1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * Copyright (C) 2016 Mellanox Technologies 21 * 22 * This program is free software; you can redistribute it and/or modify 23 * it under the terms of the GNU General Public License version 2, 24 * as published by the Free Software Foundation. 25 */ 26 27 #include <linux/init.h> 28 #include <linux/kd.h> 29 #include <linux/kernel.h> 30 #include <linux/tracehook.h> 31 #include <linux/errno.h> 32 #include <linux/sched/signal.h> 33 #include <linux/sched/task.h> 34 #include <linux/lsm_hooks.h> 35 #include <linux/xattr.h> 36 #include <linux/capability.h> 37 #include <linux/unistd.h> 38 #include <linux/mm.h> 39 #include <linux/mman.h> 40 #include <linux/slab.h> 41 #include <linux/pagemap.h> 42 #include <linux/proc_fs.h> 43 #include <linux/swap.h> 44 #include <linux/spinlock.h> 45 #include <linux/syscalls.h> 46 #include <linux/dcache.h> 47 #include <linux/file.h> 48 #include <linux/fdtable.h> 49 #include <linux/namei.h> 50 #include <linux/mount.h> 51 #include <linux/netfilter_ipv4.h> 52 #include <linux/netfilter_ipv6.h> 53 #include <linux/tty.h> 54 #include <net/icmp.h> 55 #include <net/ip.h> /* for local_port_range[] */ 56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 57 #include <net/inet_connection_sock.h> 58 #include <net/net_namespace.h> 59 #include <net/netlabel.h> 60 #include <linux/uaccess.h> 61 #include <asm/ioctls.h> 62 #include <linux/atomic.h> 63 #include <linux/bitops.h> 64 #include <linux/interrupt.h> 65 #include <linux/netdevice.h> /* for network interface checks */ 66 #include <net/netlink.h> 67 #include <linux/tcp.h> 68 #include <linux/udp.h> 69 #include <linux/dccp.h> 70 #include <linux/sctp.h> 71 #include <net/sctp/structs.h> 72 #include <linux/quota.h> 73 #include <linux/un.h> /* for Unix socket types */ 74 #include <net/af_unix.h> /* for Unix socket types */ 75 #include <linux/parser.h> 76 #include <linux/nfs_mount.h> 77 #include <net/ipv6.h> 78 #include <linux/hugetlb.h> 79 #include <linux/personality.h> 80 #include <linux/audit.h> 81 #include <linux/string.h> 82 #include <linux/selinux.h> 83 #include <linux/mutex.h> 84 #include <linux/posix-timers.h> 85 #include <linux/syslog.h> 86 #include <linux/user_namespace.h> 87 #include <linux/export.h> 88 #include <linux/msg.h> 89 #include <linux/shm.h> 90 #include <linux/bpf.h> 91 #include <uapi/linux/mount.h> 92 93 #include "avc.h" 94 #include "objsec.h" 95 #include "netif.h" 96 #include "netnode.h" 97 #include "netport.h" 98 #include "ibpkey.h" 99 #include "xfrm.h" 100 #include "netlabel.h" 101 #include "audit.h" 102 #include "avc_ss.h" 103 104 struct selinux_state selinux_state; 105 106 /* SECMARK reference count */ 107 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 108 109 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 110 static int selinux_enforcing_boot; 111 112 static int __init enforcing_setup(char *str) 113 { 114 unsigned long enforcing; 115 if (!kstrtoul(str, 0, &enforcing)) 116 selinux_enforcing_boot = enforcing ? 1 : 0; 117 return 1; 118 } 119 __setup("enforcing=", enforcing_setup); 120 #else 121 #define selinux_enforcing_boot 1 122 #endif 123 124 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 125 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 126 127 static int __init selinux_enabled_setup(char *str) 128 { 129 unsigned long enabled; 130 if (!kstrtoul(str, 0, &enabled)) 131 selinux_enabled = enabled ? 1 : 0; 132 return 1; 133 } 134 __setup("selinux=", selinux_enabled_setup); 135 #else 136 int selinux_enabled = 1; 137 #endif 138 139 static unsigned int selinux_checkreqprot_boot = 140 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 141 142 static int __init checkreqprot_setup(char *str) 143 { 144 unsigned long checkreqprot; 145 146 if (!kstrtoul(str, 0, &checkreqprot)) 147 selinux_checkreqprot_boot = checkreqprot ? 1 : 0; 148 return 1; 149 } 150 __setup("checkreqprot=", checkreqprot_setup); 151 152 static struct kmem_cache *sel_inode_cache; 153 static struct kmem_cache *file_security_cache; 154 155 /** 156 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 157 * 158 * Description: 159 * This function checks the SECMARK reference counter to see if any SECMARK 160 * targets are currently configured, if the reference counter is greater than 161 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 162 * enabled, false (0) if SECMARK is disabled. If the always_check_network 163 * policy capability is enabled, SECMARK is always considered enabled. 164 * 165 */ 166 static int selinux_secmark_enabled(void) 167 { 168 return (selinux_policycap_alwaysnetwork() || 169 atomic_read(&selinux_secmark_refcount)); 170 } 171 172 /** 173 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 174 * 175 * Description: 176 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 177 * (1) if any are enabled or false (0) if neither are enabled. If the 178 * always_check_network policy capability is enabled, peer labeling 179 * is always considered enabled. 180 * 181 */ 182 static int selinux_peerlbl_enabled(void) 183 { 184 return (selinux_policycap_alwaysnetwork() || 185 netlbl_enabled() || selinux_xfrm_enabled()); 186 } 187 188 static int selinux_netcache_avc_callback(u32 event) 189 { 190 if (event == AVC_CALLBACK_RESET) { 191 sel_netif_flush(); 192 sel_netnode_flush(); 193 sel_netport_flush(); 194 synchronize_net(); 195 } 196 return 0; 197 } 198 199 static int selinux_lsm_notifier_avc_callback(u32 event) 200 { 201 if (event == AVC_CALLBACK_RESET) { 202 sel_ib_pkey_flush(); 203 call_lsm_notifier(LSM_POLICY_CHANGE, NULL); 204 } 205 206 return 0; 207 } 208 209 /* 210 * initialise the security for the init task 211 */ 212 static void cred_init_security(void) 213 { 214 struct cred *cred = (struct cred *) current->real_cred; 215 struct task_security_struct *tsec; 216 217 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 218 if (!tsec) 219 panic("SELinux: Failed to initialize initial task.\n"); 220 221 tsec->osid = tsec->sid = SECINITSID_KERNEL; 222 cred->security = tsec; 223 } 224 225 /* 226 * get the security ID of a set of credentials 227 */ 228 static inline u32 cred_sid(const struct cred *cred) 229 { 230 const struct task_security_struct *tsec; 231 232 tsec = cred->security; 233 return tsec->sid; 234 } 235 236 /* 237 * get the objective security ID of a task 238 */ 239 static inline u32 task_sid(const struct task_struct *task) 240 { 241 u32 sid; 242 243 rcu_read_lock(); 244 sid = cred_sid(__task_cred(task)); 245 rcu_read_unlock(); 246 return sid; 247 } 248 249 /* Allocate and free functions for each kind of security blob. */ 250 251 static int inode_alloc_security(struct inode *inode) 252 { 253 struct inode_security_struct *isec; 254 u32 sid = current_sid(); 255 256 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 257 if (!isec) 258 return -ENOMEM; 259 260 spin_lock_init(&isec->lock); 261 INIT_LIST_HEAD(&isec->list); 262 isec->inode = inode; 263 isec->sid = SECINITSID_UNLABELED; 264 isec->sclass = SECCLASS_FILE; 265 isec->task_sid = sid; 266 isec->initialized = LABEL_INVALID; 267 inode->i_security = isec; 268 269 return 0; 270 } 271 272 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 273 274 /* 275 * Try reloading inode security labels that have been marked as invalid. The 276 * @may_sleep parameter indicates when sleeping and thus reloading labels is 277 * allowed; when set to false, returns -ECHILD when the label is 278 * invalid. The @dentry parameter should be set to a dentry of the inode. 279 */ 280 static int __inode_security_revalidate(struct inode *inode, 281 struct dentry *dentry, 282 bool may_sleep) 283 { 284 struct inode_security_struct *isec = inode->i_security; 285 286 might_sleep_if(may_sleep); 287 288 if (selinux_state.initialized && 289 isec->initialized != LABEL_INITIALIZED) { 290 if (!may_sleep) 291 return -ECHILD; 292 293 /* 294 * Try reloading the inode security label. This will fail if 295 * @opt_dentry is NULL and no dentry for this inode can be 296 * found; in that case, continue using the old label. 297 */ 298 inode_doinit_with_dentry(inode, dentry); 299 } 300 return 0; 301 } 302 303 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 304 { 305 return inode->i_security; 306 } 307 308 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 309 { 310 int error; 311 312 error = __inode_security_revalidate(inode, NULL, !rcu); 313 if (error) 314 return ERR_PTR(error); 315 return inode->i_security; 316 } 317 318 /* 319 * Get the security label of an inode. 320 */ 321 static struct inode_security_struct *inode_security(struct inode *inode) 322 { 323 __inode_security_revalidate(inode, NULL, true); 324 return inode->i_security; 325 } 326 327 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 328 { 329 struct inode *inode = d_backing_inode(dentry); 330 331 return inode->i_security; 332 } 333 334 /* 335 * Get the security label of a dentry's backing inode. 336 */ 337 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 338 { 339 struct inode *inode = d_backing_inode(dentry); 340 341 __inode_security_revalidate(inode, dentry, true); 342 return inode->i_security; 343 } 344 345 static void inode_free_rcu(struct rcu_head *head) 346 { 347 struct inode_security_struct *isec; 348 349 isec = container_of(head, struct inode_security_struct, rcu); 350 kmem_cache_free(sel_inode_cache, isec); 351 } 352 353 static void inode_free_security(struct inode *inode) 354 { 355 struct inode_security_struct *isec = inode->i_security; 356 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 357 358 /* 359 * As not all inode security structures are in a list, we check for 360 * empty list outside of the lock to make sure that we won't waste 361 * time taking a lock doing nothing. 362 * 363 * The list_del_init() function can be safely called more than once. 364 * It should not be possible for this function to be called with 365 * concurrent list_add(), but for better safety against future changes 366 * in the code, we use list_empty_careful() here. 367 */ 368 if (!list_empty_careful(&isec->list)) { 369 spin_lock(&sbsec->isec_lock); 370 list_del_init(&isec->list); 371 spin_unlock(&sbsec->isec_lock); 372 } 373 374 /* 375 * The inode may still be referenced in a path walk and 376 * a call to selinux_inode_permission() can be made 377 * after inode_free_security() is called. Ideally, the VFS 378 * wouldn't do this, but fixing that is a much harder 379 * job. For now, simply free the i_security via RCU, and 380 * leave the current inode->i_security pointer intact. 381 * The inode will be freed after the RCU grace period too. 382 */ 383 call_rcu(&isec->rcu, inode_free_rcu); 384 } 385 386 static int file_alloc_security(struct file *file) 387 { 388 struct file_security_struct *fsec; 389 u32 sid = current_sid(); 390 391 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); 392 if (!fsec) 393 return -ENOMEM; 394 395 fsec->sid = sid; 396 fsec->fown_sid = sid; 397 file->f_security = fsec; 398 399 return 0; 400 } 401 402 static void file_free_security(struct file *file) 403 { 404 struct file_security_struct *fsec = file->f_security; 405 file->f_security = NULL; 406 kmem_cache_free(file_security_cache, fsec); 407 } 408 409 static int superblock_alloc_security(struct super_block *sb) 410 { 411 struct superblock_security_struct *sbsec; 412 413 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 414 if (!sbsec) 415 return -ENOMEM; 416 417 mutex_init(&sbsec->lock); 418 INIT_LIST_HEAD(&sbsec->isec_head); 419 spin_lock_init(&sbsec->isec_lock); 420 sbsec->sb = sb; 421 sbsec->sid = SECINITSID_UNLABELED; 422 sbsec->def_sid = SECINITSID_FILE; 423 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 424 sb->s_security = sbsec; 425 426 return 0; 427 } 428 429 static void superblock_free_security(struct super_block *sb) 430 { 431 struct superblock_security_struct *sbsec = sb->s_security; 432 sb->s_security = NULL; 433 kfree(sbsec); 434 } 435 436 struct selinux_mnt_opts { 437 const char *fscontext, *context, *rootcontext, *defcontext; 438 }; 439 440 static void selinux_free_mnt_opts(void *mnt_opts) 441 { 442 struct selinux_mnt_opts *opts = mnt_opts; 443 kfree(opts->fscontext); 444 kfree(opts->context); 445 kfree(opts->rootcontext); 446 kfree(opts->defcontext); 447 kfree(opts); 448 } 449 450 static inline int inode_doinit(struct inode *inode) 451 { 452 return inode_doinit_with_dentry(inode, NULL); 453 } 454 455 enum { 456 Opt_error = -1, 457 Opt_context = 1, 458 Opt_fscontext = 2, 459 Opt_defcontext = 3, 460 Opt_rootcontext = 4, 461 Opt_seclabel = 5, 462 }; 463 464 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} 465 static struct { 466 const char *name; 467 int len; 468 int opt; 469 bool has_arg; 470 } tokens[] = { 471 A(context, true), 472 A(fscontext, true), 473 A(defcontext, true), 474 A(rootcontext, true), 475 A(seclabel, false), 476 }; 477 #undef A 478 479 static int match_opt_prefix(char *s, int l, char **arg) 480 { 481 int i; 482 483 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 484 size_t len = tokens[i].len; 485 if (len > l || memcmp(s, tokens[i].name, len)) 486 continue; 487 if (tokens[i].has_arg) { 488 if (len == l || s[len] != '=') 489 continue; 490 *arg = s + len + 1; 491 } else if (len != l) 492 continue; 493 return tokens[i].opt; 494 } 495 return Opt_error; 496 } 497 498 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 499 500 static int may_context_mount_sb_relabel(u32 sid, 501 struct superblock_security_struct *sbsec, 502 const struct cred *cred) 503 { 504 const struct task_security_struct *tsec = cred->security; 505 int rc; 506 507 rc = avc_has_perm(&selinux_state, 508 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 509 FILESYSTEM__RELABELFROM, NULL); 510 if (rc) 511 return rc; 512 513 rc = avc_has_perm(&selinux_state, 514 tsec->sid, sid, SECCLASS_FILESYSTEM, 515 FILESYSTEM__RELABELTO, NULL); 516 return rc; 517 } 518 519 static int may_context_mount_inode_relabel(u32 sid, 520 struct superblock_security_struct *sbsec, 521 const struct cred *cred) 522 { 523 const struct task_security_struct *tsec = cred->security; 524 int rc; 525 rc = avc_has_perm(&selinux_state, 526 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 527 FILESYSTEM__RELABELFROM, NULL); 528 if (rc) 529 return rc; 530 531 rc = avc_has_perm(&selinux_state, 532 sid, sbsec->sid, SECCLASS_FILESYSTEM, 533 FILESYSTEM__ASSOCIATE, NULL); 534 return rc; 535 } 536 537 static int selinux_is_sblabel_mnt(struct super_block *sb) 538 { 539 struct superblock_security_struct *sbsec = sb->s_security; 540 541 return sbsec->behavior == SECURITY_FS_USE_XATTR || 542 sbsec->behavior == SECURITY_FS_USE_TRANS || 543 sbsec->behavior == SECURITY_FS_USE_TASK || 544 sbsec->behavior == SECURITY_FS_USE_NATIVE || 545 /* Special handling. Genfs but also in-core setxattr handler */ 546 !strcmp(sb->s_type->name, "sysfs") || 547 !strcmp(sb->s_type->name, "pstore") || 548 !strcmp(sb->s_type->name, "debugfs") || 549 !strcmp(sb->s_type->name, "tracefs") || 550 !strcmp(sb->s_type->name, "rootfs") || 551 (selinux_policycap_cgroupseclabel() && 552 (!strcmp(sb->s_type->name, "cgroup") || 553 !strcmp(sb->s_type->name, "cgroup2"))); 554 } 555 556 static int sb_finish_set_opts(struct super_block *sb) 557 { 558 struct superblock_security_struct *sbsec = sb->s_security; 559 struct dentry *root = sb->s_root; 560 struct inode *root_inode = d_backing_inode(root); 561 int rc = 0; 562 563 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 564 /* Make sure that the xattr handler exists and that no 565 error other than -ENODATA is returned by getxattr on 566 the root directory. -ENODATA is ok, as this may be 567 the first boot of the SELinux kernel before we have 568 assigned xattr values to the filesystem. */ 569 if (!(root_inode->i_opflags & IOP_XATTR)) { 570 pr_warn("SELinux: (dev %s, type %s) has no " 571 "xattr support\n", sb->s_id, sb->s_type->name); 572 rc = -EOPNOTSUPP; 573 goto out; 574 } 575 576 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 577 if (rc < 0 && rc != -ENODATA) { 578 if (rc == -EOPNOTSUPP) 579 pr_warn("SELinux: (dev %s, type " 580 "%s) has no security xattr handler\n", 581 sb->s_id, sb->s_type->name); 582 else 583 pr_warn("SELinux: (dev %s, type " 584 "%s) getxattr errno %d\n", sb->s_id, 585 sb->s_type->name, -rc); 586 goto out; 587 } 588 } 589 590 sbsec->flags |= SE_SBINITIALIZED; 591 592 /* 593 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 594 * leave the flag untouched because sb_clone_mnt_opts might be handing 595 * us a superblock that needs the flag to be cleared. 596 */ 597 if (selinux_is_sblabel_mnt(sb)) 598 sbsec->flags |= SBLABEL_MNT; 599 else 600 sbsec->flags &= ~SBLABEL_MNT; 601 602 /* Initialize the root inode. */ 603 rc = inode_doinit_with_dentry(root_inode, root); 604 605 /* Initialize any other inodes associated with the superblock, e.g. 606 inodes created prior to initial policy load or inodes created 607 during get_sb by a pseudo filesystem that directly 608 populates itself. */ 609 spin_lock(&sbsec->isec_lock); 610 while (!list_empty(&sbsec->isec_head)) { 611 struct inode_security_struct *isec = 612 list_first_entry(&sbsec->isec_head, 613 struct inode_security_struct, list); 614 struct inode *inode = isec->inode; 615 list_del_init(&isec->list); 616 spin_unlock(&sbsec->isec_lock); 617 inode = igrab(inode); 618 if (inode) { 619 if (!IS_PRIVATE(inode)) 620 inode_doinit(inode); 621 iput(inode); 622 } 623 spin_lock(&sbsec->isec_lock); 624 } 625 spin_unlock(&sbsec->isec_lock); 626 out: 627 return rc; 628 } 629 630 static int bad_option(struct superblock_security_struct *sbsec, char flag, 631 u32 old_sid, u32 new_sid) 632 { 633 char mnt_flags = sbsec->flags & SE_MNTMASK; 634 635 /* check if the old mount command had the same options */ 636 if (sbsec->flags & SE_SBINITIALIZED) 637 if (!(sbsec->flags & flag) || 638 (old_sid != new_sid)) 639 return 1; 640 641 /* check if we were passed the same options twice, 642 * aka someone passed context=a,context=b 643 */ 644 if (!(sbsec->flags & SE_SBINITIALIZED)) 645 if (mnt_flags & flag) 646 return 1; 647 return 0; 648 } 649 650 static int parse_sid(struct super_block *sb, const char *s, u32 *sid) 651 { 652 int rc = security_context_str_to_sid(&selinux_state, s, 653 sid, GFP_KERNEL); 654 if (rc) 655 pr_warn("SELinux: security_context_str_to_sid" 656 "(%s) failed for (dev %s, type %s) errno=%d\n", 657 s, sb->s_id, sb->s_type->name, rc); 658 return rc; 659 } 660 661 /* 662 * Allow filesystems with binary mount data to explicitly set mount point 663 * labeling information. 664 */ 665 static int selinux_set_mnt_opts(struct super_block *sb, 666 void *mnt_opts, 667 unsigned long kern_flags, 668 unsigned long *set_kern_flags) 669 { 670 const struct cred *cred = current_cred(); 671 struct superblock_security_struct *sbsec = sb->s_security; 672 struct dentry *root = sbsec->sb->s_root; 673 struct selinux_mnt_opts *opts = mnt_opts; 674 struct inode_security_struct *root_isec; 675 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 676 u32 defcontext_sid = 0; 677 int rc = 0; 678 679 mutex_lock(&sbsec->lock); 680 681 if (!selinux_state.initialized) { 682 if (!opts) { 683 /* Defer initialization until selinux_complete_init, 684 after the initial policy is loaded and the security 685 server is ready to handle calls. */ 686 goto out; 687 } 688 rc = -EINVAL; 689 pr_warn("SELinux: Unable to set superblock options " 690 "before the security server is initialized\n"); 691 goto out; 692 } 693 if (kern_flags && !set_kern_flags) { 694 /* Specifying internal flags without providing a place to 695 * place the results is not allowed */ 696 rc = -EINVAL; 697 goto out; 698 } 699 700 /* 701 * Binary mount data FS will come through this function twice. Once 702 * from an explicit call and once from the generic calls from the vfs. 703 * Since the generic VFS calls will not contain any security mount data 704 * we need to skip the double mount verification. 705 * 706 * This does open a hole in which we will not notice if the first 707 * mount using this sb set explict options and a second mount using 708 * this sb does not set any security options. (The first options 709 * will be used for both mounts) 710 */ 711 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 712 && !opts) 713 goto out; 714 715 root_isec = backing_inode_security_novalidate(root); 716 717 /* 718 * parse the mount options, check if they are valid sids. 719 * also check if someone is trying to mount the same sb more 720 * than once with different security options. 721 */ 722 if (opts) { 723 if (opts->fscontext) { 724 rc = parse_sid(sb, opts->fscontext, &fscontext_sid); 725 if (rc) 726 goto out; 727 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 728 fscontext_sid)) 729 goto out_double_mount; 730 sbsec->flags |= FSCONTEXT_MNT; 731 } 732 if (opts->context) { 733 rc = parse_sid(sb, opts->context, &context_sid); 734 if (rc) 735 goto out; 736 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 737 context_sid)) 738 goto out_double_mount; 739 sbsec->flags |= CONTEXT_MNT; 740 } 741 if (opts->rootcontext) { 742 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid); 743 if (rc) 744 goto out; 745 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 746 rootcontext_sid)) 747 goto out_double_mount; 748 sbsec->flags |= ROOTCONTEXT_MNT; 749 } 750 if (opts->defcontext) { 751 rc = parse_sid(sb, opts->defcontext, &defcontext_sid); 752 if (rc) 753 goto out; 754 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 755 defcontext_sid)) 756 goto out_double_mount; 757 sbsec->flags |= DEFCONTEXT_MNT; 758 } 759 } 760 761 if (sbsec->flags & SE_SBINITIALIZED) { 762 /* previously mounted with options, but not on this attempt? */ 763 if ((sbsec->flags & SE_MNTMASK) && !opts) 764 goto out_double_mount; 765 rc = 0; 766 goto out; 767 } 768 769 if (strcmp(sb->s_type->name, "proc") == 0) 770 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 771 772 if (!strcmp(sb->s_type->name, "debugfs") || 773 !strcmp(sb->s_type->name, "tracefs") || 774 !strcmp(sb->s_type->name, "sysfs") || 775 !strcmp(sb->s_type->name, "pstore") || 776 !strcmp(sb->s_type->name, "cgroup") || 777 !strcmp(sb->s_type->name, "cgroup2")) 778 sbsec->flags |= SE_SBGENFS; 779 780 if (!sbsec->behavior) { 781 /* 782 * Determine the labeling behavior to use for this 783 * filesystem type. 784 */ 785 rc = security_fs_use(&selinux_state, sb); 786 if (rc) { 787 pr_warn("%s: security_fs_use(%s) returned %d\n", 788 __func__, sb->s_type->name, rc); 789 goto out; 790 } 791 } 792 793 /* 794 * If this is a user namespace mount and the filesystem type is not 795 * explicitly whitelisted, then no contexts are allowed on the command 796 * line and security labels must be ignored. 797 */ 798 if (sb->s_user_ns != &init_user_ns && 799 strcmp(sb->s_type->name, "tmpfs") && 800 strcmp(sb->s_type->name, "ramfs") && 801 strcmp(sb->s_type->name, "devpts")) { 802 if (context_sid || fscontext_sid || rootcontext_sid || 803 defcontext_sid) { 804 rc = -EACCES; 805 goto out; 806 } 807 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 808 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 809 rc = security_transition_sid(&selinux_state, 810 current_sid(), 811 current_sid(), 812 SECCLASS_FILE, NULL, 813 &sbsec->mntpoint_sid); 814 if (rc) 815 goto out; 816 } 817 goto out_set_opts; 818 } 819 820 /* sets the context of the superblock for the fs being mounted. */ 821 if (fscontext_sid) { 822 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 823 if (rc) 824 goto out; 825 826 sbsec->sid = fscontext_sid; 827 } 828 829 /* 830 * Switch to using mount point labeling behavior. 