 3209 rc = avc_has_perm_noaudit(&selinux_state, 3210 sid, isec->sid, isec->sclass, perms, 0, 3211 &avd); 3212 audited = avc_audit_required(perms, &avd, rc, 3213 from_access ? FILE__AUDIT_ACCESS : 0, 3214 &denied); 3215 if (likely(!audited)) 3216 return rc; 3217 3218 rc2 = audit_inode_permission(inode, perms, audited, denied, rc); 3219 if (rc2) 3220 return rc2; 3221 return rc; 3222 } 3223 3224 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3225 { 3226 const struct cred *cred = current_cred(); 3227 struct inode *inode = d_backing_inode(dentry); 3228 unsigned int ia_valid = iattr->ia_valid; 3229 __u32 av = FILE__WRITE; 3230 3231 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3232 if (ia_valid & ATTR_FORCE) { 3233 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3234 ATTR_FORCE); 3235 if (!ia_valid) 3236 return 0; 3237 } 3238 3239 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3240 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3241 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3242 3243 if (selinux_policycap_openperm() && 3244 inode->i_sb->s_magic != SOCKFS_MAGIC && 3245 (ia_valid & ATTR_SIZE) && 3246 !(ia_valid & ATTR_FILE)) 3247 av |= FILE__OPEN; 3248 3249 return dentry_has_perm(cred, dentry, av); 3250 } 3251 3252 static int selinux_inode_getattr(const struct path *path) 3253 { 3254 return path_has_perm(current_cred(), path, FILE__GETATTR); 3255 } 3256 3257 static bool has_cap_mac_admin(bool audit) 3258 { 3259 const struct cred *cred = current_cred(); 3260 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT; 3261 3262 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts)) 3263 return false; 3264 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true)) 3265 return false; 3266 return true; 3267 } 3268 3269 static int selinux_inode_setxattr(struct user_namespace *mnt_userns, 3270 struct dentry *dentry, const char *name, 3271 const void *value, size_t size, int flags) 3272 { 3273 struct inode *inode = d_backing_inode(dentry); 3274 struct inode_security_struct *isec; 3275 struct superblock_security_struct *sbsec; 3276 struct common_audit_data ad; 3277 u32 newsid, sid = current_sid(); 3278 int rc = 0; 3279 3280 if (strcmp(name, XATTR_NAME_SELINUX)) { 3281 rc = cap_inode_setxattr(dentry, name, value, size, flags); 3282 if (rc) 3283 return rc; 3284 3285 /* Not an attribute we recognize, so just check the 3286 ordinary setattr permission. */ 3287 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3288 } 3289 3290 if (!selinux_initialized(&selinux_state)) 3291 return (inode_owner_or_capable(mnt_userns, inode) ? 0 : -EPERM); 3292 3293 sbsec = selinux_superblock(inode->i_sb); 3294 if (!(sbsec->flags & SBLABEL_MNT)) 3295 return -EOPNOTSUPP; 3296 3297 if (!inode_owner_or_capable(mnt_userns, inode)) 3298 return -EPERM; 3299 3300 ad.type = LSM_AUDIT_DATA_DENTRY; 3301 ad.u.dentry = dentry; 3302 3303 isec = backing_inode_security(dentry); 3304 rc = avc_has_perm(&selinux_state, 3305 sid, isec->sid, isec->sclass, 3306 FILE__RELABELFROM, &ad); 3307 if (rc) 3308 return rc; 3309 3310 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3311 GFP_KERNEL); 3312 if (rc == -EINVAL) { 3313 if (!has_cap_mac_admin(true)) { 3314 struct audit_buffer *ab; 3315 size_t audit_size; 3316 3317 /* We strip a nul only if it is at the end, otherwise the 3318 * context contains a nul and we should audit that */ 3319 if (value) { 3320 const char *str = value; 3321 3322 if (str[size - 1] == '\0') 3323 audit_size = size - 1; 3324 else 3325 audit_size = size; 3326 } else { 3327 audit_size = 0; 3328 } 3329 ab = audit_log_start(audit_context(), 3330 GFP_ATOMIC, AUDIT_SELINUX_ERR); 3331 if (!ab) 3332 return rc; 3333 audit_log_format(ab, "op=setxattr invalid_context="); 3334 audit_log_n_untrustedstring(ab, value, audit_size); 3335 audit_log_end(ab); 3336 3337 return rc; 3338 } 3339 rc = security_context_to_sid_force(&selinux_state, value, 3340 size, &newsid); 3341 } 3342 if (rc) 3343 return rc; 3344 3345 rc = avc_has_perm(&selinux_state, 3346 sid, newsid, isec->sclass, 3347 FILE__RELABELTO, &ad); 3348 if (rc) 3349 return rc; 3350 3351 rc = security_validate_transition(&selinux_state, isec->sid, newsid, 3352 sid, isec->sclass); 3353 if (rc) 3354 return rc; 3355 3356 return avc_has_perm(&selinux_state, 3357 newsid, 3358 sbsec->sid, 3359 SECCLASS_FILESYSTEM, 3360 FILESYSTEM__ASSOCIATE, 3361 &ad); 3362 } 3363 3364 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3365 const void *value, size_t size, 3366 int flags) 3367 { 3368 struct inode *inode = d_backing_inode(dentry); 3369 struct inode_security_struct *isec; 3370 u32 newsid; 3371 int rc; 3372 3373 if (strcmp(name, XATTR_NAME_SELINUX)) { 3374 /* Not an attribute we recognize, so nothing to do. */ 3375 return; 3376 } 3377 3378 if (!selinux_initialized(&selinux_state)) { 3379 /* If we haven't even been initialized, then we can't validate 3380 * against a policy, so leave the label as invalid. It may 3381 * resolve to a valid label on the next revalidation try if 3382 * we've since initialized. 3383 */ 3384 return; 3385 } 3386 3387 rc = security_context_to_sid_force(&selinux_state, value, size, 3388 &newsid); 3389 if (rc) { 3390 pr_err("SELinux: unable to map context to SID" 3391 "for (%s, %lu), rc=%d\n", 3392 inode->i_sb->s_id, inode->i_ino, -rc); 3393 return; 3394 } 3395 3396 isec = backing_inode_security(dentry); 3397 spin_lock(&isec->lock); 3398 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3399 isec->sid = newsid; 3400 isec->initialized = LABEL_INITIALIZED; 3401 spin_unlock(&isec->lock); 3402 3403 return; 3404 } 3405 3406 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3407 { 3408 const struct cred *cred = current_cred(); 3409 3410 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3411 } 3412 3413 static int selinux_inode_listxattr(struct dentry *dentry) 3414 { 3415 const struct cred *cred = current_cred(); 3416 3417 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3418 } 3419 3420 static int selinux_inode_removexattr(struct user_namespace *mnt_userns, 3421 struct dentry *dentry, const char *name) 3422 { 3423 if (strcmp(name, XATTR_NAME_SELINUX)) { 3424 int rc = cap_inode_removexattr(mnt_userns, dentry, name); 3425 if (rc) 3426 return rc; 3427 3428 /* Not an attribute we recognize, so just check the 3429 ordinary setattr permission. */ 3430 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3431 } 3432 3433 if (!selinux_initialized(&selinux_state)) 3434 return 0; 3435 3436 /* No one is allowed to remove a SELinux security label. 3437 You can change the label, but all data must be labeled. */ 3438 return -EACCES; 3439 } 3440 3441 static int selinux_path_notify(const struct path *path, u64 mask, 3442 unsigned int obj_type) 3443 { 3444 int ret; 3445 u32 perm; 3446 3447 struct common_audit_data ad; 3448 3449 ad.type = LSM_AUDIT_DATA_PATH; 3450 ad.u.path = *path; 3451 3452 /* 3453 * Set permission needed based on the type of mark being set. 3454 * Performs an additional check for sb watches. 3455 */ 3456 switch (obj_type) { 3457 case FSNOTIFY_OBJ_TYPE_VFSMOUNT: 3458 perm = FILE__WATCH_MOUNT; 3459 break; 3460 case FSNOTIFY_OBJ_TYPE_SB: 3461 perm = FILE__WATCH_SB; 3462 ret = superblock_has_perm(current_cred(), path->dentry->d_sb, 3463 FILESYSTEM__WATCH, &ad); 3464 if (ret) 3465 return ret; 3466 break; 3467 case FSNOTIFY_OBJ_TYPE_INODE: 3468 perm = FILE__WATCH; 3469 break; 3470 default: 3471 return -EINVAL; 3472 } 3473 3474 /* blocking watches require the file:watch_with_perm permission */ 3475 if (mask & (ALL_FSNOTIFY_PERM_EVENTS)) 3476 perm |= FILE__WATCH_WITH_PERM; 3477 3478 /* watches on read-like events need the file:watch_reads permission */ 3479 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE)) 3480 perm |= FILE__WATCH_READS; 3481 3482 return path_has_perm(current_cred(), path, perm); 3483 } 3484 3485 /* 3486 * Copy the inode security context value to the user. 3487 * 3488 * Permission check is handled by selinux_inode_getxattr hook. 3489 */ 3490 static int selinux_inode_getsecurity(struct user_namespace *mnt_userns, 3491 struct inode *inode, const char *name, 3492 void **buffer, bool alloc) 3493 { 3494 u32 size; 3495 int error; 3496 char *context = NULL; 3497 struct inode_security_struct *isec; 3498 3499 /* 3500 * If we're not initialized yet, then we can't validate contexts, so 3501 * just let vfs_getxattr fall back to using the on-disk xattr. 3502 */ 3503 if (!selinux_initialized(&selinux_state) || 3504 strcmp(name, XATTR_SELINUX_SUFFIX)) 3505 return -EOPNOTSUPP; 3506 3507 /* 3508 * If the caller has CAP_MAC_ADMIN, then get the raw context 3509 * value even if it is not defined by current policy; otherwise, 3510 * use the in-core value under current policy. 3511 * Use the non-auditing forms of the permission checks since 3512 * getxattr may be called by unprivileged processes commonly 3513 * and lack of permission just means that we fall back to the 3514 * in-core context value, not a denial. 3515 */ 3516 isec = inode_security(inode); 3517 if (has_cap_mac_admin(false)) 3518 error = security_sid_to_context_force(&selinux_state, 3519 isec->sid, &context, 3520 &size); 3521 else 3522 error = security_sid_to_context(&selinux_state, isec->sid, 3523 &context, &size); 3524 if (error) 3525 return error; 3526 error = size; 3527 if (alloc) { 3528 *buffer = context; 3529 goto out_nofree; 3530 } 3531 kfree(context); 3532 out_nofree: 3533 return error; 3534 } 3535 3536 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3537 const void *value, size_t size, int flags) 3538 { 3539 struct inode_security_struct *isec = inode_security_novalidate(inode); 3540 struct superblock_security_struct *sbsec; 3541 u32 newsid; 3542 int rc; 3543 3544 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3545 return -EOPNOTSUPP; 3546 3547 sbsec = selinux_superblock(inode->i_sb); 3548 if (!(sbsec->flags & SBLABEL_MNT)) 3549 return -EOPNOTSUPP; 3550 3551 if (!value || !size) 3552 return -EACCES; 3553 3554 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3555 GFP_KERNEL); 3556 if (rc) 3557 return rc; 3558 3559 spin_lock(&isec->lock); 3560 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3561 isec->sid = newsid; 3562 isec->initialized = LABEL_INITIALIZED; 3563 spin_unlock(&isec->lock); 3564 return 0; 3565 } 3566 3567 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3568 { 3569 const int len = sizeof(XATTR_NAME_SELINUX); 3570 3571 if (!selinux_initialized(&selinux_state)) 3572 return 0; 3573 3574 if (buffer && len <= buffer_size) 3575 memcpy(buffer, XATTR_NAME_SELINUX, len); 3576 return len; 3577 } 3578 3579 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3580 { 3581 struct inode_security_struct *isec = inode_security_novalidate(inode); 3582 *secid = isec->sid; 3583 } 3584 3585 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3586 { 3587 u32 sid; 3588 struct task_security_struct *tsec; 3589 struct cred *new_creds = *new; 3590 3591 if (new_creds == NULL) { 3592 new_creds = prepare_creds(); 3593 if (!new_creds) 3594 return -ENOMEM; 3595 } 3596 3597 tsec = selinux_cred(new_creds); 3598 /* Get label from overlay inode and set it in create_sid */ 3599 selinux_inode_getsecid(d_inode(src), &sid); 3600 tsec->create_sid = sid; 3601 *new = new_creds; 3602 return 0; 3603 } 3604 3605 static int selinux_inode_copy_up_xattr(const char *name) 3606 { 3607 /* The copy_up hook above sets the initial context on an inode, but we 3608 * don't then want to overwrite it by blindly copying all the lower 3609 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3610 */ 3611 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3612 return 1; /* Discard */ 3613 /* 3614 * Any other attribute apart from SELINUX is not claimed, supported 3615 * by selinux. 3616 */ 3617 return -EOPNOTSUPP; 3618 } 3619 3620 /* kernfs node operations */ 3621 3622 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, 3623 struct kernfs_node *kn) 3624 { 3625 const struct task_security_struct *tsec = selinux_cred(current_cred()); 3626 u32 parent_sid, newsid, clen; 3627 int rc; 3628 char *context; 3629 3630 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0); 3631 if (rc == -ENODATA) 3632 return 0; 3633 else if (rc < 0) 3634 return rc; 3635 3636 clen = (u32)rc; 3637 context = kmalloc(clen, GFP_KERNEL); 3638 if (!context) 3639 return -ENOMEM; 3640 3641 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen); 3642 if (rc < 0) { 3643 kfree(context); 3644 return rc; 3645 } 3646 3647 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid, 3648 GFP_KERNEL); 3649 kfree(context); 3650 if (rc) 3651 return rc; 3652 3653 if (tsec->create_sid) { 3654 newsid = tsec->create_sid; 3655 } else { 3656 u16 secclass = inode_mode_to_security_class(kn->mode); 3657 struct qstr q; 3658 3659 q.name = kn->name; 3660 q.hash_len = hashlen_string(kn_dir, kn->name); 3661 3662 rc = security_transition_sid(&selinux_state, tsec->sid, 3663 parent_sid, secclass, &q, 3664 &newsid); 3665 if (rc) 3666 return rc; 3667 } 3668 3669 rc = security_sid_to_context_force(&selinux_state, newsid, 3670 &context, &clen); 3671 if (rc) 3672 return rc; 3673 3674 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen, 3675 XATTR_CREATE); 3676 kfree(context); 3677 return rc; 3678 } 3679 3680 3681 /* file security operations */ 3682 3683 static int selinux_revalidate_file_permission(struct file *file, int mask) 3684 { 3685 const struct cred *cred = current_cred(); 3686 struct inode *inode = file_inode(file); 3687 3688 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3689 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3690 mask |= MAY_APPEND; 3691 3692 return file_has_perm(cred, file, 3693 file_mask_to_av(inode->i_mode, mask)); 3694 } 3695 3696 static int selinux_file_permission(struct file *file, int mask) 3697 { 3698 struct inode *inode = file_inode(file); 3699 struct file_security_struct *fsec = selinux_file(file); 3700 struct inode_security_struct *isec; 3701 u32 sid = current_sid(); 3702 3703 if (!mask) 3704 /* No permission to check. Existence test. */ 3705 return 0; 3706 3707 isec = inode_security(inode); 3708 if (sid == fsec->sid && fsec->isid == isec->sid && 3709 fsec->pseqno == avc_policy_seqno(&selinux_state)) 3710 /* No change since file_open check. */ 3711 return 0; 3712 3713 return selinux_revalidate_file_permission(file, mask); 3714 } 3715 3716 static int selinux_file_alloc_security(struct file *file) 3717 { 3718 struct file_security_struct *fsec = selinux_file(file); 3719 u32 sid = current_sid(); 3720 3721 fsec->sid = sid; 3722 fsec->fown_sid = sid; 3723 3724 return 0; 3725 } 3726 3727 /* 3728 * Check whether a task has the ioctl permission and cmd 3729 * operation to an inode. 3730 */ 3731 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3732 u32 requested, u16 cmd) 3733 { 3734 struct common_audit_data ad; 3735 struct file_security_struct *fsec = selinux_file(file); 3736 struct inode *inode = file_inode(file); 3737 struct inode_security_struct *isec; 3738 struct lsm_ioctlop_audit ioctl; 3739 u32 ssid = cred_sid(cred); 3740 int rc; 3741 u8 driver = cmd >> 8; 3742 u8 xperm = cmd & 0xff; 3743 3744 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3745 ad.u.op = &ioctl; 3746 ad.u.op->cmd = cmd; 3747 ad.u.op->path = file->f_path; 3748 3749 if (ssid != fsec->sid) { 3750 rc = avc_has_perm(&selinux_state, 3751 ssid, fsec->sid, 3752 SECCLASS_FD, 3753 FD__USE, 3754 &ad); 3755 if (rc) 3756 goto out; 3757 } 3758 3759 if (unlikely(IS_PRIVATE(inode))) 3760 return 0; 3761 3762 isec = inode_security(inode); 3763 rc = avc_has_extended_perms(&selinux_state, 3764 ssid, isec->sid, isec->sclass, 3765 requested, driver, xperm, &ad); 3766 out: 3767 return rc; 3768 } 3769 3770 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3771 unsigned long arg) 3772 { 3773 const struct cred *cred = current_cred(); 3774 int error = 0; 3775 3776 switch (cmd) { 3777 case FIONREAD: 3778 case FIBMAP: 3779 case FIGETBSZ: 3780 case FS_IOC_GETFLAGS: 3781 case FS_IOC_GETVERSION: 3782 error = file_has_perm(cred, file, FILE__GETATTR); 3783 break; 3784 3785 case FS_IOC_SETFLAGS: 3786 case FS_IOC_SETVERSION: 3787 error = file_has_perm(cred, file, FILE__SETATTR); 3788 break; 3789 3790 /* sys_ioctl() checks */ 3791 case FIONBIO: 3792 case FIOASYNC: 3793 error = file_has_perm(cred, file, 0); 3794 break; 3795 3796 case KDSKBENT: 3797 case KDSKBSENT: 3798 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3799 CAP_OPT_NONE, true); 3800 break; 3801 3802 /* default case assumes that the command will go 3803 * to the file's ioctl() function. 