1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * NSA Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 8 * Chris Vance, <cvance@nai.com> 9 * Wayne Salamon, <wsalamon@nai.com> 10 * James Morris <jmorris@redhat.com> 11 * 12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 14 * Eric Paris <eparis@redhat.com> 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 16 * <dgoeddel@trustedcs.com> 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 18 * Paul Moore <paul@paul-moore.com> 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 20 * Yuichi Nakamura <ynakam@hitachisoft.jp> 21 * Copyright (C) 2016 Mellanox Technologies 22 */ 23 24 #include <linux/init.h> 25 #include <linux/kd.h> 26 #include <linux/kernel.h> 27 #include <linux/tracehook.h> 28 #include <linux/errno.h> 29 #include <linux/sched/signal.h> 30 #include <linux/sched/task.h> 31 #include <linux/lsm_hooks.h> 32 #include <linux/xattr.h> 33 #include <linux/capability.h> 34 #include <linux/unistd.h> 35 #include <linux/mm.h> 36 #include <linux/mman.h> 37 #include <linux/slab.h> 38 #include <linux/pagemap.h> 39 #include <linux/proc_fs.h> 40 #include <linux/swap.h> 41 #include <linux/spinlock.h> 42 #include <linux/syscalls.h> 43 #include <linux/dcache.h> 44 #include <linux/file.h> 45 #include <linux/fdtable.h> 46 #include <linux/namei.h> 47 #include <linux/mount.h> 48 #include <linux/fs_context.h> 49 #include <linux/fs_parser.h> 50 #include <linux/netfilter_ipv4.h> 51 #include <linux/netfilter_ipv6.h> 52 #include <linux/tty.h> 53 #include <net/icmp.h> 54 #include <net/ip.h> /* for local_port_range[] */ 55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 56 #include <net/inet_connection_sock.h> 57 #include <net/net_namespace.h> 58 #include <net/netlabel.h> 59 #include <linux/uaccess.h> 60 #include <asm/ioctls.h> 61 #include <linux/atomic.h> 62 #include <linux/bitops.h> 63 #include <linux/interrupt.h> 64 #include <linux/netdevice.h> /* for network interface checks */ 65 #include <net/netlink.h> 66 #include <linux/tcp.h> 67 #include <linux/udp.h> 68 #include <linux/dccp.h> 69 #include <linux/sctp.h> 70 #include <net/sctp/structs.h> 71 #include <linux/quota.h> 72 #include <linux/un.h> /* for Unix socket types */ 73 #include <net/af_unix.h> /* for Unix socket types */ 74 #include <linux/parser.h> 75 #include <linux/nfs_mount.h> 76 #include <net/ipv6.h> 77 #include <linux/hugetlb.h> 78 #include <linux/personality.h> 79 #include <linux/audit.h> 80 #include <linux/string.h> 81 #include <linux/mutex.h> 82 #include <linux/posix-timers.h> 83 #include <linux/syslog.h> 84 #include <linux/user_namespace.h> 85 #include <linux/export.h> 86 #include <linux/msg.h> 87 #include <linux/shm.h> 88 #include <linux/bpf.h> 89 #include <linux/kernfs.h> 90 #include <linux/stringhash.h> /* for hashlen_string() */ 91 #include <uapi/linux/mount.h> 92 #include <linux/fsnotify.h> 93 #include <linux/fanotify.h> 94 95 #include "avc.h" 96 #include "objsec.h" 97 #include "netif.h" 98 #include "netnode.h" 99 #include "netport.h" 100 #include "ibpkey.h" 101 #include "xfrm.h" 102 #include "netlabel.h" 103 #include "audit.h" 104 #include "avc_ss.h" 105 106 struct selinux_state selinux_state; 107 108 /* SECMARK reference count */ 109 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 110 111 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 112 static int selinux_enforcing_boot __initdata; 113 114 static int __init enforcing_setup(char *str) 115 { 116 unsigned long enforcing; 117 if (!kstrtoul(str, 0, &enforcing)) 118 selinux_enforcing_boot = enforcing ? 1 : 0; 119 return 1; 120 } 121 __setup("enforcing=", enforcing_setup); 122 #else 123 #define selinux_enforcing_boot 1 124 #endif 125 126 int selinux_enabled_boot __initdata = 1; 127 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 128 static int __init selinux_enabled_setup(char *str) 129 { 130 unsigned long enabled; 131 if (!kstrtoul(str, 0, &enabled)) 132 selinux_enabled_boot = enabled ? 1 : 0; 133 return 1; 134 } 135 __setup("selinux=", selinux_enabled_setup); 136 #endif 137 138 static unsigned int selinux_checkreqprot_boot = 139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 140 141 static int __init checkreqprot_setup(char *str) 142 { 143 unsigned long checkreqprot; 144 145 if (!kstrtoul(str, 0, &checkreqprot)) 146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0; 147 return 1; 148 } 149 __setup("checkreqprot=", checkreqprot_setup); 150 151 /** 152 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 153 * 154 * Description: 155 * This function checks the SECMARK reference counter to see if any SECMARK 156 * targets are currently configured, if the reference counter is greater than 157 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 158 * enabled, false (0) if SECMARK is disabled. If the always_check_network 159 * policy capability is enabled, SECMARK is always considered enabled. 160 * 161 */ 162 static int selinux_secmark_enabled(void) 163 { 164 return (selinux_policycap_alwaysnetwork() || 165 atomic_read(&selinux_secmark_refcount)); 166 } 167 168 /** 169 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 170 * 171 * Description: 172 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 173 * (1) if any are enabled or false (0) if neither are enabled. If the 174 * always_check_network policy capability is enabled, peer labeling 175 * is always considered enabled. 176 * 177 */ 178 static int selinux_peerlbl_enabled(void) 179 { 180 return (selinux_policycap_alwaysnetwork() || 181 netlbl_enabled() || selinux_xfrm_enabled()); 182 } 183 184 static int selinux_netcache_avc_callback(u32 event) 185 { 186 if (event == AVC_CALLBACK_RESET) { 187 sel_netif_flush(); 188 sel_netnode_flush(); 189 sel_netport_flush(); 190 synchronize_net(); 191 } 192 return 0; 193 } 194 195 static int selinux_lsm_notifier_avc_callback(u32 event) 196 { 197 if (event == AVC_CALLBACK_RESET) { 198 sel_ib_pkey_flush(); 199 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); 200 } 201 202 return 0; 203 } 204 205 /* 206 * initialise the security for the init task 207 */ 208 static void cred_init_security(void) 209 { 210 struct cred *cred = (struct cred *) current->real_cred; 211 struct task_security_struct *tsec; 212 213 tsec = selinux_cred(cred); 214 tsec->osid = tsec->sid = SECINITSID_KERNEL; 215 } 216 217 /* 218 * get the security ID of a set of credentials 219 */ 220 static inline u32 cred_sid(const struct cred *cred) 221 { 222 const struct task_security_struct *tsec; 223 224 tsec = selinux_cred(cred); 225 return tsec->sid; 226 } 227 228 /* 229 * get the objective security ID of a task 230 */ 231 static inline u32 task_sid(const struct task_struct *task) 232 { 233 u32 sid; 234 235 rcu_read_lock(); 236 sid = cred_sid(__task_cred(task)); 237 rcu_read_unlock(); 238 return sid; 239 } 240 241 /* Allocate and free functions for each kind of security blob. */ 242 243 static int inode_alloc_security(struct inode *inode) 244 { 245 struct inode_security_struct *isec = selinux_inode(inode); 246 u32 sid = current_sid(); 247 248 spin_lock_init(&isec->lock); 249 INIT_LIST_HEAD(&isec->list); 250 isec->inode = inode; 251 isec->sid = SECINITSID_UNLABELED; 252 isec->sclass = SECCLASS_FILE; 253 isec->task_sid = sid; 254 isec->initialized = LABEL_INVALID; 255 256 return 0; 257 } 258 259 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 260 261 /* 262 * Try reloading inode security labels that have been marked as invalid. The 263 * @may_sleep parameter indicates when sleeping and thus reloading labels is 264 * allowed; when set to false, returns -ECHILD when the label is 265 * invalid. The @dentry parameter should be set to a dentry of the inode. 266 */ 267 static int __inode_security_revalidate(struct inode *inode, 268 struct dentry *dentry, 269 bool may_sleep) 270 { 271 struct inode_security_struct *isec = selinux_inode(inode); 272 273 might_sleep_if(may_sleep); 274 275 if (selinux_state.initialized && 276 isec->initialized != LABEL_INITIALIZED) { 277 if (!may_sleep) 278 return -ECHILD; 279 280 /* 281 * Try reloading the inode security label. This will fail if 282 * @opt_dentry is NULL and no dentry for this inode can be 283 * found; in that case, continue using the old label. 284 */ 285 inode_doinit_with_dentry(inode, dentry); 286 } 287 return 0; 288 } 289 290 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 291 { 292 return selinux_inode(inode); 293 } 294 295 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 296 { 297 int error; 298 299 error = __inode_security_revalidate(inode, NULL, !rcu); 300 if (error) 301 return ERR_PTR(error); 302 return selinux_inode(inode); 303 } 304 305 /* 306 * Get the security label of an inode. 307 */ 308 static struct inode_security_struct *inode_security(struct inode *inode) 309 { 310 __inode_security_revalidate(inode, NULL, true); 311 return selinux_inode(inode); 312 } 313 314 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 315 { 316 struct inode *inode = d_backing_inode(dentry); 317 318 return selinux_inode(inode); 319 } 320 321 /* 322 * Get the security label of a dentry's backing inode. 323 */ 324 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 325 { 326 struct inode *inode = d_backing_inode(dentry); 327 328 __inode_security_revalidate(inode, dentry, true); 329 return selinux_inode(inode); 330 } 331 332 static void inode_free_security(struct inode *inode) 333 { 334 struct inode_security_struct *isec = selinux_inode(inode); 335 struct superblock_security_struct *sbsec; 336 337 if (!isec) 338 return; 339 sbsec = inode->i_sb->s_security; 340 /* 341 * As not all inode security structures are in a list, we check for 342 * empty list outside of the lock to make sure that we won't waste 343 * time taking a lock doing nothing. 344 * 345 * The list_del_init() function can be safely called more than once. 346 * It should not be possible for this function to be called with 347 * concurrent list_add(), but for better safety against future changes 348 * in the code, we use list_empty_careful() here. 349 */ 350 if (!list_empty_careful(&isec->list)) { 351 spin_lock(&sbsec->isec_lock); 352 list_del_init(&isec->list); 353 spin_unlock(&sbsec->isec_lock); 354 } 355 } 356 357 static int file_alloc_security(struct file *file) 358 { 359 struct file_security_struct *fsec = selinux_file(file); 360 u32 sid = current_sid(); 361 362 fsec->sid = sid; 363 fsec->fown_sid = sid; 364 365 return 0; 366 } 367 368 static int superblock_alloc_security(struct super_block *sb) 369 { 370 struct superblock_security_struct *sbsec; 371 372 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 373 if (!sbsec) 374 return -ENOMEM; 375 376 mutex_init(&sbsec->lock); 377 INIT_LIST_HEAD(&sbsec->isec_head); 378 spin_lock_init(&sbsec->isec_lock); 379 sbsec->sb = sb; 380 sbsec->sid = SECINITSID_UNLABELED; 381 sbsec->def_sid = SECINITSID_FILE; 382 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 383 sb->s_security = sbsec; 384 385 return 0; 386 } 387 388 static void superblock_free_security(struct super_block *sb) 389 { 390 struct superblock_security_struct *sbsec = sb->s_security; 391 sb->s_security = NULL; 392 kfree(sbsec); 393 } 394 395 struct selinux_mnt_opts { 396 const char *fscontext, *context, *rootcontext, *defcontext; 397 }; 398 399 static void selinux_free_mnt_opts(void *mnt_opts) 400 { 401 struct selinux_mnt_opts *opts = mnt_opts; 402 kfree(opts->fscontext); 403 kfree(opts->context); 404 kfree(opts->rootcontext); 405 kfree(opts->defcontext); 406 kfree(opts); 407 } 408 409 static inline int inode_doinit(struct inode *inode) 410 { 411 return inode_doinit_with_dentry(inode, NULL); 412 } 413 414 enum { 415 Opt_error = -1, 416 Opt_context = 0, 417 Opt_defcontext = 1, 418 Opt_fscontext = 2, 419 Opt_rootcontext = 3, 420 Opt_seclabel = 4, 421 }; 422 423 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} 424 static struct { 425 const char *name; 426 int len; 427 int opt; 428 bool has_arg; 429 } tokens[] = { 430 A(context, true), 431 A(fscontext, true), 432 A(defcontext, true), 433 A(rootcontext, true), 434 A(seclabel, false), 435 }; 436 #undef A 437 438 static int match_opt_prefix(char *s, int l, char **arg) 439 { 440 int i; 441 442 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 443 size_t len = tokens[i].len; 444 if (len > l || memcmp(s, tokens[i].name, len)) 445 continue; 446 if (tokens[i].has_arg) { 447 if (len == l || s[len] != '=') 448 continue; 449 *arg = s + len + 1; 450 } else if (len != l) 451 continue; 452 return tokens[i].opt; 453 } 454 return Opt_error; 455 } 456 457 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 458 459 static int may_context_mount_sb_relabel(u32 sid, 460 struct superblock_security_struct *sbsec, 461 const struct cred *cred) 462 { 463 const struct task_security_struct *tsec = selinux_cred(cred); 464 int rc; 465 466 rc = avc_has_perm(&selinux_state, 467 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 468 FILESYSTEM__RELABELFROM, NULL); 469 if (rc) 470 return rc; 471 472 rc = avc_has_perm(&selinux_state, 473 tsec->sid, sid, SECCLASS_FILESYSTEM, 474 FILESYSTEM__RELABELTO, NULL); 475 return rc; 476 } 477 478 static int may_context_mount_inode_relabel(u32 sid, 479 struct superblock_security_struct *sbsec, 480 const struct cred *cred) 481 { 482 const struct task_security_struct *tsec = selinux_cred(cred); 483 int rc; 484 rc = avc_has_perm(&selinux_state, 485 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 486 FILESYSTEM__RELABELFROM, NULL); 487 if (rc) 488 return rc; 489 490 rc = avc_has_perm(&selinux_state, 491 sid, sbsec->sid, SECCLASS_FILESYSTEM, 492 FILESYSTEM__ASSOCIATE, NULL); 493 return rc; 494 } 495 496 static int selinux_is_genfs_special_handling(struct super_block *sb) 497 { 498 /* Special handling. Genfs but also in-core setxattr handler */ 499 return !strcmp(sb->s_type->name, "sysfs") || 500 !strcmp(sb->s_type->name, "pstore") || 501 !strcmp(sb->s_type->name, "debugfs") || 502 !strcmp(sb->s_type->name, "tracefs") || 503 !strcmp(sb->s_type->name, "rootfs") || 504 (selinux_policycap_cgroupseclabel() && 505 (!strcmp(sb->s_type->name, "cgroup") || 506 !strcmp(sb->s_type->name, "cgroup2"))); 507 } 508 509 static int selinux_is_sblabel_mnt(struct super_block *sb) 510 { 511 struct superblock_security_struct *sbsec = sb->s_security; 512 513 /* 514 * IMPORTANT: Double-check logic in this function when adding a new 515 * SECURITY_FS_USE_* definition! 516 */ 517 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); 518 519 switch (sbsec->behavior) { 520 case SECURITY_FS_USE_XATTR: 521 case SECURITY_FS_USE_TRANS: 522 case SECURITY_FS_USE_TASK: 523 case SECURITY_FS_USE_NATIVE: 524 return 1; 525 526 case SECURITY_FS_USE_GENFS: 527 return selinux_is_genfs_special_handling(sb); 528 529 /* Never allow relabeling on context mounts */ 530 case SECURITY_FS_USE_MNTPOINT: 531 case SECURITY_FS_USE_NONE: 532 default: 533 return 0; 534 } 535 } 536 537 static int sb_finish_set_opts(struct super_block *sb) 538 { 539 struct superblock_security_struct *sbsec = sb->s_security; 540 struct dentry *root = sb->s_root; 541 struct inode *root_inode = d_backing_inode(root); 542 int rc = 0; 543 544 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 545 /* Make sure that the xattr handler exists and that no 546 error other than -ENODATA is returned by getxattr on 547 the root directory. -ENODATA is ok, as this may be 548 the first boot of the SELinux kernel before we have 549 assigned xattr values to the filesystem. */ 550 if (!(root_inode->i_opflags & IOP_XATTR)) { 551 pr_warn("SELinux: (dev %s, type %s) has no " 552 "xattr support\n", sb->s_id, sb->s_type->name); 553 rc = -EOPNOTSUPP; 554 goto out; 555 } 556 557 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 558 if (rc < 0 && rc != -ENODATA) { 559 if (rc == -EOPNOTSUPP) 560 pr_warn("SELinux: (dev %s, type " 561 "%s) has no security xattr handler\n", 562 sb->s_id, sb->s_type->name); 563 else 564 pr_warn("SELinux: (dev %s, type " 565 "%s) getxattr errno %d\n", sb->s_id, 566 sb->s_type->name, -rc); 567 goto out; 568 } 569 } 570 571 sbsec->flags |= SE_SBINITIALIZED; 572 573 /* 574 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 575 * leave the flag untouched because sb_clone_mnt_opts might be handing 576 * us a superblock that needs the flag to be cleared. 577 */ 578 if (selinux_is_sblabel_mnt(sb)) 579 sbsec->flags |= SBLABEL_MNT; 580 else 581 sbsec->flags &= ~SBLABEL_MNT; 582 583 /* Initialize the root inode. */ 584 rc = inode_doinit_with_dentry(root_inode, root); 585 586 /* Initialize any other inodes associated with the superblock, e.g. 587 inodes created prior to initial policy load or inodes created 588 during get_sb by a pseudo filesystem that directly 589 populates itself. */ 590 spin_lock(&sbsec->isec_lock); 591 while (!list_empty(&sbsec->isec_head)) { 592 struct inode_security_struct *isec = 593 list_first_entry(&sbsec->isec_head, 594 struct inode_security_struct, list); 595 struct inode *inode = isec->inode; 596 list_del_init(&isec->list); 597 spin_unlock(&sbsec->isec_lock); 598 inode = igrab(inode); 599 if (inode) { 600 if (!IS_PRIVATE(inode)) 601 inode_doinit(inode); 602 iput(inode); 603 } 604 spin_lock(&sbsec->isec_lock); 605 } 606 spin_unlock(&sbsec->isec_lock); 607 out: 608 return rc; 609 } 610 611 static int bad_option(struct superblock_security_struct *sbsec, char flag, 612 u32 old_sid, u32 new_sid) 613 { 614 char mnt_flags = sbsec->flags & SE_MNTMASK; 615 616 /* check if the old mount command had the same options */ 617 if (sbsec->flags & SE_SBINITIALIZED) 618 if (!(sbsec->flags & flag) || 619 (old_sid != new_sid)) 620 return 1; 621 622 /* check if we were passed the same options twice, 623 * aka someone passed context=a,context=b 624 */ 625 if (!(sbsec->flags & SE_SBINITIALIZED)) 626 if (mnt_flags & flag) 627 return 1; 628 return 0; 629 } 630 631 static int parse_sid(struct super_block *sb, const char *s, u32 *sid) 632 { 633 int rc = security_context_str_to_sid(&selinux_state, s, 634 sid, GFP_KERNEL); 635 if (rc) 636 pr_warn("SELinux: security_context_str_to_sid" 637 "(%s) failed for (dev %s, type %s) errno=%d\n", 638 s, sb->s_id, sb->s_type->name, rc); 639 return rc; 640 } 641 642 /* 643 * Allow filesystems with binary mount data to explicitly set mount point 644 * labeling information. 