831 * sets the label used on all file below the mountpoint, and will set 832 * the superblock context if not already set. 833 */ 834 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 835 sbsec->behavior = SECURITY_FS_USE_NATIVE; 836 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 837 } 838 839 if (context_sid) { 840 if (!fscontext_sid) { 841 rc = may_context_mount_sb_relabel(context_sid, sbsec, 842 cred); 843 if (rc) 844 goto out; 845 sbsec->sid = context_sid; 846 } else { 847 rc = may_context_mount_inode_relabel(context_sid, sbsec, 848 cred); 849 if (rc) 850 goto out; 851 } 852 if (!rootcontext_sid) 853 rootcontext_sid = context_sid; 854 855 sbsec->mntpoint_sid = context_sid; 856 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 857 } 858 859 if (rootcontext_sid) { 860 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 861 cred); 862 if (rc) 863 goto out; 864 865 root_isec->sid = rootcontext_sid; 866 root_isec->initialized = LABEL_INITIALIZED; 867 } 868 869 if (defcontext_sid) { 870 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 871 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 872 rc = -EINVAL; 873 pr_warn("SELinux: defcontext option is " 874 "invalid for this filesystem type\n"); 875 goto out; 876 } 877 878 if (defcontext_sid != sbsec->def_sid) { 879 rc = may_context_mount_inode_relabel(defcontext_sid, 880 sbsec, cred); 881 if (rc) 882 goto out; 883 } 884 885 sbsec->def_sid = defcontext_sid; 886 } 887 888 out_set_opts: 889 rc = sb_finish_set_opts(sb); 890 out: 891 mutex_unlock(&sbsec->lock); 892 return rc; 893 out_double_mount: 894 rc = -EINVAL; 895 pr_warn("SELinux: mount invalid. Same superblock, different " 896 "security settings for (dev %s, type %s)\n", sb->s_id, 897 sb->s_type->name); 898 goto out; 899 } 900 901 static int selinux_cmp_sb_context(const struct super_block *oldsb, 902 const struct super_block *newsb) 903 { 904 struct superblock_security_struct *old = oldsb->s_security; 905 struct superblock_security_struct *new = newsb->s_security; 906 char oldflags = old->flags & SE_MNTMASK; 907 char newflags = new->flags & SE_MNTMASK; 908 909 if (oldflags != newflags) 910 goto mismatch; 911 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 912 goto mismatch; 913 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 914 goto mismatch; 915 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 916 goto mismatch; 917 if (oldflags & ROOTCONTEXT_MNT) { 918 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 919 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 920 if (oldroot->sid != newroot->sid) 921 goto mismatch; 922 } 923 return 0; 924 mismatch: 925 pr_warn("SELinux: mount invalid. Same superblock, " 926 "different security settings for (dev %s, " 927 "type %s)\n", newsb->s_id, newsb->s_type->name); 928 return -EBUSY; 929 } 930 931 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 932 struct super_block *newsb, 933 unsigned long kern_flags, 934 unsigned long *set_kern_flags) 935 { 936 int rc = 0; 937 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 938 struct superblock_security_struct *newsbsec = newsb->s_security; 939 940 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 941 int set_context = (oldsbsec->flags & CONTEXT_MNT); 942 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 943 944 /* 945 * if the parent was able to be mounted it clearly had no special lsm 946 * mount options. thus we can safely deal with this superblock later 947 */ 948 if (!selinux_state.initialized) 949 return 0; 950 951 /* 952 * Specifying internal flags without providing a place to 953 * place the results is not allowed. 954 */ 955 if (kern_flags && !set_kern_flags) 956 return -EINVAL; 957 958 /* how can we clone if the old one wasn't set up?? */ 959 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 960 961 /* if fs is reusing a sb, make sure that the contexts match */ 962 if (newsbsec->flags & SE_SBINITIALIZED) 963 return selinux_cmp_sb_context(oldsb, newsb); 964 965 mutex_lock(&newsbsec->lock); 966 967 newsbsec->flags = oldsbsec->flags; 968 969 newsbsec->sid = oldsbsec->sid; 970 newsbsec->def_sid = oldsbsec->def_sid; 971 newsbsec->behavior = oldsbsec->behavior; 972 973 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 974 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 975 rc = security_fs_use(&selinux_state, newsb); 976 if (rc) 977 goto out; 978 } 979 980 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 981 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 982 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 983 } 984 985 if (set_context) { 986 u32 sid = oldsbsec->mntpoint_sid; 987 988 if (!set_fscontext) 989 newsbsec->sid = sid; 990 if (!set_rootcontext) { 991 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 992 newisec->sid = sid; 993 } 994 newsbsec->mntpoint_sid = sid; 995 } 996 if (set_rootcontext) { 997 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 998 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 999 1000 newisec->sid = oldisec->sid; 1001 } 1002 1003 sb_finish_set_opts(newsb); 1004 out: 1005 mutex_unlock(&newsbsec->lock); 1006 return rc; 1007 } 1008 1009 static int selinux_add_opt(int token, const char *s, void **mnt_opts) 1010 { 1011 struct selinux_mnt_opts *opts = *mnt_opts; 1012 1013 if (token == Opt_seclabel) /* eaten and completely ignored */ 1014 return 0; 1015 1016 if (!opts) { 1017 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL); 1018 if (!opts) 1019 return -ENOMEM; 1020 *mnt_opts = opts; 1021 } 1022 if (!s) 1023 return -ENOMEM; 1024 switch (token) { 1025 case Opt_context: 1026 if (opts->context || opts->defcontext) 1027 goto Einval; 1028 opts->context = s; 1029 break; 1030 case Opt_fscontext: 1031 if (opts->fscontext) 1032 goto Einval; 1033 opts->fscontext = s; 1034 break; 1035 case Opt_rootcontext: 1036 if (opts->rootcontext) 1037 goto Einval; 1038 opts->rootcontext = s; 1039 break; 1040 case Opt_defcontext: 1041 if (opts->context || opts->defcontext) 1042 goto Einval; 1043 opts->defcontext = s; 1044 break; 1045 } 1046 return 0; 1047 Einval: 1048 pr_warn(SEL_MOUNT_FAIL_MSG); 1049 return -EINVAL; 1050 } 1051 1052 static int selinux_parse_opts_str(char *options, 1053 void **mnt_opts) 1054 { 1055 char *p = options, *next; 1056 int rc; 1057 1058 /* Standard string-based options. */ 1059 for (p = options; *p; p = next) { 1060 int token, len; 1061 char *arg = NULL; 1062 1063 next = strchr(p, '|'); 1064 if (next) { 1065 len = next++ - p; 1066 } else { 1067 len = strlen(p); 1068 next = p + len; 1069 } 1070 1071 if (!len) 1072 continue; 1073 1074 token = match_opt_prefix(p, len, &arg); 1075 if (arg) 1076 arg = kmemdup_nul(arg, p + len - arg, GFP_KERNEL); 1077 rc = selinux_add_opt(token, arg, mnt_opts); 1078 if (rc) { 1079 kfree(arg); 1080 selinux_free_mnt_opts(*mnt_opts); 1081 *mnt_opts = NULL; 1082 return rc; 1083 } 1084 } 1085 return 0; 1086 } 1087 1088 static int show_sid(struct seq_file *m, u32 sid) 1089 { 1090 char *context = NULL; 1091 u32 len; 1092 int rc; 1093 1094 rc = security_sid_to_context(&selinux_state, sid, 1095 &context, &len); 1096 if (!rc) { 1097 bool has_comma = context && strchr(context, ','); 1098 1099 if (has_comma) 1100 seq_putc(m, '\"'); 1101 seq_escape(m, context, "\"\n\\"); 1102 if (has_comma) 1103 seq_putc(m, '\"'); 1104 } 1105 kfree(context); 1106 return rc; 1107 } 1108 1109 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1110 { 1111 struct superblock_security_struct *sbsec = sb->s_security; 1112 int rc; 1113 1114 if (!(sbsec->flags & SE_SBINITIALIZED)) 1115 return 0; 1116 1117 if (!selinux_state.initialized) 1118 return 0; 1119 1120 if (sbsec->flags & FSCONTEXT_MNT) { 1121 seq_putc(m, ','); 1122 seq_puts(m, FSCONTEXT_STR); 1123 rc = show_sid(m, sbsec->sid); 1124 if (rc) 1125 return rc; 1126 } 1127 if (sbsec->flags & CONTEXT_MNT) { 1128 seq_putc(m, ','); 1129 seq_puts(m, CONTEXT_STR); 1130 rc = show_sid(m, sbsec->mntpoint_sid); 1131 if (rc) 1132 return rc; 1133 } 1134 if (sbsec->flags & DEFCONTEXT_MNT) { 1135 seq_putc(m, ','); 1136 seq_puts(m, DEFCONTEXT_STR); 1137 rc = show_sid(m, sbsec->def_sid); 1138 if (rc) 1139 return rc; 1140 } 1141 if (sbsec->flags & ROOTCONTEXT_MNT) { 1142 struct dentry *root = sbsec->sb->s_root; 1143 struct inode_security_struct *isec = backing_inode_security(root); 1144 seq_putc(m, ','); 1145 seq_puts(m, ROOTCONTEXT_STR); 1146 rc = show_sid(m, isec->sid); 1147 if (rc) 1148 return rc; 1149 } 1150 if (sbsec->flags & SBLABEL_MNT) { 1151 seq_putc(m, ','); 1152 seq_puts(m, LABELSUPP_STR); 1153 } 1154 return 0; 1155 } 1156 1157 static inline u16 inode_mode_to_security_class(umode_t mode) 1158 { 1159 switch (mode & S_IFMT) { 1160 case S_IFSOCK: 1161 return SECCLASS_SOCK_FILE; 1162 case S_IFLNK: 1163 return SECCLASS_LNK_FILE; 1164 case S_IFREG: 1165 return SECCLASS_FILE; 1166 case S_IFBLK: 1167 return SECCLASS_BLK_FILE; 1168 case S_IFDIR: 1169 return SECCLASS_DIR; 1170 case S_IFCHR: 1171 return SECCLASS_CHR_FILE; 1172 case S_IFIFO: 1173 return SECCLASS_FIFO_FILE; 1174 1175 } 1176 1177 return SECCLASS_FILE; 1178 } 1179 1180 static inline int default_protocol_stream(int protocol) 1181 { 1182 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1183 } 1184 1185 static inline int default_protocol_dgram(int protocol) 1186 { 1187 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1188 } 1189 1190 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1191 { 1192 int extsockclass = selinux_policycap_extsockclass(); 1193 1194 switch (family) { 1195 case PF_UNIX: 1196 switch (type) { 1197 case SOCK_STREAM: 1198 case SOCK_SEQPACKET: 1199 return SECCLASS_UNIX_STREAM_SOCKET; 1200 case SOCK_DGRAM: 1201 case SOCK_RAW: 1202 return SECCLASS_UNIX_DGRAM_SOCKET; 1203 } 1204 break; 1205 case PF_INET: 1206 case PF_INET6: 1207 switch (type) { 1208 case SOCK_STREAM: 1209 case SOCK_SEQPACKET: 1210 if (default_protocol_stream(protocol)) 1211 return SECCLASS_TCP_SOCKET; 1212 else if (extsockclass && protocol == IPPROTO_SCTP) 1213 return SECCLASS_SCTP_SOCKET; 1214 else 1215 return SECCLASS_RAWIP_SOCKET; 1216 case SOCK_DGRAM: 1217 if (default_protocol_dgram(protocol)) 1218 return SECCLASS_UDP_SOCKET; 1219 else if (extsockclass && (protocol == IPPROTO_ICMP || 1220 protocol == IPPROTO_ICMPV6)) 1221 return SECCLASS_ICMP_SOCKET; 1222 else 1223 return SECCLASS_RAWIP_SOCKET; 1224 case SOCK_DCCP: 1225 return SECCLASS_DCCP_SOCKET; 1226 default: 1227 return SECCLASS_RAWIP_SOCKET; 1228 } 1229 break; 1230 case PF_NETLINK: 1231 switch (protocol) { 1232 case NETLINK_ROUTE: 1233 return SECCLASS_NETLINK_ROUTE_SOCKET; 1234 case NETLINK_SOCK_DIAG: 1235 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1236 case NETLINK_NFLOG: 1237 return SECCLASS_NETLINK_NFLOG_SOCKET; 1238 case NETLINK_XFRM: 1239 return SECCLASS_NETLINK_XFRM_SOCKET; 1240 case NETLINK_SELINUX: 1241 return SECCLASS_NETLINK_SELINUX_SOCKET; 1242 case NETLINK_ISCSI: 1243 return SECCLASS_NETLINK_ISCSI_SOCKET; 1244 case NETLINK_AUDIT: 1245 return SECCLASS_NETLINK_AUDIT_SOCKET; 1246 case NETLINK_FIB_LOOKUP: 1247 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1248 case NETLINK_CONNECTOR: 1249 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1250 case NETLINK_NETFILTER: 1251 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1252 case NETLINK_DNRTMSG: 1253 return SECCLASS_NETLINK_DNRT_SOCKET; 1254 case NETLINK_KOBJECT_UEVENT: 1255 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1256 case NETLINK_GENERIC: 1257 return SECCLASS_NETLINK_GENERIC_SOCKET; 1258 case NETLINK_SCSITRANSPORT: 1259 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1260 case NETLINK_RDMA: 1261 return SECCLASS_NETLINK_RDMA_SOCKET; 1262 case NETLINK_CRYPTO: 1263 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1264 default: 1265 return SECCLASS_NETLINK_SOCKET; 1266 } 1267 case PF_PACKET: 1268 return SECCLASS_PACKET_SOCKET; 1269 case PF_KEY: 1270 return SECCLASS_KEY_SOCKET; 1271 case PF_APPLETALK: 1272 return SECCLASS_APPLETALK_SOCKET; 1273 } 1274 1275 if (extsockclass) { 1276 switch (family) { 1277 case PF_AX25: 1278 return SECCLASS_AX25_SOCKET; 1279 case PF_IPX: 1280 return SECCLASS_IPX_SOCKET; 1281 case PF_NETROM: 1282 return SECCLASS_NETROM_SOCKET; 1283 case PF_ATMPVC: 1284 return SECCLASS_ATMPVC_SOCKET; 1285 case PF_X25: 1286 return SECCLASS_X25_SOCKET; 1287 case PF_ROSE: 1288 return SECCLASS_ROSE_SOCKET; 1289 case PF_DECnet: 1290 return SECCLASS_DECNET_SOCKET; 1291 case PF_ATMSVC: 1292 return SECCLASS_ATMSVC_SOCKET; 1293 case PF_RDS: 1294 return SECCLASS_RDS_SOCKET; 1295 case PF_IRDA: 1296 return SECCLASS_IRDA_SOCKET; 1297 case PF_PPPOX: 1298 return SECCLASS_PPPOX_SOCKET; 1299 case PF_LLC: 1300 return SECCLASS_LLC_SOCKET; 1301 case PF_CAN: 1302 return SECCLASS_CAN_SOCKET; 1303 case PF_TIPC: 1304 return SECCLASS_TIPC_SOCKET; 1305 case PF_BLUETOOTH: 1306 return SECCLASS_BLUETOOTH_SOCKET; 1307 case PF_IUCV: 1308 return SECCLASS_IUCV_SOCKET; 1309 case PF_RXRPC: 1310 return SECCLASS_RXRPC_SOCKET; 1311 case PF_ISDN: 1312 return SECCLASS_ISDN_SOCKET; 1313 case PF_PHONET: 1314 return SECCLASS_PHONET_SOCKET; 1315 case PF_IEEE802154: 1316 return SECCLASS_IEEE802154_SOCKET; 1317 case PF_CAIF: 1318 return SECCLASS_CAIF_SOCKET; 1319 case PF_ALG: 1320 return SECCLASS_ALG_SOCKET; 1321 case PF_NFC: 1322 return SECCLASS_NFC_SOCKET; 1323 case PF_VSOCK: 1324 return SECCLASS_VSOCK_SOCKET; 1325 case PF_KCM: 1326 return SECCLASS_KCM_SOCKET; 1327 case PF_QIPCRTR: 1328 return SECCLASS_QIPCRTR_SOCKET; 1329 case PF_SMC: 1330 return SECCLASS_SMC_SOCKET; 1331 case PF_XDP: 1332 return SECCLASS_XDP_SOCKET; 1333 #if PF_MAX > 45 1334 #error New address family defined, please update this function. 1335 #endif 1336 } 1337 } 1338 1339 return SECCLASS_SOCKET; 1340 } 1341 1342 static int selinux_genfs_get_sid(struct dentry *dentry, 1343 u16 tclass, 1344 u16 flags, 1345 u32 *sid) 1346 { 1347 int rc; 1348 struct super_block *sb = dentry->d_sb; 1349 char *buffer, *path; 1350 1351 buffer = (char *)__get_free_page(GFP_KERNEL); 1352 if (!buffer) 1353 return -ENOMEM; 1354 1355 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1356 if (IS_ERR(path)) 1357 rc = PTR_ERR(path); 1358 else { 1359 if (flags & SE_SBPROC) { 1360 /* each process gets a /proc/PID/ entry. Strip off the 1361 * PID part to get a valid selinux labeling. 1362 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1363 while (path[1] >= '0' && path[1] <= '9') { 1364 path[1] = '/'; 1365 path++; 1366 } 1367 } 1368 rc = security_genfs_sid(&selinux_state, sb->s_type->name, 1369 path, tclass, sid); 1370 if (rc == -ENOENT) { 1371 /* No match in policy, mark as unlabeled. */ 1372 *sid = SECINITSID_UNLABELED; 1373 rc = 0; 1374 } 1375 } 1376 free_page((unsigned long)buffer); 1377 return rc; 1378 } 1379 1380 /* The inode's security attributes must be initialized before first use. */ 1381 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1382 { 1383 struct superblock_security_struct *sbsec = NULL; 1384 struct inode_security_struct *isec = inode->i_security; 1385 u32 task_sid, sid = 0; 1386 u16 sclass; 1387 struct dentry *dentry; 1388 #define INITCONTEXTLEN 255 1389 char *context = NULL; 1390 unsigned len = 0; 1391 int rc = 0; 1392 1393 if (isec->initialized == LABEL_INITIALIZED) 1394 return 0; 1395 1396 spin_lock(&isec->lock); 1397 if (isec->initialized == LABEL_INITIALIZED) 1398 goto out_unlock; 1399 1400 if (isec->sclass == SECCLASS_FILE) 1401 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1402 1403 sbsec = inode->i_sb->s_security; 1404 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1405 /* Defer initialization until selinux_complete_init, 1406 after the initial policy is loaded and the security 1407 server is ready to handle calls. */ 1408 spin_lock(&sbsec->isec_lock); 1409 if (list_empty(&isec->list)) 1410 list_add(&isec->list, &sbsec->isec_head); 1411 spin_unlock(&sbsec->isec_lock); 1412 goto out_unlock; 1413 } 1414 1415 sclass = isec->sclass; 1416 task_sid = isec->task_sid; 1417 sid = isec->sid; 1418 isec->initialized = LABEL_PENDING; 1419 spin_unlock(&isec->lock); 1420 1421 switch (sbsec->behavior) { 1422 case SECURITY_FS_USE_NATIVE: 1423 break; 1424 case SECURITY_FS_USE_XATTR: 1425 if (!(inode->i_opflags & IOP_XATTR)) { 1426 sid = sbsec->def_sid; 1427 break; 1428 } 1429 /* Need a dentry, since the xattr API requires one. 1430 Life would be simpler if we could just pass the inode. */ 1431 if (opt_dentry) { 1432 /* Called from d_instantiate or d_splice_alias. */ 1433 dentry = dget(opt_dentry); 1434 } else { 1435 /* 1436 * Called from selinux_complete_init, try to find a dentry. 1437 * Some filesystems really want a connected one, so try 1438 * that first. We could split SECURITY_FS_USE_XATTR in 1439 * two, depending upon that... 1440 */ 1441 dentry = d_find_alias(inode); 1442 if (!dentry) 1443 dentry = d_find_any_alias(inode); 1444 } 1445 if (!dentry) { 1446 /* 1447 * this is can be hit on boot when a file is accessed 1448 * before the policy is loaded. When we load policy we 1449 * may find inodes that have no dentry on the 1450 * sbsec->isec_head list. No reason to complain as these 1451 * will get fixed up the next time we go through 1452 * inode_doinit with a dentry, before these inodes could 1453 * be used again by userspace. 1454 */ 1455 goto out; 1456 } 1457 1458 len = INITCONTEXTLEN; 1459 context = kmalloc(len+1, GFP_NOFS); 1460 if (!context) { 1461 rc = -ENOMEM; 1462 dput(dentry); 1463 goto out; 1464 } 1465 context[len] = '\0'; 1466 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1467 if (rc == -ERANGE) { 1468 kfree(context); 1469 1470 /* Need a larger buffer. Query for the right size. */ 1471 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1472 if (rc < 0) { 1473 dput(dentry); 1474 goto out; 1475 } 1476 len = rc; 1477 context = kmalloc(len+1, GFP_NOFS); 1478 if (!context) { 1479 rc = -ENOMEM; 1480 dput(dentry); 1481 goto out; 1482 } 1483 context[len] = '\0'; 1484 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1485 } 1486 dput(dentry); 1487 if (rc < 0) { 1488 if (rc != -ENODATA) { 1489 pr_warn("SELinux: %s: getxattr returned " 1490 "%d for dev=%s ino=%ld\n", __func__, 1491 -rc, inode->i_sb->s_id, inode->i_ino); 1492 kfree(context); 1493 goto out; 1494 } 1495 /* Map ENODATA to the default file SID */ 1496 sid = sbsec->def_sid; 1497 rc = 0; 1498 } else { 1499 rc = security_context_to_sid_default(&selinux_state, 1500 context, rc, &sid, 1501 sbsec->def_sid, 1502 GFP_NOFS); 1503 if (rc) { 1504 char *dev = inode->i_sb->s_id; 1505 unsigned long ino = inode->i_ino; 1506 1507 if (rc == -EINVAL) { 1508 if (printk_ratelimit()) 1509 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid " 1510 "context=%s. This indicates you may need to relabel the inode or the " 1511 "filesystem in question.\n", ino, dev, context); 1512 } else { 1513 pr_warn("SELinux: %s: context_to_sid(%s) " 1514 "returned %d for dev=%s ino=%ld\n", 1515 __func__, context, -rc, dev, ino); 1516 } 1517 kfree(context); 1518 /* Leave with the unlabeled SID */ 1519 rc = 0; 1520 break; 1521 } 1522 } 1523 kfree(context); 1524 break; 1525 case SECURITY_FS_USE_TASK: 1526 sid = task_sid; 1527 break; 1528 case SECURITY_FS_USE_TRANS: 1529 /* Default to the fs SID. */ 1530 sid = sbsec->sid; 1531 1532 /* Try to obtain a transition SID. */ 1533 rc = security_transition_sid(&selinux_state, task_sid, sid, 1534 sclass, NULL, &sid); 1535 if (rc) 1536 goto out; 1537 break; 1538 case SECURITY_FS_USE_MNTPOINT: 1539 sid = sbsec->mntpoint_sid; 1540 break; 1541 default: 1542 /* Default to the fs superblock SID. */ 1543 sid = sbsec->sid; 1544 1545 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { 1546 /* We must have a dentry to determine the label on 1547 * procfs inodes */ 1548 if (opt_dentry) { 1549 /* Called from d_instantiate or 1550 * d_splice_alias. */ 1551 dentry = dget(opt_dentry); 1552 } else { 1553 /* Called from selinux_complete_init, try to 1554 * find a dentry. Some filesystems really want 1555 * a connected one, so try that first. 1556 */ 1557 dentry = d_find_alias(inode); 1558 if (!dentry) 1559 dentry = d_find_any_alias(inode); 1560 } 1561 /* 1562 * This can be hit on boot when a file is accessed 1563 * before the policy is loaded. When we load policy we 1564 * may find inodes that have no dentry on the 1565 * sbsec->isec_head list. No reason to complain as 1566 * these will get fixed up the next time we go through 1567 * inode_doinit() with a dentry, before these inodes 1568 * could be used again by userspace. 1569 */ 1570 if (!dentry) 1571 goto out; 1572 rc = selinux_genfs_get_sid(dentry, sclass, 1573 sbsec->flags, &sid); 1574 dput(dentry); 1575 if (rc) 1576 goto out; 1577 } 1578 break; 1579 } 1580 1581 out: 1582 spin_lock(&isec->lock); 1583 if (isec->initialized == LABEL_PENDING) { 1584 if (!sid || rc) { 1585 isec->initialized = LABEL_INVALID; 1586 goto out_unlock; 1587 } 1588 1589 isec->initialized = LABEL_INITIALIZED; 1590 isec->sid = sid; 1591 } 1592 1593 out_unlock: 1594 spin_unlock(&isec->lock); 1595 return rc; 1596 } 1597 1598 /* Convert a Linux signal to an access vector. */ 1599 static inline u32 signal_to_av(int sig) 1600 { 1601 u32 perm = 0; 1602 1603 switch (sig) { 1604 case SIGCHLD: 1605 /* Commonly granted from child to parent. */ 1606 perm = PROCESS__SIGCHLD; 1607 break; 1608 case SIGKILL: 1609 /* Cannot be caught or ignored */ 1610 perm = PROCESS__SIGKILL; 1611 break; 1612 case SIGSTOP: 1613 /* Cannot be caught or ignored */ 1614 perm = PROCESS__SIGSTOP; 1615 break; 1616 default: 1617 /* All other signals. */ 1618 perm = PROCESS__SIGNAL; 1619 break; 1620 } 1621 1622 return perm; 1623 } 1624 1625 #if CAP_LAST_CAP > 63 1626 #error Fix SELinux to handle capabilities > 63. 1627 #endif 1628 1629 /* Check whether a task is allowed to use a capability. */ 1630 static int cred_has_capability(const struct cred *cred, 1631 int cap, int audit, bool initns) 1632 { 1633 struct common_audit_data ad; 1634 struct av_decision avd; 1635 u16 sclass; 1636 u32 sid = cred_sid(cred); 1637 u32 av = CAP_TO_MASK(cap); 1638 int rc; 1639 1640 ad.type = LSM_AUDIT_DATA_CAP; 1641 ad.u.cap = cap; 1642 1643 switch (CAP_TO_INDEX(cap)) { 1644 case 0: 1645 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1646 break; 1647 case 1: 1648 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1649 break; 1650 default: 1651 pr_err("SELinux: out of range capability %d\n", cap); 1652 BUG(); 1653 return -EINVAL; 1654 } 1655 1656 rc = avc_has_perm_noaudit(&selinux_state, 1657 sid, sid, sclass, av, 0, &avd); 1658 if (audit == SECURITY_CAP_AUDIT) { 1659 int rc2 = avc_audit(&selinux_state, 1660 sid, sid, sclass, av, &avd, rc, &ad, 0); 1661 if (rc2) 1662 return rc2; 1663 } 1664 return rc; 1665 } 1666 1667 /* Check whether a task has a particular permission to an inode. 1668 The 'adp' parameter is optional and allows other audit 1669 data to be passed (e.g. the dentry). */ 1670 static int inode_has_perm(const struct cred *cred, 1671 struct inode *inode, 1672 u32 perms, 1673 struct common_audit_data *adp) 1674 { 1675 struct inode_security_struct *isec; 1676 u32 sid; 1677 1678 validate_creds(cred); 1679 1680 if (unlikely(IS_PRIVATE(inode))) 1681 return 0; 1682 1683 sid = cred_sid(cred); 1684 isec = inode->i_security; 1685 1686 return avc_has_perm(&selinux_state, 1687 sid, isec->sid, isec->sclass, perms, adp); 1688 } 1689 1690 /* Same as inode_has_perm, but pass explicit audit data containing 1691 the dentry to help the auditing code to more easily generate the 1692 pathname if needed. */ 1693 static inline int dentry_has_perm(const struct cred *cred, 1694 struct dentry *dentry, 1695 u32 av) 1696 { 1697 struct inode *inode = d_backing_inode(dentry); 1698 struct common_audit_data ad; 1699 1700 ad.type = LSM_AUDIT_DATA_DENTRY; 1701 ad.u.dentry = dentry; 1702 __inode_security_revalidate(inode, dentry, true); 1703 return inode_has_perm(cred, inode, av, &ad); 1704 } 1705 1706 /* Same as inode_has_perm, but pass explicit audit data containing 1707 the path to help the auditing code to more easily generate the 1708 pathname if needed. */ 1709 static inline int path_has_perm(const struct cred *cred, 1710 const struct path *path, 1711 u32 av) 1712 { 1713 struct inode *inode = d_backing_inode(path->dentry); 1714 struct common_audit_data ad; 1715 1716 ad.type = LSM_AUDIT_DATA_PATH; 1717 ad.u.path = *path; 1718 __inode_security_revalidate(inode, path->dentry, true); 1719 return inode_has_perm(cred, inode, av, &ad); 1720 } 1721 1722 /* Same as path_has_perm, but uses the inode from the file struct. */ 1723 static inline int file_path_has_perm(const struct cred *cred, 1724 struct file *file, 1725 u32 av) 1726 { 1727 struct common_audit_data ad; 1728 1729 ad.type = LSM_AUDIT_DATA_FILE; 1730 ad.u.file = file; 1731 return inode_has_perm(cred, file_inode(file), av, &ad); 1732 } 1733 1734 #ifdef CONFIG_BPF_SYSCALL 1735 static int bpf_fd_pass(struct file *file, u32 sid); 1736 #endif 1737 1738 /* Check whether a task can use an open file descriptor to 1739 access an inode in a given way. Check access to the 1740 descriptor itself, and then use dentry_has_perm to 1741 check a particular permission to the file. 1742 Access to the descriptor is implicitly granted if it 1743 has the same SID as the process. If av is zero, then 1744 access to the file is not checked, e.g. for cases 1745 where only the descriptor is affected like seek. */ 1746 static int file_has_perm(const struct cred *cred, 1747 struct file *file, 1748 u32 av) 1749 { 1750 struct file_security_struct *fsec = file->f_security; 1751 struct inode *inode = file_inode(file); 1752 struct common_audit_data ad; 1753 u32 sid = cred_sid(cred); 1754 int rc; 1755 1756 ad.type = LSM_AUDIT_DATA_FILE; 1757 ad.u.file = file; 1758 1759 if (sid != fsec->sid) { 1760 rc = avc_has_perm(&selinux_state, 1761 sid, fsec->sid, 1762 SECCLASS_FD, 1763 FD__USE, 1764 &ad); 1765 if (rc) 1766 goto out; 1767 } 1768 1769 #ifdef CONFIG_BPF_SYSCALL 1770 rc = bpf_fd_pass(file, cred_sid(cred)); 1771 if (rc) 1772 return rc; 1773 #endif 1774 1775 /* av is zero if only checking access to the descriptor. */ 1776 rc = 0; 1777 if (av) 1778 rc = inode_has_perm(cred, inode, av, &ad); 1779 1780 out: 1781 return rc; 1782 } 1783 1784 /* 1785 * Determine the label for an inode that might be unioned. 