3804 */ 3805 default: 3806 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3807 } 3808 return error; 3809 } 3810 3811 static int default_noexec __ro_after_init; 3812 3813 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3814 { 3815 const struct cred *cred = current_cred(); 3816 u32 sid = cred_sid(cred); 3817 int rc = 0; 3818 3819 if (default_noexec && 3820 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3821 (!shared && (prot & PROT_WRITE)))) { 3822 /* 3823 * We are making executable an anonymous mapping or a 3824 * private file mapping that will also be writable. 3825 * This has an additional check. 3826 */ 3827 rc = avc_has_perm(&selinux_state, 3828 sid, sid, SECCLASS_PROCESS, 3829 PROCESS__EXECMEM, NULL); 3830 if (rc) 3831 goto error; 3832 } 3833 3834 if (file) { 3835 /* read access is always possible with a mapping */ 3836 u32 av = FILE__READ; 3837 3838 /* write access only matters if the mapping is shared */ 3839 if (shared && (prot & PROT_WRITE)) 3840 av |= FILE__WRITE; 3841 3842 if (prot & PROT_EXEC) 3843 av |= FILE__EXECUTE; 3844 3845 return file_has_perm(cred, file, av); 3846 } 3847 3848 error: 3849 return rc; 3850 } 3851 3852 static int selinux_mmap_addr(unsigned long addr) 3853 { 3854 int rc = 0; 3855 3856 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3857 u32 sid = current_sid(); 3858 rc = avc_has_perm(&selinux_state, 3859 sid, sid, SECCLASS_MEMPROTECT, 3860 MEMPROTECT__MMAP_ZERO, NULL); 3861 } 3862 3863 return rc; 3864 } 3865 3866 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3867 unsigned long prot, unsigned long flags) 3868 { 3869 struct common_audit_data ad; 3870 int rc; 3871 3872 if (file) { 3873 ad.type = LSM_AUDIT_DATA_FILE; 3874 ad.u.file = file; 3875 rc = inode_has_perm(current_cred(), file_inode(file), 3876 FILE__MAP, &ad); 3877 if (rc) 3878 return rc; 3879 } 3880 3881 if (checkreqprot_get(&selinux_state)) 3882 prot = reqprot; 3883 3884 return file_map_prot_check(file, prot, 3885 (flags & MAP_TYPE) == MAP_SHARED); 3886 } 3887 3888 static int selinux_file_mprotect(struct vm_area_struct *vma, 3889 unsigned long reqprot, 3890 unsigned long prot) 3891 { 3892 const struct cred *cred = current_cred(); 3893 u32 sid = cred_sid(cred); 3894 3895 if (checkreqprot_get(&selinux_state)) 3896 prot = reqprot; 3897 3898 if (default_noexec && 3899 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3900 int rc = 0; 3901 if (vma->vm_start >= vma->vm_mm->start_brk && 3902 vma->vm_end <= vma->vm_mm->brk) { 3903 rc = avc_has_perm(&selinux_state, 3904 sid, sid, SECCLASS_PROCESS, 3905 PROCESS__EXECHEAP, NULL); 3906 } else if (!vma->vm_file && 3907 ((vma->vm_start <= vma->vm_mm->start_stack && 3908 vma->vm_end >= vma->vm_mm->start_stack) || 3909 vma_is_stack_for_current(vma))) { 3910 rc = avc_has_perm(&selinux_state, 3911 sid, sid, SECCLASS_PROCESS, 3912 PROCESS__EXECSTACK, NULL); 3913 } else if (vma->vm_file && vma->anon_vma) { 3914 /* 3915 * We are making executable a file mapping that has 3916 * had some COW done. Since pages might have been 3917 * written, check ability to execute the possibly 3918 * modified content. This typically should only 3919 * occur for text relocations. 3920 */ 3921 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3922 } 3923 if (rc) 3924 return rc; 3925 } 3926 3927 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3928 } 3929 3930 static int selinux_file_lock(struct file *file, unsigned int cmd) 3931 { 3932 const struct cred *cred = current_cred(); 3933 3934 return file_has_perm(cred, file, FILE__LOCK); 3935 } 3936 3937 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3938 unsigned long arg) 3939 { 3940 const struct cred *cred = current_cred(); 3941 int err = 0; 3942 3943 switch (cmd) { 3944 case F_SETFL: 3945 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3946 err = file_has_perm(cred, file, FILE__WRITE); 3947 break; 3948 } 3949 fallthrough; 3950 case F_SETOWN: 3951 case F_SETSIG: 3952 case F_GETFL: 3953 case F_GETOWN: 3954 case F_GETSIG: 3955 case F_GETOWNER_UIDS: 3956 /* Just check FD__USE permission */ 3957 err = file_has_perm(cred, file, 0); 3958 break; 3959 case F_GETLK: 3960 case F_SETLK: 3961 case F_SETLKW: 3962 case F_OFD_GETLK: 3963 case F_OFD_SETLK: 3964 case F_OFD_SETLKW: 3965 #if BITS_PER_LONG == 32 3966 case F_GETLK64: 3967 case F_SETLK64: 3968 case F_SETLKW64: 3969 #endif 3970 err = file_has_perm(cred, file, FILE__LOCK); 3971 break; 3972 } 3973 3974 return err; 3975 } 3976 3977 static void selinux_file_set_fowner(struct file *file) 3978 { 3979 struct file_security_struct *fsec; 3980 3981 fsec = selinux_file(file); 3982 fsec->fown_sid = current_sid(); 3983 } 3984 3985 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3986 struct fown_struct *fown, int signum) 3987 { 3988 struct file *file; 3989 u32 sid = task_sid_obj(tsk); 3990 u32 perm; 3991 struct file_security_struct *fsec; 3992 3993 /* struct fown_struct is never outside the context of a struct file */ 3994 file = container_of(fown, struct file, f_owner); 3995 3996 fsec = selinux_file(file); 3997 3998 if (!signum) 3999 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 4000 else 4001 perm = signal_to_av(signum); 4002 4003 return avc_has_perm(&selinux_state, 4004 fsec->fown_sid, sid, 4005 SECCLASS_PROCESS, perm, NULL); 4006 } 4007 4008 static int selinux_file_receive(struct file *file) 4009 { 4010 const struct cred *cred = current_cred(); 4011 4012 return file_has_perm(cred, file, file_to_av(file)); 4013 } 4014 4015 static int selinux_file_open(struct file *file) 4016 { 4017 struct file_security_struct *fsec; 4018 struct inode_security_struct *isec; 4019 4020 fsec = selinux_file(file); 4021 isec = inode_security(file_inode(file)); 4022 /* 4023 * Save inode label and policy sequence number 4024 * at open-time so that selinux_file_permission 4025 * can determine whether revalidation is necessary. 4026 * Task label is already saved in the file security 4027 * struct as its SID. 4028 */ 4029 fsec->isid = isec->sid; 4030 fsec->pseqno = avc_policy_seqno(&selinux_state); 4031 /* 4032 * Since the inode label or policy seqno may have changed 4033 * between the selinux_inode_permission check and the saving 4034 * of state above, recheck that access is still permitted. 4035 * Otherwise, access might never be revalidated against the 4036 * new inode label or new policy. 4037 * This check is not redundant - do not remove. 4038 */ 4039 return file_path_has_perm(file->f_cred, file, open_file_to_av(file)); 4040 } 4041 4042 /* task security operations */ 4043 4044 static int selinux_task_alloc(struct task_struct *task, 4045 unsigned long clone_flags) 4046 { 4047 u32 sid = current_sid(); 4048 4049 return avc_has_perm(&selinux_state, 4050 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 4051 } 4052 4053 /* 4054 * prepare a new set of credentials for modification 4055 */ 4056 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 4057 gfp_t gfp) 4058 { 4059 const struct task_security_struct *old_tsec = selinux_cred(old); 4060 struct task_security_struct *tsec = selinux_cred(new); 4061 4062 *tsec = *old_tsec; 4063 return 0; 4064 } 4065 4066 /* 4067 * transfer the SELinux data to a blank set of creds 4068 */ 4069 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 4070 { 4071 const struct task_security_struct *old_tsec = selinux_cred(old); 4072 struct task_security_struct *tsec = selinux_cred(new); 4073 4074 *tsec = *old_tsec; 4075 } 4076 4077 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 4078 { 4079 *secid = cred_sid(c); 4080 } 4081 4082 /* 4083 * set the security data for a kernel service 4084 * - all the creation contexts are set to unlabelled 4085 */ 4086 static int selinux_kernel_act_as(struct cred *new, u32 secid) 4087 { 4088 struct task_security_struct *tsec = selinux_cred(new); 4089 u32 sid = current_sid(); 4090 int ret; 4091 4092 ret = avc_has_perm(&selinux_state, 4093 sid, secid, 4094 SECCLASS_KERNEL_SERVICE, 4095 KERNEL_SERVICE__USE_AS_OVERRIDE, 4096 NULL); 4097 if (ret == 0) { 4098 tsec->sid = secid; 4099 tsec->create_sid = 0; 4100 tsec->keycreate_sid = 0; 4101 tsec->sockcreate_sid = 0; 4102 } 4103 return ret; 4104 } 4105 4106 /* 4107 * set the file creation context in a security record to the same as the 4108 * objective context of the specified inode 4109 */ 4110 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 4111 { 4112 struct inode_security_struct *isec = inode_security(inode); 4113 struct task_security_struct *tsec = selinux_cred(new); 4114 u32 sid = current_sid(); 4115 int ret; 4116 4117 ret = avc_has_perm(&selinux_state, 4118 sid, isec->sid, 4119 SECCLASS_KERNEL_SERVICE, 4120 KERNEL_SERVICE__CREATE_FILES_AS, 4121 NULL); 4122 4123 if (ret == 0) 4124 tsec->create_sid = isec->sid; 4125 return ret; 4126 } 4127 4128 static int selinux_kernel_module_request(char *kmod_name) 4129 { 4130 struct common_audit_data ad; 4131 4132 ad.type = LSM_AUDIT_DATA_KMOD; 4133 ad.u.kmod_name = kmod_name; 4134 4135 return avc_has_perm(&selinux_state, 4136 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4137 SYSTEM__MODULE_REQUEST, &ad); 4138 } 4139 4140 static int selinux_kernel_module_from_file(struct file *file) 4141 { 4142 struct common_audit_data ad; 4143 struct inode_security_struct *isec; 4144 struct file_security_struct *fsec; 4145 u32 sid = current_sid(); 4146 int rc; 4147 4148 /* init_module */ 4149 if (file == NULL) 4150 return avc_has_perm(&selinux_state, 4151 sid, sid, SECCLASS_SYSTEM, 4152 SYSTEM__MODULE_LOAD, NULL); 4153 4154 /* finit_module */ 4155 4156 ad.type = LSM_AUDIT_DATA_FILE; 4157 ad.u.file = file; 4158 4159 fsec = selinux_file(file); 4160 if (sid != fsec->sid) { 4161 rc = avc_has_perm(&selinux_state, 4162 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4163 if (rc) 4164 return rc; 4165 } 4166 4167 isec = inode_security(file_inode(file)); 4168 return avc_has_perm(&selinux_state, 4169 sid, isec->sid, SECCLASS_SYSTEM, 4170 SYSTEM__MODULE_LOAD, &ad); 4171 } 4172 4173 static int selinux_kernel_read_file(struct file *file, 4174 enum kernel_read_file_id id, 4175 bool contents) 4176 { 4177 int rc = 0; 4178 4179 switch (id) { 4180 case READING_MODULE: 4181 rc = selinux_kernel_module_from_file(contents ? file : NULL); 4182 break; 4183 default: 4184 break; 4185 } 4186 4187 return rc; 4188 } 4189 4190 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents) 4191 { 4192 int rc = 0; 4193 4194 switch (id) { 4195 case LOADING_MODULE: 4196 rc = selinux_kernel_module_from_file(NULL); 4197 break; 4198 default: 4199 break; 4200 } 4201 4202 return rc; 4203 } 4204 4205 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4206 { 4207 return avc_has_perm(&selinux_state, 4208 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4209 PROCESS__SETPGID, NULL); 4210 } 4211 4212 static int selinux_task_getpgid(struct task_struct *p) 4213 { 4214 return avc_has_perm(&selinux_state, 4215 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4216 PROCESS__GETPGID, NULL); 4217 } 4218 4219 static int selinux_task_getsid(struct task_struct *p) 4220 { 4221 return avc_has_perm(&selinux_state, 4222 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4223 PROCESS__GETSESSION, NULL); 4224 } 4225 4226 static void selinux_task_getsecid_subj(struct task_struct *p, u32 *secid) 4227 { 4228 *secid = task_sid_subj(p); 4229 } 4230 4231 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid) 4232 { 4233 *secid = task_sid_obj(p); 4234 } 4235 4236 static int selinux_task_setnice(struct task_struct *p, int nice) 4237 { 4238 return avc_has_perm(&selinux_state, 4239 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4240 PROCESS__SETSCHED, NULL); 4241 } 4242 4243 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4244 { 4245 return avc_has_perm(&selinux_state, 4246 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4247 PROCESS__SETSCHED, NULL); 4248 } 4249 4250 static int selinux_task_getioprio(struct task_struct *p) 4251 { 4252 return avc_has_perm(&selinux_state, 4253 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4254 PROCESS__GETSCHED, NULL); 4255 } 4256 4257 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4258 unsigned int flags) 4259 { 4260 u32 av = 0; 4261 4262 if (!flags) 4263 return 0; 4264 if (flags & LSM_PRLIMIT_WRITE) 4265 av |= PROCESS__SETRLIMIT; 4266 if (flags & LSM_PRLIMIT_READ) 4267 av |= PROCESS__GETRLIMIT; 4268 return avc_has_perm(&selinux_state, 4269 cred_sid(cred), cred_sid(tcred), 4270 SECCLASS_PROCESS, av, NULL); 4271 } 4272 4273 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4274 struct rlimit *new_rlim) 4275 { 4276 struct rlimit *old_rlim = p->signal->rlim + resource; 4277 4278 /* Control the ability to change the hard limit (whether 4279 lowering or raising it), so that the hard limit can 4280 later be used as a safe reset point for the soft limit 4281 upon context transitions. See selinux_bprm_committing_creds. */ 4282 if (old_rlim->rlim_max != new_rlim->rlim_max) 4283 return avc_has_perm(&selinux_state, 4284 current_sid(), task_sid_obj(p), 4285 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4286 4287 return 0; 4288 } 4289 4290 static int selinux_task_setscheduler(struct task_struct *p) 4291 { 4292 return avc_has_perm(&selinux_state, 4293 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4294 PROCESS__SETSCHED, NULL); 4295 } 4296 4297 static int selinux_task_getscheduler(struct task_struct *p) 4298 { 4299 return avc_has_perm(&selinux_state, 4300 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4301 PROCESS__GETSCHED, NULL); 4302 } 4303 4304 static int selinux_task_movememory(struct task_struct *p) 4305 { 4306 return avc_has_perm(&selinux_state, 4307 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4308 PROCESS__SETSCHED, NULL); 4309 } 4310 4311 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, 4312 int sig, const struct cred *cred) 4313 { 4314 u32 secid; 4315 u32 perm; 4316 4317 if (!sig) 4318 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4319 else 4320 perm = signal_to_av(sig); 4321 if (!cred) 4322 secid = current_sid(); 4323 else 4324 secid = cred_sid(cred); 4325 return avc_has_perm(&selinux_state, 4326 secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL); 4327 } 4328 4329 static void selinux_task_to_inode(struct task_struct *p, 4330 struct inode *inode) 4331 { 4332 struct inode_security_struct *isec = selinux_inode(inode); 4333 u32 sid = task_sid_obj(p); 4334 4335 spin_lock(&isec->lock); 4336 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4337 isec->sid = sid; 4338 isec->initialized = LABEL_INITIALIZED; 4339 spin_unlock(&isec->lock); 4340 } 4341 4342 /* Returns error only if unable to parse addresses */ 4343 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4344 struct common_audit_data *ad, u8 *proto) 4345 { 4346 int offset, ihlen, ret = -EINVAL; 4347 struct iphdr _iph, *ih; 4348 4349 offset = skb_network_offset(skb); 4350 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4351 