1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * Copyright (C) 2016 Mellanox Technologies 21 * 22 * This program is free software; you can redistribute it and/or modify 23 * it under the terms of the GNU General Public License version 2, 24 * as published by the Free Software Foundation. 25 */ 26 27 #include <linux/init.h> 28 #include <linux/kd.h> 29 #include <linux/kernel.h> 30 #include <linux/tracehook.h> 31 #include <linux/errno.h> 32 #include <linux/sched/signal.h> 33 #include <linux/sched/task.h> 34 #include <linux/lsm_hooks.h> 35 #include <linux/xattr.h> 36 #include <linux/capability.h> 37 #include <linux/unistd.h> 38 #include <linux/mm.h> 39 #include <linux/mman.h> 40 #include <linux/slab.h> 41 #include <linux/pagemap.h> 42 #include <linux/proc_fs.h> 43 #include <linux/swap.h> 44 #include <linux/spinlock.h> 45 #include <linux/syscalls.h> 46 #include <linux/dcache.h> 47 #include <linux/file.h> 48 #include <linux/fdtable.h> 49 #include <linux/namei.h> 50 #include <linux/mount.h> 51 #include <linux/netfilter_ipv4.h> 52 #include <linux/netfilter_ipv6.h> 53 #include <linux/tty.h> 54 #include <net/icmp.h> 55 #include <net/ip.h> /* for local_port_range[] */ 56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 57 #include <net/inet_connection_sock.h> 58 #include <net/net_namespace.h> 59 #include <net/netlabel.h> 60 #include <linux/uaccess.h> 61 #include <asm/ioctls.h> 62 #include <linux/atomic.h> 63 #include <linux/bitops.h> 64 #include <linux/interrupt.h> 65 #include <linux/netdevice.h> /* for network interface checks */ 66 #include <net/netlink.h> 67 #include <linux/tcp.h> 68 #include <linux/udp.h> 69 #include <linux/dccp.h> 70 #include <linux/quota.h> 71 #include <linux/un.h> /* for Unix socket types */ 72 #include <net/af_unix.h> /* for Unix socket types */ 73 #include <linux/parser.h> 74 #include <linux/nfs_mount.h> 75 #include <net/ipv6.h> 76 #include <linux/hugetlb.h> 77 #include <linux/personality.h> 78 #include <linux/audit.h> 79 #include <linux/string.h> 80 #include <linux/selinux.h> 81 #include <linux/mutex.h> 82 #include <linux/posix-timers.h> 83 #include <linux/syslog.h> 84 #include <linux/user_namespace.h> 85 #include <linux/export.h> 86 #include <linux/msg.h> 87 #include <linux/shm.h> 88 #include <linux/bpf.h> 89 90 #include "avc.h" 91 #include "objsec.h" 92 #include "netif.h" 93 #include "netnode.h" 94 #include "netport.h" 95 #include "ibpkey.h" 96 #include "xfrm.h" 97 #include "netlabel.h" 98 #include "audit.h" 99 #include "avc_ss.h" 100 101 /* SECMARK reference count */ 102 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 103 104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 105 int selinux_enforcing; 106 107 static int __init enforcing_setup(char *str) 108 { 109 unsigned long enforcing; 110 if (!kstrtoul(str, 0, &enforcing)) 111 selinux_enforcing = enforcing ? 1 : 0; 112 return 1; 113 } 114 __setup("enforcing=", enforcing_setup); 115 #endif 116 117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 118 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 119 120 static int __init selinux_enabled_setup(char *str) 121 { 122 unsigned long enabled; 123 if (!kstrtoul(str, 0, &enabled)) 124 selinux_enabled = enabled ? 1 : 0; 125 return 1; 126 } 127 __setup("selinux=", selinux_enabled_setup); 128 #else 129 int selinux_enabled = 1; 130 #endif 131 132 static struct kmem_cache *sel_inode_cache; 133 static struct kmem_cache *file_security_cache; 134 135 /** 136 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 137 * 138 * Description: 139 * This function checks the SECMARK reference counter to see if any SECMARK 140 * targets are currently configured, if the reference counter is greater than 141 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 142 * enabled, false (0) if SECMARK is disabled. If the always_check_network 143 * policy capability is enabled, SECMARK is always considered enabled. 144 * 145 */ 146 static int selinux_secmark_enabled(void) 147 { 148 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount)); 149 } 150 151 /** 152 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 153 * 154 * Description: 155 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 156 * (1) if any are enabled or false (0) if neither are enabled. If the 157 * always_check_network policy capability is enabled, peer labeling 158 * is always considered enabled. 159 * 160 */ 161 static int selinux_peerlbl_enabled(void) 162 { 163 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled()); 164 } 165 166 static int selinux_netcache_avc_callback(u32 event) 167 { 168 if (event == AVC_CALLBACK_RESET) { 169 sel_netif_flush(); 170 sel_netnode_flush(); 171 sel_netport_flush(); 172 synchronize_net(); 173 } 174 return 0; 175 } 176 177 static int selinux_lsm_notifier_avc_callback(u32 event) 178 { 179 if (event == AVC_CALLBACK_RESET) { 180 sel_ib_pkey_flush(); 181 call_lsm_notifier(LSM_POLICY_CHANGE, NULL); 182 } 183 184 return 0; 185 } 186 187 /* 188 * initialise the security for the init task 189 */ 190 static void cred_init_security(void) 191 { 192 struct cred *cred = (struct cred *) current->real_cred; 193 struct task_security_struct *tsec; 194 195 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 196 if (!tsec) 197 panic("SELinux: Failed to initialize initial task.\n"); 198 199 tsec->osid = tsec->sid = SECINITSID_KERNEL; 200 cred->security = tsec; 201 } 202 203 /* 204 * get the security ID of a set of credentials 205 */ 206 static inline u32 cred_sid(const struct cred *cred) 207 { 208 const struct task_security_struct *tsec; 209 210 tsec = cred->security; 211 return tsec->sid; 212 } 213 214 /* 215 * get the objective security ID of a task 216 */ 217 static inline u32 task_sid(const struct task_struct *task) 218 { 219 u32 sid; 220 221 rcu_read_lock(); 222 sid = cred_sid(__task_cred(task)); 223 rcu_read_unlock(); 224 return sid; 225 } 226 227 /* Allocate and free functions for each kind of security blob. */ 228 229 static int inode_alloc_security(struct inode *inode) 230 { 231 struct inode_security_struct *isec; 232 u32 sid = current_sid(); 233 234 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 235 if (!isec) 236 return -ENOMEM; 237 238 spin_lock_init(&isec->lock); 239 INIT_LIST_HEAD(&isec->list); 240 isec->inode = inode; 241 isec->sid = SECINITSID_UNLABELED; 242 isec->sclass = SECCLASS_FILE; 243 isec->task_sid = sid; 244 isec->initialized = LABEL_INVALID; 245 inode->i_security = isec; 246 247 return 0; 248 } 249 250 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 251 252 /* 253 * Try reloading inode security labels that have been marked as invalid. The 254 * @may_sleep parameter indicates when sleeping and thus reloading labels is 255 * allowed; when set to false, returns -ECHILD when the label is 256 * invalid. The @opt_dentry parameter should be set to a dentry of the inode; 257 * when no dentry is available, set it to NULL instead. 258 */ 259 static int __inode_security_revalidate(struct inode *inode, 260 struct dentry *opt_dentry, 261 bool may_sleep) 262 { 263 struct inode_security_struct *isec = inode->i_security; 264 265 might_sleep_if(may_sleep); 266 267 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) { 268 if (!may_sleep) 269 return -ECHILD; 270 271 /* 272 * Try reloading the inode security label. This will fail if 273 * @opt_dentry is NULL and no dentry for this inode can be 274 * found; in that case, continue using the old label. 275 */ 276 inode_doinit_with_dentry(inode, opt_dentry); 277 } 278 return 0; 279 } 280 281 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 282 { 283 return inode->i_security; 284 } 285 286 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 287 { 288 int error; 289 290 error = __inode_security_revalidate(inode, NULL, !rcu); 291 if (error) 292 return ERR_PTR(error); 293 return inode->i_security; 294 } 295 296 /* 297 * Get the security label of an inode. 298 */ 299 static struct inode_security_struct *inode_security(struct inode *inode) 300 { 301 __inode_security_revalidate(inode, NULL, true); 302 return inode->i_security; 303 } 304 305 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 306 { 307 struct inode *inode = d_backing_inode(dentry); 308 309 return inode->i_security; 310 } 311 312 /* 313 * Get the security label of a dentry's backing inode. 314 */ 315 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 316 { 317 struct inode *inode = d_backing_inode(dentry); 318 319 __inode_security_revalidate(inode, dentry, true); 320 return inode->i_security; 321 } 322 323 static void inode_free_rcu(struct rcu_head *head) 324 { 325 struct inode_security_struct *isec; 326 327 isec = container_of(head, struct inode_security_struct, rcu); 328 kmem_cache_free(sel_inode_cache, isec); 329 } 330 331 static void inode_free_security(struct inode *inode) 332 { 333 struct inode_security_struct *isec = inode->i_security; 334 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 335 336 /* 337 * As not all inode security structures are in a list, we check for 338 * empty list outside of the lock to make sure that we won't waste 339 * time taking a lock doing nothing. 340 * 341 * The list_del_init() function can be safely called more than once. 342 * It should not be possible for this function to be called with 343 * concurrent list_add(), but for better safety against future changes 344 * in the code, we use list_empty_careful() here. 345 */ 346 if (!list_empty_careful(&isec->list)) { 347 spin_lock(&sbsec->isec_lock); 348 list_del_init(&isec->list); 349 spin_unlock(&sbsec->isec_lock); 350 } 351 352 /* 353 * The inode may still be referenced in a path walk and 354 * a call to selinux_inode_permission() can be made 355 * after inode_free_security() is called. Ideally, the VFS 356 * wouldn't do this, but fixing that is a much harder 357 * job. For now, simply free the i_security via RCU, and 358 * leave the current inode->i_security pointer intact. 359 * The inode will be freed after the RCU grace period too. 360 */ 361 call_rcu(&isec->rcu, inode_free_rcu); 362 } 363 364 static int file_alloc_security(struct file *file) 365 { 366 struct file_security_struct *fsec; 367 u32 sid = current_sid(); 368 369 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); 370 if (!fsec) 371 return -ENOMEM; 372 373 fsec->sid = sid; 374 fsec->fown_sid = sid; 375 file->f_security = fsec; 376 377 return 0; 378 } 379 380 static void file_free_security(struct file *file) 381 { 382 struct file_security_struct *fsec = file->f_security; 383 file->f_security = NULL; 384 kmem_cache_free(file_security_cache, fsec); 385 } 386 387 static int superblock_alloc_security(struct super_block *sb) 388 { 389 struct superblock_security_struct *sbsec; 390 391 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 392 if (!sbsec) 393 return -ENOMEM; 394 395 mutex_init(&sbsec->lock); 396 INIT_LIST_HEAD(&sbsec->isec_head); 397 spin_lock_init(&sbsec->isec_lock); 398 sbsec->sb = sb; 399 sbsec->sid = SECINITSID_UNLABELED; 400 sbsec->def_sid = SECINITSID_FILE; 401 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 402 sb->s_security = sbsec; 403 404 return 0; 405 } 406 407 static void superblock_free_security(struct super_block *sb) 408 { 409 struct superblock_security_struct *sbsec = sb->s_security; 410 sb->s_security = NULL; 411 kfree(sbsec); 412 } 413 414 static inline int inode_doinit(struct inode *inode) 415 { 416 return inode_doinit_with_dentry(inode, NULL); 417 } 418 419 enum { 420 Opt_error = -1, 421 Opt_context = 1, 422 Opt_fscontext = 2, 423 Opt_defcontext = 3, 424 Opt_rootcontext = 4, 425 Opt_labelsupport = 5, 426 Opt_nextmntopt = 6, 427 }; 428 429 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1) 430 431 static const match_table_t tokens = { 432 {Opt_context, CONTEXT_STR "%s"}, 433 {Opt_fscontext, FSCONTEXT_STR "%s"}, 434 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 435 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 436 {Opt_labelsupport, LABELSUPP_STR}, 437 {Opt_error, NULL}, 438 }; 439 440 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 441 442 static int may_context_mount_sb_relabel(u32 sid, 443 struct superblock_security_struct *sbsec, 444 const struct cred *cred) 445 { 446 const struct task_security_struct *tsec = cred->security; 447 int rc; 448 449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 450 FILESYSTEM__RELABELFROM, NULL); 451 if (rc) 452 return rc; 453 454 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 455 FILESYSTEM__RELABELTO, NULL); 456 return rc; 457 } 458 459 static int may_context_mount_inode_relabel(u32 sid, 460 struct superblock_security_struct *sbsec, 461 const struct cred *cred) 462 { 463 const struct task_security_struct *tsec = cred->security; 464 int rc; 465 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 466 FILESYSTEM__RELABELFROM, NULL); 467 if (rc) 468 return rc; 469 470 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 471 FILESYSTEM__ASSOCIATE, NULL); 472 return rc; 473 } 474 475 static int selinux_is_sblabel_mnt(struct super_block *sb) 476 { 477 struct superblock_security_struct *sbsec = sb->s_security; 478 479 return sbsec->behavior == SECURITY_FS_USE_XATTR || 480 sbsec->behavior == SECURITY_FS_USE_TRANS || 481 sbsec->behavior == SECURITY_FS_USE_TASK || 482 sbsec->behavior == SECURITY_FS_USE_NATIVE || 483 /* Special handling. Genfs but also in-core setxattr handler */ 484 !strcmp(sb->s_type->name, "sysfs") || 485 !strcmp(sb->s_type->name, "pstore") || 486 !strcmp(sb->s_type->name, "debugfs") || 487 !strcmp(sb->s_type->name, "tracefs") || 488 !strcmp(sb->s_type->name, "rootfs") || 489 (selinux_policycap_cgroupseclabel && 490 (!strcmp(sb->s_type->name, "cgroup") || 491 !strcmp(sb->s_type->name, "cgroup2"))); 492 } 493 494 static int sb_finish_set_opts(struct super_block *sb) 495 { 496 struct superblock_security_struct *sbsec = sb->s_security; 497 struct dentry *root = sb->s_root; 498 struct inode *root_inode = d_backing_inode(root); 499 int rc = 0; 500 501 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 502 /* Make sure that the xattr handler exists and that no 503 error other than -ENODATA is returned by getxattr on 504 the root directory. -ENODATA is ok, as this may be 505 the first boot of the SELinux kernel before we have 506 assigned xattr values to the filesystem. */ 507 if (!(root_inode->i_opflags & IOP_XATTR)) { 508 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 509 "xattr support\n", sb->s_id, sb->s_type->name); 510 rc = -EOPNOTSUPP; 511 goto out; 512 } 513 514 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 515 if (rc < 0 && rc != -ENODATA) { 516 if (rc == -EOPNOTSUPP) 517 printk(KERN_WARNING "SELinux: (dev %s, type " 518 "%s) has no security xattr handler\n", 519 sb->s_id, sb->s_type->name); 520 else 521 printk(KERN_WARNING "SELinux: (dev %s, type " 522 "%s) getxattr errno %d\n", sb->s_id, 523 sb->s_type->name, -rc); 524 goto out; 525 } 526 } 527 528 sbsec->flags |= SE_SBINITIALIZED; 529 530 /* 531 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 532 * leave the flag untouched because sb_clone_mnt_opts might be handing 533 * us a superblock that needs the flag to be cleared. 534 */ 535 if (selinux_is_sblabel_mnt(sb)) 536 sbsec->flags |= SBLABEL_MNT; 537 else 538 sbsec->flags &= ~SBLABEL_MNT; 539 540 /* Initialize the root inode. */ 541 rc = inode_doinit_with_dentry(root_inode, root); 542 543 /* Initialize any other inodes associated with the superblock, e.g. 544 inodes created prior to initial policy load or inodes created 545 during get_sb by a pseudo filesystem that directly 546 populates itself. */ 547 spin_lock(&sbsec->isec_lock); 548 next_inode: 549 if (!list_empty(&sbsec->isec_head)) { 550 struct inode_security_struct *isec = 551 list_entry(sbsec->isec_head.next, 552 struct inode_security_struct, list); 553 struct inode *inode = isec->inode; 554 list_del_init(&isec->list); 555 spin_unlock(&sbsec->isec_lock); 556 inode = igrab(inode); 557 if (inode) { 558 if (!IS_PRIVATE(inode)) 559 inode_doinit(inode); 560 iput(inode); 561 } 562 spin_lock(&sbsec->isec_lock); 563 goto next_inode; 564 } 565 spin_unlock(&sbsec->isec_lock); 566 out: 567 return rc; 568 } 569 570 /* 571 * This function should allow an FS to ask what it's mount security 572 * options were so it can use those later for submounts, displaying 573 * mount options, or whatever. 574 */ 575 static int selinux_get_mnt_opts(const struct super_block *sb, 576 struct security_mnt_opts *opts) 577 { 578 int rc = 0, i; 579 struct superblock_security_struct *sbsec = sb->s_security; 580 char *context = NULL; 581 u32 len; 582 char tmp; 583 584 security_init_mnt_opts(opts); 585 586 if (!(sbsec->flags & SE_SBINITIALIZED)) 587 return -EINVAL; 588 589 if (!ss_initialized) 590 return -EINVAL; 591 592 /* make sure we always check enough bits to cover the mask */ 593 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS)); 594 595 tmp = sbsec->flags & SE_MNTMASK; 596 /* count the number of mount options for this sb */ 597 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) { 598 if (tmp & 0x01) 599 opts->num_mnt_opts++; 600 tmp >>= 1; 601 } 602 /* Check if the Label support flag is set */ 603 if (sbsec->flags & SBLABEL_MNT) 604 opts->num_mnt_opts++; 605 606 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 607 if (!opts->mnt_opts) { 608 rc = -ENOMEM; 609 goto out_free; 610 } 611 612 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 613 if (!opts->mnt_opts_flags) { 614 rc = -ENOMEM; 615 goto out_free; 616 } 617 618 i = 0; 619 if (sbsec->flags & FSCONTEXT_MNT) { 620 rc = security_sid_to_context(sbsec->sid, &context, &len); 621 if (rc) 622 goto out_free; 623 opts->mnt_opts[i] = context; 624 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 625 } 626 if (sbsec->flags & CONTEXT_MNT) { 627 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 628 if (rc) 629 goto out_free; 630 opts->mnt_opts[i] = context; 631 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 632 } 633 if (sbsec->flags & DEFCONTEXT_MNT) { 634 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 635 if (rc) 636 goto out_free; 637 opts->mnt_opts[i] = context; 638 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 639 } 640 if (sbsec->flags & ROOTCONTEXT_MNT) { 641 struct dentry *root = sbsec->sb->s_root; 642 struct inode_security_struct *isec = backing_inode_security(root); 643 644 rc = security_sid_to_context(isec->sid, &context, &len); 645 if (rc) 646 goto out_free; 647 opts->mnt_opts[i] = context; 648 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 649 } 650 if (sbsec->flags & SBLABEL_MNT) { 651 opts->mnt_opts[i] = NULL; 652 opts->mnt_opts_flags[i++] = SBLABEL_MNT; 653 } 654 655 BUG_ON(i != opts->num_mnt_opts); 656 657 return 0; 658 659 out_free: 660 security_free_mnt_opts(opts); 661 return rc; 662 } 663 664 static int bad_option(struct superblock_security_struct *sbsec, char flag, 665 u32 old_sid, u32 new_sid) 666 { 667 char mnt_flags = sbsec->flags & SE_MNTMASK; 668 669 /* check if the old mount command had the same options */ 670 if (sbsec->flags & SE_SBINITIALIZED) 671 if (!(sbsec->flags & flag) || 672 (old_sid != new_sid)) 673 return 1; 674 675 /* check if we were passed the same options twice, 676 * aka someone passed context=a,context=b 677 */ 678 if (!(sbsec->flags & SE_SBINITIALIZED)) 679 if (mnt_flags & flag) 680 return 1; 681 return 0; 682 } 683 684 /* 685 * Allow filesystems with binary mount data to explicitly set mount point 686 * labeling information. 687 */ 688 static int selinux_set_mnt_opts(struct super_block *sb, 689 struct security_mnt_opts *opts, 690 unsigned long kern_flags, 691 unsigned long *set_kern_flags) 692 { 693 const struct cred *cred = current_cred(); 694 int rc = 0, i; 695 struct superblock_security_struct *sbsec = sb->s_security; 696 const char *name = sb->s_type->name; 697 struct dentry *root = sbsec->sb->s_root; 698 struct inode_security_struct *root_isec; 699 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 700 u32 defcontext_sid = 0; 701 char **mount_options = opts->mnt_opts; 702 int *flags = opts->mnt_opts_flags; 703 int num_opts = opts->num_mnt_opts; 704 705 mutex_lock(&sbsec->lock); 706 707 if (!ss_initialized) { 708 if (!num_opts) { 709 /* Defer initialization until selinux_complete_init, 710 after the initial policy is loaded and the security 711 server is ready to handle calls. */ 712 goto out; 713 } 714 rc = -EINVAL; 715 printk(KERN_WARNING "SELinux: Unable to set superblock options " 716 "before the security server is initialized\n"); 717 goto out; 718 } 719 if (kern_flags && !set_kern_flags) { 720 /* Specifying internal flags without providing a place to 721 * place the results is not allowed */ 722 rc = -EINVAL; 723 goto out; 724 } 725 726 /* 727 * Binary mount data FS will come through this function twice. Once 728 * from an explicit call and once from the generic calls from the vfs. 729 * Since the generic VFS calls will not contain any security mount data 730 * we need to skip the double mount verification. 731 * 732 * This does open a hole in which we will not notice if the first 733 * mount using this sb set explict options and a second mount using 734 * this sb does not set any security options. (The first options 735 * will be used for both mounts) 736 */ 737 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 738 && (num_opts == 0)) 739 goto out; 740 741 root_isec = backing_inode_security_novalidate(root); 742 743 /* 744 * parse the mount options, check if they are valid sids. 745 * also check if someone is trying to mount the same sb more 746 * than once with different security options. 747 */ 748 for (i = 0; i < num_opts; i++) { 749 u32 sid; 750 751 if (flags[i] == SBLABEL_MNT) 752 continue; 753 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 754 if (rc) { 755 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 756 "(%s) failed for (dev %s, type %s) errno=%d\n", 757 mount_options[i], sb->s_id, name, rc); 758 goto out; 759 } 760 switch (flags[i]) { 761 case FSCONTEXT_MNT: 762 fscontext_sid = sid; 763 764 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 765 fscontext_sid)) 766 goto out_double_mount; 767 768 sbsec->flags |= FSCONTEXT_MNT; 769 break; 770 case CONTEXT_MNT: 771 context_sid = sid; 772 773 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 774 context_sid)) 775 goto out_double_mount; 776 777 sbsec->flags |= CONTEXT_MNT; 778 break; 779 case ROOTCONTEXT_MNT: 780 rootcontext_sid = sid; 781 782 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 783 rootcontext_sid)) 784 goto out_double_mount; 785 786 sbsec->flags |= ROOTCONTEXT_MNT; 787 788 break; 789 case DEFCONTEXT_MNT: 790 defcontext_sid = sid; 791 792 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 793 defcontext_sid)) 794 goto out_double_mount; 795 796 sbsec->flags |= DEFCONTEXT_MNT; 797 798 break; 799 default: 800 rc = -EINVAL; 801 goto out; 802 } 803 } 804 805 if (sbsec->flags & SE_SBINITIALIZED) { 806 /* previously mounted with options, but not on this attempt? */ 807 if ((sbsec->flags & SE_MNTMASK) && !num_opts) 808 goto out_double_mount; 809 rc = 0; 810 goto out; 811 } 812 813 if (strcmp(sb->s_type->name, "proc") == 0) 814 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 815 816 if (!strcmp(sb->s_type->name, "debugfs") || 817 !strcmp(sb->s_type->name, "tracefs") || 818 !strcmp(sb->s_type->name, "sysfs") || 819 !strcmp(sb->s_type->name, "pstore") || 820 !strcmp(sb->s_type->name, "cgroup") || 821 !strcmp(sb->s_type->name, "cgroup2")) 822 sbsec->flags |= SE_SBGENFS; 823 824 if (!sbsec->behavior) { 825 /* 826 * Determine the labeling behavior to use for this 827 * filesystem type. 828 */ 829 rc = security_fs_use(sb); 830 if (rc) { 831 printk(KERN_WARNING 832 "%s: security_fs_use(%s) returned %d\n", 833 __func__, sb->s_type->name, rc); 834 goto out; 835 } 836 } 837 838 /* 839 * If this is a user namespace mount and the filesystem type is not 840 * explicitly whitelisted, then no contexts are allowed on the command 841 * line and security labels must be ignored. 