1786 */ 1787 static int 1788 selinux_determine_inode_label(const struct task_security_struct *tsec, 1789 struct inode *dir, 1790 const struct qstr *name, u16 tclass, 1791 u32 *_new_isid) 1792 { 1793 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1794 1795 if ((sbsec->flags & SE_SBINITIALIZED) && 1796 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1797 *_new_isid = sbsec->mntpoint_sid; 1798 } else if ((sbsec->flags & SBLABEL_MNT) && 1799 tsec->create_sid) { 1800 *_new_isid = tsec->create_sid; 1801 } else { 1802 const struct inode_security_struct *dsec = inode_security(dir); 1803 return security_transition_sid(&selinux_state, tsec->sid, 1804 dsec->sid, tclass, 1805 name, _new_isid); 1806 } 1807 1808 return 0; 1809 } 1810 1811 /* Check whether a task can create a file. */ 1812 static int may_create(struct inode *dir, 1813 struct dentry *dentry, 1814 u16 tclass) 1815 { 1816 const struct task_security_struct *tsec = current_security(); 1817 struct inode_security_struct *dsec; 1818 struct superblock_security_struct *sbsec; 1819 u32 sid, newsid; 1820 struct common_audit_data ad; 1821 int rc; 1822 1823 dsec = inode_security(dir); 1824 sbsec = dir->i_sb->s_security; 1825 1826 sid = tsec->sid; 1827 1828 ad.type = LSM_AUDIT_DATA_DENTRY; 1829 ad.u.dentry = dentry; 1830 1831 rc = avc_has_perm(&selinux_state, 1832 sid, dsec->sid, SECCLASS_DIR, 1833 DIR__ADD_NAME | DIR__SEARCH, 1834 &ad); 1835 if (rc) 1836 return rc; 1837 1838 rc = selinux_determine_inode_label(current_security(), dir, 1839 &dentry->d_name, tclass, &newsid); 1840 if (rc) 1841 return rc; 1842 1843 rc = avc_has_perm(&selinux_state, 1844 sid, newsid, tclass, FILE__CREATE, &ad); 1845 if (rc) 1846 return rc; 1847 1848 return avc_has_perm(&selinux_state, 1849 newsid, sbsec->sid, 1850 SECCLASS_FILESYSTEM, 1851 FILESYSTEM__ASSOCIATE, &ad); 1852 } 1853 1854 #define MAY_LINK 0 1855 #define MAY_UNLINK 1 1856 #define MAY_RMDIR 2 1857 1858 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1859 static int may_link(struct inode *dir, 1860 struct dentry *dentry, 1861 int kind) 1862 1863 { 1864 struct inode_security_struct *dsec, *isec; 1865 struct common_audit_data ad; 1866 u32 sid = current_sid(); 1867 u32 av; 1868 int rc; 1869 1870 dsec = inode_security(dir); 1871 isec = backing_inode_security(dentry); 1872 1873 ad.type = LSM_AUDIT_DATA_DENTRY; 1874 ad.u.dentry = dentry; 1875 1876 av = DIR__SEARCH; 1877 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1878 rc = avc_has_perm(&selinux_state, 1879 sid, dsec->sid, SECCLASS_DIR, av, &ad); 1880 if (rc) 1881 return rc; 1882 1883 switch (kind) { 1884 case MAY_LINK: 1885 av = FILE__LINK; 1886 break; 1887 case MAY_UNLINK: 1888 av = FILE__UNLINK; 1889 break; 1890 case MAY_RMDIR: 1891 av = DIR__RMDIR; 1892 break; 1893 default: 1894 pr_warn("SELinux: %s: unrecognized kind %d\n", 1895 __func__, kind); 1896 return 0; 1897 } 1898 1899 rc = avc_has_perm(&selinux_state, 1900 sid, isec->sid, isec->sclass, av, &ad); 1901 return rc; 1902 } 1903 1904 static inline int may_rename(struct inode *old_dir, 1905 struct dentry *old_dentry, 1906 struct inode *new_dir, 1907 struct dentry *new_dentry) 1908 { 1909 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1910 struct common_audit_data ad; 1911 u32 sid = current_sid(); 1912 u32 av; 1913 int old_is_dir, new_is_dir; 1914 int rc; 1915 1916 old_dsec = inode_security(old_dir); 1917 old_isec = backing_inode_security(old_dentry); 1918 old_is_dir = d_is_dir(old_dentry); 1919 new_dsec = inode_security(new_dir); 1920 1921 ad.type = LSM_AUDIT_DATA_DENTRY; 1922 1923 ad.u.dentry = old_dentry; 1924 rc = avc_has_perm(&selinux_state, 1925 sid, old_dsec->sid, SECCLASS_DIR, 1926 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1927 if (rc) 1928 return rc; 1929 rc = avc_has_perm(&selinux_state, 1930 sid, old_isec->sid, 1931 old_isec->sclass, FILE__RENAME, &ad); 1932 if (rc) 1933 return rc; 1934 if (old_is_dir && new_dir != old_dir) { 1935 rc = avc_has_perm(&selinux_state, 1936 sid, old_isec->sid, 1937 old_isec->sclass, DIR__REPARENT, &ad); 1938 if (rc) 1939 return rc; 1940 } 1941 1942 ad.u.dentry = new_dentry; 1943 av = DIR__ADD_NAME | DIR__SEARCH; 1944 if (d_is_positive(new_dentry)) 1945 av |= DIR__REMOVE_NAME; 1946 rc = avc_has_perm(&selinux_state, 1947 sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1948 if (rc) 1949 return rc; 1950 if (d_is_positive(new_dentry)) { 1951 new_isec = backing_inode_security(new_dentry); 1952 new_is_dir = d_is_dir(new_dentry); 1953 rc = avc_has_perm(&selinux_state, 1954 sid, new_isec->sid, 1955 new_isec->sclass, 1956 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1957 if (rc) 1958 return rc; 1959 } 1960 1961 return 0; 1962 } 1963 1964 /* Check whether a task can perform a filesystem operation. */ 1965 static int superblock_has_perm(const struct cred *cred, 1966 struct super_block *sb, 1967 u32 perms, 1968 struct common_audit_data *ad) 1969 { 1970 struct superblock_security_struct *sbsec; 1971 u32 sid = cred_sid(cred); 1972 1973 sbsec = sb->s_security; 1974 return avc_has_perm(&selinux_state, 1975 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1976 } 1977 1978 /* Convert a Linux mode and permission mask to an access vector. */ 1979 static inline u32 file_mask_to_av(int mode, int mask) 1980 { 1981 u32 av = 0; 1982 1983 if (!S_ISDIR(mode)) { 1984 if (mask & MAY_EXEC) 1985 av |= FILE__EXECUTE; 1986 if (mask & MAY_READ) 1987 av |= FILE__READ; 1988 1989 if (mask & MAY_APPEND) 1990 av |= FILE__APPEND; 1991 else if (mask & MAY_WRITE) 1992 av |= FILE__WRITE; 1993 1994 } else { 1995 if (mask & MAY_EXEC) 1996 av |= DIR__SEARCH; 1997 if (mask & MAY_WRITE) 1998 av |= DIR__WRITE; 1999 if (mask & MAY_READ) 2000 av |= DIR__READ; 2001 } 2002 2003 return av; 2004 } 2005 2006 /* Convert a Linux file to an access vector. */ 2007 static inline u32 file_to_av(struct file *file) 2008 { 2009 u32 av = 0; 2010 2011 if (file->f_mode & FMODE_READ) 2012 av |= FILE__READ; 2013 if (file->f_mode & FMODE_WRITE) { 2014 if (file->f_flags & O_APPEND) 2015 av |= FILE__APPEND; 2016 else 2017 av |= FILE__WRITE; 2018 } 2019 if (!av) { 2020 /* 2021 * Special file opened with flags 3 for ioctl-only use. 2022 */ 2023 av = FILE__IOCTL; 2024 } 2025 2026 return av; 2027 } 2028 2029 /* 2030 * Convert a file to an access vector and include the correct open 2031 * open permission. 2032 */ 2033 static inline u32 open_file_to_av(struct file *file) 2034 { 2035 u32 av = file_to_av(file); 2036 struct inode *inode = file_inode(file); 2037 2038 if (selinux_policycap_openperm() && 2039 inode->i_sb->s_magic != SOCKFS_MAGIC) 2040 av |= FILE__OPEN; 2041 2042 return av; 2043 } 2044 2045 /* Hook functions begin here. */ 2046 2047 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2048 { 2049 u32 mysid = current_sid(); 2050 u32 mgrsid = task_sid(mgr); 2051 2052 return avc_has_perm(&selinux_state, 2053 mysid, mgrsid, SECCLASS_BINDER, 2054 BINDER__SET_CONTEXT_MGR, NULL); 2055 } 2056 2057 static int selinux_binder_transaction(struct task_struct *from, 2058 struct task_struct *to) 2059 { 2060 u32 mysid = current_sid(); 2061 u32 fromsid = task_sid(from); 2062 u32 tosid = task_sid(to); 2063 int rc; 2064 2065 if (mysid != fromsid) { 2066 rc = avc_has_perm(&selinux_state, 2067 mysid, fromsid, SECCLASS_BINDER, 2068 BINDER__IMPERSONATE, NULL); 2069 if (rc) 2070 return rc; 2071 } 2072 2073 return avc_has_perm(&selinux_state, 2074 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2075 NULL); 2076 } 2077 2078 static int selinux_binder_transfer_binder(struct task_struct *from, 2079 struct task_struct *to) 2080 { 2081 u32 fromsid = task_sid(from); 2082 u32 tosid = task_sid(to); 2083 2084 return avc_has_perm(&selinux_state, 2085 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2086 NULL); 2087 } 2088 2089 static int selinux_binder_transfer_file(struct task_struct *from, 2090 struct task_struct *to, 2091 struct file *file) 2092 { 2093 u32 sid = task_sid(to); 2094 struct file_security_struct *fsec = file->f_security; 2095 struct dentry *dentry = file->f_path.dentry; 2096 struct inode_security_struct *isec; 2097 struct common_audit_data ad; 2098 int rc; 2099 2100 ad.type = LSM_AUDIT_DATA_PATH; 2101 ad.u.path = file->f_path; 2102 2103 if (sid != fsec->sid) { 2104 rc = avc_has_perm(&selinux_state, 2105 sid, fsec->sid, 2106 SECCLASS_FD, 2107 FD__USE, 2108 &ad); 2109 if (rc) 2110 return rc; 2111 } 2112 2113 #ifdef CONFIG_BPF_SYSCALL 2114 rc = bpf_fd_pass(file, sid); 2115 if (rc) 2116 return rc; 2117 #endif 2118 2119 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2120 return 0; 2121 2122 isec = backing_inode_security(dentry); 2123 return avc_has_perm(&selinux_state, 2124 sid, isec->sid, isec->sclass, file_to_av(file), 2125 &ad); 2126 } 2127 2128 static int selinux_ptrace_access_check(struct task_struct *child, 2129 unsigned int mode) 2130 { 2131 u32 sid = current_sid(); 2132 u32 csid = task_sid(child); 2133 2134 if (mode & PTRACE_MODE_READ) 2135 return avc_has_perm(&selinux_state, 2136 sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2137 2138 return avc_has_perm(&selinux_state, 2139 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2140 } 2141 2142 static int selinux_ptrace_traceme(struct task_struct *parent) 2143 { 2144 return avc_has_perm(&selinux_state, 2145 task_sid(parent), current_sid(), SECCLASS_PROCESS, 2146 PROCESS__PTRACE, NULL); 2147 } 2148 2149 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2150 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2151 { 2152 return avc_has_perm(&selinux_state, 2153 current_sid(), task_sid(target), SECCLASS_PROCESS, 2154 PROCESS__GETCAP, NULL); 2155 } 2156 2157 static int selinux_capset(struct cred *new, const struct cred *old, 2158 const kernel_cap_t *effective, 2159 const kernel_cap_t *inheritable, 2160 const kernel_cap_t *permitted) 2161 { 2162 return avc_has_perm(&selinux_state, 2163 cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2164 PROCESS__SETCAP, NULL); 2165 } 2166 2167 /* 2168 * (This comment used to live with the selinux_task_setuid hook, 2169 * which was removed). 2170 * 2171 * Since setuid only affects the current process, and since the SELinux 2172 * controls are not based on the Linux identity attributes, SELinux does not 2173 * need to control this operation. However, SELinux does control the use of 2174 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2175 */ 2176 2177 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2178 int cap, int audit) 2179 { 2180 return cred_has_capability(cred, cap, audit, ns == &init_user_ns); 2181 } 2182 2183 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2184 { 2185 const struct cred *cred = current_cred(); 2186 int rc = 0; 2187 2188 if (!sb) 2189 return 0; 2190 2191 switch (cmds) { 2192 case Q_SYNC: 2193 case Q_QUOTAON: 2194 case Q_QUOTAOFF: 2195 case Q_SETINFO: 2196 case Q_SETQUOTA: 2197 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2198 break; 2199 case Q_GETFMT: 2200 case Q_GETINFO: 2201 case Q_GETQUOTA: 2202 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2203 break; 2204 default: 2205 rc = 0; /* let the kernel handle invalid cmds */ 2206 break; 2207 } 2208 return rc; 2209 } 2210 2211 static int selinux_quota_on(struct dentry *dentry) 2212 { 2213 const struct cred *cred = current_cred(); 2214 2215 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2216 } 2217 2218 static int selinux_syslog(int type) 2219 { 2220 switch (type) { 2221 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2222 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2223 return avc_has_perm(&selinux_state, 2224 current_sid(), SECINITSID_KERNEL, 2225 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2226 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2227 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2228 /* Set level of messages printed to console */ 2229 case SYSLOG_ACTION_CONSOLE_LEVEL: 2230 return avc_has_perm(&selinux_state, 2231 current_sid(), SECINITSID_KERNEL, 2232 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2233 NULL); 2234 } 2235 /* All other syslog types */ 2236 return avc_has_perm(&selinux_state, 2237 current_sid(), SECINITSID_KERNEL, 2238 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2239 } 2240 2241 /* 2242 * Check that a process has enough memory to allocate a new virtual 2243 * mapping. 0 means there is enough memory for the allocation to 2244 * succeed and -ENOMEM implies there is not. 2245 * 2246 * Do not audit the selinux permission check, as this is applied to all 2247 * processes that allocate mappings. 2248 */ 2249 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2250 { 2251 int rc, cap_sys_admin = 0; 2252 2253 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2254 SECURITY_CAP_NOAUDIT, true); 2255 if (rc == 0) 2256 cap_sys_admin = 1; 2257 2258 return cap_sys_admin; 2259 } 2260 2261 /* binprm security operations */ 2262 2263 static u32 ptrace_parent_sid(void) 2264 { 2265 u32 sid = 0; 2266 struct task_struct *tracer; 2267 2268 rcu_read_lock(); 2269 tracer = ptrace_parent(current); 2270 if (tracer) 2271 sid = task_sid(tracer); 2272 rcu_read_unlock(); 2273 2274 return sid; 2275 } 2276 2277 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2278 const struct task_security_struct *old_tsec, 2279 const struct task_security_struct *new_tsec) 2280 { 2281 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2282 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2283 int rc; 2284 u32 av; 2285 2286 if (!nnp && !nosuid) 2287 return 0; /* neither NNP nor nosuid */ 2288 2289 if (new_tsec->sid == old_tsec->sid) 2290 return 0; /* No change in credentials */ 2291 2292 /* 2293 * If the policy enables the nnp_nosuid_transition policy capability, 2294 * then we permit transitions under NNP or nosuid if the 2295 * policy allows the corresponding permission between 2296 * the old and new contexts. 2297 */ 2298 if (selinux_policycap_nnp_nosuid_transition()) { 2299 av = 0; 2300 if (nnp) 2301 av |= PROCESS2__NNP_TRANSITION; 2302 if (nosuid) 2303 av |= PROCESS2__NOSUID_TRANSITION; 2304 rc = avc_has_perm(&selinux_state, 2305 old_tsec->sid, new_tsec->sid, 2306 SECCLASS_PROCESS2, av, NULL); 2307 if (!rc) 2308 return 0; 2309 } 2310 2311 /* 2312 * We also permit NNP or nosuid transitions to bounded SIDs, 2313 * i.e. SIDs that are guaranteed to only be allowed a subset 2314 * of the permissions of the current SID. 2315 */ 2316 rc = security_bounded_transition(&selinux_state, old_tsec->sid, 2317 new_tsec->sid); 2318 if (!rc) 2319 return 0; 2320 2321 /* 2322 * On failure, preserve the errno values for NNP vs nosuid. 2323 * NNP: Operation not permitted for caller. 2324 * nosuid: Permission denied to file. 2325 */ 2326 if (nnp) 2327 return -EPERM; 2328 return -EACCES; 2329 } 2330 2331 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2332 { 2333 const struct task_security_struct *old_tsec; 2334 struct task_security_struct *new_tsec; 2335 struct inode_security_struct *isec; 2336 struct common_audit_data ad; 2337 struct inode *inode = file_inode(bprm->file); 2338 int rc; 2339 2340 /* SELinux context only depends on initial program or script and not 2341 * the script interpreter */ 2342 if (bprm->called_set_creds) 2343 return 0; 2344 2345 old_tsec = current_security(); 2346 new_tsec = bprm->cred->security; 2347 isec = inode_security(inode); 2348 2349 /* Default to the current task SID. */ 2350 new_tsec->sid = old_tsec->sid; 2351 new_tsec->osid = old_tsec->sid; 2352 2353 /* Reset fs, key, and sock SIDs on execve. */ 2354 new_tsec->create_sid = 0; 2355 new_tsec->keycreate_sid = 0; 2356 new_tsec->sockcreate_sid = 0; 2357 2358 if (old_tsec->exec_sid) { 2359 new_tsec->sid = old_tsec->exec_sid; 2360 /* Reset exec SID on execve. */ 2361 new_tsec->exec_sid = 0; 2362 2363 /* Fail on NNP or nosuid if not an allowed transition. */ 2364 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2365 if (rc) 2366 return rc; 2367 } else { 2368 /* Check for a default transition on this program. */ 2369 rc = security_transition_sid(&selinux_state, old_tsec->sid, 2370 isec->sid, SECCLASS_PROCESS, NULL, 2371 &new_tsec->sid); 2372 if (rc) 2373 return rc; 2374 2375 /* 2376 * Fallback to old SID on NNP or nosuid if not an allowed 2377 * transition. 2378 */ 2379 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2380 if (rc) 2381 new_tsec->sid = old_tsec->sid; 2382 } 2383 2384 ad.type = LSM_AUDIT_DATA_FILE; 2385 ad.u.file = bprm->file; 2386 2387 if (new_tsec->sid == old_tsec->sid) { 2388 rc = avc_has_perm(&selinux_state, 2389 old_tsec->sid, isec->sid, 2390 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2391 if (rc) 2392 return rc; 2393 } else { 2394 /* Check permissions for the transition. */ 2395 rc = avc_has_perm(&selinux_state, 2396 old_tsec->sid, new_tsec->sid, 2397 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2398 if (rc) 2399 return rc; 2400 2401 rc = avc_has_perm(&selinux_state, 2402 new_tsec->sid, isec->sid, 2403 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2404 if (rc) 2405 return rc; 2406 2407 /* Check for shared state */ 2408 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2409 rc = avc_has_perm(&selinux_state, 2410 old_tsec->sid, new_tsec->sid, 2411 SECCLASS_PROCESS, PROCESS__SHARE, 2412 NULL); 2413 if (rc) 2414 return -EPERM; 2415 } 2416 2417 /* Make sure that anyone attempting to ptrace over a task that 2418 * changes its SID has the appropriate permit */ 2419 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2420 u32 ptsid = ptrace_parent_sid(); 2421 if (ptsid != 0) { 2422 rc = avc_has_perm(&selinux_state, 2423 ptsid, new_tsec->sid, 2424 SECCLASS_PROCESS, 2425 PROCESS__PTRACE, NULL); 2426 if (rc) 2427 return -EPERM; 2428 } 2429 } 2430 2431 /* Clear any possibly unsafe personality bits on exec: */ 2432 bprm->per_clear |= PER_CLEAR_ON_SETID; 2433 2434 /* Enable secure mode for SIDs transitions unless 2435 the noatsecure permission is granted between 2436 the two SIDs, i.e. ahp returns 0. */ 2437 rc = avc_has_perm(&selinux_state, 2438 old_tsec->sid, new_tsec->sid, 2439 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2440 NULL); 2441 bprm->secureexec |= !!rc; 2442 } 2443 2444 return 0; 2445 } 2446 2447 static int match_file(const void *p, struct file *file, unsigned fd) 2448 { 2449 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2450 } 2451 2452 /* Derived from fs/exec.c:flush_old_files. */ 2453 static inline void flush_unauthorized_files(const struct cred *cred, 2454 struct files_struct *files) 2455 { 2456 struct file *file, *devnull = NULL; 2457 struct tty_struct *tty; 2458 int drop_tty = 0; 2459 unsigned n; 2460 2461 tty = get_current_tty(); 2462 if (tty) { 2463 spin_lock(&tty->files_lock); 2464 if (!list_empty(&tty->tty_files)) { 2465 struct tty_file_private *file_priv; 2466 2467 /* Revalidate access to controlling tty. 2468 Use file_path_has_perm on the tty path directly 2469 rather than using file_has_perm, as this particular 2470 open file may belong to another process and we are 2471 only interested in the inode-based check here. */ 2472 file_priv = list_first_entry(&tty->tty_files, 2473 struct tty_file_private, list); 2474 file = file_priv->file; 2475 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2476 drop_tty = 1; 2477 } 2478 spin_unlock(&tty->files_lock); 2479 tty_kref_put(tty); 2480 } 2481 /* Reset controlling tty. */ 2482 if (drop_tty) 2483 no_tty(); 2484 2485 /* Revalidate access to inherited open files. */ 2486 n = iterate_fd(files, 0, match_file, cred); 2487 if (!n) /* none found? */ 2488 return; 2489 2490 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2491 if (IS_ERR(devnull)) 2492 devnull = NULL; 2493 /* replace all the matching ones with this */ 2494 do { 2495 replace_fd(n - 1, devnull, 0); 2496 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2497 if (devnull) 2498 fput(devnull); 2499 } 2500 2501 /* 2502 * Prepare a process for imminent new credential changes due to exec 2503 */ 2504 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2505 { 2506 struct task_security_struct *new_tsec; 2507 struct rlimit *rlim, *initrlim; 2508 int rc, i; 2509 2510 new_tsec = bprm->cred->security; 2511 if (new_tsec->sid == new_tsec->osid) 2512 return; 2513 2514 /* Close files for which the new task SID is not authorized. */ 2515 flush_unauthorized_files(bprm->cred, current->files); 2516 2517 /* Always clear parent death signal on SID transitions. */ 2518 current->pdeath_signal = 0; 2519 2520 /* Check whether the new SID can inherit resource limits from the old 2521 * SID. If not, reset all soft limits to the lower of the current 2522 * task's hard limit and the init task's soft limit. 2523 * 2524 * Note that the setting of hard limits (even to lower them) can be 2525 * controlled by the setrlimit check. The inclusion of the init task's 2526 * soft limit into the computation is to avoid resetting soft limits 2527 * higher than the default soft limit for cases where the default is 2528 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2529 */ 2530 rc = avc_has_perm(&selinux_state, 2531 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2532 PROCESS__RLIMITINH, NULL); 2533 if (rc) { 2534 /* protect against do_prlimit() */ 2535 task_lock(current); 2536 for (i = 0; i < RLIM_NLIMITS; i++) { 2537 rlim = current->signal->rlim + i; 2538 initrlim = init_task.signal->rlim + i; 2539 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2540 } 2541 task_unlock(current); 2542 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2543 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2544 } 2545 } 2546 2547 /* 2548 * Clean up the process immediately after the installation of new credentials 2549 * due to exec 2550 */ 2551 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2552 { 2553 const struct task_security_struct *tsec = current_security(); 2554 struct itimerval itimer; 2555 u32 osid, sid; 2556 int rc, i; 2557 2558 osid = tsec->osid; 2559 sid = tsec->sid; 2560 2561 if (sid == osid) 2562 return; 2563 2564 /* Check whether the new SID can inherit signal state from the old SID. 2565 * If not, clear itimers to avoid subsequent signal generation and 2566 * flush and unblock signals. 2567 * 2568 * This must occur _after_ the task SID has been updated so that any 2569 * kill done after the flush will be checked against the new SID. 2570 */ 2571 rc = avc_has_perm(&selinux_state, 2572 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2573 if (rc) { 2574 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2575 memset(&itimer, 0, sizeof itimer); 2576 for (i = 0; i < 3; i++) 2577 do_setitimer(i, &itimer, NULL); 2578 } 2579 spin_lock_irq(¤t->sighand->siglock); 2580 if (!fatal_signal_pending(current)) { 2581 flush_sigqueue(¤t->pending); 2582 flush_sigqueue(¤t->signal->shared_pending); 2583 flush_signal_handlers(current, 1); 2584 sigemptyset(¤t->blocked); 2585 recalc_sigpending(); 2586 } 2587 spin_unlock_irq(¤t->sighand->siglock); 2588 } 2589 2590 /* Wake up the parent if it is waiting so that it can recheck 2591 * wait permission to the new task SID. */ 2592 read_lock(&tasklist_lock); 2593 __wake_up_parent(current, current->real_parent); 2594 read_unlock(&tasklist_lock); 2595 } 2596 2597 /* superblock security operations */ 2598 2599 static int selinux_sb_alloc_security(struct super_block *sb) 2600 { 2601 return superblock_alloc_security(sb); 2602 } 2603 2604 static void selinux_sb_free_security(struct super_block *sb) 2605 { 2606 superblock_free_security(sb); 2607 } 2608 2609 static inline int opt_len(const char *s) 2610 { 2611 bool open_quote = false; 2612 int len; 2613 char c; 2614 2615 for (len = 0; (c = s[len]) != '\0'; len++) { 2616 if (c == '"') 2617 open_quote = !open_quote; 2618 if (c == ',' && !open_quote) 2619 break; 2620 } 2621 return len; 2622 } 2623 2624 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) 2625 { 2626 char *from = options; 2627 char *to = options; 2628 bool first = true; 2629 2630 while (1) { 2631 int len = opt_len(from); 2632 int token, rc; 2633 char *arg = NULL; 2634 2635 token = match_opt_prefix(from, len, &arg); 2636 2637 if (token != Opt_error) { 2638 char *p, *q; 2639 2640 /* strip quotes */ 2641 if (arg) { 2642 for (p = q = arg; p < from + len; p++) { 2643 char c = *p; 2644 if (c != '"') 2645 *q++ = c; 2646 } 2647 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); 2648 } 2649 rc = selinux_add_opt(token, arg, mnt_opts); 2650 if (unlikely(rc)) { 2651 kfree(arg); 2652 if (*mnt_opts) { 2653 selinux_free_mnt_opts(*mnt_opts); 2654 *mnt_opts = NULL; 2655 } 2656 return rc; 2657 } 2658 } else { 2659 if (!first) { // copy with preceding comma 2660 from--; 2661 len++; 2662 } 2663 if (to != from) 2664 memmove(to, from, len); 2665 to += len; 2666 first = false; 2667 } 2668 if (!from[len]) 2669 break; 2670 from += len + 1; 2671 } 2672 *to = '\0'; 2673 return 0; 2674 } 2675 2676 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) 2677 { 2678 struct selinux_mnt_opts *opts = mnt_opts; 2679 struct superblock_security_struct *sbsec = sb->s_security; 2680 u32 sid; 2681 int rc; 2682 2683 if (!