if (ih == NULL) 4352 goto out; 4353 4354 ihlen = ih->ihl * 4; 4355 if (ihlen < sizeof(_iph)) 4356 goto out; 4357 4358 ad->u.net->v4info.saddr = ih->saddr; 4359 ad->u.net->v4info.daddr = ih->daddr; 4360 ret = 0; 4361 4362 if (proto) 4363 *proto = ih->protocol; 4364 4365 switch (ih->protocol) { 4366 case IPPROTO_TCP: { 4367 struct tcphdr _tcph, *th; 4368 4369 if (ntohs(ih->frag_off) & IP_OFFSET) 4370 break; 4371 4372 offset += ihlen; 4373 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4374 if (th == NULL) 4375 break; 4376 4377 ad->u.net->sport = th->source; 4378 ad->u.net->dport = th->dest; 4379 break; 4380 } 4381 4382 case IPPROTO_UDP: { 4383 struct udphdr _udph, *uh; 4384 4385 if (ntohs(ih->frag_off) & IP_OFFSET) 4386 break; 4387 4388 offset += ihlen; 4389 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4390 if (uh == NULL) 4391 break; 4392 4393 ad->u.net->sport = uh->source; 4394 ad->u.net->dport = uh->dest; 4395 break; 4396 } 4397 4398 case IPPROTO_DCCP: { 4399 struct dccp_hdr _dccph, *dh; 4400 4401 if (ntohs(ih->frag_off) & IP_OFFSET) 4402 break; 4403 4404 offset += ihlen; 4405 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4406 if (dh == NULL) 4407 break; 4408 4409 ad->u.net->sport = dh->dccph_sport; 4410 ad->u.net->dport = dh->dccph_dport; 4411 break; 4412 } 4413 4414 #if IS_ENABLED(CONFIG_IP_SCTP) 4415 case IPPROTO_SCTP: { 4416 struct sctphdr _sctph, *sh; 4417 4418 if (ntohs(ih->frag_off) & IP_OFFSET) 4419 break; 4420 4421 offset += ihlen; 4422 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4423 if (sh == NULL) 4424 break; 4425 4426 ad->u.net->sport = sh->source; 4427 ad->u.net->dport = sh->dest; 4428 break; 4429 } 4430 #endif 4431 default: 4432 break; 4433 } 4434 out: 4435 return ret; 4436 } 4437 4438 #if IS_ENABLED(CONFIG_IPV6) 4439 4440 /* Returns error only if unable to parse addresses */ 4441 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4442 struct common_audit_data *ad, u8 *proto) 4443 { 4444 u8 nexthdr; 4445 int ret = -EINVAL, offset; 4446 struct ipv6hdr _ipv6h, *ip6; 4447 __be16 frag_off; 4448 4449 offset = skb_network_offset(skb); 4450 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4451 if (ip6 == NULL) 4452 goto out; 4453 4454 ad->u.net->v6info.saddr = ip6->saddr; 4455 ad->u.net->v6info.daddr = ip6->daddr; 4456 ret = 0; 4457 4458 nexthdr = ip6->nexthdr; 4459 offset += sizeof(_ipv6h); 4460 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4461 if (offset < 0) 4462 goto out; 4463 4464 if (proto) 4465 *proto = nexthdr; 4466 4467 switch (nexthdr) { 4468 case IPPROTO_TCP: { 4469 struct tcphdr _tcph, *th; 4470 4471 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4472 if (th == NULL) 4473 break; 4474 4475 ad->u.net->sport = th->source; 4476 ad->u.net->dport = th->dest; 4477 break; 4478 } 4479 4480 case IPPROTO_UDP: { 4481 struct udphdr _udph, *uh; 4482 4483 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4484 if (uh == NULL) 4485 break; 4486 4487 ad->u.net->sport = uh->source; 4488 ad->u.net->dport = uh->dest; 4489 break; 4490 } 4491 4492 case IPPROTO_DCCP: { 4493 struct dccp_hdr _dccph, *dh; 4494 4495 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4496 if (dh == NULL) 4497 break; 4498 4499 ad->u.net->sport = dh->dccph_sport; 4500 ad->u.net->dport = dh->dccph_dport; 4501 break; 4502 } 4503 4504 #if IS_ENABLED(CONFIG_IP_SCTP) 4505 case IPPROTO_SCTP: { 4506 struct sctphdr _sctph, *sh; 4507 4508 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4509 if (sh == NULL) 4510 break; 4511 4512 ad->u.net->sport = sh->source; 4513 ad->u.net->dport = sh->dest; 4514 break; 4515 } 4516 #endif 4517 /* includes fragments */ 4518 default: 4519 break; 4520 } 4521 out: 4522 return ret; 4523 } 4524 4525 #endif /* IPV6 */ 4526 4527 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4528 char **_addrp, int src, u8 *proto) 4529 { 4530 char *addrp; 4531 int ret; 4532 4533 switch (ad->u.net->family) { 4534 case PF_INET: 4535 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4536 if (ret) 4537 goto parse_error; 4538 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4539 &ad->u.net->v4info.daddr); 4540 goto okay; 4541 4542 #if IS_ENABLED(CONFIG_IPV6) 4543 case PF_INET6: 4544 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4545 if (ret) 4546 goto parse_error; 4547 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4548 &ad->u.net->v6info.daddr); 4549 goto okay; 4550 #endif /* IPV6 */ 4551 default: 4552 addrp = NULL; 4553 goto okay; 4554 } 4555 4556 parse_error: 4557 pr_warn( 4558 "SELinux: failure in selinux_parse_skb()," 4559 " unable to parse packet\n"); 4560 return ret; 4561 4562 okay: 4563 if (_addrp) 4564 *_addrp = addrp; 4565 return 0; 4566 } 4567 4568 /** 4569 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4570 * @skb: the packet 4571 * @family: protocol family 4572 * @sid: the packet's peer label SID 4573 * 4574 * Description: 4575 * Check the various different forms of network peer labeling and determine 4576 * the peer label/SID for the packet; most of the magic actually occurs in 4577 * the security server function security_net_peersid_cmp(). The function 4578 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4579 * or -EACCES if @sid is invalid due to inconsistencies with the different 4580 * peer labels. 4581 * 4582 */ 4583 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4584 { 4585 int err; 4586 u32 xfrm_sid; 4587 u32 nlbl_sid; 4588 u32 nlbl_type; 4589 4590 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4591 if (unlikely(err)) 4592 return -EACCES; 4593 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4594 if (unlikely(err)) 4595 return -EACCES; 4596 4597 err = security_net_peersid_resolve(&selinux_state, nlbl_sid, 4598 nlbl_type, xfrm_sid, sid); 4599 if (unlikely(err)) { 4600 pr_warn( 4601 "SELinux: failure in selinux_skb_peerlbl_sid()," 4602 " unable to determine packet's peer label\n"); 4603 return -EACCES; 4604 } 4605 4606 return 0; 4607 } 4608 4609 /** 4610 * selinux_conn_sid - Determine the child socket label for a connection 4611 * @sk_sid: the parent socket's SID 4612 * @skb_sid: the packet's SID 4613 * @conn_sid: the resulting connection SID 4614 * 4615 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4616 * combined with the MLS information from @skb_sid in order to create 4617 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy 4618 * of @sk_sid. Returns zero on success, negative values on failure. 4619 * 4620 */ 4621 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4622 { 4623 int err = 0; 4624 4625 if (skb_sid != SECSID_NULL) 4626 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid, 4627 conn_sid); 4628 else 4629 *conn_sid = sk_sid; 4630 4631 return err; 4632 } 4633 4634 /* socket security operations */ 4635 4636 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4637 u16 secclass, u32 *socksid) 4638 { 4639 if (tsec->sockcreate_sid > SECSID_NULL) { 4640 *socksid = tsec->sockcreate_sid; 4641 return 0; 4642 } 4643 4644 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid, 4645 secclass, NULL, socksid); 4646 } 4647 4648 static int sock_has_perm(struct sock *sk, u32 perms) 4649 { 4650 struct sk_security_struct *sksec = sk->sk_security; 4651 struct common_audit_data ad; 4652 struct lsm_network_audit net = {0,}; 4653 4654 if (sksec->sid == SECINITSID_KERNEL) 4655 return 0; 4656 4657 ad.type = LSM_AUDIT_DATA_NET; 4658 ad.u.net = &net; 4659 ad.u.net->sk = sk; 4660 4661 return avc_has_perm(&selinux_state, 4662 current_sid(), sksec->sid, sksec->sclass, perms, 4663 &ad); 4664 } 4665 4666 static int selinux_socket_create(int family, int type, 4667 int protocol, int kern) 4668 { 4669 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4670 u32 newsid; 4671 u16 secclass; 4672 int rc; 4673 4674 if (kern) 4675 return 0; 4676 4677 secclass = socket_type_to_security_class(family, type, protocol); 4678 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4679 if (rc) 4680 return rc; 4681 4682 return avc_has_perm(&selinux_state, 4683 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4684 } 4685 4686 static int selinux_socket_post_create(struct socket *sock, int family, 4687 int type, int protocol, int kern) 4688 { 4689 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4690 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4691 struct sk_security_struct *sksec; 4692 u16 sclass = socket_type_to_security_class(family, type, protocol); 4693 u32 sid = SECINITSID_KERNEL; 4694 int err = 0; 4695 4696 if (!kern) { 4697 err = socket_sockcreate_sid(tsec, sclass, &sid); 4698 if (err) 4699 return err; 4700 } 4701 4702 isec->sclass = sclass; 4703 isec->sid = sid; 4704 isec->initialized = LABEL_INITIALIZED; 4705 4706 if (sock->sk) { 4707 sksec = sock->sk->sk_security; 4708 sksec->sclass = sclass; 4709 sksec->sid = sid; 4710 /* Allows detection of the first association on this socket */ 4711 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4712 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4713 4714 err = selinux_netlbl_socket_post_create(sock->sk, family); 4715 } 4716 4717 return err; 4718 } 4719 4720 static int selinux_socket_socketpair(struct socket *socka, 4721 struct socket *sockb) 4722 { 4723 struct sk_security_struct *sksec_a = socka->sk->sk_security; 4724 struct sk_security_struct *sksec_b = sockb->sk->sk_security; 4725 4726 sksec_a->peer_sid = sksec_b->sid; 4727 sksec_b->peer_sid = sksec_a->sid; 4728 4729 return 0; 4730 } 4731 4732 /* Range of port numbers used to automatically bind. 4733 Need to determine whether we should perform a name_bind 4734 permission check between the socket and the port number. */ 4735 4736 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4737 { 4738 struct sock *sk = sock->sk; 4739 struct sk_security_struct *sksec = sk->sk_security; 4740 u16 family; 4741 int err; 4742 4743 err = sock_has_perm(sk, SOCKET__BIND); 4744 if (err) 4745 goto out; 4746 4747 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4748 family = sk->sk_family; 4749 if (family == PF_INET || family == PF_INET6) { 4750 char *addrp; 4751 struct common_audit_data ad; 4752 struct lsm_network_audit net = {0,}; 4753 struct sockaddr_in *addr4 = NULL; 4754 struct sockaddr_in6 *addr6 = NULL; 4755 u16 family_sa; 4756 unsigned short snum; 4757 u32 sid, node_perm; 4758 4759 /* 4760 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4761 * that validates multiple binding addresses. Because of this 4762 * need to check address->sa_family as it is possible to have 4763 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4764 */ 4765 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4766 return -EINVAL; 4767 family_sa = address->sa_family; 4768 switch (family_sa) { 4769 case AF_UNSPEC: 4770 case AF_INET: 4771 if (addrlen < sizeof(struct sockaddr_in)) 4772 return -EINVAL; 4773 addr4 = (struct sockaddr_in *)address; 4774 if (family_sa == AF_UNSPEC) { 4775 /* see __inet_bind(), we only want to allow 4776 * AF_UNSPEC if the address is INADDR_ANY 4777 */ 4778 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4779 goto err_af; 4780 family_sa = AF_INET; 4781 } 4782 snum = ntohs(addr4->sin_port); 4783 addrp = (char *)&addr4->sin_addr.s_addr; 4784 break; 4785 case AF_INET6: 4786 if (addrlen < SIN6_LEN_RFC2133) 4787 return -EINVAL; 4788 addr6 = (struct sockaddr_in6 *)address; 4789 snum = ntohs(addr6->sin6_port); 4790 addrp = (char *)&addr6->sin6_addr.s6_addr; 4791 break; 4792 default: 4793 goto err_af; 4794 } 4795 4796 ad.type = LSM_AUDIT_DATA_NET; 4797 ad.u.net = &net; 4798 ad.u.net->sport = htons(snum); 4799 ad.u.net->family = family_sa; 4800 4801 if (snum) { 4802 int low, high; 4803 4804 inet_get_local_port_range(sock_net(sk), &low, &high); 4805 4806 if (inet_port_requires_bind_service(sock_net(sk), snum) || 4807 snum < low || snum > high) { 4808 err = sel_netport_sid(sk->sk_protocol, 4809 snum, &sid); 4810 if (err) 4811 goto out; 4812 err = avc_has_perm(&selinux_state, 4813 sksec->sid, sid, 4814 sksec->sclass, 4815 SOCKET__NAME_BIND, &ad); 4816 if (err) 4817 goto out; 4818 } 4819 } 4820 4821 switch (sksec->sclass) { 4822 case SECCLASS_TCP_SOCKET: 4823 node_perm = TCP_SOCKET__NODE_BIND; 4824 break; 4825 4826 case SECCLASS_UDP_SOCKET: 4827 node_perm = UDP_SOCKET__NODE_BIND; 4828 break; 4829 4830 case SECCLASS_DCCP_SOCKET: 4831 node_perm = DCCP_SOCKET__NODE_BIND; 4832 break; 4833 4834 case SECCLASS_SCTP_SOCKET: 4835 node_perm = SCTP_SOCKET__NODE_BIND; 4836 break; 4837 4838 default: 4839 node_perm = RAWIP_SOCKET__NODE_BIND; 4840 break; 4841 } 4842 4843 err = sel_netnode_sid(addrp, family_sa, &sid); 4844 if (err) 4845 goto out; 4846 4847 if (family_sa == AF_INET) 4848 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4849 else 4850 ad.u.net->v6info.saddr = addr6->sin6_addr; 4851 4852 err = avc_has_perm(&selinux_state, 4853 sksec->sid, sid, 4854 sksec->sclass, node_perm, &ad); 4855 if (err) 4856 goto out; 4857 } 4858 out: 4859 return err; 4860 err_af: 4861 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4862 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4863 return -EINVAL; 4864 return -EAFNOSUPPORT; 4865 } 4866 4867 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 4868 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst 4869 */ 4870 static int selinux_socket_connect_helper(struct socket *sock, 4871 struct sockaddr *address, int addrlen) 4872 { 4873 struct sock *sk = sock->sk; 4874 struct sk_security_struct *sksec = sk->sk_security; 4875 int err; 4876 4877 err = sock_has_perm(sk, SOCKET__CONNECT); 4878 if (err) 4879 return err; 4880 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4881 return -EINVAL; 4882 4883 /* connect(AF_UNSPEC) has special handling, as it is a documented 4884 * way to disconnect the socket 4885 */ 4886 if (address->sa_family == AF_UNSPEC) 4887 return 0; 4888 4889 /* 4890 * If a TCP, DCCP or SCTP socket, check name_connect permission 4891 * for the port. 4892 */ 4893 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4894 sksec->sclass == SECCLASS_DCCP_SOCKET || 4895 sksec->sclass == SECCLASS_SCTP_SOCKET) { 4896 struct common_audit_data ad; 4897 struct lsm_network_audit net = {0,}; 4898 struct sockaddr_in *addr4 = NULL; 4899 struct sockaddr_in6 *addr6 = NULL; 4900 unsigned short snum; 4901 u32 sid, perm; 4902 4903 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 4904 * that validates multiple connect addresses. Because of this 4905 * need to check address->sa_family as it is possible to have 4906 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4907 */ 4908 switch (address->sa_family) { 4909 case AF_INET: 4910 addr4 = (struct sockaddr_in *)address; 4911 if (addrlen < sizeof(struct sockaddr_in)) 4912 return -EINVAL; 4913 snum = ntohs(addr4->sin_port); 4914 break; 4915 case AF_INET6: 4916 addr6 = (struct sockaddr_in6 *)address; 4917 if (addrlen < SIN6_LEN_RFC2133) 4918 return -EINVAL; 4919 snum = ntohs(addr6->sin6_port); 4920 break; 4921 default: 4922 /* Note that SCTP services expect -EINVAL, whereas 4923 * others expect -EAFNOSUPPORT. 