645 */ 646 static int selinux_set_mnt_opts(struct super_block *sb, 647 void *mnt_opts, 648 unsigned long kern_flags, 649 unsigned long *set_kern_flags) 650 { 651 const struct cred *cred = current_cred(); 652 struct superblock_security_struct *sbsec = sb->s_security; 653 struct dentry *root = sbsec->sb->s_root; 654 struct selinux_mnt_opts *opts = mnt_opts; 655 struct inode_security_struct *root_isec; 656 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 657 u32 defcontext_sid = 0; 658 int rc = 0; 659 660 mutex_lock(&sbsec->lock); 661 662 if (!selinux_state.initialized) { 663 if (!opts) { 664 /* Defer initialization until selinux_complete_init, 665 after the initial policy is loaded and the security 666 server is ready to handle calls. */ 667 goto out; 668 } 669 rc = -EINVAL; 670 pr_warn("SELinux: Unable to set superblock options " 671 "before the security server is initialized\n"); 672 goto out; 673 } 674 if (kern_flags && !set_kern_flags) { 675 /* Specifying internal flags without providing a place to 676 * place the results is not allowed */ 677 rc = -EINVAL; 678 goto out; 679 } 680 681 /* 682 * Binary mount data FS will come through this function twice. Once 683 * from an explicit call and once from the generic calls from the vfs. 684 * Since the generic VFS calls will not contain any security mount data 685 * we need to skip the double mount verification. 686 * 687 * This does open a hole in which we will not notice if the first 688 * mount using this sb set explict options and a second mount using 689 * this sb does not set any security options. (The first options 690 * will be used for both mounts) 691 */ 692 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 693 && !opts) 694 goto out; 695 696 root_isec = backing_inode_security_novalidate(root); 697 698 /* 699 * parse the mount options, check if they are valid sids. 700 * also check if someone is trying to mount the same sb more 701 * than once with different security options. 702 */ 703 if (opts) { 704 if (opts->fscontext) { 705 rc = parse_sid(sb, opts->fscontext, &fscontext_sid); 706 if (rc) 707 goto out; 708 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 709 fscontext_sid)) 710 goto out_double_mount; 711 sbsec->flags |= FSCONTEXT_MNT; 712 } 713 if (opts->context) { 714 rc = parse_sid(sb, opts->context, &context_sid); 715 if (rc) 716 goto out; 717 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 718 context_sid)) 719 goto out_double_mount; 720 sbsec->flags |= CONTEXT_MNT; 721 } 722 if (opts->rootcontext) { 723 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid); 724 if (rc) 725 goto out; 726 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 727 rootcontext_sid)) 728 goto out_double_mount; 729 sbsec->flags |= ROOTCONTEXT_MNT; 730 } 731 if (opts->defcontext) { 732 rc = parse_sid(sb, opts->defcontext, &defcontext_sid); 733 if (rc) 734 goto out; 735 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 736 defcontext_sid)) 737 goto out_double_mount; 738 sbsec->flags |= DEFCONTEXT_MNT; 739 } 740 } 741 742 if (sbsec->flags & SE_SBINITIALIZED) { 743 /* previously mounted with options, but not on this attempt? */ 744 if ((sbsec->flags & SE_MNTMASK) && !opts) 745 goto out_double_mount; 746 rc = 0; 747 goto out; 748 } 749 750 if (strcmp(sb->s_type->name, "proc") == 0) 751 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 752 753 if (!strcmp(sb->s_type->name, "debugfs") || 754 !strcmp(sb->s_type->name, "tracefs") || 755 !strcmp(sb->s_type->name, "binderfs") || 756 !strcmp(sb->s_type->name, "pstore")) 757 sbsec->flags |= SE_SBGENFS; 758 759 if (!strcmp(sb->s_type->name, "sysfs") || 760 !strcmp(sb->s_type->name, "cgroup") || 761 !strcmp(sb->s_type->name, "cgroup2")) 762 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR; 763 764 if (!sbsec->behavior) { 765 /* 766 * Determine the labeling behavior to use for this 767 * filesystem type. 768 */ 769 rc = security_fs_use(&selinux_state, sb); 770 if (rc) { 771 pr_warn("%s: security_fs_use(%s) returned %d\n", 772 __func__, sb->s_type->name, rc); 773 goto out; 774 } 775 } 776 777 /* 778 * If this is a user namespace mount and the filesystem type is not 779 * explicitly whitelisted, then no contexts are allowed on the command 780 * line and security labels must be ignored. 781 */ 782 if (sb->s_user_ns != &init_user_ns && 783 strcmp(sb->s_type->name, "tmpfs") && 784 strcmp(sb->s_type->name, "ramfs") && 785 strcmp(sb->s_type->name, "devpts")) { 786 if (context_sid || fscontext_sid || rootcontext_sid || 787 defcontext_sid) { 788 rc = -EACCES; 789 goto out; 790 } 791 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 792 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 793 rc = security_transition_sid(&selinux_state, 794 current_sid(), 795 current_sid(), 796 SECCLASS_FILE, NULL, 797 &sbsec->mntpoint_sid); 798 if (rc) 799 goto out; 800 } 801 goto out_set_opts; 802 } 803 804 /* sets the context of the superblock for the fs being mounted. */ 805 if (fscontext_sid) { 806 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 807 if (rc) 808 goto out; 809 810 sbsec->sid = fscontext_sid; 811 } 812 813 /* 814 * Switch to using mount point labeling behavior. 815 * sets the label used on all file below the mountpoint, and will set 816 * the superblock context if not already set. 817 */ 818 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 819 sbsec->behavior = SECURITY_FS_USE_NATIVE; 820 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 821 } 822 823 if (context_sid) { 824 if (!fscontext_sid) { 825 rc = may_context_mount_sb_relabel(context_sid, sbsec, 826 cred); 827 if (rc) 828 goto out; 829 sbsec->sid = context_sid; 830 } else { 831 rc = may_context_mount_inode_relabel(context_sid, sbsec, 832 cred); 833 if (rc) 834 goto out; 835 } 836 if (!rootcontext_sid) 837 rootcontext_sid = context_sid; 838 839 sbsec->mntpoint_sid = context_sid; 840 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 841 } 842 843 if (rootcontext_sid) { 844 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 845 cred); 846 if (rc) 847 goto out; 848 849 root_isec->sid = rootcontext_sid; 850 root_isec->initialized = LABEL_INITIALIZED; 851 } 852 853 if (defcontext_sid) { 854 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 855 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 856 rc = -EINVAL; 857 pr_warn("SELinux: defcontext option is " 858 "invalid for this filesystem type\n"); 859 goto out; 860 } 861 862 if (defcontext_sid != sbsec->def_sid) { 863 rc = may_context_mount_inode_relabel(defcontext_sid, 864 sbsec, cred); 865 if (rc) 866 goto out; 867 } 868 869 sbsec->def_sid = defcontext_sid; 870 } 871 872 out_set_opts: 873 rc = sb_finish_set_opts(sb); 874 out: 875 mutex_unlock(&sbsec->lock); 876 return rc; 877 out_double_mount: 878 rc = -EINVAL; 879 pr_warn("SELinux: mount invalid. Same superblock, different " 880 "security settings for (dev %s, type %s)\n", sb->s_id, 881 sb->s_type->name); 882 goto out; 883 } 884 885 static int selinux_cmp_sb_context(const struct super_block *oldsb, 886 const struct super_block *newsb) 887 { 888 struct superblock_security_struct *old = oldsb->s_security; 889 struct superblock_security_struct *new = newsb->s_security; 890 char oldflags = old->flags & SE_MNTMASK; 891 char newflags = new->flags & SE_MNTMASK; 892 893 if (oldflags != newflags) 894 goto mismatch; 895 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 896 goto mismatch; 897 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 898 goto mismatch; 899 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 900 goto mismatch; 901 if (oldflags & ROOTCONTEXT_MNT) { 902 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 903 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 904 if (oldroot->sid != newroot->sid) 905 goto mismatch; 906 } 907 return 0; 908 mismatch: 909 pr_warn("SELinux: mount invalid. Same superblock, " 910 "different security settings for (dev %s, " 911 "type %s)\n", newsb->s_id, newsb->s_type->name); 912 return -EBUSY; 913 } 914 915 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 916 struct super_block *newsb, 917 unsigned long kern_flags, 918 unsigned long *set_kern_flags) 919 { 920 int rc = 0; 921 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 922 struct superblock_security_struct *newsbsec = newsb->s_security; 923 924 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 925 int set_context = (oldsbsec->flags & CONTEXT_MNT); 926 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 927 928 /* 929 * if the parent was able to be mounted it clearly had no special lsm 930 * mount options. thus we can safely deal with this superblock later 931 */ 932 if (!selinux_state.initialized) 933 return 0; 934 935 /* 936 * Specifying internal flags without providing a place to 937 * place the results is not allowed. 938 */ 939 if (kern_flags && !set_kern_flags) 940 return -EINVAL; 941 942 /* how can we clone if the old one wasn't set up?? */ 943 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 944 945 /* if fs is reusing a sb, make sure that the contexts match */ 946 if (newsbsec->flags & SE_SBINITIALIZED) { 947 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) 948 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 949 return selinux_cmp_sb_context(oldsb, newsb); 950 } 951 952 mutex_lock(&newsbsec->lock); 953 954 newsbsec->flags = oldsbsec->flags; 955 956 newsbsec->sid = oldsbsec->sid; 957 newsbsec->def_sid = oldsbsec->def_sid; 958 newsbsec->behavior = oldsbsec->behavior; 959 960 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 961 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 962 rc = security_fs_use(&selinux_state, newsb); 963 if (rc) 964 goto out; 965 } 966 967 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 968 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 969 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 970 } 971 972 if (set_context) { 973 u32 sid = oldsbsec->mntpoint_sid; 974 975 if (!set_fscontext) 976 newsbsec->sid = sid; 977 if (!set_rootcontext) { 978 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 979 newisec->sid = sid; 980 } 981 newsbsec->mntpoint_sid = sid; 982 } 983 if (set_rootcontext) { 984 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 985 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 986 987 newisec->sid = oldisec->sid; 988 } 989 990 sb_finish_set_opts(newsb); 991 out: 992 mutex_unlock(&newsbsec->lock); 993 return rc; 994 } 995 996 static int selinux_add_opt(int token, const char *s, void **mnt_opts) 997 { 998 struct selinux_mnt_opts *opts = *mnt_opts; 999 1000 if (token == Opt_seclabel) /* eaten and completely ignored */ 1001 return 0; 1002 1003 if (!opts) { 1004 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL); 1005 if (!opts) 1006 return -ENOMEM; 1007 *mnt_opts = opts; 1008 } 1009 if (!s) 1010 return -ENOMEM; 1011 switch (token) { 1012 case Opt_context: 1013 if (opts->context || opts->defcontext) 1014 goto Einval; 1015 opts->context = s; 1016 break; 1017 case Opt_fscontext: 1018 if (opts->fscontext) 1019 goto Einval; 1020 opts->fscontext = s; 1021 break; 1022 case Opt_rootcontext: 1023 if (opts->rootcontext) 1024 goto Einval; 1025 opts->rootcontext = s; 1026 break; 1027 case Opt_defcontext: 1028 if (opts->context || opts->defcontext) 1029 goto Einval; 1030 opts->defcontext = s; 1031 break; 1032 } 1033 return 0; 1034 Einval: 1035 pr_warn(SEL_MOUNT_FAIL_MSG); 1036 return -EINVAL; 1037 } 1038 1039 static int selinux_add_mnt_opt(const char *option, const char *val, int len, 1040 void **mnt_opts) 1041 { 1042 int token = Opt_error; 1043 int rc, i; 1044 1045 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 1046 if (strcmp(option, tokens[i].name) == 0) { 1047 token = tokens[i].opt; 1048 break; 1049 } 1050 } 1051 1052 if (token == Opt_error) 1053 return -EINVAL; 1054 1055 if (token != Opt_seclabel) { 1056 val = kmemdup_nul(val, len, GFP_KERNEL); 1057 if (!val) { 1058 rc = -ENOMEM; 1059 goto free_opt; 1060 } 1061 } 1062 rc = selinux_add_opt(token, val, mnt_opts); 1063 if (unlikely(rc)) { 1064 kfree(val); 1065 goto free_opt; 1066 } 1067 return rc; 1068 1069 free_opt: 1070 if (*mnt_opts) { 1071 selinux_free_mnt_opts(*mnt_opts); 1072 *mnt_opts = NULL; 1073 } 1074 return rc; 1075 } 1076 1077 static int show_sid(struct seq_file *m, u32 sid) 1078 { 1079 char *context = NULL; 1080 u32 len; 1081 int rc; 1082 1083 rc = security_sid_to_context(&selinux_state, sid, 1084 &context, &len); 1085 if (!rc) { 1086 bool has_comma = context && strchr(context, ','); 1087 1088 seq_putc(m, '='); 1089 if (has_comma) 1090 seq_putc(m, '\"'); 1091 seq_escape(m, context, "\"\n\\"); 1092 if (has_comma) 1093 seq_putc(m, '\"'); 1094 } 1095 kfree(context); 1096 return rc; 1097 } 1098 1099 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1100 { 1101 struct superblock_security_struct *sbsec = sb->s_security; 1102 int rc; 1103 1104 if (!(sbsec->flags & SE_SBINITIALIZED)) 1105 return 0; 1106 1107 if (!selinux_state.initialized) 1108 return 0; 1109 1110 if (sbsec->flags & FSCONTEXT_MNT) { 1111 seq_putc(m, ','); 1112 seq_puts(m, FSCONTEXT_STR); 1113 rc = show_sid(m, sbsec->sid); 1114 if (rc) 1115 return rc; 1116 } 1117 if (sbsec->flags & CONTEXT_MNT) { 1118 seq_putc(m, ','); 1119 seq_puts(m, CONTEXT_STR); 1120 rc = show_sid(m, sbsec->mntpoint_sid); 1121 if (rc) 1122 return rc; 1123 } 1124 if (sbsec->flags & DEFCONTEXT_MNT) { 1125 seq_putc(m, ','); 1126 seq_puts(m, DEFCONTEXT_STR); 1127 rc = show_sid(m, sbsec->def_sid); 1128 if (rc) 1129 return rc; 1130 } 1131 if (sbsec->flags & ROOTCONTEXT_MNT) { 1132 struct dentry *root = sbsec->sb->s_root; 1133 struct inode_security_struct *isec = backing_inode_security(root); 1134 seq_putc(m, ','); 1135 seq_puts(m, ROOTCONTEXT_STR); 1136 rc = show_sid(m, isec->sid); 1137 if (rc) 1138 return rc; 1139 } 1140 if (sbsec->flags & SBLABEL_MNT) { 1141 seq_putc(m, ','); 1142 seq_puts(m, SECLABEL_STR); 1143 } 1144 return 0; 1145 } 1146 1147 static inline u16 inode_mode_to_security_class(umode_t mode) 1148 { 1149 switch (mode & S_IFMT) { 1150 case S_IFSOCK: 1151 return SECCLASS_SOCK_FILE; 1152 case S_IFLNK: 1153 return SECCLASS_LNK_FILE; 1154 case S_IFREG: 1155 return SECCLASS_FILE; 1156 case S_IFBLK: 1157 return SECCLASS_BLK_FILE; 1158 case S_IFDIR: 1159 return SECCLASS_DIR; 1160 case S_IFCHR: 1161 return SECCLASS_CHR_FILE; 1162 case S_IFIFO: 1163 return SECCLASS_FIFO_FILE; 1164 1165 } 1166 1167 return SECCLASS_FILE; 1168 } 1169 1170 static inline int default_protocol_stream(int protocol) 1171 { 1172 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1173 } 1174 1175 static inline int default_protocol_dgram(int protocol) 1176 { 1177 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1178 } 1179 1180 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1181 { 1182 int extsockclass = selinux_policycap_extsockclass(); 1183 1184 switch (family) { 1185 case PF_UNIX: 1186 switch (type) { 1187 case SOCK_STREAM: 1188 case SOCK_SEQPACKET: 1189 return SECCLASS_UNIX_STREAM_SOCKET; 1190 case SOCK_DGRAM: 1191 case SOCK_RAW: 1192 return SECCLASS_UNIX_DGRAM_SOCKET; 1193 } 1194 break; 1195 case PF_INET: 1196 case PF_INET6: 1197 switch (type) { 1198 case SOCK_STREAM: 1199 case SOCK_SEQPACKET: 1200 if (default_protocol_stream(protocol)) 1201 return SECCLASS_TCP_SOCKET; 1202 else if (extsockclass && protocol == IPPROTO_SCTP) 1203 return SECCLASS_SCTP_SOCKET; 1204 else 1205 return SECCLASS_RAWIP_SOCKET; 1206 case SOCK_DGRAM: 1207 if (default_protocol_dgram(protocol)) 1208 return SECCLASS_UDP_SOCKET; 1209 else if (extsockclass && (protocol == IPPROTO_ICMP || 1210 protocol == IPPROTO_ICMPV6)) 1211 return SECCLASS_ICMP_SOCKET; 1212 else 1213 return SECCLASS_RAWIP_SOCKET; 1214 case SOCK_DCCP: 1215 return SECCLASS_DCCP_SOCKET; 1216 default: 1217 return SECCLASS_RAWIP_SOCKET; 1218 } 1219 break; 1220 case PF_NETLINK: 1221 switch (protocol) { 1222 case NETLINK_ROUTE: 1223 return SECCLASS_NETLINK_ROUTE_SOCKET; 1224 case NETLINK_SOCK_DIAG: 1225 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1226 case NETLINK_NFLOG: 1227 return SECCLASS_NETLINK_NFLOG_SOCKET; 1228 case NETLINK_XFRM: 1229 return SECCLASS_NETLINK_XFRM_SOCKET; 1230 case NETLINK_SELINUX: 1231 return SECCLASS_NETLINK_SELINUX_SOCKET; 1232 case NETLINK_ISCSI: 1233 return SECCLASS_NETLINK_ISCSI_SOCKET; 1234 case NETLINK_AUDIT: 1235 return SECCLASS_NETLINK_AUDIT_SOCKET; 1236 case NETLINK_FIB_LOOKUP: 1237 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1238 case NETLINK_CONNECTOR: 1239 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1240 case NETLINK_NETFILTER: 1241 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1242 case NETLINK_DNRTMSG: 1243 return SECCLASS_NETLINK_DNRT_SOCKET; 1244 case NETLINK_KOBJECT_UEVENT: 1245 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1246 case NETLINK_GENERIC: 1247 return SECCLASS_NETLINK_GENERIC_SOCKET; 1248 case NETLINK_SCSITRANSPORT: 1249 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1250 case NETLINK_RDMA: 1251 return SECCLASS_NETLINK_RDMA_SOCKET; 1252 case NETLINK_CRYPTO: 1253 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1254 default: 1255 return SECCLASS_NETLINK_SOCKET; 1256 } 1257 case PF_PACKET: 1258 return SECCLASS_PACKET_SOCKET; 1259 case PF_KEY: 1260 return SECCLASS_KEY_SOCKET; 1261 case PF_APPLETALK: 1262 return SECCLASS_APPLETALK_SOCKET; 1263 } 1264 1265 if (extsockclass) { 1266 switch (family) { 1267 case PF_AX25: 1268 return SECCLASS_AX25_SOCKET; 1269 case PF_IPX: 1270 return SECCLASS_IPX_SOCKET; 1271 case PF_NETROM: 1272 return SECCLASS_NETROM_SOCKET; 1273 case PF_ATMPVC: 1274 return SECCLASS_ATMPVC_SOCKET; 1275 case PF_X25: 1276 return SECCLASS_X25_SOCKET; 1277 case PF_ROSE: 1278 return SECCLASS_ROSE_SOCKET; 1279 case PF_DECnet: 1280 return SECCLASS_DECNET_SOCKET; 1281 case PF_ATMSVC: 1282 return SECCLASS_ATMSVC_SOCKET; 1283 case PF_RDS: 1284 return SECCLASS_RDS_SOCKET; 1285 case PF_IRDA: 1286 return SECCLASS_IRDA_SOCKET; 1287 case PF_PPPOX: 1288 return SECCLASS_PPPOX_SOCKET; 1289 case PF_LLC: 1290 return SECCLASS_LLC_SOCKET; 1291 case PF_CAN: 1292 return SECCLASS_CAN_SOCKET; 1293 case PF_TIPC: 1294 return SECCLASS_TIPC_SOCKET; 1295 case PF_BLUETOOTH: 1296 return SECCLASS_BLUETOOTH_SOCKET; 1297 case PF_IUCV: 1298 return SECCLASS_IUCV_SOCKET; 1299 case PF_RXRPC: 1300 return SECCLASS_RXRPC_SOCKET; 1301 case PF_ISDN: 1302 return SECCLASS_ISDN_SOCKET; 1303 case PF_PHONET: 1304 return SECCLASS_PHONET_SOCKET; 1305 case PF_IEEE802154: 1306 return SECCLASS_IEEE802154_SOCKET; 1307 case PF_CAIF: 1308 return SECCLASS_CAIF_SOCKET; 1309 case PF_ALG: 1310 return SECCLASS_ALG_SOCKET; 1311 case PF_NFC: 1312 return SECCLASS_NFC_SOCKET; 1313 case PF_VSOCK: 1314 return SECCLASS_VSOCK_SOCKET; 1315 case PF_KCM: 1316 return SECCLASS_KCM_SOCKET; 1317 case PF_QIPCRTR: 1318 return SECCLASS_QIPCRTR_SOCKET; 1319 case PF_SMC: 1320 return SECCLASS_SMC_SOCKET; 1321 case PF_XDP: 1322 return SECCLASS_XDP_SOCKET; 1323 #if PF_MAX > 45 1324 #error New address family defined, please update this function. 