(sbsec->flags & SE_SBINITIALIZED)) 2684 return 0; 2685 2686 if (!opts) 2687 return 0; 2688 2689 if (opts->fscontext) { 2690 rc = parse_sid(sb, opts->fscontext, &sid); 2691 if (rc) 2692 return rc; 2693 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2694 goto out_bad_option; 2695 } 2696 if (opts->context) { 2697 rc = parse_sid(sb, opts->context, &sid); 2698 if (rc) 2699 return rc; 2700 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2701 goto out_bad_option; 2702 } 2703 if (opts->rootcontext) { 2704 struct inode_security_struct *root_isec; 2705 root_isec = backing_inode_security(sb->s_root); 2706 rc = parse_sid(sb, opts->rootcontext, &sid); 2707 if (rc) 2708 return rc; 2709 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2710 goto out_bad_option; 2711 } 2712 if (opts->defcontext) { 2713 rc = parse_sid(sb, opts->defcontext, &sid); 2714 if (rc) 2715 return rc; 2716 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2717 goto out_bad_option; 2718 } 2719 return 0; 2720 2721 out_bad_option: 2722 pr_warn("SELinux: unable to change security options " 2723 "during remount (dev %s, type=%s)\n", sb->s_id, 2724 sb->s_type->name); 2725 return -EINVAL; 2726 } 2727 2728 static int selinux_sb_kern_mount(struct super_block *sb) 2729 { 2730 const struct cred *cred = current_cred(); 2731 struct common_audit_data ad; 2732 2733 ad.type = LSM_AUDIT_DATA_DENTRY; 2734 ad.u.dentry = sb->s_root; 2735 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2736 } 2737 2738 static int selinux_sb_statfs(struct dentry *dentry) 2739 { 2740 const struct cred *cred = current_cred(); 2741 struct common_audit_data ad; 2742 2743 ad.type = LSM_AUDIT_DATA_DENTRY; 2744 ad.u.dentry = dentry->d_sb->s_root; 2745 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2746 } 2747 2748 static int selinux_mount(const char *dev_name, 2749 const struct path *path, 2750 const char *type, 2751 unsigned long flags, 2752 void *data) 2753 { 2754 const struct cred *cred = current_cred(); 2755 2756 if (flags & MS_REMOUNT) 2757 return superblock_has_perm(cred, path->dentry->d_sb, 2758 FILESYSTEM__REMOUNT, NULL); 2759 else 2760 return path_has_perm(cred, path, FILE__MOUNTON); 2761 } 2762 2763 static int selinux_umount(struct vfsmount *mnt, int flags) 2764 { 2765 const struct cred *cred = current_cred(); 2766 2767 return superblock_has_perm(cred, mnt->mnt_sb, 2768 FILESYSTEM__UNMOUNT, NULL); 2769 } 2770 2771 /* inode security operations */ 2772 2773 static int selinux_inode_alloc_security(struct inode *inode) 2774 { 2775 return inode_alloc_security(inode); 2776 } 2777 2778 static void selinux_inode_free_security(struct inode *inode) 2779 { 2780 inode_free_security(inode); 2781 } 2782 2783 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2784 const struct qstr *name, void **ctx, 2785 u32 *ctxlen) 2786 { 2787 u32 newsid; 2788 int rc; 2789 2790 rc = selinux_determine_inode_label(current_security(), 2791 d_inode(dentry->d_parent), name, 2792 inode_mode_to_security_class(mode), 2793 &newsid); 2794 if (rc) 2795 return rc; 2796 2797 return security_sid_to_context(&selinux_state, newsid, (char **)ctx, 2798 ctxlen); 2799 } 2800 2801 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2802 struct qstr *name, 2803 const struct cred *old, 2804 struct cred *new) 2805 { 2806 u32 newsid; 2807 int rc; 2808 struct task_security_struct *tsec; 2809 2810 rc = selinux_determine_inode_label(old->security, 2811 d_inode(dentry->d_parent), name, 2812 inode_mode_to_security_class(mode), 2813 &newsid); 2814 if (rc) 2815 return rc; 2816 2817 tsec = new->security; 2818 tsec->create_sid = newsid; 2819 return 0; 2820 } 2821 2822 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2823 const struct qstr *qstr, 2824 const char **name, 2825 void **value, size_t *len) 2826 { 2827 const struct task_security_struct *tsec = current_security(); 2828 struct superblock_security_struct *sbsec; 2829 u32 newsid, clen; 2830 int rc; 2831 char *context; 2832 2833 sbsec = dir->i_sb->s_security; 2834 2835 newsid = tsec->create_sid; 2836 2837 rc = selinux_determine_inode_label(current_security(), 2838 dir, qstr, 2839 inode_mode_to_security_class(inode->i_mode), 2840 &newsid); 2841 if (rc) 2842 return rc; 2843 2844 /* Possibly defer initialization to selinux_complete_init. */ 2845 if (sbsec->flags & SE_SBINITIALIZED) { 2846 struct inode_security_struct *isec = inode->i_security; 2847 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2848 isec->sid = newsid; 2849 isec->initialized = LABEL_INITIALIZED; 2850 } 2851 2852 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT)) 2853 return -EOPNOTSUPP; 2854 2855 if (name) 2856 *name = XATTR_SELINUX_SUFFIX; 2857 2858 if (value && len) { 2859 rc = security_sid_to_context_force(&selinux_state, newsid, 2860 &context, &clen); 2861 if (rc) 2862 return rc; 2863 *value = context; 2864 *len = clen; 2865 } 2866 2867 return 0; 2868 } 2869 2870 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 2871 { 2872 return may_create(dir, dentry, SECCLASS_FILE); 2873 } 2874 2875 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2876 { 2877 return may_link(dir, old_dentry, MAY_LINK); 2878 } 2879 2880 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2881 { 2882 return may_link(dir, dentry, MAY_UNLINK); 2883 } 2884 2885 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2886 { 2887 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2888 } 2889 2890 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 2891 { 2892 return may_create(dir, dentry, SECCLASS_DIR); 2893 } 2894 2895 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2896 { 2897 return may_link(dir, dentry, MAY_RMDIR); 2898 } 2899 2900 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 2901 { 2902 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2903 } 2904 2905 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2906 struct inode *new_inode, struct dentry *new_dentry) 2907 { 2908 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2909 } 2910 2911 static int selinux_inode_readlink(struct dentry *dentry) 2912 { 2913 const struct cred *cred = current_cred(); 2914 2915 return dentry_has_perm(cred, dentry, FILE__READ); 2916 } 2917 2918 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 2919 bool rcu) 2920 { 2921 const struct cred *cred = current_cred(); 2922 struct common_audit_data ad; 2923 struct inode_security_struct *isec; 2924 u32 sid; 2925 2926 validate_creds(cred); 2927 2928 ad.type = LSM_AUDIT_DATA_DENTRY; 2929 ad.u.dentry = dentry; 2930 sid = cred_sid(cred); 2931 isec = inode_security_rcu(inode, rcu); 2932 if (IS_ERR(isec)) 2933 return PTR_ERR(isec); 2934 2935 return avc_has_perm_flags(&selinux_state, 2936 sid, isec->sid, isec->sclass, FILE__READ, &ad, 2937 rcu ? MAY_NOT_BLOCK : 0); 2938 } 2939 2940 static noinline int audit_inode_permission(struct inode *inode, 2941 u32 perms, u32 audited, u32 denied, 2942 int result, 2943 unsigned flags) 2944 { 2945 struct common_audit_data ad; 2946 struct inode_security_struct *isec = inode->i_security; 2947 int rc; 2948 2949 ad.type = LSM_AUDIT_DATA_INODE; 2950 ad.u.inode = inode; 2951 2952 rc = slow_avc_audit(&selinux_state, 2953 current_sid(), isec->sid, isec->sclass, perms, 2954 audited, denied, result, &ad, flags); 2955 if (rc) 2956 return rc; 2957 return 0; 2958 } 2959 2960 static int selinux_inode_permission(struct inode *inode, int mask) 2961 { 2962 const struct cred *cred = current_cred(); 2963 u32 perms; 2964 bool from_access; 2965 unsigned flags = mask & MAY_NOT_BLOCK; 2966 struct inode_security_struct *isec; 2967 u32 sid; 2968 struct av_decision avd; 2969 int rc, rc2; 2970 u32 audited, denied; 2971 2972 from_access = mask & MAY_ACCESS; 2973 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 2974 2975 /* No permission to check. Existence test. */ 2976 if (!mask) 2977 return 0; 2978 2979 validate_creds(cred); 2980 2981 if (unlikely(IS_PRIVATE(inode))) 2982 return 0; 2983 2984 perms = file_mask_to_av(inode->i_mode, mask); 2985 2986 sid = cred_sid(cred); 2987 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK); 2988 if (IS_ERR(isec)) 2989 return PTR_ERR(isec); 2990 2991 rc = avc_has_perm_noaudit(&selinux_state, 2992 sid, isec->sid, isec->sclass, perms, 0, &avd); 2993 audited = avc_audit_required(perms, &avd, rc, 2994 from_access ? FILE__AUDIT_ACCESS : 0, 2995 &denied); 2996 if (likely(!audited)) 2997 return rc; 2998 2999 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); 3000 if (rc2) 3001 return rc2; 3002 return rc; 3003 } 3004 3005 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3006 { 3007 const struct cred *cred = current_cred(); 3008 struct inode *inode = d_backing_inode(dentry); 3009 unsigned int ia_valid = iattr->ia_valid; 3010 __u32 av = FILE__WRITE; 3011 3012 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3013 if (ia_valid & ATTR_FORCE) { 3014 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3015 ATTR_FORCE); 3016 if (!ia_valid) 3017 return 0; 3018 } 3019 3020 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3021 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3022 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3023 3024 if (selinux_policycap_openperm() && 3025 inode->i_sb->s_magic != SOCKFS_MAGIC && 3026 (ia_valid & ATTR_SIZE) && 3027 !(ia_valid & ATTR_FILE)) 3028 av |= FILE__OPEN; 3029 3030 return dentry_has_perm(cred, dentry, av); 3031 } 3032 3033 static int selinux_inode_getattr(const struct path *path) 3034 { 3035 return path_has_perm(current_cred(), path, FILE__GETATTR); 3036 } 3037 3038 static bool has_cap_mac_admin(bool audit) 3039 { 3040 const struct cred *cred = current_cred(); 3041 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT; 3042 3043 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit)) 3044 return false; 3045 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true)) 3046 return false; 3047 return true; 3048 } 3049 3050 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3051 const void *value, size_t size, int flags) 3052 { 3053 struct inode *inode = d_backing_inode(dentry); 3054 struct inode_security_struct *isec; 3055 struct superblock_security_struct *sbsec; 3056 struct common_audit_data ad; 3057 u32 newsid, sid = current_sid(); 3058 int rc = 0; 3059 3060 if (strcmp(name, XATTR_NAME_SELINUX)) { 3061 rc = cap_inode_setxattr(dentry, name, value, size, flags); 3062 if (rc) 3063 return rc; 3064 3065 /* Not an attribute we recognize, so just check the 3066 ordinary setattr permission. */ 3067 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3068 } 3069 3070 sbsec = inode->i_sb->s_security; 3071 if (!(sbsec->flags & SBLABEL_MNT)) 3072 return -EOPNOTSUPP; 3073 3074 if (!inode_owner_or_capable(inode)) 3075 return -EPERM; 3076 3077 ad.type = LSM_AUDIT_DATA_DENTRY; 3078 ad.u.dentry = dentry; 3079 3080 isec = backing_inode_security(dentry); 3081 rc = avc_has_perm(&selinux_state, 3082 sid, isec->sid, isec->sclass, 3083 FILE__RELABELFROM, &ad); 3084 if (rc) 3085 return rc; 3086 3087 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3088 GFP_KERNEL); 3089 if (rc == -EINVAL) { 3090 if (!has_cap_mac_admin(true)) { 3091 struct audit_buffer *ab; 3092 size_t audit_size; 3093 3094 /* We strip a nul only if it is at the end, otherwise the 3095 * context contains a nul and we should audit that */ 3096 if (value) { 3097 const char *str = value; 3098 3099 if (str[size - 1] == '\0') 3100 audit_size = size - 1; 3101 else 3102 audit_size = size; 3103 } else { 3104 audit_size = 0; 3105 } 3106 ab = audit_log_start(audit_context(), 3107 GFP_ATOMIC, AUDIT_SELINUX_ERR); 3108 audit_log_format(ab, "op=setxattr invalid_context="); 3109 audit_log_n_untrustedstring(ab, value, audit_size); 3110 audit_log_end(ab); 3111 3112 return rc; 3113 } 3114 rc = security_context_to_sid_force(&selinux_state, value, 3115 size, &newsid); 3116 } 3117 if (rc) 3118 return rc; 3119 3120 rc = avc_has_perm(&selinux_state, 3121 sid, newsid, isec->sclass, 3122 FILE__RELABELTO, &ad); 3123 if (rc) 3124 return rc; 3125 3126 rc = security_validate_transition(&selinux_state, isec->sid, newsid, 3127 sid, isec->sclass); 3128 if (rc) 3129 return rc; 3130 3131 return avc_has_perm(&selinux_state, 3132 newsid, 3133 sbsec->sid, 3134 SECCLASS_FILESYSTEM, 3135 FILESYSTEM__ASSOCIATE, 3136 &ad); 3137 } 3138 3139 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3140 const void *value, size_t size, 3141 int flags) 3142 { 3143 struct inode *inode = d_backing_inode(dentry); 3144 struct inode_security_struct *isec; 3145 u32 newsid; 3146 int rc; 3147 3148 if (strcmp(name, XATTR_NAME_SELINUX)) { 3149 /* Not an attribute we recognize, so nothing to do. */ 3150 return; 3151 } 3152 3153 rc = security_context_to_sid_force(&selinux_state, value, size, 3154 &newsid); 3155 if (rc) { 3156 pr_err("SELinux: unable to map context to SID" 3157 "for (%s, %lu), rc=%d\n", 3158 inode->i_sb->s_id, inode->i_ino, -rc); 3159 return; 3160 } 3161 3162 isec = backing_inode_security(dentry); 3163 spin_lock(&isec->lock); 3164 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3165 isec->sid = newsid; 3166 isec->initialized = LABEL_INITIALIZED; 3167 spin_unlock(&isec->lock); 3168 3169 return; 3170 } 3171 3172 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3173 { 3174 const struct cred *cred = current_cred(); 3175 3176 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3177 } 3178 3179 static int selinux_inode_listxattr(struct dentry *dentry) 3180 { 3181 const struct cred *cred = current_cred(); 3182 3183 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3184 } 3185 3186 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3187 { 3188 if (strcmp(name, XATTR_NAME_SELINUX)) { 3189 int rc = cap_inode_removexattr(dentry, name); 3190 if (rc) 3191 return rc; 3192 3193 /* Not an attribute we recognize, so just check the 3194 ordinary setattr permission. */ 3195 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3196 } 3197 3198 /* No one is allowed to remove a SELinux security label. 3199 You can change the label, but all data must be labeled. */ 3200 return -EACCES; 3201 } 3202 3203 /* 3204 * Copy the inode security context value to the user. 3205 * 3206 * Permission check is handled by selinux_inode_getxattr hook. 3207 */ 3208 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3209 { 3210 u32 size; 3211 int error; 3212 char *context = NULL; 3213 struct inode_security_struct *isec; 3214 3215 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3216 return -EOPNOTSUPP; 3217 3218 /* 3219 * If the caller has CAP_MAC_ADMIN, then get the raw context 3220 * value even if it is not defined by current policy; otherwise, 3221 * use the in-core value under current policy. 3222 * Use the non-auditing forms of the permission checks since 3223 * getxattr may be called by unprivileged processes commonly 3224 * and lack of permission just means that we fall back to the 3225 * in-core context value, not a denial. 3226 */ 3227 isec = inode_security(inode); 3228 if (has_cap_mac_admin(false)) 3229 error = security_sid_to_context_force(&selinux_state, 3230 isec->sid, &context, 3231 &size); 3232 else 3233 error = security_sid_to_context(&selinux_state, isec->sid, 3234 &context, &size); 3235 if (error) 3236 return error; 3237 error = size; 3238 if (alloc) { 3239 *buffer = context; 3240 goto out_nofree; 3241 } 3242 kfree(context); 3243 out_nofree: 3244 return error; 3245 } 3246 3247 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3248 const void *value, size_t size, int flags) 3249 { 3250 struct inode_security_struct *isec = inode_security_novalidate(inode); 3251 u32 newsid; 3252 int rc; 3253 3254 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3255 return -EOPNOTSUPP; 3256 3257 if (!value || !size) 3258 return -EACCES; 3259 3260 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3261 GFP_KERNEL); 3262 if (rc) 3263 return rc; 3264 3265 spin_lock(&isec->lock); 3266 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3267 isec->sid = newsid; 3268 isec->initialized = LABEL_INITIALIZED; 3269 spin_unlock(&isec->lock); 3270 return 0; 3271 } 3272 3273 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3274 { 3275 const int len = sizeof(XATTR_NAME_SELINUX); 3276 if (buffer && len <= buffer_size) 3277 memcpy(buffer, XATTR_NAME_SELINUX, len); 3278 return len; 3279 } 3280 3281 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3282 { 3283 struct inode_security_struct *isec = inode_security_novalidate(inode); 3284 *secid = isec->sid; 3285 } 3286 3287 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3288 { 3289 u32 sid; 3290 struct task_security_struct *tsec; 3291 struct cred *new_creds = *new; 3292 3293 if (new_creds == NULL) { 3294 new_creds = prepare_creds(); 3295 if (!new_creds) 3296 return -ENOMEM; 3297 } 3298 3299 tsec = new_creds->security; 3300 /* Get label from overlay inode and set it in create_sid */ 3301 selinux_inode_getsecid(d_inode(src), &sid); 3302 tsec->create_sid = sid; 3303 *new = new_creds; 3304 return 0; 3305 } 3306 3307 static int selinux_inode_copy_up_xattr(const char *name) 3308 { 3309 /* The copy_up hook above sets the initial context on an inode, but we 3310 * don't then want to overwrite it by blindly copying all the lower 3311 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3312 */ 3313 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3314 return 1; /* Discard */ 3315 /* 3316 * Any other attribute apart from SELINUX is not claimed, supported 3317 * by selinux. 3318 */ 3319 return -EOPNOTSUPP; 3320 } 3321 3322 /* file security operations */ 3323 3324 static int selinux_revalidate_file_permission(struct file *file, int mask) 3325 { 3326 const struct cred *cred = current_cred(); 3327 struct inode *inode = file_inode(file); 3328 3329 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3330 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3331 mask |= MAY_APPEND; 3332 3333 return file_has_perm(cred, file, 3334 file_mask_to_av(inode->i_mode, mask)); 3335 } 3336 3337 static int selinux_file_permission(struct file *file, int mask) 3338 { 3339 struct inode *inode = file_inode(file); 3340 struct file_security_struct *fsec = file->f_security; 3341 struct inode_security_struct *isec; 3342 u32 sid = current_sid(); 3343 3344 if (!mask) 3345 /* No permission to check. Existence test. */ 3346 return 0; 3347 3348 isec = inode_security(inode); 3349 if (sid == fsec->sid && fsec->isid == isec->sid && 3350 fsec->pseqno == avc_policy_seqno(&selinux_state)) 3351 /* No change since file_open check. */ 3352 return 0; 3353 3354 return selinux_revalidate_file_permission(file, mask); 3355 } 3356 3357 static int selinux_file_alloc_security(struct file *file) 3358 { 3359 return file_alloc_security(file); 3360 } 3361 3362 static void selinux_file_free_security(struct file *file) 3363 { 3364 file_free_security(file); 3365 } 3366 3367 /* 3368 * Check whether a task has the ioctl permission and cmd 3369 * operation to an inode. 3370 */ 3371 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3372 u32 requested, u16 cmd) 3373 { 3374 struct common_audit_data ad; 3375 struct file_security_struct *fsec = file->f_security; 3376 struct inode *inode = file_inode(file); 3377 struct inode_security_struct *isec; 3378 struct lsm_ioctlop_audit ioctl; 3379 u32 ssid = cred_sid(cred); 3380 int rc; 3381 u8 driver = cmd >> 8; 3382 u8 xperm = cmd & 0xff; 3383 3384 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3385 ad.u.op = &ioctl; 3386 ad.u.op->cmd = cmd; 3387 ad.u.op->path = file->f_path; 3388 3389 if (ssid != fsec->sid) { 3390 rc = avc_has_perm(&selinux_state, 3391 ssid, fsec->sid, 3392 SECCLASS_FD, 3393 FD__USE, 3394 &ad); 3395 if (rc) 3396 goto out; 3397 } 3398 3399 if (unlikely(IS_PRIVATE(inode))) 3400 return 0; 3401 3402 isec = inode_security(inode); 3403 rc = avc_has_extended_perms(&selinux_state, 3404 ssid, isec->sid, isec->sclass, 3405 requested, driver, xperm, &ad); 3406 out: 3407 return rc; 3408 } 3409 3410 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3411 unsigned long arg) 3412 { 3413 const struct cred *cred = current_cred(); 3414 int error = 0; 3415 3416 switch (cmd) { 3417 case FIONREAD: 3418 /* fall through */ 3419 case FIBMAP: 3420 /* fall through */ 3421 case FIGETBSZ: 3422 /* fall through */ 3423 case FS_IOC_GETFLAGS: 3424 /* fall through */ 3425 case FS_IOC_GETVERSION: 3426 error = file_has_perm(cred, file, FILE__GETATTR); 3427 break; 3428 3429 case FS_IOC_SETFLAGS: 3430 /* fall through */ 3431 case FS_IOC_SETVERSION: 3432 error = file_has_perm(cred, file, FILE__SETATTR); 3433 break; 3434 3435 /* sys_ioctl() checks */ 3436 case FIONBIO: 3437 /* fall through */ 3438 case FIOASYNC: 3439 error = file_has_perm(cred, file, 0); 3440 break; 3441 3442 case KDSKBENT: 3443 case KDSKBSENT: 3444 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3445 SECURITY_CAP_AUDIT, true); 3446 break; 3447 3448 /* default case assumes that the command will go 3449 * to the file's ioctl() function. 3450 */ 3451 default: 3452 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3453 } 3454 return error; 3455 } 3456 3457 static int default_noexec; 3458 3459 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3460 { 3461 const struct cred *cred = current_cred(); 3462 u32 sid = cred_sid(cred); 3463 int rc = 0; 3464 3465 if (default_noexec && 3466 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3467 (!shared && (prot & PROT_WRITE)))) { 3468 /* 3469 * We are making executable an anonymous mapping or a 3470 * private file mapping that will also be writable. 3471 * This has an additional check. 3472 */ 3473 rc = avc_has_perm(&selinux_state, 3474 sid, sid, SECCLASS_PROCESS, 3475 PROCESS__EXECMEM, NULL); 3476 if (rc) 3477 goto error; 3478 } 3479 3480 if (file) { 3481 /* read access is always possible with a mapping */ 3482 u32 av = FILE__READ; 3483 3484 /* write access only matters if the mapping is shared */ 3485 if (shared && (prot & PROT_WRITE)) 3486 av |= FILE__WRITE; 3487 3488 if (prot & PROT_EXEC) 3489 av |= FILE__EXECUTE; 3490 3491 return file_has_perm(cred, file, av); 3492 } 3493 3494 error: 3495 return rc; 3496 } 3497 3498 static int selinux_mmap_addr(unsigned long addr) 3499 { 3500 int rc = 0; 3501 3502 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3503 u32 sid = current_sid(); 3504 rc = avc_has_perm(&selinux_state, 3505 sid, sid, SECCLASS_MEMPROTECT, 3506 MEMPROTECT__MMAP_ZERO, NULL); 3507 } 3508 3509 return rc; 3510 } 3511 3512 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3513 unsigned long prot, unsigned long flags) 3514 { 3515 struct common_audit_data ad; 3516 int rc; 3517 3518 if (file) { 3519 ad.type = LSM_AUDIT_DATA_FILE; 3520 ad.u.file = file; 3521 rc = inode_has_perm(current_cred(), file_inode(file), 3522 FILE__MAP, &ad); 3523 if (rc) 3524 return rc; 3525 } 3526 3527 if (selinux_state.checkreqprot) 3528 prot = reqprot; 3529 3530 return file_map_prot_check(file, prot, 3531 (flags & MAP_TYPE) == MAP_SHARED); 3532 } 3533 3534 static int selinux_file_mprotect(struct vm_area_struct *vma, 3535 unsigned long reqprot, 3536 unsigned long prot) 3537 { 3538 const struct cred *cred = current_cred(); 3539 u32 sid = cred_sid(cred); 3540 3541 if (selinux_state.checkreqprot) 3542 prot = reqprot; 3543 3544 if (default_noexec && 3545 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3546 int rc = 0; 3547 if (vma->vm_start >= vma->vm_mm->start_brk && 3548 vma->vm_end <= vma->vm_mm->brk) { 3549 rc = avc_has_perm(&selinux_state, 3550 sid, sid, SECCLASS_PROCESS, 3551 PROCESS__EXECHEAP, NULL); 3552 } else if (!vma->vm_file && 3553 ((vma->vm_start <= vma->vm_mm->start_stack && 3554 vma->vm_end >= vma->vm_mm->start_stack) || 3555 vma_is_stack_for_current(vma))) { 3556 rc = avc_has_perm(&selinux_state, 3557 sid, sid, SECCLASS_PROCESS, 3558 PROCESS__EXECSTACK, NULL); 3559 } else if (vma->vm_file && vma->anon_vma) { 3560 /* 3561 * We are making executable a file mapping that has 3562 * had some COW done. Since pages might have been 3563 * written, check ability to execute the possibly 3564 * modified content. This typically should only 3565 * occur for text relocations. 3566 */ 3567 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3568 } 3569 if (rc) 3570 return rc; 3571 } 3572 3573 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3574 } 3575 3576 static int selinux_file_lock(struct file *file, unsigned int cmd) 3577 { 3578 const struct cred *cred = current_cred(); 3579 3580 return file_has_perm(cred, file, FILE__LOCK); 3581 } 3582 3583 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3584 unsigned long arg) 3585 { 3586 const struct cred *cred = current_cred(); 3587 int err = 0; 3588 3589 switch (cmd) { 3590 case F_SETFL: 3591 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3592 err = file_has_perm(cred, file, FILE__WRITE); 3593 break; 3594 } 3595 /* fall through */ 3596 case F_SETOWN: 3597 case F_SETSIG: 3598 case F_GETFL: 3599 case F_GETOWN: 3600 case F_GETSIG: 3601 case F_GETOWNER_UIDS: 3602 /* Just check FD__USE permission */ 3603 err = file_has_perm(cred, file, 0); 3604 break; 3605 case F_GETLK: 3606 case F_SETLK: 3607 case F_SETLKW: 3608 case F_OFD_GETLK: 3609 case F_OFD_SETLK: 3610 case F_OFD_SETLKW: 3611 #if BITS_PER_LONG == 32 3612 case F_GETLK64: 3613 case F_SETLK64: 3614 case F_SETLKW64: 3615 #endif 3616 err = file_has_perm(cred, file, FILE__LOCK); 3617 break; 3618 } 3619 3620 return err; 3621 } 3622 3623 static void selinux_file_set_fowner(struct file *file) 3624 { 3625 struct file_security_struct *fsec; 3626 3627 fsec = file->f_security; 3628 fsec->fown_sid = current_sid(); 3629 } 3630 3631 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3632 struct fown_struct *fown, int signum) 3633 { 3634 struct file *file; 3635 u32 sid = task_sid(tsk); 3636 u32 perm; 3637 struct file_security_struct *fsec; 3638 3639 /* struct fown_struct is never outside the context of a struct file */ 3640 file = container_of(fown, struct file, f_owner); 3641 3642 fsec = file->f_security; 3643 3644 if (!signum) 3645 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3646 else 3647 perm = signal_to_av(signum); 3648 3649 return avc_has_perm(&selinux_state, 3650 fsec->fown_sid, sid, 3651 SECCLASS_PROCESS, perm, NULL); 3652 } 3653 3654 static int selinux_file_receive(struct file *file) 3655 { 3656 const struct cred *cred = current_cred(); 3657 3658 return file_has_perm(cred, file, file_to_av(file)); 3659 } 3660 3661 static int selinux_file_open(struct file *file) 3662 { 3663 struct file_security_struct *fsec; 3664 struct inode_security_struct *isec; 3665 3666 fsec = file->f_security; 3667 isec = inode_security(file_inode(file)); 3668 /* 3669 * Save inode label and policy sequence number 3670 * at open-time so that selinux_file_permission 3671 * can determine whether revalidation is necessary. 