4924 */ 4925 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4926 return -EINVAL; 4927 else 4928 return -EAFNOSUPPORT; 4929 } 4930 4931 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4932 if (err) 4933 return err; 4934 4935 switch (sksec->sclass) { 4936 case SECCLASS_TCP_SOCKET: 4937 perm = TCP_SOCKET__NAME_CONNECT; 4938 break; 4939 case SECCLASS_DCCP_SOCKET: 4940 perm = DCCP_SOCKET__NAME_CONNECT; 4941 break; 4942 case SECCLASS_SCTP_SOCKET: 4943 perm = SCTP_SOCKET__NAME_CONNECT; 4944 break; 4945 } 4946 4947 ad.type = LSM_AUDIT_DATA_NET; 4948 ad.u.net = &net; 4949 ad.u.net->dport = htons(snum); 4950 ad.u.net->family = address->sa_family; 4951 err = avc_has_perm(&selinux_state, 4952 sksec->sid, sid, sksec->sclass, perm, &ad); 4953 if (err) 4954 return err; 4955 } 4956 4957 return 0; 4958 } 4959 4960 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 4961 static int selinux_socket_connect(struct socket *sock, 4962 struct sockaddr *address, int addrlen) 4963 { 4964 int err; 4965 struct sock *sk = sock->sk; 4966 4967 err = selinux_socket_connect_helper(sock, address, addrlen); 4968 if (err) 4969 return err; 4970 4971 return selinux_netlbl_socket_connect(sk, address); 4972 } 4973 4974 static int selinux_socket_listen(struct socket *sock, int backlog) 4975 { 4976 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4977 } 4978 4979 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4980 { 4981 int err; 4982 struct inode_security_struct *isec; 4983 struct inode_security_struct *newisec; 4984 u16 sclass; 4985 u32 sid; 4986 4987 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4988 if (err) 4989 return err; 4990 4991 isec = inode_security_novalidate(SOCK_INODE(sock)); 4992 spin_lock(&isec->lock); 4993 sclass = isec->sclass; 4994 sid = isec->sid; 4995 spin_unlock(&isec->lock); 4996 4997 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4998 newisec->sclass = sclass; 4999 newisec->sid = sid; 5000 newisec->initialized = LABEL_INITIALIZED; 5001 5002 return 0; 5003 } 5004 5005 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 5006 int size) 5007 { 5008 return sock_has_perm(sock->sk, SOCKET__WRITE); 5009 } 5010 5011 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 5012 int size, int flags) 5013 { 5014 return sock_has_perm(sock->sk, SOCKET__READ); 5015 } 5016 5017 static int selinux_socket_getsockname(struct socket *sock) 5018 { 5019 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5020 } 5021 5022 static int selinux_socket_getpeername(struct socket *sock) 5023 { 5024 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5025 } 5026 5027 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 5028 { 5029 int err; 5030 5031 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 5032 if (err) 5033 return err; 5034 5035 return selinux_netlbl_socket_setsockopt(sock, level, optname); 5036 } 5037 5038 static int selinux_socket_getsockopt(struct socket *sock, int level, 5039 int optname) 5040 { 5041 return sock_has_perm(sock->sk, SOCKET__GETOPT); 5042 } 5043 5044 static int selinux_socket_shutdown(struct socket *sock, int how) 5045 { 5046 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 5047 } 5048 5049 static int selinux_socket_unix_stream_connect(struct sock *sock, 5050 struct sock *other, 5051 struct sock *newsk) 5052 { 5053 struct sk_security_struct *sksec_sock = sock->sk_security; 5054 struct sk_security_struct *sksec_other = other->sk_security; 5055 struct sk_security_struct *sksec_new = newsk->sk_security; 5056 struct common_audit_data ad; 5057 struct lsm_network_audit net = {0,}; 5058 int err; 5059 5060 ad.type = LSM_AUDIT_DATA_NET; 5061 ad.u.net = &net; 5062 ad.u.net->sk = other; 5063 5064 err = avc_has_perm(&selinux_state, 5065 sksec_sock->sid, sksec_other->sid, 5066 sksec_other->sclass, 5067 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 5068 if (err) 5069 return err; 5070 5071 /* server child socket */ 5072 sksec_new->peer_sid = sksec_sock->sid; 5073 err = security_sid_mls_copy(&selinux_state, sksec_other->sid, 5074 sksec_sock->sid, &sksec_new->sid); 5075 if (err) 5076 return err; 5077 5078 /* connecting socket */ 5079 sksec_sock->peer_sid = sksec_new->sid; 5080 5081 return 0; 5082 } 5083 5084 static int selinux_socket_unix_may_send(struct socket *sock, 5085 struct socket *other) 5086 { 5087 struct sk_security_struct *ssec = sock->sk->sk_security; 5088 struct sk_security_struct *osec = other->sk->sk_security; 5089 struct common_audit_data ad; 5090 struct lsm_network_audit net = {0,}; 5091 5092 ad.type = LSM_AUDIT_DATA_NET; 5093 ad.u.net = &net; 5094 ad.u.net->sk = other->sk; 5095 5096 return avc_has_perm(&selinux_state, 5097 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 5098 &ad); 5099 } 5100 5101 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 5102 char *addrp, u16 family, u32 peer_sid, 5103 struct common_audit_data *ad) 5104 { 5105 int err; 5106 u32 if_sid; 5107 u32 node_sid; 5108 5109 err = sel_netif_sid(ns, ifindex, &if_sid); 5110 if (err) 5111 return err; 5112 err = avc_has_perm(&selinux_state, 5113 peer_sid, if_sid, 5114 SECCLASS_NETIF, NETIF__INGRESS, ad); 5115 if (err) 5116 return err; 5117 5118 err = sel_netnode_sid(addrp, family, &node_sid); 5119 if (err) 5120 return err; 5121 return avc_has_perm(&selinux_state, 5122 peer_sid, node_sid, 5123 SECCLASS_NODE, NODE__RECVFROM, ad); 5124 } 5125 5126 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 5127 u16 family) 5128 { 5129 int err = 0; 5130 struct sk_security_struct *sksec = sk->sk_security; 5131 u32 sk_sid = sksec->sid; 5132 struct common_audit_data ad; 5133 struct lsm_network_audit net = {0,}; 5134 char *addrp; 5135 5136 ad.type = LSM_AUDIT_DATA_NET; 5137 ad.u.net = &net; 5138 ad.u.net->netif = skb->skb_iif; 5139 ad.u.net->family = family; 5140 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5141 if (err) 5142 return err; 5143 5144 if (selinux_secmark_enabled()) { 5145 err = avc_has_perm(&selinux_state, 5146 sk_sid, skb->secmark, SECCLASS_PACKET, 5147 PACKET__RECV, &ad); 5148 if (err) 5149 return err; 5150 } 5151 5152 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 5153 if (err) 5154 return err; 5155 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 5156 5157 return err; 5158 } 5159 5160 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 5161 { 5162 int err; 5163 struct sk_security_struct *sksec = sk->sk_security; 5164 u16 family = sk->sk_family; 5165 u32 sk_sid = sksec->sid; 5166 struct common_audit_data ad; 5167 struct lsm_network_audit net = {0,}; 5168 char *addrp; 5169 u8 secmark_active; 5170 u8 peerlbl_active; 5171 5172 if (family != PF_INET && family != PF_INET6) 5173 return 0; 5174 5175 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5176 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5177 family = PF_INET; 5178 5179 /* If any sort of compatibility mode is enabled then handoff processing 5180 * to the selinux_sock_rcv_skb_compat() function to deal with the 5181 * special handling. We do this in an attempt to keep this function 5182 * as fast and as clean as possible. */ 5183 if (!selinux_policycap_netpeer()) 5184 return selinux_sock_rcv_skb_compat(sk, skb, family); 5185 5186 secmark_active = selinux_secmark_enabled(); 5187 peerlbl_active = selinux_peerlbl_enabled(); 5188 if (!secmark_active && !peerlbl_active) 5189 return 0; 5190 5191 ad.type = LSM_AUDIT_DATA_NET; 5192 ad.u.net = &net; 5193 ad.u.net->netif = skb->skb_iif; 5194 ad.u.net->family = family; 5195 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5196 if (err) 5197 return err; 5198 5199 if (peerlbl_active) { 5200 u32 peer_sid; 5201 5202 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5203 if (err) 5204 return err; 5205 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5206 addrp, family, peer_sid, &ad); 5207 if (err) { 5208 selinux_netlbl_err(skb, family, err, 0); 5209 return err; 5210 } 5211 err = avc_has_perm(&selinux_state, 5212 sk_sid, peer_sid, SECCLASS_PEER, 5213 PEER__RECV, &ad); 5214 if (err) { 5215 selinux_netlbl_err(skb, family, err, 0); 5216 return err; 5217 } 5218 } 5219 5220 if (secmark_active) { 5221 err = avc_has_perm(&selinux_state, 5222 sk_sid, skb->secmark, SECCLASS_PACKET, 5223 PACKET__RECV, &ad); 5224 if (err) 5225 return err; 5226 } 5227 5228 return err; 5229 } 5230 5231 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 5232 int __user *optlen, unsigned len) 5233 { 5234 int err = 0; 5235 char *scontext; 5236 u32 scontext_len; 5237 struct sk_security_struct *sksec = sock->sk->sk_security; 5238 u32 peer_sid = SECSID_NULL; 5239 5240 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5241 sksec->sclass == SECCLASS_TCP_SOCKET || 5242 sksec->sclass == SECCLASS_SCTP_SOCKET) 5243 peer_sid = sksec->peer_sid; 5244 if (peer_sid == SECSID_NULL) 5245 return -ENOPROTOOPT; 5246 5247 err = security_sid_to_context(&selinux_state, peer_sid, &scontext, 5248 &scontext_len); 5249 if (err) 5250 return err; 5251 5252 if (scontext_len > len) { 5253 err = -ERANGE; 5254 goto out_len; 5255 } 5256 5257 if (copy_to_user(optval, scontext, scontext_len)) 5258 err = -EFAULT; 5259 5260 out_len: 5261 if (put_user(scontext_len, optlen)) 5262 err = -EFAULT; 5263 kfree(scontext); 5264 return err; 5265 } 5266 5267 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 5268 { 5269 u32 peer_secid = SECSID_NULL; 5270 u16 family; 5271 struct inode_security_struct *isec; 5272 5273 if (skb && skb->protocol == htons(ETH_P_IP)) 5274 family = PF_INET; 5275 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5276 family = PF_INET6; 5277 else if (sock) 5278 family = sock->sk->sk_family; 5279 else 5280 goto out; 5281 5282 if (sock && family == PF_UNIX) { 5283 isec = inode_security_novalidate(SOCK_INODE(sock)); 5284 peer_secid = isec->sid; 5285 } else if (skb) 5286 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5287 5288 out: 5289 *secid = peer_secid; 5290 if (peer_secid == SECSID_NULL) 5291 return -EINVAL; 5292 return 0; 5293 } 5294 5295 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5296 { 5297 struct sk_security_struct *sksec; 5298 5299 sksec = kzalloc(sizeof(*sksec), priority); 5300 if (!sksec) 5301 return -ENOMEM; 5302 5303 sksec->peer_sid = SECINITSID_UNLABELED; 5304 sksec->sid = SECINITSID_UNLABELED; 5305 sksec->sclass = SECCLASS_SOCKET; 5306 selinux_netlbl_sk_security_reset(sksec); 5307 sk->sk_security = sksec; 5308 5309 return 0; 5310 } 5311 5312 static void selinux_sk_free_security(struct sock *sk) 5313 { 5314 struct sk_security_struct *sksec = sk->sk_security; 5315 5316 sk->sk_security = NULL; 5317 selinux_netlbl_sk_security_free(sksec); 5318 kfree(sksec); 5319 } 5320 5321 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5322 { 5323 struct sk_security_struct *sksec = sk->sk_security; 5324 struct sk_security_struct *newsksec = newsk->sk_security; 5325 5326 newsksec->sid = sksec->sid; 5327 newsksec->peer_sid = sksec->peer_sid; 5328 newsksec->sclass = sksec->sclass; 5329 5330 selinux_netlbl_sk_security_reset(newsksec); 5331 } 5332 5333 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 5334 { 5335 if (!sk) 5336 *secid = SECINITSID_ANY_SOCKET; 5337 else { 5338 struct sk_security_struct *sksec = sk->sk_security; 5339 5340 *secid = sksec->sid; 5341 } 5342 } 5343 5344 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5345 { 5346 struct inode_security_struct *isec = 5347 inode_security_novalidate(SOCK_INODE(parent)); 5348 struct sk_security_struct *sksec = sk->sk_security; 5349 5350 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5351 sk->sk_family == PF_UNIX) 5352 isec->sid = sksec->sid; 5353 sksec->sclass = isec->sclass; 5354 } 5355 5356 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming 5357 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association 5358 * already present). 5359 */ 5360 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep, 5361 struct sk_buff *skb) 5362 { 5363 struct sk_security_struct *sksec = ep->base.sk->sk_security; 5364 struct common_audit_data ad; 5365 struct lsm_network_audit net = {0,}; 5366 u8 peerlbl_active; 5367 u32 peer_sid = SECINITSID_UNLABELED; 5368 u32 conn_sid; 5369 int err = 0; 5370 5371 if (!selinux_policycap_extsockclass()) 5372 return 0; 5373 5374 peerlbl_active = selinux_peerlbl_enabled(); 5375 5376 if (peerlbl_active) { 5377 /* This will return peer_sid = SECSID_NULL if there are 5378 * no peer labels, see security_net_peersid_resolve(). 5379 */ 5380 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family, 5381 &peer_sid); 5382 if (err) 5383 return err; 5384 5385 if (peer_sid == SECSID_NULL) 5386 peer_sid = SECINITSID_UNLABELED; 5387 } 5388 5389 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5390 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5391 5392 /* Here as first association on socket. As the peer SID 5393 * was allowed by peer recv (and the netif/node checks), 5394 * then it is approved by policy and used as the primary 5395 * peer SID for getpeercon(3). 5396 */ 5397 sksec->peer_sid = peer_sid; 5398 } else if (sksec->peer_sid != peer_sid) { 5399 /* Other association peer SIDs are checked to enforce 5400 * consistency among the peer SIDs. 5401 */ 5402 ad.type = LSM_AUDIT_DATA_NET; 5403 ad.u.net = &net; 5404 ad.u.net->sk = ep->base.sk; 5405 err = avc_has_perm(&selinux_state, 5406 sksec->peer_sid, peer_sid, sksec->sclass, 5407 SCTP_SOCKET__ASSOCIATION, &ad); 5408 if (err) 5409 return err; 5410 } 5411 5412 /* Compute the MLS component for the connection and store 5413 * the information in ep. This will be used by SCTP TCP type 5414 * sockets and peeled off connections as they cause a new 5415 * socket to be generated. selinux_sctp_sk_clone() will then 5416 * plug this into the new socket. 5417 */ 5418 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid); 5419 if (err) 5420 return err; 5421 5422 ep->secid = conn_sid; 5423 ep->peer_secid = peer_sid; 5424 5425 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5426 return selinux_netlbl_sctp_assoc_request(ep, skb); 5427 } 5428 5429 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5430 * based on their @optname. 5431 */ 5432 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5433 struct sockaddr *address, 5434 int addrlen) 5435 { 5436 int len, err = 0, walk_size = 0; 5437 void *addr_buf; 5438 struct sockaddr *addr; 5439 struct socket *sock; 5440 5441 if (!selinux_policycap_extsockclass()) 5442 return 0; 5443 5444 /* Process one or more addresses that may be IPv4 or IPv6 */ 5445 sock = sk->sk_socket; 5446 addr_buf = address; 5447 5448 while (walk_size < addrlen) { 5449 if (walk_size + sizeof(sa_family_t) > addrlen) 5450 return -EINVAL; 5451 5452 addr = addr_buf; 5453 switch (addr->sa_family) { 5454 case AF_UNSPEC: 5455 case AF_INET: 5456 len = sizeof(struct sockaddr_in); 5457 break; 5458 case AF_INET6: 5459 len = sizeof(struct sockaddr_in6); 5460 break; 5461 default: 5462 return -EINVAL; 5463 } 5464 5465 if (walk_size + len > addrlen) 5466 return -EINVAL; 5467 5468 err = -EINVAL; 5469 switch (optname) { 5470 /* Bind checks */ 5471 case SCTP_PRIMARY_ADDR: 5472 case SCTP_SET_PEER_PRIMARY_ADDR: 5473 case SCTP_SOCKOPT_BINDX_ADD: 5474 err = selinux_socket_bind(sock, addr, len); 5475 break; 5476 /* Connect checks */ 5477 case SCTP_SOCKOPT_CONNECTX: 5478 case SCTP_PARAM_SET_PRIMARY: 5479 case SCTP_PARAM_ADD_IP: 5480 case SCTP_SENDMSG_CONNECT: 5481 err = selinux_socket_connect_helper(sock, addr, len); 5482 if (err) 5483 return err; 5484 5485 /* As selinux_sctp_bind_connect() is called by the 5486 * SCTP protocol layer, the socket is already locked, 5487 * therefore selinux_netlbl_socket_connect_locked() 5488 * is called here. The situations handled are: 5489 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5490 * whenever a new IP address is added or when a new 5491 * primary address is selected. 5492 * Note that an SCTP connect(2) call happens before 5493 * the SCTP protocol layer and is handled via 5494 * selinux_socket_connect(). 5495 */ 5496 err = selinux_netlbl_socket_connect_locked(sk, addr); 5497 break; 5498 } 5499 5500 if (err) 5501 return err; 5502 5503 addr_buf += len; 5504 walk_size += len; 5505 } 5506 5507 return 0; 5508 } 5509 5510 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5511 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, 5512 struct sock *newsk) 5513 { 5514 struct sk_security_struct *sksec = sk->sk_security; 5515 struct sk_security_struct *newsksec = newsk->sk_security; 5516 5517 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5518 * the non-sctp clone version. 