1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * Copyright (C) 2016 Mellanox Technologies 21 * 22 * This program is free software; you can redistribute it and/or modify 23 * it under the terms of the GNU General Public License version 2, 24 * as published by the Free Software Foundation. 25 */ 26 27 #include <linux/init.h> 28 #include <linux/kd.h> 29 #include <linux/kernel.h> 30 #include <linux/tracehook.h> 31 #include <linux/errno.h> 32 #include <linux/sched/signal.h> 33 #include <linux/sched/task.h> 34 #include <linux/lsm_hooks.h> 35 #include <linux/xattr.h> 36 #include <linux/capability.h> 37 #include <linux/unistd.h> 38 #include <linux/mm.h> 39 #include <linux/mman.h> 40 #include <linux/slab.h> 41 #include <linux/pagemap.h> 42 #include <linux/proc_fs.h> 43 #include <linux/swap.h> 44 #include <linux/spinlock.h> 45 #include <linux/syscalls.h> 46 #include <linux/dcache.h> 47 #include <linux/file.h> 48 #include <linux/fdtable.h> 49 #include <linux/namei.h> 50 #include <linux/mount.h> 51 #include <linux/netfilter_ipv4.h> 52 #include <linux/netfilter_ipv6.h> 53 #include <linux/tty.h> 54 #include <net/icmp.h> 55 #include <net/ip.h> /* for local_port_range[] */ 56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 57 #include <net/inet_connection_sock.h> 58 #include <net/net_namespace.h> 59 #include <net/netlabel.h> 60 #include <linux/uaccess.h> 61 #include <asm/ioctls.h> 62 #include <linux/atomic.h> 63 #include <linux/bitops.h> 64 #include <linux/interrupt.h> 65 #include <linux/netdevice.h> /* for network interface checks */ 66 #include <net/netlink.h> 67 #include <linux/tcp.h> 68 #include <linux/udp.h> 69 #include <linux/dccp.h> 70 #include <linux/quota.h> 71 #include <linux/un.h> /* for Unix socket types */ 72 #include <net/af_unix.h> /* for Unix socket types */ 73 #include <linux/parser.h> 74 #include <linux/nfs_mount.h> 75 #include <net/ipv6.h> 76 #include <linux/hugetlb.h> 77 #include <linux/personality.h> 78 #include <linux/audit.h> 79 #include <linux/string.h> 80 #include <linux/selinux.h> 81 #include <linux/mutex.h> 82 #include <linux/posix-timers.h> 83 #include <linux/syslog.h> 84 #include <linux/user_namespace.h> 85 #include <linux/export.h> 86 #include <linux/msg.h> 87 #include <linux/shm.h> 88 89 #include "avc.h" 90 #include "objsec.h" 91 #include "netif.h" 92 #include "netnode.h" 93 #include "netport.h" 94 #include "ibpkey.h" 95 #include "xfrm.h" 96 #include "netlabel.h" 97 #include "audit.h" 98 #include "avc_ss.h" 99 100 /* SECMARK reference count */ 101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 102 103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 104 int selinux_enforcing; 105 106 static int __init enforcing_setup(char *str) 107 { 108 unsigned long enforcing; 109 if (!kstrtoul(str, 0, &enforcing)) 110 selinux_enforcing = enforcing ? 1 : 0; 111 return 1; 112 } 113 __setup("enforcing=", enforcing_setup); 114 #endif 115 116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 118 119 static int __init selinux_enabled_setup(char *str) 120 { 121 unsigned long enabled; 122 if (!kstrtoul(str, 0, &enabled)) 123 selinux_enabled = enabled ? 1 : 0; 124 return 1; 125 } 126 __setup("selinux=", selinux_enabled_setup); 127 #else 128 int selinux_enabled = 1; 129 #endif 130 131 static struct kmem_cache *sel_inode_cache; 132 static struct kmem_cache *file_security_cache; 133 134 /** 135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 136 * 137 * Description: 138 * This function checks the SECMARK reference counter to see if any SECMARK 139 * targets are currently configured, if the reference counter is greater than 140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 141 * enabled, false (0) if SECMARK is disabled. If the always_check_network 142 * policy capability is enabled, SECMARK is always considered enabled. 143 * 144 */ 145 static int selinux_secmark_enabled(void) 146 { 147 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount)); 148 } 149 150 /** 151 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 152 * 153 * Description: 154 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 155 * (1) if any are enabled or false (0) if neither are enabled. If the 156 * always_check_network policy capability is enabled, peer labeling 157 * is always considered enabled. 158 * 159 */ 160 static int selinux_peerlbl_enabled(void) 161 { 162 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled()); 163 } 164 165 static int selinux_netcache_avc_callback(u32 event) 166 { 167 if (event == AVC_CALLBACK_RESET) { 168 sel_netif_flush(); 169 sel_netnode_flush(); 170 sel_netport_flush(); 171 synchronize_net(); 172 } 173 return 0; 174 } 175 176 static int selinux_lsm_notifier_avc_callback(u32 event) 177 { 178 if (event == AVC_CALLBACK_RESET) { 179 sel_ib_pkey_flush(); 180 call_lsm_notifier(LSM_POLICY_CHANGE, NULL); 181 } 182 183 return 0; 184 } 185 186 /* 187 * initialise the security for the init task 188 */ 189 static void cred_init_security(void) 190 { 191 struct cred *cred = (struct cred *) current->real_cred; 192 struct task_security_struct *tsec; 193 194 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 195 if (!tsec) 196 panic("SELinux: Failed to initialize initial task.\n"); 197 198 tsec->osid = tsec->sid = SECINITSID_KERNEL; 199 cred->security = tsec; 200 } 201 202 /* 203 * get the security ID of a set of credentials 204 */ 205 static inline u32 cred_sid(const struct cred *cred) 206 { 207 const struct task_security_struct *tsec; 208 209 tsec = cred->security; 210 return tsec->sid; 211 } 212 213 /* 214 * get the objective security ID of a task 215 */ 216 static inline u32 task_sid(const struct task_struct *task) 217 { 218 u32 sid; 219 220 rcu_read_lock(); 221 sid = cred_sid(__task_cred(task)); 222 rcu_read_unlock(); 223 return sid; 224 } 225 226 /* Allocate and free functions for each kind of security blob. */ 227 228 static int inode_alloc_security(struct inode *inode) 229 { 230 struct inode_security_struct *isec; 231 u32 sid = current_sid(); 232 233 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 234 if (!isec) 235 return -ENOMEM; 236 237 spin_lock_init(&isec->lock); 238 INIT_LIST_HEAD(&isec->list); 239 isec->inode = inode; 240 isec->sid = SECINITSID_UNLABELED; 241 isec->sclass = SECCLASS_FILE; 242 isec->task_sid = sid; 243 isec->initialized = LABEL_INVALID; 244 inode->i_security = isec; 245 246 return 0; 247 } 248 249 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 250 251 /* 252 * Try reloading inode security labels that have been marked as invalid. The 253 * @may_sleep parameter indicates when sleeping and thus reloading labels is 254 * allowed; when set to false, returns -ECHILD when the label is 255 * invalid. The @opt_dentry parameter should be set to a dentry of the inode; 256 * when no dentry is available, set it to NULL instead. 257 */ 258 static int __inode_security_revalidate(struct inode *inode, 259 struct dentry *opt_dentry, 260 bool may_sleep) 261 { 262 struct inode_security_struct *isec = inode->i_security; 263 264 might_sleep_if(may_sleep); 265 266 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) { 267 if (!may_sleep) 268 return -ECHILD; 269 270 /* 271 * Try reloading the inode security label. This will fail if 272 * @opt_dentry is NULL and no dentry for this inode can be 273 * found; in that case, continue using the old label. 274 */ 275 inode_doinit_with_dentry(inode, opt_dentry); 276 } 277 return 0; 278 } 279 280 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 281 { 282 return inode->i_security; 283 } 284 285 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 286 { 287 int error; 288 289 error = __inode_security_revalidate(inode, NULL, !rcu); 290 if (error) 291 return ERR_PTR(error); 292 return inode->i_security; 293 } 294 295 /* 296 * Get the security label of an inode. 297 */ 298 static struct inode_security_struct *inode_security(struct inode *inode) 299 { 300 __inode_security_revalidate(inode, NULL, true); 301 return inode->i_security; 302 } 303 304 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 305 { 306 struct inode *inode = d_backing_inode(dentry); 307 308 return inode->i_security; 309 } 310 311 /* 312 * Get the security label of a dentry's backing inode. 313 */ 314 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 315 { 316 struct inode *inode = d_backing_inode(dentry); 317 318 __inode_security_revalidate(inode, dentry, true); 319 return inode->i_security; 320 } 321 322 static void inode_free_rcu(struct rcu_head *head) 323 { 324 struct inode_security_struct *isec; 325 326 isec = container_of(head, struct inode_security_struct, rcu); 327 kmem_cache_free(sel_inode_cache, isec); 328 } 329 330 static void inode_free_security(struct inode *inode) 331 { 332 struct inode_security_struct *isec = inode->i_security; 333 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 334 335 /* 336 * As not all inode security structures are in a list, we check for 337 * empty list outside of the lock to make sure that we won't waste 338 * time taking a lock doing nothing. 339 * 340 * The list_del_init() function can be safely called more than once. 341 * It should not be possible for this function to be called with 342 * concurrent list_add(), but for better safety against future changes 343 * in the code, we use list_empty_careful() here. 344 */ 345 if (!list_empty_careful(&isec->list)) { 346 spin_lock(&sbsec->isec_lock); 347 list_del_init(&isec->list); 348 spin_unlock(&sbsec->isec_lock); 349 } 350 351 /* 352 * The inode may still be referenced in a path walk and 353 * a call to selinux_inode_permission() can be made 354 * after inode_free_security() is called. Ideally, the VFS 355 * wouldn't do this, but fixing that is a much harder 356 * job. For now, simply free the i_security via RCU, and 357 * leave the current inode->i_security pointer intact. 358 * The inode will be freed after the RCU grace period too. 359 */ 360 call_rcu(&isec->rcu, inode_free_rcu); 361 } 362 363 static int file_alloc_security(struct file *file) 364 { 365 struct file_security_struct *fsec; 366 u32 sid = current_sid(); 367 368 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); 369 if (!fsec) 370 return -ENOMEM; 371 372 fsec->sid = sid; 373 fsec->fown_sid = sid; 374 file->f_security = fsec; 375 376 return 0; 377 } 378 379 static void file_free_security(struct file *file) 380 { 381 struct file_security_struct *fsec = file->f_security; 382 file->f_security = NULL; 383 kmem_cache_free(file_security_cache, fsec); 384 } 385 386 static int superblock_alloc_security(struct super_block *sb) 387 { 388 struct superblock_security_struct *sbsec; 389 390 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 391 if (!sbsec) 392 return -ENOMEM; 393 394 mutex_init(&sbsec->lock); 395 INIT_LIST_HEAD(&sbsec->isec_head); 396 spin_lock_init(&sbsec->isec_lock); 397 sbsec->sb = sb; 398 sbsec->sid = SECINITSID_UNLABELED; 399 sbsec->def_sid = SECINITSID_FILE; 400 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 401 sb->s_security = sbsec; 402 403 return 0; 404 } 405 406 static void superblock_free_security(struct super_block *sb) 407 { 408 struct superblock_security_struct *sbsec = sb->s_security; 409 sb->s_security = NULL; 410 kfree(sbsec); 411 } 412 413 static inline int inode_doinit(struct inode *inode) 414 { 415 return inode_doinit_with_dentry(inode, NULL); 416 } 417 418 enum { 419 Opt_error = -1, 420 Opt_context = 1, 421 Opt_fscontext = 2, 422 Opt_defcontext = 3, 423 Opt_rootcontext = 4, 424 Opt_labelsupport = 5, 425 Opt_nextmntopt = 6, 426 }; 427 428 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1) 429 430 static const match_table_t tokens = { 431 {Opt_context, CONTEXT_STR "%s"}, 432 {Opt_fscontext, FSCONTEXT_STR "%s"}, 433 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 434 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 435 {Opt_labelsupport, LABELSUPP_STR}, 436 {Opt_error, NULL}, 437 }; 438 439 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 440 441 static int may_context_mount_sb_relabel(u32 sid, 442 struct superblock_security_struct *sbsec, 443 const struct cred *cred) 444 { 445 const struct task_security_struct *tsec = cred->security; 446 int rc; 447 448 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 449 FILESYSTEM__RELABELFROM, NULL); 450 if (rc) 451 return rc; 452 453 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 454 FILESYSTEM__RELABELTO, NULL); 455 return rc; 456 } 457 458 static int may_context_mount_inode_relabel(u32 sid, 459 struct superblock_security_struct *sbsec, 460 const struct cred *cred) 461 { 462 const struct task_security_struct *tsec = cred->security; 463 int rc; 464 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 465 FILESYSTEM__RELABELFROM, NULL); 466 if (rc) 467 return rc; 468 469 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 470 FILESYSTEM__ASSOCIATE, NULL); 471 return rc; 472 } 473 474 static int selinux_is_sblabel_mnt(struct super_block *sb) 475 { 476 struct superblock_security_struct *sbsec = sb->s_security; 477 478 return sbsec->behavior == SECURITY_FS_USE_XATTR || 479 sbsec->behavior == SECURITY_FS_USE_TRANS || 480 sbsec->behavior == SECURITY_FS_USE_TASK || 481 sbsec->behavior == SECURITY_FS_USE_NATIVE || 482 /* Special handling. Genfs but also in-core setxattr handler */ 483 !strcmp(sb->s_type->name, "sysfs") || 484 !strcmp(sb->s_type->name, "pstore") || 485 !strcmp(sb->s_type->name, "debugfs") || 486 !strcmp(sb->s_type->name, "tracefs") || 487 !strcmp(sb->s_type->name, "rootfs") || 488 (selinux_policycap_cgroupseclabel && 489 (!strcmp(sb->s_type->name, "cgroup") || 490 !strcmp(sb->s_type->name, "cgroup2"))); 491 } 492 493 static int sb_finish_set_opts(struct super_block *sb) 494 { 495 struct superblock_security_struct *sbsec = sb->s_security; 496 struct dentry *root = sb->s_root; 497 struct inode *root_inode = d_backing_inode(root); 498 int rc = 0; 499 500 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 501 /* Make sure that the xattr handler exists and that no 502 error other than -ENODATA is returned by getxattr on 503 the root directory. -ENODATA is ok, as this may be 504 the first boot of the SELinux kernel before we have 505 assigned xattr values to the filesystem. */ 506 if (!(root_inode->i_opflags & IOP_XATTR)) { 507 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 508 "xattr support\n", sb->s_id, sb->s_type->name); 509 rc = -EOPNOTSUPP; 510 goto out; 511 } 512 513 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 514 if (rc < 0 && rc != -ENODATA) { 515 if (rc == -EOPNOTSUPP) 516 printk(KERN_WARNING "SELinux: (dev %s, type " 517 "%s) has no security xattr handler\n", 518 sb->s_id, sb->s_type->name); 519 else 520 printk(KERN_WARNING "SELinux: (dev %s, type " 521 "%s) getxattr errno %d\n", sb->s_id, 522 sb->s_type->name, -rc); 523 goto out; 524 } 525 } 526 527 sbsec->flags |= SE_SBINITIALIZED; 528 529 /* 530 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 531 * leave the flag untouched because sb_clone_mnt_opts might be handing 532 * us a superblock that needs the flag to be cleared. 533 */ 534 if (selinux_is_sblabel_mnt(sb)) 535 sbsec->flags |= SBLABEL_MNT; 536 else 537 sbsec->flags &= ~SBLABEL_MNT; 538 539 /* Initialize the root inode. */ 540 rc = inode_doinit_with_dentry(root_inode, root); 541 542 /* Initialize any other inodes associated with the superblock, e.g. 543 inodes created prior to initial policy load or inodes created 544 during get_sb by a pseudo filesystem that directly 545 populates itself. */ 546 spin_lock(&sbsec->isec_lock); 547 next_inode: 548 if (!list_empty(&sbsec->isec_head)) { 549 struct inode_security_struct *isec = 550 list_entry(sbsec->isec_head.next, 551 struct inode_security_struct, list); 552 struct inode *inode = isec->inode; 553 list_del_init(&isec->list); 554 spin_unlock(&sbsec->isec_lock); 555 inode = igrab(inode); 556 if (inode) { 557 if (!IS_PRIVATE(inode)) 558 inode_doinit(inode); 559 iput(inode); 560 } 561 spin_lock(&sbsec->isec_lock); 562 goto next_inode; 563 } 564 spin_unlock(&sbsec->isec_lock); 565 out: 566 return rc; 567 } 568 569 /* 570 * This function should allow an FS to ask what it's mount security 571 * options were so it can use those later for submounts, displaying 572 * mount options, or whatever. 573 */ 574 static int selinux_get_mnt_opts(const struct super_block *sb, 575 struct security_mnt_opts *opts) 576 { 577 int rc = 0, i; 578 struct superblock_security_struct *sbsec = sb->s_security; 579 char *context = NULL; 580 u32 len; 581 char tmp; 582 583 security_init_mnt_opts(opts); 584 585 if (!(sbsec->flags & SE_SBINITIALIZED)) 586 return -EINVAL; 587 588 if (!ss_initialized) 589 return -EINVAL; 590 591 /* make sure we always check enough bits to cover the mask */ 592 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS)); 593 594 tmp = sbsec->flags & SE_MNTMASK; 595 /* count the number of mount options for this sb */ 596 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) { 597 if (tmp & 0x01) 598 opts->num_mnt_opts++; 599 tmp >>= 1; 600 } 601 /* Check if the Label support flag is set */ 602 if (sbsec->flags & SBLABEL_MNT) 603 opts->num_mnt_opts++; 604 605 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 606 if (!opts->mnt_opts) { 607 rc = -ENOMEM; 608 goto out_free; 609 } 610 611 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 612 if (!opts->mnt_opts_flags) { 613 rc = -ENOMEM; 614 goto out_free; 615 } 616 617 i = 0; 618 if (sbsec->flags & FSCONTEXT_MNT) { 619 rc = security_sid_to_context(sbsec->sid, &context, &len); 620 if (rc) 621 goto out_free; 622 opts->mnt_opts[i] = context; 623 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 624 } 625 if (sbsec->flags & CONTEXT_MNT) { 626 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 627 if (rc) 628 goto out_free; 629 opts->mnt_opts[i] = context; 630 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 631 } 632 if (sbsec->flags & DEFCONTEXT_MNT) { 633 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 634 if (rc) 635 goto out_free; 636 opts->mnt_opts[i] = context; 637 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 638 } 639 if (sbsec->flags & ROOTCONTEXT_MNT) { 640 struct dentry *root = sbsec->sb->s_root; 641 struct inode_security_struct *isec = backing_inode_security(root); 642 643 rc = security_sid_to_context(isec->sid, &context, &len); 644 if (rc) 645 goto out_free; 646 opts->mnt_opts[i] = context; 647 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 648 } 649 if (sbsec->flags & SBLABEL_MNT) { 650 opts->mnt_opts[i] = NULL; 651 opts->mnt_opts_flags[i++] = SBLABEL_MNT; 652 } 653 654 BUG_ON(i != opts->num_mnt_opts); 655 656 return 0; 657 658 out_free: 659 security_free_mnt_opts(opts); 660 return rc; 661 } 662 663 static int bad_option(struct superblock_security_struct *sbsec, char flag, 664 u32 old_sid, u32 new_sid) 665 { 666 char mnt_flags = sbsec->flags & SE_MNTMASK; 667 668 /* check if the old mount command had the same options */ 669 if (sbsec->flags & SE_SBINITIALIZED) 670 if (!(sbsec->flags & flag) || 671 (old_sid != new_sid)) 672 return 1; 673 674 /* check if we were passed the same options twice, 675 * aka someone passed context=a,context=b 676 */ 677 if (!(sbsec->flags & SE_SBINITIALIZED)) 678 if (mnt_flags & flag) 679 return 1; 680 return 0; 681 } 682 683 /* 684 * Allow filesystems with binary mount data to explicitly set mount point 685 * labeling information. 686 */ 687 static int selinux_set_mnt_opts(struct super_block *sb, 688 struct security_mnt_opts *opts, 689 unsigned long kern_flags, 690 unsigned long *set_kern_flags) 691 { 692 const struct cred *cred = current_cred(); 693 int rc = 0, i; 694 struct superblock_security_struct *sbsec = sb->s_security; 695 const char *name = sb->s_type->name; 696 struct dentry *root = sbsec->sb->s_root; 697 struct inode_security_struct *root_isec; 698 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 699 u32 defcontext_sid = 0; 700 char **mount_options = opts->mnt_opts; 701 int *flags = opts->mnt_opts_flags; 702 int num_opts = opts->num_mnt_opts; 703 704 mutex_lock(&sbsec->lock); 705 706 if (!ss_initialized) { 707 if (!num_opts) { 708 /* Defer initialization until selinux_complete_init, 709 after the initial policy is loaded and the security 710 server is ready to handle calls. */ 711 goto out; 712 } 713 rc = -EINVAL; 714 printk(KERN_WARNING "SELinux: Unable to set superblock options " 715 "before the security server is initialized\n"); 716 goto out; 717 } 718 if (kern_flags && !set_kern_flags) { 719 /* Specifying internal flags without providing a place to 720 * place the results is not allowed */ 721 rc = -EINVAL; 722 goto out; 723 } 724 725 /* 726 * Binary mount data FS will come through this function twice. Once 727 * from an explicit call and once from the generic calls from the vfs. 728 * Since the generic VFS calls will not contain any security mount data 729 * we need to skip the double mount verification. 730 * 731 * This does open a hole in which we will not notice if the first 732 * mount using this sb set explict options and a second mount using 733 * this sb does not set any security options. (The first options 734 * will be used for both mounts) 735 */ 736 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 737 && (num_opts == 0)) 738 goto out; 739 740 root_isec = backing_inode_security_novalidate(root); 741 742 /* 743 * parse the mount options, check if they are valid sids. 744 * also check if someone is trying to mount the same sb more 745 * than once with different security options. 746 */ 747 for (i = 0; i < num_opts; i++) { 748 u32 sid; 749 750 if (flags[i] == SBLABEL_MNT) 751 continue; 752 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 753 if (rc) { 754 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 755 "(%s) failed for (dev %s, type %s) errno=%d\n", 756 mount_options[i], sb->s_id, name, rc); 757 goto out; 758 } 759 switch (flags[i]) { 760 case FSCONTEXT_MNT: 761 fscontext_sid = sid; 762 763 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 764 fscontext_sid)) 765 goto out_double_mount; 766 767 sbsec->flags |= FSCONTEXT_MNT; 768 break; 769 case CONTEXT_MNT: 770 context_sid = sid; 771 772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 773 context_sid)) 774 goto out_double_mount; 775 776 sbsec->flags |= CONTEXT_MNT; 777 break; 778 case ROOTCONTEXT_MNT: 779 rootcontext_sid = sid; 780 781 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 782 rootcontext_sid)) 783 goto out_double_mount; 784 785 sbsec->flags |= ROOTCONTEXT_MNT; 786 787 break; 788 case DEFCONTEXT_MNT: 789 defcontext_sid = sid; 790 791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 792 defcontext_sid)) 793 goto out_double_mount; 794 795 sbsec->flags |= DEFCONTEXT_MNT; 796 797 break; 798 default: 799 rc = -EINVAL; 800 goto out; 801 } 802 } 803 804 if (sbsec->flags & SE_SBINITIALIZED) { 805 /* previously mounted with options, but not on this attempt? */ 806 if ((sbsec->flags & SE_MNTMASK) && !num_opts) 807 goto out_double_mount; 808 rc = 0; 809 goto out; 810 } 811 812 if (strcmp(sb->s_type->name, "proc") == 0) 813 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 814 815 if (!strcmp(sb->s_type->name, "debugfs") || 816 !strcmp(sb->s_type->name, "tracefs") || 817 !strcmp(sb->s_type->name, "sysfs") || 818 !strcmp(sb->s_type->name, "pstore")) 819 sbsec->flags |= SE_SBGENFS; 820 821 if (!sbsec->behavior) { 822 /* 823 * Determine the labeling behavior to use for this 824 * filesystem type. 825 */ 826 rc = security_fs_use(sb); 827 if (rc) { 828 printk(KERN_WARNING 829 "%s: security_fs_use(%s) returned %d\n", 830 __func__, sb->s_type->name, rc); 831 goto out; 832 } 833 } 834 835 /* 836 * If this is a user namespace mount and the filesystem type is not 837 * explicitly whitelisted, then no contexts are allowed on the command 838 * line and security labels must be ignored. 