3672 * Task label is already saved in the file security 3673 * struct as its SID. 3674 */ 3675 fsec->isid = isec->sid; 3676 fsec->pseqno = avc_policy_seqno(&selinux_state); 3677 /* 3678 * Since the inode label or policy seqno may have changed 3679 * between the selinux_inode_permission check and the saving 3680 * of state above, recheck that access is still permitted. 3681 * Otherwise, access might never be revalidated against the 3682 * new inode label or new policy. 3683 * This check is not redundant - do not remove. 3684 */ 3685 return file_path_has_perm(file->f_cred, file, open_file_to_av(file)); 3686 } 3687 3688 /* task security operations */ 3689 3690 static int selinux_task_alloc(struct task_struct *task, 3691 unsigned long clone_flags) 3692 { 3693 u32 sid = current_sid(); 3694 3695 return avc_has_perm(&selinux_state, 3696 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3697 } 3698 3699 /* 3700 * allocate the SELinux part of blank credentials 3701 */ 3702 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3703 { 3704 struct task_security_struct *tsec; 3705 3706 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3707 if (!tsec) 3708 return -ENOMEM; 3709 3710 cred->security = tsec; 3711 return 0; 3712 } 3713 3714 /* 3715 * detach and free the LSM part of a set of credentials 3716 */ 3717 static void selinux_cred_free(struct cred *cred) 3718 { 3719 struct task_security_struct *tsec = cred->security; 3720 3721 /* 3722 * cred->security == NULL if security_cred_alloc_blank() or 3723 * security_prepare_creds() returned an error. 3724 */ 3725 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); 3726 cred->security = (void *) 0x7UL; 3727 kfree(tsec); 3728 } 3729 3730 /* 3731 * prepare a new set of credentials for modification 3732 */ 3733 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3734 gfp_t gfp) 3735 { 3736 const struct task_security_struct *old_tsec; 3737 struct task_security_struct *tsec; 3738 3739 old_tsec = old->security; 3740 3741 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3742 if (!tsec) 3743 return -ENOMEM; 3744 3745 new->security = tsec; 3746 return 0; 3747 } 3748 3749 /* 3750 * transfer the SELinux data to a blank set of creds 3751 */ 3752 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3753 { 3754 const struct task_security_struct *old_tsec = old->security; 3755 struct task_security_struct *tsec = new->security; 3756 3757 *tsec = *old_tsec; 3758 } 3759 3760 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 3761 { 3762 *secid = cred_sid(c); 3763 } 3764 3765 /* 3766 * set the security data for a kernel service 3767 * - all the creation contexts are set to unlabelled 3768 */ 3769 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3770 { 3771 struct task_security_struct *tsec = new->security; 3772 u32 sid = current_sid(); 3773 int ret; 3774 3775 ret = avc_has_perm(&selinux_state, 3776 sid, secid, 3777 SECCLASS_KERNEL_SERVICE, 3778 KERNEL_SERVICE__USE_AS_OVERRIDE, 3779 NULL); 3780 if (ret == 0) { 3781 tsec->sid = secid; 3782 tsec->create_sid = 0; 3783 tsec->keycreate_sid = 0; 3784 tsec->sockcreate_sid = 0; 3785 } 3786 return ret; 3787 } 3788 3789 /* 3790 * set the file creation context in a security record to the same as the 3791 * objective context of the specified inode 3792 */ 3793 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3794 { 3795 struct inode_security_struct *isec = inode_security(inode); 3796 struct task_security_struct *tsec = new->security; 3797 u32 sid = current_sid(); 3798 int ret; 3799 3800 ret = avc_has_perm(&selinux_state, 3801 sid, isec->sid, 3802 SECCLASS_KERNEL_SERVICE, 3803 KERNEL_SERVICE__CREATE_FILES_AS, 3804 NULL); 3805 3806 if (ret == 0) 3807 tsec->create_sid = isec->sid; 3808 return ret; 3809 } 3810 3811 static int selinux_kernel_module_request(char *kmod_name) 3812 { 3813 struct common_audit_data ad; 3814 3815 ad.type = LSM_AUDIT_DATA_KMOD; 3816 ad.u.kmod_name = kmod_name; 3817 3818 return avc_has_perm(&selinux_state, 3819 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 3820 SYSTEM__MODULE_REQUEST, &ad); 3821 } 3822 3823 static int selinux_kernel_module_from_file(struct file *file) 3824 { 3825 struct common_audit_data ad; 3826 struct inode_security_struct *isec; 3827 struct file_security_struct *fsec; 3828 u32 sid = current_sid(); 3829 int rc; 3830 3831 /* init_module */ 3832 if (file == NULL) 3833 return avc_has_perm(&selinux_state, 3834 sid, sid, SECCLASS_SYSTEM, 3835 SYSTEM__MODULE_LOAD, NULL); 3836 3837 /* finit_module */ 3838 3839 ad.type = LSM_AUDIT_DATA_FILE; 3840 ad.u.file = file; 3841 3842 fsec = file->f_security; 3843 if (sid != fsec->sid) { 3844 rc = avc_has_perm(&selinux_state, 3845 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 3846 if (rc) 3847 return rc; 3848 } 3849 3850 isec = inode_security(file_inode(file)); 3851 return avc_has_perm(&selinux_state, 3852 sid, isec->sid, SECCLASS_SYSTEM, 3853 SYSTEM__MODULE_LOAD, &ad); 3854 } 3855 3856 static int selinux_kernel_read_file(struct file *file, 3857 enum kernel_read_file_id id) 3858 { 3859 int rc = 0; 3860 3861 switch (id) { 3862 case READING_MODULE: 3863 rc = selinux_kernel_module_from_file(file); 3864 break; 3865 default: 3866 break; 3867 } 3868 3869 return rc; 3870 } 3871 3872 static int selinux_kernel_load_data(enum kernel_load_data_id id) 3873 { 3874 int rc = 0; 3875 3876 switch (id) { 3877 case LOADING_MODULE: 3878 rc = selinux_kernel_module_from_file(NULL); 3879 default: 3880 break; 3881 } 3882 3883 return rc; 3884 } 3885 3886 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3887 { 3888 return avc_has_perm(&selinux_state, 3889 current_sid(), task_sid(p), SECCLASS_PROCESS, 3890 PROCESS__SETPGID, NULL); 3891 } 3892 3893 static int selinux_task_getpgid(struct task_struct *p) 3894 { 3895 return avc_has_perm(&selinux_state, 3896 current_sid(), task_sid(p), SECCLASS_PROCESS, 3897 PROCESS__GETPGID, NULL); 3898 } 3899 3900 static int selinux_task_getsid(struct task_struct *p) 3901 { 3902 return avc_has_perm(&selinux_state, 3903 current_sid(), task_sid(p), SECCLASS_PROCESS, 3904 PROCESS__GETSESSION, NULL); 3905 } 3906 3907 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3908 { 3909 *secid = task_sid(p); 3910 } 3911 3912 static int selinux_task_setnice(struct task_struct *p, int nice) 3913 { 3914 return avc_has_perm(&selinux_state, 3915 current_sid(), task_sid(p), SECCLASS_PROCESS, 3916 PROCESS__SETSCHED, NULL); 3917 } 3918 3919 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3920 { 3921 return avc_has_perm(&selinux_state, 3922 current_sid(), task_sid(p), SECCLASS_PROCESS, 3923 PROCESS__SETSCHED, NULL); 3924 } 3925 3926 static int selinux_task_getioprio(struct task_struct *p) 3927 { 3928 return avc_has_perm(&selinux_state, 3929 current_sid(), task_sid(p), SECCLASS_PROCESS, 3930 PROCESS__GETSCHED, NULL); 3931 } 3932 3933 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 3934 unsigned int flags) 3935 { 3936 u32 av = 0; 3937 3938 if (!flags) 3939 return 0; 3940 if (flags & LSM_PRLIMIT_WRITE) 3941 av |= PROCESS__SETRLIMIT; 3942 if (flags & LSM_PRLIMIT_READ) 3943 av |= PROCESS__GETRLIMIT; 3944 return avc_has_perm(&selinux_state, 3945 cred_sid(cred), cred_sid(tcred), 3946 SECCLASS_PROCESS, av, NULL); 3947 } 3948 3949 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 3950 struct rlimit *new_rlim) 3951 { 3952 struct rlimit *old_rlim = p->signal->rlim + resource; 3953 3954 /* Control the ability to change the hard limit (whether 3955 lowering or raising it), so that the hard limit can 3956 later be used as a safe reset point for the soft limit 3957 upon context transitions. See selinux_bprm_committing_creds. */ 3958 if (old_rlim->rlim_max != new_rlim->rlim_max) 3959 return avc_has_perm(&selinux_state, 3960 current_sid(), task_sid(p), 3961 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 3962 3963 return 0; 3964 } 3965 3966 static int selinux_task_setscheduler(struct task_struct *p) 3967 { 3968 return avc_has_perm(&selinux_state, 3969 current_sid(), task_sid(p), SECCLASS_PROCESS, 3970 PROCESS__SETSCHED, NULL); 3971 } 3972 3973 static int selinux_task_getscheduler(struct task_struct *p) 3974 { 3975 return avc_has_perm(&selinux_state, 3976 current_sid(), task_sid(p), SECCLASS_PROCESS, 3977 PROCESS__GETSCHED, NULL); 3978 } 3979 3980 static int selinux_task_movememory(struct task_struct *p) 3981 { 3982 return avc_has_perm(&selinux_state, 3983 current_sid(), task_sid(p), SECCLASS_PROCESS, 3984 PROCESS__SETSCHED, NULL); 3985 } 3986 3987 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, 3988 int sig, const struct cred *cred) 3989 { 3990 u32 secid; 3991 u32 perm; 3992 3993 if (!sig) 3994 perm = PROCESS__SIGNULL; /* null signal; existence test */ 3995 else 3996 perm = signal_to_av(sig); 3997 if (!cred) 3998 secid = current_sid(); 3999 else 4000 secid = cred_sid(cred); 4001 return avc_has_perm(&selinux_state, 4002 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4003 } 4004 4005 static void selinux_task_to_inode(struct task_struct *p, 4006 struct inode *inode) 4007 { 4008 struct inode_security_struct *isec = inode->i_security; 4009 u32 sid = task_sid(p); 4010 4011 spin_lock(&isec->lock); 4012 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4013 isec->sid = sid; 4014 isec->initialized = LABEL_INITIALIZED; 4015 spin_unlock(&isec->lock); 4016 } 4017 4018 /* Returns error only if unable to parse addresses */ 4019 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4020 struct common_audit_data *ad, u8 *proto) 4021 { 4022 int offset, ihlen, ret = -EINVAL; 4023 struct iphdr _iph, *ih; 4024 4025 offset = skb_network_offset(skb); 4026 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4027 if (ih == NULL) 4028 goto out; 4029 4030 ihlen = ih->ihl * 4; 4031 if (ihlen < sizeof(_iph)) 4032 goto out; 4033 4034 ad->u.net->v4info.saddr = ih->saddr; 4035 ad->u.net->v4info.daddr = ih->daddr; 4036 ret = 0; 4037 4038 if (proto) 4039 *proto = ih->protocol; 4040 4041 switch (ih->protocol) { 4042 case IPPROTO_TCP: { 4043 struct tcphdr _tcph, *th; 4044 4045 if (ntohs(ih->frag_off) & IP_OFFSET) 4046 break; 4047 4048 offset += ihlen; 4049 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4050 if (th == NULL) 4051 break; 4052 4053 ad->u.net->sport = th->source; 4054 ad->u.net->dport = th->dest; 4055 break; 4056 } 4057 4058 case IPPROTO_UDP: { 4059 struct udphdr _udph, *uh; 4060 4061 if (ntohs(ih->frag_off) & IP_OFFSET) 4062 break; 4063 4064 offset += ihlen; 4065 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4066 if (uh == NULL) 4067 break; 4068 4069 ad->u.net->sport = uh->source; 4070 ad->u.net->dport = uh->dest; 4071 break; 4072 } 4073 4074 case IPPROTO_DCCP: { 4075 struct dccp_hdr _dccph, *dh; 4076 4077 if (ntohs(ih->frag_off) & IP_OFFSET) 4078 break; 4079 4080 offset += ihlen; 4081 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4082 if (dh == NULL) 4083 break; 4084 4085 ad->u.net->sport = dh->dccph_sport; 4086 ad->u.net->dport = dh->dccph_dport; 4087 break; 4088 } 4089 4090 #if IS_ENABLED(CONFIG_IP_SCTP) 4091 case IPPROTO_SCTP: { 4092 struct sctphdr _sctph, *sh; 4093 4094 if (ntohs(ih->frag_off) & IP_OFFSET) 4095 break; 4096 4097 offset += ihlen; 4098 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4099 if (sh == NULL) 4100 break; 4101 4102 ad->u.net->sport = sh->source; 4103 ad->u.net->dport = sh->dest; 4104 break; 4105 } 4106 #endif 4107 default: 4108 break; 4109 } 4110 out: 4111 return ret; 4112 } 4113 4114 #if IS_ENABLED(CONFIG_IPV6) 4115 4116 /* Returns error only if unable to parse addresses */ 4117 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4118 struct common_audit_data *ad, u8 *proto) 4119 { 4120 u8 nexthdr; 4121 int ret = -EINVAL, offset; 4122 struct ipv6hdr _ipv6h, *ip6; 4123 __be16 frag_off; 4124 4125 offset = skb_network_offset(skb); 4126 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4127 if (ip6 == NULL) 4128 goto out; 4129 4130 ad->u.net->v6info.saddr = ip6->saddr; 4131 ad->u.net->v6info.daddr = ip6->daddr; 4132 ret = 0; 4133 4134 nexthdr = ip6->nexthdr; 4135 offset += sizeof(_ipv6h); 4136 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4137 if (offset < 0) 4138 goto out; 4139 4140 if (proto) 4141 *proto = nexthdr; 4142 4143 switch (nexthdr) { 4144 case IPPROTO_TCP: { 4145 struct tcphdr _tcph, *th; 4146 4147 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4148 if (th == NULL) 4149 break; 4150 4151 ad->u.net->sport = th->source; 4152 ad->u.net->dport = th->dest; 4153 break; 4154 } 4155 4156 case IPPROTO_UDP: { 4157 struct udphdr _udph, *uh; 4158 4159 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4160 if (uh == NULL) 4161 break; 4162 4163 ad->u.net->sport = uh->source; 4164 ad->u.net->dport = uh->dest; 4165 break; 4166 } 4167 4168 case IPPROTO_DCCP: { 4169 struct dccp_hdr _dccph, *dh; 4170 4171 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4172 if (dh == NULL) 4173 break; 4174 4175 ad->u.net->sport = dh->dccph_sport; 4176 ad->u.net->dport = dh->dccph_dport; 4177 break; 4178 } 4179 4180 #if IS_ENABLED(CONFIG_IP_SCTP) 4181 case IPPROTO_SCTP: { 4182 struct sctphdr _sctph, *sh; 4183 4184 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4185 if (sh == NULL) 4186 break; 4187 4188 ad->u.net->sport = sh->source; 4189 ad->u.net->dport = sh->dest; 4190 break; 4191 } 4192 #endif 4193 /* includes fragments */ 4194 default: 4195 break; 4196 } 4197 out: 4198 return ret; 4199 } 4200 4201 #endif /* IPV6 */ 4202 4203 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4204 char **_addrp, int src, u8 *proto) 4205 { 4206 char *addrp; 4207 int ret; 4208 4209 switch (ad->u.net->family) { 4210 case PF_INET: 4211 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4212 if (ret) 4213 goto parse_error; 4214 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4215 &ad->u.net->v4info.daddr); 4216 goto okay; 4217 4218 #if IS_ENABLED(CONFIG_IPV6) 4219 case PF_INET6: 4220 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4221 if (ret) 4222 goto parse_error; 4223 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4224 &ad->u.net->v6info.daddr); 4225 goto okay; 4226 #endif /* IPV6 */ 4227 default: 4228 addrp = NULL; 4229 goto okay; 4230 } 4231 4232 parse_error: 4233 pr_warn( 4234 "SELinux: failure in selinux_parse_skb()," 4235 " unable to parse packet\n"); 4236 return ret; 4237 4238 okay: 4239 if (_addrp) 4240 *_addrp = addrp; 4241 return 0; 4242 } 4243 4244 /** 4245 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4246 * @skb: the packet 4247 * @family: protocol family 4248 * @sid: the packet's peer label SID 4249 * 4250 * Description: 4251 * Check the various different forms of network peer labeling and determine 4252 * the peer label/SID for the packet; most of the magic actually occurs in 4253 * the security server function security_net_peersid_cmp(). The function 4254 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4255 * or -EACCES if @sid is invalid due to inconsistencies with the different 4256 * peer labels. 4257 * 4258 */ 4259 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4260 { 4261 int err; 4262 u32 xfrm_sid; 4263 u32 nlbl_sid; 4264 u32 nlbl_type; 4265 4266 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4267 if (unlikely(err)) 4268 return -EACCES; 4269 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4270 if (unlikely(err)) 4271 return -EACCES; 4272 4273 err = security_net_peersid_resolve(&selinux_state, nlbl_sid, 4274 nlbl_type, xfrm_sid, sid); 4275 if (unlikely(err)) { 4276 pr_warn( 4277 "SELinux: failure in selinux_skb_peerlbl_sid()," 4278 " unable to determine packet's peer label\n"); 4279 return -EACCES; 4280 } 4281 4282 return 0; 4283 } 4284 4285 /** 4286 * selinux_conn_sid - Determine the child socket label for a connection 4287 * @sk_sid: the parent socket's SID 4288 * @skb_sid: the packet's SID 4289 * @conn_sid: the resulting connection SID 4290 * 4291 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4292 * combined with the MLS information from @skb_sid in order to create 4293 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy 4294 * of @sk_sid. Returns zero on success, negative values on failure. 4295 * 4296 */ 4297 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4298 { 4299 int err = 0; 4300 4301 if (skb_sid != SECSID_NULL) 4302 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid, 4303 conn_sid); 4304 else 4305 *conn_sid = sk_sid; 4306 4307 return err; 4308 } 4309 4310 /* socket security operations */ 4311 4312 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4313 u16 secclass, u32 *socksid) 4314 { 4315 if (tsec->sockcreate_sid > SECSID_NULL) { 4316 *socksid = tsec->sockcreate_sid; 4317 return 0; 4318 } 4319 4320 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid, 4321 secclass, NULL, socksid); 4322 } 4323 4324 static int sock_has_perm(struct sock *sk, u32 perms) 4325 { 4326 struct sk_security_struct *sksec = sk->sk_security; 4327 struct common_audit_data ad; 4328 struct lsm_network_audit net = {0,}; 4329 4330 if (sksec->sid == SECINITSID_KERNEL) 4331 return 0; 4332 4333 ad.type = LSM_AUDIT_DATA_NET; 4334 ad.u.net = &net; 4335 ad.u.net->sk = sk; 4336 4337 return avc_has_perm(&selinux_state, 4338 current_sid(), sksec->sid, sksec->sclass, perms, 4339 &ad); 4340 } 4341 4342 static int selinux_socket_create(int family, int type, 4343 int protocol, int kern) 4344 { 4345 const struct task_security_struct *tsec = current_security(); 4346 u32 newsid; 4347 u16 secclass; 4348 int rc; 4349 4350 if (kern) 4351 return 0; 4352 4353 secclass = socket_type_to_security_class(family, type, protocol); 4354 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4355 if (rc) 4356 return rc; 4357 4358 return avc_has_perm(&selinux_state, 4359 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4360 } 4361 4362 static int selinux_socket_post_create(struct socket *sock, int family, 4363 int type, int protocol, int kern) 4364 { 4365 const struct task_security_struct *tsec = current_security(); 4366 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4367 struct sk_security_struct *sksec; 4368 u16 sclass = socket_type_to_security_class(family, type, protocol); 4369 u32 sid = SECINITSID_KERNEL; 4370 int err = 0; 4371 4372 if (!kern) { 4373 err = socket_sockcreate_sid(tsec, sclass, &sid); 4374 if (err) 4375 return err; 4376 } 4377 4378 isec->sclass = sclass; 4379 isec->sid = sid; 4380 isec->initialized = LABEL_INITIALIZED; 4381 4382 if (sock->sk) { 4383 sksec = sock->sk->sk_security; 4384 sksec->sclass = sclass; 4385 sksec->sid = sid; 4386 /* Allows detection of the first association on this socket */ 4387 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4388 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4389 4390 err = selinux_netlbl_socket_post_create(sock->sk, family); 4391 } 4392 4393 return err; 4394 } 4395 4396 static int selinux_socket_socketpair(struct socket *socka, 4397 struct socket *sockb) 4398 { 4399 struct sk_security_struct *sksec_a = socka->sk->sk_security; 4400 struct sk_security_struct *sksec_b = sockb->sk->sk_security; 4401 4402 sksec_a->peer_sid = sksec_b->sid; 4403 sksec_b->peer_sid = sksec_a->sid; 4404 4405 return 0; 4406 } 4407 4408 /* Range of port numbers used to automatically bind. 4409 Need to determine whether we should perform a name_bind 4410 permission check between the socket and the port number. */ 4411 4412 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4413 { 4414 struct sock *sk = sock->sk; 4415 struct sk_security_struct *sksec = sk->sk_security; 4416 u16 family; 4417 int err; 4418 4419 err = sock_has_perm(sk, SOCKET__BIND); 4420 if (err) 4421 goto out; 4422 4423 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4424 family = sk->sk_family; 4425 if (family == PF_INET || family == PF_INET6) { 4426 char *addrp; 4427 struct common_audit_data ad; 4428 struct lsm_network_audit net = {0,}; 4429 struct sockaddr_in *addr4 = NULL; 4430 struct sockaddr_in6 *addr6 = NULL; 4431 u16 family_sa = address->sa_family; 4432 unsigned short snum; 4433 u32 sid, node_perm; 4434 4435 /* 4436 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4437 * that validates multiple binding addresses. Because of this 4438 * need to check address->sa_family as it is possible to have 4439 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4440 */ 4441 switch (family_sa) { 4442 case AF_UNSPEC: 4443 case AF_INET: 4444 if (addrlen < sizeof(struct sockaddr_in)) 4445 return -EINVAL; 4446 addr4 = (struct sockaddr_in *)address; 4447 if (family_sa == AF_UNSPEC) { 4448 /* see __inet_bind(), we only want to allow 4449 * AF_UNSPEC if the address is INADDR_ANY 4450 */ 4451 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4452 goto err_af; 4453 family_sa = AF_INET; 4454 } 4455 snum = ntohs(addr4->sin_port); 4456 addrp = (char *)&addr4->sin_addr.s_addr; 4457 break; 4458 case AF_INET6: 4459 if (addrlen < SIN6_LEN_RFC2133) 4460 return -EINVAL; 4461 addr6 = (struct sockaddr_in6 *)address; 4462 snum = ntohs(addr6->sin6_port); 4463 addrp = (char *)&addr6->sin6_addr.s6_addr; 4464 break; 4465 default: 4466 goto err_af; 4467 } 4468 4469 ad.type = LSM_AUDIT_DATA_NET; 4470 ad.u.net = &net; 4471 ad.u.net->sport = htons(snum); 4472 ad.u.net->family = family_sa; 4473 4474 if (snum) { 4475 int low, high; 4476 4477 inet_get_local_port_range(sock_net(sk), &low, &high); 4478 4479 if (snum < max(inet_prot_sock(sock_net(sk)), low) || 4480 snum > high) { 4481 err = sel_netport_sid(sk->sk_protocol, 4482 snum, &sid); 4483 if (err) 4484 goto out; 4485 err = avc_has_perm(&selinux_state, 4486 sksec->sid, sid, 4487 sksec->sclass, 4488 SOCKET__NAME_BIND, &ad); 4489 if (err) 4490 goto out; 4491 } 4492 } 4493 4494 switch (sksec->sclass) { 4495 case SECCLASS_TCP_SOCKET: 4496 node_perm = TCP_SOCKET__NODE_BIND; 4497 break; 4498 4499 case SECCLASS_UDP_SOCKET: 4500 node_perm = UDP_SOCKET__NODE_BIND; 4501 break; 4502 4503 case SECCLASS_DCCP_SOCKET: 4504 node_perm = DCCP_SOCKET__NODE_BIND; 4505 break; 4506 4507 case SECCLASS_SCTP_SOCKET: 4508 node_perm = SCTP_SOCKET__NODE_BIND; 4509 break; 4510 4511 default: 4512 node_perm = RAWIP_SOCKET__NODE_BIND; 4513 break; 4514 } 4515 4516 err = sel_netnode_sid(addrp, family_sa, &sid); 4517 if (err) 4518 goto out; 4519 4520 if (family_sa == AF_INET) 4521 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4522 else 4523 ad.u.net->v6info.saddr = addr6->sin6_addr; 4524 4525 err = avc_has_perm(&selinux_state, 4526 sksec->sid, sid, 4527 sksec->sclass, node_perm, &ad); 4528 if (err) 4529 goto out; 4530 } 4531 out: 4532 return err; 4533 err_af: 4534 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4535 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4536 return -EINVAL; 4537 return -EAFNOSUPPORT; 4538 } 4539 4540 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 4541 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst 4542 */ 4543 static int selinux_socket_connect_helper(struct socket *sock, 4544 struct sockaddr *address, int addrlen) 4545 { 4546 struct sock *sk = sock->sk; 4547 struct sk_security_struct *sksec = sk->sk_security; 4548 int err; 4549 4550 err = sock_has_perm(sk, SOCKET__CONNECT); 4551 if (err) 4552 return err; 4553 4554 /* 4555 * If a TCP, DCCP or SCTP socket, check name_connect permission 4556 * for the port. 4557 */ 4558 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4559 sksec->sclass == SECCLASS_DCCP_SOCKET || 4560 sksec->sclass == SECCLASS_SCTP_SOCKET) { 4561 struct common_audit_data ad; 4562 struct lsm_network_audit net = {0,}; 4563 struct sockaddr_in *addr4 = NULL; 4564 struct sockaddr_in6 *addr6 = NULL; 4565 unsigned short snum; 4566 u32 sid, perm; 4567 4568 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 4569 * that validates multiple connect addresses. Because of this 4570 * need to check address->sa_family as it is possible to have 4571 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4572 */ 4573 switch (address->sa_family) { 4574 case AF_INET: 4575 addr4 = (struct sockaddr_in *)address; 4576 if (addrlen < sizeof(struct sockaddr_in)) 4577 return -EINVAL; 4578 snum = ntohs(addr4->sin_port); 4579 break; 4580 case AF_INET6: 4581 addr6 = (struct sockaddr_in6 *)address; 4582 if (addrlen < SIN6_LEN_RFC2133) 4583 return -EINVAL; 4584 snum = ntohs(addr6->sin6_port); 4585 break; 4586 default: 4587 /* Note that SCTP services expect -EINVAL, whereas 4588 * others expect -EAFNOSUPPORT. 