5519 */ 5520 if (!selinux_policycap_extsockclass()) 5521 return selinux_sk_clone_security(sk, newsk); 5522 5523 newsksec->sid = ep->secid; 5524 newsksec->peer_sid = ep->peer_secid; 5525 newsksec->sclass = sksec->sclass; 5526 selinux_netlbl_sctp_sk_clone(sk, newsk); 5527 } 5528 5529 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 5530 struct request_sock *req) 5531 { 5532 struct sk_security_struct *sksec = sk->sk_security; 5533 int err; 5534 u16 family = req->rsk_ops->family; 5535 u32 connsid; 5536 u32 peersid; 5537 5538 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5539 if (err) 5540 return err; 5541 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5542 if (err) 5543 return err; 5544 req->secid = connsid; 5545 req->peer_secid = peersid; 5546 5547 return selinux_netlbl_inet_conn_request(req, family); 5548 } 5549 5550 static void selinux_inet_csk_clone(struct sock *newsk, 5551 const struct request_sock *req) 5552 { 5553 struct sk_security_struct *newsksec = newsk->sk_security; 5554 5555 newsksec->sid = req->secid; 5556 newsksec->peer_sid = req->peer_secid; 5557 /* NOTE: Ideally, we should also get the isec->sid for the 5558 new socket in sync, but we don't have the isec available yet. 5559 So we will wait until sock_graft to do it, by which 5560 time it will have been created and available. */ 5561 5562 /* We don't need to take any sort of lock here as we are the only 5563 * thread with access to newsksec */ 5564 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5565 } 5566 5567 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5568 { 5569 u16 family = sk->sk_family; 5570 struct sk_security_struct *sksec = sk->sk_security; 5571 5572 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5573 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5574 family = PF_INET; 5575 5576 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5577 } 5578 5579 static int selinux_secmark_relabel_packet(u32 sid) 5580 { 5581 const struct task_security_struct *__tsec; 5582 u32 tsid; 5583 5584 __tsec = selinux_cred(current_cred()); 5585 tsid = __tsec->sid; 5586 5587 return avc_has_perm(&selinux_state, 5588 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, 5589 NULL); 5590 } 5591 5592 static void selinux_secmark_refcount_inc(void) 5593 { 5594 atomic_inc(&selinux_secmark_refcount); 5595 } 5596 5597 static void selinux_secmark_refcount_dec(void) 5598 { 5599 atomic_dec(&selinux_secmark_refcount); 5600 } 5601 5602 static void selinux_req_classify_flow(const struct request_sock *req, 5603 struct flowi_common *flic) 5604 { 5605 flic->flowic_secid = req->secid; 5606 } 5607 5608 static int selinux_tun_dev_alloc_security(void **security) 5609 { 5610 struct tun_security_struct *tunsec; 5611 5612 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5613 if (!tunsec) 5614 return -ENOMEM; 5615 tunsec->sid = current_sid(); 5616 5617 *security = tunsec; 5618 return 0; 5619 } 5620 5621 static void selinux_tun_dev_free_security(void *security) 5622 { 5623 kfree(security); 5624 } 5625 5626 static int selinux_tun_dev_create(void) 5627 { 5628 u32 sid = current_sid(); 5629 5630 /* we aren't taking into account the "sockcreate" SID since the socket 5631 * that is being created here is not a socket in the traditional sense, 5632 * instead it is a private sock, accessible only to the kernel, and 5633 * representing a wide range of network traffic spanning multiple 5634 * connections unlike traditional sockets - check the TUN driver to 5635 * get a better understanding of why this socket is special */ 5636 5637 return avc_has_perm(&selinux_state, 5638 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5639 NULL); 5640 } 5641 5642 static int selinux_tun_dev_attach_queue(void *security) 5643 { 5644 struct tun_security_struct *tunsec = security; 5645 5646 return avc_has_perm(&selinux_state, 5647 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5648 TUN_SOCKET__ATTACH_QUEUE, NULL); 5649 } 5650 5651 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5652 { 5653 struct tun_security_struct *tunsec = security; 5654 struct sk_security_struct *sksec = sk->sk_security; 5655 5656 /* we don't currently perform any NetLabel based labeling here and it 5657 * isn't clear that we would want to do so anyway; while we could apply 5658 * labeling without the support of the TUN user the resulting labeled 5659 * traffic from the other end of the connection would almost certainly 5660 * cause confusion to the TUN user that had no idea network labeling 5661 * protocols were being used */ 5662 5663 sksec->sid = tunsec->sid; 5664 sksec->sclass = SECCLASS_TUN_SOCKET; 5665 5666 return 0; 5667 } 5668 5669 static int selinux_tun_dev_open(void *security) 5670 { 5671 struct tun_security_struct *tunsec = security; 5672 u32 sid = current_sid(); 5673 int err; 5674 5675 err = avc_has_perm(&selinux_state, 5676 sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5677 TUN_SOCKET__RELABELFROM, NULL); 5678 if (err) 5679 return err; 5680 err = avc_has_perm(&selinux_state, 5681 sid, sid, SECCLASS_TUN_SOCKET, 5682 TUN_SOCKET__RELABELTO, NULL); 5683 if (err) 5684 return err; 5685 tunsec->sid = sid; 5686 5687 return 0; 5688 } 5689 5690 #ifdef CONFIG_NETFILTER 5691 5692 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb, 5693 const struct nf_hook_state *state) 5694 { 5695 const struct net_device *indev = state->in; 5696 u16 family = state->pf; 5697 int err; 5698 char *addrp; 5699 u32 peer_sid; 5700 struct common_audit_data ad; 5701 struct lsm_network_audit net = {0,}; 5702 u8 secmark_active; 5703 u8 netlbl_active; 5704 u8 peerlbl_active; 5705 5706 if (!selinux_policycap_netpeer()) 5707 return NF_ACCEPT; 5708 5709 secmark_active = selinux_secmark_enabled(); 5710 netlbl_active = netlbl_enabled(); 5711 peerlbl_active = selinux_peerlbl_enabled(); 5712 if (!secmark_active && !peerlbl_active) 5713 return NF_ACCEPT; 5714 5715 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5716 return NF_DROP; 5717 5718 ad.type = LSM_AUDIT_DATA_NET; 5719 ad.u.net = &net; 5720 ad.u.net->netif = indev->ifindex; 5721 ad.u.net->family = family; 5722 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5723 return NF_DROP; 5724 5725 if (peerlbl_active) { 5726 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5727 addrp, family, peer_sid, &ad); 5728 if (err) { 5729 selinux_netlbl_err(skb, family, err, 1); 5730 return NF_DROP; 5731 } 5732 } 5733 5734 if (secmark_active) 5735 if (avc_has_perm(&selinux_state, 5736 peer_sid, skb->secmark, 5737 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5738 return NF_DROP; 5739 5740 if (netlbl_active) 5741 /* we do this in the FORWARD path and not the POST_ROUTING 5742 * path because we want to make sure we apply the necessary 5743 * labeling before IPsec is applied so we can leverage AH 5744 * protection */ 5745 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5746 return NF_DROP; 5747 5748 return NF_ACCEPT; 5749 } 5750 5751 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb, 5752 const struct nf_hook_state *state) 5753 { 5754 u16 family = state->pf; 5755 struct sock *sk; 5756 u32 sid; 5757 5758 if (!netlbl_enabled()) 5759 return NF_ACCEPT; 5760 5761 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5762 * because we want to make sure we apply the necessary labeling 5763 * before IPsec is applied so we can leverage AH protection */ 5764 sk = skb->sk; 5765 if (sk) { 5766 struct sk_security_struct *sksec; 5767 5768 if (sk_listener(sk)) 5769 /* if the socket is the listening state then this 5770 * packet is a SYN-ACK packet which means it needs to 5771 * be labeled based on the connection/request_sock and 5772 * not the parent socket. unfortunately, we can't 5773 * lookup the request_sock yet as it isn't queued on 5774 * the parent socket until after the SYN-ACK is sent. 5775 * the "solution" is to simply pass the packet as-is 5776 * as any IP option based labeling should be copied 5777 * from the initial connection request (in the IP 5778 * layer). it is far from ideal, but until we get a 5779 * security label in the packet itself this is the 5780 * best we can do. */ 5781 return NF_ACCEPT; 5782 5783 /* standard practice, label using the parent socket */ 5784 sksec = sk->sk_security; 5785 sid = sksec->sid; 5786 } else 5787 sid = SECINITSID_KERNEL; 5788 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5789 return NF_DROP; 5790 5791 return NF_ACCEPT; 5792 } 5793 5794 5795 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5796 int ifindex, 5797 u16 family) 5798 { 5799 struct sock *sk = skb_to_full_sk(skb); 5800 struct sk_security_struct *sksec; 5801 struct common_audit_data ad; 5802 struct lsm_network_audit net = {0,}; 5803 char *addrp; 5804 u8 proto; 5805 5806 if (sk == NULL) 5807 return NF_ACCEPT; 5808 sksec = sk->sk_security; 5809 5810 ad.type = LSM_AUDIT_DATA_NET; 5811 ad.u.net = &net; 5812 ad.u.net->netif = ifindex; 5813 ad.u.net->family = family; 5814 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5815 return NF_DROP; 5816 5817 if (selinux_secmark_enabled()) 5818 if (avc_has_perm(&selinux_state, 5819 sksec->sid, skb->secmark, 5820 SECCLASS_PACKET, PACKET__SEND, &ad)) 5821 return NF_DROP_ERR(-ECONNREFUSED); 5822 5823 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5824 return NF_DROP_ERR(-ECONNREFUSED); 5825 5826 return NF_ACCEPT; 5827 } 5828 5829 static unsigned int selinux_ip_postroute(void *priv, 5830 struct sk_buff *skb, 5831 const struct nf_hook_state *state) 5832 { 5833 const struct net_device *outdev = state->out; 5834 u16 family = state->pf; 5835 u32 secmark_perm; 5836 u32 peer_sid; 5837 int ifindex = outdev->ifindex; 5838 struct sock *sk; 5839 struct common_audit_data ad; 5840 struct lsm_network_audit net = {0,}; 5841 char *addrp; 5842 u8 secmark_active; 5843 u8 peerlbl_active; 5844 5845 /* If any sort of compatibility mode is enabled then handoff processing 5846 * to the selinux_ip_postroute_compat() function to deal with the 5847 * special handling. We do this in an attempt to keep this function 5848 * as fast and as clean as possible. */ 5849 if (!selinux_policycap_netpeer()) 5850 return selinux_ip_postroute_compat(skb, ifindex, family); 5851 5852 secmark_active = selinux_secmark_enabled(); 5853 peerlbl_active = selinux_peerlbl_enabled(); 5854 if (!secmark_active && !peerlbl_active) 5855 return NF_ACCEPT; 5856 5857 sk = skb_to_full_sk(skb); 5858 5859 #ifdef CONFIG_XFRM 5860 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5861 * packet transformation so allow the packet to pass without any checks 5862 * since we'll have another chance to perform access control checks 5863 * when the packet is on it's final way out. 5864 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5865 * is NULL, in this case go ahead and apply access control. 5866 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5867 * TCP listening state we cannot wait until the XFRM processing 5868 * is done as we will miss out on the SA label if we do; 5869 * unfortunately, this means more work, but it is only once per 5870 * connection. */ 5871 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5872 !(sk && sk_listener(sk))) 5873 return NF_ACCEPT; 5874 #endif 5875 5876 if (sk == NULL) { 5877 /* Without an associated socket the packet is either coming 5878 * from the kernel or it is being forwarded; check the packet 5879 * to determine which and if the packet is being forwarded 5880 * query the packet directly to determine the security label. */ 5881 if (skb->skb_iif) { 5882 secmark_perm = PACKET__FORWARD_OUT; 5883 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5884 return NF_DROP; 5885 } else { 5886 secmark_perm = PACKET__SEND; 5887 peer_sid = SECINITSID_KERNEL; 5888 } 5889 } else if (sk_listener(sk)) { 5890 /* Locally generated packet but the associated socket is in the 5891 * listening state which means this is a SYN-ACK packet. In 5892 * this particular case the correct security label is assigned 5893 * to the connection/request_sock but unfortunately we can't 5894 * query the request_sock as it isn't queued on the parent 5895 * socket until after the SYN-ACK packet is sent; the only 5896 * viable choice is to regenerate the label like we do in 5897 * selinux_inet_conn_request(). See also selinux_ip_output() 5898 * for similar problems. */ 5899 u32 skb_sid; 5900 struct sk_security_struct *sksec; 5901 5902 sksec = sk->sk_security; 5903 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5904 return NF_DROP; 5905 /* At this point, if the returned skb peerlbl is SECSID_NULL 5906 * and the packet has been through at least one XFRM 5907 * transformation then we must be dealing with the "final" 5908 * form of labeled IPsec packet; since we've already applied 5909 * all of our access controls on this packet we can safely 5910 * pass the packet. */ 5911 if (skb_sid == SECSID_NULL) { 5912 switch (family) { 5913 case PF_INET: 5914 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5915 return NF_ACCEPT; 5916 break; 5917 case PF_INET6: 5918 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5919 return NF_ACCEPT; 5920 break; 5921 default: 5922 return NF_DROP_ERR(-ECONNREFUSED); 5923 } 5924 } 5925 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5926 return NF_DROP; 5927 secmark_perm = PACKET__SEND; 5928 } else { 5929 /* Locally generated packet, fetch the security label from the 5930 * associated socket. */ 5931 struct sk_security_struct *sksec = sk->sk_security; 5932 peer_sid = sksec->sid; 5933 secmark_perm = PACKET__SEND; 5934 } 5935 5936 ad.type = LSM_AUDIT_DATA_NET; 5937 ad.u.net = &net; 5938 ad.u.net->netif = ifindex; 5939 ad.u.net->family = family; 5940 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5941 return NF_DROP; 5942 5943 if (secmark_active) 5944 if (avc_has_perm(&selinux_state, 5945 peer_sid, skb->secmark, 5946 SECCLASS_PACKET, secmark_perm, &ad)) 5947 return NF_DROP_ERR(-ECONNREFUSED); 5948 5949 if (peerlbl_active) { 5950 u32 if_sid; 5951 u32 node_sid; 5952 5953 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5954 return NF_DROP; 5955 if (avc_has_perm(&selinux_state, 5956 peer_sid, if_sid, 5957 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5958 return NF_DROP_ERR(-ECONNREFUSED); 5959 5960 if (sel_netnode_sid(addrp, family, &node_sid)) 5961 return NF_DROP; 5962 if (avc_has_perm(&selinux_state, 5963 peer_sid, node_sid, 5964 SECCLASS_NODE, NODE__SENDTO, &ad)) 5965 return NF_DROP_ERR(-ECONNREFUSED); 5966 } 5967 5968 return NF_ACCEPT; 5969 } 5970 #endif /* CONFIG_NETFILTER */ 5971 5972 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5973 { 5974 int rc = 0; 5975 unsigned int msg_len; 5976 unsigned int data_len = skb->len; 5977 unsigned char *data = skb->data; 5978 struct nlmsghdr *nlh; 5979 struct sk_security_struct *sksec = sk->sk_security; 5980 u16 sclass = sksec->sclass; 5981 u32 perm; 5982 5983 while (data_len >= nlmsg_total_size(0)) { 5984 nlh = (struct nlmsghdr *)data; 5985 5986 /* NOTE: the nlmsg_len field isn't reliably set by some netlink 5987 * users which means we can't reject skb's with bogus 5988 * length fields; our solution is to follow what 5989 * netlink_rcv_skb() does and simply skip processing at 5990 * messages with length fields that are clearly junk 5991 */ 5992 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len) 5993 return 0; 5994 5995 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm); 5996 if (rc == 0) { 5997 rc = sock_has_perm(sk, perm); 5998 if (rc) 5999 return rc; 6000 } else if (rc == -EINVAL) { 6001 /* -EINVAL is a missing msg/perm mapping */ 6002 pr_warn_ratelimited("SELinux: unrecognized netlink" 6003 