842 */ 843 if (sb->s_user_ns != &init_user_ns && 844 strcmp(sb->s_type->name, "tmpfs") && 845 strcmp(sb->s_type->name, "ramfs") && 846 strcmp(sb->s_type->name, "devpts")) { 847 if (context_sid || fscontext_sid || rootcontext_sid || 848 defcontext_sid) { 849 rc = -EACCES; 850 goto out; 851 } 852 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 853 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 854 rc = security_transition_sid(current_sid(), current_sid(), 855 SECCLASS_FILE, NULL, 856 &sbsec->mntpoint_sid); 857 if (rc) 858 goto out; 859 } 860 goto out_set_opts; 861 } 862 863 /* sets the context of the superblock for the fs being mounted. */ 864 if (fscontext_sid) { 865 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 866 if (rc) 867 goto out; 868 869 sbsec->sid = fscontext_sid; 870 } 871 872 /* 873 * Switch to using mount point labeling behavior. 874 * sets the label used on all file below the mountpoint, and will set 875 * the superblock context if not already set. 876 */ 877 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 878 sbsec->behavior = SECURITY_FS_USE_NATIVE; 879 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 880 } 881 882 if (context_sid) { 883 if (!fscontext_sid) { 884 rc = may_context_mount_sb_relabel(context_sid, sbsec, 885 cred); 886 if (rc) 887 goto out; 888 sbsec->sid = context_sid; 889 } else { 890 rc = may_context_mount_inode_relabel(context_sid, sbsec, 891 cred); 892 if (rc) 893 goto out; 894 } 895 if (!rootcontext_sid) 896 rootcontext_sid = context_sid; 897 898 sbsec->mntpoint_sid = context_sid; 899 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 900 } 901 902 if (rootcontext_sid) { 903 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 904 cred); 905 if (rc) 906 goto out; 907 908 root_isec->sid = rootcontext_sid; 909 root_isec->initialized = LABEL_INITIALIZED; 910 } 911 912 if (defcontext_sid) { 913 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 914 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 915 rc = -EINVAL; 916 printk(KERN_WARNING "SELinux: defcontext option is " 917 "invalid for this filesystem type\n"); 918 goto out; 919 } 920 921 if (defcontext_sid != sbsec->def_sid) { 922 rc = may_context_mount_inode_relabel(defcontext_sid, 923 sbsec, cred); 924 if (rc) 925 goto out; 926 } 927 928 sbsec->def_sid = defcontext_sid; 929 } 930 931 out_set_opts: 932 rc = sb_finish_set_opts(sb); 933 out: 934 mutex_unlock(&sbsec->lock); 935 return rc; 936 out_double_mount: 937 rc = -EINVAL; 938 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 939 "security settings for (dev %s, type %s)\n", sb->s_id, name); 940 goto out; 941 } 942 943 static int selinux_cmp_sb_context(const struct super_block *oldsb, 944 const struct super_block *newsb) 945 { 946 struct superblock_security_struct *old = oldsb->s_security; 947 struct superblock_security_struct *new = newsb->s_security; 948 char oldflags = old->flags & SE_MNTMASK; 949 char newflags = new->flags & SE_MNTMASK; 950 951 if (oldflags != newflags) 952 goto mismatch; 953 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 954 goto mismatch; 955 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 956 goto mismatch; 957 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 958 goto mismatch; 959 if (oldflags & ROOTCONTEXT_MNT) { 960 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 961 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 962 if (oldroot->sid != newroot->sid) 963 goto mismatch; 964 } 965 return 0; 966 mismatch: 967 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, " 968 "different security settings for (dev %s, " 969 "type %s)\n", newsb->s_id, newsb->s_type->name); 970 return -EBUSY; 971 } 972 973 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 974 struct super_block *newsb, 975 unsigned long kern_flags, 976 unsigned long *set_kern_flags) 977 { 978 int rc = 0; 979 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 980 struct superblock_security_struct *newsbsec = newsb->s_security; 981 982 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 983 int set_context = (oldsbsec->flags & CONTEXT_MNT); 984 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 985 986 /* 987 * if the parent was able to be mounted it clearly had no special lsm 988 * mount options. thus we can safely deal with this superblock later 989 */ 990 if (!ss_initialized) 991 return 0; 992 993 /* 994 * Specifying internal flags without providing a place to 995 * place the results is not allowed. 996 */ 997 if (kern_flags && !set_kern_flags) 998 return -EINVAL; 999 1000 /* how can we clone if the old one wasn't set up?? */ 1001 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 1002 1003 /* if fs is reusing a sb, make sure that the contexts match */ 1004 if (newsbsec->flags & SE_SBINITIALIZED) 1005 return selinux_cmp_sb_context(oldsb, newsb); 1006 1007 mutex_lock(&newsbsec->lock); 1008 1009 newsbsec->flags = oldsbsec->flags; 1010 1011 newsbsec->sid = oldsbsec->sid; 1012 newsbsec->def_sid = oldsbsec->def_sid; 1013 newsbsec->behavior = oldsbsec->behavior; 1014 1015 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 1016 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 1017 rc = security_fs_use(newsb); 1018 if (rc) 1019 goto out; 1020 } 1021 1022 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 1023 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 1024 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 1025 } 1026 1027 if (set_context) { 1028 u32 sid = oldsbsec->mntpoint_sid; 1029 1030 if (!set_fscontext) 1031 newsbsec->sid = sid; 1032 if (!set_rootcontext) { 1033 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1034 newisec->sid = sid; 1035 } 1036 newsbsec->mntpoint_sid = sid; 1037 } 1038 if (set_rootcontext) { 1039 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 1040 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1041 1042 newisec->sid = oldisec->sid; 1043 } 1044 1045 sb_finish_set_opts(newsb); 1046 out: 1047 mutex_unlock(&newsbsec->lock); 1048 return rc; 1049 } 1050 1051 static int selinux_parse_opts_str(char *options, 1052 struct security_mnt_opts *opts) 1053 { 1054 char *p; 1055 char *context = NULL, *defcontext = NULL; 1056 char *fscontext = NULL, *rootcontext = NULL; 1057 int rc, num_mnt_opts = 0; 1058 1059 opts->num_mnt_opts = 0; 1060 1061 /* Standard string-based options. */ 1062 while ((p = strsep(&options, "|")) != NULL) { 1063 int token; 1064 substring_t args[MAX_OPT_ARGS]; 1065 1066 if (!*p) 1067 continue; 1068 1069 token = match_token(p, tokens, args); 1070 1071 switch (token) { 1072 case Opt_context: 1073 if (context || defcontext) { 1074 rc = -EINVAL; 1075 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1076 goto out_err; 1077 } 1078 context = match_strdup(&args[0]); 1079 if (!context) { 1080 rc = -ENOMEM; 1081 goto out_err; 1082 } 1083 break; 1084 1085 case Opt_fscontext: 1086 if (fscontext) { 1087 rc = -EINVAL; 1088 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1089 goto out_err; 1090 } 1091 fscontext = match_strdup(&args[0]); 1092 if (!fscontext) { 1093 rc = -ENOMEM; 1094 goto out_err; 1095 } 1096 break; 1097 1098 case Opt_rootcontext: 1099 if (rootcontext) { 1100 rc = -EINVAL; 1101 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1102 goto out_err; 1103 } 1104 rootcontext = match_strdup(&args[0]); 1105 if (!rootcontext) { 1106 rc = -ENOMEM; 1107 goto out_err; 1108 } 1109 break; 1110 1111 case Opt_defcontext: 1112 if (context || defcontext) { 1113 rc = -EINVAL; 1114 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1115 goto out_err; 1116 } 1117 defcontext = match_strdup(&args[0]); 1118 if (!defcontext) { 1119 rc = -ENOMEM; 1120 goto out_err; 1121 } 1122 break; 1123 case Opt_labelsupport: 1124 break; 1125 default: 1126 rc = -EINVAL; 1127 printk(KERN_WARNING "SELinux: unknown mount option\n"); 1128 goto out_err; 1129 1130 } 1131 } 1132 1133 rc = -ENOMEM; 1134 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL); 1135 if (!opts->mnt_opts) 1136 goto out_err; 1137 1138 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), 1139 GFP_KERNEL); 1140 if (!opts->mnt_opts_flags) 1141 goto out_err; 1142 1143 if (fscontext) { 1144 opts->mnt_opts[num_mnt_opts] = fscontext; 1145 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 1146 } 1147 if (context) { 1148 opts->mnt_opts[num_mnt_opts] = context; 1149 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 1150 } 1151 if (rootcontext) { 1152 opts->mnt_opts[num_mnt_opts] = rootcontext; 1153 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 1154 } 1155 if (defcontext) { 1156 opts->mnt_opts[num_mnt_opts] = defcontext; 1157 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 1158 } 1159 1160 opts->num_mnt_opts = num_mnt_opts; 1161 return 0; 1162 1163 out_err: 1164 security_free_mnt_opts(opts); 1165 kfree(context); 1166 kfree(defcontext); 1167 kfree(fscontext); 1168 kfree(rootcontext); 1169 return rc; 1170 } 1171 /* 1172 * string mount options parsing and call set the sbsec 1173 */ 1174 static int superblock_doinit(struct super_block *sb, void *data) 1175 { 1176 int rc = 0; 1177 char *options = data; 1178 struct security_mnt_opts opts; 1179 1180 security_init_mnt_opts(&opts); 1181 1182 if (!data) 1183 goto out; 1184 1185 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 1186 1187 rc = selinux_parse_opts_str(options, &opts); 1188 if (rc) 1189 goto out_err; 1190 1191 out: 1192 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL); 1193 1194 out_err: 1195 security_free_mnt_opts(&opts); 1196 return rc; 1197 } 1198 1199 static void selinux_write_opts(struct seq_file *m, 1200 struct security_mnt_opts *opts) 1201 { 1202 int i; 1203 char *prefix; 1204 1205 for (i = 0; i < opts->num_mnt_opts; i++) { 1206 char *has_comma; 1207 1208 if (opts->mnt_opts[i]) 1209 has_comma = strchr(opts->mnt_opts[i], ','); 1210 else 1211 has_comma = NULL; 1212 1213 switch (opts->mnt_opts_flags[i]) { 1214 case CONTEXT_MNT: 1215 prefix = CONTEXT_STR; 1216 break; 1217 case FSCONTEXT_MNT: 1218 prefix = FSCONTEXT_STR; 1219 break; 1220 case ROOTCONTEXT_MNT: 1221 prefix = ROOTCONTEXT_STR; 1222 break; 1223 case DEFCONTEXT_MNT: 1224 prefix = DEFCONTEXT_STR; 1225 break; 1226 case SBLABEL_MNT: 1227 seq_putc(m, ','); 1228 seq_puts(m, LABELSUPP_STR); 1229 continue; 1230 default: 1231 BUG(); 1232 return; 1233 }; 1234 /* we need a comma before each option */ 1235 seq_putc(m, ','); 1236 seq_puts(m, prefix); 1237 if (has_comma) 1238 seq_putc(m, '\"'); 1239 seq_escape(m, opts->mnt_opts[i], "\"\n\\"); 1240 if (has_comma) 1241 seq_putc(m, '\"'); 1242 } 1243 } 1244 1245 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1246 { 1247 struct security_mnt_opts opts; 1248 int rc; 1249 1250 rc = selinux_get_mnt_opts(sb, &opts); 1251 if (rc) { 1252 /* before policy load we may get EINVAL, don't show anything */ 1253 if (rc == -EINVAL) 1254 rc = 0; 1255 return rc; 1256 } 1257 1258 selinux_write_opts(m, &opts); 1259 1260 security_free_mnt_opts(&opts); 1261 1262 return rc; 1263 } 1264 1265 static inline u16 inode_mode_to_security_class(umode_t mode) 1266 { 1267 switch (mode & S_IFMT) { 1268 case S_IFSOCK: 1269 return SECCLASS_SOCK_FILE; 1270 case S_IFLNK: 1271 return SECCLASS_LNK_FILE; 1272 case S_IFREG: 1273 return SECCLASS_FILE; 1274 case S_IFBLK: 1275 return SECCLASS_BLK_FILE; 1276 case S_IFDIR: 1277 return SECCLASS_DIR; 1278 case S_IFCHR: 1279 return SECCLASS_CHR_FILE; 1280 case S_IFIFO: 1281 return SECCLASS_FIFO_FILE; 1282 1283 } 1284 1285 return SECCLASS_FILE; 1286 } 1287 1288 static inline int default_protocol_stream(int protocol) 1289 { 1290 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1291 } 1292 1293 static inline int default_protocol_dgram(int protocol) 1294 { 1295 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1296 } 1297 1298 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1299 { 1300 int extsockclass = selinux_policycap_extsockclass; 1301 1302 switch (family) { 1303 case PF_UNIX: 1304 switch (type) { 1305 case SOCK_STREAM: 1306 case SOCK_SEQPACKET: 1307 return SECCLASS_UNIX_STREAM_SOCKET; 1308 case SOCK_DGRAM: 1309 case SOCK_RAW: 1310 return SECCLASS_UNIX_DGRAM_SOCKET; 1311 } 1312 break; 1313 case PF_INET: 1314 case PF_INET6: 1315 switch (type) { 1316 case SOCK_STREAM: 1317 case SOCK_SEQPACKET: 1318 if (default_protocol_stream(protocol)) 1319 return SECCLASS_TCP_SOCKET; 1320 else if (extsockclass && protocol == IPPROTO_SCTP) 1321 return SECCLASS_SCTP_SOCKET; 1322 else 1323 return SECCLASS_RAWIP_SOCKET; 1324 case SOCK_DGRAM: 1325 if (default_protocol_dgram(protocol)) 1326 return SECCLASS_UDP_SOCKET; 1327 else if (extsockclass && (protocol == IPPROTO_ICMP || 1328 protocol == IPPROTO_ICMPV6)) 1329 return SECCLASS_ICMP_SOCKET; 1330 else 1331 return SECCLASS_RAWIP_SOCKET; 1332 case SOCK_DCCP: 1333 return SECCLASS_DCCP_SOCKET; 1334 default: 1335 return SECCLASS_RAWIP_SOCKET; 1336 } 1337 break; 1338 case PF_NETLINK: 1339 switch (protocol) { 1340 case NETLINK_ROUTE: 1341 return SECCLASS_NETLINK_ROUTE_SOCKET; 1342 case NETLINK_SOCK_DIAG: 1343 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1344 case NETLINK_NFLOG: 1345 return SECCLASS_NETLINK_NFLOG_SOCKET; 1346 case NETLINK_XFRM: 1347 return SECCLASS_NETLINK_XFRM_SOCKET; 1348 case NETLINK_SELINUX: 1349 return SECCLASS_NETLINK_SELINUX_SOCKET; 1350 case NETLINK_ISCSI: 1351 return SECCLASS_NETLINK_ISCSI_SOCKET; 1352 case NETLINK_AUDIT: 1353 return SECCLASS_NETLINK_AUDIT_SOCKET; 1354 case NETLINK_FIB_LOOKUP: 1355 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1356 case NETLINK_CONNECTOR: 1357 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1358 case NETLINK_NETFILTER: 1359 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1360 case NETLINK_DNRTMSG: 1361 return SECCLASS_NETLINK_DNRT_SOCKET; 1362 case NETLINK_KOBJECT_UEVENT: 1363 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1364 case NETLINK_GENERIC: 1365 return SECCLASS_NETLINK_GENERIC_SOCKET; 1366 case NETLINK_SCSITRANSPORT: 1367 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1368 case NETLINK_RDMA: 1369 return SECCLASS_NETLINK_RDMA_SOCKET; 1370 case NETLINK_CRYPTO: 1371 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1372 default: 1373 return SECCLASS_NETLINK_SOCKET; 1374 } 1375 case PF_PACKET: 1376 return SECCLASS_PACKET_SOCKET; 1377 case PF_KEY: 1378 return SECCLASS_KEY_SOCKET; 1379 case PF_APPLETALK: 1380 return SECCLASS_APPLETALK_SOCKET; 1381 } 1382 1383 if (extsockclass) { 1384 switch (family) { 1385 case PF_AX25: 1386 return SECCLASS_AX25_SOCKET; 1387 case PF_IPX: 1388 return SECCLASS_IPX_SOCKET; 1389 case PF_NETROM: 1390 return SECCLASS_NETROM_SOCKET; 1391 case PF_ATMPVC: 1392 return SECCLASS_ATMPVC_SOCKET; 1393 case PF_X25: 1394 return SECCLASS_X25_SOCKET; 1395 case PF_ROSE: 1396 return SECCLASS_ROSE_SOCKET; 1397 case PF_DECnet: 1398 return SECCLASS_DECNET_SOCKET; 1399 case PF_ATMSVC: 1400 return SECCLASS_ATMSVC_SOCKET; 1401 case PF_RDS: 1402 return SECCLASS_RDS_SOCKET; 1403 case PF_IRDA: 1404 return SECCLASS_IRDA_SOCKET; 1405 case PF_PPPOX: 1406 return SECCLASS_PPPOX_SOCKET; 1407 case PF_LLC: 1408 return SECCLASS_LLC_SOCKET; 1409 case PF_CAN: 1410 return SECCLASS_CAN_SOCKET; 1411 case PF_TIPC: 1412 return SECCLASS_TIPC_SOCKET; 1413 case PF_BLUETOOTH: 1414 return SECCLASS_BLUETOOTH_SOCKET; 1415 case PF_IUCV: 1416 return SECCLASS_IUCV_SOCKET; 1417 case PF_RXRPC: 1418 return SECCLASS_RXRPC_SOCKET; 1419 case PF_ISDN: 1420 return SECCLASS_ISDN_SOCKET; 1421 case PF_PHONET: 1422 return SECCLASS_PHONET_SOCKET; 1423 case PF_IEEE802154: 1424 return SECCLASS_IEEE802154_SOCKET; 1425 case PF_CAIF: 1426 return SECCLASS_CAIF_SOCKET; 1427 case PF_ALG: 1428 return SECCLASS_ALG_SOCKET; 1429 case PF_NFC: 1430 return SECCLASS_NFC_SOCKET; 1431 case PF_VSOCK: 1432 return SECCLASS_VSOCK_SOCKET; 1433 case PF_KCM: 1434 return SECCLASS_KCM_SOCKET; 1435 case PF_QIPCRTR: 1436 return SECCLASS_QIPCRTR_SOCKET; 1437 case PF_SMC: 1438 return SECCLASS_SMC_SOCKET; 1439 #if PF_MAX > 44 1440 #error New address family defined, please update this function. 1441 #endif 1442 } 1443 } 1444 1445 return SECCLASS_SOCKET; 1446 } 1447 1448 static int selinux_genfs_get_sid(struct dentry *dentry, 1449 u16 tclass, 1450 u16 flags, 1451 u32 *sid) 1452 { 1453 int rc; 1454 struct super_block *sb = dentry->d_sb; 1455 char *buffer, *path; 1456 1457 buffer = (char *)__get_free_page(GFP_KERNEL); 1458 if (!buffer) 1459 return -ENOMEM; 1460 1461 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1462 if (IS_ERR(path)) 1463 rc = PTR_ERR(path); 1464 else { 1465 if (flags & SE_SBPROC) { 1466 /* each process gets a /proc/PID/ entry. Strip off the 1467 * PID part to get a valid selinux labeling. 1468 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1469 while (path[1] >= '0' && path[1] <= '9') { 1470 path[1] = '/'; 1471 path++; 1472 } 1473 } 1474 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid); 1475 } 1476 free_page((unsigned long)buffer); 1477 return rc; 1478 } 1479 1480 /* The inode's security attributes must be initialized before first use. */ 1481 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1482 { 1483 struct superblock_security_struct *sbsec = NULL; 1484 struct inode_security_struct *isec = inode->i_security; 1485 u32 task_sid, sid = 0; 1486 u16 sclass; 1487 struct dentry *dentry; 1488 #define INITCONTEXTLEN 255 1489 char *context = NULL; 1490 unsigned len = 0; 1491 int rc = 0; 1492 1493 if (isec->initialized == LABEL_INITIALIZED) 1494 return 0; 1495 1496 spin_lock(&isec->lock); 1497 if (isec->initialized == LABEL_INITIALIZED) 1498 goto out_unlock; 1499 1500 if (isec->sclass == SECCLASS_FILE) 1501 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1502 1503 sbsec = inode->i_sb->s_security; 1504 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1505 /* Defer initialization until selinux_complete_init, 1506 after the initial policy is loaded and the security 1507 server is ready to handle calls. */ 1508 spin_lock(&sbsec->isec_lock); 1509 if (list_empty(&isec->list)) 1510 list_add(&isec->list, &sbsec->isec_head); 1511 spin_unlock(&sbsec->isec_lock); 1512 goto out_unlock; 1513 } 1514 1515 sclass = isec->sclass; 1516 task_sid = isec->task_sid; 1517 sid = isec->sid; 1518 isec->initialized = LABEL_PENDING; 1519 spin_unlock(&isec->lock); 1520 1521 switch (sbsec->behavior) { 1522 case SECURITY_FS_USE_NATIVE: 1523 break; 1524 case SECURITY_FS_USE_XATTR: 1525 if (!(inode->i_opflags & IOP_XATTR)) { 1526 sid = sbsec->def_sid; 1527 break; 1528 } 1529 /* Need a dentry, since the xattr API requires one. 1530 Life would be simpler if we could just pass the inode. */ 1531 if (opt_dentry) { 1532 /* Called from d_instantiate or d_splice_alias. */ 1533 dentry = dget(opt_dentry); 1534 } else { 1535 /* Called from selinux_complete_init, try to find a dentry. */ 1536 dentry = d_find_alias(inode); 1537 } 1538 if (!dentry) { 1539 /* 1540 * this is can be hit on boot when a file is accessed 1541 * before the policy is loaded. When we load policy we 1542 * may find inodes that have no dentry on the 1543 * sbsec->isec_head list. No reason to complain as these 1544 * will get fixed up the next time we go through 1545 * inode_doinit with a dentry, before these inodes could 1546 * be used again by userspace. 1547 */ 1548 goto out; 1549 } 1550 1551 len = INITCONTEXTLEN; 1552 context = kmalloc(len+1, GFP_NOFS); 1553 if (!context) { 1554 rc = -ENOMEM; 1555 dput(dentry); 1556 goto out; 1557 } 1558 context[len] = '\0'; 1559 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1560 if (rc == -ERANGE) { 1561 kfree(context); 1562 1563 /* Need a larger buffer. Query for the right size. */ 1564 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1565 if (rc < 0) { 1566 dput(dentry); 1567 goto out; 1568 } 1569 len = rc; 1570 context = kmalloc(len+1, GFP_NOFS); 1571 if (!context) { 1572 rc = -ENOMEM; 1573 dput(dentry); 1574 goto out; 1575 } 1576 context[len] = '\0'; 1577 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1578 } 1579 dput(dentry); 1580 if (rc < 0) { 1581 if (rc != -ENODATA) { 1582 printk(KERN_WARNING "SELinux: %s: getxattr returned " 1583 "%d for dev=%s ino=%ld\n", __func__, 1584 -rc, inode->i_sb->s_id, inode->i_ino); 1585 kfree(context); 1586 goto out; 1587 } 1588 /* Map ENODATA to the default file SID */ 1589 sid = sbsec->def_sid; 1590 rc = 0; 1591 } else { 1592 rc = security_context_to_sid_default(context, rc, &sid, 1593 sbsec->def_sid, 1594 GFP_NOFS); 1595 if (rc) { 1596 char *dev = inode->i_sb->s_id; 1597 unsigned long ino = inode->i_ino; 1598 1599 if (rc == -EINVAL) { 1600 if (printk_ratelimit()) 1601 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " 1602 "context=%s. This indicates you may need to relabel the inode or the " 1603 "filesystem in question.\n", ino, dev, context); 1604 } else { 1605 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1606 "returned %d for dev=%s ino=%ld\n", 1607 __func__, context, -rc, dev, ino); 1608 } 1609 kfree(context); 1610 /* Leave with the unlabeled SID */ 1611 rc = 0; 1612 break; 1613 } 1614 } 1615 kfree(context); 1616 break; 1617 case SECURITY_FS_USE_TASK: 1618 sid = task_sid; 1619 break; 1620 case SECURITY_FS_USE_TRANS: 1621 /* Default to the fs SID. */ 1622 sid = sbsec->sid; 1623 1624 /* Try to obtain a transition SID. */ 1625 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid); 1626 if (rc) 1627 goto out; 1628 break; 1629 case SECURITY_FS_USE_MNTPOINT: 1630 sid = sbsec->mntpoint_sid; 1631 break; 1632 default: 1633 /* Default to the fs superblock SID. */ 1634 sid = sbsec->sid; 1635 1636 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { 1637 /* We must have a dentry to determine the label on 1638 * procfs inodes */ 1639 if (opt_dentry) 1640 /* Called from d_instantiate or 1641 * d_splice_alias. */ 1642 dentry = dget(opt_dentry); 1643 else 1644 /* Called from selinux_complete_init, try to 1645 * find a dentry. */ 1646 dentry = d_find_alias(inode); 1647 /* 1648 * This can be hit on boot when a file is accessed 1649 * before the policy is loaded. When we load policy we 1650 * may find inodes that have no dentry on the 1651 * sbsec->isec_head list. No reason to complain as 1652 * these will get fixed up the next time we go through 1653 * inode_doinit() with a dentry, before these inodes 1654 * could be used again by userspace. 1655 */ 1656 if (!dentry) 1657 goto out; 1658 rc = selinux_genfs_get_sid(dentry, sclass, 1659 sbsec->flags, &sid); 1660 dput(dentry); 1661 if (rc) 1662 goto out; 1663 } 1664 break; 1665 } 1666 1667 out: 1668 spin_lock(&isec->lock); 1669 if (isec->initialized == LABEL_PENDING) { 1670 if (!sid || rc) { 1671 isec->initialized = LABEL_INVALID; 1672 goto out_unlock; 1673 } 1674 1675 isec->initialized = LABEL_INITIALIZED; 1676 isec->sid = sid; 1677 } 1678 1679 out_unlock: 1680 spin_unlock(&isec->lock); 1681 return rc; 1682 } 1683 1684 /* Convert a Linux signal to an access vector. */ 1685 static inline u32 signal_to_av(int sig) 1686 { 1687 u32 perm = 0; 1688 1689 switch (sig) { 1690 case SIGCHLD: 1691 /* Commonly granted from child to parent. */ 1692 perm = PROCESS__SIGCHLD; 1693 break; 1694 case SIGKILL: 1695 /* Cannot be caught or ignored */ 1696 perm = PROCESS__SIGKILL; 1697 break; 1698 case SIGSTOP: 1699 /* Cannot be caught or ignored */ 1700 perm = PROCESS__SIGSTOP; 1701 break; 1702 default: 1703 /* All other signals. */ 1704 perm = PROCESS__SIGNAL; 1705 break; 1706 } 1707 1708 return perm; 1709 } 1710 1711 #if CAP_LAST_CAP > 63 1712 #error Fix SELinux to handle capabilities > 63. 1713 #endif 1714 1715 /* Check whether a task is allowed to use a capability. */ 1716 static int cred_has_capability(const struct cred *cred, 1717 int cap, int audit, bool initns) 1718 { 1719 struct common_audit_data ad; 1720 struct av_decision avd; 1721 u16 sclass; 1722 u32 sid = cred_sid(cred); 1723 u32 av = CAP_TO_MASK(cap); 1724 int rc; 1725 1726 ad.type = LSM_AUDIT_DATA_CAP; 1727 ad.u.cap = cap; 1728 1729 switch (CAP_TO_INDEX(cap)) { 1730 case 0: 1731 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1732 break; 1733 case 1: 1734 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1735 break; 1736 default: 1737 printk(KERN_ERR 1738 "SELinux: out of range capability %d\n", cap); 1739 BUG(); 1740 return -EINVAL; 1741 } 1742 1743 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1744 if (audit == SECURITY_CAP_AUDIT) { 1745 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); 1746 if (rc2) 1747 return rc2; 1748 } 1749 return rc; 1750 } 1751 1752 /* Check whether a task has a particular permission to an inode. 