4589 */ 4590 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4591 return -EINVAL; 4592 else 4593 return -EAFNOSUPPORT; 4594 } 4595 4596 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4597 if (err) 4598 return err; 4599 4600 switch (sksec->sclass) { 4601 case SECCLASS_TCP_SOCKET: 4602 perm = TCP_SOCKET__NAME_CONNECT; 4603 break; 4604 case SECCLASS_DCCP_SOCKET: 4605 perm = DCCP_SOCKET__NAME_CONNECT; 4606 break; 4607 case SECCLASS_SCTP_SOCKET: 4608 perm = SCTP_SOCKET__NAME_CONNECT; 4609 break; 4610 } 4611 4612 ad.type = LSM_AUDIT_DATA_NET; 4613 ad.u.net = &net; 4614 ad.u.net->dport = htons(snum); 4615 ad.u.net->family = address->sa_family; 4616 err = avc_has_perm(&selinux_state, 4617 sksec->sid, sid, sksec->sclass, perm, &ad); 4618 if (err) 4619 return err; 4620 } 4621 4622 return 0; 4623 } 4624 4625 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 4626 static int selinux_socket_connect(struct socket *sock, 4627 struct sockaddr *address, int addrlen) 4628 { 4629 int err; 4630 struct sock *sk = sock->sk; 4631 4632 err = selinux_socket_connect_helper(sock, address, addrlen); 4633 if (err) 4634 return err; 4635 4636 return selinux_netlbl_socket_connect(sk, address); 4637 } 4638 4639 static int selinux_socket_listen(struct socket *sock, int backlog) 4640 { 4641 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4642 } 4643 4644 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4645 { 4646 int err; 4647 struct inode_security_struct *isec; 4648 struct inode_security_struct *newisec; 4649 u16 sclass; 4650 u32 sid; 4651 4652 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4653 if (err) 4654 return err; 4655 4656 isec = inode_security_novalidate(SOCK_INODE(sock)); 4657 spin_lock(&isec->lock); 4658 sclass = isec->sclass; 4659 sid = isec->sid; 4660 spin_unlock(&isec->lock); 4661 4662 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4663 newisec->sclass = sclass; 4664 newisec->sid = sid; 4665 newisec->initialized = LABEL_INITIALIZED; 4666 4667 return 0; 4668 } 4669 4670 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4671 int size) 4672 { 4673 return sock_has_perm(sock->sk, SOCKET__WRITE); 4674 } 4675 4676 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4677 int size, int flags) 4678 { 4679 return sock_has_perm(sock->sk, SOCKET__READ); 4680 } 4681 4682 static int selinux_socket_getsockname(struct socket *sock) 4683 { 4684 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4685 } 4686 4687 static int selinux_socket_getpeername(struct socket *sock) 4688 { 4689 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4690 } 4691 4692 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4693 { 4694 int err; 4695 4696 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 4697 if (err) 4698 return err; 4699 4700 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4701 } 4702 4703 static int selinux_socket_getsockopt(struct socket *sock, int level, 4704 int optname) 4705 { 4706 return sock_has_perm(sock->sk, SOCKET__GETOPT); 4707 } 4708 4709 static int selinux_socket_shutdown(struct socket *sock, int how) 4710 { 4711 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 4712 } 4713 4714 static int selinux_socket_unix_stream_connect(struct sock *sock, 4715 struct sock *other, 4716 struct sock *newsk) 4717 { 4718 struct sk_security_struct *sksec_sock = sock->sk_security; 4719 struct sk_security_struct *sksec_other = other->sk_security; 4720 struct sk_security_struct *sksec_new = newsk->sk_security; 4721 struct common_audit_data ad; 4722 struct lsm_network_audit net = {0,}; 4723 int err; 4724 4725 ad.type = LSM_AUDIT_DATA_NET; 4726 ad.u.net = &net; 4727 ad.u.net->sk = other; 4728 4729 err = avc_has_perm(&selinux_state, 4730 sksec_sock->sid, sksec_other->sid, 4731 sksec_other->sclass, 4732 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4733 if (err) 4734 return err; 4735 4736 /* server child socket */ 4737 sksec_new->peer_sid = sksec_sock->sid; 4738 err = security_sid_mls_copy(&selinux_state, sksec_other->sid, 4739 sksec_sock->sid, &sksec_new->sid); 4740 if (err) 4741 return err; 4742 4743 /* connecting socket */ 4744 sksec_sock->peer_sid = sksec_new->sid; 4745 4746 return 0; 4747 } 4748 4749 static int selinux_socket_unix_may_send(struct socket *sock, 4750 struct socket *other) 4751 { 4752 struct sk_security_struct *ssec = sock->sk->sk_security; 4753 struct sk_security_struct *osec = other->sk->sk_security; 4754 struct common_audit_data ad; 4755 struct lsm_network_audit net = {0,}; 4756 4757 ad.type = LSM_AUDIT_DATA_NET; 4758 ad.u.net = &net; 4759 ad.u.net->sk = other->sk; 4760 4761 return avc_has_perm(&selinux_state, 4762 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4763 &ad); 4764 } 4765 4766 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4767 char *addrp, u16 family, u32 peer_sid, 4768 struct common_audit_data *ad) 4769 { 4770 int err; 4771 u32 if_sid; 4772 u32 node_sid; 4773 4774 err = sel_netif_sid(ns, ifindex, &if_sid); 4775 if (err) 4776 return err; 4777 err = avc_has_perm(&selinux_state, 4778 peer_sid, if_sid, 4779 SECCLASS_NETIF, NETIF__INGRESS, ad); 4780 if (err) 4781 return err; 4782 4783 err = sel_netnode_sid(addrp, family, &node_sid); 4784 if (err) 4785 return err; 4786 return avc_has_perm(&selinux_state, 4787 peer_sid, node_sid, 4788 SECCLASS_NODE, NODE__RECVFROM, ad); 4789 } 4790 4791 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4792 u16 family) 4793 { 4794 int err = 0; 4795 struct sk_security_struct *sksec = sk->sk_security; 4796 u32 sk_sid = sksec->sid; 4797 struct common_audit_data ad; 4798 struct lsm_network_audit net = {0,}; 4799 char *addrp; 4800 4801 ad.type = LSM_AUDIT_DATA_NET; 4802 ad.u.net = &net; 4803 ad.u.net->netif = skb->skb_iif; 4804 ad.u.net->family = family; 4805 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4806 if (err) 4807 return err; 4808 4809 if (selinux_secmark_enabled()) { 4810 err = avc_has_perm(&selinux_state, 4811 sk_sid, skb->secmark, SECCLASS_PACKET, 4812 PACKET__RECV, &ad); 4813 if (err) 4814 return err; 4815 } 4816 4817 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4818 if (err) 4819 return err; 4820 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4821 4822 return err; 4823 } 4824 4825 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4826 { 4827 int err; 4828 struct sk_security_struct *sksec = sk->sk_security; 4829 u16 family = sk->sk_family; 4830 u32 sk_sid = sksec->sid; 4831 struct common_audit_data ad; 4832 struct lsm_network_audit net = {0,}; 4833 char *addrp; 4834 u8 secmark_active; 4835 u8 peerlbl_active; 4836 4837 if (family != PF_INET && family != PF_INET6) 4838 return 0; 4839 4840 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 4841 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4842 family = PF_INET; 4843 4844 /* If any sort of compatibility mode is enabled then handoff processing 4845 * to the selinux_sock_rcv_skb_compat() function to deal with the 4846 * special handling. We do this in an attempt to keep this function 4847 * as fast and as clean as possible. */ 4848 if (!selinux_policycap_netpeer()) 4849 return selinux_sock_rcv_skb_compat(sk, skb, family); 4850 4851 secmark_active = selinux_secmark_enabled(); 4852 peerlbl_active = selinux_peerlbl_enabled(); 4853 if (!secmark_active && !peerlbl_active) 4854 return 0; 4855 4856 ad.type = LSM_AUDIT_DATA_NET; 4857 ad.u.net = &net; 4858 ad.u.net->netif = skb->skb_iif; 4859 ad.u.net->family = family; 4860 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4861 if (err) 4862 return err; 4863 4864 if (peerlbl_active) { 4865 u32 peer_sid; 4866 4867 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4868 if (err) 4869 return err; 4870 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 4871 addrp, family, peer_sid, &ad); 4872 if (err) { 4873 selinux_netlbl_err(skb, family, err, 0); 4874 return err; 4875 } 4876 err = avc_has_perm(&selinux_state, 4877 sk_sid, peer_sid, SECCLASS_PEER, 4878 PEER__RECV, &ad); 4879 if (err) { 4880 selinux_netlbl_err(skb, family, err, 0); 4881 return err; 4882 } 4883 } 4884 4885 if (secmark_active) { 4886 err = avc_has_perm(&selinux_state, 4887 sk_sid, skb->secmark, SECCLASS_PACKET, 4888 PACKET__RECV, &ad); 4889 if (err) 4890 return err; 4891 } 4892 4893 return err; 4894 } 4895 4896 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4897 int __user *optlen, unsigned len) 4898 { 4899 int err = 0; 4900 char *scontext; 4901 u32 scontext_len; 4902 struct sk_security_struct *sksec = sock->sk->sk_security; 4903 u32 peer_sid = SECSID_NULL; 4904 4905 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4906 sksec->sclass == SECCLASS_TCP_SOCKET || 4907 sksec->sclass == SECCLASS_SCTP_SOCKET) 4908 peer_sid = sksec->peer_sid; 4909 if (peer_sid == SECSID_NULL) 4910 return -ENOPROTOOPT; 4911 4912 err = security_sid_to_context(&selinux_state, peer_sid, &scontext, 4913 &scontext_len); 4914 if (err) 4915 return err; 4916 4917 if (scontext_len > len) { 4918 err = -ERANGE; 4919 goto out_len; 4920 } 4921 4922 if (copy_to_user(optval, scontext, scontext_len)) 4923 err = -EFAULT; 4924 4925 out_len: 4926 if (put_user(scontext_len, optlen)) 4927 err = -EFAULT; 4928 kfree(scontext); 4929 return err; 4930 } 4931 4932 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4933 { 4934 u32 peer_secid = SECSID_NULL; 4935 u16 family; 4936 struct inode_security_struct *isec; 4937 4938 if (skb && skb->protocol == htons(ETH_P_IP)) 4939 family = PF_INET; 4940 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 4941 family = PF_INET6; 4942 else if (sock) 4943 family = sock->sk->sk_family; 4944 else 4945 goto out; 4946 4947 if (sock && family == PF_UNIX) { 4948 isec = inode_security_novalidate(SOCK_INODE(sock)); 4949 peer_secid = isec->sid; 4950 } else if (skb) 4951 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4952 4953 out: 4954 *secid = peer_secid; 4955 if (peer_secid == SECSID_NULL) 4956 return -EINVAL; 4957 return 0; 4958 } 4959 4960 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4961 { 4962 struct sk_security_struct *sksec; 4963 4964 sksec = kzalloc(sizeof(*sksec), priority); 4965 if (!sksec) 4966 return -ENOMEM; 4967 4968 sksec->peer_sid = SECINITSID_UNLABELED; 4969 sksec->sid = SECINITSID_UNLABELED; 4970 sksec->sclass = SECCLASS_SOCKET; 4971 selinux_netlbl_sk_security_reset(sksec); 4972 sk->sk_security = sksec; 4973 4974 return 0; 4975 } 4976 4977 static void selinux_sk_free_security(struct sock *sk) 4978 { 4979 struct sk_security_struct *sksec = sk->sk_security; 4980 4981 sk->sk_security = NULL; 4982 selinux_netlbl_sk_security_free(sksec); 4983 kfree(sksec); 4984 } 4985 4986 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4987 { 4988 struct sk_security_struct *sksec = sk->sk_security; 4989 struct sk_security_struct *newsksec = newsk->sk_security; 4990 4991 newsksec->sid = sksec->sid; 4992 newsksec->peer_sid = sksec->peer_sid; 4993 newsksec->sclass = sksec->sclass; 4994 4995 selinux_netlbl_sk_security_reset(newsksec); 4996 } 4997 4998 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4999 { 5000 if (!sk) 5001 *secid = SECINITSID_ANY_SOCKET; 5002 else { 5003 struct sk_security_struct *sksec = sk->sk_security; 5004 5005 *secid = sksec->sid; 5006 } 5007 } 5008 5009 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5010 { 5011 struct inode_security_struct *isec = 5012 inode_security_novalidate(SOCK_INODE(parent)); 5013 struct sk_security_struct *sksec = sk->sk_security; 5014 5015 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5016 sk->sk_family == PF_UNIX) 5017 isec->sid = sksec->sid; 5018 sksec->sclass = isec->sclass; 5019 } 5020 5021 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming 5022 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association 5023 * already present). 5024 */ 5025 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep, 5026 struct sk_buff *skb) 5027 { 5028 struct sk_security_struct *sksec = ep->base.sk->sk_security; 5029 struct common_audit_data ad; 5030 struct lsm_network_audit net = {0,}; 5031 u8 peerlbl_active; 5032 u32 peer_sid = SECINITSID_UNLABELED; 5033 u32 conn_sid; 5034 int err = 0; 5035 5036 if (!selinux_policycap_extsockclass()) 5037 return 0; 5038 5039 peerlbl_active = selinux_peerlbl_enabled(); 5040 5041 if (peerlbl_active) { 5042 /* This will return peer_sid = SECSID_NULL if there are 5043 * no peer labels, see security_net_peersid_resolve(). 5044 */ 5045 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family, 5046 &peer_sid); 5047 if (err) 5048 return err; 5049 5050 if (peer_sid == SECSID_NULL) 5051 peer_sid = SECINITSID_UNLABELED; 5052 } 5053 5054 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5055 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5056 5057 /* Here as first association on socket. As the peer SID 5058 * was allowed by peer recv (and the netif/node checks), 5059 * then it is approved by policy and used as the primary 5060 * peer SID for getpeercon(3). 5061 */ 5062 sksec->peer_sid = peer_sid; 5063 } else if (sksec->peer_sid != peer_sid) { 5064 /* Other association peer SIDs are checked to enforce 5065 * consistency among the peer SIDs. 5066 */ 5067 ad.type = LSM_AUDIT_DATA_NET; 5068 ad.u.net = &net; 5069 ad.u.net->sk = ep->base.sk; 5070 err = avc_has_perm(&selinux_state, 5071 sksec->peer_sid, peer_sid, sksec->sclass, 5072 SCTP_SOCKET__ASSOCIATION, &ad); 5073 if (err) 5074 return err; 5075 } 5076 5077 /* Compute the MLS component for the connection and store 5078 * the information in ep. This will be used by SCTP TCP type 5079 * sockets and peeled off connections as they cause a new 5080 * socket to be generated. selinux_sctp_sk_clone() will then 5081 * plug this into the new socket. 5082 */ 5083 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid); 5084 if (err) 5085 return err; 5086 5087 ep->secid = conn_sid; 5088 ep->peer_secid = peer_sid; 5089 5090 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5091 return selinux_netlbl_sctp_assoc_request(ep, skb); 5092 } 5093 5094 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5095 * based on their @optname. 5096 */ 5097 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5098 struct sockaddr *address, 5099 int addrlen) 5100 { 5101 int len, err = 0, walk_size = 0; 5102 void *addr_buf; 5103 struct sockaddr *addr; 5104 struct socket *sock; 5105 5106 if (!selinux_policycap_extsockclass()) 5107 return 0; 5108 5109 /* Process one or more addresses that may be IPv4 or IPv6 */ 5110 sock = sk->sk_socket; 5111 addr_buf = address; 5112 5113 while (walk_size < addrlen) { 5114 addr = addr_buf; 5115 switch (addr->sa_family) { 5116 case AF_UNSPEC: 5117 case AF_INET: 5118 len = sizeof(struct sockaddr_in); 5119 break; 5120 case AF_INET6: 5121 len = sizeof(struct sockaddr_in6); 5122 break; 5123 default: 5124 return -EINVAL; 5125 } 5126 5127 err = -EINVAL; 5128 switch (optname) { 5129 /* Bind checks */ 5130 case SCTP_PRIMARY_ADDR: 5131 case SCTP_SET_PEER_PRIMARY_ADDR: 5132 case SCTP_SOCKOPT_BINDX_ADD: 5133 err = selinux_socket_bind(sock, addr, len); 5134 break; 5135 /* Connect checks */ 5136 case SCTP_SOCKOPT_CONNECTX: 5137 case SCTP_PARAM_SET_PRIMARY: 5138 case SCTP_PARAM_ADD_IP: 5139 case SCTP_SENDMSG_CONNECT: 5140 err = selinux_socket_connect_helper(sock, addr, len); 5141 if (err) 5142 return err; 5143 5144 /* As selinux_sctp_bind_connect() is called by the 5145 * SCTP protocol layer, the socket is already locked, 5146 * therefore selinux_netlbl_socket_connect_locked() is 5147 * is called here. The situations handled are: 5148 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5149 * whenever a new IP address is added or when a new 5150 * primary address is selected. 5151 * Note that an SCTP connect(2) call happens before 5152 * the SCTP protocol layer and is handled via 5153 * selinux_socket_connect(). 5154 */ 5155 err = selinux_netlbl_socket_connect_locked(sk, addr); 5156 break; 5157 } 5158 5159 if (err) 5160 return err; 5161 5162 addr_buf += len; 5163 walk_size += len; 5164 } 5165 5166 return 0; 5167 } 5168 5169 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5170 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, 5171 struct sock *newsk) 5172 { 5173 struct sk_security_struct *sksec = sk->sk_security; 5174 struct sk_security_struct *newsksec = newsk->sk_security; 5175 5176 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5177 * the non-sctp clone version. 5178 */ 5179 if (!selinux_policycap_extsockclass()) 5180 return selinux_sk_clone_security(sk, newsk); 5181 5182 newsksec->sid = ep->secid; 5183 newsksec->peer_sid = ep->peer_secid; 5184 newsksec->sclass = sksec->sclass; 5185 selinux_netlbl_sctp_sk_clone(sk, newsk); 5186 } 5187 5188 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 5189 struct request_sock *req) 5190 { 5191 struct sk_security_struct *sksec = sk->sk_security; 5192 int err; 5193 u16 family = req->rsk_ops->family; 5194 u32 connsid; 5195 u32 peersid; 5196 5197 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5198 if (err) 5199 return err; 5200 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5201 if (err) 5202 return err; 5203 req->secid = connsid; 5204 req->peer_secid = peersid; 5205 5206 return selinux_netlbl_inet_conn_request(req, family); 5207 } 5208 5209 static void selinux_inet_csk_clone(struct sock *newsk, 5210 const struct request_sock *req) 5211 { 5212 struct sk_security_struct *newsksec = newsk->sk_security; 5213 5214 newsksec->sid = req->secid; 5215 newsksec->peer_sid = req->peer_secid; 5216 /* NOTE: Ideally, we should also get the isec->sid for the 5217 new socket in sync, but we don't have the isec available yet. 5218 So we will wait until sock_graft to do it, by which 5219 time it will have been created and available. */ 5220 5221 /* We don't need to take any sort of lock here as we are the only 5222 * thread with access to newsksec */ 5223 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5224 } 5225 5226 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5227 { 5228 u16 family = sk->sk_family; 5229 struct sk_security_struct *sksec = sk->sk_security; 5230 5231 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5232 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5233 family = PF_INET; 5234 5235 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5236 } 5237 5238 static int selinux_secmark_relabel_packet(u32 sid) 5239 { 5240 const struct task_security_struct *__tsec; 5241 u32 tsid; 5242 5243 __tsec = current_security(); 5244 tsid = __tsec->sid; 5245 5246 return avc_has_perm(&selinux_state, 5247 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, 5248 NULL); 5249 } 5250 5251 static void selinux_secmark_refcount_inc(void) 5252 { 5253 atomic_inc(&selinux_secmark_refcount); 5254 } 5255 5256 static void selinux_secmark_refcount_dec(void) 5257 { 5258 atomic_dec(&selinux_secmark_refcount); 5259 } 5260 5261 static void selinux_req_classify_flow(const struct request_sock *req, 5262 struct flowi *fl) 5263 { 5264 fl->flowi_secid = req->secid; 5265 } 5266 5267 static int selinux_tun_dev_alloc_security(void **security) 5268 { 5269 struct tun_security_struct *tunsec; 5270 5271 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5272 if (!tunsec) 5273 return -ENOMEM; 5274 tunsec->sid = current_sid(); 5275 5276 *security = tunsec; 5277 return 0; 5278 } 5279 5280 static void selinux_tun_dev_free_security(void *security) 5281 { 5282 kfree(security); 5283 } 5284 5285 static int selinux_tun_dev_create(void) 5286 { 5287 u32 sid = current_sid(); 5288 5289 /* we aren't taking into account the "sockcreate" SID since the socket 5290 * that is being created here is not a socket in the traditional sense, 5291 * instead it is a private sock, accessible only to the kernel, and 5292 * representing a wide range of network traffic spanning multiple 5293 * connections unlike traditional sockets - check the TUN driver to 5294 * get a better understanding of why this socket is special */ 5295 5296 return avc_has_perm(&selinux_state, 5297 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5298 NULL); 5299 } 5300 5301 static int selinux_tun_dev_attach_queue(void *security) 5302 { 5303 struct tun_security_struct *tunsec = security; 5304 5305 return avc_has_perm(&selinux_state, 5306 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5307 TUN_SOCKET__ATTACH_QUEUE, NULL); 5308 } 5309 5310 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5311 { 5312 struct tun_security_struct *tunsec = security; 5313 struct sk_security_struct *sksec = sk->sk_security; 5314 5315 /* we don't currently perform any NetLabel based labeling here and it 5316 * isn't clear that we would want to do so anyway; while we could apply 5317 * labeling without the support of the TUN user the resulting labeled 5318 * traffic from the other end of the connection would almost certainly 5319 * cause confusion to the TUN user that had no idea network labeling 5320 * protocols were being used */ 5321 5322 sksec->sid = tunsec->sid; 5323 sksec->sclass = SECCLASS_TUN_SOCKET; 5324 5325 return 0; 5326 } 5327 5328 static int selinux_tun_dev_open(void *security) 5329 { 5330 struct tun_security_struct *tunsec = security; 5331 u32 sid = current_sid(); 5332 int err; 5333 5334 err = avc_has_perm(&selinux_state, 5335 sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5336 TUN_SOCKET__RELABELFROM, NULL); 5337 if (err) 5338 return err; 5339 err = avc_has_perm(&selinux_state, 5340 sid, sid, SECCLASS_TUN_SOCKET, 5341 TUN_SOCKET__RELABELTO, NULL); 5342 if (err) 5343 return err; 5344 tunsec->sid = sid; 5345 5346 return 0; 5347 } 5348 5349 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 5350 { 5351 int err = 0; 5352 u32 perm; 5353 struct nlmsghdr *nlh; 5354 struct sk_security_struct *sksec = sk->sk_security; 5355 5356 if (skb->len < NLMSG_HDRLEN) { 5357 err = -EINVAL; 5358 goto out; 5359 } 5360 nlh = nlmsg_hdr(skb); 5361 5362 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 5363 if (err) { 5364 if (err == -EINVAL) { 5365 pr_warn_ratelimited("SELinux: unrecognized netlink" 5366 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 5367 " pig=%d comm=%s\n", 5368 sk->sk_protocol, nlh->nlmsg_type, 5369 secclass_map[sksec->sclass - 1].name, 5370 task_pid_nr(current), current->comm); 5371 if (!enforcing_enabled(&selinux_state) || 5372 security_get_allow_unknown(&selinux_state)) 5373 err = 0; 5374 } 5375 5376 /* Ignore */ 5377 if (err == -ENOENT) 5378 err = 0; 5379 goto out; 5380 } 5381 5382 err = sock_has_perm(sk, perm); 5383 out: 5384 return err; 5385 } 5386 5387 #ifdef CONFIG_NETFILTER 5388 5389 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5390 const struct net_device *indev, 5391 u16 family) 5392 { 5393 int err; 5394 char *addrp; 5395 u32 peer_sid; 5396 struct common_audit_data ad; 5397 struct lsm_network_audit net = {0,}; 5398 u8 secmark_active; 5399 u8 netlbl_active; 5400 u8 peerlbl_active; 5401 5402 if (!selinux_policycap_netpeer()) 5403 return NF_ACCEPT; 5404 5405 secmark_active = selinux_secmark_enabled(); 5406 netlbl_active = netlbl_enabled(); 5407 peerlbl_active = selinux_peerlbl_enabled(); 5408 if (!secmark_active && !peerlbl_active) 5409 return NF_ACCEPT; 5410 5411 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5412 return NF_DROP; 5413 5414 ad.type = LSM_AUDIT_DATA_NET; 5415 ad.u.net = &net; 5416 ad.u.net->netif = indev->ifindex; 5417 ad.u.net->family = family; 5418 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5419 return NF_DROP; 5420 5421 if (peerlbl_active) { 5422 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5423 addrp, family, peer_sid, &ad); 5424 if (err) { 5425 selinux_netlbl_err(skb, family, err, 1); 5426 return NF_DROP; 5427 } 5428 } 5429 5430 if (secmark_active) 5431 if (avc_has_perm(&selinux_state, 5432 peer_sid, skb->secmark, 5433 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5434 return NF_DROP; 5435 5436 if (netlbl_active) 5437 /* we do this in the FORWARD path and not the POST_ROUTING 5438 * path because we want to make sure we apply the necessary 5439 * labeling before IPsec is applied so we can leverage AH 5440 * protection */ 5441 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5442 return NF_DROP; 5443 5444 return NF_ACCEPT; 5445 } 5446 5447 static unsigned int selinux_ipv4_forward(void *priv, 5448 struct sk_buff *skb, 5449 const struct nf_hook_state *state) 5450 { 5451 return selinux_ip_forward(skb, state->in, PF_INET); 5452 } 5453 5454 #if IS_ENABLED(CONFIG_IPV6) 5455 static unsigned int selinux_ipv6_forward(void *priv, 5456 struct sk_buff *skb, 5457 const struct nf_hook_state *state) 5458 { 5459 return selinux_ip_forward(skb, state->in, PF_INET6); 5460 } 5461 #endif /* IPV6 */ 5462 5463 static unsigned int selinux_ip_output(struct sk_buff *skb, 5464 u16 family) 5465 { 5466 struct sock *sk; 5467 u32 sid; 5468 5469 if (!netlbl_enabled()) 5470 return NF_ACCEPT; 5471 5472 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5473 * because we want to make sure we apply the necessary