839 */ 840 if (sb->s_user_ns != &init_user_ns && 841 strcmp(sb->s_type->name, "tmpfs") && 842 strcmp(sb->s_type->name, "ramfs") && 843 strcmp(sb->s_type->name, "devpts")) { 844 if (context_sid || fscontext_sid || rootcontext_sid || 845 defcontext_sid) { 846 rc = -EACCES; 847 goto out; 848 } 849 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 850 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 851 rc = security_transition_sid(current_sid(), current_sid(), 852 SECCLASS_FILE, NULL, 853 &sbsec->mntpoint_sid); 854 if (rc) 855 goto out; 856 } 857 goto out_set_opts; 858 } 859 860 /* sets the context of the superblock for the fs being mounted. */ 861 if (fscontext_sid) { 862 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 863 if (rc) 864 goto out; 865 866 sbsec->sid = fscontext_sid; 867 } 868 869 /* 870 * Switch to using mount point labeling behavior. 871 * sets the label used on all file below the mountpoint, and will set 872 * the superblock context if not already set. 873 */ 874 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 875 sbsec->behavior = SECURITY_FS_USE_NATIVE; 876 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 877 } 878 879 if (context_sid) { 880 if (!fscontext_sid) { 881 rc = may_context_mount_sb_relabel(context_sid, sbsec, 882 cred); 883 if (rc) 884 goto out; 885 sbsec->sid = context_sid; 886 } else { 887 rc = may_context_mount_inode_relabel(context_sid, sbsec, 888 cred); 889 if (rc) 890 goto out; 891 } 892 if (!rootcontext_sid) 893 rootcontext_sid = context_sid; 894 895 sbsec->mntpoint_sid = context_sid; 896 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 897 } 898 899 if (rootcontext_sid) { 900 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 901 cred); 902 if (rc) 903 goto out; 904 905 root_isec->sid = rootcontext_sid; 906 root_isec->initialized = LABEL_INITIALIZED; 907 } 908 909 if (defcontext_sid) { 910 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 911 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 912 rc = -EINVAL; 913 printk(KERN_WARNING "SELinux: defcontext option is " 914 "invalid for this filesystem type\n"); 915 goto out; 916 } 917 918 if (defcontext_sid != sbsec->def_sid) { 919 rc = may_context_mount_inode_relabel(defcontext_sid, 920 sbsec, cred); 921 if (rc) 922 goto out; 923 } 924 925 sbsec->def_sid = defcontext_sid; 926 } 927 928 out_set_opts: 929 rc = sb_finish_set_opts(sb); 930 out: 931 mutex_unlock(&sbsec->lock); 932 return rc; 933 out_double_mount: 934 rc = -EINVAL; 935 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 936 "security settings for (dev %s, type %s)\n", sb->s_id, name); 937 goto out; 938 } 939 940 static int selinux_cmp_sb_context(const struct super_block *oldsb, 941 const struct super_block *newsb) 942 { 943 struct superblock_security_struct *old = oldsb->s_security; 944 struct superblock_security_struct *new = newsb->s_security; 945 char oldflags = old->flags & SE_MNTMASK; 946 char newflags = new->flags & SE_MNTMASK; 947 948 if (oldflags != newflags) 949 goto mismatch; 950 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 951 goto mismatch; 952 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 953 goto mismatch; 954 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 955 goto mismatch; 956 if (oldflags & ROOTCONTEXT_MNT) { 957 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 958 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 959 if (oldroot->sid != newroot->sid) 960 goto mismatch; 961 } 962 return 0; 963 mismatch: 964 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, " 965 "different security settings for (dev %s, " 966 "type %s)\n", newsb->s_id, newsb->s_type->name); 967 return -EBUSY; 968 } 969 970 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 971 struct super_block *newsb, 972 unsigned long kern_flags, 973 unsigned long *set_kern_flags) 974 { 975 int rc = 0; 976 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 977 struct superblock_security_struct *newsbsec = newsb->s_security; 978 979 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 980 int set_context = (oldsbsec->flags & CONTEXT_MNT); 981 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 982 983 /* 984 * if the parent was able to be mounted it clearly had no special lsm 985 * mount options. thus we can safely deal with this superblock later 986 */ 987 if (!ss_initialized) 988 return 0; 989 990 /* 991 * Specifying internal flags without providing a place to 992 * place the results is not allowed. 993 */ 994 if (kern_flags && !set_kern_flags) 995 return -EINVAL; 996 997 /* how can we clone if the old one wasn't set up?? */ 998 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 999 1000 /* if fs is reusing a sb, make sure that the contexts match */ 1001 if (newsbsec->flags & SE_SBINITIALIZED) 1002 return selinux_cmp_sb_context(oldsb, newsb); 1003 1004 mutex_lock(&newsbsec->lock); 1005 1006 newsbsec->flags = oldsbsec->flags; 1007 1008 newsbsec->sid = oldsbsec->sid; 1009 newsbsec->def_sid = oldsbsec->def_sid; 1010 newsbsec->behavior = oldsbsec->behavior; 1011 1012 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 1013 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 1014 rc = security_fs_use(newsb); 1015 if (rc) 1016 goto out; 1017 } 1018 1019 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 1020 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 1021 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 1022 } 1023 1024 if (set_context) { 1025 u32 sid = oldsbsec->mntpoint_sid; 1026 1027 if (!set_fscontext) 1028 newsbsec->sid = sid; 1029 if (!set_rootcontext) { 1030 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1031 newisec->sid = sid; 1032 } 1033 newsbsec->mntpoint_sid = sid; 1034 } 1035 if (set_rootcontext) { 1036 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 1037 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1038 1039 newisec->sid = oldisec->sid; 1040 } 1041 1042 sb_finish_set_opts(newsb); 1043 out: 1044 mutex_unlock(&newsbsec->lock); 1045 return rc; 1046 } 1047 1048 static int selinux_parse_opts_str(char *options, 1049 struct security_mnt_opts *opts) 1050 { 1051 char *p; 1052 char *context = NULL, *defcontext = NULL; 1053 char *fscontext = NULL, *rootcontext = NULL; 1054 int rc, num_mnt_opts = 0; 1055 1056 opts->num_mnt_opts = 0; 1057 1058 /* Standard string-based options. */ 1059 while ((p = strsep(&options, "|")) != NULL) { 1060 int token; 1061 substring_t args[MAX_OPT_ARGS]; 1062 1063 if (!*p) 1064 continue; 1065 1066 token = match_token(p, tokens, args); 1067 1068 switch (token) { 1069 case Opt_context: 1070 if (context || defcontext) { 1071 rc = -EINVAL; 1072 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1073 goto out_err; 1074 } 1075 context = match_strdup(&args[0]); 1076 if (!context) { 1077 rc = -ENOMEM; 1078 goto out_err; 1079 } 1080 break; 1081 1082 case Opt_fscontext: 1083 if (fscontext) { 1084 rc = -EINVAL; 1085 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1086 goto out_err; 1087 } 1088 fscontext = match_strdup(&args[0]); 1089 if (!fscontext) { 1090 rc = -ENOMEM; 1091 goto out_err; 1092 } 1093 break; 1094 1095 case Opt_rootcontext: 1096 if (rootcontext) { 1097 rc = -EINVAL; 1098 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1099 goto out_err; 1100 } 1101 rootcontext = match_strdup(&args[0]); 1102 if (!rootcontext) { 1103 rc = -ENOMEM; 1104 goto out_err; 1105 } 1106 break; 1107 1108 case Opt_defcontext: 1109 if (context || defcontext) { 1110 rc = -EINVAL; 1111 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1112 goto out_err; 1113 } 1114 defcontext = match_strdup(&args[0]); 1115 if (!defcontext) { 1116 rc = -ENOMEM; 1117 goto out_err; 1118 } 1119 break; 1120 case Opt_labelsupport: 1121 break; 1122 default: 1123 rc = -EINVAL; 1124 printk(KERN_WARNING "SELinux: unknown mount option\n"); 1125 goto out_err; 1126 1127 } 1128 } 1129 1130 rc = -ENOMEM; 1131 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL); 1132 if (!opts->mnt_opts) 1133 goto out_err; 1134 1135 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), 1136 GFP_KERNEL); 1137 if (!opts->mnt_opts_flags) 1138 goto out_err; 1139 1140 if (fscontext) { 1141 opts->mnt_opts[num_mnt_opts] = fscontext; 1142 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 1143 } 1144 if (context) { 1145 opts->mnt_opts[num_mnt_opts] = context; 1146 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 1147 } 1148 if (rootcontext) { 1149 opts->mnt_opts[num_mnt_opts] = rootcontext; 1150 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 1151 } 1152 if (defcontext) { 1153 opts->mnt_opts[num_mnt_opts] = defcontext; 1154 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 1155 } 1156 1157 opts->num_mnt_opts = num_mnt_opts; 1158 return 0; 1159 1160 out_err: 1161 security_free_mnt_opts(opts); 1162 kfree(context); 1163 kfree(defcontext); 1164 kfree(fscontext); 1165 kfree(rootcontext); 1166 return rc; 1167 } 1168 /* 1169 * string mount options parsing and call set the sbsec 1170 */ 1171 static int superblock_doinit(struct super_block *sb, void *data) 1172 { 1173 int rc = 0; 1174 char *options = data; 1175 struct security_mnt_opts opts; 1176 1177 security_init_mnt_opts(&opts); 1178 1179 if (!data) 1180 goto out; 1181 1182 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 1183 1184 rc = selinux_parse_opts_str(options, &opts); 1185 if (rc) 1186 goto out_err; 1187 1188 out: 1189 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL); 1190 1191 out_err: 1192 security_free_mnt_opts(&opts); 1193 return rc; 1194 } 1195 1196 static void selinux_write_opts(struct seq_file *m, 1197 struct security_mnt_opts *opts) 1198 { 1199 int i; 1200 char *prefix; 1201 1202 for (i = 0; i < opts->num_mnt_opts; i++) { 1203 char *has_comma; 1204 1205 if (opts->mnt_opts[i]) 1206 has_comma = strchr(opts->mnt_opts[i], ','); 1207 else 1208 has_comma = NULL; 1209 1210 switch (opts->mnt_opts_flags[i]) { 1211 case CONTEXT_MNT: 1212 prefix = CONTEXT_STR; 1213 break; 1214 case FSCONTEXT_MNT: 1215 prefix = FSCONTEXT_STR; 1216 break; 1217 case ROOTCONTEXT_MNT: 1218 prefix = ROOTCONTEXT_STR; 1219 break; 1220 case DEFCONTEXT_MNT: 1221 prefix = DEFCONTEXT_STR; 1222 break; 1223 case SBLABEL_MNT: 1224 seq_putc(m, ','); 1225 seq_puts(m, LABELSUPP_STR); 1226 continue; 1227 default: 1228 BUG(); 1229 return; 1230 }; 1231 /* we need a comma before each option */ 1232 seq_putc(m, ','); 1233 seq_puts(m, prefix); 1234 if (has_comma) 1235 seq_putc(m, '\"'); 1236 seq_escape(m, opts->mnt_opts[i], "\"\n\\"); 1237 if (has_comma) 1238 seq_putc(m, '\"'); 1239 } 1240 } 1241 1242 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1243 { 1244 struct security_mnt_opts opts; 1245 int rc; 1246 1247 rc = selinux_get_mnt_opts(sb, &opts); 1248 if (rc) { 1249 /* before policy load we may get EINVAL, don't show anything */ 1250 if (rc == -EINVAL) 1251 rc = 0; 1252 return rc; 1253 } 1254 1255 selinux_write_opts(m, &opts); 1256 1257 security_free_mnt_opts(&opts); 1258 1259 return rc; 1260 } 1261 1262 static inline u16 inode_mode_to_security_class(umode_t mode) 1263 { 1264 switch (mode & S_IFMT) { 1265 case S_IFSOCK: 1266 return SECCLASS_SOCK_FILE; 1267 case S_IFLNK: 1268 return SECCLASS_LNK_FILE; 1269 case S_IFREG: 1270 return SECCLASS_FILE; 1271 case S_IFBLK: 1272 return SECCLASS_BLK_FILE; 1273 case S_IFDIR: 1274 return SECCLASS_DIR; 1275 case S_IFCHR: 1276 return SECCLASS_CHR_FILE; 1277 case S_IFIFO: 1278 return SECCLASS_FIFO_FILE; 1279 1280 } 1281 1282 return SECCLASS_FILE; 1283 } 1284 1285 static inline int default_protocol_stream(int protocol) 1286 { 1287 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1288 } 1289 1290 static inline int default_protocol_dgram(int protocol) 1291 { 1292 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1293 } 1294 1295 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1296 { 1297 int extsockclass = selinux_policycap_extsockclass; 1298 1299 switch (family) { 1300 case PF_UNIX: 1301 switch (type) { 1302 case SOCK_STREAM: 1303 case SOCK_SEQPACKET: 1304 return SECCLASS_UNIX_STREAM_SOCKET; 1305 case SOCK_DGRAM: 1306 return SECCLASS_UNIX_DGRAM_SOCKET; 1307 } 1308 break; 1309 case PF_INET: 1310 case PF_INET6: 1311 switch (type) { 1312 case SOCK_STREAM: 1313 case SOCK_SEQPACKET: 1314 if (default_protocol_stream(protocol)) 1315 return SECCLASS_TCP_SOCKET; 1316 else if (extsockclass && protocol == IPPROTO_SCTP) 1317 return SECCLASS_SCTP_SOCKET; 1318 else 1319 return SECCLASS_RAWIP_SOCKET; 1320 case SOCK_DGRAM: 1321 if (default_protocol_dgram(protocol)) 1322 return SECCLASS_UDP_SOCKET; 1323 else if (extsockclass && (protocol == IPPROTO_ICMP || 1324 protocol == IPPROTO_ICMPV6)) 1325 return SECCLASS_ICMP_SOCKET; 1326 else 1327 return SECCLASS_RAWIP_SOCKET; 1328 case SOCK_DCCP: 1329 return SECCLASS_DCCP_SOCKET; 1330 default: 1331 return SECCLASS_RAWIP_SOCKET; 1332 } 1333 break; 1334 case PF_NETLINK: 1335 switch (protocol) { 1336 case NETLINK_ROUTE: 1337 return SECCLASS_NETLINK_ROUTE_SOCKET; 1338 case NETLINK_SOCK_DIAG: 1339 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1340 case NETLINK_NFLOG: 1341 return SECCLASS_NETLINK_NFLOG_SOCKET; 1342 case NETLINK_XFRM: 1343 return SECCLASS_NETLINK_XFRM_SOCKET; 1344 case NETLINK_SELINUX: 1345 return SECCLASS_NETLINK_SELINUX_SOCKET; 1346 case NETLINK_ISCSI: 1347 return SECCLASS_NETLINK_ISCSI_SOCKET; 1348 case NETLINK_AUDIT: 1349 return SECCLASS_NETLINK_AUDIT_SOCKET; 1350 case NETLINK_FIB_LOOKUP: 1351 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1352 case NETLINK_CONNECTOR: 1353 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1354 case NETLINK_NETFILTER: 1355 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1356 case NETLINK_DNRTMSG: 1357 return SECCLASS_NETLINK_DNRT_SOCKET; 1358 case NETLINK_KOBJECT_UEVENT: 1359 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1360 case NETLINK_GENERIC: 1361 return SECCLASS_NETLINK_GENERIC_SOCKET; 1362 case NETLINK_SCSITRANSPORT: 1363 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1364 case NETLINK_RDMA: 1365 return SECCLASS_NETLINK_RDMA_SOCKET; 1366 case NETLINK_CRYPTO: 1367 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1368 default: 1369 return SECCLASS_NETLINK_SOCKET; 1370 } 1371 case PF_PACKET: 1372 return SECCLASS_PACKET_SOCKET; 1373 case PF_KEY: 1374 return SECCLASS_KEY_SOCKET; 1375 case PF_APPLETALK: 1376 return SECCLASS_APPLETALK_SOCKET; 1377 } 1378 1379 if (extsockclass) { 1380 switch (family) { 1381 case PF_AX25: 1382 return SECCLASS_AX25_SOCKET; 1383 case PF_IPX: 1384 return SECCLASS_IPX_SOCKET; 1385 case PF_NETROM: 1386 return SECCLASS_NETROM_SOCKET; 1387 case PF_ATMPVC: 1388 return SECCLASS_ATMPVC_SOCKET; 1389 case PF_X25: 1390 return SECCLASS_X25_SOCKET; 1391 case PF_ROSE: 1392 return SECCLASS_ROSE_SOCKET; 1393 case PF_DECnet: 1394 return SECCLASS_DECNET_SOCKET; 1395 case PF_ATMSVC: 1396 return SECCLASS_ATMSVC_SOCKET; 1397 case PF_RDS: 1398 return SECCLASS_RDS_SOCKET; 1399 case PF_IRDA: 1400 return SECCLASS_IRDA_SOCKET; 1401 case PF_PPPOX: 1402 return SECCLASS_PPPOX_SOCKET; 1403 case PF_LLC: 1404 return SECCLASS_LLC_SOCKET; 1405 case PF_CAN: 1406 return SECCLASS_CAN_SOCKET; 1407 case PF_TIPC: 1408 return SECCLASS_TIPC_SOCKET; 1409 case PF_BLUETOOTH: 1410 return SECCLASS_BLUETOOTH_SOCKET; 1411 case PF_IUCV: 1412 return SECCLASS_IUCV_SOCKET; 1413 case PF_RXRPC: 1414 return SECCLASS_RXRPC_SOCKET; 1415 case PF_ISDN: 1416 return SECCLASS_ISDN_SOCKET; 1417 case PF_PHONET: 1418 return SECCLASS_PHONET_SOCKET; 1419 case PF_IEEE802154: 1420 return SECCLASS_IEEE802154_SOCKET; 1421 case PF_CAIF: 1422 return SECCLASS_CAIF_SOCKET; 1423 case PF_ALG: 1424 return SECCLASS_ALG_SOCKET; 1425 case PF_NFC: 1426 return SECCLASS_NFC_SOCKET; 1427 case PF_VSOCK: 1428 return SECCLASS_VSOCK_SOCKET; 1429 case PF_KCM: 1430 return SECCLASS_KCM_SOCKET; 1431 case PF_QIPCRTR: 1432 return SECCLASS_QIPCRTR_SOCKET; 1433 case PF_SMC: 1434 return SECCLASS_SMC_SOCKET; 1435 #if PF_MAX > 44 1436 #error New address family defined, please update this function. 1437 #endif 1438 } 1439 } 1440 1441 return SECCLASS_SOCKET; 1442 } 1443 1444 static int selinux_genfs_get_sid(struct dentry *dentry, 1445 u16 tclass, 1446 u16 flags, 1447 u32 *sid) 1448 { 1449 int rc; 1450 struct super_block *sb = dentry->d_sb; 1451 char *buffer, *path; 1452 1453 buffer = (char *)__get_free_page(GFP_KERNEL); 1454 if (!buffer) 1455 return -ENOMEM; 1456 1457 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1458 if (IS_ERR(path)) 1459 rc = PTR_ERR(path); 1460 else { 1461 if (flags & SE_SBPROC) { 1462 /* each process gets a /proc/PID/ entry. Strip off the 1463 * PID part to get a valid selinux labeling. 1464 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1465 while (path[1] >= '0' && path[1] <= '9') { 1466 path[1] = '/'; 1467 path++; 1468 } 1469 } 1470 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid); 1471 } 1472 free_page((unsigned long)buffer); 1473 return rc; 1474 } 1475 1476 /* The inode's security attributes must be initialized before first use. */ 1477 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1478 { 1479 struct superblock_security_struct *sbsec = NULL; 1480 struct inode_security_struct *isec = inode->i_security; 1481 u32 task_sid, sid = 0; 1482 u16 sclass; 1483 struct dentry *dentry; 1484 #define INITCONTEXTLEN 255 1485 char *context = NULL; 1486 unsigned len = 0; 1487 int rc = 0; 1488 1489 if (isec->initialized == LABEL_INITIALIZED) 1490 return 0; 1491 1492 spin_lock(&isec->lock); 1493 if (isec->initialized == LABEL_INITIALIZED) 1494 goto out_unlock; 1495 1496 if (isec->sclass == SECCLASS_FILE) 1497 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1498 1499 sbsec = inode->i_sb->s_security; 1500 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1501 /* Defer initialization until selinux_complete_init, 1502 after the initial policy is loaded and the security 1503 server is ready to handle calls. */ 1504 spin_lock(&sbsec->isec_lock); 1505 if (list_empty(&isec->list)) 1506 list_add(&isec->list, &sbsec->isec_head); 1507 spin_unlock(&sbsec->isec_lock); 1508 goto out_unlock; 1509 } 1510 1511 sclass = isec->sclass; 1512 task_sid = isec->task_sid; 1513 sid = isec->sid; 1514 isec->initialized = LABEL_PENDING; 1515 spin_unlock(&isec->lock); 1516 1517 switch (sbsec->behavior) { 1518 case SECURITY_FS_USE_NATIVE: 1519 break; 1520 case SECURITY_FS_USE_XATTR: 1521 if (!(inode->i_opflags & IOP_XATTR)) { 1522 sid = sbsec->def_sid; 1523 break; 1524 } 1525 /* Need a dentry, since the xattr API requires one. 1526 Life would be simpler if we could just pass the inode. */ 1527 if (opt_dentry) { 1528 /* Called from d_instantiate or d_splice_alias. */ 1529 dentry = dget(opt_dentry); 1530 } else { 1531 /* Called from selinux_complete_init, try to find a dentry. */ 1532 dentry = d_find_alias(inode); 1533 } 1534 if (!dentry) { 1535 /* 1536 * this is can be hit on boot when a file is accessed 1537 * before the policy is loaded. When we load policy we 1538 * may find inodes that have no dentry on the 1539 * sbsec->isec_head list. No reason to complain as these 1540 * will get fixed up the next time we go through 1541 * inode_doinit with a dentry, before these inodes could 1542 * be used again by userspace. 1543 */ 1544 goto out; 1545 } 1546 1547 len = INITCONTEXTLEN; 1548 context = kmalloc(len+1, GFP_NOFS); 1549 if (!context) { 1550 rc = -ENOMEM; 1551 dput(dentry); 1552 goto out; 1553 } 1554 context[len] = '\0'; 1555 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1556 if (rc == -ERANGE) { 1557 kfree(context); 1558 1559 /* Need a larger buffer. Query for the right size. */ 1560 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1561 if (rc < 0) { 1562 dput(dentry); 1563 goto out; 1564 } 1565 len = rc; 1566 context = kmalloc(len+1, GFP_NOFS); 1567 if (!context) { 1568 rc = -ENOMEM; 1569 dput(dentry); 1570 goto out; 1571 } 1572 context[len] = '\0'; 1573 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1574 } 1575 dput(dentry); 1576 if (rc < 0) { 1577 if (rc != -ENODATA) { 1578 printk(KERN_WARNING "SELinux: %s: getxattr returned " 1579 "%d for dev=%s ino=%ld\n", __func__, 1580 -rc, inode->i_sb->s_id, inode->i_ino); 1581 kfree(context); 1582 goto out; 1583 } 1584 /* Map ENODATA to the default file SID */ 1585 sid = sbsec->def_sid; 1586 rc = 0; 1587 } else { 1588 rc = security_context_to_sid_default(context, rc, &sid, 1589 sbsec->def_sid, 1590 GFP_NOFS); 1591 if (rc) { 1592 char *dev = inode->i_sb->s_id; 1593 unsigned long ino = inode->i_ino; 1594 1595 if (rc == -EINVAL) { 1596 if (printk_ratelimit()) 1597 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " 1598 "context=%s. This indicates you may need to relabel the inode or the " 1599 "filesystem in question.\n", ino, dev, context); 1600 } else { 1601 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1602 "returned %d for dev=%s ino=%ld\n", 1603 __func__, context, -rc, dev, ino); 1604 } 1605 kfree(context); 1606 /* Leave with the unlabeled SID */ 1607 rc = 0; 1608 break; 1609 } 1610 } 1611 kfree(context); 1612 break; 1613 case SECURITY_FS_USE_TASK: 1614 sid = task_sid; 1615 break; 1616 case SECURITY_FS_USE_TRANS: 1617 /* Default to the fs SID. */ 1618 sid = sbsec->sid; 1619 1620 /* Try to obtain a transition SID. */ 1621 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid); 1622 if (rc) 1623 goto out; 1624 break; 1625 case SECURITY_FS_USE_MNTPOINT: 1626 sid = sbsec->mntpoint_sid; 1627 break; 1628 default: 1629 /* Default to the fs superblock SID. */ 1630 sid = sbsec->sid; 1631 1632 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { 1633 /* We must have a dentry to determine the label on 1634 * procfs inodes */ 1635 if (opt_dentry) 1636 /* Called from d_instantiate or 1637 * d_splice_alias. */ 1638 dentry = dget(opt_dentry); 1639 else 1640 /* Called from selinux_complete_init, try to 1641 * find a dentry. */ 1642 dentry = d_find_alias(inode); 1643 /* 1644 * This can be hit on boot when a file is accessed 1645 * before the policy is loaded. When we load policy we 1646 * may find inodes that have no dentry on the 1647 * sbsec->isec_head list. No reason to complain as 1648 * these will get fixed up the next time we go through 1649 * inode_doinit() with a dentry, before these inodes 1650 * could be used again by userspace. 1651 */ 1652 if (!dentry) 1653 goto out; 1654 rc = selinux_genfs_get_sid(dentry, sclass, 1655 sbsec->flags, &sid); 1656 dput(dentry); 1657 if (rc) 1658 goto out; 1659 } 1660 break; 1661 } 1662 1663 out: 1664 spin_lock(&isec->lock); 1665 if (isec->initialized == LABEL_PENDING) { 1666 if (!sid || rc) { 1667 isec->initialized = LABEL_INVALID; 1668 goto out_unlock; 1669 } 1670 1671 isec->initialized = LABEL_INITIALIZED; 1672 isec->sid = sid; 1673 } 1674 1675 out_unlock: 1676 spin_unlock(&isec->lock); 1677 return rc; 1678 } 1679 1680 /* Convert a Linux signal to an access vector. */ 1681 static inline u32 signal_to_av(int sig) 1682 { 1683 u32 perm = 0; 1684 1685 switch (sig) { 1686 case SIGCHLD: 1687 /* Commonly granted from child to parent. */ 1688 perm = PROCESS__SIGCHLD; 1689 break; 1690 case SIGKILL: 1691 /* Cannot be caught or ignored */ 1692 perm = PROCESS__SIGKILL; 1693 break; 1694 case SIGSTOP: 1695 /* Cannot be caught or ignored */ 1696 perm = PROCESS__SIGSTOP; 1697 break; 1698 default: 1699 /* All other signals. */ 1700 perm = PROCESS__SIGNAL; 1701 break; 1702 } 1703 1704 return perm; 1705 } 1706 1707 #if CAP_LAST_CAP > 63 1708 #error Fix SELinux to handle capabilities > 63. 