1753 The 'adp' parameter is optional and allows other audit 1754 data to be passed (e.g. the dentry). */ 1755 static int inode_has_perm(const struct cred *cred, 1756 struct inode *inode, 1757 u32 perms, 1758 struct common_audit_data *adp) 1759 { 1760 struct inode_security_struct *isec; 1761 u32 sid; 1762 1763 validate_creds(cred); 1764 1765 if (unlikely(IS_PRIVATE(inode))) 1766 return 0; 1767 1768 sid = cred_sid(cred); 1769 isec = inode->i_security; 1770 1771 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1772 } 1773 1774 /* Same as inode_has_perm, but pass explicit audit data containing 1775 the dentry to help the auditing code to more easily generate the 1776 pathname if needed. */ 1777 static inline int dentry_has_perm(const struct cred *cred, 1778 struct dentry *dentry, 1779 u32 av) 1780 { 1781 struct inode *inode = d_backing_inode(dentry); 1782 struct common_audit_data ad; 1783 1784 ad.type = LSM_AUDIT_DATA_DENTRY; 1785 ad.u.dentry = dentry; 1786 __inode_security_revalidate(inode, dentry, true); 1787 return inode_has_perm(cred, inode, av, &ad); 1788 } 1789 1790 /* Same as inode_has_perm, but pass explicit audit data containing 1791 the path to help the auditing code to more easily generate the 1792 pathname if needed. */ 1793 static inline int path_has_perm(const struct cred *cred, 1794 const struct path *path, 1795 u32 av) 1796 { 1797 struct inode *inode = d_backing_inode(path->dentry); 1798 struct common_audit_data ad; 1799 1800 ad.type = LSM_AUDIT_DATA_PATH; 1801 ad.u.path = *path; 1802 __inode_security_revalidate(inode, path->dentry, true); 1803 return inode_has_perm(cred, inode, av, &ad); 1804 } 1805 1806 /* Same as path_has_perm, but uses the inode from the file struct. */ 1807 static inline int file_path_has_perm(const struct cred *cred, 1808 struct file *file, 1809 u32 av) 1810 { 1811 struct common_audit_data ad; 1812 1813 ad.type = LSM_AUDIT_DATA_FILE; 1814 ad.u.file = file; 1815 return inode_has_perm(cred, file_inode(file), av, &ad); 1816 } 1817 1818 #ifdef CONFIG_BPF_SYSCALL 1819 static int bpf_fd_pass(struct file *file, u32 sid); 1820 #endif 1821 1822 /* Check whether a task can use an open file descriptor to 1823 access an inode in a given way. Check access to the 1824 descriptor itself, and then use dentry_has_perm to 1825 check a particular permission to the file. 1826 Access to the descriptor is implicitly granted if it 1827 has the same SID as the process. If av is zero, then 1828 access to the file is not checked, e.g. for cases 1829 where only the descriptor is affected like seek. */ 1830 static int file_has_perm(const struct cred *cred, 1831 struct file *file, 1832 u32 av) 1833 { 1834 struct file_security_struct *fsec = file->f_security; 1835 struct inode *inode = file_inode(file); 1836 struct common_audit_data ad; 1837 u32 sid = cred_sid(cred); 1838 int rc; 1839 1840 ad.type = LSM_AUDIT_DATA_FILE; 1841 ad.u.file = file; 1842 1843 if (sid != fsec->sid) { 1844 rc = avc_has_perm(sid, fsec->sid, 1845 SECCLASS_FD, 1846 FD__USE, 1847 &ad); 1848 if (rc) 1849 goto out; 1850 } 1851 1852 #ifdef CONFIG_BPF_SYSCALL 1853 rc = bpf_fd_pass(file, cred_sid(cred)); 1854 if (rc) 1855 return rc; 1856 #endif 1857 1858 /* av is zero if only checking access to the descriptor. */ 1859 rc = 0; 1860 if (av) 1861 rc = inode_has_perm(cred, inode, av, &ad); 1862 1863 out: 1864 return rc; 1865 } 1866 1867 /* 1868 * Determine the label for an inode that might be unioned. 1869 */ 1870 static int 1871 selinux_determine_inode_label(const struct task_security_struct *tsec, 1872 struct inode *dir, 1873 const struct qstr *name, u16 tclass, 1874 u32 *_new_isid) 1875 { 1876 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1877 1878 if ((sbsec->flags & SE_SBINITIALIZED) && 1879 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1880 *_new_isid = sbsec->mntpoint_sid; 1881 } else if ((sbsec->flags & SBLABEL_MNT) && 1882 tsec->create_sid) { 1883 *_new_isid = tsec->create_sid; 1884 } else { 1885 const struct inode_security_struct *dsec = inode_security(dir); 1886 return security_transition_sid(tsec->sid, dsec->sid, tclass, 1887 name, _new_isid); 1888 } 1889 1890 return 0; 1891 } 1892 1893 /* Check whether a task can create a file. */ 1894 static int may_create(struct inode *dir, 1895 struct dentry *dentry, 1896 u16 tclass) 1897 { 1898 const struct task_security_struct *tsec = current_security(); 1899 struct inode_security_struct *dsec; 1900 struct superblock_security_struct *sbsec; 1901 u32 sid, newsid; 1902 struct common_audit_data ad; 1903 int rc; 1904 1905 dsec = inode_security(dir); 1906 sbsec = dir->i_sb->s_security; 1907 1908 sid = tsec->sid; 1909 1910 ad.type = LSM_AUDIT_DATA_DENTRY; 1911 ad.u.dentry = dentry; 1912 1913 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1914 DIR__ADD_NAME | DIR__SEARCH, 1915 &ad); 1916 if (rc) 1917 return rc; 1918 1919 rc = selinux_determine_inode_label(current_security(), dir, 1920 &dentry->d_name, tclass, &newsid); 1921 if (rc) 1922 return rc; 1923 1924 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1925 if (rc) 1926 return rc; 1927 1928 return avc_has_perm(newsid, sbsec->sid, 1929 SECCLASS_FILESYSTEM, 1930 FILESYSTEM__ASSOCIATE, &ad); 1931 } 1932 1933 #define MAY_LINK 0 1934 #define MAY_UNLINK 1 1935 #define MAY_RMDIR 2 1936 1937 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1938 static int may_link(struct inode *dir, 1939 struct dentry *dentry, 1940 int kind) 1941 1942 { 1943 struct inode_security_struct *dsec, *isec; 1944 struct common_audit_data ad; 1945 u32 sid = current_sid(); 1946 u32 av; 1947 int rc; 1948 1949 dsec = inode_security(dir); 1950 isec = backing_inode_security(dentry); 1951 1952 ad.type = LSM_AUDIT_DATA_DENTRY; 1953 ad.u.dentry = dentry; 1954 1955 av = DIR__SEARCH; 1956 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1957 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1958 if (rc) 1959 return rc; 1960 1961 switch (kind) { 1962 case MAY_LINK: 1963 av = FILE__LINK; 1964 break; 1965 case MAY_UNLINK: 1966 av = FILE__UNLINK; 1967 break; 1968 case MAY_RMDIR: 1969 av = DIR__RMDIR; 1970 break; 1971 default: 1972 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", 1973 __func__, kind); 1974 return 0; 1975 } 1976 1977 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1978 return rc; 1979 } 1980 1981 static inline int may_rename(struct inode *old_dir, 1982 struct dentry *old_dentry, 1983 struct inode *new_dir, 1984 struct dentry *new_dentry) 1985 { 1986 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1987 struct common_audit_data ad; 1988 u32 sid = current_sid(); 1989 u32 av; 1990 int old_is_dir, new_is_dir; 1991 int rc; 1992 1993 old_dsec = inode_security(old_dir); 1994 old_isec = backing_inode_security(old_dentry); 1995 old_is_dir = d_is_dir(old_dentry); 1996 new_dsec = inode_security(new_dir); 1997 1998 ad.type = LSM_AUDIT_DATA_DENTRY; 1999 2000 ad.u.dentry = old_dentry; 2001 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 2002 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 2003 if (rc) 2004 return rc; 2005 rc = avc_has_perm(sid, old_isec->sid, 2006 old_isec->sclass, FILE__RENAME, &ad); 2007 if (rc) 2008 return rc; 2009 if (old_is_dir && new_dir != old_dir) { 2010 rc = avc_has_perm(sid, old_isec->sid, 2011 old_isec->sclass, DIR__REPARENT, &ad); 2012 if (rc) 2013 return rc; 2014 } 2015 2016 ad.u.dentry = new_dentry; 2017 av = DIR__ADD_NAME | DIR__SEARCH; 2018 if (d_is_positive(new_dentry)) 2019 av |= DIR__REMOVE_NAME; 2020 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 2021 if (rc) 2022 return rc; 2023 if (d_is_positive(new_dentry)) { 2024 new_isec = backing_inode_security(new_dentry); 2025 new_is_dir = d_is_dir(new_dentry); 2026 rc = avc_has_perm(sid, new_isec->sid, 2027 new_isec->sclass, 2028 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 2029 if (rc) 2030 return rc; 2031 } 2032 2033 return 0; 2034 } 2035 2036 /* Check whether a task can perform a filesystem operation. */ 2037 static int superblock_has_perm(const struct cred *cred, 2038 struct super_block *sb, 2039 u32 perms, 2040 struct common_audit_data *ad) 2041 { 2042 struct superblock_security_struct *sbsec; 2043 u32 sid = cred_sid(cred); 2044 2045 sbsec = sb->s_security; 2046 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 2047 } 2048 2049 /* Convert a Linux mode and permission mask to an access vector. */ 2050 static inline u32 file_mask_to_av(int mode, int mask) 2051 { 2052 u32 av = 0; 2053 2054 if (!S_ISDIR(mode)) { 2055 if (mask & MAY_EXEC) 2056 av |= FILE__EXECUTE; 2057 if (mask & MAY_READ) 2058 av |= FILE__READ; 2059 2060 if (mask & MAY_APPEND) 2061 av |= FILE__APPEND; 2062 else if (mask & MAY_WRITE) 2063 av |= FILE__WRITE; 2064 2065 } else { 2066 if (mask & MAY_EXEC) 2067 av |= DIR__SEARCH; 2068 if (mask & MAY_WRITE) 2069 av |= DIR__WRITE; 2070 if (mask & MAY_READ) 2071 av |= DIR__READ; 2072 } 2073 2074 return av; 2075 } 2076 2077 /* Convert a Linux file to an access vector. */ 2078 static inline u32 file_to_av(struct file *file) 2079 { 2080 u32 av = 0; 2081 2082 if (file->f_mode & FMODE_READ) 2083 av |= FILE__READ; 2084 if (file->f_mode & FMODE_WRITE) { 2085 if (file->f_flags & O_APPEND) 2086 av |= FILE__APPEND; 2087 else 2088 av |= FILE__WRITE; 2089 } 2090 if (!av) { 2091 /* 2092 * Special file opened with flags 3 for ioctl-only use. 2093 */ 2094 av = FILE__IOCTL; 2095 } 2096 2097 return av; 2098 } 2099 2100 /* 2101 * Convert a file to an access vector and include the correct open 2102 * open permission. 2103 */ 2104 static inline u32 open_file_to_av(struct file *file) 2105 { 2106 u32 av = file_to_av(file); 2107 struct inode *inode = file_inode(file); 2108 2109 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC) 2110 av |= FILE__OPEN; 2111 2112 return av; 2113 } 2114 2115 /* Hook functions begin here. */ 2116 2117 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2118 { 2119 u32 mysid = current_sid(); 2120 u32 mgrsid = task_sid(mgr); 2121 2122 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, 2123 BINDER__SET_CONTEXT_MGR, NULL); 2124 } 2125 2126 static int selinux_binder_transaction(struct task_struct *from, 2127 struct task_struct *to) 2128 { 2129 u32 mysid = current_sid(); 2130 u32 fromsid = task_sid(from); 2131 u32 tosid = task_sid(to); 2132 int rc; 2133 2134 if (mysid != fromsid) { 2135 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2136 BINDER__IMPERSONATE, NULL); 2137 if (rc) 2138 return rc; 2139 } 2140 2141 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2142 NULL); 2143 } 2144 2145 static int selinux_binder_transfer_binder(struct task_struct *from, 2146 struct task_struct *to) 2147 { 2148 u32 fromsid = task_sid(from); 2149 u32 tosid = task_sid(to); 2150 2151 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2152 NULL); 2153 } 2154 2155 static int selinux_binder_transfer_file(struct task_struct *from, 2156 struct task_struct *to, 2157 struct file *file) 2158 { 2159 u32 sid = task_sid(to); 2160 struct file_security_struct *fsec = file->f_security; 2161 struct dentry *dentry = file->f_path.dentry; 2162 struct inode_security_struct *isec; 2163 struct common_audit_data ad; 2164 int rc; 2165 2166 ad.type = LSM_AUDIT_DATA_PATH; 2167 ad.u.path = file->f_path; 2168 2169 if (sid != fsec->sid) { 2170 rc = avc_has_perm(sid, fsec->sid, 2171 SECCLASS_FD, 2172 FD__USE, 2173 &ad); 2174 if (rc) 2175 return rc; 2176 } 2177 2178 #ifdef CONFIG_BPF_SYSCALL 2179 rc = bpf_fd_pass(file, sid); 2180 if (rc) 2181 return rc; 2182 #endif 2183 2184 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2185 return 0; 2186 2187 isec = backing_inode_security(dentry); 2188 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2189 &ad); 2190 } 2191 2192 static int selinux_ptrace_access_check(struct task_struct *child, 2193 unsigned int mode) 2194 { 2195 u32 sid = current_sid(); 2196 u32 csid = task_sid(child); 2197 2198 if (mode & PTRACE_MODE_READ) 2199 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2200 2201 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2202 } 2203 2204 static int selinux_ptrace_traceme(struct task_struct *parent) 2205 { 2206 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS, 2207 PROCESS__PTRACE, NULL); 2208 } 2209 2210 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2211 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2212 { 2213 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS, 2214 PROCESS__GETCAP, NULL); 2215 } 2216 2217 static int selinux_capset(struct cred *new, const struct cred *old, 2218 const kernel_cap_t *effective, 2219 const kernel_cap_t *inheritable, 2220 const kernel_cap_t *permitted) 2221 { 2222 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2223 PROCESS__SETCAP, NULL); 2224 } 2225 2226 /* 2227 * (This comment used to live with the selinux_task_setuid hook, 2228 * which was removed). 2229 * 2230 * Since setuid only affects the current process, and since the SELinux 2231 * controls are not based on the Linux identity attributes, SELinux does not 2232 * need to control this operation. However, SELinux does control the use of 2233 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2234 */ 2235 2236 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2237 int cap, int audit) 2238 { 2239 return cred_has_capability(cred, cap, audit, ns == &init_user_ns); 2240 } 2241 2242 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2243 { 2244 const struct cred *cred = current_cred(); 2245 int rc = 0; 2246 2247 if (!sb) 2248 return 0; 2249 2250 switch (cmds) { 2251 case Q_SYNC: 2252 case Q_QUOTAON: 2253 case Q_QUOTAOFF: 2254 case Q_SETINFO: 2255 case Q_SETQUOTA: 2256 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2257 break; 2258 case Q_GETFMT: 2259 case Q_GETINFO: 2260 case Q_GETQUOTA: 2261 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2262 break; 2263 default: 2264 rc = 0; /* let the kernel handle invalid cmds */ 2265 break; 2266 } 2267 return rc; 2268 } 2269 2270 static int selinux_quota_on(struct dentry *dentry) 2271 { 2272 const struct cred *cred = current_cred(); 2273 2274 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2275 } 2276 2277 static int selinux_syslog(int type) 2278 { 2279 switch (type) { 2280 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2281 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2282 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2283 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2284 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2285 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2286 /* Set level of messages printed to console */ 2287 case SYSLOG_ACTION_CONSOLE_LEVEL: 2288 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2289 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2290 NULL); 2291 } 2292 /* All other syslog types */ 2293 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2294 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2295 } 2296 2297 /* 2298 * Check that a process has enough memory to allocate a new virtual 2299 * mapping. 0 means there is enough memory for the allocation to 2300 * succeed and -ENOMEM implies there is not. 2301 * 2302 * Do not audit the selinux permission check, as this is applied to all 2303 * processes that allocate mappings. 2304 */ 2305 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2306 { 2307 int rc, cap_sys_admin = 0; 2308 2309 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2310 SECURITY_CAP_NOAUDIT, true); 2311 if (rc == 0) 2312 cap_sys_admin = 1; 2313 2314 return cap_sys_admin; 2315 } 2316 2317 /* binprm security operations */ 2318 2319 static u32 ptrace_parent_sid(void) 2320 { 2321 u32 sid = 0; 2322 struct task_struct *tracer; 2323 2324 rcu_read_lock(); 2325 tracer = ptrace_parent(current); 2326 if (tracer) 2327 sid = task_sid(tracer); 2328 rcu_read_unlock(); 2329 2330 return sid; 2331 } 2332 2333 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2334 const struct task_security_struct *old_tsec, 2335 const struct task_security_struct *new_tsec) 2336 { 2337 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2338 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2339 int rc; 2340 u32 av; 2341 2342 if (!nnp && !nosuid) 2343 return 0; /* neither NNP nor nosuid */ 2344 2345 if (new_tsec->sid == old_tsec->sid) 2346 return 0; /* No change in credentials */ 2347 2348 /* 2349 * If the policy enables the nnp_nosuid_transition policy capability, 2350 * then we permit transitions under NNP or nosuid if the 2351 * policy allows the corresponding permission between 2352 * the old and new contexts. 2353 */ 2354 if (selinux_policycap_nnp_nosuid_transition) { 2355 av = 0; 2356 if (nnp) 2357 av |= PROCESS2__NNP_TRANSITION; 2358 if (nosuid) 2359 av |= PROCESS2__NOSUID_TRANSITION; 2360 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2361 SECCLASS_PROCESS2, av, NULL); 2362 if (!rc) 2363 return 0; 2364 } 2365 2366 /* 2367 * We also permit NNP or nosuid transitions to bounded SIDs, 2368 * i.e. SIDs that are guaranteed to only be allowed a subset 2369 * of the permissions of the current SID. 2370 */ 2371 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); 2372 if (!rc) 2373 return 0; 2374 2375 /* 2376 * On failure, preserve the errno values for NNP vs nosuid. 2377 * NNP: Operation not permitted for caller. 2378 * nosuid: Permission denied to file. 2379 */ 2380 if (nnp) 2381 return -EPERM; 2382 return -EACCES; 2383 } 2384 2385 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2386 { 2387 const struct task_security_struct *old_tsec; 2388 struct task_security_struct *new_tsec; 2389 struct inode_security_struct *isec; 2390 struct common_audit_data ad; 2391 struct inode *inode = file_inode(bprm->file); 2392 int rc; 2393 2394 /* SELinux context only depends on initial program or script and not 2395 * the script interpreter */ 2396 if (bprm->called_set_creds) 2397 return 0; 2398 2399 old_tsec = current_security(); 2400 new_tsec = bprm->cred->security; 2401 isec = inode_security(inode); 2402 2403 /* Default to the current task SID. */ 2404 new_tsec->sid = old_tsec->sid; 2405 new_tsec->osid = old_tsec->sid; 2406 2407 /* Reset fs, key, and sock SIDs on execve. */ 2408 new_tsec->create_sid = 0; 2409 new_tsec->keycreate_sid = 0; 2410 new_tsec->sockcreate_sid = 0; 2411 2412 if (old_tsec->exec_sid) { 2413 new_tsec->sid = old_tsec->exec_sid; 2414 /* Reset exec SID on execve. */ 2415 new_tsec->exec_sid = 0; 2416 2417 /* Fail on NNP or nosuid if not an allowed transition. */ 2418 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2419 if (rc) 2420 return rc; 2421 } else { 2422 /* Check for a default transition on this program. */ 2423 rc = security_transition_sid(old_tsec->sid, isec->sid, 2424 SECCLASS_PROCESS, NULL, 2425 &new_tsec->sid); 2426 if (rc) 2427 return rc; 2428 2429 /* 2430 * Fallback to old SID on NNP or nosuid if not an allowed 2431 * transition. 2432 */ 2433 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2434 if (rc) 2435 new_tsec->sid = old_tsec->sid; 2436 } 2437 2438 ad.type = LSM_AUDIT_DATA_FILE; 2439 ad.u.file = bprm->file; 2440 2441 if (new_tsec->sid == old_tsec->sid) { 2442 rc = avc_has_perm(old_tsec->sid, isec->sid, 2443 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2444 if (rc) 2445 return rc; 2446 } else { 2447 /* Check permissions for the transition. */ 2448 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2449 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2450 if (rc) 2451 return rc; 2452 2453 rc = avc_has_perm(new_tsec->sid, isec->sid, 2454 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2455 if (rc) 2456 return rc; 2457 2458 /* Check for shared state */ 2459 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2460 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2461 SECCLASS_PROCESS, PROCESS__SHARE, 2462 NULL); 2463 if (rc) 2464 return -EPERM; 2465 } 2466 2467 /* Make sure that anyone attempting to ptrace over a task that 2468 * changes its SID has the appropriate permit */ 2469 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2470 u32 ptsid = ptrace_parent_sid(); 2471 if (ptsid != 0) { 2472 rc = avc_has_perm(ptsid, new_tsec->sid, 2473 SECCLASS_PROCESS, 2474 PROCESS__PTRACE, NULL); 2475 if (rc) 2476 return -EPERM; 2477 } 2478 } 2479 2480 /* Clear any possibly unsafe personality bits on exec: */ 2481 bprm->per_clear |= PER_CLEAR_ON_SETID; 2482 2483 /* Enable secure mode for SIDs transitions unless 2484 the noatsecure permission is granted between 2485 the two SIDs, i.e. ahp returns 0. */ 2486 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2487 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2488 NULL); 2489 bprm->secureexec |= !!rc; 2490 } 2491 2492 return 0; 2493 } 2494 2495 static int match_file(const void *p, struct file *file, unsigned fd) 2496 { 2497 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2498 } 2499 2500 /* Derived from fs/exec.c:flush_old_files. */ 2501 static inline void flush_unauthorized_files(const struct cred *cred, 2502 struct files_struct *files) 2503 { 2504 struct file *file, *devnull = NULL; 2505 struct tty_struct *tty; 2506 int drop_tty = 0; 2507 unsigned n; 2508 2509 tty = get_current_tty(); 2510 if (tty) { 2511 spin_lock(&tty->files_lock); 2512 if (!list_empty(&tty->tty_files)) { 2513 struct tty_file_private *file_priv; 2514 2515 /* Revalidate access to controlling tty. 2516 Use file_path_has_perm on the tty path directly 2517 rather than using file_has_perm, as this particular 2518 open file may belong to another process and we are 2519 only interested in the inode-based check here. */ 2520 file_priv = list_first_entry(&tty->tty_files, 2521 struct tty_file_private, list); 2522 file = file_priv->file; 2523 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2524 drop_tty = 1; 2525 } 2526 spin_unlock(&tty->files_lock); 2527 tty_kref_put(tty); 2528 } 2529 /* Reset controlling tty. */ 2530 if (drop_tty) 2531 no_tty(); 2532 2533 /* Revalidate access to inherited open files. */ 2534 n = iterate_fd(files, 0, match_file, cred); 2535 if (!n) /* none found? */ 2536 return; 2537 2538 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2539 if (IS_ERR(devnull)) 2540 devnull = NULL; 2541 /* replace all the matching ones with this */ 2542 do { 2543 replace_fd(n - 1, devnull, 0); 2544 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2545 if (devnull) 2546 fput(devnull); 2547 } 2548 2549 /* 2550 * Prepare a process for imminent new credential changes due to exec 2551 */ 2552 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2553 { 2554 struct task_security_struct *new_tsec; 2555 struct rlimit *rlim, *initrlim; 2556 int rc, i; 2557 2558 new_tsec = bprm->cred->security; 2559 if (new_tsec->sid == new_tsec->osid) 2560 return; 2561 2562 /* Close files for which the new task SID is not authorized. */ 2563 flush_unauthorized_files(bprm->cred, current->files); 2564 2565 /* Always clear parent death signal on SID transitions. */ 2566 current->pdeath_signal = 0; 2567 2568 /* Check whether the new SID can inherit resource limits from the old 2569 * SID. If not, reset all soft limits to the lower of the current 2570 * task's hard limit and the init task's soft limit. 