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 6004 " pid=%d comm=%s\n", 6005 sk->sk_protocol, nlh->nlmsg_type, 6006 secclass_map[sclass - 1].name, 6007 task_pid_nr(current), current->comm); 6008 if (enforcing_enabled(&selinux_state) && 6009 !security_get_allow_unknown(&selinux_state)) 6010 return rc; 6011 rc = 0; 6012 } else if (rc == -ENOENT) { 6013 /* -ENOENT is a missing socket/class mapping, ignore */ 6014 rc = 0; 6015 } else { 6016 return rc; 6017 } 6018 6019 /* move to the next message after applying netlink padding */ 6020 msg_len = NLMSG_ALIGN(nlh->nlmsg_len); 6021 if (msg_len >= data_len) 6022 return 0; 6023 data_len -= msg_len; 6024 data += msg_len; 6025 } 6026 6027 return rc; 6028 } 6029 6030 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass) 6031 { 6032 isec->sclass = sclass; 6033 isec->sid = current_sid(); 6034 } 6035 6036 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 6037 u32 perms) 6038 { 6039 struct ipc_security_struct *isec; 6040 struct common_audit_data ad; 6041 u32 sid = current_sid(); 6042 6043 isec = selinux_ipc(ipc_perms); 6044 6045 ad.type = LSM_AUDIT_DATA_IPC; 6046 ad.u.ipc_id = ipc_perms->key; 6047 6048 return avc_has_perm(&selinux_state, 6049 sid, isec->sid, isec->sclass, perms, &ad); 6050 } 6051 6052 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 6053 { 6054 struct msg_security_struct *msec; 6055 6056 msec = selinux_msg_msg(msg); 6057 msec->sid = SECINITSID_UNLABELED; 6058 6059 return 0; 6060 } 6061 6062 /* message queue security operations */ 6063 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 6064 { 6065 struct ipc_security_struct *isec; 6066 struct common_audit_data ad; 6067 u32 sid = current_sid(); 6068 int rc; 6069 6070 isec = selinux_ipc(msq); 6071 ipc_init_security(isec, SECCLASS_MSGQ); 6072 6073 ad.type = LSM_AUDIT_DATA_IPC; 6074 ad.u.ipc_id = msq->key; 6075 6076 rc = avc_has_perm(&selinux_state, 6077 sid, isec->sid, SECCLASS_MSGQ, 6078 MSGQ__CREATE, &ad); 6079 return rc; 6080 } 6081 6082 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 6083 { 6084 struct ipc_security_struct *isec; 6085 struct common_audit_data ad; 6086 u32 sid = current_sid(); 6087 6088 isec = selinux_ipc(msq); 6089 6090 ad.type = LSM_AUDIT_DATA_IPC; 6091 ad.u.ipc_id = msq->key; 6092 6093 return avc_has_perm(&selinux_state, 6094 sid, isec->sid, SECCLASS_MSGQ, 6095 MSGQ__ASSOCIATE, &ad); 6096 } 6097 6098 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 6099 { 6100 int err; 6101 int perms; 6102 6103 switch (cmd) { 6104 case IPC_INFO: 6105 case MSG_INFO: 6106 /* No specific object, just general system-wide information. */ 6107 return avc_has_perm(&selinux_state, 6108 current_sid(), SECINITSID_KERNEL, 6109 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6110 case IPC_STAT: 6111 case MSG_STAT: 6112 case MSG_STAT_ANY: 6113 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6114 break; 6115 case IPC_SET: 6116 perms = MSGQ__SETATTR; 6117 break; 6118 case IPC_RMID: 6119 perms = MSGQ__DESTROY; 6120 break; 6121 default: 6122 return 0; 6123 } 6124 6125 err = ipc_has_perm(msq, perms); 6126 return err; 6127 } 6128 6129 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6130 { 6131 struct ipc_security_struct *isec; 6132 struct msg_security_struct *msec; 6133 struct common_audit_data ad; 6134 u32 sid = current_sid(); 6135 int rc; 6136 6137 isec = selinux_ipc(msq); 6138 msec = selinux_msg_msg(msg); 6139 6140 /* 6141 * First time through, need to assign label to the message 6142 */ 6143 if (msec->sid == SECINITSID_UNLABELED) { 6144 /* 6145 * Compute new sid based on current process and 6146 * message queue this message will be stored in 6147 */ 6148 rc = security_transition_sid(&selinux_state, sid, isec->sid, 6149 SECCLASS_MSG, NULL, &msec->sid); 6150 if (rc) 6151 return rc; 6152 } 6153 6154 ad.type = LSM_AUDIT_DATA_IPC; 6155 ad.u.ipc_id = msq->key; 6156 6157 /* Can this process write to the queue? */ 6158 rc = avc_has_perm(&selinux_state, 6159 sid, isec->sid, SECCLASS_MSGQ, 6160 MSGQ__WRITE, &ad); 6161 if (!rc) 6162 /* Can this process send the message */ 6163 rc = avc_has_perm(&selinux_state, 6164 sid, msec->sid, SECCLASS_MSG, 6165 MSG__SEND, &ad); 6166 if (!rc) 6167 /* Can the message be put in the queue? */ 6168 rc = avc_has_perm(&selinux_state, 6169 msec->sid, isec->sid, SECCLASS_MSGQ, 6170 MSGQ__ENQUEUE, &ad); 6171 6172 return rc; 6173 } 6174 6175 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6176 struct task_struct *target, 6177 long type, int mode) 6178 { 6179 struct ipc_security_struct *isec; 6180 struct msg_security_struct *msec; 6181 struct common_audit_data ad; 6182 u32 sid = task_sid_subj(target); 6183 int rc; 6184 6185 isec = selinux_ipc(msq); 6186 msec = selinux_msg_msg(msg); 6187 6188 ad.type = LSM_AUDIT_DATA_IPC; 6189 ad.u.ipc_id = msq->key; 6190 6191 rc = avc_has_perm(&selinux_state, 6192 sid, isec->sid, 6193 SECCLASS_MSGQ, MSGQ__READ, &ad); 6194 if (!rc) 6195 rc = avc_has_perm(&selinux_state, 6196 sid, msec->sid, 6197 SECCLASS_MSG, MSG__RECEIVE, &ad); 6198 return rc; 6199 } 6200 6201 /* Shared Memory security operations */ 6202 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6203 { 6204 struct ipc_security_struct *isec; 6205 struct common_audit_data ad; 6206 u32 sid = current_sid(); 6207 int rc; 6208 6209 isec = selinux_ipc(shp); 6210 ipc_init_security(isec, SECCLASS_SHM); 6211 6212 ad.type = LSM_AUDIT_DATA_IPC; 6213 ad.u.ipc_id = shp->key; 6214 6215 rc = avc_has_perm(&selinux_state, 6216 sid, isec->sid, SECCLASS_SHM, 6217 SHM__CREATE, &ad); 6218 return rc; 6219 } 6220 6221 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6222 { 6223 struct ipc_security_struct *isec; 6224 struct common_audit_data ad; 6225 u32 sid = current_sid(); 6226 6227 isec = selinux_ipc(shp); 6228 6229 ad.type = LSM_AUDIT_DATA_IPC; 6230 ad.u.ipc_id = shp->key; 6231 6232 return avc_has_perm(&selinux_state, 6233 sid, isec->sid, SECCLASS_SHM, 6234 SHM__ASSOCIATE, &ad); 6235 } 6236 6237 /* Note, at this point, shp is locked down */ 6238 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6239 { 6240 int perms; 6241 int err; 6242 6243 switch (cmd) { 6244 case IPC_INFO: 6245 case SHM_INFO: 6246 /* No specific object, just general system-wide information. */ 6247 return avc_has_perm(&selinux_state, 6248 current_sid(), SECINITSID_KERNEL, 6249 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6250 case IPC_STAT: 6251 case SHM_STAT: 6252 case SHM_STAT_ANY: 6253 perms = SHM__GETATTR | SHM__ASSOCIATE; 6254 break; 6255 case IPC_SET: 6256 perms = SHM__SETATTR; 6257 break; 6258 case SHM_LOCK: 6259 case SHM_UNLOCK: 6260 perms = SHM__LOCK; 6261 break; 6262 case IPC_RMID: 6263 perms = SHM__DESTROY; 6264 break; 6265 default: 6266 return 0; 6267 } 6268 6269 err = ipc_has_perm(shp, perms); 6270 return err; 6271 } 6272 6273 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6274 char __user *shmaddr, int shmflg) 6275 { 6276 u32 perms; 6277 6278 if (shmflg & SHM_RDONLY) 6279 perms = SHM__READ; 6280 else 6281 perms = SHM__READ | SHM__WRITE; 6282 6283 return ipc_has_perm(shp, perms); 6284 } 6285 6286 /* Semaphore security operations */ 6287 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6288 { 6289 struct ipc_security_struct *isec; 6290 struct common_audit_data ad; 6291 u32 sid = current_sid(); 6292 int rc; 6293 6294 isec = selinux_ipc(sma); 6295 ipc_init_security(isec, SECCLASS_SEM); 6296 6297 ad.type = LSM_AUDIT_DATA_IPC; 6298 ad.u.ipc_id = sma->key; 6299 6300 rc = avc_has_perm(&selinux_state, 6301 sid, isec->sid, SECCLASS_SEM, 6302 SEM__CREATE, &ad); 6303 return rc; 6304 } 6305 6306 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6307 { 6308 struct ipc_security_struct *isec; 6309 struct common_audit_data ad; 6310 u32 sid = current_sid(); 6311 6312 isec = selinux_ipc(sma); 6313 6314 ad.type = LSM_AUDIT_DATA_IPC; 6315 ad.u.ipc_id = sma->key; 6316 6317 return avc_has_perm(&selinux_state, 6318 sid, isec->sid, SECCLASS_SEM, 6319 SEM__ASSOCIATE, &ad); 6320 } 6321 6322 /* Note, at this point, sma is locked down */ 6323 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6324 { 6325 int err; 6326 u32 perms; 6327 6328 switch (cmd) { 6329 case IPC_INFO: 6330 case SEM_INFO: 6331 /* No specific object, just general system-wide information. */ 6332 return avc_has_perm(&selinux_state, 6333 current_sid(), SECINITSID_KERNEL, 6334 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6335 case GETPID: 6336 case GETNCNT: 6337 case GETZCNT: 6338 perms = SEM__GETATTR; 6339 break; 6340 case GETVAL: 6341 case GETALL: 6342 perms = SEM__READ; 6343 break; 6344 case SETVAL: 6345 case SETALL: 6346 perms = SEM__WRITE; 6347 break; 6348 case IPC_RMID: 6349 perms = SEM__DESTROY; 6350 break; 6351 case IPC_SET: 6352 perms = SEM__SETATTR; 6353 break; 6354 case IPC_STAT: 6355 case SEM_STAT: 6356 case SEM_STAT_ANY: 6357 perms = SEM__GETATTR | SEM__ASSOCIATE; 6358 break; 6359 default: 6360 return 0; 6361 } 6362 6363 err = ipc_has_perm(sma, perms); 6364 return err; 6365 } 6366 6367 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6368 struct sembuf *sops, unsigned nsops, int alter) 6369 { 6370 u32 perms; 6371 6372 if (alter) 6373 perms = SEM__READ | SEM__WRITE; 6374 else 6375 perms = SEM__READ; 6376 6377 return ipc_has_perm(sma, perms); 6378 } 6379 6380 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6381 { 6382 u32 av = 0; 6383 6384 av = 0; 6385 if (flag & S_IRUGO) 6386 av |= IPC__UNIX_READ; 6387 if (flag & S_IWUGO) 6388 av |= IPC__UNIX_WRITE; 6389 6390 if (av == 0) 6391 return 0; 6392 6393 return ipc_has_perm(ipcp, av); 6394 } 6395 6396 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 6397 { 6398 struct ipc_security_struct *isec = selinux_ipc(ipcp); 6399 *secid = isec->sid; 6400 } 6401 6402 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6403 { 6404 if (inode) 6405 inode_doinit_with_dentry(inode, dentry); 6406 } 6407 6408 static int selinux_getprocattr(struct task_struct *p, 6409 char *name, char **value) 6410 { 6411 const struct task_security_struct *__tsec; 6412 u32 sid; 6413 int error; 6414 unsigned len; 6415 6416 rcu_read_lock(); 6417 __tsec = selinux_cred(__task_cred(p)); 6418 6419 if (current != p) { 6420 error = avc_has_perm(&selinux_state, 6421 current_sid(), __tsec->sid, 6422 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6423 if (error) 6424 goto bad; 6425 } 6426 6427 if (!strcmp(name, "current")) 6428 sid = __tsec->sid; 6429 else if (!strcmp(name, "prev")) 6430 sid = __tsec->osid; 6431 else if (!strcmp(name, "exec")) 6432 sid = __tsec->exec_sid; 6433 else if (!strcmp(name, "fscreate")) 6434 sid = __tsec->create_sid; 6435 else if (!strcmp(name, "keycreate")) 6436 sid = __tsec->keycreate_sid; 6437 else if (!strcmp(name, "sockcreate")) 6438 sid = __tsec->sockcreate_sid; 6439 else { 6440 error = -EINVAL; 6441 goto bad; 6442 } 6443 rcu_read_unlock(); 6444 6445 if (!sid) 6446 return 0; 6447 6448 error = security_sid_to_context(&selinux_state, sid, value, &len); 6449 if (error) 6450 return error; 6451 return len; 6452 6453 bad: 6454 rcu_read_unlock(); 6455 return error; 6456 } 6457 6458 static int selinux_setprocattr(const char *name, void *value, size_t size) 6459 { 6460 struct task_security_struct *tsec; 6461 struct cred *new; 6462 u32 mysid = current_sid(), sid = 0, ptsid; 6463 int error; 6464 char *str = value; 6465 6466 /* 6467 * Basic control over ability to set these attributes at all. 6468 */ 6469 if (!strcmp(name, "exec")) 6470 error = avc_has_perm(&selinux_state, 6471 mysid, mysid, SECCLASS_PROCESS, 6472 PROCESS__SETEXEC, NULL); 6473 else if (!strcmp(name, "fscreate")) 6474 error = avc_has_perm(&selinux_state, 6475 mysid, mysid, SECCLASS_PROCESS, 6476 PROCESS__SETFSCREATE, NULL); 6477 else if (!strcmp(name, "keycreate")) 6478 error = avc_has_perm(&selinux_state, 6479 mysid, mysid, SECCLASS_PROCESS, 6480 PROCESS__SETKEYCREATE, NULL); 6481 else if (!strcmp(name, "sockcreate")) 6482 error = avc_has_perm(&selinux_state, 6483 mysid, mysid, SECCLASS_PROCESS, 6484 PROCESS__SETSOCKCREATE, NULL); 6485 else if (!strcmp(name, "current")) 6486 error = avc_has_perm(&selinux_state, 6487 mysid, mysid, SECCLASS_PROCESS, 6488 PROCESS__SETCURRENT, NULL); 6489 else 6490 error = -EINVAL; 6491 if (error) 6492 return error; 6493 6494 /* Obtain a SID for the context, if one was specified. */ 6495 if (size && str[0] && str[0] != '\n') { 6496 if (str[size-1] == '\n') { 6497 str[size-1] = 0; 6498 size--; 6499 } 6500 error = security_context_to_sid(&selinux_state, value, size, 6501 &sid, GFP_KERNEL); 6502 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6503 if (!has_cap_mac_admin(true)) { 6504 struct audit_buffer *ab; 6505 size_t audit_size; 6506 6507 /* We strip a nul only if it is at the end, otherwise the 6508 * context contains a nul and we should audit that */ 6509 if (str[size - 1] == '\0') 6510 audit_size = size - 1; 6511 else 6512 audit_size = size; 6513 ab = audit_log_start(audit_context(), 6514 GFP_ATOMIC, 6515 AUDIT_SELINUX_ERR); 6516 if (!ab) 6517 return error; 6518 audit_log_format(ab, "op=fscreate invalid_context="); 6519 audit_log_n_untrustedstring(ab, value, audit_size); 6520 audit_log_end(ab); 6521 6522 return error; 6523 } 6524 error = security_context_to_sid_force( 6525 &selinux_state, 6526 value, size, &sid); 6527 } 6528 if (error) 6529 return error; 6530 } 6531 6532 new = prepare_creds(); 6533 if (!new) 6534 return -ENOMEM; 6535 6536 /* Permission checking based on the specified context is 6537 performed during the actual operation (execve, 6538 open/mkdir/...), when we know the full context of the 6539 operation. See selinux_bprm_creds_for_exec for the execve 6540 checks and may_create for the file creation checks. The 6541 operation will then fail if the context is not permitted. */ 6542 tsec = selinux_cred(new); 6543 if (!strcmp(name, "exec")) { 6544 tsec->exec_sid = sid; 6545 } else if (!strcmp(name, "fscreate")) { 6546 tsec->create_sid = sid; 6547 } else if (!strcmp(name, "keycreate")) { 6548 if (sid) { 6549 error = avc_has_perm(&selinux_state, mysid, sid, 6550 SECCLASS_KEY, KEY__CREATE, NULL); 6551 if (error) 6552 goto abort_change; 6553 } 6554 tsec->keycreate_sid = sid; 6555 } else if (!strcmp(name, "sockcreate")) { 6556 tsec->sockcreate_sid = sid; 6557 } else if (!strcmp(name, "current")) { 6558 error = -EINVAL; 6559 if (sid == 0) 6560 goto abort_change; 6561 6562 /* Only allow single threaded processes to change context */ 6563 error = -EPERM; 6564 if (!current_is_single_threaded()) { 6565 error = security_bounded_transition(&selinux_state, 6566 tsec->sid, sid); 6567 if (error) 6568 goto abort_change; 6569 } 6570 6571 /* Check permissions for the transition. */ 6572 error = avc_has_perm(&selinux_state, 6573 tsec->sid, sid, SECCLASS_PROCESS, 6574 PROCESS__DYNTRANSITION, NULL); 6575 if (error) 6576 goto abort_change; 6577 6578 /* Check for ptracing, and update the task SID if ok. 6579 Otherwise, leave SID unchanged and fail. */ 6580 ptsid = ptrace_parent_sid(); 6581 if (ptsid != 0) { 6582 error = avc_has_perm(&selinux_state, 6583 ptsid, sid, SECCLASS_PROCESS, 6584 PROCESS__PTRACE, NULL); 6585 if (error) 6586 goto abort_change; 6587 } 6588 6589 tsec->sid = sid; 6590 } else { 6591 error = -EINVAL; 6592 goto abort_change; 6593 } 6594 6595 commit_creds(new); 6596 return size; 6597 6598 abort_change: 6599 abort_creds(new); 6600 return error; 6601 } 6602 6603 static int selinux_ismaclabel(const char *name) 6604 { 6605 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6606 } 6607 6608 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6609 { 6610 return security_sid_to_context(&selinux_state, secid, 6611 secdata, seclen); 6612 } 6613 6614 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6615 { 6616 return security_context_to_sid(&selinux_state, secdata, seclen, 6617 secid, GFP_KERNEL); 6618 } 6619 6620 static void selinux_release_secctx(char *secdata, u32 seclen) 6621 { 6622 kfree(secdata); 6623 } 6624 6625 static void selinux_inode_invalidate_secctx(struct inode *inode) 6626 { 6627 struct inode_security_struct *isec = selinux_inode(inode); 6628 6629 spin_lock(&isec->lock); 6630 isec->initialized = LABEL_INVALID; 6631 spin_unlock(&isec->lock); 6632 } 6633 6634 /* 6635 * called with inode->i_mutex locked 6636 */ 6637 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6638 { 6639 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, 6640 ctx, ctxlen, 0); 6641 /* Do not return error when suppressing label (SBLABEL_MNT not set). */ 6642 return rc == -EOPNOTSUPP ? 