1709 #endif 1710 1711 /* Check whether a task is allowed to use a capability. */ 1712 static int cred_has_capability(const struct cred *cred, 1713 int cap, int audit, bool initns) 1714 { 1715 struct common_audit_data ad; 1716 struct av_decision avd; 1717 u16 sclass; 1718 u32 sid = cred_sid(cred); 1719 u32 av = CAP_TO_MASK(cap); 1720 int rc; 1721 1722 ad.type = LSM_AUDIT_DATA_CAP; 1723 ad.u.cap = cap; 1724 1725 switch (CAP_TO_INDEX(cap)) { 1726 case 0: 1727 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1728 break; 1729 case 1: 1730 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1731 break; 1732 default: 1733 printk(KERN_ERR 1734 "SELinux: out of range capability %d\n", cap); 1735 BUG(); 1736 return -EINVAL; 1737 } 1738 1739 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1740 if (audit == SECURITY_CAP_AUDIT) { 1741 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); 1742 if (rc2) 1743 return rc2; 1744 } 1745 return rc; 1746 } 1747 1748 /* Check whether a task has a particular permission to an inode. 1749 The 'adp' parameter is optional and allows other audit 1750 data to be passed (e.g. the dentry). */ 1751 static int inode_has_perm(const struct cred *cred, 1752 struct inode *inode, 1753 u32 perms, 1754 struct common_audit_data *adp) 1755 { 1756 struct inode_security_struct *isec; 1757 u32 sid; 1758 1759 validate_creds(cred); 1760 1761 if (unlikely(IS_PRIVATE(inode))) 1762 return 0; 1763 1764 sid = cred_sid(cred); 1765 isec = inode->i_security; 1766 1767 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1768 } 1769 1770 /* Same as inode_has_perm, but pass explicit audit data containing 1771 the dentry to help the auditing code to more easily generate the 1772 pathname if needed. */ 1773 static inline int dentry_has_perm(const struct cred *cred, 1774 struct dentry *dentry, 1775 u32 av) 1776 { 1777 struct inode *inode = d_backing_inode(dentry); 1778 struct common_audit_data ad; 1779 1780 ad.type = LSM_AUDIT_DATA_DENTRY; 1781 ad.u.dentry = dentry; 1782 __inode_security_revalidate(inode, dentry, true); 1783 return inode_has_perm(cred, inode, av, &ad); 1784 } 1785 1786 /* Same as inode_has_perm, but pass explicit audit data containing 1787 the path to help the auditing code to more easily generate the 1788 pathname if needed. */ 1789 static inline int path_has_perm(const struct cred *cred, 1790 const struct path *path, 1791 u32 av) 1792 { 1793 struct inode *inode = d_backing_inode(path->dentry); 1794 struct common_audit_data ad; 1795 1796 ad.type = LSM_AUDIT_DATA_PATH; 1797 ad.u.path = *path; 1798 __inode_security_revalidate(inode, path->dentry, true); 1799 return inode_has_perm(cred, inode, av, &ad); 1800 } 1801 1802 /* Same as path_has_perm, but uses the inode from the file struct. */ 1803 static inline int file_path_has_perm(const struct cred *cred, 1804 struct file *file, 1805 u32 av) 1806 { 1807 struct common_audit_data ad; 1808 1809 ad.type = LSM_AUDIT_DATA_FILE; 1810 ad.u.file = file; 1811 return inode_has_perm(cred, file_inode(file), av, &ad); 1812 } 1813 1814 /* Check whether a task can use an open file descriptor to 1815 access an inode in a given way. Check access to the 1816 descriptor itself, and then use dentry_has_perm to 1817 check a particular permission to the file. 1818 Access to the descriptor is implicitly granted if it 1819 has the same SID as the process. If av is zero, then 1820 access to the file is not checked, e.g. for cases 1821 where only the descriptor is affected like seek. */ 1822 static int file_has_perm(const struct cred *cred, 1823 struct file *file, 1824 u32 av) 1825 { 1826 struct file_security_struct *fsec = file->f_security; 1827 struct inode *inode = file_inode(file); 1828 struct common_audit_data ad; 1829 u32 sid = cred_sid(cred); 1830 int rc; 1831 1832 ad.type = LSM_AUDIT_DATA_FILE; 1833 ad.u.file = file; 1834 1835 if (sid != fsec->sid) { 1836 rc = avc_has_perm(sid, fsec->sid, 1837 SECCLASS_FD, 1838 FD__USE, 1839 &ad); 1840 if (rc) 1841 goto out; 1842 } 1843 1844 /* av is zero if only checking access to the descriptor. */ 1845 rc = 0; 1846 if (av) 1847 rc = inode_has_perm(cred, inode, av, &ad); 1848 1849 out: 1850 return rc; 1851 } 1852 1853 /* 1854 * Determine the label for an inode that might be unioned. 1855 */ 1856 static int 1857 selinux_determine_inode_label(const struct task_security_struct *tsec, 1858 struct inode *dir, 1859 const struct qstr *name, u16 tclass, 1860 u32 *_new_isid) 1861 { 1862 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1863 1864 if ((sbsec->flags & SE_SBINITIALIZED) && 1865 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1866 *_new_isid = sbsec->mntpoint_sid; 1867 } else if ((sbsec->flags & SBLABEL_MNT) && 1868 tsec->create_sid) { 1869 *_new_isid = tsec->create_sid; 1870 } else { 1871 const struct inode_security_struct *dsec = inode_security(dir); 1872 return security_transition_sid(tsec->sid, dsec->sid, tclass, 1873 name, _new_isid); 1874 } 1875 1876 return 0; 1877 } 1878 1879 /* Check whether a task can create a file. */ 1880 static int may_create(struct inode *dir, 1881 struct dentry *dentry, 1882 u16 tclass) 1883 { 1884 const struct task_security_struct *tsec = current_security(); 1885 struct inode_security_struct *dsec; 1886 struct superblock_security_struct *sbsec; 1887 u32 sid, newsid; 1888 struct common_audit_data ad; 1889 int rc; 1890 1891 dsec = inode_security(dir); 1892 sbsec = dir->i_sb->s_security; 1893 1894 sid = tsec->sid; 1895 1896 ad.type = LSM_AUDIT_DATA_DENTRY; 1897 ad.u.dentry = dentry; 1898 1899 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1900 DIR__ADD_NAME | DIR__SEARCH, 1901 &ad); 1902 if (rc) 1903 return rc; 1904 1905 rc = selinux_determine_inode_label(current_security(), dir, 1906 &dentry->d_name, tclass, &newsid); 1907 if (rc) 1908 return rc; 1909 1910 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1911 if (rc) 1912 return rc; 1913 1914 return avc_has_perm(newsid, sbsec->sid, 1915 SECCLASS_FILESYSTEM, 1916 FILESYSTEM__ASSOCIATE, &ad); 1917 } 1918 1919 #define MAY_LINK 0 1920 #define MAY_UNLINK 1 1921 #define MAY_RMDIR 2 1922 1923 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1924 static int may_link(struct inode *dir, 1925 struct dentry *dentry, 1926 int kind) 1927 1928 { 1929 struct inode_security_struct *dsec, *isec; 1930 struct common_audit_data ad; 1931 u32 sid = current_sid(); 1932 u32 av; 1933 int rc; 1934 1935 dsec = inode_security(dir); 1936 isec = backing_inode_security(dentry); 1937 1938 ad.type = LSM_AUDIT_DATA_DENTRY; 1939 ad.u.dentry = dentry; 1940 1941 av = DIR__SEARCH; 1942 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1943 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1944 if (rc) 1945 return rc; 1946 1947 switch (kind) { 1948 case MAY_LINK: 1949 av = FILE__LINK; 1950 break; 1951 case MAY_UNLINK: 1952 av = FILE__UNLINK; 1953 break; 1954 case MAY_RMDIR: 1955 av = DIR__RMDIR; 1956 break; 1957 default: 1958 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", 1959 __func__, kind); 1960 return 0; 1961 } 1962 1963 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1964 return rc; 1965 } 1966 1967 static inline int may_rename(struct inode *old_dir, 1968 struct dentry *old_dentry, 1969 struct inode *new_dir, 1970 struct dentry *new_dentry) 1971 { 1972 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1973 struct common_audit_data ad; 1974 u32 sid = current_sid(); 1975 u32 av; 1976 int old_is_dir, new_is_dir; 1977 int rc; 1978 1979 old_dsec = inode_security(old_dir); 1980 old_isec = backing_inode_security(old_dentry); 1981 old_is_dir = d_is_dir(old_dentry); 1982 new_dsec = inode_security(new_dir); 1983 1984 ad.type = LSM_AUDIT_DATA_DENTRY; 1985 1986 ad.u.dentry = old_dentry; 1987 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1988 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1989 if (rc) 1990 return rc; 1991 rc = avc_has_perm(sid, old_isec->sid, 1992 old_isec->sclass, FILE__RENAME, &ad); 1993 if (rc) 1994 return rc; 1995 if (old_is_dir && new_dir != old_dir) { 1996 rc = avc_has_perm(sid, old_isec->sid, 1997 old_isec->sclass, DIR__REPARENT, &ad); 1998 if (rc) 1999 return rc; 2000 } 2001 2002 ad.u.dentry = new_dentry; 2003 av = DIR__ADD_NAME | DIR__SEARCH; 2004 if (d_is_positive(new_dentry)) 2005 av |= DIR__REMOVE_NAME; 2006 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 2007 if (rc) 2008 return rc; 2009 if (d_is_positive(new_dentry)) { 2010 new_isec = backing_inode_security(new_dentry); 2011 new_is_dir = d_is_dir(new_dentry); 2012 rc = avc_has_perm(sid, new_isec->sid, 2013 new_isec->sclass, 2014 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 2015 if (rc) 2016 return rc; 2017 } 2018 2019 return 0; 2020 } 2021 2022 /* Check whether a task can perform a filesystem operation. */ 2023 static int superblock_has_perm(const struct cred *cred, 2024 struct super_block *sb, 2025 u32 perms, 2026 struct common_audit_data *ad) 2027 { 2028 struct superblock_security_struct *sbsec; 2029 u32 sid = cred_sid(cred); 2030 2031 sbsec = sb->s_security; 2032 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 2033 } 2034 2035 /* Convert a Linux mode and permission mask to an access vector. */ 2036 static inline u32 file_mask_to_av(int mode, int mask) 2037 { 2038 u32 av = 0; 2039 2040 if (!S_ISDIR(mode)) { 2041 if (mask & MAY_EXEC) 2042 av |= FILE__EXECUTE; 2043 if (mask & MAY_READ) 2044 av |= FILE__READ; 2045 2046 if (mask & MAY_APPEND) 2047 av |= FILE__APPEND; 2048 else if (mask & MAY_WRITE) 2049 av |= FILE__WRITE; 2050 2051 } else { 2052 if (mask & MAY_EXEC) 2053 av |= DIR__SEARCH; 2054 if (mask & MAY_WRITE) 2055 av |= DIR__WRITE; 2056 if (mask & MAY_READ) 2057 av |= DIR__READ; 2058 } 2059 2060 return av; 2061 } 2062 2063 /* Convert a Linux file to an access vector. */ 2064 static inline u32 file_to_av(struct file *file) 2065 { 2066 u32 av = 0; 2067 2068 if (file->f_mode & FMODE_READ) 2069 av |= FILE__READ; 2070 if (file->f_mode & FMODE_WRITE) { 2071 if (file->f_flags & O_APPEND) 2072 av |= FILE__APPEND; 2073 else 2074 av |= FILE__WRITE; 2075 } 2076 if (!av) { 2077 /* 2078 * Special file opened with flags 3 for ioctl-only use. 2079 */ 2080 av = FILE__IOCTL; 2081 } 2082 2083 return av; 2084 } 2085 2086 /* 2087 * Convert a file to an access vector and include the correct open 2088 * open permission. 2089 */ 2090 static inline u32 open_file_to_av(struct file *file) 2091 { 2092 u32 av = file_to_av(file); 2093 struct inode *inode = file_inode(file); 2094 2095 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC) 2096 av |= FILE__OPEN; 2097 2098 return av; 2099 } 2100 2101 /* Hook functions begin here. */ 2102 2103 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2104 { 2105 u32 mysid = current_sid(); 2106 u32 mgrsid = task_sid(mgr); 2107 2108 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, 2109 BINDER__SET_CONTEXT_MGR, NULL); 2110 } 2111 2112 static int selinux_binder_transaction(struct task_struct *from, 2113 struct task_struct *to) 2114 { 2115 u32 mysid = current_sid(); 2116 u32 fromsid = task_sid(from); 2117 u32 tosid = task_sid(to); 2118 int rc; 2119 2120 if (mysid != fromsid) { 2121 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2122 BINDER__IMPERSONATE, NULL); 2123 if (rc) 2124 return rc; 2125 } 2126 2127 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2128 NULL); 2129 } 2130 2131 static int selinux_binder_transfer_binder(struct task_struct *from, 2132 struct task_struct *to) 2133 { 2134 u32 fromsid = task_sid(from); 2135 u32 tosid = task_sid(to); 2136 2137 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2138 NULL); 2139 } 2140 2141 static int selinux_binder_transfer_file(struct task_struct *from, 2142 struct task_struct *to, 2143 struct file *file) 2144 { 2145 u32 sid = task_sid(to); 2146 struct file_security_struct *fsec = file->f_security; 2147 struct dentry *dentry = file->f_path.dentry; 2148 struct inode_security_struct *isec; 2149 struct common_audit_data ad; 2150 int rc; 2151 2152 ad.type = LSM_AUDIT_DATA_PATH; 2153 ad.u.path = file->f_path; 2154 2155 if (sid != fsec->sid) { 2156 rc = avc_has_perm(sid, fsec->sid, 2157 SECCLASS_FD, 2158 FD__USE, 2159 &ad); 2160 if (rc) 2161 return rc; 2162 } 2163 2164 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2165 return 0; 2166 2167 isec = backing_inode_security(dentry); 2168 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2169 &ad); 2170 } 2171 2172 static int selinux_ptrace_access_check(struct task_struct *child, 2173 unsigned int mode) 2174 { 2175 u32 sid = current_sid(); 2176 u32 csid = task_sid(child); 2177 2178 if (mode & PTRACE_MODE_READ) 2179 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2180 2181 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2182 } 2183 2184 static int selinux_ptrace_traceme(struct task_struct *parent) 2185 { 2186 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS, 2187 PROCESS__PTRACE, NULL); 2188 } 2189 2190 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2191 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2192 { 2193 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS, 2194 PROCESS__GETCAP, NULL); 2195 } 2196 2197 static int selinux_capset(struct cred *new, const struct cred *old, 2198 const kernel_cap_t *effective, 2199 const kernel_cap_t *inheritable, 2200 const kernel_cap_t *permitted) 2201 { 2202 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2203 PROCESS__SETCAP, NULL); 2204 } 2205 2206 /* 2207 * (This comment used to live with the selinux_task_setuid hook, 2208 * which was removed). 2209 * 2210 * Since setuid only affects the current process, and since the SELinux 2211 * controls are not based on the Linux identity attributes, SELinux does not 2212 * need to control this operation. However, SELinux does control the use of 2213 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2214 */ 2215 2216 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2217 int cap, int audit) 2218 { 2219 return cred_has_capability(cred, cap, audit, ns == &init_user_ns); 2220 } 2221 2222 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2223 { 2224 const struct cred *cred = current_cred(); 2225 int rc = 0; 2226 2227 if (!sb) 2228 return 0; 2229 2230 switch (cmds) { 2231 case Q_SYNC: 2232 case Q_QUOTAON: 2233 case Q_QUOTAOFF: 2234 case Q_SETINFO: 2235 case Q_SETQUOTA: 2236 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2237 break; 2238 case Q_GETFMT: 2239 case Q_GETINFO: 2240 case Q_GETQUOTA: 2241 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2242 break; 2243 default: 2244 rc = 0; /* let the kernel handle invalid cmds */ 2245 break; 2246 } 2247 return rc; 2248 } 2249 2250 static int selinux_quota_on(struct dentry *dentry) 2251 { 2252 const struct cred *cred = current_cred(); 2253 2254 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2255 } 2256 2257 static int selinux_syslog(int type) 2258 { 2259 switch (type) { 2260 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2261 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2262 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2263 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2264 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2265 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2266 /* Set level of messages printed to console */ 2267 case SYSLOG_ACTION_CONSOLE_LEVEL: 2268 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2269 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2270 NULL); 2271 } 2272 /* All other syslog types */ 2273 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2274 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2275 } 2276 2277 /* 2278 * Check that a process has enough memory to allocate a new virtual 2279 * mapping. 0 means there is enough memory for the allocation to 2280 * succeed and -ENOMEM implies there is not. 2281 * 2282 * Do not audit the selinux permission check, as this is applied to all 2283 * processes that allocate mappings. 2284 */ 2285 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2286 { 2287 int rc, cap_sys_admin = 0; 2288 2289 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2290 SECURITY_CAP_NOAUDIT, true); 2291 if (rc == 0) 2292 cap_sys_admin = 1; 2293 2294 return cap_sys_admin; 2295 } 2296 2297 /* binprm security operations */ 2298 2299 static u32 ptrace_parent_sid(void) 2300 { 2301 u32 sid = 0; 2302 struct task_struct *tracer; 2303 2304 rcu_read_lock(); 2305 tracer = ptrace_parent(current); 2306 if (tracer) 2307 sid = task_sid(tracer); 2308 rcu_read_unlock(); 2309 2310 return sid; 2311 } 2312 2313 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2314 const struct task_security_struct *old_tsec, 2315 const struct task_security_struct *new_tsec) 2316 { 2317 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2318 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2319 int rc; 2320 2321 if (!nnp && !nosuid) 2322 return 0; /* neither NNP nor nosuid */ 2323 2324 if (new_tsec->sid == old_tsec->sid) 2325 return 0; /* No change in credentials */ 2326 2327 /* 2328 * The only transitions we permit under NNP or nosuid 2329 * are transitions to bounded SIDs, i.e. SIDs that are 2330 * guaranteed to only be allowed a subset of the permissions 2331 * of the current SID. 2332 */ 2333 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); 2334 if (rc) { 2335 /* 2336 * On failure, preserve the errno values for NNP vs nosuid. 2337 * NNP: Operation not permitted for caller. 2338 * nosuid: Permission denied to file. 2339 */ 2340 if (nnp) 2341 return -EPERM; 2342 else 2343 return -EACCES; 2344 } 2345 return 0; 2346 } 2347 2348 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2349 { 2350 const struct task_security_struct *old_tsec; 2351 struct task_security_struct *new_tsec; 2352 struct inode_security_struct *isec; 2353 struct common_audit_data ad; 2354 struct inode *inode = file_inode(bprm->file); 2355 int rc; 2356 2357 /* SELinux context only depends on initial program or script and not 2358 * the script interpreter */ 2359 if (bprm->called_set_creds) 2360 return 0; 2361 2362 old_tsec = current_security(); 2363 new_tsec = bprm->cred->security; 2364 isec = inode_security(inode); 2365 2366 /* Default to the current task SID. */ 2367 new_tsec->sid = old_tsec->sid; 2368 new_tsec->osid = old_tsec->sid; 2369 2370 /* Reset fs, key, and sock SIDs on execve. */ 2371 new_tsec->create_sid = 0; 2372 new_tsec->keycreate_sid = 0; 2373 new_tsec->sockcreate_sid = 0; 2374 2375 if (old_tsec->exec_sid) { 2376 new_tsec->sid = old_tsec->exec_sid; 2377 /* Reset exec SID on execve. */ 2378 new_tsec->exec_sid = 0; 2379 2380 /* Fail on NNP or nosuid if not an allowed transition. */ 2381 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2382 if (rc) 2383 return rc; 2384 } else { 2385 /* Check for a default transition on this program. */ 2386 rc = security_transition_sid(old_tsec->sid, isec->sid, 2387 SECCLASS_PROCESS, NULL, 2388 &new_tsec->sid); 2389 if (rc) 2390 return rc; 2391 2392 /* 2393 * Fallback to old SID on NNP or nosuid if not an allowed 2394 * transition. 2395 */ 2396 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2397 if (rc) 2398 new_tsec->sid = old_tsec->sid; 2399 } 2400 2401 ad.type = LSM_AUDIT_DATA_FILE; 2402 ad.u.file = bprm->file; 2403 2404 if (new_tsec->sid == old_tsec->sid) { 2405 rc = avc_has_perm(old_tsec->sid, isec->sid, 2406 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2407 if (rc) 2408 return rc; 2409 } else { 2410 /* Check permissions for the transition. */ 2411 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2412 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2413 if (rc) 2414 return rc; 2415 2416 rc = avc_has_perm(new_tsec->sid, isec->sid, 2417 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2418 if (rc) 2419 return rc; 2420 2421 /* Check for shared state */ 2422 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2423 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2424 SECCLASS_PROCESS, PROCESS__SHARE, 2425 NULL); 2426 if (rc) 2427 return -EPERM; 2428 } 2429 2430 /* Make sure that anyone attempting to ptrace over a task that 2431 * changes its SID has the appropriate permit */ 2432 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2433 u32 ptsid = ptrace_parent_sid(); 2434 if (ptsid != 0) { 2435 rc = avc_has_perm(ptsid, new_tsec->sid, 2436 SECCLASS_PROCESS, 2437 PROCESS__PTRACE, NULL); 2438 if (rc) 2439 return -EPERM; 2440 } 2441 } 2442 2443 /* Clear any possibly unsafe personality bits on exec: */ 2444 bprm->per_clear |= PER_CLEAR_ON_SETID; 2445 2446 /* Enable secure mode for SIDs transitions unless 2447 the noatsecure permission is granted between 2448 the two SIDs, i.e. ahp returns 0. */ 2449 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2450 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2451 NULL); 2452 bprm->secureexec |= !!rc; 2453 } 2454 2455 return 0; 2456 } 2457 2458 static int match_file(const void *p, struct file *file, unsigned fd) 2459 { 2460 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2461 } 2462 2463 /* Derived from fs/exec.c:flush_old_files. */ 2464 static inline void flush_unauthorized_files(const struct cred *cred, 2465 struct files_struct *files) 2466 { 2467 struct file *file, *devnull = NULL; 2468 struct tty_struct *tty; 2469 int drop_tty = 0; 2470 unsigned n; 2471 2472 tty = get_current_tty(); 2473 if (tty) { 2474 spin_lock(&tty->files_lock); 2475 if (!list_empty(&tty->tty_files)) { 2476 struct tty_file_private *file_priv; 2477 2478 /* Revalidate access to controlling tty. 2479 Use file_path_has_perm on the tty path directly 2480 rather than using file_has_perm, as this particular 2481 open file may belong to another process and we are 2482 only interested in the inode-based check here. */ 2483 file_priv = list_first_entry(&tty->tty_files, 2484 struct tty_file_private, list); 2485 file = file_priv->file; 2486 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2487 drop_tty = 1; 2488 } 2489 spin_unlock(&tty->files_lock); 2490 tty_kref_put(tty); 2491 } 2492 /* Reset controlling tty. */ 2493 if (drop_tty) 2494 no_tty(); 2495 2496 /* Revalidate access to inherited open files. */ 2497 n = iterate_fd(files, 0, match_file, cred); 2498 if (!n) /* none found? */ 2499 return; 2500 2501 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2502 if (IS_ERR(devnull)) 2503 devnull = NULL; 2504 /* replace all the matching ones with this */ 2505 do { 2506 replace_fd(n - 1, devnull, 0); 2507 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2508 if (devnull) 2509 fput(devnull); 2510 } 2511 2512 /* 2513 * Prepare a process for imminent new credential changes due to exec 2514 */ 2515 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2516 { 2517 struct task_security_struct *new_tsec; 2518 struct rlimit *rlim, *initrlim; 2519 int rc, i; 2520 2521 new_tsec = bprm->cred->security; 2522 if (new_tsec->sid == new_tsec->osid) 2523 return; 2524 2525 /* Close files for which the new task SID is not authorized. */ 2526 flush_unauthorized_files(bprm->cred, current->files); 2527 2528 /* Always clear parent death signal on SID transitions. */ 2529 current->pdeath_signal = 0; 2530 2531 /* Check whether the new SID can inherit resource limits from the old 2532 * SID. If not, reset all soft limits to the lower of the current 2533 * task's hard limit and the init task's soft limit. 