2571 * 2572 * Note that the setting of hard limits (even to lower them) can be 2573 * controlled by the setrlimit check. The inclusion of the init task's 2574 * soft limit into the computation is to avoid resetting soft limits 2575 * higher than the default soft limit for cases where the default is 2576 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2577 */ 2578 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2579 PROCESS__RLIMITINH, NULL); 2580 if (rc) { 2581 /* protect against do_prlimit() */ 2582 task_lock(current); 2583 for (i = 0; i < RLIM_NLIMITS; i++) { 2584 rlim = current->signal->rlim + i; 2585 initrlim = init_task.signal->rlim + i; 2586 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2587 } 2588 task_unlock(current); 2589 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2590 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2591 } 2592 } 2593 2594 /* 2595 * Clean up the process immediately after the installation of new credentials 2596 * due to exec 2597 */ 2598 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2599 { 2600 const struct task_security_struct *tsec = current_security(); 2601 struct itimerval itimer; 2602 u32 osid, sid; 2603 int rc, i; 2604 2605 osid = tsec->osid; 2606 sid = tsec->sid; 2607 2608 if (sid == osid) 2609 return; 2610 2611 /* Check whether the new SID can inherit signal state from the old SID. 2612 * If not, clear itimers to avoid subsequent signal generation and 2613 * flush and unblock signals. 2614 * 2615 * This must occur _after_ the task SID has been updated so that any 2616 * kill done after the flush will be checked against the new SID. 2617 */ 2618 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2619 if (rc) { 2620 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2621 memset(&itimer, 0, sizeof itimer); 2622 for (i = 0; i < 3; i++) 2623 do_setitimer(i, &itimer, NULL); 2624 } 2625 spin_lock_irq(¤t->sighand->siglock); 2626 if (!fatal_signal_pending(current)) { 2627 flush_sigqueue(¤t->pending); 2628 flush_sigqueue(¤t->signal->shared_pending); 2629 flush_signal_handlers(current, 1); 2630 sigemptyset(¤t->blocked); 2631 recalc_sigpending(); 2632 } 2633 spin_unlock_irq(¤t->sighand->siglock); 2634 } 2635 2636 /* Wake up the parent if it is waiting so that it can recheck 2637 * wait permission to the new task SID. */ 2638 read_lock(&tasklist_lock); 2639 __wake_up_parent(current, current->real_parent); 2640 read_unlock(&tasklist_lock); 2641 } 2642 2643 /* superblock security operations */ 2644 2645 static int selinux_sb_alloc_security(struct super_block *sb) 2646 { 2647 return superblock_alloc_security(sb); 2648 } 2649 2650 static void selinux_sb_free_security(struct super_block *sb) 2651 { 2652 superblock_free_security(sb); 2653 } 2654 2655 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2656 { 2657 if (plen > olen) 2658 return 0; 2659 2660 return !memcmp(prefix, option, plen); 2661 } 2662 2663 static inline int selinux_option(char *option, int len) 2664 { 2665 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2666 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2667 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2668 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || 2669 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); 2670 } 2671 2672 static inline void take_option(char **to, char *from, int *first, int len) 2673 { 2674 if (!*first) { 2675 **to = ','; 2676 *to += 1; 2677 } else 2678 *first = 0; 2679 memcpy(*to, from, len); 2680 *to += len; 2681 } 2682 2683 static inline void take_selinux_option(char **to, char *from, int *first, 2684 int len) 2685 { 2686 int current_size = 0; 2687 2688 if (!*first) { 2689 **to = '|'; 2690 *to += 1; 2691 } else 2692 *first = 0; 2693 2694 while (current_size < len) { 2695 if (*from != '"') { 2696 **to = *from; 2697 *to += 1; 2698 } 2699 from += 1; 2700 current_size += 1; 2701 } 2702 } 2703 2704 static int selinux_sb_copy_data(char *orig, char *copy) 2705 { 2706 int fnosec, fsec, rc = 0; 2707 char *in_save, *in_curr, *in_end; 2708 char *sec_curr, *nosec_save, *nosec; 2709 int open_quote = 0; 2710 2711 in_curr = orig; 2712 sec_curr = copy; 2713 2714 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2715 if (!nosec) { 2716 rc = -ENOMEM; 2717 goto out; 2718 } 2719 2720 nosec_save = nosec; 2721 fnosec = fsec = 1; 2722 in_save = in_end = orig; 2723 2724 do { 2725 if (*in_end == '"') 2726 open_quote = !open_quote; 2727 if ((*in_end == ',' && open_quote == 0) || 2728 *in_end == '\0') { 2729 int len = in_end - in_curr; 2730 2731 if (selinux_option(in_curr, len)) 2732 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2733 else 2734 take_option(&nosec, in_curr, &fnosec, len); 2735 2736 in_curr = in_end + 1; 2737 } 2738 } while (*in_end++); 2739 2740 strcpy(in_save, nosec_save); 2741 free_page((unsigned long)nosec_save); 2742 out: 2743 return rc; 2744 } 2745 2746 static int selinux_sb_remount(struct super_block *sb, void *data) 2747 { 2748 int rc, i, *flags; 2749 struct security_mnt_opts opts; 2750 char *secdata, **mount_options; 2751 struct superblock_security_struct *sbsec = sb->s_security; 2752 2753 if (!(sbsec->flags & SE_SBINITIALIZED)) 2754 return 0; 2755 2756 if (!data) 2757 return 0; 2758 2759 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 2760 return 0; 2761 2762 security_init_mnt_opts(&opts); 2763 secdata = alloc_secdata(); 2764 if (!secdata) 2765 return -ENOMEM; 2766 rc = selinux_sb_copy_data(data, secdata); 2767 if (rc) 2768 goto out_free_secdata; 2769 2770 rc = selinux_parse_opts_str(secdata, &opts); 2771 if (rc) 2772 goto out_free_secdata; 2773 2774 mount_options = opts.mnt_opts; 2775 flags = opts.mnt_opts_flags; 2776 2777 for (i = 0; i < opts.num_mnt_opts; i++) { 2778 u32 sid; 2779 2780 if (flags[i] == SBLABEL_MNT) 2781 continue; 2782 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 2783 if (rc) { 2784 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 2785 "(%s) failed for (dev %s, type %s) errno=%d\n", 2786 mount_options[i], sb->s_id, sb->s_type->name, rc); 2787 goto out_free_opts; 2788 } 2789 rc = -EINVAL; 2790 switch (flags[i]) { 2791 case FSCONTEXT_MNT: 2792 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2793 goto out_bad_option; 2794 break; 2795 case CONTEXT_MNT: 2796 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2797 goto out_bad_option; 2798 break; 2799 case ROOTCONTEXT_MNT: { 2800 struct inode_security_struct *root_isec; 2801 root_isec = backing_inode_security(sb->s_root); 2802 2803 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2804 goto out_bad_option; 2805 break; 2806 } 2807 case DEFCONTEXT_MNT: 2808 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2809 goto out_bad_option; 2810 break; 2811 default: 2812 goto out_free_opts; 2813 } 2814 } 2815 2816 rc = 0; 2817 out_free_opts: 2818 security_free_mnt_opts(&opts); 2819 out_free_secdata: 2820 free_secdata(secdata); 2821 return rc; 2822 out_bad_option: 2823 printk(KERN_WARNING "SELinux: unable to change security options " 2824 "during remount (dev %s, type=%s)\n", sb->s_id, 2825 sb->s_type->name); 2826 goto out_free_opts; 2827 } 2828 2829 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2830 { 2831 const struct cred *cred = current_cred(); 2832 struct common_audit_data ad; 2833 int rc; 2834 2835 rc = superblock_doinit(sb, data); 2836 if (rc) 2837 return rc; 2838 2839 /* Allow all mounts performed by the kernel */ 2840 if (flags & MS_KERNMOUNT) 2841 return 0; 2842 2843 ad.type = LSM_AUDIT_DATA_DENTRY; 2844 ad.u.dentry = sb->s_root; 2845 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2846 } 2847 2848 static int selinux_sb_statfs(struct dentry *dentry) 2849 { 2850 const struct cred *cred = current_cred(); 2851 struct common_audit_data ad; 2852 2853 ad.type = LSM_AUDIT_DATA_DENTRY; 2854 ad.u.dentry = dentry->d_sb->s_root; 2855 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2856 } 2857 2858 static int selinux_mount(const char *dev_name, 2859 const struct path *path, 2860 const char *type, 2861 unsigned long flags, 2862 void *data) 2863 { 2864 const struct cred *cred = current_cred(); 2865 2866 if (flags & MS_REMOUNT) 2867 return superblock_has_perm(cred, path->dentry->d_sb, 2868 FILESYSTEM__REMOUNT, NULL); 2869 else 2870 return path_has_perm(cred, path, FILE__MOUNTON); 2871 } 2872 2873 static int selinux_umount(struct vfsmount *mnt, int flags) 2874 { 2875 const struct cred *cred = current_cred(); 2876 2877 return superblock_has_perm(cred, mnt->mnt_sb, 2878 FILESYSTEM__UNMOUNT, NULL); 2879 } 2880 2881 /* inode security operations */ 2882 2883 static int selinux_inode_alloc_security(struct inode *inode) 2884 { 2885 return inode_alloc_security(inode); 2886 } 2887 2888 static void selinux_inode_free_security(struct inode *inode) 2889 { 2890 inode_free_security(inode); 2891 } 2892 2893 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2894 const struct qstr *name, void **ctx, 2895 u32 *ctxlen) 2896 { 2897 u32 newsid; 2898 int rc; 2899 2900 rc = selinux_determine_inode_label(current_security(), 2901 d_inode(dentry->d_parent), name, 2902 inode_mode_to_security_class(mode), 2903 &newsid); 2904 if (rc) 2905 return rc; 2906 2907 return security_sid_to_context(newsid, (char **)ctx, ctxlen); 2908 } 2909 2910 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2911 struct qstr *name, 2912 const struct cred *old, 2913 struct cred *new) 2914 { 2915 u32 newsid; 2916 int rc; 2917 struct task_security_struct *tsec; 2918 2919 rc = selinux_determine_inode_label(old->security, 2920 d_inode(dentry->d_parent), name, 2921 inode_mode_to_security_class(mode), 2922 &newsid); 2923 if (rc) 2924 return rc; 2925 2926 tsec = new->security; 2927 tsec->create_sid = newsid; 2928 return 0; 2929 } 2930 2931 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2932 const struct qstr *qstr, 2933 const char **name, 2934 void **value, size_t *len) 2935 { 2936 const struct task_security_struct *tsec = current_security(); 2937 struct superblock_security_struct *sbsec; 2938 u32 newsid, clen; 2939 int rc; 2940 char *context; 2941 2942 sbsec = dir->i_sb->s_security; 2943 2944 newsid = tsec->create_sid; 2945 2946 rc = selinux_determine_inode_label(current_security(), 2947 dir, qstr, 2948 inode_mode_to_security_class(inode->i_mode), 2949 &newsid); 2950 if (rc) 2951 return rc; 2952 2953 /* Possibly defer initialization to selinux_complete_init. */ 2954 if (sbsec->flags & SE_SBINITIALIZED) { 2955 struct inode_security_struct *isec = inode->i_security; 2956 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2957 isec->sid = newsid; 2958 isec->initialized = LABEL_INITIALIZED; 2959 } 2960 2961 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT)) 2962 return -EOPNOTSUPP; 2963 2964 if (name) 2965 *name = XATTR_SELINUX_SUFFIX; 2966 2967 if (value && len) { 2968 rc = security_sid_to_context_force(newsid, &context, &clen); 2969 if (rc) 2970 return rc; 2971 *value = context; 2972 *len = clen; 2973 } 2974 2975 return 0; 2976 } 2977 2978 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 2979 { 2980 return may_create(dir, dentry, SECCLASS_FILE); 2981 } 2982 2983 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2984 { 2985 return may_link(dir, old_dentry, MAY_LINK); 2986 } 2987 2988 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2989 { 2990 return may_link(dir, dentry, MAY_UNLINK); 2991 } 2992 2993 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2994 { 2995 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2996 } 2997 2998 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 2999 { 3000 return may_create(dir, dentry, SECCLASS_DIR); 3001 } 3002 3003 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 3004 { 3005 return may_link(dir, dentry, MAY_RMDIR); 3006 } 3007 3008 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 3009 { 3010 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 3011 } 3012 3013 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3014 struct inode *new_inode, struct dentry *new_dentry) 3015 { 3016 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3017 } 3018 3019 static int selinux_inode_readlink(struct dentry *dentry) 3020 { 3021 const struct cred *cred = current_cred(); 3022 3023 return dentry_has_perm(cred, dentry, FILE__READ); 3024 } 3025 3026 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3027 bool rcu) 3028 { 3029 const struct cred *cred = current_cred(); 3030 struct common_audit_data ad; 3031 struct inode_security_struct *isec; 3032 u32 sid; 3033 3034 validate_creds(cred); 3035 3036 ad.type = LSM_AUDIT_DATA_DENTRY; 3037 ad.u.dentry = dentry; 3038 sid = cred_sid(cred); 3039 isec = inode_security_rcu(inode, rcu); 3040 if (IS_ERR(isec)) 3041 return PTR_ERR(isec); 3042 3043 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad, 3044 rcu ? MAY_NOT_BLOCK : 0); 3045 } 3046 3047 static noinline int audit_inode_permission(struct inode *inode, 3048 u32 perms, u32 audited, u32 denied, 3049 int result, 3050 unsigned flags) 3051 { 3052 struct common_audit_data ad; 3053 struct inode_security_struct *isec = inode->i_security; 3054 int rc; 3055 3056 ad.type = LSM_AUDIT_DATA_INODE; 3057 ad.u.inode = inode; 3058 3059 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3060 audited, denied, result, &ad, flags); 3061 if (rc) 3062 return rc; 3063 return 0; 3064 } 3065 3066 static int selinux_inode_permission(struct inode *inode, int mask) 3067 { 3068 const struct cred *cred = current_cred(); 3069 u32 perms; 3070 bool from_access; 3071 unsigned flags = mask & MAY_NOT_BLOCK; 3072 struct inode_security_struct *isec; 3073 u32 sid; 3074 struct av_decision avd; 3075 int rc, rc2; 3076 u32 audited, denied; 3077 3078 from_access = mask & MAY_ACCESS; 3079 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3080 3081 /* No permission to check. Existence test. */ 3082 if (!mask) 3083 return 0; 3084 3085 validate_creds(cred); 3086 3087 if (unlikely(IS_PRIVATE(inode))) 3088 return 0; 3089 3090 perms = file_mask_to_av(inode->i_mode, mask); 3091 3092 sid = cred_sid(cred); 3093 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK); 3094 if (IS_ERR(isec)) 3095 return PTR_ERR(isec); 3096 3097 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); 3098 audited = avc_audit_required(perms, &avd, rc, 3099 from_access ? FILE__AUDIT_ACCESS : 0, 3100 &denied); 3101 if (likely(!audited)) 3102 return rc; 3103 3104 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); 3105 if (rc2) 3106 return rc2; 3107 return rc; 3108 } 3109 3110 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3111 { 3112 const struct cred *cred = current_cred(); 3113 struct inode *inode = d_backing_inode(dentry); 3114 unsigned int ia_valid = iattr->ia_valid; 3115 __u32 av = FILE__WRITE; 3116 3117 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3118 if (ia_valid & ATTR_FORCE) { 3119 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3120 ATTR_FORCE); 3121 if (!ia_valid) 3122 return 0; 3123 } 3124 3125 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3126 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3127 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3128 3129 if (selinux_policycap_openperm && 3130 inode->i_sb->s_magic != SOCKFS_MAGIC && 3131 (ia_valid & ATTR_SIZE) && 3132 !(ia_valid & ATTR_FILE)) 3133 av |= FILE__OPEN; 3134 3135 return dentry_has_perm(cred, dentry, av); 3136 } 3137 3138 static int selinux_inode_getattr(const struct path *path) 3139 { 3140 return path_has_perm(current_cred(), path, FILE__GETATTR); 3141 } 3142 3143 static bool has_cap_mac_admin(bool audit) 3144 { 3145 const struct cred *cred = current_cred(); 3146 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT; 3147 3148 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit)) 3149 return false; 3150 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true)) 3151 return false; 3152 return true; 3153 } 3154 3155 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3156 const void *value, size_t size, int flags) 3157 { 3158 struct inode *inode = d_backing_inode(dentry); 3159 struct inode_security_struct *isec; 3160 struct superblock_security_struct *sbsec; 3161 struct common_audit_data ad; 3162 u32 newsid, sid = current_sid(); 3163 int rc = 0; 3164 3165 if (strcmp(name, XATTR_NAME_SELINUX)) { 3166 rc = cap_inode_setxattr(dentry, name, value, size, flags); 3167 if (rc) 3168 return rc; 3169 3170 /* Not an attribute we recognize, so just check the 3171 ordinary setattr permission. */ 3172 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3173 } 3174 3175 sbsec = inode->i_sb->s_security; 3176 if (!(sbsec->flags & SBLABEL_MNT)) 3177 return -EOPNOTSUPP; 3178 3179 if (!inode_owner_or_capable(inode)) 3180 return -EPERM; 3181 3182 ad.type = LSM_AUDIT_DATA_DENTRY; 3183 ad.u.dentry = dentry; 3184 3185 isec = backing_inode_security(dentry); 3186 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3187 FILE__RELABELFROM, &ad); 3188 if (rc) 3189 return rc; 3190 3191 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3192 if (rc == -EINVAL) { 3193 if (!has_cap_mac_admin(true)) { 3194 struct audit_buffer *ab; 3195 size_t audit_size; 3196 3197 /* We strip a nul only if it is at the end, otherwise the 3198 * context contains a nul and we should audit that */ 3199 if (value) { 3200 const char *str = value; 3201 3202 if (str[size - 1] == '\0') 3203 audit_size = size - 1; 3204 else 3205 audit_size = size; 3206 } else { 3207 audit_size = 0; 3208 } 3209 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 3210 audit_log_format(ab, "op=setxattr invalid_context="); 3211 audit_log_n_untrustedstring(ab, value, audit_size); 3212 audit_log_end(ab); 3213 3214 return rc; 3215 } 3216 rc = security_context_to_sid_force(value, size, &newsid); 3217 } 3218 if (rc) 3219 return rc; 3220 3221 rc = avc_has_perm(sid, newsid, isec->sclass, 3222 FILE__RELABELTO, &ad); 3223 if (rc) 3224 return rc; 3225 3226 rc = security_validate_transition(isec->sid, newsid, sid, 3227 isec->sclass); 3228 if (rc) 3229 return rc; 3230 3231 return avc_has_perm(newsid, 3232 sbsec->sid, 3233 SECCLASS_FILESYSTEM, 3234 FILESYSTEM__ASSOCIATE, 3235 &ad); 3236 } 3237 3238 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3239 const void *value, size_t size, 3240 int flags) 3241 { 3242 struct inode *inode = d_backing_inode(dentry); 3243 struct inode_security_struct *isec; 3244 u32 newsid; 3245 int rc; 3246 3247 if (strcmp(name, XATTR_NAME_SELINUX)) { 3248 /* Not an attribute we recognize, so nothing to do. */ 3249 return; 3250 } 3251 3252 rc = security_context_to_sid_force(value, size, &newsid); 3253 if (rc) { 3254 printk(KERN_ERR "SELinux: unable to map context to SID" 3255 "for (%s, %lu), rc=%d\n", 3256 inode->i_sb->s_id, inode->i_ino, -rc); 3257 return; 3258 } 3259 3260 isec = backing_inode_security(dentry); 3261 spin_lock(&isec->lock); 3262 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3263 isec->sid = newsid; 3264 isec->initialized = LABEL_INITIALIZED; 3265 spin_unlock(&isec->lock); 3266 3267 return; 3268 } 3269 3270 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3271 { 3272 const struct cred *cred = current_cred(); 3273 3274 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3275 } 3276 3277 static int selinux_inode_listxattr(struct dentry *dentry) 3278 { 3279 const struct cred *cred = current_cred(); 3280 3281 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3282 } 3283 3284 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3285 { 3286 if (strcmp(name, XATTR_NAME_SELINUX)) { 3287 int rc = cap_inode_removexattr(dentry, name); 3288 if (rc) 3289 return rc; 3290 3291 /* Not an attribute we recognize, so just check the 3292 ordinary setattr permission. */ 3293 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3294 } 3295 3296 /* No one is allowed to remove a SELinux security label. 3297 You can change the label, but all data must be labeled. */ 3298 return -EACCES; 3299 } 3300 3301 /* 3302 * Copy the inode security context value to the user. 3303 * 3304 * Permission check is handled by selinux_inode_getxattr hook. 3305 */ 3306 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3307 { 3308 u32 size; 3309 int error; 3310 char *context = NULL; 3311 struct inode_security_struct *isec; 3312 3313 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3314 return -EOPNOTSUPP; 3315 3316 /* 3317 * If the caller has CAP_MAC_ADMIN, then get the raw context 3318 * value even if it is not defined by current policy; otherwise, 3319 * use the in-core value under current policy. 3320 * Use the non-auditing forms of the permission checks since 3321 * getxattr may be called by unprivileged processes commonly 3322 * and lack of permission just means that we fall back to the 3323 * in-core context value, not a denial. 3324 */ 3325 isec = inode_security(inode); 3326 if (has_cap_mac_admin(false)) 3327 error = security_sid_to_context_force(isec->sid, &context, 3328 &size); 3329 else 3330 error = security_sid_to_context(isec->sid, &context, &size); 3331 if (error) 3332 return error; 3333 error = size; 3334 if (alloc) { 3335 *buffer = context; 3336 goto out_nofree; 3337 } 3338 kfree(context); 3339 out_nofree: 3340 return error; 3341 } 3342 3343 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3344 const void *value, size_t size, int flags) 3345 { 3346 struct inode_security_struct *isec = inode_security_novalidate(inode); 3347 u32 newsid; 3348 int rc; 3349 3350 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3351 return -EOPNOTSUPP; 3352 3353 if (!value || !size) 3354 return -EACCES; 3355 3356 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3357 if (rc) 3358 return rc; 3359 3360 spin_lock(&isec->lock); 3361 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3362 isec->sid = newsid; 3363 isec->initialized = LABEL_INITIALIZED; 3364 spin_unlock(&isec->lock); 3365 return 0; 3366 } 3367 3368 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3369 { 3370 const int len = sizeof(XATTR_NAME_SELINUX); 3371 if (buffer && len <= buffer_size) 3372 memcpy(buffer, XATTR_NAME_SELINUX, len); 3373 return len; 3374 } 3375 3376 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3377 { 3378 struct inode_security_struct *isec = inode_security_novalidate(inode); 3379 *secid = isec->sid; 3380 } 3381 3382 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3383 { 3384 u32 sid; 3385 struct task_security_struct *tsec; 3386 struct cred *new_creds = *new; 3387 3388 if (new_creds == NULL) { 3389 new_creds = prepare_creds(); 3390 if (!new_creds) 3391 return -ENOMEM; 3392 } 3393 3394 tsec = new_creds->security; 3395 /* Get label from overlay inode and set it in create_sid */ 3396 selinux_inode_getsecid(d_inode(src), &sid); 3397 tsec->create_sid = sid; 3398 *new = new_creds; 3399 return 0; 3400 } 3401 3402 static int selinux_inode_copy_up_xattr(const char *name) 3403 { 3404 /* The copy_up hook above sets the initial context on an inode, but we 3405 * don't then want to overwrite it by blindly copying all the lower 3406 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3407 */ 3408 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3409 return 1; /* Discard */ 3410 /* 3411 * Any other attribute apart from SELINUX is not claimed, supported 3412 * by selinux. 3413 */ 3414 return -EOPNOTSUPP; 3415 } 3416 3417 /* file security operations */ 3418 3419 static int selinux_revalidate_file_permission(struct file *file, int mask) 3420 { 3421 const struct cred *cred = current_cred(); 3422 struct inode *inode = file_inode(file); 3423 3424 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3425 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3426 mask |= MAY_APPEND; 3427 3428 return file_has_perm(cred, file, 3429 file_mask_to_av(inode->i_mode, mask)); 3430 } 3431 3432 static int selinux_file_permission(struct file *file, int mask) 3433 { 3434 struct inode *inode = file_inode(file); 3435 struct file_security_struct *fsec = file->f_security; 3436 struct inode_security_struct *isec; 3437 u32 sid = current_sid(); 3438 3439 if (!mask) 3440 /* No permission to check. Existence test. */ 3441 return 0; 3442 3443 isec = inode_security(inode); 3444 if (sid == fsec->sid && fsec->isid == isec->sid && 3445 fsec->pseqno == avc_policy_seqno()) 3446 /* No change since file_open check. */ 3447 return 0; 3448 3449 return selinux_revalidate_file_permission(file, mask); 3450 } 3451 3452 static int selinux_file_alloc_security(struct file *file) 3453 { 3454 return file_alloc_security(file); 3455 } 3456 3457 static void selinux_file_free_security(struct file *file) 3458 { 3459 file_free_security(file); 3460 } 3461 3462 /* 3463 * Check whether a task has the ioctl permission and cmd 3464 * operation to an inode. 