0 : rc; 6643 } 6644 6645 /* 6646 * called with inode->i_mutex locked 6647 */ 6648 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6649 { 6650 return __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_SELINUX, 6651 ctx, ctxlen, 0); 6652 } 6653 6654 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6655 { 6656 int len = 0; 6657 len = selinux_inode_getsecurity(&init_user_ns, inode, 6658 XATTR_SELINUX_SUFFIX, ctx, true); 6659 if (len < 0) 6660 return len; 6661 *ctxlen = len; 6662 return 0; 6663 } 6664 #ifdef CONFIG_KEYS 6665 6666 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6667 unsigned long flags) 6668 { 6669 const struct task_security_struct *tsec; 6670 struct key_security_struct *ksec; 6671 6672 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6673 if (!ksec) 6674 return -ENOMEM; 6675 6676 tsec = selinux_cred(cred); 6677 if (tsec->keycreate_sid) 6678 ksec->sid = tsec->keycreate_sid; 6679 else 6680 ksec->sid = tsec->sid; 6681 6682 k->security = ksec; 6683 return 0; 6684 } 6685 6686 static void selinux_key_free(struct key *k) 6687 { 6688 struct key_security_struct *ksec = k->security; 6689 6690 k->security = NULL; 6691 kfree(ksec); 6692 } 6693 6694 static int selinux_key_permission(key_ref_t key_ref, 6695 const struct cred *cred, 6696 enum key_need_perm need_perm) 6697 { 6698 struct key *key; 6699 struct key_security_struct *ksec; 6700 u32 perm, sid; 6701 6702 switch (need_perm) { 6703 case KEY_NEED_VIEW: 6704 perm = KEY__VIEW; 6705 break; 6706 case KEY_NEED_READ: 6707 perm = KEY__READ; 6708 break; 6709 case KEY_NEED_WRITE: 6710 perm = KEY__WRITE; 6711 break; 6712 case KEY_NEED_SEARCH: 6713 perm = KEY__SEARCH; 6714 break; 6715 case KEY_NEED_LINK: 6716 perm = KEY__LINK; 6717 break; 6718 case KEY_NEED_SETATTR: 6719 perm = KEY__SETATTR; 6720 break; 6721 case KEY_NEED_UNLINK: 6722 case KEY_SYSADMIN_OVERRIDE: 6723 case KEY_AUTHTOKEN_OVERRIDE: 6724 case KEY_DEFER_PERM_CHECK: 6725 return 0; 6726 default: 6727 WARN_ON(1); 6728 return -EPERM; 6729 6730 } 6731 6732 sid = cred_sid(cred); 6733 key = key_ref_to_ptr(key_ref); 6734 ksec = key->security; 6735 6736 return avc_has_perm(&selinux_state, 6737 sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6738 } 6739 6740 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6741 { 6742 struct key_security_struct *ksec = key->security; 6743 char *context = NULL; 6744 unsigned len; 6745 int rc; 6746 6747 rc = security_sid_to_context(&selinux_state, ksec->sid, 6748 &context, &len); 6749 if (!rc) 6750 rc = len; 6751 *_buffer = context; 6752 return rc; 6753 } 6754 6755 #ifdef CONFIG_KEY_NOTIFICATIONS 6756 static int selinux_watch_key(struct key *key) 6757 { 6758 struct key_security_struct *ksec = key->security; 6759 u32 sid = current_sid(); 6760 6761 return avc_has_perm(&selinux_state, 6762 sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL); 6763 } 6764 #endif 6765 #endif 6766 6767 #ifdef CONFIG_SECURITY_INFINIBAND 6768 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6769 { 6770 struct common_audit_data ad; 6771 int err; 6772 u32 sid = 0; 6773 struct ib_security_struct *sec = ib_sec; 6774 struct lsm_ibpkey_audit ibpkey; 6775 6776 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6777 if (err) 6778 return err; 6779 6780 ad.type = LSM_AUDIT_DATA_IBPKEY; 6781 ibpkey.subnet_prefix = subnet_prefix; 6782 ibpkey.pkey = pkey_val; 6783 ad.u.ibpkey = &ibpkey; 6784 return avc_has_perm(&selinux_state, 6785 sec->sid, sid, 6786 SECCLASS_INFINIBAND_PKEY, 6787 INFINIBAND_PKEY__ACCESS, &ad); 6788 } 6789 6790 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6791 u8 port_num) 6792 { 6793 struct common_audit_data ad; 6794 int err; 6795 u32 sid = 0; 6796 struct ib_security_struct *sec = ib_sec; 6797 struct lsm_ibendport_audit ibendport; 6798 6799 err = security_ib_endport_sid(&selinux_state, dev_name, port_num, 6800 &sid); 6801 6802 if (err) 6803 return err; 6804 6805 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6806 ibendport.dev_name = dev_name; 6807 ibendport.port = port_num; 6808 ad.u.ibendport = &ibendport; 6809 return avc_has_perm(&selinux_state, 6810 sec->sid, sid, 6811 SECCLASS_INFINIBAND_ENDPORT, 6812 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6813 } 6814 6815 static int selinux_ib_alloc_security(void **ib_sec) 6816 { 6817 struct ib_security_struct *sec; 6818 6819 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6820 if (!sec) 6821 return -ENOMEM; 6822 sec->sid = current_sid(); 6823 6824 *ib_sec = sec; 6825 return 0; 6826 } 6827 6828 static void selinux_ib_free_security(void *ib_sec) 6829 { 6830 kfree(ib_sec); 6831 } 6832 #endif 6833 6834 #ifdef CONFIG_BPF_SYSCALL 6835 static int selinux_bpf(int cmd, union bpf_attr *attr, 6836 unsigned int size) 6837 { 6838 u32 sid = current_sid(); 6839 int ret; 6840 6841 switch (cmd) { 6842 case BPF_MAP_CREATE: 6843 ret = avc_has_perm(&selinux_state, 6844 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6845 NULL); 6846 break; 6847 case BPF_PROG_LOAD: 6848 ret = avc_has_perm(&selinux_state, 6849 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6850 NULL); 6851 break; 6852 default: 6853 ret = 0; 6854 break; 6855 } 6856 6857 return ret; 6858 } 6859 6860 static u32 bpf_map_fmode_to_av(fmode_t fmode) 6861 { 6862 u32 av = 0; 6863 6864 if (fmode & FMODE_READ) 6865 av |= BPF__MAP_READ; 6866 if (fmode & FMODE_WRITE) 6867 av |= BPF__MAP_WRITE; 6868 return av; 6869 } 6870 6871 /* This function will check the file pass through unix socket or binder to see 6872 * if it is a bpf related object. And apply correspinding checks on the bpf 6873 * object based on the type. The bpf maps and programs, not like other files and 6874 * socket, are using a shared anonymous inode inside the kernel as their inode. 6875 * So checking that inode cannot identify if the process have privilege to 6876 * access the bpf object and that's why we have to add this additional check in 6877 * selinux_file_receive and selinux_binder_transfer_files. 6878 */ 6879 static int bpf_fd_pass(struct file *file, u32 sid) 6880 { 6881 struct bpf_security_struct *bpfsec; 6882 struct bpf_prog *prog; 6883 struct bpf_map *map; 6884 int ret; 6885 6886 if (file->f_op == &bpf_map_fops) { 6887 map = file->private_data; 6888 bpfsec = map->security; 6889 ret = avc_has_perm(&selinux_state, 6890 sid, bpfsec->sid, SECCLASS_BPF, 6891 bpf_map_fmode_to_av(file->f_mode), NULL); 6892 if (ret) 6893 return ret; 6894 } else if (file->f_op == &bpf_prog_fops) { 6895 prog = file->private_data; 6896 bpfsec = prog->aux->security; 6897 ret = avc_has_perm(&selinux_state, 6898 sid, bpfsec->sid, SECCLASS_BPF, 6899 BPF__PROG_RUN, NULL); 6900 if (ret) 6901 return ret; 6902 } 6903 return 0; 6904 } 6905 6906 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 6907 { 6908 u32 sid = current_sid(); 6909 struct bpf_security_struct *bpfsec; 6910 6911 bpfsec = map->security; 6912 return avc_has_perm(&selinux_state, 6913 sid, bpfsec->sid, SECCLASS_BPF, 6914 bpf_map_fmode_to_av(fmode), NULL); 6915 } 6916 6917 static int selinux_bpf_prog(struct bpf_prog *prog) 6918 { 6919 u32 sid = current_sid(); 6920 struct bpf_security_struct *bpfsec; 6921 6922 bpfsec = prog->aux->security; 6923 return avc_has_perm(&selinux_state, 6924 sid, bpfsec->sid, SECCLASS_BPF, 6925 BPF__PROG_RUN, NULL); 6926 } 6927 6928 static int selinux_bpf_map_alloc(struct bpf_map *map) 6929 { 6930 struct bpf_security_struct *bpfsec; 6931 6932 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6933 if (!bpfsec) 6934 return -ENOMEM; 6935 6936 bpfsec->sid = current_sid(); 6937 map->security = bpfsec; 6938 6939 return 0; 6940 } 6941 6942 static void selinux_bpf_map_free(struct bpf_map *map) 6943 { 6944 struct bpf_security_struct *bpfsec = map->security; 6945 6946 map->security = NULL; 6947 kfree(bpfsec); 6948 } 6949 6950 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux) 6951 { 6952 struct bpf_security_struct *bpfsec; 6953 6954 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6955 if (!bpfsec) 6956 return -ENOMEM; 6957 6958 bpfsec->sid = current_sid(); 6959 aux->security = bpfsec; 6960 6961 return 0; 6962 } 6963 6964 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) 6965 { 6966 struct bpf_security_struct *bpfsec = aux->security; 6967 6968 aux->security = NULL; 6969 kfree(bpfsec); 6970 } 6971 #endif 6972 6973 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { 6974 .lbs_cred = sizeof(struct task_security_struct), 6975 .lbs_file = sizeof(struct file_security_struct), 6976 .lbs_inode = sizeof(struct inode_security_struct), 6977 .lbs_ipc = sizeof(struct ipc_security_struct), 6978 .lbs_msg_msg = sizeof(struct msg_security_struct), 6979 .lbs_superblock = sizeof(struct superblock_security_struct), 6980 }; 6981 6982 #ifdef CONFIG_PERF_EVENTS 6983 static int selinux_perf_event_open(struct perf_event_attr *attr, int type) 6984 { 6985 u32 requested, sid = current_sid(); 6986 6987 if (type == PERF_SECURITY_OPEN) 6988 requested = PERF_EVENT__OPEN; 6989 else if (type == PERF_SECURITY_CPU) 6990 requested = PERF_EVENT__CPU; 6991 else if (type == PERF_SECURITY_KERNEL) 6992 requested = PERF_EVENT__KERNEL; 6993 else if (type == PERF_SECURITY_TRACEPOINT) 6994 requested = PERF_EVENT__TRACEPOINT; 6995 else 6996 return -EINVAL; 6997 6998 return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT, 6999 requested, NULL); 7000 } 7001 7002 static int selinux_perf_event_alloc(struct perf_event *event) 7003 { 7004 struct perf_event_security_struct *perfsec; 7005 7006 perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL); 7007 if (!perfsec) 7008 return -ENOMEM; 7009 7010 perfsec->sid = current_sid(); 7011 event->security = perfsec; 7012 7013 return 0; 7014 } 7015 7016 static void selinux_perf_event_free(struct perf_event *event) 7017 { 7018 struct perf_event_security_struct *perfsec = event->security; 7019 7020 event->security = NULL; 7021 kfree(perfsec); 7022 } 7023 7024 static int selinux_perf_event_read(struct perf_event *event) 7025 { 7026 struct perf_event_security_struct *perfsec = event->security; 7027 u32 sid = current_sid(); 7028 7029 return avc_has_perm(&selinux_state, sid, perfsec->sid, 7030 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL); 7031 } 7032 7033 static int selinux_perf_event_write(struct perf_event *event) 7034 { 7035 struct perf_event_security_struct *perfsec = event->security; 7036 u32 sid = current_sid(); 7037 7038 return avc_has_perm(&selinux_state, sid, perfsec->sid, 7039 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL); 7040 } 7041 #endif 7042 7043 #ifdef CONFIG_IO_URING 7044 /** 7045 * selinux_uring_override_creds - check the requested cred override 7046 * @new: the target creds 7047 * 7048 * Check to see if the current task is allowed to override it's credentials 7049 * to service an io_uring operation. 7050 */ 7051 static int selinux_uring_override_creds(const struct cred *new) 7052 { 7053 return avc_has_perm(&selinux_state, current_sid(), cred_sid(new), 7054 SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL); 7055 } 7056 7057 /** 7058 * selinux_uring_sqpoll - check if a io_uring polling thread can be created 7059 * 7060 * Check to see if the current task is allowed to create a new io_uring 7061 * kernel polling thread. 7062 */ 7063 static int selinux_uring_sqpoll(void) 7064 { 7065 int sid = current_sid(); 7066 7067 return avc_has_perm(&selinux_state, sid, sid, 7068 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL); 7069 } 7070 #endif /* CONFIG_IO_URING */ 7071 7072 /* 7073 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: 7074 * 1. any hooks that don't belong to (2.) or (3.) below, 7075 * 2. hooks that both access structures allocated by other hooks, and allocate 7076 * structures that can be later accessed by other hooks (mostly "cloning" 7077 * hooks), 7078 * 3. hooks that only allocate structures that can be later accessed by other 7079 * hooks ("allocating" hooks). 7080 * 7081 * Please follow block comment delimiters in the list to keep this order. 7082 * 7083 * This ordering is needed for SELinux runtime disable to work at least somewhat 7084 * safely. Breaking the ordering rules above might lead to NULL pointer derefs 7085 * when disabling SELinux at runtime. 7086 */ 7087 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 7088 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 7089 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 7090 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 7091 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 7092 7093 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 7094 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 7095 LSM_HOOK_INIT(capget, selinux_capget), 7096 LSM_HOOK_INIT(capset, selinux_capset), 7097 LSM_HOOK_INIT(capable, selinux_capable), 7098 LSM_HOOK_INIT(quotactl, selinux_quotactl), 7099 LSM_HOOK_INIT(quota_on, selinux_quota_on), 7100 LSM_HOOK_INIT(syslog, selinux_syslog), 7101 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 7102 7103 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 7104 7105 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec), 7106 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 7107 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 7108 7109 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), 7110 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat), 7111 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 7112 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 7113 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 7114 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 7115 LSM_HOOK_INIT(sb_mount, selinux_mount), 7116 LSM_HOOK_INIT(sb_umount, selinux_umount), 7117 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 7118 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 7119 7120 LSM_HOOK_INIT(move_mount, selinux_move_mount), 7121 7122 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 7123 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 7124 7125 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 7126 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 7127 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon), 7128 LSM_HOOK_INIT(inode_create, selinux_inode_create), 7129 LSM_HOOK_INIT(inode_link, selinux_inode_link), 7130 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 7131 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 7132 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 7133 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 7134 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 7135 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 7136 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 7137 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 7138 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 7139 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 7140 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 7141 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 7142 