1325 #endif 1326 } 1327 } 1328 1329 return SECCLASS_SOCKET; 1330 } 1331 1332 static int selinux_genfs_get_sid(struct dentry *dentry, 1333 u16 tclass, 1334 u16 flags, 1335 u32 *sid) 1336 { 1337 int rc; 1338 struct super_block *sb = dentry->d_sb; 1339 char *buffer, *path; 1340 1341 buffer = (char *)__get_free_page(GFP_KERNEL); 1342 if (!buffer) 1343 return -ENOMEM; 1344 1345 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1346 if (IS_ERR(path)) 1347 rc = PTR_ERR(path); 1348 else { 1349 if (flags & SE_SBPROC) { 1350 /* each process gets a /proc/PID/ entry. Strip off the 1351 * PID part to get a valid selinux labeling. 1352 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1353 while (path[1] >= '0' && path[1] <= '9') { 1354 path[1] = '/'; 1355 path++; 1356 } 1357 } 1358 rc = security_genfs_sid(&selinux_state, sb->s_type->name, 1359 path, tclass, sid); 1360 if (rc == -ENOENT) { 1361 /* No match in policy, mark as unlabeled. */ 1362 *sid = SECINITSID_UNLABELED; 1363 rc = 0; 1364 } 1365 } 1366 free_page((unsigned long)buffer); 1367 return rc; 1368 } 1369 1370 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry, 1371 u32 def_sid, u32 *sid) 1372 { 1373 #define INITCONTEXTLEN 255 1374 char *context; 1375 unsigned int len; 1376 int rc; 1377 1378 len = INITCONTEXTLEN; 1379 context = kmalloc(len + 1, GFP_NOFS); 1380 if (!context) 1381 return -ENOMEM; 1382 1383 context[len] = '\0'; 1384 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1385 if (rc == -ERANGE) { 1386 kfree(context); 1387 1388 /* Need a larger buffer. Query for the right size. */ 1389 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1390 if (rc < 0) 1391 return rc; 1392 1393 len = rc; 1394 context = kmalloc(len + 1, GFP_NOFS); 1395 if (!context) 1396 return -ENOMEM; 1397 1398 context[len] = '\0'; 1399 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, 1400 context, len); 1401 } 1402 if (rc < 0) { 1403 kfree(context); 1404 if (rc != -ENODATA) { 1405 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n", 1406 __func__, -rc, inode->i_sb->s_id, inode->i_ino); 1407 return rc; 1408 } 1409 *sid = def_sid; 1410 return 0; 1411 } 1412 1413 rc = security_context_to_sid_default(&selinux_state, context, rc, sid, 1414 def_sid, GFP_NOFS); 1415 if (rc) { 1416 char *dev = inode->i_sb->s_id; 1417 unsigned long ino = inode->i_ino; 1418 1419 if (rc == -EINVAL) { 1420 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n", 1421 ino, dev, context); 1422 } else { 1423 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n", 1424 __func__, context, -rc, dev, ino); 1425 } 1426 } 1427 kfree(context); 1428 return 0; 1429 } 1430 1431 /* The inode's security attributes must be initialized before first use. */ 1432 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1433 { 1434 struct superblock_security_struct *sbsec = NULL; 1435 struct inode_security_struct *isec = selinux_inode(inode); 1436 u32 task_sid, sid = 0; 1437 u16 sclass; 1438 struct dentry *dentry; 1439 int rc = 0; 1440 1441 if (isec->initialized == LABEL_INITIALIZED) 1442 return 0; 1443 1444 spin_lock(&isec->lock); 1445 if (isec->initialized == LABEL_INITIALIZED) 1446 goto out_unlock; 1447 1448 if (isec->sclass == SECCLASS_FILE) 1449 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1450 1451 sbsec = inode->i_sb->s_security; 1452 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1453 /* Defer initialization until selinux_complete_init, 1454 after the initial policy is loaded and the security 1455 server is ready to handle calls. */ 1456 spin_lock(&sbsec->isec_lock); 1457 if (list_empty(&isec->list)) 1458 list_add(&isec->list, &sbsec->isec_head); 1459 spin_unlock(&sbsec->isec_lock); 1460 goto out_unlock; 1461 } 1462 1463 sclass = isec->sclass; 1464 task_sid = isec->task_sid; 1465 sid = isec->sid; 1466 isec->initialized = LABEL_PENDING; 1467 spin_unlock(&isec->lock); 1468 1469 switch (sbsec->behavior) { 1470 case SECURITY_FS_USE_NATIVE: 1471 break; 1472 case SECURITY_FS_USE_XATTR: 1473 if (!(inode->i_opflags & IOP_XATTR)) { 1474 sid = sbsec->def_sid; 1475 break; 1476 } 1477 /* Need a dentry, since the xattr API requires one. 1478 Life would be simpler if we could just pass the inode. */ 1479 if (opt_dentry) { 1480 /* Called from d_instantiate or d_splice_alias. */ 1481 dentry = dget(opt_dentry); 1482 } else { 1483 /* 1484 * Called from selinux_complete_init, try to find a dentry. 1485 * Some filesystems really want a connected one, so try 1486 * that first. We could split SECURITY_FS_USE_XATTR in 1487 * two, depending upon that... 1488 */ 1489 dentry = d_find_alias(inode); 1490 if (!dentry) 1491 dentry = d_find_any_alias(inode); 1492 } 1493 if (!dentry) { 1494 /* 1495 * this is can be hit on boot when a file is accessed 1496 * before the policy is loaded. When we load policy we 1497 * may find inodes that have no dentry on the 1498 * sbsec->isec_head list. No reason to complain as these 1499 * will get fixed up the next time we go through 1500 * inode_doinit with a dentry, before these inodes could 1501 * be used again by userspace. 1502 */ 1503 goto out; 1504 } 1505 1506 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid, 1507 &sid); 1508 dput(dentry); 1509 if (rc) 1510 goto out; 1511 break; 1512 case SECURITY_FS_USE_TASK: 1513 sid = task_sid; 1514 break; 1515 case SECURITY_FS_USE_TRANS: 1516 /* Default to the fs SID. */ 1517 sid = sbsec->sid; 1518 1519 /* Try to obtain a transition SID. */ 1520 rc = security_transition_sid(&selinux_state, task_sid, sid, 1521 sclass, NULL, &sid); 1522 if (rc) 1523 goto out; 1524 break; 1525 case SECURITY_FS_USE_MNTPOINT: 1526 sid = sbsec->mntpoint_sid; 1527 break; 1528 default: 1529 /* Default to the fs superblock SID. */ 1530 sid = sbsec->sid; 1531 1532 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { 1533 /* We must have a dentry to determine the label on 1534 * procfs inodes */ 1535 if (opt_dentry) { 1536 /* Called from d_instantiate or 1537 * d_splice_alias. */ 1538 dentry = dget(opt_dentry); 1539 } else { 1540 /* Called from selinux_complete_init, try to 1541 * find a dentry. Some filesystems really want 1542 * a connected one, so try that first. 1543 */ 1544 dentry = d_find_alias(inode); 1545 if (!dentry) 1546 dentry = d_find_any_alias(inode); 1547 } 1548 /* 1549 * This can be hit on boot when a file is accessed 1550 * before the policy is loaded. When we load policy we 1551 * may find inodes that have no dentry on the 1552 * sbsec->isec_head list. No reason to complain as 1553 * these will get fixed up the next time we go through 1554 * inode_doinit() with a dentry, before these inodes 1555 * could be used again by userspace. 1556 */ 1557 if (!dentry) 1558 goto out; 1559 rc = selinux_genfs_get_sid(dentry, sclass, 1560 sbsec->flags, &sid); 1561 if (rc) { 1562 dput(dentry); 1563 goto out; 1564 } 1565 1566 if ((sbsec->flags & SE_SBGENFS_XATTR) && 1567 (inode->i_opflags & IOP_XATTR)) { 1568 rc = inode_doinit_use_xattr(inode, dentry, 1569 sid, &sid); 1570 if (rc) { 1571 dput(dentry); 1572 goto out; 1573 } 1574 } 1575 dput(dentry); 1576 } 1577 break; 1578 } 1579 1580 out: 1581 spin_lock(&isec->lock); 1582 if (isec->initialized == LABEL_PENDING) { 1583 if (!sid || rc) { 1584 isec->initialized = LABEL_INVALID; 1585 goto out_unlock; 1586 } 1587 1588 isec->initialized = LABEL_INITIALIZED; 1589 isec->sid = sid; 1590 } 1591 1592 out_unlock: 1593 spin_unlock(&isec->lock); 1594 return rc; 1595 } 1596 1597 /* Convert a Linux signal to an access vector. */ 1598 static inline u32 signal_to_av(int sig) 1599 { 1600 u32 perm = 0; 1601 1602 switch (sig) { 1603 case SIGCHLD: 1604 /* Commonly granted from child to parent. */ 1605 perm = PROCESS__SIGCHLD; 1606 break; 1607 case SIGKILL: 1608 /* Cannot be caught or ignored */ 1609 perm = PROCESS__SIGKILL; 1610 break; 1611 case SIGSTOP: 1612 /* Cannot be caught or ignored */ 1613 perm = PROCESS__SIGSTOP; 1614 break; 1615 default: 1616 /* All other signals. */ 1617 perm = PROCESS__SIGNAL; 1618 break; 1619 } 1620 1621 return perm; 1622 } 1623 1624 #if CAP_LAST_CAP > 63 1625 #error Fix SELinux to handle capabilities > 63. 1626 #endif 1627 1628 /* Check whether a task is allowed to use a capability. */ 1629 static int cred_has_capability(const struct cred *cred, 1630 int cap, unsigned int opts, bool initns) 1631 { 1632 struct common_audit_data ad; 1633 struct av_decision avd; 1634 u16 sclass; 1635 u32 sid = cred_sid(cred); 1636 u32 av = CAP_TO_MASK(cap); 1637 int rc; 1638 1639 ad.type = LSM_AUDIT_DATA_CAP; 1640 ad.u.cap = cap; 1641 1642 switch (CAP_TO_INDEX(cap)) { 1643 case 0: 1644 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1645 break; 1646 case 1: 1647 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1648 break; 1649 default: 1650 pr_err("SELinux: out of range capability %d\n", cap); 1651 BUG(); 1652 return -EINVAL; 1653 } 1654 1655 rc = avc_has_perm_noaudit(&selinux_state, 1656 sid, sid, sclass, av, 0, &avd); 1657 if (!(opts & CAP_OPT_NOAUDIT)) { 1658 int rc2 = avc_audit(&selinux_state, 1659 sid, sid, sclass, av, &avd, rc, &ad, 0); 1660 if (rc2) 1661 return rc2; 1662 } 1663 return rc; 1664 } 1665 1666 /* Check whether a task has a particular permission to an inode. 1667 The 'adp' parameter is optional and allows other audit 1668 data to be passed (e.g. the dentry). */ 1669 static int inode_has_perm(const struct cred *cred, 1670 struct inode *inode, 1671 u32 perms, 1672 struct common_audit_data *adp) 1673 { 1674 struct inode_security_struct *isec; 1675 u32 sid; 1676 1677 validate_creds(cred); 1678 1679 if (unlikely(IS_PRIVATE(inode))) 1680 return 0; 1681 1682 sid = cred_sid(cred); 1683 isec = selinux_inode(inode); 1684 1685 return avc_has_perm(&selinux_state, 1686 sid, isec->sid, isec->sclass, perms, adp); 1687 } 1688 1689 /* Same as inode_has_perm, but pass explicit audit data containing 1690 the dentry to help the auditing code to more easily generate the 1691 pathname if needed. */ 1692 static inline int dentry_has_perm(const struct cred *cred, 1693 struct dentry *dentry, 1694 u32 av) 1695 { 1696 struct inode *inode = d_backing_inode(dentry); 1697 struct common_audit_data ad; 1698 1699 ad.type = LSM_AUDIT_DATA_DENTRY; 1700 ad.u.dentry = dentry; 1701 __inode_security_revalidate(inode, dentry, true); 1702 return inode_has_perm(cred, inode, av, &ad); 1703 } 1704 1705 /* Same as inode_has_perm, but pass explicit audit data containing 1706 the path to help the auditing code to more easily generate the 1707 pathname if needed. */ 1708 static inline int path_has_perm(const struct cred *cred, 1709 const struct path *path, 1710 u32 av) 1711 { 1712 struct inode *inode = d_backing_inode(path->dentry); 1713 struct common_audit_data ad; 1714 1715 ad.type = LSM_AUDIT_DATA_PATH; 1716 ad.u.path = *path; 1717 __inode_security_revalidate(inode, path->dentry, true); 1718 return inode_has_perm(cred, inode, av, &ad); 1719 } 1720 1721 /* Same as path_has_perm, but uses the inode from the file struct. */ 1722 static inline int file_path_has_perm(const struct cred *cred, 1723 struct file *file, 1724 u32 av) 1725 { 1726 struct common_audit_data ad; 1727 1728 ad.type = LSM_AUDIT_DATA_FILE; 1729 ad.u.file = file; 1730 return inode_has_perm(cred, file_inode(file), av, &ad); 1731 } 1732 1733 #ifdef CONFIG_BPF_SYSCALL 1734 static int bpf_fd_pass(struct file *file, u32 sid); 1735 #endif 1736 1737 /* Check whether a task can use an open file descriptor to 1738 access an inode in a given way. Check access to the 1739 descriptor itself, and then use dentry_has_perm to 1740 check a particular permission to the file. 1741 Access to the descriptor is implicitly granted if it 1742 has the same SID as the process. If av is zero, then 1743 access to the file is not checked, e.g. for cases 1744 where only the descriptor is affected like seek. */ 1745 static int file_has_perm(const struct cred *cred, 1746 struct file *file, 1747 u32 av) 1748 { 1749 struct file_security_struct *fsec = selinux_file(file); 1750 struct inode *inode = file_inode(file); 1751 struct common_audit_data ad; 1752 u32 sid = cred_sid(cred); 1753 int rc; 1754 1755 ad.type = LSM_AUDIT_DATA_FILE; 1756 ad.u.file = file; 1757 1758 if (sid != fsec->sid) { 1759 rc = avc_has_perm(&selinux_state, 1760 sid, fsec->sid, 1761 SECCLASS_FD, 1762 FD__USE, 1763 &ad); 1764 if (rc) 1765 goto out; 1766 } 1767 1768 #ifdef CONFIG_BPF_SYSCALL 1769 rc = bpf_fd_pass(file, cred_sid(cred)); 1770 if (rc) 1771 return rc; 1772 #endif 1773 1774 /* av is zero if only checking access to the descriptor. */ 1775 rc = 0; 1776 if (av) 1777 rc = inode_has_perm(cred, inode, av, &ad); 1778 1779 out: 1780 return rc; 1781 } 1782 1783 /* 1784 * Determine the label for an inode that might be unioned. 1785 */ 1786 static int 1787 selinux_determine_inode_label(const struct task_security_struct *tsec, 1788 struct inode *dir, 1789 const struct qstr *name, u16 tclass, 1790 u32 *_new_isid) 1791 { 1792 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1793 1794 if ((sbsec->flags & SE_SBINITIALIZED) && 1795 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1796 *_new_isid = sbsec->mntpoint_sid; 1797 } else if ((sbsec->flags & SBLABEL_MNT) && 1798 tsec->create_sid) { 1799 *_new_isid = tsec->create_sid; 1800 } else { 1801 const struct inode_security_struct *dsec = inode_security(dir); 1802 return security_transition_sid(&selinux_state, tsec->sid, 1803 dsec->sid, tclass, 1804 name, _new_isid); 1805 } 1806 1807 return 0; 1808 } 1809 1810 /* Check whether a task can create a file. */ 1811 static int may_create(struct inode *dir, 1812 struct dentry *dentry, 1813 u16 tclass) 1814 { 1815 const struct task_security_struct *tsec = selinux_cred(current_cred()); 1816 struct inode_security_struct *dsec; 1817 struct superblock_security_struct *sbsec; 1818 u32 sid, newsid; 1819 struct common_audit_data ad; 1820 int rc; 1821 1822 dsec = inode_security(dir); 1823 sbsec = dir->i_sb->s_security; 1824 1825 sid = tsec->sid; 1826 1827 ad.type = LSM_AUDIT_DATA_DENTRY; 1828 ad.u.dentry = dentry; 1829 1830 rc = avc_has_perm(&selinux_state, 1831 sid, dsec->sid, SECCLASS_DIR, 1832 DIR__ADD_NAME | DIR__SEARCH, 1833 &ad); 1834 if (rc) 1835 return rc; 1836 1837 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass, 1838 &newsid); 1839 if (rc) 1840 return rc; 1841 1842 rc = avc_has_perm(&selinux_state, 1843 sid, newsid, tclass, FILE__CREATE, &ad); 1844 if (rc) 1845 return rc; 1846 1847 return avc_has_perm(&selinux_state, 1848 newsid, sbsec->sid, 1849 SECCLASS_FILESYSTEM, 1850 FILESYSTEM__ASSOCIATE, &ad); 1851 } 1852 1853 #define MAY_LINK 0 1854 #define MAY_UNLINK 1 1855 #define MAY_RMDIR 2 1856 1857 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1858 static int may_link(struct inode *dir, 1859 struct dentry *dentry, 1860 int kind) 1861 1862 { 1863 struct inode_security_struct *dsec, *isec; 1864 struct common_audit_data ad; 1865 u32 sid = current_sid(); 1866 u32 av; 1867 int rc; 1868 1869 dsec = inode_security(dir); 1870 isec = backing_inode_security(dentry); 1871 1872 ad.type = LSM_AUDIT_DATA_DENTRY; 1873 ad.u.dentry = dentry; 1874 1875 av = DIR__SEARCH; 1876 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1877 rc = avc_has_perm(&selinux_state, 1878 sid, dsec->sid, SECCLASS_DIR, av, &ad); 1879 if (rc) 1880 return rc; 1881 1882 switch (kind) { 1883 case MAY_LINK: 1884 av = FILE__LINK; 1885 break; 1886 case MAY_UNLINK: 1887 av = FILE__UNLINK; 1888 break; 1889 case MAY_RMDIR: 1890 av = DIR__RMDIR; 1891 break; 1892 default: 1893 pr_warn("SELinux: %s: unrecognized kind %d\n", 1894 __func__, kind); 1895 return 0; 1896 } 1897 1898 rc = avc_has_perm(&selinux_state, 1899 sid, isec->sid, isec->sclass, av, &ad); 1900 return rc; 1901 } 1902 1903 static inline int may_rename(struct inode *old_dir, 1904 struct dentry *old_dentry, 1905 struct inode *new_dir, 1906 struct dentry *new_dentry) 1907 { 1908 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1909 struct common_audit_data ad; 1910 u32 sid = current_sid(); 1911 u32 av; 1912 int old_is_dir, new_is_dir; 1913 int rc; 1914 1915 old_dsec = inode_security(old_dir); 1916 old_isec = backing_inode_security(old_dentry); 1917 old_is_dir = d_is_dir(old_dentry); 1918 new_dsec = inode_security(new_dir); 1919 1920 ad.type = LSM_AUDIT_DATA_DENTRY; 1921 1922 ad.u.dentry = old_dentry; 1923 rc = avc_has_perm(&selinux_state, 1924 sid, old_dsec->sid, SECCLASS_DIR, 1925 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1926 if (rc) 1927 return rc; 1928 rc = avc_has_perm(&selinux_state, 1929 sid, old_isec->sid, 1930 old_isec->sclass, FILE__RENAME, &ad); 1931 if (rc) 1932 return rc; 1933 if (old_is_dir && new_dir != old_dir) { 1934 rc = avc_has_perm(&selinux_state, 1935 sid, old_isec->sid, 1936 old_isec->sclass, DIR__REPARENT, &ad); 1937 if (rc) 1938 return rc; 1939 } 1940 1941 ad.u.dentry = new_dentry; 1942 av = DIR__ADD_NAME | DIR__SEARCH; 1943 if (d_is_positive(new_dentry)) 1944 av |= DIR__REMOVE_NAME; 1945 rc = avc_has_perm(&selinux_state, 1946 sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1947 if (rc) 1948 return rc; 1949 if (d_is_positive(new_dentry)) { 1950 new_isec = backing_inode_security(new_dentry); 1951 new_is_dir = d_is_dir(new_dentry); 1952 rc = avc_has_perm(&selinux_state, 1953 sid, new_isec->sid, 1954 new_isec->sclass, 1955 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1956 if (rc) 1957 return rc; 1958 } 1959 1960 return 0; 1961 } 1962 1963 /* Check whether a task can perform a filesystem operation. */ 1964 static int superblock_has_perm(const struct cred *cred, 1965 struct super_block *sb, 1966 u32 perms, 1967 struct common_audit_data *ad) 1968 { 1969 struct superblock_security_struct *sbsec; 1970 u32 sid = cred_sid(cred); 1971 1972 sbsec = sb->s_security; 1973 return avc_has_perm(&selinux_state, 1974 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1975 } 1976 1977 /* Convert a Linux mode and permission mask to an access vector. */ 1978 static inline u32 file_mask_to_av(int mode, int mask) 1979 { 1980 u32 av = 0; 1981 1982 if (!S_ISDIR(mode)) { 1983 if (mask & MAY_EXEC) 1984 av |= FILE__EXECUTE; 1985 if (mask & MAY_READ) 1986 av |= FILE__READ; 1987 1988 if (mask & MAY_APPEND) 1989 av |= FILE__APPEND; 1990 else if (mask & MAY_WRITE) 1991 av |= FILE__WRITE; 1992 1993 } else { 1994 if (mask & MAY_EXEC) 1995 av |= DIR__SEARCH; 1996 if (mask & MAY_WRITE) 1997 av |= DIR__WRITE; 1998 if (mask & MAY_READ) 1999 av |= DIR__READ; 2000 } 2001 2002 return av; 2003 } 2004 2005 /* Convert a Linux file to an access vector. */ 2006 static inline u32 file_to_av(struct file *file) 2007 { 2008 u32 av = 0; 2009 2010 if (file->f_mode & FMODE_READ) 2011 av |= FILE__READ; 2012 if (file->f_mode & FMODE_WRITE) { 2013 if (file->f_flags & O_APPEND) 2014 av |= FILE__APPEND; 2015 else 2016 av |= FILE__WRITE; 2017 } 2018 if (!av) { 2019 /* 2020 * Special file opened with flags 3 for ioctl-only use. 2021 */ 2022 av = FILE__IOCTL; 2023 } 2024 2025 return av; 2026 } 2027 2028 /* 2029 * Convert a file to an access vector and include the correct open 2030 * open permission. 