3465 */ 3466 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3467 u32 requested, u16 cmd) 3468 { 3469 struct common_audit_data ad; 3470 struct file_security_struct *fsec = file->f_security; 3471 struct inode *inode = file_inode(file); 3472 struct inode_security_struct *isec; 3473 struct lsm_ioctlop_audit ioctl; 3474 u32 ssid = cred_sid(cred); 3475 int rc; 3476 u8 driver = cmd >> 8; 3477 u8 xperm = cmd & 0xff; 3478 3479 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3480 ad.u.op = &ioctl; 3481 ad.u.op->cmd = cmd; 3482 ad.u.op->path = file->f_path; 3483 3484 if (ssid != fsec->sid) { 3485 rc = avc_has_perm(ssid, fsec->sid, 3486 SECCLASS_FD, 3487 FD__USE, 3488 &ad); 3489 if (rc) 3490 goto out; 3491 } 3492 3493 if (unlikely(IS_PRIVATE(inode))) 3494 return 0; 3495 3496 isec = inode_security(inode); 3497 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, 3498 requested, driver, xperm, &ad); 3499 out: 3500 return rc; 3501 } 3502 3503 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3504 unsigned long arg) 3505 { 3506 const struct cred *cred = current_cred(); 3507 int error = 0; 3508 3509 switch (cmd) { 3510 case FIONREAD: 3511 /* fall through */ 3512 case FIBMAP: 3513 /* fall through */ 3514 case FIGETBSZ: 3515 /* fall through */ 3516 case FS_IOC_GETFLAGS: 3517 /* fall through */ 3518 case FS_IOC_GETVERSION: 3519 error = file_has_perm(cred, file, FILE__GETATTR); 3520 break; 3521 3522 case FS_IOC_SETFLAGS: 3523 /* fall through */ 3524 case FS_IOC_SETVERSION: 3525 error = file_has_perm(cred, file, FILE__SETATTR); 3526 break; 3527 3528 /* sys_ioctl() checks */ 3529 case FIONBIO: 3530 /* fall through */ 3531 case FIOASYNC: 3532 error = file_has_perm(cred, file, 0); 3533 break; 3534 3535 case KDSKBENT: 3536 case KDSKBSENT: 3537 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3538 SECURITY_CAP_AUDIT, true); 3539 break; 3540 3541 /* default case assumes that the command will go 3542 * to the file's ioctl() function. 3543 */ 3544 default: 3545 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3546 } 3547 return error; 3548 } 3549 3550 static int default_noexec; 3551 3552 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3553 { 3554 const struct cred *cred = current_cred(); 3555 u32 sid = cred_sid(cred); 3556 int rc = 0; 3557 3558 if (default_noexec && 3559 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3560 (!shared && (prot & PROT_WRITE)))) { 3561 /* 3562 * We are making executable an anonymous mapping or a 3563 * private file mapping that will also be writable. 3564 * This has an additional check. 3565 */ 3566 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3567 PROCESS__EXECMEM, NULL); 3568 if (rc) 3569 goto error; 3570 } 3571 3572 if (file) { 3573 /* read access is always possible with a mapping */ 3574 u32 av = FILE__READ; 3575 3576 /* write access only matters if the mapping is shared */ 3577 if (shared && (prot & PROT_WRITE)) 3578 av |= FILE__WRITE; 3579 3580 if (prot & PROT_EXEC) 3581 av |= FILE__EXECUTE; 3582 3583 return file_has_perm(cred, file, av); 3584 } 3585 3586 error: 3587 return rc; 3588 } 3589 3590 static int selinux_mmap_addr(unsigned long addr) 3591 { 3592 int rc = 0; 3593 3594 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3595 u32 sid = current_sid(); 3596 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3597 MEMPROTECT__MMAP_ZERO, NULL); 3598 } 3599 3600 return rc; 3601 } 3602 3603 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3604 unsigned long prot, unsigned long flags) 3605 { 3606 struct common_audit_data ad; 3607 int rc; 3608 3609 if (file) { 3610 ad.type = LSM_AUDIT_DATA_FILE; 3611 ad.u.file = file; 3612 rc = inode_has_perm(current_cred(), file_inode(file), 3613 FILE__MAP, &ad); 3614 if (rc) 3615 return rc; 3616 } 3617 3618 if (selinux_checkreqprot) 3619 prot = reqprot; 3620 3621 return file_map_prot_check(file, prot, 3622 (flags & MAP_TYPE) == MAP_SHARED); 3623 } 3624 3625 static int selinux_file_mprotect(struct vm_area_struct *vma, 3626 unsigned long reqprot, 3627 unsigned long prot) 3628 { 3629 const struct cred *cred = current_cred(); 3630 u32 sid = cred_sid(cred); 3631 3632 if (selinux_checkreqprot) 3633 prot = reqprot; 3634 3635 if (default_noexec && 3636 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3637 int rc = 0; 3638 if (vma->vm_start >= vma->vm_mm->start_brk && 3639 vma->vm_end <= vma->vm_mm->brk) { 3640 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3641 PROCESS__EXECHEAP, NULL); 3642 } else if (!vma->vm_file && 3643 ((vma->vm_start <= vma->vm_mm->start_stack && 3644 vma->vm_end >= vma->vm_mm->start_stack) || 3645 vma_is_stack_for_current(vma))) { 3646 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3647 PROCESS__EXECSTACK, NULL); 3648 } else if (vma->vm_file && vma->anon_vma) { 3649 /* 3650 * We are making executable a file mapping that has 3651 * had some COW done. Since pages might have been 3652 * written, check ability to execute the possibly 3653 * modified content. This typically should only 3654 * occur for text relocations. 3655 */ 3656 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3657 } 3658 if (rc) 3659 return rc; 3660 } 3661 3662 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3663 } 3664 3665 static int selinux_file_lock(struct file *file, unsigned int cmd) 3666 { 3667 const struct cred *cred = current_cred(); 3668 3669 return file_has_perm(cred, file, FILE__LOCK); 3670 } 3671 3672 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3673 unsigned long arg) 3674 { 3675 const struct cred *cred = current_cred(); 3676 int err = 0; 3677 3678 switch (cmd) { 3679 case F_SETFL: 3680 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3681 err = file_has_perm(cred, file, FILE__WRITE); 3682 break; 3683 } 3684 /* fall through */ 3685 case F_SETOWN: 3686 case F_SETSIG: 3687 case F_GETFL: 3688 case F_GETOWN: 3689 case F_GETSIG: 3690 case F_GETOWNER_UIDS: 3691 /* Just check FD__USE permission */ 3692 err = file_has_perm(cred, file, 0); 3693 break; 3694 case F_GETLK: 3695 case F_SETLK: 3696 case F_SETLKW: 3697 case F_OFD_GETLK: 3698 case F_OFD_SETLK: 3699 case F_OFD_SETLKW: 3700 #if BITS_PER_LONG == 32 3701 case F_GETLK64: 3702 case F_SETLK64: 3703 case F_SETLKW64: 3704 #endif 3705 err = file_has_perm(cred, file, FILE__LOCK); 3706 break; 3707 } 3708 3709 return err; 3710 } 3711 3712 static void selinux_file_set_fowner(struct file *file) 3713 { 3714 struct file_security_struct *fsec; 3715 3716 fsec = file->f_security; 3717 fsec->fown_sid = current_sid(); 3718 } 3719 3720 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3721 struct fown_struct *fown, int signum) 3722 { 3723 struct file *file; 3724 u32 sid = task_sid(tsk); 3725 u32 perm; 3726 struct file_security_struct *fsec; 3727 3728 /* struct fown_struct is never outside the context of a struct file */ 3729 file = container_of(fown, struct file, f_owner); 3730 3731 fsec = file->f_security; 3732 3733 if (!signum) 3734 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3735 else 3736 perm = signal_to_av(signum); 3737 3738 return avc_has_perm(fsec->fown_sid, sid, 3739 SECCLASS_PROCESS, perm, NULL); 3740 } 3741 3742 static int selinux_file_receive(struct file *file) 3743 { 3744 const struct cred *cred = current_cred(); 3745 3746 return file_has_perm(cred, file, file_to_av(file)); 3747 } 3748 3749 static int selinux_file_open(struct file *file, const struct cred *cred) 3750 { 3751 struct file_security_struct *fsec; 3752 struct inode_security_struct *isec; 3753 3754 fsec = file->f_security; 3755 isec = inode_security(file_inode(file)); 3756 /* 3757 * Save inode label and policy sequence number 3758 * at open-time so that selinux_file_permission 3759 * can determine whether revalidation is necessary. 3760 * Task label is already saved in the file security 3761 * struct as its SID. 3762 */ 3763 fsec->isid = isec->sid; 3764 fsec->pseqno = avc_policy_seqno(); 3765 /* 3766 * Since the inode label or policy seqno may have changed 3767 * between the selinux_inode_permission check and the saving 3768 * of state above, recheck that access is still permitted. 3769 * Otherwise, access might never be revalidated against the 3770 * new inode label or new policy. 3771 * This check is not redundant - do not remove. 3772 */ 3773 return file_path_has_perm(cred, file, open_file_to_av(file)); 3774 } 3775 3776 /* task security operations */ 3777 3778 static int selinux_task_alloc(struct task_struct *task, 3779 unsigned long clone_flags) 3780 { 3781 u32 sid = current_sid(); 3782 3783 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3784 } 3785 3786 /* 3787 * allocate the SELinux part of blank credentials 3788 */ 3789 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3790 { 3791 struct task_security_struct *tsec; 3792 3793 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3794 if (!tsec) 3795 return -ENOMEM; 3796 3797 cred->security = tsec; 3798 return 0; 3799 } 3800 3801 /* 3802 * detach and free the LSM part of a set of credentials 3803 */ 3804 static void selinux_cred_free(struct cred *cred) 3805 { 3806 struct task_security_struct *tsec = cred->security; 3807 3808 /* 3809 * cred->security == NULL if security_cred_alloc_blank() or 3810 * security_prepare_creds() returned an error. 3811 */ 3812 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); 3813 cred->security = (void *) 0x7UL; 3814 kfree(tsec); 3815 } 3816 3817 /* 3818 * prepare a new set of credentials for modification 3819 */ 3820 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3821 gfp_t gfp) 3822 { 3823 const struct task_security_struct *old_tsec; 3824 struct task_security_struct *tsec; 3825 3826 old_tsec = old->security; 3827 3828 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3829 if (!tsec) 3830 return -ENOMEM; 3831 3832 new->security = tsec; 3833 return 0; 3834 } 3835 3836 /* 3837 * transfer the SELinux data to a blank set of creds 3838 */ 3839 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3840 { 3841 const struct task_security_struct *old_tsec = old->security; 3842 struct task_security_struct *tsec = new->security; 3843 3844 *tsec = *old_tsec; 3845 } 3846 3847 /* 3848 * set the security data for a kernel service 3849 * - all the creation contexts are set to unlabelled 3850 */ 3851 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3852 { 3853 struct task_security_struct *tsec = new->security; 3854 u32 sid = current_sid(); 3855 int ret; 3856 3857 ret = avc_has_perm(sid, secid, 3858 SECCLASS_KERNEL_SERVICE, 3859 KERNEL_SERVICE__USE_AS_OVERRIDE, 3860 NULL); 3861 if (ret == 0) { 3862 tsec->sid = secid; 3863 tsec->create_sid = 0; 3864 tsec->keycreate_sid = 0; 3865 tsec->sockcreate_sid = 0; 3866 } 3867 return ret; 3868 } 3869 3870 /* 3871 * set the file creation context in a security record to the same as the 3872 * objective context of the specified inode 3873 */ 3874 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3875 { 3876 struct inode_security_struct *isec = inode_security(inode); 3877 struct task_security_struct *tsec = new->security; 3878 u32 sid = current_sid(); 3879 int ret; 3880 3881 ret = avc_has_perm(sid, isec->sid, 3882 SECCLASS_KERNEL_SERVICE, 3883 KERNEL_SERVICE__CREATE_FILES_AS, 3884 NULL); 3885 3886 if (ret == 0) 3887 tsec->create_sid = isec->sid; 3888 return ret; 3889 } 3890 3891 static int selinux_kernel_module_request(char *kmod_name) 3892 { 3893 struct common_audit_data ad; 3894 3895 ad.type = LSM_AUDIT_DATA_KMOD; 3896 ad.u.kmod_name = kmod_name; 3897 3898 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 3899 SYSTEM__MODULE_REQUEST, &ad); 3900 } 3901 3902 static int selinux_kernel_module_from_file(struct file *file) 3903 { 3904 struct common_audit_data ad; 3905 struct inode_security_struct *isec; 3906 struct file_security_struct *fsec; 3907 u32 sid = current_sid(); 3908 int rc; 3909 3910 /* init_module */ 3911 if (file == NULL) 3912 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, 3913 SYSTEM__MODULE_LOAD, NULL); 3914 3915 /* finit_module */ 3916 3917 ad.type = LSM_AUDIT_DATA_FILE; 3918 ad.u.file = file; 3919 3920 fsec = file->f_security; 3921 if (sid != fsec->sid) { 3922 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 3923 if (rc) 3924 return rc; 3925 } 3926 3927 isec = inode_security(file_inode(file)); 3928 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, 3929 SYSTEM__MODULE_LOAD, &ad); 3930 } 3931 3932 static int selinux_kernel_read_file(struct file *file, 3933 enum kernel_read_file_id id) 3934 { 3935 int rc = 0; 3936 3937 switch (id) { 3938 case READING_MODULE: 3939 rc = selinux_kernel_module_from_file(file); 3940 break; 3941 default: 3942 break; 3943 } 3944 3945 return rc; 3946 } 3947 3948 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3949 { 3950 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3951 PROCESS__SETPGID, NULL); 3952 } 3953 3954 static int selinux_task_getpgid(struct task_struct *p) 3955 { 3956 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3957 PROCESS__GETPGID, NULL); 3958 } 3959 3960 static int selinux_task_getsid(struct task_struct *p) 3961 { 3962 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3963 PROCESS__GETSESSION, NULL); 3964 } 3965 3966 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3967 { 3968 *secid = task_sid(p); 3969 } 3970 3971 static int selinux_task_setnice(struct task_struct *p, int nice) 3972 { 3973 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3974 PROCESS__SETSCHED, NULL); 3975 } 3976 3977 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3978 { 3979 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3980 PROCESS__SETSCHED, NULL); 3981 } 3982 3983 static int selinux_task_getioprio(struct task_struct *p) 3984 { 3985 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3986 PROCESS__GETSCHED, NULL); 3987 } 3988 3989 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 3990 unsigned int flags) 3991 { 3992 u32 av = 0; 3993 3994 if (!flags) 3995 return 0; 3996 if (flags & LSM_PRLIMIT_WRITE) 3997 av |= PROCESS__SETRLIMIT; 3998 if (flags & LSM_PRLIMIT_READ) 3999 av |= PROCESS__GETRLIMIT; 4000 return avc_has_perm(cred_sid(cred), cred_sid(tcred), 4001 SECCLASS_PROCESS, av, NULL); 4002 } 4003 4004 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4005 struct rlimit *new_rlim) 4006 { 4007 struct rlimit *old_rlim = p->signal->rlim + resource; 4008 4009 /* Control the ability to change the hard limit (whether 4010 lowering or raising it), so that the hard limit can 4011 later be used as a safe reset point for the soft limit 4012 upon context transitions. See selinux_bprm_committing_creds. */ 4013 if (old_rlim->rlim_max != new_rlim->rlim_max) 4014 return avc_has_perm(current_sid(), task_sid(p), 4015 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4016 4017 return 0; 4018 } 4019 4020 static int selinux_task_setscheduler(struct task_struct *p) 4021 { 4022 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4023 PROCESS__SETSCHED, NULL); 4024 } 4025 4026 static int selinux_task_getscheduler(struct task_struct *p) 4027 { 4028 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4029 PROCESS__GETSCHED, NULL); 4030 } 4031 4032 static int selinux_task_movememory(struct task_struct *p) 4033 { 4034 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4035 PROCESS__SETSCHED, NULL); 4036 } 4037 4038 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 4039 int sig, const struct cred *cred) 4040 { 4041 u32 secid; 4042 u32 perm; 4043 4044 if (!sig) 4045 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4046 else 4047 perm = signal_to_av(sig); 4048 if (!cred) 4049 secid = current_sid(); 4050 else 4051 secid = cred_sid(cred); 4052 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4053 } 4054 4055 static void selinux_task_to_inode(struct task_struct *p, 4056 struct inode *inode) 4057 { 4058 struct inode_security_struct *isec = inode->i_security; 4059 u32 sid = task_sid(p); 4060 4061 spin_lock(&isec->lock); 4062 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4063 isec->sid = sid; 4064 isec->initialized = LABEL_INITIALIZED; 4065 spin_unlock(&isec->lock); 4066 } 4067 4068 /* Returns error only if unable to parse addresses */ 4069 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4070 struct common_audit_data *ad, u8 *proto) 4071 { 4072 int offset, ihlen, ret = -EINVAL; 4073 struct iphdr _iph, *ih; 4074 4075 offset = skb_network_offset(skb); 4076 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4077 if (ih == NULL) 4078 goto out; 4079 4080 ihlen = ih->ihl * 4; 4081 if (ihlen < sizeof(_iph)) 4082 goto out; 4083 4084 ad->u.net->v4info.saddr = ih->saddr; 4085 ad->u.net->v4info.daddr = ih->daddr; 4086 ret = 0; 4087 4088 if (proto) 4089 *proto = ih->protocol; 4090 4091 switch (ih->protocol) { 4092 case IPPROTO_TCP: { 4093 struct tcphdr _tcph, *th; 4094 4095 if (ntohs(ih->frag_off) & IP_OFFSET) 4096 break; 4097 4098 offset += ihlen; 4099 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4100 if (th == NULL) 4101 break; 4102 4103 ad->u.net->sport = th->source; 4104 ad->u.net->dport = th->dest; 4105 break; 4106 } 4107 4108 case IPPROTO_UDP: { 4109 struct udphdr _udph, *uh; 4110 4111 if (ntohs(ih->frag_off) & IP_OFFSET) 4112 break; 4113 4114 offset += ihlen; 4115 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4116 if (uh == NULL) 4117 break; 4118 4119 ad->u.net->sport = uh->source; 4120 ad->u.net->dport = uh->dest; 4121 break; 4122 } 4123 4124 case IPPROTO_DCCP: { 4125 struct dccp_hdr _dccph, *dh; 4126 4127 if (ntohs(ih->frag_off) & IP_OFFSET) 4128 break; 4129 4130 offset += ihlen; 4131 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4132 if (dh == NULL) 4133 break; 4134 4135 ad->u.net->sport = dh->dccph_sport; 4136 ad->u.net->dport = dh->dccph_dport; 4137 break; 4138 } 4139 4140 default: 4141 break; 4142 } 4143 out: 4144 return ret; 4145 } 4146 4147 #if IS_ENABLED(CONFIG_IPV6) 4148 4149 /* Returns error only if unable to parse addresses */ 4150 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4151 struct common_audit_data *ad, u8 *proto) 4152 { 4153 u8 nexthdr; 4154 int ret = -EINVAL, offset; 4155 struct ipv6hdr _ipv6h, *ip6; 4156 __be16 frag_off; 4157 4158 offset = skb_network_offset(skb); 4159 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4160 if (ip6 == NULL) 4161 goto out; 4162 4163 ad->u.net->v6info.saddr = ip6->saddr; 4164 ad->u.net->v6info.daddr = ip6->daddr; 4165 ret = 0; 4166 4167 nexthdr = ip6->nexthdr; 4168 offset += sizeof(_ipv6h); 4169 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4170 if (offset < 0) 4171 goto out; 4172 4173 if (proto) 4174 *proto = nexthdr; 4175 4176 switch (nexthdr) { 4177 case IPPROTO_TCP: { 4178 struct tcphdr _tcph, *th; 4179 4180 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4181 if (th == NULL) 4182 break; 4183 4184 ad->u.net->sport = th->source; 4185 ad->u.net->dport = th->dest; 4186 break; 4187 } 4188 4189 case IPPROTO_UDP: { 4190 struct udphdr _udph, *uh; 4191 4192 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4193 if (uh == NULL) 4194 break; 4195 4196 ad->u.net->sport = uh->source; 4197 ad->u.net->dport = uh->dest; 4198 break; 4199 } 4200 4201 case IPPROTO_DCCP: { 4202 struct dccp_hdr _dccph, *dh; 4203 4204 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4205 if (dh == NULL) 4206 break; 4207 4208 ad->u.net->sport = dh->dccph_sport; 4209 ad->u.net->dport = dh->dccph_dport; 4210 break; 4211 } 4212 4213 /* includes fragments */ 4214 default: 4215 break; 4216 } 4217 out: 4218 return ret; 4219 } 4220 4221 #endif /* IPV6 */ 4222 4223 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4224 char **_addrp, int src, u8 *proto) 4225 { 4226 char *addrp; 4227 int ret; 4228 4229 switch (ad->u.net->family) { 4230 case PF_INET: 4231 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4232 if (ret) 4233 goto parse_error; 4234 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4235 &ad->u.net->v4info.daddr); 4236 goto okay; 4237 4238 #if IS_ENABLED(CONFIG_IPV6) 4239 case PF_INET6: 4240 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4241 if (ret) 4242 goto parse_error; 4243 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4244 &ad->u.net->v6info.daddr); 4245 goto okay; 4246 #endif /* IPV6 */ 4247 default: 4248 addrp = NULL; 4249 goto okay; 4250 } 4251 4252 parse_error: 4253 printk(KERN_WARNING 4254 "SELinux: failure in selinux_parse_skb()," 4255 " unable to parse packet\n"); 4256 return ret; 4257 4258 okay: 4259 if (_addrp) 4260 *_addrp = addrp; 4261 return 0; 4262 } 4263 4264 /** 4265 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4266 * @skb: the packet 4267 * @family: protocol family 4268 * @sid: the packet's peer label SID 4269 * 4270 * Description: 4271 * Check the various different forms of network peer labeling and determine 4272 * the peer label/SID for the packet; most of the magic actually occurs in 4273 * the security server function security_net_peersid_cmp(). The function 4274 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4275 * or -EACCES if @sid is invalid due to inconsistencies with the different 4276 * peer labels. 4277 * 4278 */ 4279 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4280 { 4281 int err; 4282 u32 xfrm_sid; 4283 u32 nlbl_sid; 4284 u32 nlbl_type; 4285 4286 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4287 if (unlikely(err)) 4288 return -EACCES; 4289 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4290 if (unlikely(err)) 4291 return -EACCES; 4292 4293 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 4294 if (unlikely(err)) { 4295 printk(KERN_WARNING 4296 "SELinux: failure in selinux_skb_peerlbl_sid()," 4297 " unable to determine packet's peer label\n"); 4298 return -EACCES; 4299 } 4300 4301 return 0; 4302 } 4303 4304 /** 4305 * selinux_conn_sid - Determine the child socket label for a connection 4306 * @sk_sid: the parent socket's SID 4307 * @skb_sid: the packet's SID 4308 * @conn_sid: the resulting connection SID 4309 * 4310 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4311 * combined with the MLS information from @skb_sid in order to create 4312 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy 4313 * of @sk_sid. Returns zero on success, negative values on failure. 