2534 * 2535 * Note that the setting of hard limits (even to lower them) can be 2536 * controlled by the setrlimit check. The inclusion of the init task's 2537 * soft limit into the computation is to avoid resetting soft limits 2538 * higher than the default soft limit for cases where the default is 2539 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2540 */ 2541 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2542 PROCESS__RLIMITINH, NULL); 2543 if (rc) { 2544 /* protect against do_prlimit() */ 2545 task_lock(current); 2546 for (i = 0; i < RLIM_NLIMITS; i++) { 2547 rlim = current->signal->rlim + i; 2548 initrlim = init_task.signal->rlim + i; 2549 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2550 } 2551 task_unlock(current); 2552 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2553 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2554 } 2555 } 2556 2557 /* 2558 * Clean up the process immediately after the installation of new credentials 2559 * due to exec 2560 */ 2561 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2562 { 2563 const struct task_security_struct *tsec = current_security(); 2564 struct itimerval itimer; 2565 u32 osid, sid; 2566 int rc, i; 2567 2568 osid = tsec->osid; 2569 sid = tsec->sid; 2570 2571 if (sid == osid) 2572 return; 2573 2574 /* Check whether the new SID can inherit signal state from the old SID. 2575 * If not, clear itimers to avoid subsequent signal generation and 2576 * flush and unblock signals. 2577 * 2578 * This must occur _after_ the task SID has been updated so that any 2579 * kill done after the flush will be checked against the new SID. 2580 */ 2581 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2582 if (rc) { 2583 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2584 memset(&itimer, 0, sizeof itimer); 2585 for (i = 0; i < 3; i++) 2586 do_setitimer(i, &itimer, NULL); 2587 } 2588 spin_lock_irq(¤t->sighand->siglock); 2589 if (!fatal_signal_pending(current)) { 2590 flush_sigqueue(¤t->pending); 2591 flush_sigqueue(¤t->signal->shared_pending); 2592 flush_signal_handlers(current, 1); 2593 sigemptyset(¤t->blocked); 2594 recalc_sigpending(); 2595 } 2596 spin_unlock_irq(¤t->sighand->siglock); 2597 } 2598 2599 /* Wake up the parent if it is waiting so that it can recheck 2600 * wait permission to the new task SID. */ 2601 read_lock(&tasklist_lock); 2602 __wake_up_parent(current, current->real_parent); 2603 read_unlock(&tasklist_lock); 2604 } 2605 2606 /* superblock security operations */ 2607 2608 static int selinux_sb_alloc_security(struct super_block *sb) 2609 { 2610 return superblock_alloc_security(sb); 2611 } 2612 2613 static void selinux_sb_free_security(struct super_block *sb) 2614 { 2615 superblock_free_security(sb); 2616 } 2617 2618 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2619 { 2620 if (plen > olen) 2621 return 0; 2622 2623 return !memcmp(prefix, option, plen); 2624 } 2625 2626 static inline int selinux_option(char *option, int len) 2627 { 2628 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2629 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2630 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2631 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || 2632 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); 2633 } 2634 2635 static inline void take_option(char **to, char *from, int *first, int len) 2636 { 2637 if (!*first) { 2638 **to = ','; 2639 *to += 1; 2640 } else 2641 *first = 0; 2642 memcpy(*to, from, len); 2643 *to += len; 2644 } 2645 2646 static inline void take_selinux_option(char **to, char *from, int *first, 2647 int len) 2648 { 2649 int current_size = 0; 2650 2651 if (!*first) { 2652 **to = '|'; 2653 *to += 1; 2654 } else 2655 *first = 0; 2656 2657 while (current_size < len) { 2658 if (*from != '"') { 2659 **to = *from; 2660 *to += 1; 2661 } 2662 from += 1; 2663 current_size += 1; 2664 } 2665 } 2666 2667 static int selinux_sb_copy_data(char *orig, char *copy) 2668 { 2669 int fnosec, fsec, rc = 0; 2670 char *in_save, *in_curr, *in_end; 2671 char *sec_curr, *nosec_save, *nosec; 2672 int open_quote = 0; 2673 2674 in_curr = orig; 2675 sec_curr = copy; 2676 2677 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2678 if (!nosec) { 2679 rc = -ENOMEM; 2680 goto out; 2681 } 2682 2683 nosec_save = nosec; 2684 fnosec = fsec = 1; 2685 in_save = in_end = orig; 2686 2687 do { 2688 if (*in_end == '"') 2689 open_quote = !open_quote; 2690 if ((*in_end == ',' && open_quote == 0) || 2691 *in_end == '\0') { 2692 int len = in_end - in_curr; 2693 2694 if (selinux_option(in_curr, len)) 2695 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2696 else 2697 take_option(&nosec, in_curr, &fnosec, len); 2698 2699 in_curr = in_end + 1; 2700 } 2701 } while (*in_end++); 2702 2703 strcpy(in_save, nosec_save); 2704 free_page((unsigned long)nosec_save); 2705 out: 2706 return rc; 2707 } 2708 2709 static int selinux_sb_remount(struct super_block *sb, void *data) 2710 { 2711 int rc, i, *flags; 2712 struct security_mnt_opts opts; 2713 char *secdata, **mount_options; 2714 struct superblock_security_struct *sbsec = sb->s_security; 2715 2716 if (!(sbsec->flags & SE_SBINITIALIZED)) 2717 return 0; 2718 2719 if (!data) 2720 return 0; 2721 2722 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 2723 return 0; 2724 2725 security_init_mnt_opts(&opts); 2726 secdata = alloc_secdata(); 2727 if (!secdata) 2728 return -ENOMEM; 2729 rc = selinux_sb_copy_data(data, secdata); 2730 if (rc) 2731 goto out_free_secdata; 2732 2733 rc = selinux_parse_opts_str(secdata, &opts); 2734 if (rc) 2735 goto out_free_secdata; 2736 2737 mount_options = opts.mnt_opts; 2738 flags = opts.mnt_opts_flags; 2739 2740 for (i = 0; i < opts.num_mnt_opts; i++) { 2741 u32 sid; 2742 2743 if (flags[i] == SBLABEL_MNT) 2744 continue; 2745 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 2746 if (rc) { 2747 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 2748 "(%s) failed for (dev %s, type %s) errno=%d\n", 2749 mount_options[i], sb->s_id, sb->s_type->name, rc); 2750 goto out_free_opts; 2751 } 2752 rc = -EINVAL; 2753 switch (flags[i]) { 2754 case FSCONTEXT_MNT: 2755 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2756 goto out_bad_option; 2757 break; 2758 case CONTEXT_MNT: 2759 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2760 goto out_bad_option; 2761 break; 2762 case ROOTCONTEXT_MNT: { 2763 struct inode_security_struct *root_isec; 2764 root_isec = backing_inode_security(sb->s_root); 2765 2766 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2767 goto out_bad_option; 2768 break; 2769 } 2770 case DEFCONTEXT_MNT: 2771 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2772 goto out_bad_option; 2773 break; 2774 default: 2775 goto out_free_opts; 2776 } 2777 } 2778 2779 rc = 0; 2780 out_free_opts: 2781 security_free_mnt_opts(&opts); 2782 out_free_secdata: 2783 free_secdata(secdata); 2784 return rc; 2785 out_bad_option: 2786 printk(KERN_WARNING "SELinux: unable to change security options " 2787 "during remount (dev %s, type=%s)\n", sb->s_id, 2788 sb->s_type->name); 2789 goto out_free_opts; 2790 } 2791 2792 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2793 { 2794 const struct cred *cred = current_cred(); 2795 struct common_audit_data ad; 2796 int rc; 2797 2798 rc = superblock_doinit(sb, data); 2799 if (rc) 2800 return rc; 2801 2802 /* Allow all mounts performed by the kernel */ 2803 if (flags & MS_KERNMOUNT) 2804 return 0; 2805 2806 ad.type = LSM_AUDIT_DATA_DENTRY; 2807 ad.u.dentry = sb->s_root; 2808 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2809 } 2810 2811 static int selinux_sb_statfs(struct dentry *dentry) 2812 { 2813 const struct cred *cred = current_cred(); 2814 struct common_audit_data ad; 2815 2816 ad.type = LSM_AUDIT_DATA_DENTRY; 2817 ad.u.dentry = dentry->d_sb->s_root; 2818 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2819 } 2820 2821 static int selinux_mount(const char *dev_name, 2822 const struct path *path, 2823 const char *type, 2824 unsigned long flags, 2825 void *data) 2826 { 2827 const struct cred *cred = current_cred(); 2828 2829 if (flags & MS_REMOUNT) 2830 return superblock_has_perm(cred, path->dentry->d_sb, 2831 FILESYSTEM__REMOUNT, NULL); 2832 else 2833 return path_has_perm(cred, path, FILE__MOUNTON); 2834 } 2835 2836 static int selinux_umount(struct vfsmount *mnt, int flags) 2837 { 2838 const struct cred *cred = current_cred(); 2839 2840 return superblock_has_perm(cred, mnt->mnt_sb, 2841 FILESYSTEM__UNMOUNT, NULL); 2842 } 2843 2844 /* inode security operations */ 2845 2846 static int selinux_inode_alloc_security(struct inode *inode) 2847 { 2848 return inode_alloc_security(inode); 2849 } 2850 2851 static void selinux_inode_free_security(struct inode *inode) 2852 { 2853 inode_free_security(inode); 2854 } 2855 2856 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2857 const struct qstr *name, void **ctx, 2858 u32 *ctxlen) 2859 { 2860 u32 newsid; 2861 int rc; 2862 2863 rc = selinux_determine_inode_label(current_security(), 2864 d_inode(dentry->d_parent), name, 2865 inode_mode_to_security_class(mode), 2866 &newsid); 2867 if (rc) 2868 return rc; 2869 2870 return security_sid_to_context(newsid, (char **)ctx, ctxlen); 2871 } 2872 2873 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2874 struct qstr *name, 2875 const struct cred *old, 2876 struct cred *new) 2877 { 2878 u32 newsid; 2879 int rc; 2880 struct task_security_struct *tsec; 2881 2882 rc = selinux_determine_inode_label(old->security, 2883 d_inode(dentry->d_parent), name, 2884 inode_mode_to_security_class(mode), 2885 &newsid); 2886 if (rc) 2887 return rc; 2888 2889 tsec = new->security; 2890 tsec->create_sid = newsid; 2891 return 0; 2892 } 2893 2894 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2895 const struct qstr *qstr, 2896 const char **name, 2897 void **value, size_t *len) 2898 { 2899 const struct task_security_struct *tsec = current_security(); 2900 struct superblock_security_struct *sbsec; 2901 u32 sid, newsid, clen; 2902 int rc; 2903 char *context; 2904 2905 sbsec = dir->i_sb->s_security; 2906 2907 sid = tsec->sid; 2908 newsid = tsec->create_sid; 2909 2910 rc = selinux_determine_inode_label(current_security(), 2911 dir, qstr, 2912 inode_mode_to_security_class(inode->i_mode), 2913 &newsid); 2914 if (rc) 2915 return rc; 2916 2917 /* Possibly defer initialization to selinux_complete_init. */ 2918 if (sbsec->flags & SE_SBINITIALIZED) { 2919 struct inode_security_struct *isec = inode->i_security; 2920 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2921 isec->sid = newsid; 2922 isec->initialized = LABEL_INITIALIZED; 2923 } 2924 2925 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT)) 2926 return -EOPNOTSUPP; 2927 2928 if (name) 2929 *name = XATTR_SELINUX_SUFFIX; 2930 2931 if (value && len) { 2932 rc = security_sid_to_context_force(newsid, &context, &clen); 2933 if (rc) 2934 return rc; 2935 *value = context; 2936 *len = clen; 2937 } 2938 2939 return 0; 2940 } 2941 2942 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 2943 { 2944 return may_create(dir, dentry, SECCLASS_FILE); 2945 } 2946 2947 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2948 { 2949 return may_link(dir, old_dentry, MAY_LINK); 2950 } 2951 2952 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2953 { 2954 return may_link(dir, dentry, MAY_UNLINK); 2955 } 2956 2957 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2958 { 2959 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2960 } 2961 2962 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 2963 { 2964 return may_create(dir, dentry, SECCLASS_DIR); 2965 } 2966 2967 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2968 { 2969 return may_link(dir, dentry, MAY_RMDIR); 2970 } 2971 2972 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 2973 { 2974 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2975 } 2976 2977 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2978 struct inode *new_inode, struct dentry *new_dentry) 2979 { 2980 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2981 } 2982 2983 static int selinux_inode_readlink(struct dentry *dentry) 2984 { 2985 const struct cred *cred = current_cred(); 2986 2987 return dentry_has_perm(cred, dentry, FILE__READ); 2988 } 2989 2990 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 2991 bool rcu) 2992 { 2993 const struct cred *cred = current_cred(); 2994 struct common_audit_data ad; 2995 struct inode_security_struct *isec; 2996 u32 sid; 2997 2998 validate_creds(cred); 2999 3000 ad.type = LSM_AUDIT_DATA_DENTRY; 3001 ad.u.dentry = dentry; 3002 sid = cred_sid(cred); 3003 isec = inode_security_rcu(inode, rcu); 3004 if (IS_ERR(isec)) 3005 return PTR_ERR(isec); 3006 3007 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad, 3008 rcu ? MAY_NOT_BLOCK : 0); 3009 } 3010 3011 static noinline int audit_inode_permission(struct inode *inode, 3012 u32 perms, u32 audited, u32 denied, 3013 int result, 3014 unsigned flags) 3015 { 3016 struct common_audit_data ad; 3017 struct inode_security_struct *isec = inode->i_security; 3018 int rc; 3019 3020 ad.type = LSM_AUDIT_DATA_INODE; 3021 ad.u.inode = inode; 3022 3023 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3024 audited, denied, result, &ad, flags); 3025 if (rc) 3026 return rc; 3027 return 0; 3028 } 3029 3030 static int selinux_inode_permission(struct inode *inode, int mask) 3031 { 3032 const struct cred *cred = current_cred(); 3033 u32 perms; 3034 bool from_access; 3035 unsigned flags = mask & MAY_NOT_BLOCK; 3036 struct inode_security_struct *isec; 3037 u32 sid; 3038 struct av_decision avd; 3039 int rc, rc2; 3040 u32 audited, denied; 3041 3042 from_access = mask & MAY_ACCESS; 3043 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3044 3045 /* No permission to check. Existence test. */ 3046 if (!mask) 3047 return 0; 3048 3049 validate_creds(cred); 3050 3051 if (unlikely(IS_PRIVATE(inode))) 3052 return 0; 3053 3054 perms = file_mask_to_av(inode->i_mode, mask); 3055 3056 sid = cred_sid(cred); 3057 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK); 3058 if (IS_ERR(isec)) 3059 return PTR_ERR(isec); 3060 3061 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); 3062 audited = avc_audit_required(perms, &avd, rc, 3063 from_access ? FILE__AUDIT_ACCESS : 0, 3064 &denied); 3065 if (likely(!audited)) 3066 return rc; 3067 3068 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); 3069 if (rc2) 3070 return rc2; 3071 return rc; 3072 } 3073 3074 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3075 { 3076 const struct cred *cred = current_cred(); 3077 struct inode *inode = d_backing_inode(dentry); 3078 unsigned int ia_valid = iattr->ia_valid; 3079 __u32 av = FILE__WRITE; 3080 3081 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3082 if (ia_valid & ATTR_FORCE) { 3083 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3084 ATTR_FORCE); 3085 if (!ia_valid) 3086 return 0; 3087 } 3088 3089 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3090 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3091 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3092 3093 if (selinux_policycap_openperm && 3094 inode->i_sb->s_magic != SOCKFS_MAGIC && 3095 (ia_valid & ATTR_SIZE) && 3096 !(ia_valid & ATTR_FILE)) 3097 av |= FILE__OPEN; 3098 3099 return dentry_has_perm(cred, dentry, av); 3100 } 3101 3102 static int selinux_inode_getattr(const struct path *path) 3103 { 3104 return path_has_perm(current_cred(), path, FILE__GETATTR); 3105 } 3106 3107 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) 3108 { 3109 const struct cred *cred = current_cred(); 3110 3111 if (!strncmp(name, XATTR_SECURITY_PREFIX, 3112 sizeof XATTR_SECURITY_PREFIX - 1)) { 3113 if (!strcmp(name, XATTR_NAME_CAPS)) { 3114 if (!capable(CAP_SETFCAP)) 3115 return -EPERM; 3116 } else if (!capable(CAP_SYS_ADMIN)) { 3117 /* A different attribute in the security namespace. 3118 Restrict to administrator. */ 3119 return -EPERM; 3120 } 3121 } 3122 3123 /* Not an attribute we recognize, so just check the 3124 ordinary setattr permission. */ 3125 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3126 } 3127 3128 static bool has_cap_mac_admin(bool audit) 3129 { 3130 const struct cred *cred = current_cred(); 3131 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT; 3132 3133 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit)) 3134 return false; 3135 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true)) 3136 return false; 3137 return true; 3138 } 3139 3140 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3141 const void *value, size_t size, int flags) 3142 { 3143 struct inode *inode = d_backing_inode(dentry); 3144 struct inode_security_struct *isec; 3145 struct superblock_security_struct *sbsec; 3146 struct common_audit_data ad; 3147 u32 newsid, sid = current_sid(); 3148 int rc = 0; 3149 3150 if (strcmp(name, XATTR_NAME_SELINUX)) 3151 return selinux_inode_setotherxattr(dentry, name); 3152 3153 sbsec = inode->i_sb->s_security; 3154 if (!(sbsec->flags & SBLABEL_MNT)) 3155 return -EOPNOTSUPP; 3156 3157 if (!inode_owner_or_capable(inode)) 3158 return -EPERM; 3159 3160 ad.type = LSM_AUDIT_DATA_DENTRY; 3161 ad.u.dentry = dentry; 3162 3163 isec = backing_inode_security(dentry); 3164 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3165 FILE__RELABELFROM, &ad); 3166 if (rc) 3167 return rc; 3168 3169 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3170 if (rc == -EINVAL) { 3171 if (!has_cap_mac_admin(true)) { 3172 struct audit_buffer *ab; 3173 size_t audit_size; 3174 const char *str; 3175 3176 /* We strip a nul only if it is at the end, otherwise the 3177 * context contains a nul and we should audit that */ 3178 if (value) { 3179 str = value; 3180 if (str[size - 1] == '\0') 3181 audit_size = size - 1; 3182 else 3183 audit_size = size; 3184 } else { 3185 str = ""; 3186 audit_size = 0; 3187 } 3188 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 3189 audit_log_format(ab, "op=setxattr invalid_context="); 3190 audit_log_n_untrustedstring(ab, value, audit_size); 3191 audit_log_end(ab); 3192 3193 return rc; 3194 } 3195 rc = security_context_to_sid_force(value, size, &newsid); 3196 } 3197 if (rc) 3198 return rc; 3199 3200 rc = avc_has_perm(sid, newsid, isec->sclass, 3201 FILE__RELABELTO, &ad); 3202 if (rc) 3203 return rc; 3204 3205 rc = security_validate_transition(isec->sid, newsid, sid, 3206 isec->sclass); 3207 if (rc) 3208 return rc; 3209 3210 return avc_has_perm(newsid, 3211 sbsec->sid, 3212 SECCLASS_FILESYSTEM, 3213 FILESYSTEM__ASSOCIATE, 3214 &ad); 3215 } 3216 3217 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3218 const void *value, size_t size, 3219 int flags) 3220 { 3221 struct inode *inode = d_backing_inode(dentry); 3222 struct inode_security_struct *isec; 3223 u32 newsid; 3224 int rc; 3225 3226 if (strcmp(name, XATTR_NAME_SELINUX)) { 3227 /* Not an attribute we recognize, so nothing to do. */ 3228 return; 3229 } 3230 3231 rc = security_context_to_sid_force(value, size, &newsid); 3232 if (rc) { 3233 printk(KERN_ERR "SELinux: unable to map context to SID" 3234 "for (%s, %lu), rc=%d\n", 3235 inode->i_sb->s_id, inode->i_ino, -rc); 3236 return; 3237 } 3238 3239 isec = backing_inode_security(dentry); 3240 spin_lock(&isec->lock); 3241 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3242 isec->sid = newsid; 3243 isec->initialized = LABEL_INITIALIZED; 3244 spin_unlock(&isec->lock); 3245 3246 return; 3247 } 3248 3249 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3250 { 3251 const struct cred *cred = current_cred(); 3252 3253 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3254 } 3255 3256 static int selinux_inode_listxattr(struct dentry *dentry) 3257 { 3258 const struct cred *cred = current_cred(); 3259 3260 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3261 } 3262 3263 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3264 { 3265 if (strcmp(name, XATTR_NAME_SELINUX)) 3266 return selinux_inode_setotherxattr(dentry, name); 3267 3268 /* No one is allowed to remove a SELinux security label. 3269 You can change the label, but all data must be labeled. */ 3270 return -EACCES; 3271 } 3272 3273 /* 3274 * Copy the inode security context value to the user. 3275 * 3276 * Permission check is handled by selinux_inode_getxattr hook. 3277 */ 3278 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3279 { 3280 u32 size; 3281 int error; 3282 char *context = NULL; 3283 struct inode_security_struct *isec; 3284 3285 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3286 return -EOPNOTSUPP; 3287 3288 /* 3289 * If the caller has CAP_MAC_ADMIN, then get the raw context 3290 * value even if it is not defined by current policy; otherwise, 3291 * use the in-core value under current policy. 3292 * Use the non-auditing forms of the permission checks since 3293 * getxattr may be called by unprivileged processes commonly 3294 * and lack of permission just means that we fall back to the 3295 * in-core context value, not a denial. 3296 */ 3297 isec = inode_security(inode); 3298 if (has_cap_mac_admin(false)) 3299 error = security_sid_to_context_force(isec->sid, &context, 3300 &size); 3301 else 3302 error = security_sid_to_context(isec->sid, &context, &size); 3303 if (error) 3304 return error; 3305 error = size; 3306 if (alloc) { 3307 *buffer = context; 3308 goto out_nofree; 3309 } 3310 kfree(context); 3311 out_nofree: 3312 return error; 3313 } 3314 3315 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3316 const void *value, size_t size, int flags) 3317 { 3318 struct inode_security_struct *isec = inode_security_novalidate(inode); 3319 u32 newsid; 3320 int rc; 3321 3322 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3323 return -EOPNOTSUPP; 3324 3325 if (!value || !size) 3326 return -EACCES; 3327 3328 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3329 if (rc) 3330 return rc; 3331 3332 spin_lock(&isec->lock); 3333 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3334 isec->sid = newsid; 3335 isec->initialized = LABEL_INITIALIZED; 3336 spin_unlock(&isec->lock); 3337 return 0; 3338 } 3339 3340 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3341 { 3342 const int len = sizeof(XATTR_NAME_SELINUX); 3343 if (buffer && len <= buffer_size) 3344 memcpy(buffer, XATTR_NAME_SELINUX, len); 3345 return len; 3346 } 3347 3348 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3349 { 3350 struct inode_security_struct *isec = inode_security_novalidate(inode); 3351 *secid = isec->sid; 3352 } 3353 3354 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3355 { 3356 u32 sid; 3357 struct task_security_struct *tsec; 3358 struct cred *new_creds = *new; 3359 3360 if (new_creds == NULL) { 3361 new_creds = prepare_creds(); 3362 if (!new_creds) 3363 return -ENOMEM; 3364 } 3365 3366 tsec = new_creds->security; 3367 /* Get label from overlay inode and set it in create_sid */ 3368 selinux_inode_getsecid(d_inode(src), &sid); 3369 tsec->create_sid = sid; 3370 *new = new_creds; 3371 return 0; 3372 } 3373 3374 static int selinux_inode_copy_up_xattr(const char *name) 3375 { 3376 /* The copy_up hook above sets the initial context on an inode, but we 3377 * don't then want to overwrite it by blindly copying all the lower 3378 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3379 */ 3380 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3381 return 1; /* Discard */ 3382 /* 3383 * Any other attribute apart from SELINUX is not claimed, supported 3384 * by selinux. 