labeling 5474 * before IPsec is applied so we can leverage AH protection */ 5475 sk = skb->sk; 5476 if (sk) { 5477 struct sk_security_struct *sksec; 5478 5479 if (sk_listener(sk)) 5480 /* if the socket is the listening state then this 5481 * packet is a SYN-ACK packet which means it needs to 5482 * be labeled based on the connection/request_sock and 5483 * not the parent socket. unfortunately, we can't 5484 * lookup the request_sock yet as it isn't queued on 5485 * the parent socket until after the SYN-ACK is sent. 5486 * the "solution" is to simply pass the packet as-is 5487 * as any IP option based labeling should be copied 5488 * from the initial connection request (in the IP 5489 * layer). it is far from ideal, but until we get a 5490 * security label in the packet itself this is the 5491 * best we can do. */ 5492 return NF_ACCEPT; 5493 5494 /* standard practice, label using the parent socket */ 5495 sksec = sk->sk_security; 5496 sid = sksec->sid; 5497 } else 5498 sid = SECINITSID_KERNEL; 5499 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5500 return NF_DROP; 5501 5502 return NF_ACCEPT; 5503 } 5504 5505 static unsigned int selinux_ipv4_output(void *priv, 5506 struct sk_buff *skb, 5507 const struct nf_hook_state *state) 5508 { 5509 return selinux_ip_output(skb, PF_INET); 5510 } 5511 5512 #if IS_ENABLED(CONFIG_IPV6) 5513 static unsigned int selinux_ipv6_output(void *priv, 5514 struct sk_buff *skb, 5515 const struct nf_hook_state *state) 5516 { 5517 return selinux_ip_output(skb, PF_INET6); 5518 } 5519 #endif /* IPV6 */ 5520 5521 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5522 int ifindex, 5523 u16 family) 5524 { 5525 struct sock *sk = skb_to_full_sk(skb); 5526 struct sk_security_struct *sksec; 5527 struct common_audit_data ad; 5528 struct lsm_network_audit net = {0,}; 5529 char *addrp; 5530 u8 proto; 5531 5532 if (sk == NULL) 5533 return NF_ACCEPT; 5534 sksec = sk->sk_security; 5535 5536 ad.type = LSM_AUDIT_DATA_NET; 5537 ad.u.net = &net; 5538 ad.u.net->netif = ifindex; 5539 ad.u.net->family = family; 5540 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5541 return NF_DROP; 5542 5543 if (selinux_secmark_enabled()) 5544 if (avc_has_perm(&selinux_state, 5545 sksec->sid, skb->secmark, 5546 SECCLASS_PACKET, PACKET__SEND, &ad)) 5547 return NF_DROP_ERR(-ECONNREFUSED); 5548 5549 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5550 return NF_DROP_ERR(-ECONNREFUSED); 5551 5552 return NF_ACCEPT; 5553 } 5554 5555 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5556 const struct net_device *outdev, 5557 u16 family) 5558 { 5559 u32 secmark_perm; 5560 u32 peer_sid; 5561 int ifindex = outdev->ifindex; 5562 struct sock *sk; 5563 struct common_audit_data ad; 5564 struct lsm_network_audit net = {0,}; 5565 char *addrp; 5566 u8 secmark_active; 5567 u8 peerlbl_active; 5568 5569 /* If any sort of compatibility mode is enabled then handoff processing 5570 * to the selinux_ip_postroute_compat() function to deal with the 5571 * special handling. We do this in an attempt to keep this function 5572 * as fast and as clean as possible. */ 5573 if (!selinux_policycap_netpeer()) 5574 return selinux_ip_postroute_compat(skb, ifindex, family); 5575 5576 secmark_active = selinux_secmark_enabled(); 5577 peerlbl_active = selinux_peerlbl_enabled(); 5578 if (!secmark_active && !peerlbl_active) 5579 return NF_ACCEPT; 5580 5581 sk = skb_to_full_sk(skb); 5582 5583 #ifdef CONFIG_XFRM 5584 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5585 * packet transformation so allow the packet to pass without any checks 5586 * since we'll have another chance to perform access control checks 5587 * when the packet is on it's final way out. 5588 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5589 * is NULL, in this case go ahead and apply access control. 5590 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5591 * TCP listening state we cannot wait until the XFRM processing 5592 * is done as we will miss out on the SA label if we do; 5593 * unfortunately, this means more work, but it is only once per 5594 * connection. */ 5595 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5596 !(sk && sk_listener(sk))) 5597 return NF_ACCEPT; 5598 #endif 5599 5600 if (sk == NULL) { 5601 /* Without an associated socket the packet is either coming 5602 * from the kernel or it is being forwarded; check the packet 5603 * to determine which and if the packet is being forwarded 5604 * query the packet directly to determine the security label. */ 5605 if (skb->skb_iif) { 5606 secmark_perm = PACKET__FORWARD_OUT; 5607 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5608 return NF_DROP; 5609 } else { 5610 secmark_perm = PACKET__SEND; 5611 peer_sid = SECINITSID_KERNEL; 5612 } 5613 } else if (sk_listener(sk)) { 5614 /* Locally generated packet but the associated socket is in the 5615 * listening state which means this is a SYN-ACK packet. In 5616 * this particular case the correct security label is assigned 5617 * to the connection/request_sock but unfortunately we can't 5618 * query the request_sock as it isn't queued on the parent 5619 * socket until after the SYN-ACK packet is sent; the only 5620 * viable choice is to regenerate the label like we do in 5621 * selinux_inet_conn_request(). See also selinux_ip_output() 5622 * for similar problems. */ 5623 u32 skb_sid; 5624 struct sk_security_struct *sksec; 5625 5626 sksec = sk->sk_security; 5627 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5628 return NF_DROP; 5629 /* At this point, if the returned skb peerlbl is SECSID_NULL 5630 * and the packet has been through at least one XFRM 5631 * transformation then we must be dealing with the "final" 5632 * form of labeled IPsec packet; since we've already applied 5633 * all of our access controls on this packet we can safely 5634 * pass the packet. */ 5635 if (skb_sid == SECSID_NULL) { 5636 switch (family) { 5637 case PF_INET: 5638 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5639 return NF_ACCEPT; 5640 break; 5641 case PF_INET6: 5642 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5643 return NF_ACCEPT; 5644 break; 5645 default: 5646 return NF_DROP_ERR(-ECONNREFUSED); 5647 } 5648 } 5649 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5650 return NF_DROP; 5651 secmark_perm = PACKET__SEND; 5652 } else { 5653 /* Locally generated packet, fetch the security label from the 5654 * associated socket. */ 5655 struct sk_security_struct *sksec = sk->sk_security; 5656 peer_sid = sksec->sid; 5657 secmark_perm = PACKET__SEND; 5658 } 5659 5660 ad.type = LSM_AUDIT_DATA_NET; 5661 ad.u.net = &net; 5662 ad.u.net->netif = ifindex; 5663 ad.u.net->family = family; 5664 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5665 return NF_DROP; 5666 5667 if (secmark_active) 5668 if (avc_has_perm(&selinux_state, 5669 peer_sid, skb->secmark, 5670 SECCLASS_PACKET, secmark_perm, &ad)) 5671 return NF_DROP_ERR(-ECONNREFUSED); 5672 5673 if (peerlbl_active) { 5674 u32 if_sid; 5675 u32 node_sid; 5676 5677 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5678 return NF_DROP; 5679 if (avc_has_perm(&selinux_state, 5680 peer_sid, if_sid, 5681 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5682 return NF_DROP_ERR(-ECONNREFUSED); 5683 5684 if (sel_netnode_sid(addrp, family, &node_sid)) 5685 return NF_DROP; 5686 if (avc_has_perm(&selinux_state, 5687 peer_sid, node_sid, 5688 SECCLASS_NODE, NODE__SENDTO, &ad)) 5689 return NF_DROP_ERR(-ECONNREFUSED); 5690 } 5691 5692 return NF_ACCEPT; 5693 } 5694 5695 static unsigned int selinux_ipv4_postroute(void *priv, 5696 struct sk_buff *skb, 5697 const struct nf_hook_state *state) 5698 { 5699 return selinux_ip_postroute(skb, state->out, PF_INET); 5700 } 5701 5702 #if IS_ENABLED(CONFIG_IPV6) 5703 static unsigned int selinux_ipv6_postroute(void *priv, 5704 struct sk_buff *skb, 5705 const struct nf_hook_state *state) 5706 { 5707 return selinux_ip_postroute(skb, state->out, PF_INET6); 5708 } 5709 #endif /* IPV6 */ 5710 5711 #endif /* CONFIG_NETFILTER */ 5712 5713 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5714 { 5715 return selinux_nlmsg_perm(sk, skb); 5716 } 5717 5718 static int ipc_alloc_security(struct kern_ipc_perm *perm, 5719 u16 sclass) 5720 { 5721 struct ipc_security_struct *isec; 5722 5723 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 5724 if (!isec) 5725 return -ENOMEM; 5726 5727 isec->sclass = sclass; 5728 isec->sid = current_sid(); 5729 perm->security = isec; 5730 5731 return 0; 5732 } 5733 5734 static void ipc_free_security(struct kern_ipc_perm *perm) 5735 { 5736 struct ipc_security_struct *isec = perm->security; 5737 perm->security = NULL; 5738 kfree(isec); 5739 } 5740 5741 static int msg_msg_alloc_security(struct msg_msg *msg) 5742 { 5743 struct msg_security_struct *msec; 5744 5745 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 5746 if (!msec) 5747 return -ENOMEM; 5748 5749 msec->sid = SECINITSID_UNLABELED; 5750 msg->security = msec; 5751 5752 return 0; 5753 } 5754 5755 static void msg_msg_free_security(struct msg_msg *msg) 5756 { 5757 struct msg_security_struct *msec = msg->security; 5758 5759 msg->security = NULL; 5760 kfree(msec); 5761 } 5762 5763 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5764 u32 perms) 5765 { 5766 struct ipc_security_struct *isec; 5767 struct common_audit_data ad; 5768 u32 sid = current_sid(); 5769 5770 isec = ipc_perms->security; 5771 5772 ad.type = LSM_AUDIT_DATA_IPC; 5773 ad.u.ipc_id = ipc_perms->key; 5774 5775 return avc_has_perm(&selinux_state, 5776 sid, isec->sid, isec->sclass, perms, &ad); 5777 } 5778 5779 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5780 { 5781 return msg_msg_alloc_security(msg); 5782 } 5783 5784 static void selinux_msg_msg_free_security(struct msg_msg *msg) 5785 { 5786 msg_msg_free_security(msg); 5787 } 5788 5789 /* message queue security operations */ 5790 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 5791 { 5792 struct ipc_security_struct *isec; 5793 struct common_audit_data ad; 5794 u32 sid = current_sid(); 5795 int rc; 5796 5797 rc = ipc_alloc_security(msq, SECCLASS_MSGQ); 5798 if (rc) 5799 return rc; 5800 5801 isec = msq->security; 5802 5803 ad.type = LSM_AUDIT_DATA_IPC; 5804 ad.u.ipc_id = msq->key; 5805 5806 rc = avc_has_perm(&selinux_state, 5807 sid, isec->sid, SECCLASS_MSGQ, 5808 MSGQ__CREATE, &ad); 5809 if (rc) { 5810 ipc_free_security(msq); 5811 return rc; 5812 } 5813 return 0; 5814 } 5815 5816 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq) 5817 { 5818 ipc_free_security(msq); 5819 } 5820 5821 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 5822 { 5823 struct ipc_security_struct *isec; 5824 struct common_audit_data ad; 5825 u32 sid = current_sid(); 5826 5827 isec = msq->security; 5828 5829 ad.type = LSM_AUDIT_DATA_IPC; 5830 ad.u.ipc_id = msq->key; 5831 5832 return avc_has_perm(&selinux_state, 5833 sid, isec->sid, SECCLASS_MSGQ, 5834 MSGQ__ASSOCIATE, &ad); 5835 } 5836 5837 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 5838 { 5839 int err; 5840 int perms; 5841 5842 switch (cmd) { 5843 case IPC_INFO: 5844 case MSG_INFO: 5845 /* No specific object, just general system-wide information. */ 5846 return avc_has_perm(&selinux_state, 5847 current_sid(), SECINITSID_KERNEL, 5848 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5849 case IPC_STAT: 5850 case MSG_STAT: 5851 case MSG_STAT_ANY: 5852 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 5853 break; 5854 case IPC_SET: 5855 perms = MSGQ__SETATTR; 5856 break; 5857 case IPC_RMID: 5858 perms = MSGQ__DESTROY; 5859 break; 5860 default: 5861 return 0; 5862 } 5863 5864 err = ipc_has_perm(msq, perms); 5865 return err; 5866 } 5867 5868 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 5869 { 5870 struct ipc_security_struct *isec; 5871 struct msg_security_struct *msec; 5872 struct common_audit_data ad; 5873 u32 sid = current_sid(); 5874 int rc; 5875 5876 isec = msq->security; 5877 msec = msg->security; 5878 5879 /* 5880 * First time through, need to assign label to the message 5881 */ 5882 if (msec->sid == SECINITSID_UNLABELED) { 5883 /* 5884 * Compute new sid based on current process and 5885 * message queue this message will be stored in 5886 */ 5887 rc = security_transition_sid(&selinux_state, sid, isec->sid, 5888 SECCLASS_MSG, NULL, &msec->sid); 5889 if (rc) 5890 return rc; 5891 } 5892 5893 ad.type = LSM_AUDIT_DATA_IPC; 5894 ad.u.ipc_id = msq->key; 5895 5896 /* Can this process write to the queue? */ 5897 rc = avc_has_perm(&selinux_state, 5898 sid, isec->sid, SECCLASS_MSGQ, 5899 MSGQ__WRITE, &ad); 5900 if (!rc) 5901 /* Can this process send the message */ 5902 rc = avc_has_perm(&selinux_state, 5903 sid, msec->sid, SECCLASS_MSG, 5904 MSG__SEND, &ad); 5905 if (!rc) 5906 /* Can the message be put in the queue? */ 5907 rc = avc_has_perm(&selinux_state, 5908 msec->sid, isec->sid, SECCLASS_MSGQ, 5909 MSGQ__ENQUEUE, &ad); 5910 5911 return rc; 5912 } 5913 5914 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 5915 struct task_struct *target, 5916 long type, int mode) 5917 { 5918 struct ipc_security_struct *isec; 5919 struct msg_security_struct *msec; 5920 struct common_audit_data ad; 5921 u32 sid = task_sid(target); 5922 int rc; 5923 5924 isec = msq->security; 5925 msec = msg->security; 5926 5927 ad.type = LSM_AUDIT_DATA_IPC; 5928 ad.u.ipc_id = msq->key; 5929 5930 rc = avc_has_perm(&selinux_state, 5931 sid, isec->sid, 5932 SECCLASS_MSGQ, MSGQ__READ, &ad); 5933 if (!rc) 5934 rc = avc_has_perm(&selinux_state, 5935 sid, msec->sid, 5936 SECCLASS_MSG, MSG__RECEIVE, &ad); 5937 return rc; 5938 } 5939 5940 /* Shared Memory security operations */ 5941 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 5942 { 5943 struct ipc_security_struct *isec; 5944 struct common_audit_data ad; 5945 u32 sid = current_sid(); 5946 int rc; 5947 5948 rc = ipc_alloc_security(shp, SECCLASS_SHM); 5949 if (rc) 5950 return rc; 5951 5952 isec = shp->security; 5953 5954 ad.type = LSM_AUDIT_DATA_IPC; 5955 ad.u.ipc_id = shp->key; 5956 5957 rc = avc_has_perm(&selinux_state, 5958 sid, isec->sid, SECCLASS_SHM, 5959 SHM__CREATE, &ad); 5960 if (rc) { 5961 ipc_free_security(shp); 5962 return rc; 5963 } 5964 return 0; 5965 } 5966 5967 static void selinux_shm_free_security(struct kern_ipc_perm *shp) 5968 { 5969 ipc_free_security(shp); 5970 } 5971 5972 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 5973 { 5974 struct ipc_security_struct *isec; 5975 struct common_audit_data ad; 5976 u32 sid = current_sid(); 5977 5978 isec = shp->security; 5979 5980 ad.type = LSM_AUDIT_DATA_IPC; 5981 ad.u.ipc_id = shp->key; 5982 5983 return avc_has_perm(&selinux_state, 5984 sid, isec->sid, SECCLASS_SHM, 5985 SHM__ASSOCIATE, &ad); 5986 } 5987 5988 /* Note, at this point, shp is locked down */ 5989 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 5990 { 5991 int perms; 5992 int err; 5993 5994 switch (cmd) { 5995 case IPC_INFO: 5996 case SHM_INFO: 5997 /* No specific object, just general system-wide information. */ 5998 return avc_has_perm(&selinux_state, 5999 current_sid(), SECINITSID_KERNEL, 6000 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6001 case IPC_STAT: 6002 case SHM_STAT: 6003 case SHM_STAT_ANY: 6004 perms = SHM__GETATTR | SHM__ASSOCIATE; 6005 break; 6006 case IPC_SET: 6007 perms = SHM__SETATTR; 6008 break; 6009 case SHM_LOCK: 6010 case SHM_UNLOCK: 6011 perms = SHM__LOCK; 6012 break; 6013 case IPC_RMID: 6014 perms = SHM__DESTROY; 6015 break; 6016 default: 6017 return 0; 6018 } 6019 6020 err = ipc_has_perm(shp, perms); 6021 return err; 6022 } 6023 6024 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6025 char __user *shmaddr, int shmflg) 6026 { 6027 u32 perms; 6028 6029 if (shmflg & SHM_RDONLY) 6030 perms = SHM__READ; 6031 else 6032 perms = SHM__READ | SHM__WRITE; 6033 6034 return ipc_has_perm(shp, perms); 6035 } 6036 6037 /* Semaphore security operations */ 6038 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6039 { 6040 struct ipc_security_struct *isec; 6041 struct common_audit_data ad; 6042 u32 sid = current_sid(); 6043 int rc; 6044 6045 rc = ipc_alloc_security(sma, SECCLASS_SEM); 6046 if (rc) 6047 return rc; 6048 6049 isec = sma->security; 6050 6051 ad.type = LSM_AUDIT_DATA_IPC; 6052 ad.u.ipc_id = sma->key; 6053 6054 rc = avc_has_perm(&selinux_state, 6055 sid, isec->sid, SECCLASS_SEM, 6056 SEM__CREATE, &ad); 6057 if (rc) { 6058 ipc_free_security(sma); 6059 return rc; 6060 } 6061 return 0; 6062 } 6063 6064 static void selinux_sem_free_security(struct kern_ipc_perm *sma) 6065 { 6066 ipc_free_security(sma); 6067 } 6068 6069 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6070 { 6071 struct ipc_security_struct *isec; 6072 struct common_audit_data ad; 6073 u32 sid = current_sid(); 6074 6075 isec = sma->security; 6076 6077 ad.type = LSM_AUDIT_DATA_IPC; 6078 ad.u.ipc_id = sma->key; 6079 6080 return avc_has_perm(&selinux_state, 6081 sid, isec->sid, SECCLASS_SEM, 6082 SEM__ASSOCIATE, &ad); 6083 } 6084 6085 /* Note, at this point, sma is locked down */ 6086 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6087 { 6088 int err; 6089 u32 perms; 6090 6091 switch (cmd) { 6092 case IPC_INFO: 6093 case SEM_INFO: 6094 /* No specific object, just general system-wide information. */ 6095 return avc_has_perm(&selinux_state, 6096 current_sid(), SECINITSID_KERNEL, 6097 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6098 case GETPID: 6099 case GETNCNT: 6100 case GETZCNT: 6101 perms = SEM__GETATTR; 6102 break; 6103 case GETVAL: 6104 case GETALL: 6105 perms = SEM__READ; 6106 break; 6107 case SETVAL: 6108 case SETALL: 6109 perms = SEM__WRITE; 6110 break; 6111 case IPC_RMID: 6112 perms = SEM__DESTROY; 6113 break; 6114 case IPC_SET: 6115 perms = SEM__SETATTR; 6116 break; 6117 case IPC_STAT: 6118 case SEM_STAT: 6119 case SEM_STAT_ANY: 6120 perms = SEM__GETATTR | SEM__ASSOCIATE; 6121 break; 6122 default: 6123 return 0; 6124 } 6125 6126 err = ipc_has_perm(sma, perms); 6127 return err; 6128 } 6129 6130 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6131 struct sembuf *sops, unsigned nsops, int alter) 6132 { 6133 u32 perms; 6134 6135 if (alter) 6136 perms = SEM__READ | SEM__WRITE; 6137 else 6138 perms = SEM__READ; 6139 6140 return ipc_has_perm(sma, perms); 6141 } 6142 6143 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6144 { 6145 u32 av = 0; 6146 6147 av = 0; 6148 if (flag & S_IRUGO) 6149 av |= IPC__UNIX_READ; 6150 if (flag & S_IWUGO) 6151 av |= IPC__UNIX_WRITE; 6152 6153 if (av == 0) 6154 return 0; 6155 6156 return ipc_has_perm(ipcp, av); 6157 } 6158 6159 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 6160 { 6161 struct ipc_security_struct *isec = ipcp->security; 6162 *secid = isec->sid; 6163 } 6164 6165 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6166 { 6167 if (inode) 6168 inode_doinit_with_dentry(inode, dentry); 6169 } 6170 6171 static int selinux_getprocattr(struct task_struct *p, 6172 char *name, char **value) 6173 { 6174 const struct task_security_struct *__tsec; 6175 u32 sid; 6176 int error; 6177 unsigned len; 6178 6179 rcu_read_lock(); 6180 __tsec = __task_cred(p)->security; 6181 6182 if (current != p) { 6183 error = avc_has_perm(&selinux_state, 6184 current_sid(), __tsec->sid, 6185 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6186 if (error) 6187 goto bad; 6188 } 6189 6190 if (!strcmp(name, "current")) 6191 sid = __tsec->sid; 6192 else if (!strcmp(name, "prev")) 6193 sid = __tsec->osid; 6194 else if (!strcmp(name, "exec")) 6195 sid = __tsec->exec_sid; 6196 else if (!strcmp(name, "fscreate")) 6197 sid = __tsec->create_sid; 6198 else if (!strcmp(name, "keycreate")) 6199 sid = __tsec->keycreate_sid; 6200 else if (!strcmp(name, "sockcreate")) 6201 sid = __tsec->sockcreate_sid; 6202 else { 6203 error = -EINVAL; 6204 goto bad; 6205 } 6206 rcu_read_unlock(); 6207 6208 if (!sid) 6209 return 0; 6210 6211 error = security_sid_to_context(&selinux_state, sid, value, &len); 6212 if (error) 6213 return error; 6214 return len; 6215 6216 bad: 6217 rcu_read_unlock(); 6218 return error; 6219 } 6220 6221 static int selinux_setprocattr(const char *name, void *value, size_t size) 6222 { 6223 struct task_security_struct *tsec; 6224 struct cred *new; 6225 u32 mysid = current_sid(), sid = 0, ptsid; 6226 int error; 6227 char *str = value; 6228 6229 /* 6230 * Basic control over ability to set these attributes at all. 6231 */ 6232 if (!strcmp(name, "exec")) 6233 error = avc_has_perm(&selinux_state, 6234 mysid, mysid, SECCLASS_PROCESS, 6235 PROCESS__SETEXEC, NULL); 6236 else if (!strcmp(name, "fscreate")) 6237 error = avc_has_perm(&selinux_state, 6238 mysid, mysid, SECCLASS_PROCESS, 6239 PROCESS__SETFSCREATE, NULL); 6240 else if (!strcmp(name, "keycreate")) 6241 error = avc_has_perm(&selinux_state, 6242 mysid, mysid, SECCLASS_PROCESS, 6243 PROCESS__SETKEYCREATE, NULL); 6244 else if (!strcmp(name, "sockcreate")) 6245 error = avc_has_perm(&selinux_state, 6246 mysid, mysid, SECCLASS_PROCESS, 6247 PROCESS__SETSOCKCREATE, NULL); 6248 else if (!strcmp(name, "current")) 6249 error = avc_has_perm(&selinux_state, 6250 mysid, mysid, SECCLASS_PROCESS, 6251 PROCESS__SETCURRENT, NULL); 6252 else 6253 error = -EINVAL; 6254 if (error) 6255 return error; 6256 6257 /* Obtain a SID for the context, if one was specified. */ 6258 if (size && str[0] && str[0] != '\n') { 6259 if (str[size-1] == '\n') { 6260 str[size-1] = 0; 6261 size--; 6262 } 6263 error = security_context_to_sid(&selinux_state, value, size, 6264 &sid, GFP_KERNEL); 6265 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6266 if (!has_cap_mac_admin(true)) { 6267 struct audit_buffer *ab; 6268 size_t audit_size; 6269 6270 /* We strip a nul only if it is at the end, otherwise the 6271 * context contains a nul and we should audit that */ 6272 if (str[size - 1] == '\0') 6273 audit_size = size - 1; 6274 else 6275 audit_size = size; 6276 ab = audit_log_start(audit_context(), 6277 GFP_ATOMIC, 6278 AUDIT_SELINUX_ERR); 6279 audit_log_format(ab, "op=fscreate invalid_context="); 6280 audit_log_n_untrustedstring(ab, value, audit_size); 6281 audit_log_end(ab); 6282 6283 return error; 6284 } 6285 error = security_context_to_sid_force( 6286 &selinux_state, 6287 value, size, &sid); 6288 } 6289 if (error) 6290 return error; 6291 } 6292 6293 new = prepare_creds(); 6294 if (!new) 6295 return -ENOMEM; 6296 6297 /* Permission checking based on the specified context is 6298 performed during the actual operation (execve, 6299 open/mkdir/...), when we know the full context of the 6300 operation. See selinux_bprm_set_creds for the execve 6301 checks and may_create for the file creation checks. The 6302 operation will then fail if the context is not permitted. */ 6303 tsec = new->security; 6304 if (!strcmp(name, "exec")) { 6305 tsec->exec_sid = sid; 6306 } else if (!strcmp(name, "fscreate")) { 6307 tsec->create_sid = sid; 6308 } else if (!strcmp(name, "keycreate")) { 6309 error = avc_has_perm(&selinux_state, 6310 mysid, sid, SECCLASS_KEY, KEY__CREATE, 6311 NULL); 6312 if (error) 6313 goto abort_change; 6314 tsec->keycreate_sid = sid; 6315 } else if (!strcmp(name, "sockcreate")) { 6316 tsec->sockcreate_sid = sid; 6317 } else if (!strcmp(name, "current")) { 6318 error = -EINVAL; 6319 if (sid == 0) 6320 goto abort_change; 6321 6322 /* Only allow single threaded processes to change context */ 6323 error = -EPERM; 6324 if (!current_is_single_threaded()) { 6325 error = security_bounded_transition(&selinux_state, 6326 tsec->sid, sid); 6327 if (error) 6328 goto abort_change; 6329 } 6330 6331 /* Check permissions for the transition. */ 6332 error = avc_has_perm(&selinux_state, 6333 tsec->sid, sid, SECCLASS_PROCESS, 6334 PROCESS__DYNTRANSITION, NULL); 6335 if (error) 6336 goto abort_change; 6337 6338 /* Check for ptracing, and update the task SID if ok. 6339 Otherwise, leave SID unchanged and fail. */ 6340 ptsid = ptrace_parent_sid(); 6341 if (ptsid != 0) { 6342 error = avc_has_perm(&selinux_state, 6343 ptsid, sid, SECCLASS_PROCESS, 6344 PROCESS__PTRACE, NULL); 6345 if (error) 6346 goto abort_change; 6347 } 6348 6349 tsec->sid = sid; 6350 } else { 6351 error = -EINVAL; 6352 goto abort_change; 6353 } 6354 6355 commit_creds(new); 6356 return size; 6357 6358 abort_change: 6359 abort_creds(new); 6360 return error; 6361 } 6362 6363 static int selinux_ismaclabel(const char *name) 6364 { 6365 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6366 } 6367 6368 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6369 { 6370 return security_sid_to_context(&selinux_state, secid, 6371 secdata, seclen); 6372 } 6373 6374 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6375 { 6376 return security_context_to_sid(&selinux_state, secdata, seclen, 6377 secid, GFP_KERNEL); 6378 } 6379 6380 static void selinux_release_secctx(char *secdata, u32 seclen) 6381 { 6382 kfree(secdata); 6383 } 6384 6385 static void selinux_inode_invalidate_secctx(struct inode *inode) 6386 { 6387 struct inode_security_struct *isec = inode->i_security; 6388 6389 spin_lock(&isec->lock); 6390 isec->initialized = LABEL_INVALID; 6391 spin_unlock(&isec->lock); 6392 } 6393 6394 /* 6395 * called with inode->i_mutex locked 6396 */ 6397 