2031 */ 2032 static inline u32 open_file_to_av(struct file *file) 2033 { 2034 u32 av = file_to_av(file); 2035 struct inode *inode = file_inode(file); 2036 2037 if (selinux_policycap_openperm() && 2038 inode->i_sb->s_magic != SOCKFS_MAGIC) 2039 av |= FILE__OPEN; 2040 2041 return av; 2042 } 2043 2044 /* Hook functions begin here. */ 2045 2046 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2047 { 2048 u32 mysid = current_sid(); 2049 u32 mgrsid = task_sid(mgr); 2050 2051 return avc_has_perm(&selinux_state, 2052 mysid, mgrsid, SECCLASS_BINDER, 2053 BINDER__SET_CONTEXT_MGR, NULL); 2054 } 2055 2056 static int selinux_binder_transaction(struct task_struct *from, 2057 struct task_struct *to) 2058 { 2059 u32 mysid = current_sid(); 2060 u32 fromsid = task_sid(from); 2061 u32 tosid = task_sid(to); 2062 int rc; 2063 2064 if (mysid != fromsid) { 2065 rc = avc_has_perm(&selinux_state, 2066 mysid, fromsid, SECCLASS_BINDER, 2067 BINDER__IMPERSONATE, NULL); 2068 if (rc) 2069 return rc; 2070 } 2071 2072 return avc_has_perm(&selinux_state, 2073 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2074 NULL); 2075 } 2076 2077 static int selinux_binder_transfer_binder(struct task_struct *from, 2078 struct task_struct *to) 2079 { 2080 u32 fromsid = task_sid(from); 2081 u32 tosid = task_sid(to); 2082 2083 return avc_has_perm(&selinux_state, 2084 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2085 NULL); 2086 } 2087 2088 static int selinux_binder_transfer_file(struct task_struct *from, 2089 struct task_struct *to, 2090 struct file *file) 2091 { 2092 u32 sid = task_sid(to); 2093 struct file_security_struct *fsec = selinux_file(file); 2094 struct dentry *dentry = file->f_path.dentry; 2095 struct inode_security_struct *isec; 2096 struct common_audit_data ad; 2097 int rc; 2098 2099 ad.type = LSM_AUDIT_DATA_PATH; 2100 ad.u.path = file->f_path; 2101 2102 if (sid != fsec->sid) { 2103 rc = avc_has_perm(&selinux_state, 2104 sid, fsec->sid, 2105 SECCLASS_FD, 2106 FD__USE, 2107 &ad); 2108 if (rc) 2109 return rc; 2110 } 2111 2112 #ifdef CONFIG_BPF_SYSCALL 2113 rc = bpf_fd_pass(file, sid); 2114 if (rc) 2115 return rc; 2116 #endif 2117 2118 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2119 return 0; 2120 2121 isec = backing_inode_security(dentry); 2122 return avc_has_perm(&selinux_state, 2123 sid, isec->sid, isec->sclass, file_to_av(file), 2124 &ad); 2125 } 2126 2127 static int selinux_ptrace_access_check(struct task_struct *child, 2128 unsigned int mode) 2129 { 2130 u32 sid = current_sid(); 2131 u32 csid = task_sid(child); 2132 2133 if (mode & PTRACE_MODE_READ) 2134 return avc_has_perm(&selinux_state, 2135 sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2136 2137 return avc_has_perm(&selinux_state, 2138 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2139 } 2140 2141 static int selinux_ptrace_traceme(struct task_struct *parent) 2142 { 2143 return avc_has_perm(&selinux_state, 2144 task_sid(parent), current_sid(), SECCLASS_PROCESS, 2145 PROCESS__PTRACE, NULL); 2146 } 2147 2148 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2149 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2150 { 2151 return avc_has_perm(&selinux_state, 2152 current_sid(), task_sid(target), SECCLASS_PROCESS, 2153 PROCESS__GETCAP, NULL); 2154 } 2155 2156 static int selinux_capset(struct cred *new, const struct cred *old, 2157 const kernel_cap_t *effective, 2158 const kernel_cap_t *inheritable, 2159 const kernel_cap_t *permitted) 2160 { 2161 return avc_has_perm(&selinux_state, 2162 cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2163 PROCESS__SETCAP, NULL); 2164 } 2165 2166 /* 2167 * (This comment used to live with the selinux_task_setuid hook, 2168 * which was removed). 2169 * 2170 * Since setuid only affects the current process, and since the SELinux 2171 * controls are not based on the Linux identity attributes, SELinux does not 2172 * need to control this operation. However, SELinux does control the use of 2173 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2174 */ 2175 2176 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2177 int cap, unsigned int opts) 2178 { 2179 return cred_has_capability(cred, cap, opts, ns == &init_user_ns); 2180 } 2181 2182 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2183 { 2184 const struct cred *cred = current_cred(); 2185 int rc = 0; 2186 2187 if (!sb) 2188 return 0; 2189 2190 switch (cmds) { 2191 case Q_SYNC: 2192 case Q_QUOTAON: 2193 case Q_QUOTAOFF: 2194 case Q_SETINFO: 2195 case Q_SETQUOTA: 2196 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2197 break; 2198 case Q_GETFMT: 2199 case Q_GETINFO: 2200 case Q_GETQUOTA: 2201 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2202 break; 2203 default: 2204 rc = 0; /* let the kernel handle invalid cmds */ 2205 break; 2206 } 2207 return rc; 2208 } 2209 2210 static int selinux_quota_on(struct dentry *dentry) 2211 { 2212 const struct cred *cred = current_cred(); 2213 2214 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2215 } 2216 2217 static int selinux_syslog(int type) 2218 { 2219 switch (type) { 2220 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2221 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2222 return avc_has_perm(&selinux_state, 2223 current_sid(), SECINITSID_KERNEL, 2224 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2225 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2226 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2227 /* Set level of messages printed to console */ 2228 case SYSLOG_ACTION_CONSOLE_LEVEL: 2229 return avc_has_perm(&selinux_state, 2230 current_sid(), SECINITSID_KERNEL, 2231 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2232 NULL); 2233 } 2234 /* All other syslog types */ 2235 return avc_has_perm(&selinux_state, 2236 current_sid(), SECINITSID_KERNEL, 2237 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2238 } 2239 2240 /* 2241 * Check that a process has enough memory to allocate a new virtual 2242 * mapping. 0 means there is enough memory for the allocation to 2243 * succeed and -ENOMEM implies there is not. 2244 * 2245 * Do not audit the selinux permission check, as this is applied to all 2246 * processes that allocate mappings. 2247 */ 2248 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2249 { 2250 int rc, cap_sys_admin = 0; 2251 2252 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2253 CAP_OPT_NOAUDIT, true); 2254 if (rc == 0) 2255 cap_sys_admin = 1; 2256 2257 return cap_sys_admin; 2258 } 2259 2260 /* binprm security operations */ 2261 2262 static u32 ptrace_parent_sid(void) 2263 { 2264 u32 sid = 0; 2265 struct task_struct *tracer; 2266 2267 rcu_read_lock(); 2268 tracer = ptrace_parent(current); 2269 if (tracer) 2270 sid = task_sid(tracer); 2271 rcu_read_unlock(); 2272 2273 return sid; 2274 } 2275 2276 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2277 const struct task_security_struct *old_tsec, 2278 const struct task_security_struct *new_tsec) 2279 { 2280 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2281 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2282 int rc; 2283 u32 av; 2284 2285 if (!nnp && !nosuid) 2286 return 0; /* neither NNP nor nosuid */ 2287 2288 if (new_tsec->sid == old_tsec->sid) 2289 return 0; /* No change in credentials */ 2290 2291 /* 2292 * If the policy enables the nnp_nosuid_transition policy capability, 2293 * then we permit transitions under NNP or nosuid if the 2294 * policy allows the corresponding permission between 2295 * the old and new contexts. 2296 */ 2297 if (selinux_policycap_nnp_nosuid_transition()) { 2298 av = 0; 2299 if (nnp) 2300 av |= PROCESS2__NNP_TRANSITION; 2301 if (nosuid) 2302 av |= PROCESS2__NOSUID_TRANSITION; 2303 rc = avc_has_perm(&selinux_state, 2304 old_tsec->sid, new_tsec->sid, 2305 SECCLASS_PROCESS2, av, NULL); 2306 if (!rc) 2307 return 0; 2308 } 2309 2310 /* 2311 * We also permit NNP or nosuid transitions to bounded SIDs, 2312 * i.e. SIDs that are guaranteed to only be allowed a subset 2313 * of the permissions of the current SID. 2314 */ 2315 rc = security_bounded_transition(&selinux_state, old_tsec->sid, 2316 new_tsec->sid); 2317 if (!rc) 2318 return 0; 2319 2320 /* 2321 * On failure, preserve the errno values for NNP vs nosuid. 2322 * NNP: Operation not permitted for caller. 2323 * nosuid: Permission denied to file. 2324 */ 2325 if (nnp) 2326 return -EPERM; 2327 return -EACCES; 2328 } 2329 2330 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2331 { 2332 const struct task_security_struct *old_tsec; 2333 struct task_security_struct *new_tsec; 2334 struct inode_security_struct *isec; 2335 struct common_audit_data ad; 2336 struct inode *inode = file_inode(bprm->file); 2337 int rc; 2338 2339 /* SELinux context only depends on initial program or script and not 2340 * the script interpreter */ 2341 if (bprm->called_set_creds) 2342 return 0; 2343 2344 old_tsec = selinux_cred(current_cred()); 2345 new_tsec = selinux_cred(bprm->cred); 2346 isec = inode_security(inode); 2347 2348 /* Default to the current task SID. */ 2349 new_tsec->sid = old_tsec->sid; 2350 new_tsec->osid = old_tsec->sid; 2351 2352 /* Reset fs, key, and sock SIDs on execve. */ 2353 new_tsec->create_sid = 0; 2354 new_tsec->keycreate_sid = 0; 2355 new_tsec->sockcreate_sid = 0; 2356 2357 if (old_tsec->exec_sid) { 2358 new_tsec->sid = old_tsec->exec_sid; 2359 /* Reset exec SID on execve. */ 2360 new_tsec->exec_sid = 0; 2361 2362 /* Fail on NNP or nosuid if not an allowed transition. */ 2363 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2364 if (rc) 2365 return rc; 2366 } else { 2367 /* Check for a default transition on this program. */ 2368 rc = security_transition_sid(&selinux_state, old_tsec->sid, 2369 isec->sid, SECCLASS_PROCESS, NULL, 2370 &new_tsec->sid); 2371 if (rc) 2372 return rc; 2373 2374 /* 2375 * Fallback to old SID on NNP or nosuid if not an allowed 2376 * transition. 2377 */ 2378 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2379 if (rc) 2380 new_tsec->sid = old_tsec->sid; 2381 } 2382 2383 ad.type = LSM_AUDIT_DATA_FILE; 2384 ad.u.file = bprm->file; 2385 2386 if (new_tsec->sid == old_tsec->sid) { 2387 rc = avc_has_perm(&selinux_state, 2388 old_tsec->sid, isec->sid, 2389 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2390 if (rc) 2391 return rc; 2392 } else { 2393 /* Check permissions for the transition. */ 2394 rc = avc_has_perm(&selinux_state, 2395 old_tsec->sid, new_tsec->sid, 2396 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2397 if (rc) 2398 return rc; 2399 2400 rc = avc_has_perm(&selinux_state, 2401 new_tsec->sid, isec->sid, 2402 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2403 if (rc) 2404 return rc; 2405 2406 /* Check for shared state */ 2407 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2408 rc = avc_has_perm(&selinux_state, 2409 old_tsec->sid, new_tsec->sid, 2410 SECCLASS_PROCESS, PROCESS__SHARE, 2411 NULL); 2412 if (rc) 2413 return -EPERM; 2414 } 2415 2416 /* Make sure that anyone attempting to ptrace over a task that 2417 * changes its SID has the appropriate permit */ 2418 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2419 u32 ptsid = ptrace_parent_sid(); 2420 if (ptsid != 0) { 2421 rc = avc_has_perm(&selinux_state, 2422 ptsid, new_tsec->sid, 2423 SECCLASS_PROCESS, 2424 PROCESS__PTRACE, NULL); 2425 if (rc) 2426 return -EPERM; 2427 } 2428 } 2429 2430 /* Clear any possibly unsafe personality bits on exec: */ 2431 bprm->per_clear |= PER_CLEAR_ON_SETID; 2432 2433 /* Enable secure mode for SIDs transitions unless 2434 the noatsecure permission is granted between 2435 the two SIDs, i.e. ahp returns 0. */ 2436 rc = avc_has_perm(&selinux_state, 2437 old_tsec->sid, new_tsec->sid, 2438 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2439 NULL); 2440 bprm->secureexec |= !!rc; 2441 } 2442 2443 return 0; 2444 } 2445 2446 static int match_file(const void *p, struct file *file, unsigned fd) 2447 { 2448 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2449 } 2450 2451 /* Derived from fs/exec.c:flush_old_files. */ 2452 static inline void flush_unauthorized_files(const struct cred *cred, 2453 struct files_struct *files) 2454 { 2455 struct file *file, *devnull = NULL; 2456 struct tty_struct *tty; 2457 int drop_tty = 0; 2458 unsigned n; 2459 2460 tty = get_current_tty(); 2461 if (tty) { 2462 spin_lock(&tty->files_lock); 2463 if (!list_empty(&tty->tty_files)) { 2464 struct tty_file_private *file_priv; 2465 2466 /* Revalidate access to controlling tty. 2467 Use file_path_has_perm on the tty path directly 2468 rather than using file_has_perm, as this particular 2469 open file may belong to another process and we are 2470 only interested in the inode-based check here. */ 2471 file_priv = list_first_entry(&tty->tty_files, 2472 struct tty_file_private, list); 2473 file = file_priv->file; 2474 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2475 drop_tty = 1; 2476 } 2477 spin_unlock(&tty->files_lock); 2478 tty_kref_put(tty); 2479 } 2480 /* Reset controlling tty. */ 2481 if (drop_tty) 2482 no_tty(); 2483 2484 /* Revalidate access to inherited open files. */ 2485 n = iterate_fd(files, 0, match_file, cred); 2486 if (!n) /* none found? */ 2487 return; 2488 2489 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2490 if (IS_ERR(devnull)) 2491 devnull = NULL; 2492 /* replace all the matching ones with this */ 2493 do { 2494 replace_fd(n - 1, devnull, 0); 2495 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2496 if (devnull) 2497 fput(devnull); 2498 } 2499 2500 /* 2501 * Prepare a process for imminent new credential changes due to exec 2502 */ 2503 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2504 { 2505 struct task_security_struct *new_tsec; 2506 struct rlimit *rlim, *initrlim; 2507 int rc, i; 2508 2509 new_tsec = selinux_cred(bprm->cred); 2510 if (new_tsec->sid == new_tsec->osid) 2511 return; 2512 2513 /* Close files for which the new task SID is not authorized. */ 2514 flush_unauthorized_files(bprm->cred, current->files); 2515 2516 /* Always clear parent death signal on SID transitions. */ 2517 current->pdeath_signal = 0; 2518 2519 /* Check whether the new SID can inherit resource limits from the old 2520 * SID. If not, reset all soft limits to the lower of the current 2521 * task's hard limit and the init task's soft limit. 2522 * 2523 * Note that the setting of hard limits (even to lower them) can be 2524 * controlled by the setrlimit check. The inclusion of the init task's 2525 * soft limit into the computation is to avoid resetting soft limits 2526 * higher than the default soft limit for cases where the default is 2527 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2528 */ 2529 rc = avc_has_perm(&selinux_state, 2530 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2531 PROCESS__RLIMITINH, NULL); 2532 if (rc) { 2533 /* protect against do_prlimit() */ 2534 task_lock(current); 2535 for (i = 0; i < RLIM_NLIMITS; i++) { 2536 rlim = current->signal->rlim + i; 2537 initrlim = init_task.signal->rlim + i; 2538 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2539 } 2540 task_unlock(current); 2541 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2542 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2543 } 2544 } 2545 2546 /* 2547 * Clean up the process immediately after the installation of new credentials 2548 * due to exec 2549 */ 2550 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2551 { 2552 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2553 u32 osid, sid; 2554 int rc; 2555 2556 osid = tsec->osid; 2557 sid = tsec->sid; 2558 2559 if (sid == osid) 2560 return; 2561 2562 /* Check whether the new SID can inherit signal state from the old SID. 2563 * If not, clear itimers to avoid subsequent signal generation and 2564 * flush and unblock signals. 2565 * 2566 * This must occur _after_ the task SID has been updated so that any 2567 * kill done after the flush will be checked against the new SID. 2568 */ 2569 rc = avc_has_perm(&selinux_state, 2570 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2571 if (rc) { 2572 clear_itimer(); 2573 2574 spin_lock_irq(¤t->sighand->siglock); 2575 if (!fatal_signal_pending(current)) { 2576 flush_sigqueue(¤t->pending); 2577 flush_sigqueue(¤t->signal->shared_pending); 2578 flush_signal_handlers(current, 1); 2579 sigemptyset(¤t->blocked); 2580 recalc_sigpending(); 2581 } 2582 spin_unlock_irq(¤t->sighand->siglock); 2583 } 2584 2585 /* Wake up the parent if it is waiting so that it can recheck 2586 * wait permission to the new task SID. */ 2587 read_lock(&tasklist_lock); 2588 __wake_up_parent(current, current->real_parent); 2589 read_unlock(&tasklist_lock); 2590 } 2591 2592 /* superblock security operations */ 2593 2594 static int selinux_sb_alloc_security(struct super_block *sb) 2595 { 2596 return superblock_alloc_security(sb); 2597 } 2598 2599 static void selinux_sb_free_security(struct super_block *sb) 2600 { 2601 superblock_free_security(sb); 2602 } 2603 2604 static inline int opt_len(const char *s) 2605 { 2606 bool open_quote = false; 2607 int len; 2608 char c; 2609 2610 for (len = 0; (c = s[len]) != '\0'; len++) { 2611 if (c == '"') 2612 open_quote = !open_quote; 2613 if (c == ',' && !open_quote) 2614 break; 2615 } 2616 return len; 2617 } 2618 2619 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) 2620 { 2621 char *from = options; 2622 char *to = options; 2623 bool first = true; 2624 int rc; 2625 2626 while (1) { 2627 int len = opt_len(from); 2628 int token; 2629 char *arg = NULL; 2630 2631 token = match_opt_prefix(from, len, &arg); 2632 2633 if (token != Opt_error) { 2634 char *p, *q; 2635 2636 /* strip quotes */ 2637 if (arg) { 2638 for (p = q = arg; p < from + len; p++) { 2639 char c = *p; 2640 if (c != '"') 2641 *q++ = c; 2642 } 2643 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); 2644 if (!arg) { 2645 rc = -ENOMEM; 2646 goto free_opt; 2647 } 2648 } 2649 rc = selinux_add_opt(token, arg, mnt_opts); 2650 if (unlikely(rc)) { 2651 kfree(arg); 2652 goto free_opt; 2653 } 2654 } else { 2655 if (!first) { // copy with preceding comma 2656 from--; 2657 len++; 2658 } 2659 if (to != from) 2660 memmove(to, from, len); 2661 to += len; 2662 first = false; 2663 } 2664 if (!from[len]) 2665 break; 2666 from += len + 1; 2667 } 2668 *to = '\0'; 2669 return 0; 2670 2671 free_opt: 2672 if (*mnt_opts) { 2673 selinux_free_mnt_opts(*mnt_opts); 2674 *mnt_opts = NULL; 2675 } 2676 return rc; 2677 } 2678 2679 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) 2680 { 2681 struct selinux_mnt_opts *opts = mnt_opts; 2682 struct superblock_security_struct *sbsec = sb->s_security; 2683 u32 sid; 2684 int rc; 2685 2686 if (!