3385 */ 3386 return -EOPNOTSUPP; 3387 } 3388 3389 /* file security operations */ 3390 3391 static int selinux_revalidate_file_permission(struct file *file, int mask) 3392 { 3393 const struct cred *cred = current_cred(); 3394 struct inode *inode = file_inode(file); 3395 3396 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3397 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3398 mask |= MAY_APPEND; 3399 3400 return file_has_perm(cred, file, 3401 file_mask_to_av(inode->i_mode, mask)); 3402 } 3403 3404 static int selinux_file_permission(struct file *file, int mask) 3405 { 3406 struct inode *inode = file_inode(file); 3407 struct file_security_struct *fsec = file->f_security; 3408 struct inode_security_struct *isec; 3409 u32 sid = current_sid(); 3410 3411 if (!mask) 3412 /* No permission to check. Existence test. */ 3413 return 0; 3414 3415 isec = inode_security(inode); 3416 if (sid == fsec->sid && fsec->isid == isec->sid && 3417 fsec->pseqno == avc_policy_seqno()) 3418 /* No change since file_open check. */ 3419 return 0; 3420 3421 return selinux_revalidate_file_permission(file, mask); 3422 } 3423 3424 static int selinux_file_alloc_security(struct file *file) 3425 { 3426 return file_alloc_security(file); 3427 } 3428 3429 static void selinux_file_free_security(struct file *file) 3430 { 3431 file_free_security(file); 3432 } 3433 3434 /* 3435 * Check whether a task has the ioctl permission and cmd 3436 * operation to an inode. 3437 */ 3438 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3439 u32 requested, u16 cmd) 3440 { 3441 struct common_audit_data ad; 3442 struct file_security_struct *fsec = file->f_security; 3443 struct inode *inode = file_inode(file); 3444 struct inode_security_struct *isec; 3445 struct lsm_ioctlop_audit ioctl; 3446 u32 ssid = cred_sid(cred); 3447 int rc; 3448 u8 driver = cmd >> 8; 3449 u8 xperm = cmd & 0xff; 3450 3451 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3452 ad.u.op = &ioctl; 3453 ad.u.op->cmd = cmd; 3454 ad.u.op->path = file->f_path; 3455 3456 if (ssid != fsec->sid) { 3457 rc = avc_has_perm(ssid, fsec->sid, 3458 SECCLASS_FD, 3459 FD__USE, 3460 &ad); 3461 if (rc) 3462 goto out; 3463 } 3464 3465 if (unlikely(IS_PRIVATE(inode))) 3466 return 0; 3467 3468 isec = inode_security(inode); 3469 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, 3470 requested, driver, xperm, &ad); 3471 out: 3472 return rc; 3473 } 3474 3475 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3476 unsigned long arg) 3477 { 3478 const struct cred *cred = current_cred(); 3479 int error = 0; 3480 3481 switch (cmd) { 3482 case FIONREAD: 3483 /* fall through */ 3484 case FIBMAP: 3485 /* fall through */ 3486 case FIGETBSZ: 3487 /* fall through */ 3488 case FS_IOC_GETFLAGS: 3489 /* fall through */ 3490 case FS_IOC_GETVERSION: 3491 error = file_has_perm(cred, file, FILE__GETATTR); 3492 break; 3493 3494 case FS_IOC_SETFLAGS: 3495 /* fall through */ 3496 case FS_IOC_SETVERSION: 3497 error = file_has_perm(cred, file, FILE__SETATTR); 3498 break; 3499 3500 /* sys_ioctl() checks */ 3501 case FIONBIO: 3502 /* fall through */ 3503 case FIOASYNC: 3504 error = file_has_perm(cred, file, 0); 3505 break; 3506 3507 case KDSKBENT: 3508 case KDSKBSENT: 3509 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3510 SECURITY_CAP_AUDIT, true); 3511 break; 3512 3513 /* default case assumes that the command will go 3514 * to the file's ioctl() function. 3515 */ 3516 default: 3517 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3518 } 3519 return error; 3520 } 3521 3522 static int default_noexec; 3523 3524 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3525 { 3526 const struct cred *cred = current_cred(); 3527 u32 sid = cred_sid(cred); 3528 int rc = 0; 3529 3530 if (default_noexec && 3531 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3532 (!shared && (prot & PROT_WRITE)))) { 3533 /* 3534 * We are making executable an anonymous mapping or a 3535 * private file mapping that will also be writable. 3536 * This has an additional check. 3537 */ 3538 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3539 PROCESS__EXECMEM, NULL); 3540 if (rc) 3541 goto error; 3542 } 3543 3544 if (file) { 3545 /* read access is always possible with a mapping */ 3546 u32 av = FILE__READ; 3547 3548 /* write access only matters if the mapping is shared */ 3549 if (shared && (prot & PROT_WRITE)) 3550 av |= FILE__WRITE; 3551 3552 if (prot & PROT_EXEC) 3553 av |= FILE__EXECUTE; 3554 3555 return file_has_perm(cred, file, av); 3556 } 3557 3558 error: 3559 return rc; 3560 } 3561 3562 static int selinux_mmap_addr(unsigned long addr) 3563 { 3564 int rc = 0; 3565 3566 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3567 u32 sid = current_sid(); 3568 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3569 MEMPROTECT__MMAP_ZERO, NULL); 3570 } 3571 3572 return rc; 3573 } 3574 3575 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3576 unsigned long prot, unsigned long flags) 3577 { 3578 struct common_audit_data ad; 3579 int rc; 3580 3581 if (file) { 3582 ad.type = LSM_AUDIT_DATA_FILE; 3583 ad.u.file = file; 3584 rc = inode_has_perm(current_cred(), file_inode(file), 3585 FILE__MAP, &ad); 3586 if (rc) 3587 return rc; 3588 } 3589 3590 if (selinux_checkreqprot) 3591 prot = reqprot; 3592 3593 return file_map_prot_check(file, prot, 3594 (flags & MAP_TYPE) == MAP_SHARED); 3595 } 3596 3597 static int selinux_file_mprotect(struct vm_area_struct *vma, 3598 unsigned long reqprot, 3599 unsigned long prot) 3600 { 3601 const struct cred *cred = current_cred(); 3602 u32 sid = cred_sid(cred); 3603 3604 if (selinux_checkreqprot) 3605 prot = reqprot; 3606 3607 if (default_noexec && 3608 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3609 int rc = 0; 3610 if (vma->vm_start >= vma->vm_mm->start_brk && 3611 vma->vm_end <= vma->vm_mm->brk) { 3612 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3613 PROCESS__EXECHEAP, NULL); 3614 } else if (!vma->vm_file && 3615 ((vma->vm_start <= vma->vm_mm->start_stack && 3616 vma->vm_end >= vma->vm_mm->start_stack) || 3617 vma_is_stack_for_current(vma))) { 3618 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3619 PROCESS__EXECSTACK, NULL); 3620 } else if (vma->vm_file && vma->anon_vma) { 3621 /* 3622 * We are making executable a file mapping that has 3623 * had some COW done. Since pages might have been 3624 * written, check ability to execute the possibly 3625 * modified content. This typically should only 3626 * occur for text relocations. 3627 */ 3628 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3629 } 3630 if (rc) 3631 return rc; 3632 } 3633 3634 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3635 } 3636 3637 static int selinux_file_lock(struct file *file, unsigned int cmd) 3638 { 3639 const struct cred *cred = current_cred(); 3640 3641 return file_has_perm(cred, file, FILE__LOCK); 3642 } 3643 3644 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3645 unsigned long arg) 3646 { 3647 const struct cred *cred = current_cred(); 3648 int err = 0; 3649 3650 switch (cmd) { 3651 case F_SETFL: 3652 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3653 err = file_has_perm(cred, file, FILE__WRITE); 3654 break; 3655 } 3656 /* fall through */ 3657 case F_SETOWN: 3658 case F_SETSIG: 3659 case F_GETFL: 3660 case F_GETOWN: 3661 case F_GETSIG: 3662 case F_GETOWNER_UIDS: 3663 /* Just check FD__USE permission */ 3664 err = file_has_perm(cred, file, 0); 3665 break; 3666 case F_GETLK: 3667 case F_SETLK: 3668 case F_SETLKW: 3669 case F_OFD_GETLK: 3670 case F_OFD_SETLK: 3671 case F_OFD_SETLKW: 3672 #if BITS_PER_LONG == 32 3673 case F_GETLK64: 3674 case F_SETLK64: 3675 case F_SETLKW64: 3676 #endif 3677 err = file_has_perm(cred, file, FILE__LOCK); 3678 break; 3679 } 3680 3681 return err; 3682 } 3683 3684 static void selinux_file_set_fowner(struct file *file) 3685 { 3686 struct file_security_struct *fsec; 3687 3688 fsec = file->f_security; 3689 fsec->fown_sid = current_sid(); 3690 } 3691 3692 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3693 struct fown_struct *fown, int signum) 3694 { 3695 struct file *file; 3696 u32 sid = task_sid(tsk); 3697 u32 perm; 3698 struct file_security_struct *fsec; 3699 3700 /* struct fown_struct is never outside the context of a struct file */ 3701 file = container_of(fown, struct file, f_owner); 3702 3703 fsec = file->f_security; 3704 3705 if (!signum) 3706 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3707 else 3708 perm = signal_to_av(signum); 3709 3710 return avc_has_perm(fsec->fown_sid, sid, 3711 SECCLASS_PROCESS, perm, NULL); 3712 } 3713 3714 static int selinux_file_receive(struct file *file) 3715 { 3716 const struct cred *cred = current_cred(); 3717 3718 return file_has_perm(cred, file, file_to_av(file)); 3719 } 3720 3721 static int selinux_file_open(struct file *file, const struct cred *cred) 3722 { 3723 struct file_security_struct *fsec; 3724 struct inode_security_struct *isec; 3725 3726 fsec = file->f_security; 3727 isec = inode_security(file_inode(file)); 3728 /* 3729 * Save inode label and policy sequence number 3730 * at open-time so that selinux_file_permission 3731 * can determine whether revalidation is necessary. 3732 * Task label is already saved in the file security 3733 * struct as its SID. 3734 */ 3735 fsec->isid = isec->sid; 3736 fsec->pseqno = avc_policy_seqno(); 3737 /* 3738 * Since the inode label or policy seqno may have changed 3739 * between the selinux_inode_permission check and the saving 3740 * of state above, recheck that access is still permitted. 3741 * Otherwise, access might never be revalidated against the 3742 * new inode label or new policy. 3743 * This check is not redundant - do not remove. 3744 */ 3745 return file_path_has_perm(cred, file, open_file_to_av(file)); 3746 } 3747 3748 /* task security operations */ 3749 3750 static int selinux_task_alloc(struct task_struct *task, 3751 unsigned long clone_flags) 3752 { 3753 u32 sid = current_sid(); 3754 3755 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3756 } 3757 3758 /* 3759 * allocate the SELinux part of blank credentials 3760 */ 3761 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3762 { 3763 struct task_security_struct *tsec; 3764 3765 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3766 if (!tsec) 3767 return -ENOMEM; 3768 3769 cred->security = tsec; 3770 return 0; 3771 } 3772 3773 /* 3774 * detach and free the LSM part of a set of credentials 3775 */ 3776 static void selinux_cred_free(struct cred *cred) 3777 { 3778 struct task_security_struct *tsec = cred->security; 3779 3780 /* 3781 * cred->security == NULL if security_cred_alloc_blank() or 3782 * security_prepare_creds() returned an error. 3783 */ 3784 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); 3785 cred->security = (void *) 0x7UL; 3786 kfree(tsec); 3787 } 3788 3789 /* 3790 * prepare a new set of credentials for modification 3791 */ 3792 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3793 gfp_t gfp) 3794 { 3795 const struct task_security_struct *old_tsec; 3796 struct task_security_struct *tsec; 3797 3798 old_tsec = old->security; 3799 3800 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3801 if (!tsec) 3802 return -ENOMEM; 3803 3804 new->security = tsec; 3805 return 0; 3806 } 3807 3808 /* 3809 * transfer the SELinux data to a blank set of creds 3810 */ 3811 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3812 { 3813 const struct task_security_struct *old_tsec = old->security; 3814 struct task_security_struct *tsec = new->security; 3815 3816 *tsec = *old_tsec; 3817 } 3818 3819 /* 3820 * set the security data for a kernel service 3821 * - all the creation contexts are set to unlabelled 3822 */ 3823 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3824 { 3825 struct task_security_struct *tsec = new->security; 3826 u32 sid = current_sid(); 3827 int ret; 3828 3829 ret = avc_has_perm(sid, secid, 3830 SECCLASS_KERNEL_SERVICE, 3831 KERNEL_SERVICE__USE_AS_OVERRIDE, 3832 NULL); 3833 if (ret == 0) { 3834 tsec->sid = secid; 3835 tsec->create_sid = 0; 3836 tsec->keycreate_sid = 0; 3837 tsec->sockcreate_sid = 0; 3838 } 3839 return ret; 3840 } 3841 3842 /* 3843 * set the file creation context in a security record to the same as the 3844 * objective context of the specified inode 3845 */ 3846 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3847 { 3848 struct inode_security_struct *isec = inode_security(inode); 3849 struct task_security_struct *tsec = new->security; 3850 u32 sid = current_sid(); 3851 int ret; 3852 3853 ret = avc_has_perm(sid, isec->sid, 3854 SECCLASS_KERNEL_SERVICE, 3855 KERNEL_SERVICE__CREATE_FILES_AS, 3856 NULL); 3857 3858 if (ret == 0) 3859 tsec->create_sid = isec->sid; 3860 return ret; 3861 } 3862 3863 static int selinux_kernel_module_request(char *kmod_name) 3864 { 3865 struct common_audit_data ad; 3866 3867 ad.type = LSM_AUDIT_DATA_KMOD; 3868 ad.u.kmod_name = kmod_name; 3869 3870 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 3871 SYSTEM__MODULE_REQUEST, &ad); 3872 } 3873 3874 static int selinux_kernel_module_from_file(struct file *file) 3875 { 3876 struct common_audit_data ad; 3877 struct inode_security_struct *isec; 3878 struct file_security_struct *fsec; 3879 u32 sid = current_sid(); 3880 int rc; 3881 3882 /* init_module */ 3883 if (file == NULL) 3884 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, 3885 SYSTEM__MODULE_LOAD, NULL); 3886 3887 /* finit_module */ 3888 3889 ad.type = LSM_AUDIT_DATA_FILE; 3890 ad.u.file = file; 3891 3892 fsec = file->f_security; 3893 if (sid != fsec->sid) { 3894 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 3895 if (rc) 3896 return rc; 3897 } 3898 3899 isec = inode_security(file_inode(file)); 3900 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, 3901 SYSTEM__MODULE_LOAD, &ad); 3902 } 3903 3904 static int selinux_kernel_read_file(struct file *file, 3905 enum kernel_read_file_id id) 3906 { 3907 int rc = 0; 3908 3909 switch (id) { 3910 case READING_MODULE: 3911 rc = selinux_kernel_module_from_file(file); 3912 break; 3913 default: 3914 break; 3915 } 3916 3917 return rc; 3918 } 3919 3920 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3921 { 3922 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3923 PROCESS__SETPGID, NULL); 3924 } 3925 3926 static int selinux_task_getpgid(struct task_struct *p) 3927 { 3928 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3929 PROCESS__GETPGID, NULL); 3930 } 3931 3932 static int selinux_task_getsid(struct task_struct *p) 3933 { 3934 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3935 PROCESS__GETSESSION, NULL); 3936 } 3937 3938 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3939 { 3940 *secid = task_sid(p); 3941 } 3942 3943 static int selinux_task_setnice(struct task_struct *p, int nice) 3944 { 3945 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3946 PROCESS__SETSCHED, NULL); 3947 } 3948 3949 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3950 { 3951 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3952 PROCESS__SETSCHED, NULL); 3953 } 3954 3955 static int selinux_task_getioprio(struct task_struct *p) 3956 { 3957 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3958 PROCESS__GETSCHED, NULL); 3959 } 3960 3961 int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 3962 unsigned int flags) 3963 { 3964 u32 av = 0; 3965 3966 if (!flags) 3967 return 0; 3968 if (flags & LSM_PRLIMIT_WRITE) 3969 av |= PROCESS__SETRLIMIT; 3970 if (flags & LSM_PRLIMIT_READ) 3971 av |= PROCESS__GETRLIMIT; 3972 return avc_has_perm(cred_sid(cred), cred_sid(tcred), 3973 SECCLASS_PROCESS, av, NULL); 3974 } 3975 3976 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 3977 struct rlimit *new_rlim) 3978 { 3979 struct rlimit *old_rlim = p->signal->rlim + resource; 3980 3981 /* Control the ability to change the hard limit (whether 3982 lowering or raising it), so that the hard limit can 3983 later be used as a safe reset point for the soft limit 3984 upon context transitions. See selinux_bprm_committing_creds. */ 3985 if (old_rlim->rlim_max != new_rlim->rlim_max) 3986 return avc_has_perm(current_sid(), task_sid(p), 3987 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 3988 3989 return 0; 3990 } 3991 3992 static int selinux_task_setscheduler(struct task_struct *p) 3993 { 3994 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3995 PROCESS__SETSCHED, NULL); 3996 } 3997 3998 static int selinux_task_getscheduler(struct task_struct *p) 3999 { 4000 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4001 PROCESS__GETSCHED, NULL); 4002 } 4003 4004 static int selinux_task_movememory(struct task_struct *p) 4005 { 4006 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4007 PROCESS__SETSCHED, NULL); 4008 } 4009 4010 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 4011 int sig, u32 secid) 4012 { 4013 u32 perm; 4014 4015 if (!sig) 4016 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4017 else 4018 perm = signal_to_av(sig); 4019 if (!secid) 4020 secid = current_sid(); 4021 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4022 } 4023 4024 static void selinux_task_to_inode(struct task_struct *p, 4025 struct inode *inode) 4026 { 4027 struct inode_security_struct *isec = inode->i_security; 4028 u32 sid = task_sid(p); 4029 4030 spin_lock(&isec->lock); 4031 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4032 isec->sid = sid; 4033 isec->initialized = LABEL_INITIALIZED; 4034 spin_unlock(&isec->lock); 4035 } 4036 4037 /* Returns error only if unable to parse addresses */ 4038 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4039 struct common_audit_data *ad, u8 *proto) 4040 { 4041 int offset, ihlen, ret = -EINVAL; 4042 struct iphdr _iph, *ih; 4043 4044 offset = skb_network_offset(skb); 4045 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4046 if (ih == NULL) 4047 goto out; 4048 4049 ihlen = ih->ihl * 4; 4050 if (ihlen < sizeof(_iph)) 4051 goto out; 4052 4053 ad->u.net->v4info.saddr = ih->saddr; 4054 ad->u.net->v4info.daddr = ih->daddr; 4055 ret = 0; 4056 4057 if (proto) 4058 *proto = ih->protocol; 4059 4060 switch (ih->protocol) { 4061 case IPPROTO_TCP: { 4062 struct tcphdr _tcph, *th; 4063 4064 if (ntohs(ih->frag_off) & IP_OFFSET) 4065 break; 4066 4067 offset += ihlen; 4068 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4069 if (th == NULL) 4070 break; 4071 4072 ad->u.net->sport = th->source; 4073 ad->u.net->dport = th->dest; 4074 break; 4075 } 4076 4077 case IPPROTO_UDP: { 4078 struct udphdr _udph, *uh; 4079 4080 if (ntohs(ih->frag_off) & IP_OFFSET) 4081 break; 4082 4083 offset += ihlen; 4084 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4085 if (uh == NULL) 4086 break; 4087 4088 ad->u.net->sport = uh->source; 4089 ad->u.net->dport = uh->dest; 4090 break; 4091 } 4092 4093 case IPPROTO_DCCP: { 4094 struct dccp_hdr _dccph, *dh; 4095 4096 if (ntohs(ih->frag_off) & IP_OFFSET) 4097 break; 4098 4099 offset += ihlen; 4100 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4101 if (dh == NULL) 4102 break; 4103 4104 ad->u.net->sport = dh->dccph_sport; 4105 ad->u.net->dport = dh->dccph_dport; 4106 break; 4107 } 4108 4109 default: 4110 break; 4111 } 4112 out: 4113 return ret; 4114 } 4115 4116 #if IS_ENABLED(CONFIG_IPV6) 4117 4118 /* Returns error only if unable to parse addresses */ 4119 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4120 struct common_audit_data *ad, u8 *proto) 4121 { 4122 u8 nexthdr; 4123 int ret = -EINVAL, offset; 4124 struct ipv6hdr _ipv6h, *ip6; 4125 __be16 frag_off; 4126 4127 offset = skb_network_offset(skb); 4128 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4129 if (ip6 == NULL) 4130 goto out; 4131 4132 ad->u.net->v6info.saddr = ip6->saddr; 4133 ad->u.net->v6info.daddr = ip6->daddr; 4134 ret = 0; 4135 4136 nexthdr = ip6->nexthdr; 4137 offset += sizeof(_ipv6h); 4138 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4139 if (offset < 0) 4140 goto out; 4141 4142 if (proto) 4143 *proto = nexthdr; 4144 4145 switch (nexthdr) { 4146 case IPPROTO_TCP: { 4147 struct tcphdr _tcph, *th; 4148 4149 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4150 if (th == NULL) 4151 break; 4152 4153 ad->u.net->sport = th->source; 4154 ad->u.net->dport = th->dest; 4155 break; 4156 } 4157 4158 case IPPROTO_UDP: { 4159 struct udphdr _udph, *uh; 4160 4161 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4162 if (uh == NULL) 4163 break; 4164 4165 ad->u.net->sport = uh->source; 4166 ad->u.net->dport = uh->dest; 4167 break; 4168 } 4169 4170 case IPPROTO_DCCP: { 4171 struct dccp_hdr _dccph, *dh; 4172 4173 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4174 if (dh == NULL) 4175 break; 4176 4177 ad->u.net->sport = dh->dccph_sport; 4178 ad->u.net->dport = dh->dccph_dport; 4179 break; 4180 } 4181 4182 /* includes fragments */ 4183 default: 4184 break; 4185 } 4186 out: 4187 return ret; 4188 } 4189 4190 #endif /* IPV6 */ 4191 4192 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4193 char **_addrp, int src, u8 *proto) 4194 { 4195 char *addrp; 4196 int ret; 4197 4198 switch (ad->u.net->family) { 4199 case PF_INET: 4200 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4201 if (ret) 4202 goto parse_error; 4203 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4204 &ad->u.net->v4info.daddr); 4205 goto okay; 4206 4207 #if IS_ENABLED(CONFIG_IPV6) 4208 case PF_INET6: 4209 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4210 if (ret) 4211 goto parse_error; 4212 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4213 &ad->u.net->v6info.daddr); 4214 goto okay; 4215 #endif /* IPV6 */ 4216 default: 4217 addrp = NULL; 4218 goto okay; 4219 } 4220 4221 parse_error: 4222 printk(KERN_WARNING 4223 "SELinux: failure in selinux_parse_skb()," 4224 " unable to parse packet\n"); 4225 return ret; 4226 4227 okay: 4228 if (_addrp) 4229 *_addrp = addrp; 4230 return 0; 4231 } 4232 4233 /** 4234 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4235 * @skb: the packet 4236 * @family: protocol family 4237 * @sid: the packet's peer label SID 4238 * 4239 * Description: 4240 * Check the various different forms of network peer labeling and determine 4241 * the peer label/SID for the packet; most of the magic actually occurs in 4242 * the security server function security_net_peersid_cmp(). The function 4243 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4244 * or -EACCES if @sid is invalid due to inconsistencies with the different 4245 * peer labels. 