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6398 { 6399 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 6400 } 6401 6402 /* 6403 * called with inode->i_mutex locked 6404 */ 6405 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6406 { 6407 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 6408 } 6409 6410 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6411 { 6412 int len = 0; 6413 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 6414 ctx, true); 6415 if (len < 0) 6416 return len; 6417 *ctxlen = len; 6418 return 0; 6419 } 6420 #ifdef CONFIG_KEYS 6421 6422 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6423 unsigned long flags) 6424 { 6425 const struct task_security_struct *tsec; 6426 struct key_security_struct *ksec; 6427 6428 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6429 if (!ksec) 6430 return -ENOMEM; 6431 6432 tsec = cred->security; 6433 if (tsec->keycreate_sid) 6434 ksec->sid = tsec->keycreate_sid; 6435 else 6436 ksec->sid = tsec->sid; 6437 6438 k->security = ksec; 6439 return 0; 6440 } 6441 6442 static void selinux_key_free(struct key *k) 6443 { 6444 struct key_security_struct *ksec = k->security; 6445 6446 k->security = NULL; 6447 kfree(ksec); 6448 } 6449 6450 static int selinux_key_permission(key_ref_t key_ref, 6451 const struct cred *cred, 6452 unsigned perm) 6453 { 6454 struct key *key; 6455 struct key_security_struct *ksec; 6456 u32 sid; 6457 6458 /* if no specific permissions are requested, we skip the 6459 permission check. No serious, additional covert channels 6460 appear to be created. */ 6461 if (perm == 0) 6462 return 0; 6463 6464 sid = cred_sid(cred); 6465 6466 key = key_ref_to_ptr(key_ref); 6467 ksec = key->security; 6468 6469 return avc_has_perm(&selinux_state, 6470 sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6471 } 6472 6473 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6474 { 6475 struct key_security_struct *ksec = key->security; 6476 char *context = NULL; 6477 unsigned len; 6478 int rc; 6479 6480 rc = security_sid_to_context(&selinux_state, ksec->sid, 6481 &context, &len); 6482 if (!rc) 6483 rc = len; 6484 *_buffer = context; 6485 return rc; 6486 } 6487 #endif 6488 6489 #ifdef CONFIG_SECURITY_INFINIBAND 6490 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6491 { 6492 struct common_audit_data ad; 6493 int err; 6494 u32 sid = 0; 6495 struct ib_security_struct *sec = ib_sec; 6496 struct lsm_ibpkey_audit ibpkey; 6497 6498 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6499 if (err) 6500 return err; 6501 6502 ad.type = LSM_AUDIT_DATA_IBPKEY; 6503 ibpkey.subnet_prefix = subnet_prefix; 6504 ibpkey.pkey = pkey_val; 6505 ad.u.ibpkey = &ibpkey; 6506 return avc_has_perm(&selinux_state, 6507 sec->sid, sid, 6508 SECCLASS_INFINIBAND_PKEY, 6509 INFINIBAND_PKEY__ACCESS, &ad); 6510 } 6511 6512 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6513 u8 port_num) 6514 { 6515 struct common_audit_data ad; 6516 int err; 6517 u32 sid = 0; 6518 struct ib_security_struct *sec = ib_sec; 6519 struct lsm_ibendport_audit ibendport; 6520 6521 err = security_ib_endport_sid(&selinux_state, dev_name, port_num, 6522 &sid); 6523 6524 if (err) 6525 return err; 6526 6527 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6528 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6529 ibendport.port = port_num; 6530 ad.u.ibendport = &ibendport; 6531 return avc_has_perm(&selinux_state, 6532 sec->sid, sid, 6533 SECCLASS_INFINIBAND_ENDPORT, 6534 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6535 } 6536 6537 static int selinux_ib_alloc_security(void **ib_sec) 6538 { 6539 struct ib_security_struct *sec; 6540 6541 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6542 if (!sec) 6543 return -ENOMEM; 6544 sec->sid = current_sid(); 6545 6546 *ib_sec = sec; 6547 return 0; 6548 } 6549 6550 static void selinux_ib_free_security(void *ib_sec) 6551 { 6552 kfree(ib_sec); 6553 } 6554 #endif 6555 6556 #ifdef CONFIG_BPF_SYSCALL 6557 static int selinux_bpf(int cmd, union bpf_attr *attr, 6558 unsigned int size) 6559 { 6560 u32 sid = current_sid(); 6561 int ret; 6562 6563 switch (cmd) { 6564 case BPF_MAP_CREATE: 6565 ret = avc_has_perm(&selinux_state, 6566 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6567 NULL); 6568 break; 6569 case BPF_PROG_LOAD: 6570 ret = avc_has_perm(&selinux_state, 6571 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6572 NULL); 6573 break; 6574 default: 6575 ret = 0; 6576 break; 6577 } 6578 6579 return ret; 6580 } 6581 6582 static u32 bpf_map_fmode_to_av(fmode_t fmode) 6583 { 6584 u32 av = 0; 6585 6586 if (fmode & FMODE_READ) 6587 av |= BPF__MAP_READ; 6588 if (fmode & FMODE_WRITE) 6589 av |= BPF__MAP_WRITE; 6590 return av; 6591 } 6592 6593 /* This function will check the file pass through unix socket or binder to see 6594 * if it is a bpf related object. And apply correspinding checks on the bpf 6595 * object based on the type. The bpf maps and programs, not like other files and 6596 * socket, are using a shared anonymous inode inside the kernel as their inode. 6597 * So checking that inode cannot identify if the process have privilege to 6598 * access the bpf object and that's why we have to add this additional check in 6599 * selinux_file_receive and selinux_binder_transfer_files. 6600 */ 6601 static int bpf_fd_pass(struct file *file, u32 sid) 6602 { 6603 struct bpf_security_struct *bpfsec; 6604 struct bpf_prog *prog; 6605 struct bpf_map *map; 6606 int ret; 6607 6608 if (file->f_op == &bpf_map_fops) { 6609 map = file->private_data; 6610 bpfsec = map->security; 6611 ret = avc_has_perm(&selinux_state, 6612 sid, bpfsec->sid, SECCLASS_BPF, 6613 bpf_map_fmode_to_av(file->f_mode), NULL); 6614 if (ret) 6615 return ret; 6616 } else if (file->f_op == &bpf_prog_fops) { 6617 prog = file->private_data; 6618 bpfsec = prog->aux->security; 6619 ret = avc_has_perm(&selinux_state, 6620 sid, bpfsec->sid, SECCLASS_BPF, 6621 BPF__PROG_RUN, NULL); 6622 if (ret) 6623 return ret; 6624 } 6625 return 0; 6626 } 6627 6628 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 6629 { 6630 u32 sid = current_sid(); 6631 struct bpf_security_struct *bpfsec; 6632 6633 bpfsec = map->security; 6634 return avc_has_perm(&selinux_state, 6635 sid, bpfsec->sid, SECCLASS_BPF, 6636 bpf_map_fmode_to_av(fmode), NULL); 6637 } 6638 6639 static int selinux_bpf_prog(struct bpf_prog *prog) 6640 { 6641 u32 sid = current_sid(); 6642 struct bpf_security_struct *bpfsec; 6643 6644 bpfsec = prog->aux->security; 6645 return avc_has_perm(&selinux_state, 6646 sid, bpfsec->sid, SECCLASS_BPF, 6647 BPF__PROG_RUN, NULL); 6648 } 6649 6650 static int selinux_bpf_map_alloc(struct bpf_map *map) 6651 { 6652 struct bpf_security_struct *bpfsec; 6653 6654 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6655 if (!bpfsec) 6656 return -ENOMEM; 6657 6658 bpfsec->sid = current_sid(); 6659 map->security = bpfsec; 6660 6661 return 0; 6662 } 6663 6664 static void selinux_bpf_map_free(struct bpf_map *map) 6665 { 6666 struct bpf_security_struct *bpfsec = map->security; 6667 6668 map->security = NULL; 6669 kfree(bpfsec); 6670 } 6671 6672 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux) 6673 { 6674 struct bpf_security_struct *bpfsec; 6675 6676 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6677 if (!bpfsec) 6678 return -ENOMEM; 6679 6680 bpfsec->sid = current_sid(); 6681 aux->security = bpfsec; 6682 6683 return 0; 6684 } 6685 6686 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) 6687 { 6688 struct bpf_security_struct *bpfsec = aux->security; 6689 6690 aux->security = NULL; 6691 kfree(bpfsec); 6692 } 6693 #endif 6694 6695 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 6696 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6697 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6698 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6699 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6700 6701 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 6702 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 6703 LSM_HOOK_INIT(capget, selinux_capget), 6704 LSM_HOOK_INIT(capset, selinux_capset), 6705 LSM_HOOK_INIT(capable, selinux_capable), 6706 LSM_HOOK_INIT(quotactl, selinux_quotactl), 6707 LSM_HOOK_INIT(quota_on, selinux_quota_on), 6708 LSM_HOOK_INIT(syslog, selinux_syslog), 6709 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6710 6711 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6712 6713 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6714 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6715 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6716 6717 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6718 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6719 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 6720 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), 6721 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6722 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6723 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6724 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 6725 LSM_HOOK_INIT(sb_mount, selinux_mount), 6726 LSM_HOOK_INIT(sb_umount, selinux_umount), 6727 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 6728 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 6729 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), 6730 6731 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 6732 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 6733 6734 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 6735 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 6736 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 6737 LSM_HOOK_INIT(inode_create, selinux_inode_create), 6738 LSM_HOOK_INIT(inode_link, selinux_inode_link), 6739 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 6740 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 6741 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 6742 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 6743 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 6744 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 6745 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 6746 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 6747 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 6748 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 6749 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 6750 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 6751 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 6752 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 6753 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 6754 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 6755 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 6756 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 6757 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 6758 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 6759 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 6760 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 6761 6762 LSM_HOOK_INIT(file_permission, selinux_file_permission), 6763 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 6764 LSM_HOOK_INIT(file_free_security, selinux_file_free_security), 6765 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 6766 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 6767 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 6768 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 6769 LSM_HOOK_INIT(file_lock, selinux_file_lock), 6770 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 6771 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 6772 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 6773 LSM_HOOK_INIT(file_receive, selinux_file_receive), 6774 6775 LSM_HOOK_INIT(file_open, selinux_file_open), 6776 6777 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 6778 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), 6779 LSM_HOOK_INIT(cred_free, selinux_cred_free), 6780 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6781 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6782 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 6783 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6784 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6785 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6786 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 6787 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 6788 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 6789 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 6790 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 6791 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), 6792 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 6793 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 6794 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 6795 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 6796 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 6797 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 6798 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 6799 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 6800 LSM_HOOK_INIT(task_kill, selinux_task_kill), 6801 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 6802 6803 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 6804 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 6805 6806 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 6807 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security), 6808 6809 LSM_HOOK_INIT(msg_queue_alloc_security, 6810 selinux_msg_queue_alloc_security), 6811 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security), 6812 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 6813 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 6814 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 6815 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 6816 6817 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 6818 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security), 6819 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 6820 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 6821 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 6822 6823 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 6824 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security), 6825 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 6826 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 6827 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 6828 6829 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 6830 6831 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 6832 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 6833 6834 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 6835 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 6836 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 6837 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 6838 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 6839 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 6840 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 6841 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 6842 6843 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 6844 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 6845 6846 LSM_HOOK_INIT(socket_create, selinux_socket_create), 6847 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 6848 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), 6849 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 6850 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 6851 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 6852 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 6853 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 6854 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 6855 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 6856 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 6857 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 6858 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 6859 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 6860 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 6861 LSM_HOOK_INIT(socket_getpeersec_stream, 6862 selinux_socket_getpeersec_stream), 6863 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 6864 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 6865 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 6866 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 6867 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 6868 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 6869 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 6870 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 6871 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 6872 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 6873 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 6874 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 6875 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 6876 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 6877 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 6878 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 6879 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 6880 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 6881 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 6882 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 6883 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 6884 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 6885 #ifdef CONFIG_SECURITY_INFINIBAND 6886 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 6887 LSM_HOOK_INIT(ib_endport_manage_subnet, 6888 selinux_ib_endport_manage_subnet), 6889 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 6890 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 6891 #endif 6892 #ifdef CONFIG_SECURITY_NETWORK_XFRM 6893 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 6894 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 6895 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 6896 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 6897 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 6898 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 6899 selinux_xfrm_state_alloc_acquire), 6900 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 6901 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 6902 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 6903 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 6904 selinux_xfrm_state_pol_flow_match), 6905 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 6906 #endif 6907 6908 #ifdef CONFIG_KEYS 6909 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 6910 LSM_HOOK_INIT(key_free, selinux_key_free), 6911 LSM_HOOK_INIT(key_permission, selinux_key_permission), 6912 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 6913 #endif 6914 6915 #ifdef CONFIG_AUDIT 6916 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 6917 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 6918 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 6919 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 6920 #endif 6921 6922 #ifdef CONFIG_BPF_SYSCALL 6923 LSM_HOOK_INIT(bpf, selinux_bpf), 6924 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 6925 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 6926 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), 6927 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), 6928 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free), 6929 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free), 6930 #endif 6931 }; 6932 6933 static __init int selinux_init(void) 6934 { 6935 if (!security_module_enable("selinux")) { 6936 selinux_enabled = 0; 6937 return 0; 6938 } 6939 6940 if (!selinux_enabled) { 6941 pr_info("SELinux: Disabled at boot.\n"); 6942 return 0; 6943 } 6944 6945 pr_info("SELinux: Initializing.\n"); 6946 6947 memset(&selinux_state, 0, sizeof(selinux_state)); 6948 enforcing_set(&selinux_state, selinux_enforcing_boot); 6949 selinux_state.checkreqprot = selinux_checkreqprot_boot; 6950 selinux_ss_init(&selinux_state.ss); 6951 selinux_avc_init(&selinux_state.avc); 6952 6953 /* Set the security state for the initial task. */ 6954 cred_init_security(); 6955 6956 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 6957 6958 sel_inode_cache = kmem_cache_create("selinux_inode_security", 6959 sizeof(struct inode_security_struct), 6960 0, SLAB_PANIC, NULL); 6961 file_security_cache = kmem_cache_create("selinux_file_security", 6962 sizeof(struct file_security_struct), 6963 0, SLAB_PANIC, NULL); 6964 avc_init(); 6965 6966 avtab_cache_init(); 6967 6968 ebitmap_cache_init(); 6969 6970 hashtab_cache_init(); 6971 6972 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 6973 6974 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 6975 panic("SELinux: Unable to register AVC netcache callback\n"); 6976 6977 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 6978 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 6979 6980 if (selinux_enforcing_boot) 6981 pr_debug("SELinux: Starting in enforcing mode\n"); 6982 else 6983 pr_debug("SELinux: Starting in permissive mode\n"); 6984 6985 return 0; 6986 } 6987 6988 static void delayed_superblock_init(struct super_block *sb, void *unused) 6989 { 6990 selinux_set_mnt_opts(sb, NULL, 0, NULL); 6991 } 6992 6993 void selinux_complete_init(void) 6994 { 6995 pr_debug("SELinux: Completing initialization.\n"); 6996 6997 /* Set up any superblocks initialized prior to the policy load. */ 6998 pr_debug("SELinux: Setting up existing superblocks.\n"); 6999 iterate_supers(delayed_superblock_init, NULL); 7000 } 7001 7002 /* SELinux requires early initialization in order to label 7003 all processes and objects when they are created. */ 7004 DEFINE_LSM(selinux) = { 7005 .name = "selinux", 7006 .init = selinux_init, 7007 }; 7008 7009 #if defined(CONFIG_NETFILTER) 7010 7011 static const struct nf_hook_ops selinux_nf_ops[] = { 7012 { 7013 .hook = selinux_ipv4_postroute, 7014 .pf = NFPROTO_IPV4, 7015 .hooknum = NF_INET_POST_ROUTING, 7016 .priority = NF_IP_PRI_SELINUX_LAST, 7017 }, 7018 { 7019 .hook = selinux_ipv4_forward, 7020 .pf = NFPROTO_IPV4, 7021 .hooknum = NF_INET_FORWARD, 7022 .priority = NF_IP_PRI_SELINUX_FIRST, 7023 }, 7024 { 7025 .hook = selinux_ipv4_output, 7026 .pf = NFPROTO_IPV4, 7027 .hooknum = NF_INET_LOCAL_OUT, 7028 .priority = NF_IP_PRI_SELINUX_FIRST, 7029 }, 7030 #if IS_ENABLED(CONFIG_IPV6) 7031 { 7032 .hook = selinux_ipv6_postroute, 7033 .pf = NFPROTO_IPV6, 7034 .hooknum = NF_INET_POST_ROUTING, 7035 .priority = NF_IP6_PRI_SELINUX_LAST, 7036 }, 7037 { 7038 .hook = selinux_ipv6_forward, 7039 .pf = NFPROTO_IPV6, 7040 .hooknum = NF_INET_FORWARD, 7041 .priority = NF_IP6_PRI_SELINUX_FIRST, 7042 }, 7043 { 7044 .hook = selinux_ipv6_output, 7045 .pf = NFPROTO_IPV6, 7046 .hooknum = NF_INET_LOCAL_OUT, 7047 .priority = NF_IP6_PRI_SELINUX_FIRST, 7048 }, 7049 #endif /* IPV6 */ 7050 }; 7051 7052 static int __net_init selinux_nf_register(struct net *net) 7053 { 7054 return nf_register_net_hooks(net, selinux_nf_ops, 7055 ARRAY_SIZE(selinux_nf_ops)); 7056 } 7057 7058 static void __net_exit selinux_nf_unregister(struct net *net) 7059 { 7060 nf_unregister_net_hooks(net, selinux_nf_ops, 7061 ARRAY_SIZE(selinux_nf_ops)); 7062 } 7063 7064 static struct pernet_operations selinux_net_ops = { 7065 .init = selinux_nf_register, 7066 .exit = selinux_nf_unregister, 7067 }; 7068 7069 static int __init selinux_nf_ip_init(void) 7070 { 7071 int err; 7072 7073 if (!selinux_enabled) 7074 return 0; 7075 7076 pr_debug("SELinux: Registering netfilter hooks\n"); 7077 7078 err = register_pernet_subsys(&selinux_net_ops); 7079 if (err) 7080 panic("SELinux: register_pernet_subsys: error %d\n", err); 7081 7082 return 0; 7083 } 7084 __initcall(selinux_nf_ip_init); 7085 7086 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7087 static void selinux_nf_ip_exit(void) 7088 { 7089 pr_debug("SELinux: Unregistering netfilter hooks\n"); 7090 7091 unregister_pernet_subsys(&selinux_net_ops); 7092 } 7093 #endif 7094 7095 #else /* CONFIG_NETFILTER */ 7096 7097 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7098 #define selinux_nf_ip_exit() 7099 #endif 7100 7101 #endif /* CONFIG_NETFILTER */ 7102 7103 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7104 int selinux_disable(struct selinux_state *state) 7105 { 7106 if (state->initialized) { 7107 /* Not permitted after initial policy load. */ 7108 return -EINVAL; 7109 } 7110 7111 if (state->disabled) { 7112 /* Only do this once. */ 7113 return -EINVAL; 7114 } 7115 7116 state->disabled = 1; 7117 7118 pr_info("SELinux: Disabled at runtime.\n"); 7119 7120 selinux_enabled = 0; 7121 7122 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7123 7124 /* Try to destroy the avc node cache */ 7125 avc_disable(); 7126 7127 /* Unregister netfilter hooks. */ 7128 selinux_nf_ip_exit(); 7129 7130 /* Unregister selinuxfs. */ 7131 exit_sel_fs(); 7132 7133 return 0; 7134 } 7135 #endif 7136