(sbsec->flags & SE_SBINITIALIZED)) 2687 return 0; 2688 2689 if (!opts) 2690 return 0; 2691 2692 if (opts->fscontext) { 2693 rc = parse_sid(sb, opts->fscontext, &sid); 2694 if (rc) 2695 return rc; 2696 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2697 goto out_bad_option; 2698 } 2699 if (opts->context) { 2700 rc = parse_sid(sb, opts->context, &sid); 2701 if (rc) 2702 return rc; 2703 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2704 goto out_bad_option; 2705 } 2706 if (opts->rootcontext) { 2707 struct inode_security_struct *root_isec; 2708 root_isec = backing_inode_security(sb->s_root); 2709 rc = parse_sid(sb, opts->rootcontext, &sid); 2710 if (rc) 2711 return rc; 2712 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2713 goto out_bad_option; 2714 } 2715 if (opts->defcontext) { 2716 rc = parse_sid(sb, opts->defcontext, &sid); 2717 if (rc) 2718 return rc; 2719 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2720 goto out_bad_option; 2721 } 2722 return 0; 2723 2724 out_bad_option: 2725 pr_warn("SELinux: unable to change security options " 2726 "during remount (dev %s, type=%s)\n", sb->s_id, 2727 sb->s_type->name); 2728 return -EINVAL; 2729 } 2730 2731 static int selinux_sb_kern_mount(struct super_block *sb) 2732 { 2733 const struct cred *cred = current_cred(); 2734 struct common_audit_data ad; 2735 2736 ad.type = LSM_AUDIT_DATA_DENTRY; 2737 ad.u.dentry = sb->s_root; 2738 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2739 } 2740 2741 static int selinux_sb_statfs(struct dentry *dentry) 2742 { 2743 const struct cred *cred = current_cred(); 2744 struct common_audit_data ad; 2745 2746 ad.type = LSM_AUDIT_DATA_DENTRY; 2747 ad.u.dentry = dentry->d_sb->s_root; 2748 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2749 } 2750 2751 static int selinux_mount(const char *dev_name, 2752 const struct path *path, 2753 const char *type, 2754 unsigned long flags, 2755 void *data) 2756 { 2757 const struct cred *cred = current_cred(); 2758 2759 if (flags & MS_REMOUNT) 2760 return superblock_has_perm(cred, path->dentry->d_sb, 2761 FILESYSTEM__REMOUNT, NULL); 2762 else 2763 return path_has_perm(cred, path, FILE__MOUNTON); 2764 } 2765 2766 static int selinux_umount(struct vfsmount *mnt, int flags) 2767 { 2768 const struct cred *cred = current_cred(); 2769 2770 return superblock_has_perm(cred, mnt->mnt_sb, 2771 FILESYSTEM__UNMOUNT, NULL); 2772 } 2773 2774 static int selinux_fs_context_dup(struct fs_context *fc, 2775 struct fs_context *src_fc) 2776 { 2777 const struct selinux_mnt_opts *src = src_fc->security; 2778 struct selinux_mnt_opts *opts; 2779 2780 if (!src) 2781 return 0; 2782 2783 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL); 2784 if (!fc->security) 2785 return -ENOMEM; 2786 2787 opts = fc->security; 2788 2789 if (src->fscontext) { 2790 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL); 2791 if (!opts->fscontext) 2792 return -ENOMEM; 2793 } 2794 if (src->context) { 2795 opts->context = kstrdup(src->context, GFP_KERNEL); 2796 if (!opts->context) 2797 return -ENOMEM; 2798 } 2799 if (src->rootcontext) { 2800 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL); 2801 if (!opts->rootcontext) 2802 return -ENOMEM; 2803 } 2804 if (src->defcontext) { 2805 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL); 2806 if (!opts->defcontext) 2807 return -ENOMEM; 2808 } 2809 return 0; 2810 } 2811 2812 static const struct fs_parameter_spec selinux_param_specs[] = { 2813 fsparam_string(CONTEXT_STR, Opt_context), 2814 fsparam_string(DEFCONTEXT_STR, Opt_defcontext), 2815 fsparam_string(FSCONTEXT_STR, Opt_fscontext), 2816 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext), 2817 fsparam_flag (SECLABEL_STR, Opt_seclabel), 2818 {} 2819 }; 2820 2821 static const struct fs_parameter_description selinux_fs_parameters = { 2822 .name = "SELinux", 2823 .specs = selinux_param_specs, 2824 }; 2825 2826 static int selinux_fs_context_parse_param(struct fs_context *fc, 2827 struct fs_parameter *param) 2828 { 2829 struct fs_parse_result result; 2830 int opt, rc; 2831 2832 opt = fs_parse(fc, &selinux_fs_parameters, param, &result); 2833 if (opt < 0) 2834 return opt; 2835 2836 rc = selinux_add_opt(opt, param->string, &fc->security); 2837 if (!rc) { 2838 param->string = NULL; 2839 rc = 1; 2840 } 2841 return rc; 2842 } 2843 2844 /* inode security operations */ 2845 2846 static int selinux_inode_alloc_security(struct inode *inode) 2847 { 2848 return inode_alloc_security(inode); 2849 } 2850 2851 static void selinux_inode_free_security(struct inode *inode) 2852 { 2853 inode_free_security(inode); 2854 } 2855 2856 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2857 const struct qstr *name, void **ctx, 2858 u32 *ctxlen) 2859 { 2860 u32 newsid; 2861 int rc; 2862 2863 rc = selinux_determine_inode_label(selinux_cred(current_cred()), 2864 d_inode(dentry->d_parent), name, 2865 inode_mode_to_security_class(mode), 2866 &newsid); 2867 if (rc) 2868 return rc; 2869 2870 return security_sid_to_context(&selinux_state, newsid, (char **)ctx, 2871 ctxlen); 2872 } 2873 2874 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2875 struct qstr *name, 2876 const struct cred *old, 2877 struct cred *new) 2878 { 2879 u32 newsid; 2880 int rc; 2881 struct task_security_struct *tsec; 2882 2883 rc = selinux_determine_inode_label(selinux_cred(old), 2884 d_inode(dentry->d_parent), name, 2885 inode_mode_to_security_class(mode), 2886 &newsid); 2887 if (rc) 2888 return rc; 2889 2890 tsec = selinux_cred(new); 2891 tsec->create_sid = newsid; 2892 return 0; 2893 } 2894 2895 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2896 const struct qstr *qstr, 2897 const char **name, 2898 void **value, size_t *len) 2899 { 2900 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2901 struct superblock_security_struct *sbsec; 2902 u32 newsid, clen; 2903 int rc; 2904 char *context; 2905 2906 sbsec = dir->i_sb->s_security; 2907 2908 newsid = tsec->create_sid; 2909 2910 rc = selinux_determine_inode_label(tsec, dir, qstr, 2911 inode_mode_to_security_class(inode->i_mode), 2912 &newsid); 2913 if (rc) 2914 return rc; 2915 2916 /* Possibly defer initialization to selinux_complete_init. */ 2917 if (sbsec->flags & SE_SBINITIALIZED) { 2918 struct inode_security_struct *isec = selinux_inode(inode); 2919 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2920 isec->sid = newsid; 2921 isec->initialized = LABEL_INITIALIZED; 2922 } 2923 2924 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT)) 2925 return -EOPNOTSUPP; 2926 2927 if (name) 2928 *name = XATTR_SELINUX_SUFFIX; 2929 2930 if (value && len) { 2931 rc = security_sid_to_context_force(&selinux_state, newsid, 2932 &context, &clen); 2933 if (rc) 2934 return rc; 2935 *value = context; 2936 *len = clen; 2937 } 2938 2939 return 0; 2940 } 2941 2942 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 2943 { 2944 return may_create(dir, dentry, SECCLASS_FILE); 2945 } 2946 2947 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2948 { 2949 return may_link(dir, old_dentry, MAY_LINK); 2950 } 2951 2952 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2953 { 2954 return may_link(dir, dentry, MAY_UNLINK); 2955 } 2956 2957 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2958 { 2959 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2960 } 2961 2962 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 2963 { 2964 return may_create(dir, dentry, SECCLASS_DIR); 2965 } 2966 2967 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2968 { 2969 return may_link(dir, dentry, MAY_RMDIR); 2970 } 2971 2972 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 2973 { 2974 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2975 } 2976 2977 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2978 struct inode *new_inode, struct dentry *new_dentry) 2979 { 2980 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2981 } 2982 2983 static int selinux_inode_readlink(struct dentry *dentry) 2984 { 2985 const struct cred *cred = current_cred(); 2986 2987 return dentry_has_perm(cred, dentry, FILE__READ); 2988 } 2989 2990 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 2991 bool rcu) 2992 { 2993 const struct cred *cred = current_cred(); 2994 struct common_audit_data ad; 2995 struct inode_security_struct *isec; 2996 u32 sid; 2997 2998 validate_creds(cred); 2999 3000 ad.type = LSM_AUDIT_DATA_DENTRY; 3001 ad.u.dentry = dentry; 3002 sid = cred_sid(cred); 3003 isec = inode_security_rcu(inode, rcu); 3004 if (IS_ERR(isec)) 3005 return PTR_ERR(isec); 3006 3007 return avc_has_perm_flags(&selinux_state, 3008 sid, isec->sid, isec->sclass, FILE__READ, &ad, 3009 rcu ? MAY_NOT_BLOCK : 0); 3010 } 3011 3012 static noinline int audit_inode_permission(struct inode *inode, 3013 u32 perms, u32 audited, u32 denied, 3014 int result) 3015 { 3016 struct common_audit_data ad; 3017 struct inode_security_struct *isec = selinux_inode(inode); 3018 int rc; 3019 3020 ad.type = LSM_AUDIT_DATA_INODE; 3021 ad.u.inode = inode; 3022 3023 rc = slow_avc_audit(&selinux_state, 3024 current_sid(), isec->sid, isec->sclass, perms, 3025 audited, denied, result, &ad); 3026 if (rc) 3027 return rc; 3028 return 0; 3029 } 3030 3031 static int selinux_inode_permission(struct inode *inode, int mask) 3032 { 3033 const struct cred *cred = current_cred(); 3034 u32 perms; 3035 bool from_access; 3036 bool no_block = mask & MAY_NOT_BLOCK; 3037 struct inode_security_struct *isec; 3038 u32 sid; 3039 struct av_decision avd; 3040 int rc, rc2; 3041 u32 audited, denied; 3042 3043 from_access = mask & MAY_ACCESS; 3044 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3045 3046 /* No permission to check. Existence test. */ 3047 if (!mask) 3048 return 0; 3049 3050 validate_creds(cred); 3051 3052 if (unlikely(IS_PRIVATE(inode))) 3053 return 0; 3054 3055 perms = file_mask_to_av(inode->i_mode, mask); 3056 3057 sid = cred_sid(cred); 3058 isec = inode_security_rcu(inode, no_block); 3059 if (IS_ERR(isec)) 3060 return PTR_ERR(isec); 3061 3062 rc = avc_has_perm_noaudit(&selinux_state, 3063 sid, isec->sid, isec->sclass, perms, 3064 no_block ? AVC_NONBLOCKING : 0, 3065 &avd); 3066 audited = avc_audit_required(perms, &avd, rc, 3067 from_access ? FILE__AUDIT_ACCESS : 0, 3068 &denied); 3069 if (likely(!audited)) 3070 return rc; 3071 3072 /* fall back to ref-walk if we have to generate audit */ 3073 if (no_block) 3074 return -ECHILD; 3075 3076 rc2 = audit_inode_permission(inode, perms, audited, denied, rc); 3077 if (rc2) 3078 return rc2; 3079 return rc; 3080 } 3081 3082 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3083 { 3084 const struct cred *cred = current_cred(); 3085 struct inode *inode = d_backing_inode(dentry); 3086 unsigned int ia_valid = iattr->ia_valid; 3087 __u32 av = FILE__WRITE; 3088 3089 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3090 if (ia_valid & ATTR_FORCE) { 3091 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3092 ATTR_FORCE); 3093 if (!ia_valid) 3094 return 0; 3095 } 3096 3097 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3098 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3099 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3100 3101 if (selinux_policycap_openperm() && 3102 inode->i_sb->s_magic != SOCKFS_MAGIC && 3103 (ia_valid & ATTR_SIZE) && 3104 !(ia_valid & ATTR_FILE)) 3105 av |= FILE__OPEN; 3106 3107 return dentry_has_perm(cred, dentry, av); 3108 } 3109 3110 static int selinux_inode_getattr(const struct path *path) 3111 { 3112 return path_has_perm(current_cred(), path, FILE__GETATTR); 3113 } 3114 3115 static bool has_cap_mac_admin(bool audit) 3116 { 3117 const struct cred *cred = current_cred(); 3118 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT; 3119 3120 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts)) 3121 return false; 3122 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true)) 3123 return false; 3124 return true; 3125 } 3126 3127 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3128 const void *value, size_t size, int flags) 3129 { 3130 struct inode *inode = d_backing_inode(dentry); 3131 struct inode_security_struct *isec; 3132 struct superblock_security_struct *sbsec; 3133 struct common_audit_data ad; 3134 u32 newsid, sid = current_sid(); 3135 int rc = 0; 3136 3137 if (strcmp(name, XATTR_NAME_SELINUX)) { 3138 rc = cap_inode_setxattr(dentry, name, value, size, flags); 3139 if (rc) 3140 return rc; 3141 3142 /* Not an attribute we recognize, so just check the 3143 ordinary setattr permission. */ 3144 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3145 } 3146 3147 if (!selinux_state.initialized) 3148 return (inode_owner_or_capable(inode) ? 0 : -EPERM); 3149 3150 sbsec = inode->i_sb->s_security; 3151 if (!(sbsec->flags & SBLABEL_MNT)) 3152 return -EOPNOTSUPP; 3153 3154 if (!inode_owner_or_capable(inode)) 3155 return -EPERM; 3156 3157 ad.type = LSM_AUDIT_DATA_DENTRY; 3158 ad.u.dentry = dentry; 3159 3160 isec = backing_inode_security(dentry); 3161 rc = avc_has_perm(&selinux_state, 3162 sid, isec->sid, isec->sclass, 3163 FILE__RELABELFROM, &ad); 3164 if (rc) 3165 return rc; 3166 3167 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3168 GFP_KERNEL); 3169 if (rc == -EINVAL) { 3170 if (!has_cap_mac_admin(true)) { 3171 struct audit_buffer *ab; 3172 size_t audit_size; 3173 3174 /* We strip a nul only if it is at the end, otherwise the 3175 * context contains a nul and we should audit that */ 3176 if (value) { 3177 const char *str = value; 3178 3179 if (str[size - 1] == '\0') 3180 audit_size = size - 1; 3181 else 3182 audit_size = size; 3183 } else { 3184 audit_size = 0; 3185 } 3186 ab = audit_log_start(audit_context(), 3187 GFP_ATOMIC, AUDIT_SELINUX_ERR); 3188 audit_log_format(ab, "op=setxattr invalid_context="); 3189 audit_log_n_untrustedstring(ab, value, audit_size); 3190 audit_log_end(ab); 3191 3192 return rc; 3193 } 3194 rc = security_context_to_sid_force(&selinux_state, value, 3195 size, &newsid); 3196 } 3197 if (rc) 3198 return rc; 3199 3200 rc = avc_has_perm(&selinux_state, 3201 sid, newsid, isec->sclass, 3202 FILE__RELABELTO, &ad); 3203 if (rc) 3204 return rc; 3205 3206 rc = security_validate_transition(&selinux_state, isec->sid, newsid, 3207 sid, isec->sclass); 3208 if (rc) 3209 return rc; 3210 3211 return avc_has_perm(&selinux_state, 3212 newsid, 3213 sbsec->sid, 3214 SECCLASS_FILESYSTEM, 3215 FILESYSTEM__ASSOCIATE, 3216 &ad); 3217 } 3218 3219 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3220 const void *value, size_t size, 3221 int flags) 3222 { 3223 struct inode *inode = d_backing_inode(dentry); 3224 struct inode_security_struct *isec; 3225 u32 newsid; 3226 int rc; 3227 3228 if (strcmp(name, XATTR_NAME_SELINUX)) { 3229 /* Not an attribute we recognize, so nothing to do. */ 3230 return; 3231 } 3232 3233 if (!selinux_state.initialized) { 3234 /* If we haven't even been initialized, then we can't validate 3235 * against a policy, so leave the label as invalid. It may 3236 * resolve to a valid label on the next revalidation try if 3237 * we've since initialized. 3238 */ 3239 return; 3240 } 3241 3242 rc = security_context_to_sid_force(&selinux_state, value, size, 3243 &newsid); 3244 if (rc) { 3245 pr_err("SELinux: unable to map context to SID" 3246 "for (%s, %lu), rc=%d\n", 3247 inode->i_sb->s_id, inode->i_ino, -rc); 3248 return; 3249 } 3250 3251 isec = backing_inode_security(dentry); 3252 spin_lock(&isec->lock); 3253 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3254 isec->sid = newsid; 3255 isec->initialized = LABEL_INITIALIZED; 3256 spin_unlock(&isec->lock); 3257 3258 return; 3259 } 3260 3261 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3262 { 3263 const struct cred *cred = current_cred(); 3264 3265 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3266 } 3267 3268 static int selinux_inode_listxattr(struct dentry *dentry) 3269 { 3270 const struct cred *cred = current_cred(); 3271 3272 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3273 } 3274 3275 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3276 { 3277 if (strcmp(name, XATTR_NAME_SELINUX)) { 3278 int rc = cap_inode_removexattr(dentry, name); 3279 if (rc) 3280 return rc; 3281 3282 /* Not an attribute we recognize, so just check the 3283 ordinary setattr permission. */ 3284 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3285 } 3286 3287 /* No one is allowed to remove a SELinux security label. 3288 You can change the label, but all data must be labeled. */ 3289 return -EACCES; 3290 } 3291 3292 static int selinux_path_notify(const struct path *path, u64 mask, 3293 unsigned int obj_type) 3294 { 3295 int ret; 3296 u32 perm; 3297 3298 struct common_audit_data ad; 3299 3300 ad.type = LSM_AUDIT_DATA_PATH; 3301 ad.u.path = *path; 3302 3303 /* 3304 * Set permission needed based on the type of mark being set. 3305 * Performs an additional check for sb watches. 3306 */ 3307 switch (obj_type) { 3308 case FSNOTIFY_OBJ_TYPE_VFSMOUNT: 3309 perm = FILE__WATCH_MOUNT; 3310 break; 3311 case FSNOTIFY_OBJ_TYPE_SB: 3312 perm = FILE__WATCH_SB; 3313 ret = superblock_has_perm(current_cred(), path->dentry->d_sb, 3314 FILESYSTEM__WATCH, &ad); 3315 if (ret) 3316 return ret; 3317 break; 3318 case FSNOTIFY_OBJ_TYPE_INODE: 3319 perm = FILE__WATCH; 3320 break; 3321 default: 3322 return -EINVAL; 3323 } 3324 3325 /* blocking watches require the file:watch_with_perm permission */ 3326 if (mask & (ALL_FSNOTIFY_PERM_EVENTS)) 3327 perm |= FILE__WATCH_WITH_PERM; 3328 3329 /* watches on read-like events need the file:watch_reads permission */ 3330 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE)) 3331 perm |= FILE__WATCH_READS; 3332 3333 return path_has_perm(current_cred(), path, perm); 3334 } 3335 3336 /* 3337 * Copy the inode security context value to the user. 3338 * 3339 * Permission check is handled by selinux_inode_getxattr hook. 3340 */ 3341 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3342 { 3343 u32 size; 3344 int error; 3345 char *context = NULL; 3346 struct inode_security_struct *isec; 3347 3348 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3349 return -EOPNOTSUPP; 3350 3351 /* 3352 * If the caller has CAP_MAC_ADMIN, then get the raw context 3353 * value even if it is not defined by current policy; otherwise, 3354 * use the in-core value under current policy. 3355 * Use the non-auditing forms of the permission checks since 3356 * getxattr may be called by unprivileged processes commonly 3357 * and lack of permission just means that we fall back to the 3358 * in-core context value, not a denial. 