4314 * 4315 */ 4316 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4317 { 4318 int err = 0; 4319 4320 if (skb_sid != SECSID_NULL) 4321 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid); 4322 else 4323 *conn_sid = sk_sid; 4324 4325 return err; 4326 } 4327 4328 /* socket security operations */ 4329 4330 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4331 u16 secclass, u32 *socksid) 4332 { 4333 if (tsec->sockcreate_sid > SECSID_NULL) { 4334 *socksid = tsec->sockcreate_sid; 4335 return 0; 4336 } 4337 4338 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, 4339 socksid); 4340 } 4341 4342 static int sock_has_perm(struct sock *sk, u32 perms) 4343 { 4344 struct sk_security_struct *sksec = sk->sk_security; 4345 struct common_audit_data ad; 4346 struct lsm_network_audit net = {0,}; 4347 4348 if (sksec->sid == SECINITSID_KERNEL) 4349 return 0; 4350 4351 ad.type = LSM_AUDIT_DATA_NET; 4352 ad.u.net = &net; 4353 ad.u.net->sk = sk; 4354 4355 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4356 &ad); 4357 } 4358 4359 static int selinux_socket_create(int family, int type, 4360 int protocol, int kern) 4361 { 4362 const struct task_security_struct *tsec = current_security(); 4363 u32 newsid; 4364 u16 secclass; 4365 int rc; 4366 4367 if (kern) 4368 return 0; 4369 4370 secclass = socket_type_to_security_class(family, type, protocol); 4371 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4372 if (rc) 4373 return rc; 4374 4375 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4376 } 4377 4378 static int selinux_socket_post_create(struct socket *sock, int family, 4379 int type, int protocol, int kern) 4380 { 4381 const struct task_security_struct *tsec = current_security(); 4382 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4383 struct sk_security_struct *sksec; 4384 u16 sclass = socket_type_to_security_class(family, type, protocol); 4385 u32 sid = SECINITSID_KERNEL; 4386 int err = 0; 4387 4388 if (!kern) { 4389 err = socket_sockcreate_sid(tsec, sclass, &sid); 4390 if (err) 4391 return err; 4392 } 4393 4394 isec->sclass = sclass; 4395 isec->sid = sid; 4396 isec->initialized = LABEL_INITIALIZED; 4397 4398 if (sock->sk) { 4399 sksec = sock->sk->sk_security; 4400 sksec->sclass = sclass; 4401 sksec->sid = sid; 4402 err = selinux_netlbl_socket_post_create(sock->sk, family); 4403 } 4404 4405 return err; 4406 } 4407 4408 /* Range of port numbers used to automatically bind. 4409 Need to determine whether we should perform a name_bind 4410 permission check between the socket and the port number. */ 4411 4412 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4413 { 4414 struct sock *sk = sock->sk; 4415 u16 family; 4416 int err; 4417 4418 err = sock_has_perm(sk, SOCKET__BIND); 4419 if (err) 4420 goto out; 4421 4422 /* 4423 * If PF_INET or PF_INET6, check name_bind permission for the port. 4424 * Multiple address binding for SCTP is not supported yet: we just 4425 * check the first address now. 4426 */ 4427 family = sk->sk_family; 4428 if (family == PF_INET || family == PF_INET6) { 4429 char *addrp; 4430 struct sk_security_struct *sksec = sk->sk_security; 4431 struct common_audit_data ad; 4432 struct lsm_network_audit net = {0,}; 4433 struct sockaddr_in *addr4 = NULL; 4434 struct sockaddr_in6 *addr6 = NULL; 4435 unsigned short snum; 4436 u32 sid, node_perm; 4437 4438 if (family == PF_INET) { 4439 if (addrlen < sizeof(struct sockaddr_in)) { 4440 err = -EINVAL; 4441 goto out; 4442 } 4443 addr4 = (struct sockaddr_in *)address; 4444 snum = ntohs(addr4->sin_port); 4445 addrp = (char *)&addr4->sin_addr.s_addr; 4446 } else { 4447 if (addrlen < SIN6_LEN_RFC2133) { 4448 err = -EINVAL; 4449 goto out; 4450 } 4451 addr6 = (struct sockaddr_in6 *)address; 4452 snum = ntohs(addr6->sin6_port); 4453 addrp = (char *)&addr6->sin6_addr.s6_addr; 4454 } 4455 4456 if (snum) { 4457 int low, high; 4458 4459 inet_get_local_port_range(sock_net(sk), &low, &high); 4460 4461 if (snum < max(inet_prot_sock(sock_net(sk)), low) || 4462 snum > high) { 4463 err = sel_netport_sid(sk->sk_protocol, 4464 snum, &sid); 4465 if (err) 4466 goto out; 4467 ad.type = LSM_AUDIT_DATA_NET; 4468 ad.u.net = &net; 4469 ad.u.net->sport = htons(snum); 4470 ad.u.net->family = family; 4471 err = avc_has_perm(sksec->sid, sid, 4472 sksec->sclass, 4473 SOCKET__NAME_BIND, &ad); 4474 if (err) 4475 goto out; 4476 } 4477 } 4478 4479 switch (sksec->sclass) { 4480 case SECCLASS_TCP_SOCKET: 4481 node_perm = TCP_SOCKET__NODE_BIND; 4482 break; 4483 4484 case SECCLASS_UDP_SOCKET: 4485 node_perm = UDP_SOCKET__NODE_BIND; 4486 break; 4487 4488 case SECCLASS_DCCP_SOCKET: 4489 node_perm = DCCP_SOCKET__NODE_BIND; 4490 break; 4491 4492 default: 4493 node_perm = RAWIP_SOCKET__NODE_BIND; 4494 break; 4495 } 4496 4497 err = sel_netnode_sid(addrp, family, &sid); 4498 if (err) 4499 goto out; 4500 4501 ad.type = LSM_AUDIT_DATA_NET; 4502 ad.u.net = &net; 4503 ad.u.net->sport = htons(snum); 4504 ad.u.net->family = family; 4505 4506 if (family == PF_INET) 4507 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4508 else 4509 ad.u.net->v6info.saddr = addr6->sin6_addr; 4510 4511 err = avc_has_perm(sksec->sid, sid, 4512 sksec->sclass, node_perm, &ad); 4513 if (err) 4514 goto out; 4515 } 4516 out: 4517 return err; 4518 } 4519 4520 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 4521 { 4522 struct sock *sk = sock->sk; 4523 struct sk_security_struct *sksec = sk->sk_security; 4524 int err; 4525 4526 err = sock_has_perm(sk, SOCKET__CONNECT); 4527 if (err) 4528 return err; 4529 4530 /* 4531 * If a TCP or DCCP socket, check name_connect permission for the port. 4532 */ 4533 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4534 sksec->sclass == SECCLASS_DCCP_SOCKET) { 4535 struct common_audit_data ad; 4536 struct lsm_network_audit net = {0,}; 4537 struct sockaddr_in *addr4 = NULL; 4538 struct sockaddr_in6 *addr6 = NULL; 4539 unsigned short snum; 4540 u32 sid, perm; 4541 4542 if (sk->sk_family == PF_INET) { 4543 addr4 = (struct sockaddr_in *)address; 4544 if (addrlen < sizeof(struct sockaddr_in)) 4545 return -EINVAL; 4546 snum = ntohs(addr4->sin_port); 4547 } else { 4548 addr6 = (struct sockaddr_in6 *)address; 4549 if (addrlen < SIN6_LEN_RFC2133) 4550 return -EINVAL; 4551 snum = ntohs(addr6->sin6_port); 4552 } 4553 4554 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4555 if (err) 4556 goto out; 4557 4558 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? 4559 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 4560 4561 ad.type = LSM_AUDIT_DATA_NET; 4562 ad.u.net = &net; 4563 ad.u.net->dport = htons(snum); 4564 ad.u.net->family = sk->sk_family; 4565 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 4566 if (err) 4567 goto out; 4568 } 4569 4570 err = selinux_netlbl_socket_connect(sk, address); 4571 4572 out: 4573 return err; 4574 } 4575 4576 static int selinux_socket_listen(struct socket *sock, int backlog) 4577 { 4578 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4579 } 4580 4581 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4582 { 4583 int err; 4584 struct inode_security_struct *isec; 4585 struct inode_security_struct *newisec; 4586 u16 sclass; 4587 u32 sid; 4588 4589 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4590 if (err) 4591 return err; 4592 4593 isec = inode_security_novalidate(SOCK_INODE(sock)); 4594 spin_lock(&isec->lock); 4595 sclass = isec->sclass; 4596 sid = isec->sid; 4597 spin_unlock(&isec->lock); 4598 4599 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4600 newisec->sclass = sclass; 4601 newisec->sid = sid; 4602 newisec->initialized = LABEL_INITIALIZED; 4603 4604 return 0; 4605 } 4606 4607 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4608 int size) 4609 { 4610 return sock_has_perm(sock->sk, SOCKET__WRITE); 4611 } 4612 4613 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4614 int size, int flags) 4615 { 4616 return sock_has_perm(sock->sk, SOCKET__READ); 4617 } 4618 4619 static int selinux_socket_getsockname(struct socket *sock) 4620 { 4621 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4622 } 4623 4624 static int selinux_socket_getpeername(struct socket *sock) 4625 { 4626 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4627 } 4628 4629 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4630 { 4631 int err; 4632 4633 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 4634 if (err) 4635 return err; 4636 4637 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4638 } 4639 4640 static int selinux_socket_getsockopt(struct socket *sock, int level, 4641 int optname) 4642 { 4643 return sock_has_perm(sock->sk, SOCKET__GETOPT); 4644 } 4645 4646 static int selinux_socket_shutdown(struct socket *sock, int how) 4647 { 4648 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 4649 } 4650 4651 static int selinux_socket_unix_stream_connect(struct sock *sock, 4652 struct sock *other, 4653 struct sock *newsk) 4654 { 4655 struct sk_security_struct *sksec_sock = sock->sk_security; 4656 struct sk_security_struct *sksec_other = other->sk_security; 4657 struct sk_security_struct *sksec_new = newsk->sk_security; 4658 struct common_audit_data ad; 4659 struct lsm_network_audit net = {0,}; 4660 int err; 4661 4662 ad.type = LSM_AUDIT_DATA_NET; 4663 ad.u.net = &net; 4664 ad.u.net->sk = other; 4665 4666 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4667 sksec_other->sclass, 4668 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4669 if (err) 4670 return err; 4671 4672 /* server child socket */ 4673 sksec_new->peer_sid = sksec_sock->sid; 4674 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, 4675 &sksec_new->sid); 4676 if (err) 4677 return err; 4678 4679 /* connecting socket */ 4680 sksec_sock->peer_sid = sksec_new->sid; 4681 4682 return 0; 4683 } 4684 4685 static int selinux_socket_unix_may_send(struct socket *sock, 4686 struct socket *other) 4687 { 4688 struct sk_security_struct *ssec = sock->sk->sk_security; 4689 struct sk_security_struct *osec = other->sk->sk_security; 4690 struct common_audit_data ad; 4691 struct lsm_network_audit net = {0,}; 4692 4693 ad.type = LSM_AUDIT_DATA_NET; 4694 ad.u.net = &net; 4695 ad.u.net->sk = other->sk; 4696 4697 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4698 &ad); 4699 } 4700 4701 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4702 char *addrp, u16 family, u32 peer_sid, 4703 struct common_audit_data *ad) 4704 { 4705 int err; 4706 u32 if_sid; 4707 u32 node_sid; 4708 4709 err = sel_netif_sid(ns, ifindex, &if_sid); 4710 if (err) 4711 return err; 4712 err = avc_has_perm(peer_sid, if_sid, 4713 SECCLASS_NETIF, NETIF__INGRESS, ad); 4714 if (err) 4715 return err; 4716 4717 err = sel_netnode_sid(addrp, family, &node_sid); 4718 if (err) 4719 return err; 4720 return avc_has_perm(peer_sid, node_sid, 4721 SECCLASS_NODE, NODE__RECVFROM, ad); 4722 } 4723 4724 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4725 u16 family) 4726 { 4727 int err = 0; 4728 struct sk_security_struct *sksec = sk->sk_security; 4729 u32 sk_sid = sksec->sid; 4730 struct common_audit_data ad; 4731 struct lsm_network_audit net = {0,}; 4732 char *addrp; 4733 4734 ad.type = LSM_AUDIT_DATA_NET; 4735 ad.u.net = &net; 4736 ad.u.net->netif = skb->skb_iif; 4737 ad.u.net->family = family; 4738 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4739 if (err) 4740 return err; 4741 4742 if (selinux_secmark_enabled()) { 4743 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4744 PACKET__RECV, &ad); 4745 if (err) 4746 return err; 4747 } 4748 4749 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4750 if (err) 4751 return err; 4752 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4753 4754 return err; 4755 } 4756 4757 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4758 { 4759 int err; 4760 struct sk_security_struct *sksec = sk->sk_security; 4761 u16 family = sk->sk_family; 4762 u32 sk_sid = sksec->sid; 4763 struct common_audit_data ad; 4764 struct lsm_network_audit net = {0,}; 4765 char *addrp; 4766 u8 secmark_active; 4767 u8 peerlbl_active; 4768 4769 if (family != PF_INET && family != PF_INET6) 4770 return 0; 4771 4772 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 4773 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4774 family = PF_INET; 4775 4776 /* If any sort of compatibility mode is enabled then handoff processing 4777 * to the selinux_sock_rcv_skb_compat() function to deal with the 4778 * special handling. We do this in an attempt to keep this function 4779 * as fast and as clean as possible. */ 4780 if (!selinux_policycap_netpeer) 4781 return selinux_sock_rcv_skb_compat(sk, skb, family); 4782 4783 secmark_active = selinux_secmark_enabled(); 4784 peerlbl_active = selinux_peerlbl_enabled(); 4785 if (!secmark_active && !peerlbl_active) 4786 return 0; 4787 4788 ad.type = LSM_AUDIT_DATA_NET; 4789 ad.u.net = &net; 4790 ad.u.net->netif = skb->skb_iif; 4791 ad.u.net->family = family; 4792 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4793 if (err) 4794 return err; 4795 4796 if (peerlbl_active) { 4797 u32 peer_sid; 4798 4799 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4800 if (err) 4801 return err; 4802 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 4803 addrp, family, peer_sid, &ad); 4804 if (err) { 4805 selinux_netlbl_err(skb, family, err, 0); 4806 return err; 4807 } 4808 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 4809 PEER__RECV, &ad); 4810 if (err) { 4811 selinux_netlbl_err(skb, family, err, 0); 4812 return err; 4813 } 4814 } 4815 4816 if (secmark_active) { 4817 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4818 PACKET__RECV, &ad); 4819 if (err) 4820 return err; 4821 } 4822 4823 return err; 4824 } 4825 4826 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4827 int __user *optlen, unsigned len) 4828 { 4829 int err = 0; 4830 char *scontext; 4831 u32 scontext_len; 4832 struct sk_security_struct *sksec = sock->sk->sk_security; 4833 u32 peer_sid = SECSID_NULL; 4834 4835 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4836 sksec->sclass == SECCLASS_TCP_SOCKET) 4837 peer_sid = sksec->peer_sid; 4838 if (peer_sid == SECSID_NULL) 4839 return -ENOPROTOOPT; 4840 4841 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 4842 if (err) 4843 return err; 4844 4845 if (scontext_len > len) { 4846 err = -ERANGE; 4847 goto out_len; 4848 } 4849 4850 if (copy_to_user(optval, scontext, scontext_len)) 4851 err = -EFAULT; 4852 4853 out_len: 4854 if (put_user(scontext_len, optlen)) 4855 err = -EFAULT; 4856 kfree(scontext); 4857 return err; 4858 } 4859 4860 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4861 { 4862 u32 peer_secid = SECSID_NULL; 4863 u16 family; 4864 struct inode_security_struct *isec; 4865 4866 if (skb && skb->protocol == htons(ETH_P_IP)) 4867 family = PF_INET; 4868 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 4869 family = PF_INET6; 4870 else if (sock) 4871 family = sock->sk->sk_family; 4872 else 4873 goto out; 4874 4875 if (sock && family == PF_UNIX) { 4876 isec = inode_security_novalidate(SOCK_INODE(sock)); 4877 peer_secid = isec->sid; 4878 } else if (skb) 4879 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4880 4881 out: 4882 *secid = peer_secid; 4883 if (peer_secid == SECSID_NULL) 4884 return -EINVAL; 4885 return 0; 4886 } 4887 4888 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4889 { 4890 struct sk_security_struct *sksec; 4891 4892 sksec = kzalloc(sizeof(*sksec), priority); 4893 if (!sksec) 4894 return -ENOMEM; 4895 4896 sksec->peer_sid = SECINITSID_UNLABELED; 4897 sksec->sid = SECINITSID_UNLABELED; 4898 sksec->sclass = SECCLASS_SOCKET; 4899 selinux_netlbl_sk_security_reset(sksec); 4900 sk->sk_security = sksec; 4901 4902 return 0; 4903 } 4904 4905 static void selinux_sk_free_security(struct sock *sk) 4906 { 4907 struct sk_security_struct *sksec = sk->sk_security; 4908 4909 sk->sk_security = NULL; 4910 selinux_netlbl_sk_security_free(sksec); 4911 kfree(sksec); 4912 } 4913 4914 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4915 { 4916 struct sk_security_struct *sksec = sk->sk_security; 4917 struct sk_security_struct *newsksec = newsk->sk_security; 4918 4919 newsksec->sid = sksec->sid; 4920 newsksec->peer_sid = sksec->peer_sid; 4921 newsksec->sclass = sksec->sclass; 4922 4923 selinux_netlbl_sk_security_reset(newsksec); 4924 } 4925 4926 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4927 { 4928 if (!sk) 4929 *secid = SECINITSID_ANY_SOCKET; 4930 else { 4931 struct sk_security_struct *sksec = sk->sk_security; 4932 4933 *secid = sksec->sid; 4934 } 4935 } 4936 4937 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 4938 { 4939 struct inode_security_struct *isec = 4940 inode_security_novalidate(SOCK_INODE(parent)); 4941 struct sk_security_struct *sksec = sk->sk_security; 4942 4943 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 4944 sk->sk_family == PF_UNIX) 4945 isec->sid = sksec->sid; 4946 sksec->sclass = isec->sclass; 4947 } 4948 4949 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4950 struct request_sock *req) 4951 { 4952 struct sk_security_struct *sksec = sk->sk_security; 4953 int err; 4954 u16 family = req->rsk_ops->family; 4955 u32 connsid; 4956 u32 peersid; 4957 4958 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 4959 if (err) 4960 return err; 4961 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 4962 if (err) 4963 return err; 4964 req->secid = connsid; 4965 req->peer_secid = peersid; 4966 4967 return selinux_netlbl_inet_conn_request(req, family); 4968 } 4969 4970 static void selinux_inet_csk_clone(struct sock *newsk, 4971 const struct request_sock *req) 4972 { 4973 struct sk_security_struct *newsksec = newsk->sk_security; 4974 4975 newsksec->sid = req->secid; 4976 newsksec->peer_sid = req->peer_secid; 4977 /* NOTE: Ideally, we should also get the isec->sid for the 4978 new socket in sync, but we don't have the isec available yet. 4979 So we will wait until sock_graft to do it, by which 4980 time it will have been created and available. */ 4981 4982 /* We don't need to take any sort of lock here as we are the only 4983 * thread with access to newsksec */ 4984 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 4985 } 4986 4987 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 4988 { 4989 u16 family = sk->sk_family; 4990 struct sk_security_struct *sksec = sk->sk_security; 4991 4992 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4993 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4994 family = PF_INET; 4995 4996 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 4997 } 4998 4999 static int selinux_secmark_relabel_packet(u32 sid) 5000 { 5001 const struct task_security_struct *__tsec; 5002 u32 tsid; 5003 5004 __tsec = current_security(); 5005 tsid = __tsec->sid; 5006 5007 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); 5008 } 5009 5010 static void selinux_secmark_refcount_inc(void) 5011 { 5012 atomic_inc(&selinux_secmark_refcount); 5013 } 5014 5015 static void selinux_secmark_refcount_dec(void) 5016 { 5017 atomic_dec(&selinux_secmark_refcount); 5018 } 5019 5020 static void selinux_req_classify_flow(const struct request_sock *req, 5021 struct flowi *fl) 5022 { 5023 fl->flowi_secid = req->secid; 5024 } 5025 5026 static int selinux_tun_dev_alloc_security(void **security) 5027 { 5028 struct tun_security_struct *tunsec; 5029 5030 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5031 if (!tunsec) 5032 return -ENOMEM; 5033 tunsec->sid = current_sid(); 5034 5035 *security = tunsec; 5036 return 0; 5037 } 5038 5039 static void selinux_tun_dev_free_security(void *security) 5040 { 5041 kfree(security); 5042 } 5043 5044 static int selinux_tun_dev_create(void) 5045 { 5046 u32 sid = current_sid(); 5047 5048 /* we aren't taking into account the "sockcreate" SID since the socket 5049 * that is being created here is not a socket in the traditional sense, 5050 * instead it is a private sock, accessible only to the kernel, and 5051 * representing a wide range of network traffic spanning multiple 5052 * connections unlike traditional sockets - check the TUN driver to 5053 * get a better understanding of why this socket is special */ 5054 5055 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5056 NULL); 5057 } 5058 5059 static int selinux_tun_dev_attach_queue(void *security) 5060 { 5061 struct tun_security_struct *tunsec = security; 5062 5063 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5064 TUN_SOCKET__ATTACH_QUEUE, NULL); 5065 } 5066 5067 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5068 { 5069 struct tun_security_struct *tunsec = security; 5070 struct sk_security_struct *sksec = sk->sk_security; 5071 5072 /* we don't currently perform any NetLabel based labeling here and it 5073 * isn't clear that we would want to do so anyway; while we could apply 5074 * labeling without the support of the TUN user the resulting labeled 5075 * traffic from the other end of the connection would almost certainly 5076 * cause confusion to the TUN user that had no idea network labeling 5077 * protocols were being used */ 5078 5079 sksec->sid = tunsec->sid; 5080 sksec->sclass = SECCLASS_TUN_SOCKET; 5081 5082 return 0; 5083 } 5084 5085 static int selinux_tun_dev_open(void *security) 5086 { 5087 struct tun_security_struct *tunsec = security; 5088 u32 sid = current_sid(); 5089 int err; 5090 5091 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5092 TUN_SOCKET__RELABELFROM, NULL); 5093 if (err) 5094 return err; 5095 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 5096 TUN_SOCKET__RELABELTO, NULL); 5097 if (err) 5098 return err; 5099 tunsec->sid = sid; 5100 5101 return 0; 5102 } 5103 5104 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 5105 { 5106 int err = 0; 5107 u32 perm; 5108 struct nlmsghdr *nlh; 5109 struct sk_security_struct *sksec = sk->sk_security; 5110 5111 if (skb->len < NLMSG_HDRLEN) { 5112 err = -EINVAL; 5113 goto out; 5114 } 5115 nlh = nlmsg_hdr(skb); 5116 5117 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 5118 if (err) { 5119 if (err == -EINVAL) { 5120 pr_warn_ratelimited("SELinux: unrecognized netlink" 5121 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 5122 " pig=%d comm=%s\n", 5123 sk->sk_protocol, nlh->nlmsg_type, 5124 secclass_map[sksec->sclass - 1].name, 5125 task_pid_nr(current), current->comm); 5126 if (!selinux_enforcing || security_get_allow_unknown()) 5127 err = 0; 5128 } 5129 5130 /* Ignore */ 5131 if (err == -ENOENT) 5132 err = 0; 5133 goto out; 5134 } 5135 5136 err = sock_has_perm(sk, perm); 5137 out: 5138 return err; 5139 } 5140 5141 #ifdef CONFIG_NETFILTER 5142 5143 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5144 const struct net_device *indev, 5145 u16 family) 5146 { 5147 int err; 5148 char *addrp; 5149 u32 peer_sid; 5150 struct common_audit_data ad; 5151 struct lsm_network_audit net = {0,}; 5152 u8 secmark_active; 5153 u8 netlbl_active; 5154 u8 peerlbl_active; 5155 5156 if (!selinux_policycap_netpeer) 5157 return NF_ACCEPT; 5158 5159 secmark_active = selinux_secmark_enabled(); 5160 netlbl_active = netlbl_enabled(); 5161 peerlbl_active = selinux_peerlbl_enabled(); 5162 if (!secmark_active && !peerlbl_active) 5163 return NF_ACCEPT; 5164 5165 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5166 return NF_DROP; 5167 5168 ad.type = LSM_AUDIT_DATA_NET; 5169 ad.u.net = &net; 5170 ad.u.net->netif = indev->ifindex; 5171 ad.u.net->family = family; 5172 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5173 return NF_DROP; 5174 5175 if (peerlbl_active) { 5176 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5177 addrp, family, peer_sid, &ad); 5178 if (err) { 5179 selinux_netlbl_err(skb, family, err, 1); 5180 return NF_DROP; 5181 } 5182 } 5183 5184 if (secmark_active) 5185 if (avc_has_perm(peer_sid, skb->secmark, 5186 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5187 return NF_DROP; 5188 5189 if (netlbl_active) 5190 /* we do this in the FORWARD path and not the POST_ROUTING 5191 * path because we want to make sure we apply the necessary 5192 * labeling before IPsec is applied so we can leverage AH 5193 * protection */ 5194 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5195 return NF_DROP; 5196 5197 return NF_ACCEPT; 5198 } 5199 5200 static unsigned int selinux_ipv4_forward(void *priv, 5201 struct sk_buff *skb, 5202 const struct nf_hook_state *state) 5203 { 5204 return selinux_ip_forward(skb, state->in, PF_INET); 5205 } 5206 5207 #if IS_ENABLED(CONFIG_IPV6) 5208 static unsigned int selinux_ipv6_forward(void *priv, 5209 struct sk_buff *skb, 5210 const struct nf_hook_state *state) 5211 { 5212 return selinux_ip_forward(skb, state->in, PF_INET6); 5213 } 5214 #endif /* IPV6 */ 5215 5216 static unsigned int selinux_ip_output(struct sk_buff *skb, 5217 u16 family) 5218 { 5219 struct sock *sk; 5220 u32 sid; 5221 5222 if (!netlbl_enabled()) 5223 return NF_ACCEPT; 5224 5225 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5226 * because we want to make sure we apply the necessary labeling 5227 * before IPsec is applied so we can leverage AH protection */ 5228 sk = skb->sk; 5229 if (sk) { 5230 struct sk_security_struct *sksec; 5231 5232 if (sk_listener(sk)) 5233 /* if the socket is the listening state then this 5234 * packet is a SYN-ACK packet which means it needs to 5235 * be labeled based on the connection/request_sock and 5236 * not the parent socket. unfortunately, we can't 5237 * lookup the request_sock yet as it isn't queued on 5238 * the parent socket until after the SYN-ACK is sent. 5239 * the "solution" is to simply pass the packet as-is 5240 * as any IP option based labeling should be copied 5241 * from the initial connection request (in the IP 5242 * layer). it is far from ideal, but until we get a 5243 * security label in the packet itself this is the 5244 * best we can do. */ 5245 return NF_ACCEPT; 5246 5247 /* standard practice, label using the parent socket */ 5248 sksec = sk->sk_security; 5249 sid = sksec->sid; 5250 } else 5251 sid = SECINITSID_KERNEL; 5252 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5253 return NF_DROP; 5254 5255 return NF_ACCEPT; 5256 } 5257 5258 static unsigned int selinux_ipv4_output(void *priv, 5259 struct sk_buff *skb, 5260 const struct nf_hook_state *state) 5261 { 5262 return selinux_ip_output(skb, PF_INET); 5263 } 5264 5265 #if IS_ENABLED(CONFIG_IPV6) 5266 static unsigned int selinux_ipv6_output(void *priv, 5267 struct sk_buff *skb, 5268 const struct nf_hook_state *state) 5269 { 5270 return selinux_ip_output(skb, PF_INET6); 5271 } 5272 #endif /* IPV6 */ 5273 5274 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5275 int ifindex, 5276 u16 family) 5277 { 5278 struct sock *sk = skb_to_full_sk(skb); 5279 struct sk_security_struct *sksec; 5280 struct common_audit_data ad; 5281 struct lsm_network_audit net = {0,}; 5282 char *addrp; 5283 u8 proto; 5284 5285 if (sk == NULL) 5286 return NF_ACCEPT; 5287 sksec = sk->sk_security; 5288 5289 ad.type = LSM_AUDIT_DATA_NET; 5290 ad.u.net = &net; 5291 ad.u.net->netif = ifindex; 5292 ad.u.net->family = family; 5293 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5294 return NF_DROP; 5295 5296 if (selinux_secmark_enabled()) 5297 if (avc_has_perm(sksec->sid, skb->secmark, 5298 SECCLASS_PACKET, PACKET__SEND, &ad)) 5299 return NF_DROP_ERR(-ECONNREFUSED); 5300 5301 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5302 return NF_DROP_ERR(-ECONNREFUSED); 5303 5304 return NF_ACCEPT; 5305 } 5306 5307 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5308 const struct net_device *outdev, 5309 u16 family) 5310 { 5311 u32 secmark_perm; 5312 u32 peer_sid; 5313 int ifindex = outdev->ifindex; 5314 struct sock *sk; 5315 struct common_audit_data ad; 5316 struct lsm_network_audit net = {0,}; 5317 char *addrp; 5318 u8 secmark_active; 5319 u8 peerlbl_active; 5320 5321 /* If any sort of compatibility mode is enabled then handoff processing 5322 * to the selinux_ip_postroute_compat() function to deal with the 5323 * special handling. We do this in an attempt to keep this function 5324 * as fast and as clean as possible. */ 5325 if (!selinux_policycap_netpeer) 5326 return selinux_ip_postroute_compat(skb, ifindex, family); 5327 5328 secmark_active = selinux_secmark_enabled(); 5329 peerlbl_active = selinux_peerlbl_enabled(); 5330 if (!secmark_active && !peerlbl_active) 5331 return NF_ACCEPT; 5332 5333 sk = skb_to_full_sk(skb); 5334 5335 #ifdef CONFIG_XFRM 5336 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5337 * packet transformation so allow the packet to pass without any checks 5338 * since we'll have another chance to perform access control checks 5339 * when the packet is on it's final way out. 5340 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5341 * is NULL, in this case go ahead and apply access control. 