4246 * 4247 */ 4248 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4249 { 4250 int err; 4251 u32 xfrm_sid; 4252 u32 nlbl_sid; 4253 u32 nlbl_type; 4254 4255 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4256 if (unlikely(err)) 4257 return -EACCES; 4258 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4259 if (unlikely(err)) 4260 return -EACCES; 4261 4262 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 4263 if (unlikely(err)) { 4264 printk(KERN_WARNING 4265 "SELinux: failure in selinux_skb_peerlbl_sid()," 4266 " unable to determine packet's peer label\n"); 4267 return -EACCES; 4268 } 4269 4270 return 0; 4271 } 4272 4273 /** 4274 * selinux_conn_sid - Determine the child socket label for a connection 4275 * @sk_sid: the parent socket's SID 4276 * @skb_sid: the packet's SID 4277 * @conn_sid: the resulting connection SID 4278 * 4279 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4280 * combined with the MLS information from @skb_sid in order to create 4281 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy 4282 * of @sk_sid. Returns zero on success, negative values on failure. 4283 * 4284 */ 4285 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4286 { 4287 int err = 0; 4288 4289 if (skb_sid != SECSID_NULL) 4290 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid); 4291 else 4292 *conn_sid = sk_sid; 4293 4294 return err; 4295 } 4296 4297 /* socket security operations */ 4298 4299 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4300 u16 secclass, u32 *socksid) 4301 { 4302 if (tsec->sockcreate_sid > SECSID_NULL) { 4303 *socksid = tsec->sockcreate_sid; 4304 return 0; 4305 } 4306 4307 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, 4308 socksid); 4309 } 4310 4311 static int sock_has_perm(struct sock *sk, u32 perms) 4312 { 4313 struct sk_security_struct *sksec = sk->sk_security; 4314 struct common_audit_data ad; 4315 struct lsm_network_audit net = {0,}; 4316 4317 if (sksec->sid == SECINITSID_KERNEL) 4318 return 0; 4319 4320 ad.type = LSM_AUDIT_DATA_NET; 4321 ad.u.net = &net; 4322 ad.u.net->sk = sk; 4323 4324 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4325 &ad); 4326 } 4327 4328 static int selinux_socket_create(int family, int type, 4329 int protocol, int kern) 4330 { 4331 const struct task_security_struct *tsec = current_security(); 4332 u32 newsid; 4333 u16 secclass; 4334 int rc; 4335 4336 if (kern) 4337 return 0; 4338 4339 secclass = socket_type_to_security_class(family, type, protocol); 4340 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4341 if (rc) 4342 return rc; 4343 4344 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4345 } 4346 4347 static int selinux_socket_post_create(struct socket *sock, int family, 4348 int type, int protocol, int kern) 4349 { 4350 const struct task_security_struct *tsec = current_security(); 4351 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4352 struct sk_security_struct *sksec; 4353 u16 sclass = socket_type_to_security_class(family, type, protocol); 4354 u32 sid = SECINITSID_KERNEL; 4355 int err = 0; 4356 4357 if (!kern) { 4358 err = socket_sockcreate_sid(tsec, sclass, &sid); 4359 if (err) 4360 return err; 4361 } 4362 4363 isec->sclass = sclass; 4364 isec->sid = sid; 4365 isec->initialized = LABEL_INITIALIZED; 4366 4367 if (sock->sk) { 4368 sksec = sock->sk->sk_security; 4369 sksec->sclass = sclass; 4370 sksec->sid = sid; 4371 err = selinux_netlbl_socket_post_create(sock->sk, family); 4372 } 4373 4374 return err; 4375 } 4376 4377 /* Range of port numbers used to automatically bind. 4378 Need to determine whether we should perform a name_bind 4379 permission check between the socket and the port number. */ 4380 4381 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4382 { 4383 struct sock *sk = sock->sk; 4384 u16 family; 4385 int err; 4386 4387 err = sock_has_perm(sk, SOCKET__BIND); 4388 if (err) 4389 goto out; 4390 4391 /* 4392 * If PF_INET or PF_INET6, check name_bind permission for the port. 4393 * Multiple address binding for SCTP is not supported yet: we just 4394 * check the first address now. 4395 */ 4396 family = sk->sk_family; 4397 if (family == PF_INET || family == PF_INET6) { 4398 char *addrp; 4399 struct sk_security_struct *sksec = sk->sk_security; 4400 struct common_audit_data ad; 4401 struct lsm_network_audit net = {0,}; 4402 struct sockaddr_in *addr4 = NULL; 4403 struct sockaddr_in6 *addr6 = NULL; 4404 unsigned short snum; 4405 u32 sid, node_perm; 4406 4407 if (family == PF_INET) { 4408 if (addrlen < sizeof(struct sockaddr_in)) { 4409 err = -EINVAL; 4410 goto out; 4411 } 4412 addr4 = (struct sockaddr_in *)address; 4413 snum = ntohs(addr4->sin_port); 4414 addrp = (char *)&addr4->sin_addr.s_addr; 4415 } else { 4416 if (addrlen < SIN6_LEN_RFC2133) { 4417 err = -EINVAL; 4418 goto out; 4419 } 4420 addr6 = (struct sockaddr_in6 *)address; 4421 snum = ntohs(addr6->sin6_port); 4422 addrp = (char *)&addr6->sin6_addr.s6_addr; 4423 } 4424 4425 if (snum) { 4426 int low, high; 4427 4428 inet_get_local_port_range(sock_net(sk), &low, &high); 4429 4430 if (snum < max(inet_prot_sock(sock_net(sk)), low) || 4431 snum > high) { 4432 err = sel_netport_sid(sk->sk_protocol, 4433 snum, &sid); 4434 if (err) 4435 goto out; 4436 ad.type = LSM_AUDIT_DATA_NET; 4437 ad.u.net = &net; 4438 ad.u.net->sport = htons(snum); 4439 ad.u.net->family = family; 4440 err = avc_has_perm(sksec->sid, sid, 4441 sksec->sclass, 4442 SOCKET__NAME_BIND, &ad); 4443 if (err) 4444 goto out; 4445 } 4446 } 4447 4448 switch (sksec->sclass) { 4449 case SECCLASS_TCP_SOCKET: 4450 node_perm = TCP_SOCKET__NODE_BIND; 4451 break; 4452 4453 case SECCLASS_UDP_SOCKET: 4454 node_perm = UDP_SOCKET__NODE_BIND; 4455 break; 4456 4457 case SECCLASS_DCCP_SOCKET: 4458 node_perm = DCCP_SOCKET__NODE_BIND; 4459 break; 4460 4461 default: 4462 node_perm = RAWIP_SOCKET__NODE_BIND; 4463 break; 4464 } 4465 4466 err = sel_netnode_sid(addrp, family, &sid); 4467 if (err) 4468 goto out; 4469 4470 ad.type = LSM_AUDIT_DATA_NET; 4471 ad.u.net = &net; 4472 ad.u.net->sport = htons(snum); 4473 ad.u.net->family = family; 4474 4475 if (family == PF_INET) 4476 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4477 else 4478 ad.u.net->v6info.saddr = addr6->sin6_addr; 4479 4480 err = avc_has_perm(sksec->sid, sid, 4481 sksec->sclass, node_perm, &ad); 4482 if (err) 4483 goto out; 4484 } 4485 out: 4486 return err; 4487 } 4488 4489 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 4490 { 4491 struct sock *sk = sock->sk; 4492 struct sk_security_struct *sksec = sk->sk_security; 4493 int err; 4494 4495 err = sock_has_perm(sk, SOCKET__CONNECT); 4496 if (err) 4497 return err; 4498 4499 /* 4500 * If a TCP or DCCP socket, check name_connect permission for the port. 4501 */ 4502 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4503 sksec->sclass == SECCLASS_DCCP_SOCKET) { 4504 struct common_audit_data ad; 4505 struct lsm_network_audit net = {0,}; 4506 struct sockaddr_in *addr4 = NULL; 4507 struct sockaddr_in6 *addr6 = NULL; 4508 unsigned short snum; 4509 u32 sid, perm; 4510 4511 if (sk->sk_family == PF_INET) { 4512 addr4 = (struct sockaddr_in *)address; 4513 if (addrlen < sizeof(struct sockaddr_in)) 4514 return -EINVAL; 4515 snum = ntohs(addr4->sin_port); 4516 } else { 4517 addr6 = (struct sockaddr_in6 *)address; 4518 if (addrlen < SIN6_LEN_RFC2133) 4519 return -EINVAL; 4520 snum = ntohs(addr6->sin6_port); 4521 } 4522 4523 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4524 if (err) 4525 goto out; 4526 4527 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? 4528 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 4529 4530 ad.type = LSM_AUDIT_DATA_NET; 4531 ad.u.net = &net; 4532 ad.u.net->dport = htons(snum); 4533 ad.u.net->family = sk->sk_family; 4534 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 4535 if (err) 4536 goto out; 4537 } 4538 4539 err = selinux_netlbl_socket_connect(sk, address); 4540 4541 out: 4542 return err; 4543 } 4544 4545 static int selinux_socket_listen(struct socket *sock, int backlog) 4546 { 4547 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4548 } 4549 4550 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4551 { 4552 int err; 4553 struct inode_security_struct *isec; 4554 struct inode_security_struct *newisec; 4555 u16 sclass; 4556 u32 sid; 4557 4558 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4559 if (err) 4560 return err; 4561 4562 isec = inode_security_novalidate(SOCK_INODE(sock)); 4563 spin_lock(&isec->lock); 4564 sclass = isec->sclass; 4565 sid = isec->sid; 4566 spin_unlock(&isec->lock); 4567 4568 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4569 newisec->sclass = sclass; 4570 newisec->sid = sid; 4571 newisec->initialized = LABEL_INITIALIZED; 4572 4573 return 0; 4574 } 4575 4576 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4577 int size) 4578 { 4579 return sock_has_perm(sock->sk, SOCKET__WRITE); 4580 } 4581 4582 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4583 int size, int flags) 4584 { 4585 return sock_has_perm(sock->sk, SOCKET__READ); 4586 } 4587 4588 static int selinux_socket_getsockname(struct socket *sock) 4589 { 4590 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4591 } 4592 4593 static int selinux_socket_getpeername(struct socket *sock) 4594 { 4595 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4596 } 4597 4598 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4599 { 4600 int err; 4601 4602 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 4603 if (err) 4604 return err; 4605 4606 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4607 } 4608 4609 static int selinux_socket_getsockopt(struct socket *sock, int level, 4610 int optname) 4611 { 4612 return sock_has_perm(sock->sk, SOCKET__GETOPT); 4613 } 4614 4615 static int selinux_socket_shutdown(struct socket *sock, int how) 4616 { 4617 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 4618 } 4619 4620 static int selinux_socket_unix_stream_connect(struct sock *sock, 4621 struct sock *other, 4622 struct sock *newsk) 4623 { 4624 struct sk_security_struct *sksec_sock = sock->sk_security; 4625 struct sk_security_struct *sksec_other = other->sk_security; 4626 struct sk_security_struct *sksec_new = newsk->sk_security; 4627 struct common_audit_data ad; 4628 struct lsm_network_audit net = {0,}; 4629 int err; 4630 4631 ad.type = LSM_AUDIT_DATA_NET; 4632 ad.u.net = &net; 4633 ad.u.net->sk = other; 4634 4635 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4636 sksec_other->sclass, 4637 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4638 if (err) 4639 return err; 4640 4641 /* server child socket */ 4642 sksec_new->peer_sid = sksec_sock->sid; 4643 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, 4644 &sksec_new->sid); 4645 if (err) 4646 return err; 4647 4648 /* connecting socket */ 4649 sksec_sock->peer_sid = sksec_new->sid; 4650 4651 return 0; 4652 } 4653 4654 static int selinux_socket_unix_may_send(struct socket *sock, 4655 struct socket *other) 4656 { 4657 struct sk_security_struct *ssec = sock->sk->sk_security; 4658 struct sk_security_struct *osec = other->sk->sk_security; 4659 struct common_audit_data ad; 4660 struct lsm_network_audit net = {0,}; 4661 4662 ad.type = LSM_AUDIT_DATA_NET; 4663 ad.u.net = &net; 4664 ad.u.net->sk = other->sk; 4665 4666 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4667 &ad); 4668 } 4669 4670 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4671 char *addrp, u16 family, u32 peer_sid, 4672 struct common_audit_data *ad) 4673 { 4674 int err; 4675 u32 if_sid; 4676 u32 node_sid; 4677 4678 err = sel_netif_sid(ns, ifindex, &if_sid); 4679 if (err) 4680 return err; 4681 err = avc_has_perm(peer_sid, if_sid, 4682 SECCLASS_NETIF, NETIF__INGRESS, ad); 4683 if (err) 4684 return err; 4685 4686 err = sel_netnode_sid(addrp, family, &node_sid); 4687 if (err) 4688 return err; 4689 return avc_has_perm(peer_sid, node_sid, 4690 SECCLASS_NODE, NODE__RECVFROM, ad); 4691 } 4692 4693 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4694 u16 family) 4695 { 4696 int err = 0; 4697 struct sk_security_struct *sksec = sk->sk_security; 4698 u32 sk_sid = sksec->sid; 4699 struct common_audit_data ad; 4700 struct lsm_network_audit net = {0,}; 4701 char *addrp; 4702 4703 ad.type = LSM_AUDIT_DATA_NET; 4704 ad.u.net = &net; 4705 ad.u.net->netif = skb->skb_iif; 4706 ad.u.net->family = family; 4707 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4708 if (err) 4709 return err; 4710 4711 if (selinux_secmark_enabled()) { 4712 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4713 PACKET__RECV, &ad); 4714 if (err) 4715 return err; 4716 } 4717 4718 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4719 if (err) 4720 return err; 4721 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4722 4723 return err; 4724 } 4725 4726 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4727 { 4728 int err; 4729 struct sk_security_struct *sksec = sk->sk_security; 4730 u16 family = sk->sk_family; 4731 u32 sk_sid = sksec->sid; 4732 struct common_audit_data ad; 4733 struct lsm_network_audit net = {0,}; 4734 char *addrp; 4735 u8 secmark_active; 4736 u8 peerlbl_active; 4737 4738 if (family != PF_INET && family != PF_INET6) 4739 return 0; 4740 4741 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 4742 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4743 family = PF_INET; 4744 4745 /* If any sort of compatibility mode is enabled then handoff processing 4746 * to the selinux_sock_rcv_skb_compat() function to deal with the 4747 * special handling. We do this in an attempt to keep this function 4748 * as fast and as clean as possible. */ 4749 if (!selinux_policycap_netpeer) 4750 return selinux_sock_rcv_skb_compat(sk, skb, family); 4751 4752 secmark_active = selinux_secmark_enabled(); 4753 peerlbl_active = selinux_peerlbl_enabled(); 4754 if (!secmark_active && !peerlbl_active) 4755 return 0; 4756 4757 ad.type = LSM_AUDIT_DATA_NET; 4758 ad.u.net = &net; 4759 ad.u.net->netif = skb->skb_iif; 4760 ad.u.net->family = family; 4761 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4762 if (err) 4763 return err; 4764 4765 if (peerlbl_active) { 4766 u32 peer_sid; 4767 4768 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4769 if (err) 4770 return err; 4771 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 4772 addrp, family, peer_sid, &ad); 4773 if (err) { 4774 selinux_netlbl_err(skb, family, err, 0); 4775 return err; 4776 } 4777 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 4778 PEER__RECV, &ad); 4779 if (err) { 4780 selinux_netlbl_err(skb, family, err, 0); 4781 return err; 4782 } 4783 } 4784 4785 if (secmark_active) { 4786 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4787 PACKET__RECV, &ad); 4788 if (err) 4789 return err; 4790 } 4791 4792 return err; 4793 } 4794 4795 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4796 int __user *optlen, unsigned len) 4797 { 4798 int err = 0; 4799 char *scontext; 4800 u32 scontext_len; 4801 struct sk_security_struct *sksec = sock->sk->sk_security; 4802 u32 peer_sid = SECSID_NULL; 4803 4804 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4805 sksec->sclass == SECCLASS_TCP_SOCKET) 4806 peer_sid = sksec->peer_sid; 4807 if (peer_sid == SECSID_NULL) 4808 return -ENOPROTOOPT; 4809 4810 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 4811 if (err) 4812 return err; 4813 4814 if (scontext_len > len) { 4815 err = -ERANGE; 4816 goto out_len; 4817 } 4818 4819 if (copy_to_user(optval, scontext, scontext_len)) 4820 err = -EFAULT; 4821 4822 out_len: 4823 if (put_user(scontext_len, optlen)) 4824 err = -EFAULT; 4825 kfree(scontext); 4826 return err; 4827 } 4828 4829 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4830 { 4831 u32 peer_secid = SECSID_NULL; 4832 u16 family; 4833 struct inode_security_struct *isec; 4834 4835 if (skb && skb->protocol == htons(ETH_P_IP)) 4836 family = PF_INET; 4837 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 4838 family = PF_INET6; 4839 else if (sock) 4840 family = sock->sk->sk_family; 4841 else 4842 goto out; 4843 4844 if (sock && family == PF_UNIX) { 4845 isec = inode_security_novalidate(SOCK_INODE(sock)); 4846 peer_secid = isec->sid; 4847 } else if (skb) 4848 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4849 4850 out: 4851 *secid = peer_secid; 4852 if (peer_secid == SECSID_NULL) 4853 return -EINVAL; 4854 return 0; 4855 } 4856 4857 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4858 { 4859 struct sk_security_struct *sksec; 4860 4861 sksec = kzalloc(sizeof(*sksec), priority); 4862 if (!sksec) 4863 return -ENOMEM; 4864 4865 sksec->peer_sid = SECINITSID_UNLABELED; 4866 sksec->sid = SECINITSID_UNLABELED; 4867 sksec->sclass = SECCLASS_SOCKET; 4868 selinux_netlbl_sk_security_reset(sksec); 4869 sk->sk_security = sksec; 4870 4871 return 0; 4872 } 4873 4874 static void selinux_sk_free_security(struct sock *sk) 4875 { 4876 struct sk_security_struct *sksec = sk->sk_security; 4877 4878 sk->sk_security = NULL; 4879 selinux_netlbl_sk_security_free(sksec); 4880 kfree(sksec); 4881 } 4882 4883 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4884 { 4885 struct sk_security_struct *sksec = sk->sk_security; 4886 struct sk_security_struct *newsksec = newsk->sk_security; 4887 4888 newsksec->sid = sksec->sid; 4889 newsksec->peer_sid = sksec->peer_sid; 4890 newsksec->sclass = sksec->sclass; 4891 4892 selinux_netlbl_sk_security_reset(newsksec); 4893 } 4894 4895 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4896 { 4897 if (!sk) 4898 *secid = SECINITSID_ANY_SOCKET; 4899 else { 4900 struct sk_security_struct *sksec = sk->sk_security; 4901 4902 *secid = sksec->sid; 4903 } 4904 } 4905 4906 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 4907 { 4908 struct inode_security_struct *isec = 4909 inode_security_novalidate(SOCK_INODE(parent)); 4910 struct sk_security_struct *sksec = sk->sk_security; 4911 4912 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 4913 sk->sk_family == PF_UNIX) 4914 isec->sid = sksec->sid; 4915 sksec->sclass = isec->sclass; 4916 } 4917 4918 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4919 struct request_sock *req) 4920 { 4921 struct sk_security_struct *sksec = sk->sk_security; 4922 int err; 4923 u16 family = req->rsk_ops->family; 4924 u32 connsid; 4925 u32 peersid; 4926 4927 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 4928 if (err) 4929 return err; 4930 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 4931 if (err) 4932 return err; 4933 req->secid = connsid; 4934 req->peer_secid = peersid; 4935 4936 return selinux_netlbl_inet_conn_request(req, family); 4937 } 4938 4939 static void selinux_inet_csk_clone(struct sock *newsk, 4940 const struct request_sock *req) 4941 { 4942 struct sk_security_struct *newsksec = newsk->sk_security; 4943 4944 newsksec->sid = req->secid; 4945 newsksec->peer_sid = req->peer_secid; 4946 /* NOTE: Ideally, we should also get the isec->sid for the 4947 new socket in sync, but we don't have the isec available yet. 4948 So we will wait until sock_graft to do it, by which 4949 time it will have been created and available. */ 4950 4951 /* We don't need to take any sort of lock here as we are the only 4952 * thread with access to newsksec */ 4953 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 4954 } 4955 4956 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 4957 { 4958 u16 family = sk->sk_family; 4959 struct sk_security_struct *sksec = sk->sk_security; 4960 4961 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4962 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4963 family = PF_INET; 4964 4965 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 4966 } 4967 4968 static int selinux_secmark_relabel_packet(u32 sid) 4969 { 4970 const struct task_security_struct *__tsec; 4971 u32 tsid; 4972 4973 __tsec = current_security(); 4974 tsid = __tsec->sid; 4975 4976 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); 4977 } 4978 4979 static void selinux_secmark_refcount_inc(void) 4980 { 4981 atomic_inc(&selinux_secmark_refcount); 4982 } 4983 4984 static void selinux_secmark_refcount_dec(void) 4985 { 4986 atomic_dec(&selinux_secmark_refcount); 4987 } 4988 4989 static void selinux_req_classify_flow(const struct request_sock *req, 4990 struct flowi *fl) 4991 { 4992 fl->flowi_secid = req->secid; 4993 } 4994 4995 static int selinux_tun_dev_alloc_security(void **security) 4996 { 4997 struct tun_security_struct *tunsec; 4998 4999 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5000 if (!tunsec) 5001 return -ENOMEM; 5002 tunsec->sid = current_sid(); 5003 5004 *security = tunsec; 5005 return 0; 5006 } 5007 5008 static void selinux_tun_dev_free_security(void *security) 5009 { 5010 kfree(security); 5011 } 5012 5013 static int selinux_tun_dev_create(void) 5014 { 5015 u32 sid = current_sid(); 5016 5017 /* we aren't taking into account the "sockcreate" SID since the socket 5018 * that is being created here is not a socket in the traditional sense, 5019 * instead it is a private sock, accessible only to the kernel, and 5020 * representing a wide range of network traffic spanning multiple 5021 * connections unlike traditional sockets - check the TUN driver to 5022 * get a better understanding of why this socket is special */ 5023 5024 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5025 NULL); 5026 } 5027 5028 static int selinux_tun_dev_attach_queue(void *security) 5029 { 5030 struct tun_security_struct *tunsec = security; 5031 5032 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5033 TUN_SOCKET__ATTACH_QUEUE, NULL); 5034 } 5035 5036 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5037 { 5038 struct tun_security_struct *tunsec = security; 5039 struct sk_security_struct *sksec = sk->sk_security; 5040 5041 /* we don't currently perform any NetLabel based labeling here and it 5042 * isn't clear that we would want to do so anyway; while we could apply 5043 * labeling without the support of the TUN user the resulting labeled 5044 * traffic from the other end of the connection would almost certainly 5045 * cause confusion to the TUN user that had no idea network labeling 5046 * protocols were being used */ 5047 5048 sksec->sid = tunsec->sid; 5049 sksec->sclass = SECCLASS_TUN_SOCKET; 5050 5051 return 0; 5052 } 5053 5054 static int selinux_tun_dev_open(void *security) 5055 { 5056 struct tun_security_struct *tunsec = security; 5057 u32 sid = current_sid(); 5058 int err; 5059 5060 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5061 TUN_SOCKET__RELABELFROM, NULL); 5062 if (err) 5063 return err; 5064 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 5065 TUN_SOCKET__RELABELTO, NULL); 5066 if (err) 5067 return err; 5068 tunsec->sid = sid; 5069 5070 return 0; 5071 } 5072 5073 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 5074 { 5075 int err = 0; 5076 u32 perm; 5077 struct nlmsghdr *nlh; 5078 struct sk_security_struct *sksec = sk->sk_security; 5079 5080 if (skb->len < NLMSG_HDRLEN) { 5081 err = -EINVAL; 5082 goto out; 5083 } 5084 nlh = nlmsg_hdr(skb); 5085 5086 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 5087 if (err) { 5088 if (err == -EINVAL) { 5089 pr_warn_ratelimited("SELinux: unrecognized netlink" 5090 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 5091 " pig=%d comm=%s\n", 5092 sk->sk_protocol, nlh->nlmsg_type, 5093 secclass_map[sksec->sclass - 1].name, 5094 task_pid_nr(current), current->comm); 5095 if (!selinux_enforcing || security_get_allow_unknown()) 5096 err = 0; 5097 } 5098 5099 /* Ignore */ 5100 if (err == -ENOENT) 5101 err = 0; 5102 goto out; 5103 } 5104 5105 err = sock_has_perm(sk, perm); 5106 out: 5107 return err; 5108 } 5109 5110 #ifdef CONFIG_NETFILTER 5111 5112 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5113 const struct net_device *indev, 5114 u16 family) 5115 { 5116 int err; 5117 char *addrp; 5118 u32 peer_sid; 5119 struct common_audit_data ad; 5120 struct lsm_network_audit net = {0,}; 5121 u8 secmark_active; 5122 u8 