3359 */ 3360 isec = inode_security(inode); 3361 if (has_cap_mac_admin(false)) 3362 error = security_sid_to_context_force(&selinux_state, 3363 isec->sid, &context, 3364 &size); 3365 else 3366 error = security_sid_to_context(&selinux_state, isec->sid, 3367 &context, &size); 3368 if (error) 3369 return error; 3370 error = size; 3371 if (alloc) { 3372 *buffer = context; 3373 goto out_nofree; 3374 } 3375 kfree(context); 3376 out_nofree: 3377 return error; 3378 } 3379 3380 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3381 const void *value, size_t size, int flags) 3382 { 3383 struct inode_security_struct *isec = inode_security_novalidate(inode); 3384 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 3385 u32 newsid; 3386 int rc; 3387 3388 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3389 return -EOPNOTSUPP; 3390 3391 if (!(sbsec->flags & SBLABEL_MNT)) 3392 return -EOPNOTSUPP; 3393 3394 if (!value || !size) 3395 return -EACCES; 3396 3397 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3398 GFP_KERNEL); 3399 if (rc) 3400 return rc; 3401 3402 spin_lock(&isec->lock); 3403 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3404 isec->sid = newsid; 3405 isec->initialized = LABEL_INITIALIZED; 3406 spin_unlock(&isec->lock); 3407 return 0; 3408 } 3409 3410 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3411 { 3412 const int len = sizeof(XATTR_NAME_SELINUX); 3413 if (buffer && len <= buffer_size) 3414 memcpy(buffer, XATTR_NAME_SELINUX, len); 3415 return len; 3416 } 3417 3418 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3419 { 3420 struct inode_security_struct *isec = inode_security_novalidate(inode); 3421 *secid = isec->sid; 3422 } 3423 3424 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3425 { 3426 u32 sid; 3427 struct task_security_struct *tsec; 3428 struct cred *new_creds = *new; 3429 3430 if (new_creds == NULL) { 3431 new_creds = prepare_creds(); 3432 if (!new_creds) 3433 return -ENOMEM; 3434 } 3435 3436 tsec = selinux_cred(new_creds); 3437 /* Get label from overlay inode and set it in create_sid */ 3438 selinux_inode_getsecid(d_inode(src), &sid); 3439 tsec->create_sid = sid; 3440 *new = new_creds; 3441 return 0; 3442 } 3443 3444 static int selinux_inode_copy_up_xattr(const char *name) 3445 { 3446 /* The copy_up hook above sets the initial context on an inode, but we 3447 * don't then want to overwrite it by blindly copying all the lower 3448 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3449 */ 3450 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3451 return 1; /* Discard */ 3452 /* 3453 * Any other attribute apart from SELINUX is not claimed, supported 3454 * by selinux. 3455 */ 3456 return -EOPNOTSUPP; 3457 } 3458 3459 /* kernfs node operations */ 3460 3461 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, 3462 struct kernfs_node *kn) 3463 { 3464 const struct task_security_struct *tsec = selinux_cred(current_cred()); 3465 u32 parent_sid, newsid, clen; 3466 int rc; 3467 char *context; 3468 3469 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0); 3470 if (rc == -ENODATA) 3471 return 0; 3472 else if (rc < 0) 3473 return rc; 3474 3475 clen = (u32)rc; 3476 context = kmalloc(clen, GFP_KERNEL); 3477 if (!context) 3478 return -ENOMEM; 3479 3480 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen); 3481 if (rc < 0) { 3482 kfree(context); 3483 return rc; 3484 } 3485 3486 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid, 3487 GFP_KERNEL); 3488 kfree(context); 3489 if (rc) 3490 return rc; 3491 3492 if (tsec->create_sid) { 3493 newsid = tsec->create_sid; 3494 } else { 3495 u16 secclass = inode_mode_to_security_class(kn->mode); 3496 struct qstr q; 3497 3498 q.name = kn->name; 3499 q.hash_len = hashlen_string(kn_dir, kn->name); 3500 3501 rc = security_transition_sid(&selinux_state, tsec->sid, 3502 parent_sid, secclass, &q, 3503 &newsid); 3504 if (rc) 3505 return rc; 3506 } 3507 3508 rc = security_sid_to_context_force(&selinux_state, newsid, 3509 &context, &clen); 3510 if (rc) 3511 return rc; 3512 3513 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen, 3514 XATTR_CREATE); 3515 kfree(context); 3516 return rc; 3517 } 3518 3519 3520 /* file security operations */ 3521 3522 static int selinux_revalidate_file_permission(struct file *file, int mask) 3523 { 3524 const struct cred *cred = current_cred(); 3525 struct inode *inode = file_inode(file); 3526 3527 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3528 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3529 mask |= MAY_APPEND; 3530 3531 return file_has_perm(cred, file, 3532 file_mask_to_av(inode->i_mode, mask)); 3533 } 3534 3535 static int selinux_file_permission(struct file *file, int mask) 3536 { 3537 struct inode *inode = file_inode(file); 3538 struct file_security_struct *fsec = selinux_file(file); 3539 struct inode_security_struct *isec; 3540 u32 sid = current_sid(); 3541 3542 if (!mask) 3543 /* No permission to check. Existence test. */ 3544 return 0; 3545 3546 isec = inode_security(inode); 3547 if (sid == fsec->sid && fsec->isid == isec->sid && 3548 fsec->pseqno == avc_policy_seqno(&selinux_state)) 3549 /* No change since file_open check. */ 3550 return 0; 3551 3552 return selinux_revalidate_file_permission(file, mask); 3553 } 3554 3555 static int selinux_file_alloc_security(struct file *file) 3556 { 3557 return file_alloc_security(file); 3558 } 3559 3560 /* 3561 * Check whether a task has the ioctl permission and cmd 3562 * operation to an inode. 3563 */ 3564 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3565 u32 requested, u16 cmd) 3566 { 3567 struct common_audit_data ad; 3568 struct file_security_struct *fsec = selinux_file(file); 3569 struct inode *inode = file_inode(file); 3570 struct inode_security_struct *isec; 3571 struct lsm_ioctlop_audit ioctl; 3572 u32 ssid = cred_sid(cred); 3573 int rc; 3574 u8 driver = cmd >> 8; 3575 u8 xperm = cmd & 0xff; 3576 3577 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3578 ad.u.op = &ioctl; 3579 ad.u.op->cmd = cmd; 3580 ad.u.op->path = file->f_path; 3581 3582 if (ssid != fsec->sid) { 3583 rc = avc_has_perm(&selinux_state, 3584 ssid, fsec->sid, 3585 SECCLASS_FD, 3586 FD__USE, 3587 &ad); 3588 if (rc) 3589 goto out; 3590 } 3591 3592 if (unlikely(IS_PRIVATE(inode))) 3593 return 0; 3594 3595 isec = inode_security(inode); 3596 rc = avc_has_extended_perms(&selinux_state, 3597 ssid, isec->sid, isec->sclass, 3598 requested, driver, xperm, &ad); 3599 out: 3600 return rc; 3601 } 3602 3603 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3604 unsigned long arg) 3605 { 3606 const struct cred *cred = current_cred(); 3607 int error = 0; 3608 3609 switch (cmd) { 3610 case FIONREAD: 3611 /* fall through */ 3612 case FIBMAP: 3613 /* fall through */ 3614 case FIGETBSZ: 3615 /* fall through */ 3616 case FS_IOC_GETFLAGS: 3617 /* fall through */ 3618 case FS_IOC_GETVERSION: 3619 error = file_has_perm(cred, file, FILE__GETATTR); 3620 break; 3621 3622 case FS_IOC_SETFLAGS: 3623 /* fall through */ 3624 case FS_IOC_SETVERSION: 3625 error = file_has_perm(cred, file, FILE__SETATTR); 3626 break; 3627 3628 /* sys_ioctl() checks */ 3629 case FIONBIO: 3630 /* fall through */ 3631 case FIOASYNC: 3632 error = file_has_perm(cred, file, 0); 3633 break; 3634 3635 case KDSKBENT: 3636 case KDSKBSENT: 3637 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3638 CAP_OPT_NONE, true); 3639 break; 3640 3641 /* default case assumes that the command will go 3642 * to the file's ioctl() function. 3643 */ 3644 default: 3645 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3646 } 3647 return error; 3648 } 3649 3650 static int default_noexec __ro_after_init; 3651 3652 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3653 { 3654 const struct cred *cred = current_cred(); 3655 u32 sid = cred_sid(cred); 3656 int rc = 0; 3657 3658 if (default_noexec && 3659 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3660 (!shared && (prot & PROT_WRITE)))) { 3661 /* 3662 * We are making executable an anonymous mapping or a 3663 * private file mapping that will also be writable. 3664 * This has an additional check. 3665 */ 3666 rc = avc_has_perm(&selinux_state, 3667 sid, sid, SECCLASS_PROCESS, 3668 PROCESS__EXECMEM, NULL); 3669 if (rc) 3670 goto error; 3671 } 3672 3673 if (file) { 3674 /* read access is always possible with a mapping */ 3675 u32 av = FILE__READ; 3676 3677 /* write access only matters if the mapping is shared */ 3678 if (shared && (prot & PROT_WRITE)) 3679 av |= FILE__WRITE; 3680 3681 if (prot & PROT_EXEC) 3682 av |= FILE__EXECUTE; 3683 3684 return file_has_perm(cred, file, av); 3685 } 3686 3687 error: 3688 return rc; 3689 } 3690 3691 static int selinux_mmap_addr(unsigned long addr) 3692 { 3693 int rc = 0; 3694 3695 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3696 u32 sid = current_sid(); 3697 rc = avc_has_perm(&selinux_state, 3698 sid, sid, SECCLASS_MEMPROTECT, 3699 MEMPROTECT__MMAP_ZERO, NULL); 3700 } 3701 3702 return rc; 3703 } 3704 3705 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3706 unsigned long prot, unsigned long flags) 3707 { 3708 struct common_audit_data ad; 3709 int rc; 3710 3711 if (file) { 3712 ad.type = LSM_AUDIT_DATA_FILE; 3713 ad.u.file = file; 3714 rc = inode_has_perm(current_cred(), file_inode(file), 3715 FILE__MAP, &ad); 3716 if (rc) 3717 return rc; 3718 } 3719 3720 if (selinux_state.checkreqprot) 3721 prot = reqprot; 3722 3723 return file_map_prot_check(file, prot, 3724 (flags & MAP_TYPE) == MAP_SHARED); 3725 } 3726 3727 static int selinux_file_mprotect(struct vm_area_struct *vma, 3728 unsigned long reqprot, 3729 unsigned long prot) 3730 { 3731 const struct cred *cred = current_cred(); 3732 u32 sid = cred_sid(cred); 3733 3734 if (selinux_state.checkreqprot) 3735 prot = reqprot; 3736 3737 if (default_noexec && 3738 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3739 int rc = 0; 3740 if (vma->vm_start >= vma->vm_mm->start_brk && 3741 vma->vm_end <= vma->vm_mm->brk) { 3742 rc = avc_has_perm(&selinux_state, 3743 sid, sid, SECCLASS_PROCESS, 3744 PROCESS__EXECHEAP, NULL); 3745 } else if (!vma->vm_file && 3746 ((vma->vm_start <= vma->vm_mm->start_stack && 3747 vma->vm_end >= vma->vm_mm->start_stack) || 3748 vma_is_stack_for_current(vma))) { 3749 rc = avc_has_perm(&selinux_state, 3750 sid, sid, SECCLASS_PROCESS, 3751 PROCESS__EXECSTACK, NULL); 3752 } else if (vma->vm_file && vma->anon_vma) { 3753 /* 3754 * We are making executable a file mapping that has 3755 * had some COW done. Since pages might have been 3756 * written, check ability to execute the possibly 3757 * modified content. This typically should only 3758 * occur for text relocations. 3759 */ 3760 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3761 } 3762 if (rc) 3763 return rc; 3764 } 3765 3766 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3767 } 3768 3769 static int selinux_file_lock(struct file *file, unsigned int cmd) 3770 { 3771 const struct cred *cred = current_cred(); 3772 3773 return file_has_perm(cred, file, FILE__LOCK); 3774 } 3775 3776 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3777 unsigned long arg) 3778 { 3779 const struct cred *cred = current_cred(); 3780 int err = 0; 3781 3782 switch (cmd) { 3783 case F_SETFL: 3784 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3785 err = file_has_perm(cred, file, FILE__WRITE); 3786 break; 3787 } 3788 /* fall through */ 3789 case F_SETOWN: 3790 case F_SETSIG: 3791 case F_GETFL: 3792 case F_GETOWN: 3793 case F_GETSIG: 3794 case F_GETOWNER_UIDS: 3795 /* Just check FD__USE permission */ 3796 err = file_has_perm(cred, file, 0); 3797 break; 3798 case F_GETLK: 3799 case F_SETLK: 3800 case F_SETLKW: 3801 case F_OFD_GETLK: 3802 case F_OFD_SETLK: 3803 case F_OFD_SETLKW: 3804 #if BITS_PER_LONG == 32 3805 case F_GETLK64: 3806 case F_SETLK64: 3807 case F_SETLKW64: 3808 #endif 3809 err = file_has_perm(cred, file, FILE__LOCK); 3810 break; 3811 } 3812 3813 return err; 3814 } 3815 3816 static void selinux_file_set_fowner(struct file *file) 3817 { 3818 struct file_security_struct *fsec; 3819 3820 fsec = selinux_file(file); 3821 fsec->fown_sid = current_sid(); 3822 } 3823 3824 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3825 struct fown_struct *fown, int signum) 3826 { 3827 struct file *file; 3828 u32 sid = task_sid(tsk); 3829 u32 perm; 3830 struct file_security_struct *fsec; 3831 3832 /* struct fown_struct is never outside the context of a struct file */ 3833 file = container_of(fown, struct file, f_owner); 3834 3835 fsec = selinux_file(file); 3836 3837 if (!signum) 3838 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3839 else 3840 perm = signal_to_av(signum); 3841 3842 return avc_has_perm(&selinux_state, 3843 fsec->fown_sid, sid, 3844 SECCLASS_PROCESS, perm, NULL); 3845 } 3846 3847 static int selinux_file_receive(struct file *file) 3848 { 3849 const struct cred *cred = current_cred(); 3850 3851 return file_has_perm(cred, file, file_to_av(file)); 3852 } 3853 3854 static int selinux_file_open(struct file *file) 3855 { 3856 struct file_security_struct *fsec; 3857 struct inode_security_struct *isec; 3858 3859 fsec = selinux_file(file); 3860 isec = inode_security(file_inode(file)); 3861 /* 3862 * Save inode label and policy sequence number 3863 * at open-time so that selinux_file_permission 3864 * can determine whether revalidation is necessary. 3865 * Task label is already saved in the file security 3866 * struct as its SID. 3867 */ 3868 fsec->isid = isec->sid; 3869 fsec->pseqno = avc_policy_seqno(&selinux_state); 3870 /* 3871 * Since the inode label or policy seqno may have changed 3872 * between the selinux_inode_permission check and the saving 3873 * of state above, recheck that access is still permitted. 3874 * Otherwise, access might never be revalidated against the 3875 * new inode label or new policy. 3876 * This check is not redundant - do not remove. 3877 */ 3878 return file_path_has_perm(file->f_cred, file, open_file_to_av(file)); 3879 } 3880 3881 /* task security operations */ 3882 3883 static int selinux_task_alloc(struct task_struct *task, 3884 unsigned long clone_flags) 3885 { 3886 u32 sid = current_sid(); 3887 3888 return avc_has_perm(&selinux_state, 3889 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3890 } 3891 3892 /* 3893 * prepare a new set of credentials for modification 3894 */ 3895 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3896 gfp_t gfp) 3897 { 3898 const struct task_security_struct *old_tsec = selinux_cred(old); 3899 struct task_security_struct *tsec = selinux_cred(new); 3900 3901 *tsec = *old_tsec; 3902 return 0; 3903 } 3904 3905 /* 3906 * transfer the SELinux data to a blank set of creds 3907 */ 3908 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3909 { 3910 const struct task_security_struct *old_tsec = selinux_cred(old); 3911 struct task_security_struct *tsec = selinux_cred(new); 3912 3913 *tsec = *old_tsec; 3914 } 3915 3916 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 3917 { 3918 *secid = cred_sid(c); 3919 } 3920 3921 /* 3922 * set the security data for a kernel service 3923 * - all the creation contexts are set to unlabelled 3924 */ 3925 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3926 { 3927 struct task_security_struct *tsec = selinux_cred(new); 3928 u32 sid = current_sid(); 3929 int ret; 3930 3931 ret = avc_has_perm(&selinux_state, 3932 sid, secid, 3933 SECCLASS_KERNEL_SERVICE, 3934 KERNEL_SERVICE__USE_AS_OVERRIDE, 3935 NULL); 3936 if (ret == 0) { 3937 tsec->sid = secid; 3938 tsec->create_sid = 0; 3939 tsec->keycreate_sid = 0; 3940 tsec->sockcreate_sid = 0; 3941 } 3942 return ret; 3943 } 3944 3945 /* 3946 * set the file creation context in a security record to the same as the 3947 * objective context of the specified inode 3948 */ 3949 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3950 { 3951 struct inode_security_struct *isec = inode_security(inode); 3952 struct task_security_struct *tsec = selinux_cred(new); 3953 u32 sid = current_sid(); 3954 int ret; 3955 3956 ret = avc_has_perm(&selinux_state, 3957 sid, isec->sid, 3958 SECCLASS_KERNEL_SERVICE, 3959 KERNEL_SERVICE__CREATE_FILES_AS, 3960 NULL); 3961 3962 if (ret == 0) 3963 tsec->create_sid = isec->sid; 3964 return ret; 3965 } 3966 3967 static int selinux_kernel_module_request(char *kmod_name) 3968 { 3969 struct common_audit_data ad; 3970 3971 ad.type = LSM_AUDIT_DATA_KMOD; 3972 ad.u.kmod_name = kmod_name; 3973 3974 return avc_has_perm(&selinux_state, 3975 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 3976 SYSTEM__MODULE_REQUEST, &ad); 3977 } 3978 3979 static int selinux_kernel_module_from_file(struct file *file) 3980 { 3981 struct common_audit_data ad; 3982 struct inode_security_struct *isec; 3983 struct file_security_struct *fsec; 3984 u32 sid = current_sid(); 3985 int rc; 3986 3987 /* init_module */ 3988 if (file == NULL) 3989 return avc_has_perm(&selinux_state, 3990 sid, sid, SECCLASS_SYSTEM, 3991 SYSTEM__MODULE_LOAD, NULL); 3992 3993 /* finit_module */ 3994 3995 ad.type = LSM_AUDIT_DATA_FILE; 3996 ad.u.file = file; 3997 3998 fsec = selinux_file(file); 3999 if (sid != fsec->sid) { 4000 rc = avc_has_perm(&selinux_state, 4001 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4002 if (rc) 4003 return rc; 4004 } 4005 4006 isec = inode_security(file_inode(file)); 4007 return avc_has_perm(&selinux_state, 4008 sid, isec->sid, SECCLASS_SYSTEM, 4009 SYSTEM__MODULE_LOAD, &ad); 4010 } 4011 4012 static int selinux_kernel_read_file(struct file *file, 4013 enum kernel_read_file_id id) 4014 { 4015 int rc = 0; 4016 4017 switch (id) { 4018 case READING_MODULE: 4019 rc = selinux_kernel_module_from_file(file); 4020 break; 4021 default: 4022 break; 4023 } 4024 4025 return rc; 4026 } 4027 4028 static int selinux_kernel_load_data(enum kernel_load_data_id id) 4029 { 4030 int rc = 0; 4031 4032 switch (id) { 4033 case LOADING_MODULE: 4034 rc = selinux_kernel_module_from_file(NULL); 4035 default: 4036 break; 4037 } 4038 4039 return rc; 4040 } 4041 4042 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4043 { 4044 return avc_has_perm(&selinux_state, 4045 current_sid(), task_sid(p), SECCLASS_PROCESS, 4046 PROCESS__SETPGID, NULL); 4047 } 4048 4049 static int selinux_task_getpgid(struct task_struct *p) 4050 { 4051 return avc_has_perm(&selinux_state, 4052 current_sid(), task_sid(p), SECCLASS_PROCESS, 4053 PROCESS__GETPGID, NULL); 4054 } 4055 4056 static int selinux_task_getsid(struct task_struct *p) 4057 { 4058 return avc_has_perm(&selinux_state, 4059 current_sid(), task_sid(p), SECCLASS_PROCESS, 4060 PROCESS__GETSESSION, NULL); 4061 } 4062 4063 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 4064 { 4065 *secid = task_sid(p); 4066 } 4067 4068 static int selinux_task_setnice(struct task_struct *p, int nice) 4069 { 4070 return avc_has_perm(&selinux_state, 4071 current_sid(), task_sid(p), SECCLASS_PROCESS, 4072 PROCESS__SETSCHED, NULL); 4073 } 4074 4075 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4076 { 4077 return avc_has_perm(&selinux_state, 4078 current_sid(), task_sid(p), SECCLASS_PROCESS, 4079 PROCESS__SETSCHED, NULL); 4080 } 4081 4082 static