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 7143 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 7144 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 7145 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 7146 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 7147 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 7148 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 7149 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 7150 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 7151 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 7152 LSM_HOOK_INIT(path_notify, selinux_path_notify), 7153 7154 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security), 7155 7156 LSM_HOOK_INIT(file_permission, selinux_file_permission), 7157 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 7158 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 7159 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 7160 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 7161 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 7162 LSM_HOOK_INIT(file_lock, selinux_file_lock), 7163 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 7164 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 7165 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 7166 LSM_HOOK_INIT(file_receive, selinux_file_receive), 7167 7168 LSM_HOOK_INIT(file_open, selinux_file_open), 7169 7170 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 7171 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 7172 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 7173 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 7174 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 7175 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 7176 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 7177 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 7178 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 7179 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 7180 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 7181 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 7182 LSM_HOOK_INIT(task_getsecid_subj, selinux_task_getsecid_subj), 7183 LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj), 7184 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 7185 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 7186 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 7187 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 7188 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 7189 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 7190 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 7191 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 7192 LSM_HOOK_INIT(task_kill, selinux_task_kill), 7193 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 7194 7195 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 7196 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 7197 7198 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 7199 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 7200 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 7201 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 7202 7203 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 7204 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 7205 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 7206 7207 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 7208 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 7209 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 7210 7211 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 7212 7213 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 7214 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 7215 7216 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 7217 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 7218 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 7219 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 7220 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 7221 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 7222 7223 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 7224 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 7225 7226 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7227 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7228 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), 7229 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7230 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7231 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7232 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7233 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7234 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7235 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7236 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7237 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7238 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7239 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7240 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7241 LSM_HOOK_INIT(socket_getpeersec_stream, 7242 selinux_socket_getpeersec_stream), 7243 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7244 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7245 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7246 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7247 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7248 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7249 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7250 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7251 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7252 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7253 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7254 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7255 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7256 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7257 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7258 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 7259 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7260 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7261 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7262 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7263 #ifdef CONFIG_SECURITY_INFINIBAND 7264 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7265 LSM_HOOK_INIT(ib_endport_manage_subnet, 7266 selinux_ib_endport_manage_subnet), 7267 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 7268 #endif 7269 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7270 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7271 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7272 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7273 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7274 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7275 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7276 selinux_xfrm_state_pol_flow_match), 7277 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7278 #endif 7279 7280 #ifdef CONFIG_KEYS 7281 LSM_HOOK_INIT(key_free, selinux_key_free), 7282 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7283 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7284 #ifdef CONFIG_KEY_NOTIFICATIONS 7285 LSM_HOOK_INIT(watch_key, selinux_watch_key), 7286 #endif 7287 #endif 7288 7289 #ifdef CONFIG_AUDIT 7290 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7291 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7292 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7293 #endif 7294 7295 #ifdef CONFIG_BPF_SYSCALL 7296 LSM_HOOK_INIT(bpf, selinux_bpf), 7297 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7298 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7299 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free), 7300 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free), 7301 #endif 7302 7303 #ifdef CONFIG_PERF_EVENTS 7304 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open), 7305 LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free), 7306 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read), 7307 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write), 7308 #endif 7309 7310 #ifdef CONFIG_IO_URING 7311 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), 7312 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), 7313 #endif 7314 7315 /* 7316 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE 7317 */ 7318 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 7319 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 7320 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 7321 LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt), 7322 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7323 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7324 #endif 7325 7326 /* 7327 * PUT "ALLOCATING" HOOKS HERE 7328 */ 7329 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 7330 LSM_HOOK_INIT(msg_queue_alloc_security, 7331 selinux_msg_queue_alloc_security), 7332 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 7333 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 7334 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 7335 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 7336 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 7337 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 7338 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7339 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7340 #ifdef CONFIG_SECURITY_INFINIBAND 7341 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7342 #endif 7343 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7344 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7345 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7346 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7347 selinux_xfrm_state_alloc_acquire), 7348 #endif 7349 #ifdef CONFIG_KEYS 7350 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7351 #endif 7352 #ifdef CONFIG_AUDIT 7353 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7354 #endif 7355 #ifdef CONFIG_BPF_SYSCALL 7356 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), 7357 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), 7358 #endif 7359 #ifdef CONFIG_PERF_EVENTS 7360 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), 7361 #endif 7362 }; 7363 7364 static __init int selinux_init(void) 7365 { 7366 pr_info("SELinux: Initializing.\n"); 7367 7368 memset(&selinux_state, 0, sizeof(selinux_state)); 7369 enforcing_set(&selinux_state, selinux_enforcing_boot); 7370 checkreqprot_set(&selinux_state, selinux_checkreqprot_boot); 7371 selinux_avc_init(&selinux_state.avc); 7372 mutex_init(&selinux_state.status_lock); 7373 mutex_init(&selinux_state.policy_mutex); 7374 7375 /* Set the security state for the initial task. */ 7376 cred_init_security(); 7377 7378 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7379 7380 avc_init(); 7381 7382 avtab_cache_init(); 7383 7384 ebitmap_cache_init(); 7385 7386 hashtab_cache_init(); 7387 7388 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 7389 7390 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7391 panic("SELinux: Unable to register AVC netcache callback\n"); 7392 7393 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7394 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7395 7396 if (selinux_enforcing_boot) 7397 pr_debug("SELinux: Starting in enforcing mode\n"); 7398 else 7399 pr_debug("SELinux: Starting in permissive mode\n"); 7400 7401 fs_validate_description("selinux", selinux_fs_parameters); 7402 7403 return 0; 7404 } 7405 7406 static void delayed_superblock_init(struct super_block *sb, void *unused) 7407 { 7408 selinux_set_mnt_opts(sb, NULL, 0, NULL); 7409 } 7410 7411 void selinux_complete_init(void) 7412 { 7413 pr_debug("SELinux: Completing initialization.\n"); 7414 7415 /* Set up any superblocks initialized prior to the policy load. */ 7416 pr_debug("SELinux: Setting up existing superblocks.\n"); 7417 iterate_supers(delayed_superblock_init, NULL); 7418 } 7419 7420 /* SELinux requires early initialization in order to label 7421 all processes and objects when they are created. */ 7422 DEFINE_LSM(selinux) = { 7423 .name = "selinux", 7424 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 7425 .enabled = &selinux_enabled_boot, 7426 .blobs = &selinux_blob_sizes, 7427 .init = selinux_init, 7428 }; 7429 7430 #if defined(CONFIG_NETFILTER) 7431 7432 static const struct nf_hook_ops selinux_nf_ops[] = { 7433 { 7434 .hook = selinux_ip_postroute, 7435 .pf = NFPROTO_IPV4, 7436 .hooknum = NF_INET_POST_ROUTING, 7437 .priority = NF_IP_PRI_SELINUX_LAST, 7438 }, 7439 { 7440 .hook = selinux_ip_forward, 7441 .pf = NFPROTO_IPV4, 7442 .hooknum = NF_INET_FORWARD, 7443 .priority = NF_IP_PRI_SELINUX_FIRST, 7444 }, 7445 { 7446 .hook = selinux_ip_output, 7447 .pf = NFPROTO_IPV4, 7448 .hooknum = NF_INET_LOCAL_OUT, 7449 .priority = NF_IP_PRI_SELINUX_FIRST, 7450 }, 7451 #if IS_ENABLED(CONFIG_IPV6) 7452 { 7453 .hook = selinux_ip_postroute, 7454 .pf = NFPROTO_IPV6, 7455 .hooknum = NF_INET_POST_ROUTING, 7456 .priority = NF_IP6_PRI_SELINUX_LAST, 7457 }, 7458 { 7459 .hook = selinux_ip_forward, 7460 .pf = NFPROTO_IPV6, 7461 .hooknum = NF_INET_FORWARD, 7462 .priority = NF_IP6_PRI_SELINUX_FIRST, 7463 }, 7464 { 7465 .hook = selinux_ip_output, 7466 .pf = NFPROTO_IPV6, 7467 .hooknum = NF_INET_LOCAL_OUT, 7468 .priority = NF_IP6_PRI_SELINUX_FIRST, 7469 }, 7470 #endif /* IPV6 */ 7471 }; 7472 7473 static int __net_init selinux_nf_register(struct net *net) 7474 { 7475 return nf_register_net_hooks(net, selinux_nf_ops, 7476 ARRAY_SIZE(selinux_nf_ops)); 7477 } 7478 7479 static void __net_exit selinux_nf_unregister(struct net *net) 7480 { 7481 nf_unregister_net_hooks(net, selinux_nf_ops, 7482 ARRAY_SIZE(selinux_nf_ops)); 7483 } 7484 7485 static struct pernet_operations selinux_net_ops = { 7486 .init = selinux_nf_register, 7487 .exit = selinux_nf_unregister, 7488 }; 7489 7490 static int __init selinux_nf_ip_init(void) 7491 { 7492 int err; 7493 7494 if (!selinux_enabled_boot) 7495 return 0; 7496 7497 pr_debug("SELinux: Registering netfilter hooks\n"); 7498 7499 err = register_pernet_subsys(&selinux_net_ops); 7500 if (err) 7501 panic("SELinux: register_pernet_subsys: error %d\n", err); 7502 7503 return 0; 7504 } 7505 __initcall(selinux_nf_ip_init); 7506 7507 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7508 static void selinux_nf_ip_exit(void) 7509 { 7510 pr_debug("SELinux: Unregistering netfilter hooks\n"); 7511 7512 unregister_pernet_subsys(&selinux_net_ops); 7513 } 7514 #endif 7515 7516 #else /* CONFIG_NETFILTER */ 7517 7518 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7519 #define selinux_nf_ip_exit() 7520 #endif 7521 7522 #endif /* CONFIG_NETFILTER */ 7523 7524 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7525 int selinux_disable(struct selinux_state *state) 7526 { 7527 if (selinux_initialized(state)) { 7528 /* Not permitted after initial policy load. */ 7529 return -EINVAL; 7530 } 7531 7532 if (selinux_disabled(state)) { 7533 /* Only do this once. */ 7534 return -EINVAL; 7535 } 7536 7537 selinux_mark_disabled(state); 7538 7539 pr_info("SELinux: Disabled at runtime.\n"); 7540 7541 /* 7542 * Unregister netfilter hooks. 7543 * Must be done before security_delete_hooks() to avoid breaking 7544 * runtime disable. 7545 */ 7546 selinux_nf_ip_exit(); 7547 7548 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7549 7550 /* Try to destroy the avc node cache */ 7551 avc_disable(); 7552 7553 /* Unregister selinuxfs. */ 7554 exit_sel_fs(); 7555 7556 return 0; 7557 } 7558 #endif 7559