netlbl_active; 5123 u8 peerlbl_active; 5124 5125 if (!selinux_policycap_netpeer) 5126 return NF_ACCEPT; 5127 5128 secmark_active = selinux_secmark_enabled(); 5129 netlbl_active = netlbl_enabled(); 5130 peerlbl_active = selinux_peerlbl_enabled(); 5131 if (!secmark_active && !peerlbl_active) 5132 return NF_ACCEPT; 5133 5134 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5135 return NF_DROP; 5136 5137 ad.type = LSM_AUDIT_DATA_NET; 5138 ad.u.net = &net; 5139 ad.u.net->netif = indev->ifindex; 5140 ad.u.net->family = family; 5141 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5142 return NF_DROP; 5143 5144 if (peerlbl_active) { 5145 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5146 addrp, family, peer_sid, &ad); 5147 if (err) { 5148 selinux_netlbl_err(skb, family, err, 1); 5149 return NF_DROP; 5150 } 5151 } 5152 5153 if (secmark_active) 5154 if (avc_has_perm(peer_sid, skb->secmark, 5155 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5156 return NF_DROP; 5157 5158 if (netlbl_active) 5159 /* we do this in the FORWARD path and not the POST_ROUTING 5160 * path because we want to make sure we apply the necessary 5161 * labeling before IPsec is applied so we can leverage AH 5162 * protection */ 5163 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5164 return NF_DROP; 5165 5166 return NF_ACCEPT; 5167 } 5168 5169 static unsigned int selinux_ipv4_forward(void *priv, 5170 struct sk_buff *skb, 5171 const struct nf_hook_state *state) 5172 { 5173 return selinux_ip_forward(skb, state->in, PF_INET); 5174 } 5175 5176 #if IS_ENABLED(CONFIG_IPV6) 5177 static unsigned int selinux_ipv6_forward(void *priv, 5178 struct sk_buff *skb, 5179 const struct nf_hook_state *state) 5180 { 5181 return selinux_ip_forward(skb, state->in, PF_INET6); 5182 } 5183 #endif /* IPV6 */ 5184 5185 static unsigned int selinux_ip_output(struct sk_buff *skb, 5186 u16 family) 5187 { 5188 struct sock *sk; 5189 u32 sid; 5190 5191 if (!netlbl_enabled()) 5192 return NF_ACCEPT; 5193 5194 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5195 * because we want to make sure we apply the necessary labeling 5196 * before IPsec is applied so we can leverage AH protection */ 5197 sk = skb->sk; 5198 if (sk) { 5199 struct sk_security_struct *sksec; 5200 5201 if (sk_listener(sk)) 5202 /* if the socket is the listening state then this 5203 * packet is a SYN-ACK packet which means it needs to 5204 * be labeled based on the connection/request_sock and 5205 * not the parent socket. unfortunately, we can't 5206 * lookup the request_sock yet as it isn't queued on 5207 * the parent socket until after the SYN-ACK is sent. 5208 * the "solution" is to simply pass the packet as-is 5209 * as any IP option based labeling should be copied 5210 * from the initial connection request (in the IP 5211 * layer). it is far from ideal, but until we get a 5212 * security label in the packet itself this is the 5213 * best we can do. */ 5214 return NF_ACCEPT; 5215 5216 /* standard practice, label using the parent socket */ 5217 sksec = sk->sk_security; 5218 sid = sksec->sid; 5219 } else 5220 sid = SECINITSID_KERNEL; 5221 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5222 return NF_DROP; 5223 5224 return NF_ACCEPT; 5225 } 5226 5227 static unsigned int selinux_ipv4_output(void *priv, 5228 struct sk_buff *skb, 5229 const struct nf_hook_state *state) 5230 { 5231 return selinux_ip_output(skb, PF_INET); 5232 } 5233 5234 #if IS_ENABLED(CONFIG_IPV6) 5235 static unsigned int selinux_ipv6_output(void *priv, 5236 struct sk_buff *skb, 5237 const struct nf_hook_state *state) 5238 { 5239 return selinux_ip_output(skb, PF_INET6); 5240 } 5241 #endif /* IPV6 */ 5242 5243 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5244 int ifindex, 5245 u16 family) 5246 { 5247 struct sock *sk = skb_to_full_sk(skb); 5248 struct sk_security_struct *sksec; 5249 struct common_audit_data ad; 5250 struct lsm_network_audit net = {0,}; 5251 char *addrp; 5252 u8 proto; 5253 5254 if (sk == NULL) 5255 return NF_ACCEPT; 5256 sksec = sk->sk_security; 5257 5258 ad.type = LSM_AUDIT_DATA_NET; 5259 ad.u.net = &net; 5260 ad.u.net->netif = ifindex; 5261 ad.u.net->family = family; 5262 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5263 return NF_DROP; 5264 5265 if (selinux_secmark_enabled()) 5266 if (avc_has_perm(sksec->sid, skb->secmark, 5267 SECCLASS_PACKET, PACKET__SEND, &ad)) 5268 return NF_DROP_ERR(-ECONNREFUSED); 5269 5270 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5271 return NF_DROP_ERR(-ECONNREFUSED); 5272 5273 return NF_ACCEPT; 5274 } 5275 5276 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5277 const struct net_device *outdev, 5278 u16 family) 5279 { 5280 u32 secmark_perm; 5281 u32 peer_sid; 5282 int ifindex = outdev->ifindex; 5283 struct sock *sk; 5284 struct common_audit_data ad; 5285 struct lsm_network_audit net = {0,}; 5286 char *addrp; 5287 u8 secmark_active; 5288 u8 peerlbl_active; 5289 5290 /* If any sort of compatibility mode is enabled then handoff processing 5291 * to the selinux_ip_postroute_compat() function to deal with the 5292 * special handling. We do this in an attempt to keep this function 5293 * as fast and as clean as possible. */ 5294 if (!selinux_policycap_netpeer) 5295 return selinux_ip_postroute_compat(skb, ifindex, family); 5296 5297 secmark_active = selinux_secmark_enabled(); 5298 peerlbl_active = selinux_peerlbl_enabled(); 5299 if (!secmark_active && !peerlbl_active) 5300 return NF_ACCEPT; 5301 5302 sk = skb_to_full_sk(skb); 5303 5304 #ifdef CONFIG_XFRM 5305 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5306 * packet transformation so allow the packet to pass without any checks 5307 * since we'll have another chance to perform access control checks 5308 * when the packet is on it's final way out. 5309 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5310 * is NULL, in this case go ahead and apply access control. 5311 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5312 * TCP listening state we cannot wait until the XFRM processing 5313 * is done as we will miss out on the SA label if we do; 5314 * unfortunately, this means more work, but it is only once per 5315 * connection. */ 5316 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5317 !(sk && sk_listener(sk))) 5318 return NF_ACCEPT; 5319 #endif 5320 5321 if (sk == NULL) { 5322 /* Without an associated socket the packet is either coming 5323 * from the kernel or it is being forwarded; check the packet 5324 * to determine which and if the packet is being forwarded 5325 * query the packet directly to determine the security label. */ 5326 if (skb->skb_iif) { 5327 secmark_perm = PACKET__FORWARD_OUT; 5328 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5329 return NF_DROP; 5330 } else { 5331 secmark_perm = PACKET__SEND; 5332 peer_sid = SECINITSID_KERNEL; 5333 } 5334 } else if (sk_listener(sk)) { 5335 /* Locally generated packet but the associated socket is in the 5336 * listening state which means this is a SYN-ACK packet. In 5337 * this particular case the correct security label is assigned 5338 * to the connection/request_sock but unfortunately we can't 5339 * query the request_sock as it isn't queued on the parent 5340 * socket until after the SYN-ACK packet is sent; the only 5341 * viable choice is to regenerate the label like we do in 5342 * selinux_inet_conn_request(). See also selinux_ip_output() 5343 * for similar problems. */ 5344 u32 skb_sid; 5345 struct sk_security_struct *sksec; 5346 5347 sksec = sk->sk_security; 5348 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5349 return NF_DROP; 5350 /* At this point, if the returned skb peerlbl is SECSID_NULL 5351 * and the packet has been through at least one XFRM 5352 * transformation then we must be dealing with the "final" 5353 * form of labeled IPsec packet; since we've already applied 5354 * all of our access controls on this packet we can safely 5355 * pass the packet. */ 5356 if (skb_sid == SECSID_NULL) { 5357 switch (family) { 5358 case PF_INET: 5359 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5360 return NF_ACCEPT; 5361 break; 5362 case PF_INET6: 5363 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5364 return NF_ACCEPT; 5365 break; 5366 default: 5367 return NF_DROP_ERR(-ECONNREFUSED); 5368 } 5369 } 5370 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5371 return NF_DROP; 5372 secmark_perm = PACKET__SEND; 5373 } else { 5374 /* Locally generated packet, fetch the security label from the 5375 * associated socket. */ 5376 struct sk_security_struct *sksec = sk->sk_security; 5377 peer_sid = sksec->sid; 5378 secmark_perm = PACKET__SEND; 5379 } 5380 5381 ad.type = LSM_AUDIT_DATA_NET; 5382 ad.u.net = &net; 5383 ad.u.net->netif = ifindex; 5384 ad.u.net->family = family; 5385 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5386 return NF_DROP; 5387 5388 if (secmark_active) 5389 if (avc_has_perm(peer_sid, skb->secmark, 5390 SECCLASS_PACKET, secmark_perm, &ad)) 5391 return NF_DROP_ERR(-ECONNREFUSED); 5392 5393 if (peerlbl_active) { 5394 u32 if_sid; 5395 u32 node_sid; 5396 5397 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5398 return NF_DROP; 5399 if (avc_has_perm(peer_sid, if_sid, 5400 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5401 return NF_DROP_ERR(-ECONNREFUSED); 5402 5403 if (sel_netnode_sid(addrp, family, &node_sid)) 5404 return NF_DROP; 5405 if (avc_has_perm(peer_sid, node_sid, 5406 SECCLASS_NODE, NODE__SENDTO, &ad)) 5407 return NF_DROP_ERR(-ECONNREFUSED); 5408 } 5409 5410 return NF_ACCEPT; 5411 } 5412 5413 static unsigned int selinux_ipv4_postroute(void *priv, 5414 struct sk_buff *skb, 5415 const struct nf_hook_state *state) 5416 { 5417 return selinux_ip_postroute(skb, state->out, PF_INET); 5418 } 5419 5420 #if IS_ENABLED(CONFIG_IPV6) 5421 static unsigned int selinux_ipv6_postroute(void *priv, 5422 struct sk_buff *skb, 5423 const struct nf_hook_state *state) 5424 { 5425 return selinux_ip_postroute(skb, state->out, PF_INET6); 5426 } 5427 #endif /* IPV6 */ 5428 5429 #endif /* CONFIG_NETFILTER */ 5430 5431 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5432 { 5433 return selinux_nlmsg_perm(sk, skb); 5434 } 5435 5436 static int ipc_alloc_security(struct kern_ipc_perm *perm, 5437 u16 sclass) 5438 { 5439 struct ipc_security_struct *isec; 5440 5441 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 5442 if (!isec) 5443 return -ENOMEM; 5444 5445 isec->sclass = sclass; 5446 isec->sid = current_sid(); 5447 perm->security = isec; 5448 5449 return 0; 5450 } 5451 5452 static void ipc_free_security(struct kern_ipc_perm *perm) 5453 { 5454 struct ipc_security_struct *isec = perm->security; 5455 perm->security = NULL; 5456 kfree(isec); 5457 } 5458 5459 static int msg_msg_alloc_security(struct msg_msg *msg) 5460 { 5461 struct msg_security_struct *msec; 5462 5463 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 5464 if (!msec) 5465 return -ENOMEM; 5466 5467 msec->sid = SECINITSID_UNLABELED; 5468 msg->security = msec; 5469 5470 return 0; 5471 } 5472 5473 static void msg_msg_free_security(struct msg_msg *msg) 5474 { 5475 struct msg_security_struct *msec = msg->security; 5476 5477 msg->security = NULL; 5478 kfree(msec); 5479 } 5480 5481 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5482 u32 perms) 5483 { 5484 struct ipc_security_struct *isec; 5485 struct common_audit_data ad; 5486 u32 sid = current_sid(); 5487 5488 isec = ipc_perms->security; 5489 5490 ad.type = LSM_AUDIT_DATA_IPC; 5491 ad.u.ipc_id = ipc_perms->key; 5492 5493 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 5494 } 5495 5496 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5497 { 5498 return msg_msg_alloc_security(msg); 5499 } 5500 5501 static void selinux_msg_msg_free_security(struct msg_msg *msg) 5502 { 5503 msg_msg_free_security(msg); 5504 } 5505 5506 /* message queue security operations */ 5507 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 5508 { 5509 struct ipc_security_struct *isec; 5510 struct common_audit_data ad; 5511 u32 sid = current_sid(); 5512 int rc; 5513 5514 rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ); 5515 if (rc) 5516 return rc; 5517 5518 isec = msq->q_perm.security; 5519 5520 ad.type = LSM_AUDIT_DATA_IPC; 5521 ad.u.ipc_id = msq->q_perm.key; 5522 5523 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5524 MSGQ__CREATE, &ad); 5525 if (rc) { 5526 ipc_free_security(&msq->q_perm); 5527 return rc; 5528 } 5529 return 0; 5530 } 5531 5532 static void selinux_msg_queue_free_security(struct msg_queue *msq) 5533 { 5534 ipc_free_security(&msq->q_perm); 5535 } 5536 5537 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 5538 { 5539 struct ipc_security_struct *isec; 5540 struct common_audit_data ad; 5541 u32 sid = current_sid(); 5542 5543 isec = msq->q_perm.security; 5544 5545 ad.type = LSM_AUDIT_DATA_IPC; 5546 ad.u.ipc_id = msq->q_perm.key; 5547 5548 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5549 MSGQ__ASSOCIATE, &ad); 5550 } 5551 5552 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 5553 { 5554 int err; 5555 int perms; 5556 5557 switch (cmd) { 5558 case IPC_INFO: 5559 case MSG_INFO: 5560 /* No specific object, just general system-wide information. */ 5561 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 5562 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5563 case IPC_STAT: 5564 case MSG_STAT: 5565 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 5566 break; 5567 case IPC_SET: 5568 perms = MSGQ__SETATTR; 5569 break; 5570 case IPC_RMID: 5571 perms = MSGQ__DESTROY; 5572 break; 5573 default: 5574 return 0; 5575 } 5576 5577 err = ipc_has_perm(&msq->q_perm, perms); 5578 return err; 5579 } 5580 5581 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 5582 { 5583 struct ipc_security_struct *isec; 5584 struct msg_security_struct *msec; 5585 struct common_audit_data ad; 5586 u32 sid = current_sid(); 5587 int rc; 5588 5589 isec = msq->q_perm.security; 5590 msec = msg->security; 5591 5592 /* 5593 * First time through, need to assign label to the message 5594 */ 5595 if (msec->sid == SECINITSID_UNLABELED) { 5596 /* 5597 * Compute new sid based on current process and 5598 * message queue this message will be stored in 5599 */ 5600 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, 5601 NULL, &msec->sid); 5602 if (rc) 5603 return rc; 5604 } 5605 5606 ad.type = LSM_AUDIT_DATA_IPC; 5607 ad.u.ipc_id = msq->q_perm.key; 5608 5609 /* Can this process write to the queue? */ 5610 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5611 MSGQ__WRITE, &ad); 5612 if (!rc) 5613 /* Can this process send the message */ 5614 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 5615 MSG__SEND, &ad); 5616 if (!rc) 5617 /* Can the message be put in the queue? */ 5618 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 5619 MSGQ__ENQUEUE, &ad); 5620 5621 return rc; 5622 } 5623 5624 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 5625 struct task_struct *target, 5626 long type, int mode) 5627 { 5628 struct ipc_security_struct *isec; 5629 struct msg_security_struct *msec; 5630 struct common_audit_data ad; 5631 u32 sid = task_sid(target); 5632 int rc; 5633 5634 isec = msq->q_perm.security; 5635 msec = msg->security; 5636 5637 ad.type = LSM_AUDIT_DATA_IPC; 5638 ad.u.ipc_id = msq->q_perm.key; 5639 5640 rc = avc_has_perm(sid, isec->sid, 5641 SECCLASS_MSGQ, MSGQ__READ, &ad); 5642 if (!rc) 5643 rc = avc_has_perm(sid, msec->sid, 5644 SECCLASS_MSG, MSG__RECEIVE, &ad); 5645 return rc; 5646 } 5647 5648 /* Shared Memory security operations */ 5649 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 5650 { 5651 struct ipc_security_struct *isec; 5652 struct common_audit_data ad; 5653 u32 sid = current_sid(); 5654 int rc; 5655 5656 rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM); 5657 if (rc) 5658 return rc; 5659 5660 isec = shp->shm_perm.security; 5661 5662 ad.type = LSM_AUDIT_DATA_IPC; 5663 ad.u.ipc_id = shp->shm_perm.key; 5664 5665 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5666 SHM__CREATE, &ad); 5667 if (rc) { 5668 ipc_free_security(&shp->shm_perm); 5669 return rc; 5670 } 5671 return 0; 5672 } 5673 5674 static void selinux_shm_free_security(struct shmid_kernel *shp) 5675 { 5676 ipc_free_security(&shp->shm_perm); 5677 } 5678 5679 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 5680 { 5681 struct ipc_security_struct *isec; 5682 struct common_audit_data ad; 5683 u32 sid = current_sid(); 5684 5685 isec = shp->shm_perm.security; 5686 5687 ad.type = LSM_AUDIT_DATA_IPC; 5688 ad.u.ipc_id = shp->shm_perm.key; 5689 5690 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5691 SHM__ASSOCIATE, &ad); 5692 } 5693 5694 /* Note, at this point, shp is locked down */ 5695 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 5696 { 5697 int perms; 5698 int err; 5699 5700 switch (cmd) { 5701 case IPC_INFO: 5702 case SHM_INFO: 5703 /* No specific object, just general system-wide information. */ 5704 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 5705 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5706 case IPC_STAT: 5707 case SHM_STAT: 5708 perms = SHM__GETATTR | SHM__ASSOCIATE; 5709 break; 5710 case IPC_SET: 5711 perms = SHM__SETATTR; 5712 break; 5713 case SHM_LOCK: 5714 case SHM_UNLOCK: 5715 perms = SHM__LOCK; 5716 break; 5717 case IPC_RMID: 5718 perms = SHM__DESTROY; 5719 break; 5720 default: 5721 return 0; 5722 } 5723 5724 err = ipc_has_perm(&shp->shm_perm, perms); 5725 return err; 5726 } 5727 5728 static int selinux_shm_shmat(struct shmid_kernel *shp, 5729 char __user *shmaddr, int shmflg) 5730 { 5731 u32 perms; 5732 5733 if (shmflg & SHM_RDONLY) 5734 perms = SHM__READ; 5735 else 5736 perms = SHM__READ | SHM__WRITE; 5737 5738 return ipc_has_perm(&shp->shm_perm, perms); 5739 } 5740 5741 /* Semaphore security operations */ 5742 static int selinux_sem_alloc_security(struct sem_array *sma) 5743 { 5744 struct ipc_security_struct *isec; 5745 struct common_audit_data ad; 5746 u32 sid = current_sid(); 5747 int rc; 5748 5749 rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM); 5750 if (rc) 5751 return rc; 5752 5753 isec = sma->sem_perm.security; 5754 5755 ad.type = LSM_AUDIT_DATA_IPC; 5756 ad.u.ipc_id = sma->sem_perm.key; 5757 5758 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5759 SEM__CREATE, &ad); 5760 if (rc) { 5761 ipc_free_security(&sma->sem_perm); 5762 return rc; 5763 } 5764 return 0; 5765 } 5766 5767 static void selinux_sem_free_security(struct sem_array *sma) 5768 { 5769 ipc_free_security(&sma->sem_perm); 5770 } 5771 5772 static int selinux_sem_associate(struct sem_array *sma, int semflg) 5773 { 5774 struct ipc_security_struct *isec; 5775 struct common_audit_data ad; 5776 u32 sid = current_sid(); 5777 5778 isec = sma->sem_perm.security; 5779 5780 ad.type = LSM_AUDIT_DATA_IPC; 5781 ad.u.ipc_id = sma->sem_perm.key; 5782 5783 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5784 SEM__ASSOCIATE, &ad); 5785 } 5786 5787 /* Note, at this point, sma is locked down */ 5788 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 5789 { 5790 int err; 5791 u32 perms; 5792 5793 switch (cmd) { 5794 case IPC_INFO: 5795 case SEM_INFO: 5796 /* No specific object, just general system-wide information. */ 5797 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 5798 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5799 case GETPID: 5800 case GETNCNT: 5801 case GETZCNT: 5802 perms = SEM__GETATTR; 5803 break; 5804 case GETVAL: 5805 case GETALL: 5806 perms = SEM__READ; 5807 break; 5808 case SETVAL: 5809 case SETALL: 5810 perms = SEM__WRITE; 5811 break; 5812 case IPC_RMID: 5813 perms = SEM__DESTROY; 5814 break; 5815 case IPC_SET: 5816 perms = SEM__SETATTR; 5817 break; 5818 case IPC_STAT: 5819 case SEM_STAT: 5820 perms = SEM__GETATTR | SEM__ASSOCIATE; 5821 break; 5822 default: 5823 return 0; 5824 } 5825 5826 err = ipc_has_perm(&sma->sem_perm, perms); 5827 return err; 5828 } 5829 5830 static int selinux_sem_semop(struct sem_array *sma, 5831 struct sembuf *sops, unsigned nsops, int alter) 5832 { 5833 u32 perms; 5834 5835 if (alter) 5836 perms = SEM__READ | SEM__WRITE; 5837 else 5838 perms = SEM__READ; 5839 5840 return ipc_has_perm(&sma->sem_perm, perms); 5841 } 5842 5843 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 5844 { 5845 u32 av = 0; 5846 5847 av = 0; 5848 if (flag & S_IRUGO) 5849 av |= IPC__UNIX_READ; 5850 if (flag & S_IWUGO) 5851 av |= IPC__UNIX_WRITE; 5852 5853 if (av == 0) 5854 return 0; 5855 5856 return ipc_has_perm(ipcp, av); 5857 } 5858 5859 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 5860 { 5861 struct ipc_security_struct *isec = ipcp->security; 5862 *secid = isec->sid; 5863 } 5864 5865 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 5866 { 5867 if (inode) 5868 inode_doinit_with_dentry(inode, dentry); 5869 } 5870 5871 static int selinux_getprocattr(struct task_struct *p, 5872 char *name, char **value) 5873 { 5874 const struct task_security_struct *__tsec; 5875 u32 sid; 5876 int error; 5877 unsigned len; 5878 5879 rcu_read_lock(); 5880 __tsec = __task_cred(p)->security; 5881 5882 if (current != p) { 5883 error = avc_has_perm(current_sid(), __tsec->sid, 5884 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 5885 if (error) 5886 goto bad; 5887 } 5888 5889 if (!strcmp(name, "current")) 5890 sid = __tsec->sid; 5891 else if (!strcmp(name, "prev")) 5892 sid = __tsec->osid; 5893 else if (!strcmp(name, "exec")) 5894 sid = __tsec->exec_sid; 5895 else if (!strcmp(name, "fscreate")) 5896 sid = __tsec->create_sid; 5897 else if (!strcmp(name, "keycreate")) 5898 sid = __tsec->keycreate_sid; 5899 else if (!strcmp(name, "sockcreate")) 5900 sid = __tsec->sockcreate_sid; 5901 else { 5902 error = -EINVAL; 5903 goto bad; 5904 } 5905 rcu_read_unlock(); 5906 5907 if (!sid) 5908 return 0; 5909 5910 error = security_sid_to_context(sid, value, &len); 5911 if (error) 5912 return error; 5913 return len; 5914 5915 bad: 5916 rcu_read_unlock(); 5917 return error; 5918 } 5919 5920 static int selinux_setprocattr(const char *name, void *value, size_t size) 5921 { 5922 struct task_security_struct *tsec; 5923 struct cred *new; 5924 u32 mysid = current_sid(), sid = 0, ptsid; 5925 int error; 5926 char *str = value; 5927 5928 /* 5929 * Basic control over ability to set these attributes at all. 5930 */ 5931 if (!strcmp(name, "exec")) 5932 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5933 PROCESS__SETEXEC, NULL); 5934 else if (!strcmp(name, "fscreate")) 5935 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5936 PROCESS__SETFSCREATE, NULL); 5937 else if (!strcmp(name, "keycreate")) 5938 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5939 PROCESS__SETKEYCREATE, NULL); 5940 else if (!strcmp(name, "sockcreate")) 5941 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5942 PROCESS__SETSOCKCREATE, NULL); 5943 else if (!strcmp(name, "current")) 5944 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5945 PROCESS__SETCURRENT, NULL); 5946 else 5947 error = -EINVAL; 5948 if (error) 5949 return error; 5950 5951 /* Obtain a SID for the context, if one was specified. */ 5952 if (size && str[0] && str[0] != '\n') { 5953 if (str[size-1] == '\n') { 5954 str[size-1] = 0; 5955 size--; 5956 } 5957 error = security_context_to_sid(value, size, &sid, GFP_KERNEL); 5958 if (error == -EINVAL && !strcmp(name, "fscreate")) { 5959 if (!has_cap_mac_admin(true)) { 5960 struct audit_buffer *ab; 5961 size_t audit_size; 5962 5963 /* We strip a nul only