int selinux_task_getioprio(struct task_struct *p) 4083 { 4084 return avc_has_perm(&selinux_state, 4085 current_sid(), task_sid(p), SECCLASS_PROCESS, 4086 PROCESS__GETSCHED, NULL); 4087 } 4088 4089 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4090 unsigned int flags) 4091 { 4092 u32 av = 0; 4093 4094 if (!flags) 4095 return 0; 4096 if (flags & LSM_PRLIMIT_WRITE) 4097 av |= PROCESS__SETRLIMIT; 4098 if (flags & LSM_PRLIMIT_READ) 4099 av |= PROCESS__GETRLIMIT; 4100 return avc_has_perm(&selinux_state, 4101 cred_sid(cred), cred_sid(tcred), 4102 SECCLASS_PROCESS, av, NULL); 4103 } 4104 4105 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4106 struct rlimit *new_rlim) 4107 { 4108 struct rlimit *old_rlim = p->signal->rlim + resource; 4109 4110 /* Control the ability to change the hard limit (whether 4111 lowering or raising it), so that the hard limit can 4112 later be used as a safe reset point for the soft limit 4113 upon context transitions. See selinux_bprm_committing_creds. */ 4114 if (old_rlim->rlim_max != new_rlim->rlim_max) 4115 return avc_has_perm(&selinux_state, 4116 current_sid(), task_sid(p), 4117 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4118 4119 return 0; 4120 } 4121 4122 static int selinux_task_setscheduler(struct task_struct *p) 4123 { 4124 return avc_has_perm(&selinux_state, 4125 current_sid(), task_sid(p), SECCLASS_PROCESS, 4126 PROCESS__SETSCHED, NULL); 4127 } 4128 4129 static int selinux_task_getscheduler(struct task_struct *p) 4130 { 4131 return avc_has_perm(&selinux_state, 4132 current_sid(), task_sid(p), SECCLASS_PROCESS, 4133 PROCESS__GETSCHED, NULL); 4134 } 4135 4136 static int selinux_task_movememory(struct task_struct *p) 4137 { 4138 return avc_has_perm(&selinux_state, 4139 current_sid(), task_sid(p), SECCLASS_PROCESS, 4140 PROCESS__SETSCHED, NULL); 4141 } 4142 4143 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, 4144 int sig, const struct cred *cred) 4145 { 4146 u32 secid; 4147 u32 perm; 4148 4149 if (!sig) 4150 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4151 else 4152 perm = signal_to_av(sig); 4153 if (!cred) 4154 secid = current_sid(); 4155 else 4156 secid = cred_sid(cred); 4157 return avc_has_perm(&selinux_state, 4158 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4159 } 4160 4161 static void selinux_task_to_inode(struct task_struct *p, 4162 struct inode *inode) 4163 { 4164 struct inode_security_struct *isec = selinux_inode(inode); 4165 u32 sid = task_sid(p); 4166 4167 spin_lock(&isec->lock); 4168 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4169 isec->sid = sid; 4170 isec->initialized = LABEL_INITIALIZED; 4171 spin_unlock(&isec->lock); 4172 } 4173 4174 /* Returns error only if unable to parse addresses */ 4175 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4176 struct common_audit_data *ad, u8 *proto) 4177 { 4178 int offset, ihlen, ret = -EINVAL; 4179 struct iphdr _iph, *ih; 4180 4181 offset = skb_network_offset(skb); 4182 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4183 if (ih == NULL) 4184 goto out; 4185 4186 ihlen = ih->ihl * 4; 4187 if (ihlen < sizeof(_iph)) 4188 goto out; 4189 4190 ad->u.net->v4info.saddr = ih->saddr; 4191 ad->u.net->v4info.daddr = ih->daddr; 4192 ret = 0; 4193 4194 if (proto) 4195 *proto = ih->protocol; 4196 4197 switch (ih->protocol) { 4198 case IPPROTO_TCP: { 4199 struct tcphdr _tcph, *th; 4200 4201 if (ntohs(ih->frag_off) & IP_OFFSET) 4202 break; 4203 4204 offset += ihlen; 4205 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4206 if (th == NULL) 4207 break; 4208 4209 ad->u.net->sport = th->source; 4210 ad->u.net->dport = th->dest; 4211 break; 4212 } 4213 4214 case IPPROTO_UDP: { 4215 struct udphdr _udph, *uh; 4216 4217 if (ntohs(ih->frag_off) & IP_OFFSET) 4218 break; 4219 4220 offset += ihlen; 4221 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4222 if (uh == NULL) 4223 break; 4224 4225 ad->u.net->sport = uh->source; 4226 ad->u.net->dport = uh->dest; 4227 break; 4228 } 4229 4230 case IPPROTO_DCCP: { 4231 struct dccp_hdr _dccph, *dh; 4232 4233 if (ntohs(ih->frag_off) & IP_OFFSET) 4234 break; 4235 4236 offset += ihlen; 4237 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4238 if (dh == NULL) 4239 break; 4240 4241 ad->u.net->sport = dh->dccph_sport; 4242 ad->u.net->dport = dh->dccph_dport; 4243 break; 4244 } 4245 4246 #if IS_ENABLED(CONFIG_IP_SCTP) 4247 case IPPROTO_SCTP: { 4248 struct sctphdr _sctph, *sh; 4249 4250 if (ntohs(ih->frag_off) & IP_OFFSET) 4251 break; 4252 4253 offset += ihlen; 4254 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4255 if (sh == NULL) 4256 break; 4257 4258 ad->u.net->sport = sh->source; 4259 ad->u.net->dport = sh->dest; 4260 break; 4261 } 4262 #endif 4263 default: 4264 break; 4265 } 4266 out: 4267 return ret; 4268 } 4269 4270 #if IS_ENABLED(CONFIG_IPV6) 4271 4272 /* Returns error only if unable to parse addresses */ 4273 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4274 struct common_audit_data *ad, u8 *proto) 4275 { 4276 u8 nexthdr; 4277 int ret = -EINVAL, offset; 4278 struct ipv6hdr _ipv6h, *ip6; 4279 __be16 frag_off; 4280 4281 offset = skb_network_offset(skb); 4282 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4283 if (ip6 == NULL) 4284 goto out; 4285 4286 ad->u.net->v6info.saddr = ip6->saddr; 4287 ad->u.net->v6info.daddr = ip6->daddr; 4288 ret = 0; 4289 4290 nexthdr = ip6->nexthdr; 4291 offset += sizeof(_ipv6h); 4292 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4293 if (offset < 0) 4294 goto out; 4295 4296 if (proto) 4297 *proto = nexthdr; 4298 4299 switch (nexthdr) { 4300 case IPPROTO_TCP: { 4301 struct tcphdr _tcph, *th; 4302 4303 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4304 if (th == NULL) 4305 break; 4306 4307 ad->u.net->sport = th->source; 4308 ad->u.net->dport = th->dest; 4309 break; 4310 } 4311 4312 case IPPROTO_UDP: { 4313 struct udphdr _udph, *uh; 4314 4315 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4316 if (uh == NULL) 4317 break; 4318 4319 ad->u.net->sport = uh->source; 4320 ad->u.net->dport = uh->dest; 4321 break; 4322 } 4323 4324 case IPPROTO_DCCP: { 4325 struct dccp_hdr _dccph, *dh; 4326 4327 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4328 if (dh == NULL) 4329 break; 4330 4331 ad->u.net->sport = dh->dccph_sport; 4332 ad->u.net->dport = dh->dccph_dport; 4333 break; 4334 } 4335 4336 #if IS_ENABLED(CONFIG_IP_SCTP) 4337 case IPPROTO_SCTP: { 4338 struct sctphdr _sctph, *sh; 4339 4340 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4341 if (sh == NULL) 4342 break; 4343 4344 ad->u.net->sport = sh->source; 4345 ad->u.net->dport = sh->dest; 4346 break; 4347 } 4348 #endif 4349 /* includes fragments */ 4350 default: 4351 break; 4352 } 4353 out: 4354 return ret; 4355 } 4356 4357 #endif /* IPV6 */ 4358 4359 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4360 char **_addrp, int src, u8 *proto) 4361 { 4362 char *addrp; 4363 int ret; 4364 4365 switch (ad->u.net->family) { 4366 case PF_INET: 4367 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4368 if (ret) 4369 goto parse_error; 4370 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4371 &ad->u.net->v4info.daddr); 4372 goto okay; 4373 4374 #if IS_ENABLED(CONFIG_IPV6) 4375 case PF_INET6: 4376 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4377 if (ret) 4378 goto parse_error; 4379 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4380 &ad->u.net->v6info.daddr); 4381 goto okay; 4382 #endif /* IPV6 */ 4383 default: 4384 addrp = NULL; 4385 goto okay; 4386 } 4387 4388 parse_error: 4389 pr_warn( 4390 "SELinux: failure in selinux_parse_skb()," 4391 " unable to parse packet\n"); 4392 return ret; 4393 4394 okay: 4395 if (_addrp) 4396 *_addrp = addrp; 4397 return 0; 4398 } 4399 4400 /** 4401 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4402 * @skb: the packet 4403 * @family: protocol family 4404 * @sid: the packet's peer label SID 4405 * 4406 * Description: 4407 * Check the various different forms of network peer labeling and determine 4408 * the peer label/SID for the packet; most of the magic actually occurs in 4409 * the security server function security_net_peersid_cmp(). The function 4410 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4411 * or -EACCES if @sid is invalid due to inconsistencies with the different 4412 * peer labels. 4413 * 4414 */ 4415 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4416 { 4417 int err; 4418 u32 xfrm_sid; 4419 u32 nlbl_sid; 4420 u32 nlbl_type; 4421 4422 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4423 if (unlikely(err)) 4424 return -EACCES; 4425 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4426 if (unlikely(err)) 4427 return -EACCES; 4428 4429 err = security_net_peersid_resolve(&selinux_state, nlbl_sid, 4430 nlbl_type, xfrm_sid, sid); 4431 if (unlikely(err)) { 4432 pr_warn( 4433 "SELinux: failure in selinux_skb_peerlbl_sid()," 4434 " unable to determine packet's peer label\n"); 4435 return -EACCES; 4436 } 4437 4438 return 0; 4439 } 4440 4441 /** 4442 * selinux_conn_sid - Determine the child socket label for a connection 4443 * @sk_sid: the parent socket's SID 4444 * @skb_sid: the packet's SID 4445 * @conn_sid: the resulting connection SID 4446 * 4447 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4448 * combined with the MLS information from @skb_sid in order to create 4449 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy 4450 * of @sk_sid. Returns zero on success, negative values on failure. 4451 * 4452 */ 4453 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4454 { 4455 int err = 0; 4456 4457 if (skb_sid != SECSID_NULL) 4458 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid, 4459 conn_sid); 4460 else 4461 *conn_sid = sk_sid; 4462 4463 return err; 4464 } 4465 4466 /* socket security operations */ 4467 4468 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4469 u16 secclass, u32 *socksid) 4470 { 4471 if (tsec->sockcreate_sid > SECSID_NULL) { 4472 *socksid = tsec->sockcreate_sid; 4473 return 0; 4474 } 4475 4476 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid, 4477 secclass, NULL, socksid); 4478 } 4479 4480 static int sock_has_perm(struct sock *sk, u32 perms) 4481 { 4482 struct sk_security_struct *sksec = sk->sk_security; 4483 struct common_audit_data ad; 4484 struct lsm_network_audit net = {0,}; 4485 4486 if (sksec->sid == SECINITSID_KERNEL) 4487 return 0; 4488 4489 ad.type = LSM_AUDIT_DATA_NET; 4490 ad.u.net = &net; 4491 ad.u.net->sk = sk; 4492 4493 return avc_has_perm(&selinux_state, 4494 current_sid(), sksec->sid, sksec->sclass, perms, 4495 &ad); 4496 } 4497 4498 static int selinux_socket_create(int family, int type, 4499 int protocol, int kern) 4500 { 4501 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4502 u32 newsid; 4503 u16 secclass; 4504 int rc; 4505 4506 if (kern) 4507 return 0; 4508 4509 secclass = socket_type_to_security_class(family, type, protocol); 4510 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4511 if (rc) 4512 return rc; 4513 4514 return avc_has_perm(&selinux_state, 4515 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4516 } 4517 4518 static int selinux_socket_post_create(struct socket *sock, int family, 4519 int type, int protocol, int kern) 4520 { 4521 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4522 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4523 struct sk_security_struct *sksec; 4524 u16 sclass = socket_type_to_security_class(family, type, protocol); 4525 u32 sid = SECINITSID_KERNEL; 4526 int err = 0; 4527 4528 if (!kern) { 4529 err = socket_sockcreate_sid(tsec, sclass, &sid); 4530 if (err) 4531 return err; 4532 } 4533 4534 isec->sclass = sclass; 4535 isec->sid = sid; 4536 isec->initialized = LABEL_INITIALIZED; 4537 4538 if (sock->sk) { 4539 sksec = sock->sk->sk_security; 4540 sksec->sclass = sclass; 4541 sksec->sid = sid; 4542 /* Allows detection of the first association on this socket */ 4543 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4544 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4545 4546 err = selinux_netlbl_socket_post_create(sock->sk, family); 4547 } 4548 4549 return err; 4550 } 4551 4552 static int selinux_socket_socketpair(struct socket *socka, 4553 struct socket *sockb) 4554 { 4555 struct sk_security_struct *sksec_a = socka->sk->sk_security; 4556 struct sk_security_struct *sksec_b = sockb->sk->sk_security; 4557 4558 sksec_a->peer_sid = sksec_b->sid; 4559 sksec_b->peer_sid = sksec_a->sid; 4560 4561 return 0; 4562 } 4563 4564 /* Range of port numbers used to automatically bind. 4565 Need to determine whether we should perform a name_bind 4566 permission check between the socket and the port number. */ 4567 4568 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4569 { 4570 struct sock *sk = sock->sk; 4571 struct sk_security_struct *sksec = sk->sk_security; 4572 u16 family; 4573 int err; 4574 4575 err = sock_has_perm(sk, SOCKET__BIND); 4576 if (err) 4577 goto out; 4578 4579 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4580 family = sk->sk_family; 4581 if (family == PF_INET || family == PF_INET6) { 4582 char *addrp; 4583 struct common_audit_data ad; 4584 struct lsm_network_audit net = {0,}; 4585 struct sockaddr_in *addr4 = NULL; 4586 struct sockaddr_in6 *addr6 = NULL; 4587 u16 family_sa; 4588 unsigned short snum; 4589 u32 sid, node_perm; 4590 4591 /* 4592 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4593 * that validates multiple binding addresses. Because of this 4594 * need to check address->sa_family as it is possible to have 4595 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4596 */ 4597 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4598 return -EINVAL; 4599 family_sa = address->sa_family; 4600 switch (family_sa) { 4601 case AF_UNSPEC: 4602 case AF_INET: 4603 if (addrlen < sizeof(struct sockaddr_in)) 4604 return -EINVAL; 4605 addr4 = (struct sockaddr_in *)address; 4606 if (family_sa == AF_UNSPEC) { 4607 /* see __inet_bind(), we only want to allow 4608 * AF_UNSPEC if the address is INADDR_ANY 4609 */ 4610 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4611 goto err_af; 4612 family_sa = AF_INET; 4613 } 4614 snum = ntohs(addr4->sin_port); 4615 addrp = (char *)&addr4->sin_addr.s_addr; 4616 break; 4617 case AF_INET6: 4618 if (addrlen < SIN6_LEN_RFC2133) 4619 return -EINVAL; 4620 addr6 = (struct sockaddr_in6 *)address; 4621 snum = ntohs(addr6->sin6_port); 4622 addrp = (char *)&addr6->sin6_addr.s6_addr; 4623 break; 4624 default: 4625 goto err_af; 4626 } 4627 4628 ad.type = LSM_AUDIT_DATA_NET; 4629 ad.u.net = &net; 4630 ad.u.net->sport = htons(snum); 4631 ad.u.net->family = family_sa; 4632 4633 if (snum) { 4634 int low, high; 4635 4636 inet_get_local_port_range(sock_net(sk), &low, &high); 4637 4638 if (inet_port_requires_bind_service(sock_net(sk), snum) || 4639 snum < low || snum > high) { 4640 err = sel_netport_sid(sk->sk_protocol, 4641 snum, &sid); 4642 if (err) 4643 goto out; 4644 err = avc_has_perm(&selinux_state, 4645 sksec->sid, sid, 4646 sksec->sclass, 4647 SOCKET__NAME_BIND, &ad); 4648 if (err) 4649 goto out; 4650 } 4651 } 4652 4653 switch (sksec->sclass) { 4654 case SECCLASS_TCP_SOCKET: 4655 node_perm = TCP_SOCKET__NODE_BIND; 4656 break; 4657 4658 case SECCLASS_UDP_SOCKET: 4659 node_perm = UDP_SOCKET__NODE_BIND; 4660 break; 4661 4662 case SECCLASS_DCCP_SOCKET: 4663 node_perm = DCCP_SOCKET__NODE_BIND; 4664 break; 4665 4666 case SECCLASS_SCTP_SOCKET: 4667 node_perm = SCTP_SOCKET__NODE_BIND; 4668 break; 4669 4670 default: 4671 node_perm = RAWIP_SOCKET__NODE_BIND; 4672 break; 4673 } 4674 4675 err = sel_netnode_sid(addrp, family_sa, &sid); 4676 if (err) 4677 goto out; 4678 4679 if (family_sa == AF_INET) 4680 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4681 else 4682 ad.u.net->v6info.saddr = addr6->sin6_addr; 4683 4684 err = avc_has_perm(&selinux_state, 4685 sksec->sid, sid, 4686 sksec->sclass, node_perm, &ad); 4687 if (err) 4688 goto out; 4689 } 4690 out: 4691 return err; 4692 err_af: 4693 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4694 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4695 return -EINVAL; 4696 return -EAFNOSUPPORT; 4697 } 4698 4699 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 4700 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst 4701 */ 4702 static int selinux_socket_connect_helper(struct socket *sock, 4703 struct sockaddr *address, int addrlen) 4704 { 4705 struct sock *sk = sock->sk; 4706 struct sk_security_struct *sksec = sk->sk_security; 4707 int err; 4708 4709 err = sock_has_perm(sk, SOCKET__CONNECT); 4710 if (err) 4711 return err; 4712 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4713 return -EINVAL; 4714 4715 /* connect(AF_UNSPEC) has special handling, as it is a documented 4716 * way to disconnect the socket 4717 */ 4718 if (address->sa_family == AF_UNSPEC) 4719 return 0; 4720 4721 /* 4722 * If a TCP, DCCP or SCTP socket, check name_connect permission 4723 * for the port. 4724 */ 4725 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4726 sksec->sclass == SECCLASS_DCCP_SOCKET || 4727 sksec->sclass == SECCLASS_SCTP_SOCKET) { 4728 struct common_audit_data ad; 4729 struct lsm_network_audit net = {0,}; 4730 struct sockaddr_in *addr4 = NULL; 4731 struct sockaddr_in6 *addr6 = NULL; 4732 unsigned short snum; 4733 u32 sid, perm; 4734 4735 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 4736 * that validates multiple connect addresses. Because of this 4737 * need to check address->sa_family as it is possible to have 4738 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4739 */ 4740 switch (address->sa_family) { 4741 case AF_INET: 4742 addr4 = (struct sockaddr_in *)address; 4743 if (addrlen < sizeof(struct sockaddr_in)) 4744 return -EINVAL; 4745 snum = ntohs(addr4->sin_port); 4746 break; 4747 case AF_INET6: 4748 addr6 = (struct sockaddr_in6 *)address; 4749 if (addrlen < SIN6_LEN_RFC2133) 4750 return -EINVAL; 4751 snum = ntohs(addr6->sin6_port); 4752 break; 4753 default: 4754 /* Note that SCTP services expect -EINVAL, whereas 4755 * others expect -EAFNOSUPPORT. 