5342 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5343 * TCP listening state we cannot wait until the XFRM processing 5344 * is done as we will miss out on the SA label if we do; 5345 * unfortunately, this means more work, but it is only once per 5346 * connection. */ 5347 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5348 !(sk && sk_listener(sk))) 5349 return NF_ACCEPT; 5350 #endif 5351 5352 if (sk == NULL) { 5353 /* Without an associated socket the packet is either coming 5354 * from the kernel or it is being forwarded; check the packet 5355 * to determine which and if the packet is being forwarded 5356 * query the packet directly to determine the security label. */ 5357 if (skb->skb_iif) { 5358 secmark_perm = PACKET__FORWARD_OUT; 5359 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5360 return NF_DROP; 5361 } else { 5362 secmark_perm = PACKET__SEND; 5363 peer_sid = SECINITSID_KERNEL; 5364 } 5365 } else if (sk_listener(sk)) { 5366 /* Locally generated packet but the associated socket is in the 5367 * listening state which means this is a SYN-ACK packet. In 5368 * this particular case the correct security label is assigned 5369 * to the connection/request_sock but unfortunately we can't 5370 * query the request_sock as it isn't queued on the parent 5371 * socket until after the SYN-ACK packet is sent; the only 5372 * viable choice is to regenerate the label like we do in 5373 * selinux_inet_conn_request(). See also selinux_ip_output() 5374 * for similar problems. */ 5375 u32 skb_sid; 5376 struct sk_security_struct *sksec; 5377 5378 sksec = sk->sk_security; 5379 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5380 return NF_DROP; 5381 /* At this point, if the returned skb peerlbl is SECSID_NULL 5382 * and the packet has been through at least one XFRM 5383 * transformation then we must be dealing with the "final" 5384 * form of labeled IPsec packet; since we've already applied 5385 * all of our access controls on this packet we can safely 5386 * pass the packet. */ 5387 if (skb_sid == SECSID_NULL) { 5388 switch (family) { 5389 case PF_INET: 5390 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5391 return NF_ACCEPT; 5392 break; 5393 case PF_INET6: 5394 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5395 return NF_ACCEPT; 5396 break; 5397 default: 5398 return NF_DROP_ERR(-ECONNREFUSED); 5399 } 5400 } 5401 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5402 return NF_DROP; 5403 secmark_perm = PACKET__SEND; 5404 } else { 5405 /* Locally generated packet, fetch the security label from the 5406 * associated socket. */ 5407 struct sk_security_struct *sksec = sk->sk_security; 5408 peer_sid = sksec->sid; 5409 secmark_perm = PACKET__SEND; 5410 } 5411 5412 ad.type = LSM_AUDIT_DATA_NET; 5413 ad.u.net = &net; 5414 ad.u.net->netif = ifindex; 5415 ad.u.net->family = family; 5416 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5417 return NF_DROP; 5418 5419 if (secmark_active) 5420 if (avc_has_perm(peer_sid, skb->secmark, 5421 SECCLASS_PACKET, secmark_perm, &ad)) 5422 return NF_DROP_ERR(-ECONNREFUSED); 5423 5424 if (peerlbl_active) { 5425 u32 if_sid; 5426 u32 node_sid; 5427 5428 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5429 return NF_DROP; 5430 if (avc_has_perm(peer_sid, if_sid, 5431 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5432 return NF_DROP_ERR(-ECONNREFUSED); 5433 5434 if (sel_netnode_sid(addrp, family, &node_sid)) 5435 return NF_DROP; 5436 if (avc_has_perm(peer_sid, node_sid, 5437 SECCLASS_NODE, NODE__SENDTO, &ad)) 5438 return NF_DROP_ERR(-ECONNREFUSED); 5439 } 5440 5441 return NF_ACCEPT; 5442 } 5443 5444 static unsigned int selinux_ipv4_postroute(void *priv, 5445 struct sk_buff *skb, 5446 const struct nf_hook_state *state) 5447 { 5448 return selinux_ip_postroute(skb, state->out, PF_INET); 5449 } 5450 5451 #if IS_ENABLED(CONFIG_IPV6) 5452 static unsigned int selinux_ipv6_postroute(void *priv, 5453 struct sk_buff *skb, 5454 const struct nf_hook_state *state) 5455 { 5456 return selinux_ip_postroute(skb, state->out, PF_INET6); 5457 } 5458 #endif /* IPV6 */ 5459 5460 #endif /* CONFIG_NETFILTER */ 5461 5462 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5463 { 5464 return selinux_nlmsg_perm(sk, skb); 5465 } 5466 5467 static int ipc_alloc_security(struct kern_ipc_perm *perm, 5468 u16 sclass) 5469 { 5470 struct ipc_security_struct *isec; 5471 5472 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 5473 if (!isec) 5474 return -ENOMEM; 5475 5476 isec->sclass = sclass; 5477 isec->sid = current_sid(); 5478 perm->security = isec; 5479 5480 return 0; 5481 } 5482 5483 static void ipc_free_security(struct kern_ipc_perm *perm) 5484 { 5485 struct ipc_security_struct *isec = perm->security; 5486 perm->security = NULL; 5487 kfree(isec); 5488 } 5489 5490 static int msg_msg_alloc_security(struct msg_msg *msg) 5491 { 5492 struct msg_security_struct *msec; 5493 5494 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 5495 if (!msec) 5496 return -ENOMEM; 5497 5498 msec->sid = SECINITSID_UNLABELED; 5499 msg->security = msec; 5500 5501 return 0; 5502 } 5503 5504 static void msg_msg_free_security(struct msg_msg *msg) 5505 { 5506 struct msg_security_struct *msec = msg->security; 5507 5508 msg->security = NULL; 5509 kfree(msec); 5510 } 5511 5512 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5513 u32 perms) 5514 { 5515 struct ipc_security_struct *isec; 5516 struct common_audit_data ad; 5517 u32 sid = current_sid(); 5518 5519 isec = ipc_perms->security; 5520 5521 ad.type = LSM_AUDIT_DATA_IPC; 5522 ad.u.ipc_id = ipc_perms->key; 5523 5524 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 5525 } 5526 5527 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5528 { 5529 return msg_msg_alloc_security(msg); 5530 } 5531 5532 static void selinux_msg_msg_free_security(struct msg_msg *msg) 5533 { 5534 msg_msg_free_security(msg); 5535 } 5536 5537 /* message queue security operations */ 5538 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 5539 { 5540 struct ipc_security_struct *isec; 5541 struct common_audit_data ad; 5542 u32 sid = current_sid(); 5543 int rc; 5544 5545 rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ); 5546 if (rc) 5547 return rc; 5548 5549 isec = msq->q_perm.security; 5550 5551 ad.type = LSM_AUDIT_DATA_IPC; 5552 ad.u.ipc_id = msq->q_perm.key; 5553 5554 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5555 MSGQ__CREATE, &ad); 5556 if (rc) { 5557 ipc_free_security(&msq->q_perm); 5558 return rc; 5559 } 5560 return 0; 5561 } 5562 5563 static void selinux_msg_queue_free_security(struct msg_queue *msq) 5564 { 5565 ipc_free_security(&msq->q_perm); 5566 } 5567 5568 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 5569 { 5570 struct ipc_security_struct *isec; 5571 struct common_audit_data ad; 5572 u32 sid = current_sid(); 5573 5574 isec = msq->q_perm.security; 5575 5576 ad.type = LSM_AUDIT_DATA_IPC; 5577 ad.u.ipc_id = msq->q_perm.key; 5578 5579 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5580 MSGQ__ASSOCIATE, &ad); 5581 } 5582 5583 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 5584 { 5585 int err; 5586 int perms; 5587 5588 switch (cmd) { 5589 case IPC_INFO: 5590 case MSG_INFO: 5591 /* No specific object, just general system-wide information. */ 5592 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 5593 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5594 case IPC_STAT: 5595 case MSG_STAT: 5596 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 5597 break; 5598 case IPC_SET: 5599 perms = MSGQ__SETATTR; 5600 break; 5601 case IPC_RMID: 5602 perms = MSGQ__DESTROY; 5603 break; 5604 default: 5605 return 0; 5606 } 5607 5608 err = ipc_has_perm(&msq->q_perm, perms); 5609 return err; 5610 } 5611 5612 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 5613 { 5614 struct ipc_security_struct *isec; 5615 struct msg_security_struct *msec; 5616 struct common_audit_data ad; 5617 u32 sid = current_sid(); 5618 int rc; 5619 5620 isec = msq->q_perm.security; 5621 msec = msg->security; 5622 5623 /* 5624 * First time through, need to assign label to the message 5625 */ 5626 if (msec->sid == SECINITSID_UNLABELED) { 5627 /* 5628 * Compute new sid based on current process and 5629 * message queue this message will be stored in 5630 */ 5631 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, 5632 NULL, &msec->sid); 5633 if (rc) 5634 return rc; 5635 } 5636 5637 ad.type = LSM_AUDIT_DATA_IPC; 5638 ad.u.ipc_id = msq->q_perm.key; 5639 5640 /* Can this process write to the queue? */ 5641 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5642 MSGQ__WRITE, &ad); 5643 if (!rc) 5644 /* Can this process send the message */ 5645 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 5646 MSG__SEND, &ad); 5647 if (!rc) 5648 /* Can the message be put in the queue? */ 5649 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 5650 MSGQ__ENQUEUE, &ad); 5651 5652 return rc; 5653 } 5654 5655 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 5656 struct task_struct *target, 5657 long type, int mode) 5658 { 5659 struct ipc_security_struct *isec; 5660 struct msg_security_struct *msec; 5661 struct common_audit_data ad; 5662 u32 sid = task_sid(target); 5663 int rc; 5664 5665 isec = msq->q_perm.security; 5666 msec = msg->security; 5667 5668 ad.type = LSM_AUDIT_DATA_IPC; 5669 ad.u.ipc_id = msq->q_perm.key; 5670 5671 rc = avc_has_perm(sid, isec->sid, 5672 SECCLASS_MSGQ, MSGQ__READ, &ad); 5673 if (!rc) 5674 rc = avc_has_perm(sid, msec->sid, 5675 SECCLASS_MSG, MSG__RECEIVE, &ad); 5676 return rc; 5677 } 5678 5679 /* Shared Memory security operations */ 5680 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 5681 { 5682 struct ipc_security_struct *isec; 5683 struct common_audit_data ad; 5684 u32 sid = current_sid(); 5685 int rc; 5686 5687 rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM); 5688 if (rc) 5689 return rc; 5690 5691 isec = shp->shm_perm.security; 5692 5693 ad.type = LSM_AUDIT_DATA_IPC; 5694 ad.u.ipc_id = shp->shm_perm.key; 5695 5696 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5697 SHM__CREATE, &ad); 5698 if (rc) { 5699 ipc_free_security(&shp->shm_perm); 5700 return rc; 5701 } 5702 return 0; 5703 } 5704 5705 static void selinux_shm_free_security(struct shmid_kernel *shp) 5706 { 5707 ipc_free_security(&shp->shm_perm); 5708 } 5709 5710 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 5711 { 5712 struct ipc_security_struct *isec; 5713 struct common_audit_data ad; 5714 u32 sid = current_sid(); 5715 5716 isec = shp->shm_perm.security; 5717 5718 ad.type = LSM_AUDIT_DATA_IPC; 5719 ad.u.ipc_id = shp->shm_perm.key; 5720 5721 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5722 SHM__ASSOCIATE, &ad); 5723 } 5724 5725 /* Note, at this point, shp is locked down */ 5726 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 5727 { 5728 int perms; 5729 int err; 5730 5731 switch (cmd) { 5732 case IPC_INFO: 5733 case SHM_INFO: 5734 /* No specific object, just general system-wide information. */ 5735 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 5736 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5737 case IPC_STAT: 5738 case SHM_STAT: 5739 perms = SHM__GETATTR | SHM__ASSOCIATE; 5740 break; 5741 case IPC_SET: 5742 perms = SHM__SETATTR; 5743 break; 5744 case SHM_LOCK: 5745 case SHM_UNLOCK: 5746 perms = SHM__LOCK; 5747 break; 5748 case IPC_RMID: 5749 perms = SHM__DESTROY; 5750 break; 5751 default: 5752 return 0; 5753 } 5754 5755 err = ipc_has_perm(&shp->shm_perm, perms); 5756 return err; 5757 } 5758 5759 static int selinux_shm_shmat(struct shmid_kernel *shp, 5760 char __user *shmaddr, int shmflg) 5761 { 5762 u32 perms; 5763 5764 if (shmflg & SHM_RDONLY) 5765 perms = SHM__READ; 5766 else 5767 perms = SHM__READ | SHM__WRITE; 5768 5769 return ipc_has_perm(&shp->shm_perm, perms); 5770 } 5771 5772 /* Semaphore security operations */ 5773 static int selinux_sem_alloc_security(struct sem_array *sma) 5774 { 5775 struct ipc_security_struct *isec; 5776 struct common_audit_data ad; 5777 u32 sid = current_sid(); 5778 int rc; 5779 5780 rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM); 5781 if (rc) 5782 return rc; 5783 5784 isec = sma->sem_perm.security; 5785 5786 ad.type = LSM_AUDIT_DATA_IPC; 5787 ad.u.ipc_id = sma->sem_perm.key; 5788 5789 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5790 SEM__CREATE, &ad); 5791 if (rc) { 5792 ipc_free_security(&sma->sem_perm); 5793 return rc; 5794 } 5795 return 0; 5796 } 5797 5798 static void selinux_sem_free_security(struct sem_array *sma) 5799 { 5800 ipc_free_security(&sma->sem_perm); 5801 } 5802 5803 static int selinux_sem_associate(struct sem_array *sma, int semflg) 5804 { 5805 struct ipc_security_struct *isec; 5806 struct common_audit_data ad; 5807 u32 sid = current_sid(); 5808 5809 isec = sma->sem_perm.security; 5810 5811 ad.type = LSM_AUDIT_DATA_IPC; 5812 ad.u.ipc_id = sma->sem_perm.key; 5813 5814 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5815 SEM__ASSOCIATE, &ad); 5816 } 5817 5818 /* Note, at this point, sma is locked down */ 5819 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 5820 { 5821 int err; 5822 u32 perms; 5823 5824 switch (cmd) { 5825 case IPC_INFO: 5826 case SEM_INFO: 5827 /* No specific object, just general system-wide information. */ 5828 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 5829 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5830 case GETPID: 5831 case GETNCNT: 5832 case GETZCNT: 5833 perms = SEM__GETATTR; 5834 break; 5835 case GETVAL: 5836 case GETALL: 5837 perms = SEM__READ; 5838 break; 5839 case SETVAL: 5840 case SETALL: 5841 perms = SEM__WRITE; 5842 break; 5843 case IPC_RMID: 5844 perms = SEM__DESTROY; 5845 break; 5846 case IPC_SET: 5847 perms = SEM__SETATTR; 5848 break; 5849 case IPC_STAT: 5850 case SEM_STAT: 5851 perms = SEM__GETATTR | SEM__ASSOCIATE; 5852 break; 5853 default: 5854 return 0; 5855 } 5856 5857 err = ipc_has_perm(&sma->sem_perm, perms); 5858 return err; 5859 } 5860 5861 static int selinux_sem_semop(struct sem_array *sma, 5862 struct sembuf *sops, unsigned nsops, int alter) 5863 { 5864 u32 perms; 5865 5866 if (alter) 5867 perms = SEM__READ | SEM__WRITE; 5868 else 5869 perms = SEM__READ; 5870 5871 return ipc_has_perm(&sma->sem_perm, perms); 5872 } 5873 5874 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 5875 { 5876 u32 av = 0; 5877 5878 av = 0; 5879 if (flag & S_IRUGO) 5880 av |= IPC__UNIX_READ; 5881 if (flag & S_IWUGO) 5882 av |= IPC__UNIX_WRITE; 5883 5884 if (av == 0) 5885 return 0; 5886 5887 return ipc_has_perm(ipcp, av); 5888 } 5889 5890 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 5891 { 5892 struct ipc_security_struct *isec = ipcp->security; 5893 *secid = isec->sid; 5894 } 5895 5896 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 5897 { 5898 if (inode) 5899 inode_doinit_with_dentry(inode, dentry); 5900 } 5901 5902 static int selinux_getprocattr(struct task_struct *p, 5903 char *name, char **value) 5904 { 5905 const struct task_security_struct *__tsec; 5906 u32 sid; 5907 int error; 5908 unsigned len; 5909 5910 rcu_read_lock(); 5911 __tsec = __task_cred(p)->security; 5912 5913 if (current != p) { 5914 error = avc_has_perm(current_sid(), __tsec->sid, 5915 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 5916 if (error) 5917 goto bad; 5918 } 5919 5920 if (!strcmp(name, "current")) 5921 sid = __tsec->sid; 5922 else if (!strcmp(name, "prev")) 5923 sid = __tsec->osid; 5924 else if (!strcmp(name, "exec")) 5925 sid = __tsec->exec_sid; 5926 else if (!strcmp(name, "fscreate")) 5927 sid = __tsec->create_sid; 5928 else if (!strcmp(name, "keycreate")) 5929 sid = __tsec->keycreate_sid; 5930 else if (!strcmp(name, "sockcreate")) 5931 sid = __tsec->sockcreate_sid; 5932 else { 5933 error = -EINVAL; 5934 goto bad; 5935 } 5936 rcu_read_unlock(); 5937 5938 if (!sid) 5939 return 0; 5940 5941 error = security_sid_to_context(sid, value, &len); 5942 if (error) 5943 return error; 5944 return len; 5945 5946 bad: 5947 rcu_read_unlock(); 5948 return error; 5949 } 5950 5951 static int selinux_setprocattr(const char *name, void *value, size_t size) 5952 { 5953 struct task_security_struct *tsec; 5954 struct cred *new; 5955 u32 mysid = current_sid(), sid = 0, ptsid; 5956 int error; 5957 char *str = value; 5958 5959 /* 5960 * Basic control over ability to set these attributes at all. 5961 */ 5962 if (!strcmp(name, "exec")) 5963 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5964 PROCESS__SETEXEC, NULL); 5965 else if (!strcmp(name, "fscreate")) 5966 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5967 PROCESS__SETFSCREATE, NULL); 5968 else if (!strcmp(name, "keycreate")) 5969 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5970 PROCESS__SETKEYCREATE, NULL); 5971 else if (!strcmp(name, "sockcreate")) 5972 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5973 PROCESS__SETSOCKCREATE, NULL); 5974 else if (!strcmp(name, "current")) 5975 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5976 PROCESS__SETCURRENT, NULL); 5977 else 5978 error = -EINVAL; 5979 if (error) 5980 return error; 5981 5982 /* Obtain a SID for the context, if one was specified. */ 5983 if (size && str[0] && str[0] != '\n') { 5984 if (str[size-1] == '\n') { 5985 str[size-1] = 0; 5986 size--; 5987 } 5988 error = security_context_to_sid(value, size, &sid, GFP_KERNEL); 5989 if (error == -EINVAL && !strcmp(name, "fscreate")) { 5990 if (!has_cap_mac_admin(true)) { 5991 struct audit_buffer *ab; 5992 size_t audit_size; 5993 5994 /* We strip a nul only if it is at the end, otherwise the 5995 * context contains a nul and we should audit that */ 5996 if (str[size - 1] == '\0') 5997 audit_size = size - 1; 5998 else 5999 audit_size = size; 6000 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 6001 audit_log_format(ab, "op=fscreate invalid_context="); 6002 audit_log_n_untrustedstring(ab, value, audit_size); 6003 audit_log_end(ab); 6004 6005 return error; 6006 } 6007 error = security_context_to_sid_force(value, size, 6008 &sid); 6009 } 6010 if (error) 6011 return error; 6012 } 6013 6014 new = prepare_creds(); 6015 if (!new) 6016 return -ENOMEM; 6017 6018 /* Permission checking based on the specified context is 6019 performed during the actual operation (execve, 6020 open/mkdir/...), when we know the full context of the 6021 operation. See selinux_bprm_set_creds for the execve 6022 checks and may_create for the file creation checks. The 6023 operation will then fail if the context is not permitted. */ 6024 tsec = new->security; 6025 if (!strcmp(name, "exec")) { 6026 tsec->exec_sid = sid; 6027 } else if (!strcmp(name, "fscreate")) { 6028 tsec->create_sid = sid; 6029 } else if (!strcmp(name, "keycreate")) { 6030 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE, 6031 NULL); 6032 if (error) 6033 goto abort_change; 6034 tsec->keycreate_sid = sid; 6035 } else if (!strcmp(name, "sockcreate")) { 6036 tsec->sockcreate_sid = sid; 6037 } else if (!strcmp(name, "current")) { 6038 error = -EINVAL; 6039 if (sid == 0) 6040 goto abort_change; 6041 6042 /* Only allow single threaded processes to change context */ 6043 error = -EPERM; 6044 if (!current_is_single_threaded()) { 6045 error = security_bounded_transition(tsec->sid, sid); 6046 if (error) 6047 goto abort_change; 6048 } 6049 6050 /* Check permissions for the transition. */ 6051 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 6052 PROCESS__DYNTRANSITION, NULL); 6053 if (error) 6054 goto abort_change; 6055 6056 /* Check for ptracing, and update the task SID if ok. 6057 Otherwise, leave SID unchanged and fail. */ 6058 ptsid = ptrace_parent_sid(); 6059 if (ptsid != 0) { 6060 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 6061 PROCESS__PTRACE, NULL); 6062 if (error) 6063 goto abort_change; 6064 } 6065 6066 tsec->sid = sid; 6067 } else { 6068 error = -EINVAL; 6069 goto abort_change; 6070 } 6071 6072 commit_creds(new); 6073 return size; 6074 6075 abort_change: 6076 abort_creds(new); 6077 return error; 6078 } 6079 6080 static int selinux_ismaclabel(const char *name) 6081 { 6082 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6083 } 6084 6085 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6086 { 6087 return security_sid_to_context(secid, secdata, seclen); 6088 } 6089 6090 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6091 { 6092 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL); 6093 } 6094 6095 static void selinux_release_secctx(char *secdata, u32 seclen) 6096 { 6097 kfree(secdata); 6098 } 6099 6100 static void selinux_inode_invalidate_secctx(struct inode *inode) 6101 { 6102 struct inode_security_struct *isec = inode->i_security; 6103 6104 spin_lock(&isec->lock); 6105 isec->initialized = LABEL_INVALID; 6106 spin_unlock(&isec->lock); 6107 } 6108 6109 /* 6110 * called with inode->i_mutex locked 6111 */ 6112 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6113 { 6114 