if it is at the end, otherwise the 5964 * context contains a nul and we should audit that */ 5965 if (str[size - 1] == '\0') 5966 audit_size = size - 1; 5967 else 5968 audit_size = size; 5969 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 5970 audit_log_format(ab, "op=fscreate invalid_context="); 5971 audit_log_n_untrustedstring(ab, value, audit_size); 5972 audit_log_end(ab); 5973 5974 return error; 5975 } 5976 error = security_context_to_sid_force(value, size, 5977 &sid); 5978 } 5979 if (error) 5980 return error; 5981 } 5982 5983 new = prepare_creds(); 5984 if (!new) 5985 return -ENOMEM; 5986 5987 /* Permission checking based on the specified context is 5988 performed during the actual operation (execve, 5989 open/mkdir/...), when we know the full context of the 5990 operation. See selinux_bprm_set_creds for the execve 5991 checks and may_create for the file creation checks. The 5992 operation will then fail if the context is not permitted. */ 5993 tsec = new->security; 5994 if (!strcmp(name, "exec")) { 5995 tsec->exec_sid = sid; 5996 } else if (!strcmp(name, "fscreate")) { 5997 tsec->create_sid = sid; 5998 } else if (!strcmp(name, "keycreate")) { 5999 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE, 6000 NULL); 6001 if (error) 6002 goto abort_change; 6003 tsec->keycreate_sid = sid; 6004 } else if (!strcmp(name, "sockcreate")) { 6005 tsec->sockcreate_sid = sid; 6006 } else if (!strcmp(name, "current")) { 6007 error = -EINVAL; 6008 if (sid == 0) 6009 goto abort_change; 6010 6011 /* Only allow single threaded processes to change context */ 6012 error = -EPERM; 6013 if (!current_is_single_threaded()) { 6014 error = security_bounded_transition(tsec->sid, sid); 6015 if (error) 6016 goto abort_change; 6017 } 6018 6019 /* Check permissions for the transition. */ 6020 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 6021 PROCESS__DYNTRANSITION, NULL); 6022 if (error) 6023 goto abort_change; 6024 6025 /* Check for ptracing, and update the task SID if ok. 6026 Otherwise, leave SID unchanged and fail. */ 6027 ptsid = ptrace_parent_sid(); 6028 if (ptsid != 0) { 6029 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 6030 PROCESS__PTRACE, NULL); 6031 if (error) 6032 goto abort_change; 6033 } 6034 6035 tsec->sid = sid; 6036 } else { 6037 error = -EINVAL; 6038 goto abort_change; 6039 } 6040 6041 commit_creds(new); 6042 return size; 6043 6044 abort_change: 6045 abort_creds(new); 6046 return error; 6047 } 6048 6049 static int selinux_ismaclabel(const char *name) 6050 { 6051 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6052 } 6053 6054 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6055 { 6056 return security_sid_to_context(secid, secdata, seclen); 6057 } 6058 6059 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6060 { 6061 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL); 6062 } 6063 6064 static void selinux_release_secctx(char *secdata, u32 seclen) 6065 { 6066 kfree(secdata); 6067 } 6068 6069 static void selinux_inode_invalidate_secctx(struct inode *inode) 6070 { 6071 struct inode_security_struct *isec = inode->i_security; 6072 6073 spin_lock(&isec->lock); 6074 isec->initialized = LABEL_INVALID; 6075 spin_unlock(&isec->lock); 6076 } 6077 6078 /* 6079 * called with inode->i_mutex locked 6080 */ 6081 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6082 { 6083 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 6084 } 6085 6086 /* 6087 * called with inode->i_mutex locked 6088 */ 6089 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6090 { 6091 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 6092 } 6093 6094 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6095 { 6096 int len = 0; 6097 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 6098 ctx, true); 6099 if (len < 0) 6100 return len; 6101 *ctxlen = len; 6102 return 0; 6103 } 6104 #ifdef CONFIG_KEYS 6105 6106 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6107 unsigned long flags) 6108 { 6109 const struct task_security_struct *tsec; 6110 struct key_security_struct *ksec; 6111 6112 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6113 if (!ksec) 6114 return -ENOMEM; 6115 6116 tsec = cred->security; 6117 if (tsec->keycreate_sid) 6118 ksec->sid = tsec->keycreate_sid; 6119 else 6120 ksec->sid = tsec->sid; 6121 6122 k->security = ksec; 6123 return 0; 6124 } 6125 6126 static void selinux_key_free(struct key *k) 6127 { 6128 struct key_security_struct *ksec = k->security; 6129 6130 k->security = NULL; 6131 kfree(ksec); 6132 } 6133 6134 static int selinux_key_permission(key_ref_t key_ref, 6135 const struct cred *cred, 6136 unsigned perm) 6137 { 6138 struct key *key; 6139 struct key_security_struct *ksec; 6140 u32 sid; 6141 6142 /* if no specific permissions are requested, we skip the 6143 permission check. No serious, additional covert channels 6144 appear to be created. */ 6145 if (perm == 0) 6146 return 0; 6147 6148 sid = cred_sid(cred); 6149 6150 key = key_ref_to_ptr(key_ref); 6151 ksec = key->security; 6152 6153 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6154 } 6155 6156 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6157 { 6158 struct key_security_struct *ksec = key->security; 6159 char *context = NULL; 6160 unsigned len; 6161 int rc; 6162 6163 rc = security_sid_to_context(ksec->sid, &context, &len); 6164 if (!rc) 6165 rc = len; 6166 *_buffer = context; 6167 return rc; 6168 } 6169 #endif 6170 6171 #ifdef CONFIG_SECURITY_INFINIBAND 6172 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6173 { 6174 struct common_audit_data ad; 6175 int err; 6176 u32 sid = 0; 6177 struct ib_security_struct *sec = ib_sec; 6178 struct lsm_ibpkey_audit ibpkey; 6179 6180 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6181 if (err) 6182 return err; 6183 6184 ad.type = LSM_AUDIT_DATA_IBPKEY; 6185 ibpkey.subnet_prefix = subnet_prefix; 6186 ibpkey.pkey = pkey_val; 6187 ad.u.ibpkey = &ibpkey; 6188 return avc_has_perm(sec->sid, sid, 6189 SECCLASS_INFINIBAND_PKEY, 6190 INFINIBAND_PKEY__ACCESS, &ad); 6191 } 6192 6193 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6194 u8 port_num) 6195 { 6196 struct common_audit_data ad; 6197 int err; 6198 u32 sid = 0; 6199 struct ib_security_struct *sec = ib_sec; 6200 struct lsm_ibendport_audit ibendport; 6201 6202 err = security_ib_endport_sid(dev_name, port_num, &sid); 6203 6204 if (err) 6205 return err; 6206 6207 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6208 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6209 ibendport.port = port_num; 6210 ad.u.ibendport = &ibendport; 6211 return avc_has_perm(sec->sid, sid, 6212 SECCLASS_INFINIBAND_ENDPORT, 6213 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6214 } 6215 6216 static int selinux_ib_alloc_security(void **ib_sec) 6217 { 6218 struct ib_security_struct *sec; 6219 6220 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6221 if (!sec) 6222 return -ENOMEM; 6223 sec->sid = current_sid(); 6224 6225 *ib_sec = sec; 6226 return 0; 6227 } 6228 6229 static void selinux_ib_free_security(void *ib_sec) 6230 { 6231 kfree(ib_sec); 6232 } 6233 #endif 6234 6235 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 6236 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6237 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6238 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6239 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6240 6241 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 6242 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 6243 LSM_HOOK_INIT(capget, selinux_capget), 6244 LSM_HOOK_INIT(capset, selinux_capset), 6245 LSM_HOOK_INIT(capable, selinux_capable), 6246 LSM_HOOK_INIT(quotactl, selinux_quotactl), 6247 LSM_HOOK_INIT(quota_on, selinux_quota_on), 6248 LSM_HOOK_INIT(syslog, selinux_syslog), 6249 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6250 6251 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6252 6253 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6254 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6255 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6256 6257 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6258 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6259 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data), 6260 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6261 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6262 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6263 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 6264 LSM_HOOK_INIT(sb_mount, selinux_mount), 6265 LSM_HOOK_INIT(sb_umount, selinux_umount), 6266 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 6267 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 6268 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), 6269 6270 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 6271 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 6272 6273 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 6274 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 6275 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 6276 LSM_HOOK_INIT(inode_create, selinux_inode_create), 6277 LSM_HOOK_INIT(inode_link, selinux_inode_link), 6278 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 6279 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 6280 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 6281 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 6282 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 6283 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 6284 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 6285 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 6286 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 6287 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 6288 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 6289 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 6290 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 6291 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 6292 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 6293 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 6294 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 6295 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 6296 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 6297 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 6298 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 6299 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 6300 6301 LSM_HOOK_INIT(file_permission, selinux_file_permission), 6302 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 6303 LSM_HOOK_INIT(file_free_security, selinux_file_free_security), 6304 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 6305 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 6306 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 6307 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 6308 LSM_HOOK_INIT(file_lock, selinux_file_lock), 6309 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 6310 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 6311 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 6312 LSM_HOOK_INIT(file_receive, selinux_file_receive), 6313 6314 LSM_HOOK_INIT(file_open, selinux_file_open), 6315 6316 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 6317 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), 6318 LSM_HOOK_INIT(cred_free, selinux_cred_free), 6319 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6320 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6321 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6322 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6323 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6324 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 6325 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 6326 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 6327 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 6328 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), 6329 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 6330 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 6331 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 6332 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 6333 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 6334 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 6335 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 6336 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 6337 LSM_HOOK_INIT(task_kill, selinux_task_kill), 6338 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 6339 6340 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 6341 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 6342 6343 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 6344 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security), 6345 6346 LSM_HOOK_INIT(msg_queue_alloc_security, 6347 selinux_msg_queue_alloc_security), 6348 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security), 6349 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 6350 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 6351 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 6352 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 6353 6354 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 6355 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security), 6356 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 6357 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 6358 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 6359 6360 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 6361 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security), 6362 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 6363 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 6364 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 6365 6366 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 6367 6368 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 6369 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 6370 6371 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 6372 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 6373 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 6374 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 6375 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 6376 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 6377 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 6378 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 6379 6380 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 6381 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 6382 6383 LSM_HOOK_INIT(socket_create, selinux_socket_create), 6384 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 6385 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 6386 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 6387 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 6388 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 6389 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 6390 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 6391 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 6392 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 6393 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 6394 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 6395 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 6396 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 6397 LSM_HOOK_INIT(socket_getpeersec_stream, 6398 selinux_socket_getpeersec_stream), 6399 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 6400 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 6401 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 6402 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 6403 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 6404 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 6405 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 6406 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 6407 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 6408 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 6409 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 6410 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 6411 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 6412 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 6413 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 6414 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 6415 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 6416 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 6417 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 6418 #ifdef CONFIG_SECURITY_INFINIBAND 6419 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 6420 LSM_HOOK_INIT(ib_endport_manage_subnet, 6421 selinux_ib_endport_manage_subnet), 6422 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 6423 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 6424 #endif 6425 #ifdef CONFIG_SECURITY_NETWORK_XFRM 6426 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 6427 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 6428 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 6429 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 6430 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 6431 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 6432 selinux_xfrm_state_alloc_acquire), 6433 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 6434 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 6435 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 6436 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 6437 selinux_xfrm_state_pol_flow_match), 6438 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 6439 #endif 6440 6441 #ifdef CONFIG_KEYS 6442 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 6443 LSM_HOOK_INIT(key_free, selinux_key_free), 6444 LSM_HOOK_INIT(key_permission, selinux_key_permission), 6445 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 6446 #endif 6447 6448 #ifdef CONFIG_AUDIT 6449 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 6450 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 6451 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 6452 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 6453 #endif 6454 }; 6455 6456 static __init int selinux_init(void) 6457 { 6458 if (!security_module_enable("selinux")) { 6459 selinux_enabled = 0; 6460 return 0; 6461 } 6462 6463 if (!selinux_enabled) { 6464 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 6465 return 0; 6466 } 6467 6468 printk(KERN_INFO "SELinux: Initializing.\n"); 6469 6470 /* Set the security state for the initial task. */ 6471 cred_init_security(); 6472 6473 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 6474 6475 sel_inode_cache = kmem_cache_create("selinux_inode_security", 6476 sizeof(struct inode_security_struct), 6477 0, SLAB_PANIC, NULL); 6478 file_security_cache = kmem_cache_create("selinux_file_security", 6479 sizeof(struct file_security_struct), 6480 0, SLAB_PANIC, NULL); 6481 avc_init(); 6482 6483 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 6484 6485 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 6486 panic("SELinux: Unable to register AVC netcache callback\n"); 6487 6488 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 6489 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 6490 6491 if (selinux_enforcing) 6492 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 6493 else 6494 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 6495 6496 return 0; 6497 } 6498 6499 static void delayed_superblock_init(struct super_block *sb, void *unused) 6500 { 6501 superblock_doinit(sb, NULL); 6502 } 6503 6504 void selinux_complete_init(void) 6505 { 6506 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 6507 6508 /* Set up any superblocks initialized prior to the policy load. */ 6509 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 6510 iterate_supers(delayed_superblock_init, NULL); 6511 } 6512 6513 /* SELinux requires early initialization in order to label 6514 all processes and objects when they are created. */ 6515 security_initcall(selinux_init); 6516 6517 #if defined(CONFIG_NETFILTER) 6518 6519 static struct nf_hook_ops selinux_nf_ops[] = { 6520 { 6521 .hook = selinux_ipv4_postroute, 6522 .pf = NFPROTO_IPV4, 6523 .hooknum = NF_INET_POST_ROUTING, 6524 .priority = NF_IP_PRI_SELINUX_LAST, 6525 }, 6526 { 6527 .hook = selinux_ipv4_forward, 6528 .pf = NFPROTO_IPV4, 6529 .hooknum = NF_INET_FORWARD, 6530 .priority = NF_IP_PRI_SELINUX_FIRST, 6531 }, 6532 { 6533 .hook = selinux_ipv4_output, 6534 .pf = NFPROTO_IPV4, 6535 .hooknum = NF_INET_LOCAL_OUT, 6536 .priority = NF_IP_PRI_SELINUX_FIRST, 6537 }, 6538 #if IS_ENABLED(CONFIG_IPV6) 6539 { 6540 .hook = selinux_ipv6_postroute, 6541 .pf = NFPROTO_IPV6, 6542 .hooknum = NF_INET_POST_ROUTING, 6543 .priority = NF_IP6_PRI_SELINUX_LAST, 6544 }, 6545 { 6546 .hook = selinux_ipv6_forward, 6547 .pf = NFPROTO_IPV6, 6548 .hooknum = NF_INET_FORWARD, 6549 .priority = NF_IP6_PRI_SELINUX_FIRST, 6550 }, 6551 { 6552 .hook = selinux_ipv6_output, 6553 .pf = NFPROTO_IPV6, 6554 .hooknum = NF_INET_LOCAL_OUT, 6555 .priority = NF_IP6_PRI_SELINUX_FIRST, 6556 }, 6557 #endif /* IPV6 */ 6558 }; 6559 6560 static int __net_init selinux_nf_register(struct net *net) 6561 { 6562 return nf_register_net_hooks(net, selinux_nf_ops, 6563 ARRAY_SIZE(selinux_nf_ops)); 6564 } 6565 6566 static void __net_exit selinux_nf_unregister(struct net *net) 6567 { 6568 nf_unregister_net_hooks(net, selinux_nf_ops, 6569 ARRAY_SIZE(selinux_nf_ops)); 6570 } 6571 6572 static struct pernet_operations selinux_net_ops = { 6573 .init = selinux_nf_register, 6574 .exit = selinux_nf_unregister, 6575 }; 6576 6577 static int __init selinux_nf_ip_init(void) 6578 { 6579 int err; 6580 6581 if (!selinux_enabled) 6582 return 0; 6583 6584 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 6585 6586 err = register_pernet_subsys(&selinux_net_ops); 6587 if (err) 6588 panic("SELinux: register_pernet_subsys: error %d\n", err); 6589 6590 return 0; 6591 } 6592 __initcall(selinux_nf_ip_init); 6593 6594 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6595 static void selinux_nf_ip_exit(void) 6596 { 6597 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 6598 6599 unregister_pernet_subsys(&selinux_net_ops); 6600 } 6601 #endif 6602 6603 #else /* CONFIG_NETFILTER */ 6604 6605 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6606 #define selinux_nf_ip_exit() 6607 #endif 6608 6609 #endif /* CONFIG_NETFILTER */ 6610 6611 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6612 static int selinux_disabled; 6613 6614 int selinux_disable(void) 6615 { 6616 if (ss_initialized) { 6617 /* Not permitted after initial policy load. */ 6618 return -EINVAL; 6619 } 6620 6621 if (selinux_disabled) { 6622 /* Only do this once. */ 6623 return -EINVAL; 6624 } 6625 6626 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 6627 6628 selinux_disabled = 1; 6629 selinux_enabled = 0; 6630 6631 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 6632 6633 /* Try to destroy the avc node cache */ 6634 avc_disable(); 6635 6636 /* Unregister netfilter hooks. */ 6637 selinux_nf_ip_exit(); 6638 6639 /* Unregister selinuxfs. */ 6640 exit_sel_fs(); 6641 6642 return 0; 6643 } 6644 #endif 6645