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 6115 } 6116 6117 /* 6118 * called with inode->i_mutex locked 6119 */ 6120 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6121 { 6122 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 6123 } 6124 6125 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6126 { 6127 int len = 0; 6128 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 6129 ctx, true); 6130 if (len < 0) 6131 return len; 6132 *ctxlen = len; 6133 return 0; 6134 } 6135 #ifdef CONFIG_KEYS 6136 6137 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6138 unsigned long flags) 6139 { 6140 const struct task_security_struct *tsec; 6141 struct key_security_struct *ksec; 6142 6143 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6144 if (!ksec) 6145 return -ENOMEM; 6146 6147 tsec = cred->security; 6148 if (tsec->keycreate_sid) 6149 ksec->sid = tsec->keycreate_sid; 6150 else 6151 ksec->sid = tsec->sid; 6152 6153 k->security = ksec; 6154 return 0; 6155 } 6156 6157 static void selinux_key_free(struct key *k) 6158 { 6159 struct key_security_struct *ksec = k->security; 6160 6161 k->security = NULL; 6162 kfree(ksec); 6163 } 6164 6165 static int selinux_key_permission(key_ref_t key_ref, 6166 const struct cred *cred, 6167 unsigned perm) 6168 { 6169 struct key *key; 6170 struct key_security_struct *ksec; 6171 u32 sid; 6172 6173 /* if no specific permissions are requested, we skip the 6174 permission check. No serious, additional covert channels 6175 appear to be created. */ 6176 if (perm == 0) 6177 return 0; 6178 6179 sid = cred_sid(cred); 6180 6181 key = key_ref_to_ptr(key_ref); 6182 ksec = key->security; 6183 6184 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6185 } 6186 6187 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6188 { 6189 struct key_security_struct *ksec = key->security; 6190 char *context = NULL; 6191 unsigned len; 6192 int rc; 6193 6194 rc = security_sid_to_context(ksec->sid, &context, &len); 6195 if (!rc) 6196 rc = len; 6197 *_buffer = context; 6198 return rc; 6199 } 6200 #endif 6201 6202 #ifdef CONFIG_SECURITY_INFINIBAND 6203 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6204 { 6205 struct common_audit_data ad; 6206 int err; 6207 u32 sid = 0; 6208 struct ib_security_struct *sec = ib_sec; 6209 struct lsm_ibpkey_audit ibpkey; 6210 6211 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6212 if (err) 6213 return err; 6214 6215 ad.type = LSM_AUDIT_DATA_IBPKEY; 6216 ibpkey.subnet_prefix = subnet_prefix; 6217 ibpkey.pkey = pkey_val; 6218 ad.u.ibpkey = &ibpkey; 6219 return avc_has_perm(sec->sid, sid, 6220 SECCLASS_INFINIBAND_PKEY, 6221 INFINIBAND_PKEY__ACCESS, &ad); 6222 } 6223 6224 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6225 u8 port_num) 6226 { 6227 struct common_audit_data ad; 6228 int err; 6229 u32 sid = 0; 6230 struct ib_security_struct *sec = ib_sec; 6231 struct lsm_ibendport_audit ibendport; 6232 6233 err = security_ib_endport_sid(dev_name, port_num, &sid); 6234 6235 if (err) 6236 return err; 6237 6238 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6239 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6240 ibendport.port = port_num; 6241 ad.u.ibendport = &ibendport; 6242 return avc_has_perm(sec->sid, sid, 6243 SECCLASS_INFINIBAND_ENDPORT, 6244 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6245 } 6246 6247 static int selinux_ib_alloc_security(void **ib_sec) 6248 { 6249 struct ib_security_struct *sec; 6250 6251 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6252 if (!sec) 6253 return -ENOMEM; 6254 sec->sid = current_sid(); 6255 6256 *ib_sec = sec; 6257 return 0; 6258 } 6259 6260 static void selinux_ib_free_security(void *ib_sec) 6261 { 6262 kfree(ib_sec); 6263 } 6264 #endif 6265 6266 #ifdef CONFIG_BPF_SYSCALL 6267 static int selinux_bpf(int cmd, union bpf_attr *attr, 6268 unsigned int size) 6269 { 6270 u32 sid = current_sid(); 6271 int ret; 6272 6273 switch (cmd) { 6274 case BPF_MAP_CREATE: 6275 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6276 NULL); 6277 break; 6278 case BPF_PROG_LOAD: 6279 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6280 NULL); 6281 break; 6282 default: 6283 ret = 0; 6284 break; 6285 } 6286 6287 return ret; 6288 } 6289 6290 static u32 bpf_map_fmode_to_av(fmode_t fmode) 6291 { 6292 u32 av = 0; 6293 6294 if (fmode & FMODE_READ) 6295 av |= BPF__MAP_READ; 6296 if (fmode & FMODE_WRITE) 6297 av |= BPF__MAP_WRITE; 6298 return av; 6299 } 6300 6301 /* This function will check the file pass through unix socket or binder to see 6302 * if it is a bpf related object. And apply correspinding checks on the bpf 6303 * object based on the type. The bpf maps and programs, not like other files and 6304 * socket, are using a shared anonymous inode inside the kernel as their inode. 6305 * So checking that inode cannot identify if the process have privilege to 6306 * access the bpf object and that's why we have to add this additional check in 6307 * selinux_file_receive and selinux_binder_transfer_files. 6308 */ 6309 static int bpf_fd_pass(struct file *file, u32 sid) 6310 { 6311 struct bpf_security_struct *bpfsec; 6312 struct bpf_prog *prog; 6313 struct bpf_map *map; 6314 int ret; 6315 6316 if (file->f_op == &bpf_map_fops) { 6317 map = file->private_data; 6318 bpfsec = map->security; 6319 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6320 bpf_map_fmode_to_av(file->f_mode), NULL); 6321 if (ret) 6322 return ret; 6323 } else if (file->f_op == &bpf_prog_fops) { 6324 prog = file->private_data; 6325 bpfsec = prog->aux->security; 6326 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6327 BPF__PROG_RUN, NULL); 6328 if (ret) 6329 return ret; 6330 } 6331 return 0; 6332 } 6333 6334 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 6335 { 6336 u32 sid = current_sid(); 6337 struct bpf_security_struct *bpfsec; 6338 6339 bpfsec = map->security; 6340 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6341 bpf_map_fmode_to_av(fmode), NULL); 6342 } 6343 6344 static int selinux_bpf_prog(struct bpf_prog *prog) 6345 { 6346 u32 sid = current_sid(); 6347 struct bpf_security_struct *bpfsec; 6348 6349 bpfsec = prog->aux->security; 6350 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6351 BPF__PROG_RUN, NULL); 6352 } 6353 6354 static int selinux_bpf_map_alloc(struct bpf_map *map) 6355 { 6356 struct bpf_security_struct *bpfsec; 6357 6358 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6359 if (!bpfsec) 6360 return -ENOMEM; 6361 6362 bpfsec->sid = current_sid(); 6363 map->security = bpfsec; 6364 6365 return 0; 6366 } 6367 6368 static void selinux_bpf_map_free(struct bpf_map *map) 6369 { 6370 struct bpf_security_struct *bpfsec = map->security; 6371 6372 map->security = NULL; 6373 kfree(bpfsec); 6374 } 6375 6376 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux) 6377 { 6378 struct bpf_security_struct *bpfsec; 6379 6380 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6381 if (!bpfsec) 6382 return -ENOMEM; 6383 6384 bpfsec->sid = current_sid(); 6385 aux->security = bpfsec; 6386 6387 return 0; 6388 } 6389 6390 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) 6391 { 6392 struct bpf_security_struct *bpfsec = aux->security; 6393 6394 aux->security = NULL; 6395 kfree(bpfsec); 6396 } 6397 #endif 6398 6399 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 6400 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6401 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6402 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6403 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6404 6405 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 6406 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 6407 LSM_HOOK_INIT(capget, selinux_capget), 6408 LSM_HOOK_INIT(capset, selinux_capset), 6409 LSM_HOOK_INIT(capable, selinux_capable), 6410 LSM_HOOK_INIT(quotactl, selinux_quotactl), 6411 LSM_HOOK_INIT(quota_on, selinux_quota_on), 6412 LSM_HOOK_INIT(syslog, selinux_syslog), 6413 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6414 6415 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6416 6417 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6418 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6419 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6420 6421 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6422 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6423 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data), 6424 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6425 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6426 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6427 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 6428 LSM_HOOK_INIT(sb_mount, selinux_mount), 6429 LSM_HOOK_INIT(sb_umount, selinux_umount), 6430 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 6431 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 6432 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), 6433 6434 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 6435 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 6436 6437 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 6438 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 6439 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 6440 LSM_HOOK_INIT(inode_create, selinux_inode_create), 6441 LSM_HOOK_INIT(inode_link, selinux_inode_link), 6442 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 6443 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 6444 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 6445 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 6446 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 6447 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 6448 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 6449 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 6450 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 6451 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 6452 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 6453 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 6454 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 6455 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 6456 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 6457 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 6458 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 6459 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 6460 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 6461 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 6462 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 6463 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 6464 6465 LSM_HOOK_INIT(file_permission, selinux_file_permission), 6466 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 6467 LSM_HOOK_INIT(file_free_security, selinux_file_free_security), 6468 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 6469 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 6470 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 6471 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 6472 LSM_HOOK_INIT(file_lock, selinux_file_lock), 6473 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 6474 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 6475 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 6476 LSM_HOOK_INIT(file_receive, selinux_file_receive), 6477 6478 LSM_HOOK_INIT(file_open, selinux_file_open), 6479 6480 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 6481 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), 6482 LSM_HOOK_INIT(cred_free, selinux_cred_free), 6483 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6484 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6485 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6486 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6487 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6488 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 6489 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 6490 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 6491 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 6492 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), 6493 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 6494 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 6495 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 6496 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 6497 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 6498 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 6499 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 6500 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 6501 LSM_HOOK_INIT(task_kill, selinux_task_kill), 6502 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 6503 6504 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 6505 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 6506 6507 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 6508 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security), 6509 6510 LSM_HOOK_INIT(msg_queue_alloc_security, 6511 selinux_msg_queue_alloc_security), 6512 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security), 6513 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 6514 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 6515 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 6516 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 6517 6518 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 6519 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security), 6520 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 6521 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 6522 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 6523 6524 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 6525 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security), 6526 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 6527 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 6528 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 6529 6530 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 6531 6532 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 6533 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 6534 6535 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 6536 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 6537 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 6538 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 6539 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 6540 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 6541 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 6542 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 6543 6544 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 6545 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 6546 6547 LSM_HOOK_INIT(socket_create, selinux_socket_create), 6548 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 6549 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 6550 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 6551 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 6552 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 6553 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 6554 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 6555 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 6556 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 6557 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 6558 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 6559 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 6560 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 6561 LSM_HOOK_INIT(socket_getpeersec_stream, 6562 selinux_socket_getpeersec_stream), 6563 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 6564 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 6565 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 6566 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 6567 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 6568 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 6569 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 6570 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 6571 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 6572 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 6573 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 6574 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 6575 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 6576 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 6577 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 6578 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 6579 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 6580 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 6581 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 6582 #ifdef CONFIG_SECURITY_INFINIBAND 6583 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 6584 LSM_HOOK_INIT(ib_endport_manage_subnet, 6585 selinux_ib_endport_manage_subnet), 6586 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 6587 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 6588 #endif 6589 #ifdef CONFIG_SECURITY_NETWORK_XFRM 6590 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 6591 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 6592 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 6593 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 6594 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 6595 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 6596 selinux_xfrm_state_alloc_acquire), 6597 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 6598 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 6599 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 6600 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 6601 selinux_xfrm_state_pol_flow_match), 6602 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 6603 #endif 6604 6605 #ifdef CONFIG_KEYS 6606 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 6607 LSM_HOOK_INIT(key_free, selinux_key_free), 6608 LSM_HOOK_INIT(key_permission, selinux_key_permission), 6609 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 6610 #endif 6611 6612 #ifdef CONFIG_AUDIT 6613 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 6614 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 6615 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 6616 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 6617 #endif 6618 6619 #ifdef CONFIG_BPF_SYSCALL 6620 LSM_HOOK_INIT(bpf, selinux_bpf), 6621 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 6622 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 6623 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), 6624 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), 6625 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free), 6626 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free), 6627 #endif 6628 }; 6629 6630 static __init int selinux_init(void) 6631 { 6632 if (!security_module_enable("selinux")) { 6633 selinux_enabled = 0; 6634 return 0; 6635 } 6636 6637 if (!selinux_enabled) { 6638 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 6639 return 0; 6640 } 6641 6642 printk(KERN_INFO "SELinux: Initializing.\n"); 6643 6644 /* Set the security state for the initial task. */ 6645 cred_init_security(); 6646 6647 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 6648 6649 sel_inode_cache = kmem_cache_create("selinux_inode_security", 6650 sizeof(struct inode_security_struct), 6651 0, SLAB_PANIC, NULL); 6652 file_security_cache = kmem_cache_create("selinux_file_security", 6653 sizeof(struct file_security_struct), 6654 0, SLAB_PANIC, NULL); 6655 avc_init(); 6656 6657 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 6658 6659 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 6660 panic("SELinux: Unable to register AVC netcache callback\n"); 6661 6662 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 6663 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 6664 6665 if (selinux_enforcing) 6666 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 6667 else 6668 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 6669 6670 return 0; 6671 } 6672 6673 static void delayed_superblock_init(struct super_block *sb, void *unused) 6674 { 6675 superblock_doinit(sb, NULL); 6676 } 6677 6678 void selinux_complete_init(void) 6679 { 6680 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 6681 6682 /* Set up any superblocks initialized prior to the policy load. */ 6683 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 6684 iterate_supers(delayed_superblock_init, NULL); 6685 } 6686 6687 /* SELinux requires early initialization in order to label 6688 all processes and objects when they are created. */ 6689 security_initcall(selinux_init); 6690 6691 #if defined(CONFIG_NETFILTER) 6692 6693 static const struct nf_hook_ops selinux_nf_ops[] = { 6694 { 6695 .hook = selinux_ipv4_postroute, 6696 .pf = NFPROTO_IPV4, 6697 .hooknum = NF_INET_POST_ROUTING, 6698 .priority = NF_IP_PRI_SELINUX_LAST, 6699 }, 6700 { 6701 .hook = selinux_ipv4_forward, 6702 .pf = NFPROTO_IPV4, 6703 .hooknum = NF_INET_FORWARD, 6704 .priority = NF_IP_PRI_SELINUX_FIRST, 6705 }, 6706 { 6707 .hook = selinux_ipv4_output, 6708 .pf = NFPROTO_IPV4, 6709 .hooknum = NF_INET_LOCAL_OUT, 6710 .priority = NF_IP_PRI_SELINUX_FIRST, 6711 }, 6712 #if IS_ENABLED(CONFIG_IPV6) 6713 { 6714 .hook = selinux_ipv6_postroute, 6715 .pf = NFPROTO_IPV6, 6716 .hooknum = NF_INET_POST_ROUTING, 6717 .priority = NF_IP6_PRI_SELINUX_LAST, 6718 }, 6719 { 6720 .hook = selinux_ipv6_forward, 6721 .pf = NFPROTO_IPV6, 6722 .hooknum = NF_INET_FORWARD, 6723 .priority = NF_IP6_PRI_SELINUX_FIRST, 6724 }, 6725 { 6726 .hook = selinux_ipv6_output, 6727 .pf = NFPROTO_IPV6, 6728 .hooknum = NF_INET_LOCAL_OUT, 6729 .priority = NF_IP6_PRI_SELINUX_FIRST, 6730 }, 6731 #endif /* IPV6 */ 6732 }; 6733 6734 static int __net_init selinux_nf_register(struct net *net) 6735 { 6736 return nf_register_net_hooks(net, selinux_nf_ops, 6737 ARRAY_SIZE(selinux_nf_ops)); 6738 } 6739 6740 static void __net_exit selinux_nf_unregister(struct net *net) 6741 { 6742 nf_unregister_net_hooks(net, selinux_nf_ops, 6743 ARRAY_SIZE(selinux_nf_ops)); 6744 } 6745 6746 static struct pernet_operations selinux_net_ops = { 6747 .init = selinux_nf_register, 6748 .exit = selinux_nf_unregister, 6749 }; 6750 6751 static int __init selinux_nf_ip_init(void) 6752 { 6753 int err; 6754 6755 if (!selinux_enabled) 6756 return 0; 6757 6758 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 6759 6760 err = register_pernet_subsys(&selinux_net_ops); 6761 if (err) 6762 panic("SELinux: register_pernet_subsys: error %d\n", err); 6763 6764 return 0; 6765 } 6766 __initcall(selinux_nf_ip_init); 6767 6768 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6769 static void selinux_nf_ip_exit(void) 6770 { 6771 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 6772 6773 unregister_pernet_subsys(&selinux_net_ops); 6774 } 6775 #endif 6776 6777 #else /* CONFIG_NETFILTER */ 6778 6779 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6780 #define selinux_nf_ip_exit() 6781 #endif 6782 6783 #endif /* CONFIG_NETFILTER */ 6784 6785 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6786 static int selinux_disabled; 6787 6788 int selinux_disable(void) 6789 { 6790 if (ss_initialized) { 6791 /* Not permitted after initial policy load. */ 6792 return -EINVAL; 6793 } 6794 6795 if (selinux_disabled) { 6796 /* Only do this once. */ 6797 return -EINVAL; 6798 } 6799 6800 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 6801 6802 selinux_disabled = 1; 6803 selinux_enabled = 0; 6804 6805 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 6806 6807 /* Try to destroy the avc node cache */ 6808 avc_disable(); 6809 6810 /* Unregister netfilter hooks. */ 6811 selinux_nf_ip_exit(); 6812 6813 /* Unregister selinuxfs. */ 6814 exit_sel_fs(); 6815 6816 return 0; 6817 } 6818 #endif 6819