4756 */ 4757 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4758 return -EINVAL; 4759 else 4760 return -EAFNOSUPPORT; 4761 } 4762 4763 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4764 if (err) 4765 return err; 4766 4767 switch (sksec->sclass) { 4768 case SECCLASS_TCP_SOCKET: 4769 perm = TCP_SOCKET__NAME_CONNECT; 4770 break; 4771 case SECCLASS_DCCP_SOCKET: 4772 perm = DCCP_SOCKET__NAME_CONNECT; 4773 break; 4774 case SECCLASS_SCTP_SOCKET: 4775 perm = SCTP_SOCKET__NAME_CONNECT; 4776 break; 4777 } 4778 4779 ad.type = LSM_AUDIT_DATA_NET; 4780 ad.u.net = &net; 4781 ad.u.net->dport = htons(snum); 4782 ad.u.net->family = address->sa_family; 4783 err = avc_has_perm(&selinux_state, 4784 sksec->sid, sid, sksec->sclass, perm, &ad); 4785 if (err) 4786 return err; 4787 } 4788 4789 return 0; 4790 } 4791 4792 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 4793 static int selinux_socket_connect(struct socket *sock, 4794 struct sockaddr *address, int addrlen) 4795 { 4796 int err; 4797 struct sock *sk = sock->sk; 4798 4799 err = selinux_socket_connect_helper(sock, address, addrlen); 4800 if (err) 4801 return err; 4802 4803 return selinux_netlbl_socket_connect(sk, address); 4804 } 4805 4806 static int selinux_socket_listen(struct socket *sock, int backlog) 4807 { 4808 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4809 } 4810 4811 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4812 { 4813 int err; 4814 struct inode_security_struct *isec; 4815 struct inode_security_struct *newisec; 4816 u16 sclass; 4817 u32 sid; 4818 4819 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4820 if (err) 4821 return err; 4822 4823 isec = inode_security_novalidate(SOCK_INODE(sock)); 4824 spin_lock(&isec->lock); 4825 sclass = isec->sclass; 4826 sid = isec->sid; 4827 spin_unlock(&isec->lock); 4828 4829 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4830 newisec->sclass = sclass; 4831 newisec->sid = sid; 4832 newisec->initialized = LABEL_INITIALIZED; 4833 4834 return 0; 4835 } 4836 4837 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4838 int size) 4839 { 4840 return sock_has_perm(sock->sk, SOCKET__WRITE); 4841 } 4842 4843 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4844 int size, int flags) 4845 { 4846 return sock_has_perm(sock->sk, SOCKET__READ); 4847 } 4848 4849 static int selinux_socket_getsockname(struct socket *sock) 4850 { 4851 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4852 } 4853 4854 static int selinux_socket_getpeername(struct socket *sock) 4855 { 4856 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4857 } 4858 4859 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4860 { 4861 int err; 4862 4863 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 4864 if (err) 4865 return err; 4866 4867 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4868 } 4869 4870 static int selinux_socket_getsockopt(struct socket *sock, int level, 4871 int optname) 4872 { 4873 return sock_has_perm(sock->sk, SOCKET__GETOPT); 4874 } 4875 4876 static int selinux_socket_shutdown(struct socket *sock, int how) 4877 { 4878 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 4879 } 4880 4881 static int selinux_socket_unix_stream_connect(struct sock *sock, 4882 struct sock *other, 4883 struct sock *newsk) 4884 { 4885 struct sk_security_struct *sksec_sock = sock->sk_security; 4886 struct sk_security_struct *sksec_other = other->sk_security; 4887 struct sk_security_struct *sksec_new = newsk->sk_security; 4888 struct common_audit_data ad; 4889 struct lsm_network_audit net = {0,}; 4890 int err; 4891 4892 ad.type = LSM_AUDIT_DATA_NET; 4893 ad.u.net = &net; 4894 ad.u.net->sk = other; 4895 4896 err = avc_has_perm(&selinux_state, 4897 sksec_sock->sid, sksec_other->sid, 4898 sksec_other->sclass, 4899 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4900 if (err) 4901 return err; 4902 4903 /* server child socket */ 4904 sksec_new->peer_sid = sksec_sock->sid; 4905 err = security_sid_mls_copy(&selinux_state, sksec_other->sid, 4906 sksec_sock->sid, &sksec_new->sid); 4907 if (err) 4908 return err; 4909 4910 /* connecting socket */ 4911 sksec_sock->peer_sid = sksec_new->sid; 4912 4913 return 0; 4914 } 4915 4916 static int selinux_socket_unix_may_send(struct socket *sock, 4917 struct socket *other) 4918 { 4919 struct sk_security_struct *ssec = sock->sk->sk_security; 4920 struct sk_security_struct *osec = other->sk->sk_security; 4921 struct common_audit_data ad; 4922 struct lsm_network_audit net = {0,}; 4923 4924 ad.type = LSM_AUDIT_DATA_NET; 4925 ad.u.net = &net; 4926 ad.u.net->sk = other->sk; 4927 4928 return avc_has_perm(&selinux_state, 4929 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4930 &ad); 4931 } 4932 4933 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4934 char *addrp, u16 family, u32 peer_sid, 4935 struct common_audit_data *ad) 4936 { 4937 int err; 4938 u32 if_sid; 4939 u32 node_sid; 4940 4941 err = sel_netif_sid(ns, ifindex, &if_sid); 4942 if (err) 4943 return err; 4944 err = avc_has_perm(&selinux_state, 4945 peer_sid, if_sid, 4946 SECCLASS_NETIF, NETIF__INGRESS, ad); 4947 if (err) 4948 return err; 4949 4950 err = sel_netnode_sid(addrp, family, &node_sid); 4951 if (err) 4952 return err; 4953 return avc_has_perm(&selinux_state, 4954 peer_sid, node_sid, 4955 SECCLASS_NODE, NODE__RECVFROM, ad); 4956 } 4957 4958 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4959 u16 family) 4960 { 4961 int err = 0; 4962 struct sk_security_struct *sksec = sk->sk_security; 4963 u32 sk_sid = sksec->sid; 4964 struct common_audit_data ad; 4965 struct lsm_network_audit net = {0,}; 4966 char *addrp; 4967 4968 ad.type = LSM_AUDIT_DATA_NET; 4969 ad.u.net = &net; 4970 ad.u.net->netif = skb->skb_iif; 4971 ad.u.net->family = family; 4972 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4973 if (err) 4974 return err; 4975 4976 if (selinux_secmark_enabled()) { 4977 err = avc_has_perm(&selinux_state, 4978 sk_sid, skb->secmark, SECCLASS_PACKET, 4979 PACKET__RECV, &ad); 4980 if (err) 4981 return err; 4982 } 4983 4984 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4985 if (err) 4986 return err; 4987 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4988 4989 return err; 4990 } 4991 4992 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4993 { 4994 int err; 4995 struct sk_security_struct *sksec = sk->sk_security; 4996 u16 family = sk->sk_family; 4997 u32 sk_sid = sksec->sid; 4998 struct common_audit_data ad; 4999 struct lsm_network_audit net = {0,}; 5000 char *addrp; 5001 u8 secmark_active; 5002 u8 peerlbl_active; 5003 5004 if (family != PF_INET && family != PF_INET6) 5005 return 0; 5006 5007 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5008 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5009 family = PF_INET; 5010 5011 /* If any sort of compatibility mode is enabled then handoff processing 5012 * to the selinux_sock_rcv_skb_compat() function to deal with the 5013 * special handling. We do this in an attempt to keep this function 5014 * as fast and as clean as possible. */ 5015 if (!selinux_policycap_netpeer()) 5016 return selinux_sock_rcv_skb_compat(sk, skb, family); 5017 5018 secmark_active = selinux_secmark_enabled(); 5019 peerlbl_active = selinux_peerlbl_enabled(); 5020 if (!secmark_active && !peerlbl_active) 5021 return 0; 5022 5023 ad.type = LSM_AUDIT_DATA_NET; 5024 ad.u.net = &net; 5025 ad.u.net->netif = skb->skb_iif; 5026 ad.u.net->family = family; 5027 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5028 if (err) 5029 return err; 5030 5031 if (peerlbl_active) { 5032 u32 peer_sid; 5033 5034 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5035 if (err) 5036 return err; 5037 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5038 addrp, family, peer_sid, &ad); 5039 if (err) { 5040 selinux_netlbl_err(skb, family, err, 0); 5041 return err; 5042 } 5043 err = avc_has_perm(&selinux_state, 5044 sk_sid, peer_sid, SECCLASS_PEER, 5045 PEER__RECV, &ad); 5046 if (err) { 5047 selinux_netlbl_err(skb, family, err, 0); 5048 return err; 5049 } 5050 } 5051 5052 if (secmark_active) { 5053 err = avc_has_perm(&selinux_state, 5054 sk_sid, skb->secmark, SECCLASS_PACKET, 5055 PACKET__RECV, &ad); 5056 if (err) 5057 return err; 5058 } 5059 5060 return err; 5061 } 5062 5063 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 5064 int __user *optlen, unsigned len) 5065 { 5066 int err = 0; 5067 char *scontext; 5068 u32 scontext_len; 5069 struct sk_security_struct *sksec = sock->sk->sk_security; 5070 u32 peer_sid = SECSID_NULL; 5071 5072 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5073 sksec->sclass == SECCLASS_TCP_SOCKET || 5074 sksec->sclass == SECCLASS_SCTP_SOCKET) 5075 peer_sid = sksec->peer_sid; 5076 if (peer_sid == SECSID_NULL) 5077 return -ENOPROTOOPT; 5078 5079 err = security_sid_to_context(&selinux_state, peer_sid, &scontext, 5080 &scontext_len); 5081 if (err) 5082 return err; 5083 5084 if (scontext_len > len) { 5085 err = -ERANGE; 5086 goto out_len; 5087 } 5088 5089 if (copy_to_user(optval, scontext, scontext_len)) 5090 err = -EFAULT; 5091 5092 out_len: 5093 if (put_user(scontext_len, optlen)) 5094 err = -EFAULT; 5095 kfree(scontext); 5096 return err; 5097 } 5098 5099 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 5100 { 5101 u32 peer_secid = SECSID_NULL; 5102 u16 family; 5103 struct inode_security_struct *isec; 5104 5105 if (skb && skb->protocol == htons(ETH_P_IP)) 5106 family = PF_INET; 5107 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5108 family = PF_INET6; 5109 else if (sock) 5110 family = sock->sk->sk_family; 5111 else 5112 goto out; 5113 5114 if (sock && family == PF_UNIX) { 5115 isec = inode_security_novalidate(SOCK_INODE(sock)); 5116 peer_secid = isec->sid; 5117 } else if (skb) 5118 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5119 5120 out: 5121 *secid = peer_secid; 5122 if (peer_secid == SECSID_NULL) 5123 return -EINVAL; 5124 return 0; 5125 } 5126 5127 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5128 { 5129 struct sk_security_struct *sksec; 5130 5131 sksec = kzalloc(sizeof(*sksec), priority); 5132 if (!sksec) 5133 return -ENOMEM; 5134 5135 sksec->peer_sid = SECINITSID_UNLABELED; 5136 sksec->sid = SECINITSID_UNLABELED; 5137 sksec->sclass = SECCLASS_SOCKET; 5138 selinux_netlbl_sk_security_reset(sksec); 5139 sk->sk_security = sksec; 5140 5141 return 0; 5142 } 5143 5144 static void selinux_sk_free_security(struct sock *sk) 5145 { 5146 struct sk_security_struct *sksec = sk->sk_security; 5147 5148 sk->sk_security = NULL; 5149 selinux_netlbl_sk_security_free(sksec); 5150 kfree(sksec); 5151 } 5152 5153 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5154 { 5155 struct sk_security_struct *sksec = sk->sk_security; 5156 struct sk_security_struct *newsksec = newsk->sk_security; 5157 5158 newsksec->sid = sksec->sid; 5159 newsksec->peer_sid = sksec->peer_sid; 5160 newsksec->sclass = sksec->sclass; 5161 5162 selinux_netlbl_sk_security_reset(newsksec); 5163 } 5164 5165 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 5166 { 5167 if (!sk) 5168 *secid = SECINITSID_ANY_SOCKET; 5169 else { 5170 struct sk_security_struct *sksec = sk->sk_security; 5171 5172 *secid = sksec->sid; 5173 } 5174 } 5175 5176 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5177 { 5178 struct inode_security_struct *isec = 5179 inode_security_novalidate(SOCK_INODE(parent)); 5180 struct sk_security_struct *sksec = sk->sk_security; 5181 5182 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5183 sk->sk_family == PF_UNIX) 5184 isec->sid = sksec->sid; 5185 sksec->sclass = isec->sclass; 5186 } 5187 5188 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming 5189 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association 5190 * already present). 5191 */ 5192 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep, 5193 struct sk_buff *skb) 5194 { 5195 struct sk_security_struct *sksec = ep->base.sk->sk_security; 5196 struct common_audit_data ad; 5197 struct lsm_network_audit net = {0,}; 5198 u8 peerlbl_active; 5199 u32 peer_sid = SECINITSID_UNLABELED; 5200 u32 conn_sid; 5201 int err = 0; 5202 5203 if (!selinux_policycap_extsockclass()) 5204 return 0; 5205 5206 peerlbl_active = selinux_peerlbl_enabled(); 5207 5208 if (peerlbl_active) { 5209 /* This will return peer_sid = SECSID_NULL if there are 5210 * no peer labels, see security_net_peersid_resolve(). 5211 */ 5212 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family, 5213 &peer_sid); 5214 if (err) 5215 return err; 5216 5217 if (peer_sid == SECSID_NULL) 5218 peer_sid = SECINITSID_UNLABELED; 5219 } 5220 5221 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5222 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5223 5224 /* Here as first association on socket. As the peer SID 5225 * was allowed by peer recv (and the netif/node checks), 5226 * then it is approved by policy and used as the primary 5227 * peer SID for getpeercon(3). 5228 */ 5229 sksec->peer_sid = peer_sid; 5230 } else if (sksec->peer_sid != peer_sid) { 5231 /* Other association peer SIDs are checked to enforce 5232 * consistency among the peer SIDs. 5233 */ 5234 ad.type = LSM_AUDIT_DATA_NET; 5235 ad.u.net = &net; 5236 ad.u.net->sk = ep->base.sk; 5237 err = avc_has_perm(&selinux_state, 5238 sksec->peer_sid, peer_sid, sksec->sclass, 5239 SCTP_SOCKET__ASSOCIATION, &ad); 5240 if (err) 5241 return err; 5242 } 5243 5244 /* Compute the MLS component for the connection and store 5245 * the information in ep. This will be used by SCTP TCP type 5246 * sockets and peeled off connections as they cause a new 5247 * socket to be generated. selinux_sctp_sk_clone() will then 5248 * plug this into the new socket. 5249 */ 5250 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid); 5251 if (err) 5252 return err; 5253 5254 ep->secid = conn_sid; 5255 ep->peer_secid = peer_sid; 5256 5257 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5258 return selinux_netlbl_sctp_assoc_request(ep, skb); 5259 } 5260 5261 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5262 * based on their @optname. 5263 */ 5264 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5265 struct sockaddr *address, 5266 int addrlen) 5267 { 5268 int len, err = 0, walk_size = 0; 5269 void *addr_buf; 5270 struct sockaddr *addr; 5271 struct socket *sock; 5272 5273 if (!selinux_policycap_extsockclass()) 5274 return 0; 5275 5276 /* Process one or more addresses that may be IPv4 or IPv6 */ 5277 sock = sk->sk_socket; 5278 addr_buf = address; 5279 5280 while (walk_size < addrlen) { 5281 if (walk_size + sizeof(sa_family_t) > addrlen) 5282 return -EINVAL; 5283 5284 addr = addr_buf; 5285 switch (addr->sa_family) { 5286 case AF_UNSPEC: 5287 case AF_INET: 5288 len = sizeof(struct sockaddr_in); 5289 break; 5290 case AF_INET6: 5291 len = sizeof(struct sockaddr_in6); 5292 break; 5293 default: 5294 return -EINVAL; 5295 } 5296 5297 if (walk_size + len > addrlen) 5298 return -EINVAL; 5299 5300 err = -EINVAL; 5301 switch (optname) { 5302 /* Bind checks */ 5303 case SCTP_PRIMARY_ADDR: 5304 case SCTP_SET_PEER_PRIMARY_ADDR: 5305 case SCTP_SOCKOPT_BINDX_ADD: 5306 err = selinux_socket_bind(sock, addr, len); 5307 break; 5308 /* Connect checks */ 5309 case SCTP_SOCKOPT_CONNECTX: 5310 case SCTP_PARAM_SET_PRIMARY: 5311 case SCTP_PARAM_ADD_IP: 5312 case SCTP_SENDMSG_CONNECT: 5313 err = selinux_socket_connect_helper(sock, addr, len); 5314 if (err) 5315 return err; 5316 5317 /* As selinux_sctp_bind_connect() is called by the 5318 * SCTP protocol layer, the socket is already locked, 5319 * therefore selinux_netlbl_socket_connect_locked() is 5320 * is called here. The situations handled are: 5321 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5322 * whenever a new IP address is added or when a new 5323 * primary address is selected. 5324 * Note that an SCTP connect(2) call happens before 5325 * the SCTP protocol layer and is handled via 5326 * selinux_socket_connect(). 5327 */ 5328 err = selinux_netlbl_socket_connect_locked(sk, addr); 5329 break; 5330 } 5331 5332 if (err) 5333 return err; 5334 5335 addr_buf += len; 5336 walk_size += len; 5337 } 5338 5339 return 0; 5340 } 5341 5342 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5343 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, 5344 struct sock *newsk) 5345 { 5346 struct sk_security_struct *sksec = sk->sk_security; 5347 struct sk_security_struct *newsksec = newsk->sk_security; 5348 5349 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5350 * the non-sctp clone version. 5351 */ 5352 if (!selinux_policycap_extsockclass()) 5353 return selinux_sk_clone_security(sk, newsk); 5354 5355 newsksec->sid = ep->secid; 5356 newsksec->peer_sid = ep->peer_secid; 5357 newsksec->sclass = sksec->sclass; 5358 selinux_netlbl_sctp_sk_clone(sk, newsk); 5359 } 5360 5361 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 5362 struct request_sock *req) 5363 { 5364 struct sk_security_struct *sksec = sk->sk_security; 5365 int err; 5366 u16 family = req->rsk_ops->family; 5367 u32 connsid; 5368 u32 peersid; 5369 5370 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5371 if (err) 5372 return err; 5373 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5374 if (err) 5375 return err; 5376 req->secid = connsid; 5377 req->peer_secid = peersid; 5378 5379 return selinux_netlbl_inet_conn_request(req, family); 5380 } 5381 5382 static void selinux_inet_csk_clone(struct sock *newsk, 5383 const struct request_sock *req) 5384 { 5385 struct sk_security_struct *newsksec = newsk->sk_security; 5386 5387 newsksec->sid = req->secid; 5388 newsksec->peer_sid = req->peer_secid; 5389 /* NOTE: Ideally, we should also get the isec->sid for the 5390 new socket in sync, but we don't have the isec available yet. 5391 So we will wait until sock_graft to do it, by which 5392 time it will have been created and available. */ 5393 5394 /* We don't need to take any sort of lock here as we are the only 5395 * thread with access to newsksec */ 5396 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5397 } 5398 5399 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5400 { 5401 u16 family = sk->sk_family; 5402 struct sk_security_struct *sksec = sk->sk_security; 5403 5404 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5405 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5406 family = PF_INET; 5407 5408 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5409 } 5410 5411 static int selinux_secmark_relabel_packet(u32 sid) 5412 { 5413 const struct task_security_struct *__tsec; 5414 u32 tsid; 5415 5416 __tsec = selinux_cred(current_cred()); 5417 tsid = __tsec->sid; 5418 5419 return avc_has_perm(&selinux_state, 5420 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, 5421 NULL); 5422 } 5423 5424 static void selinux_secmark_refcount_inc(void) 5425 { 5426 atomic_inc(&selinux_secmark_refcount); 5427 } 5428 5429 static void selinux_secmark_refcount_dec(void) 5430 { 5431 atomic_dec(&selinux_secmark_refcount); 5432 } 5433 5434 static void selinux_req_classify_flow(const struct request_sock *req, 5435 struct flowi *fl) 5436 { 5437 fl->flowi_secid = req->secid; 5438 } 5439 5440 static int selinux_tun_dev_alloc_security(void **security) 5441 { 5442 struct tun_security_struct *tunsec; 5443 5444 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5445 if (!tunsec) 5446 return -ENOMEM; 5447 tunsec->sid = current_sid(); 5448 5449 *security = tunsec; 5450 return 0; 5451 } 5452 5453 static void selinux_tun_dev_free_security(void *security) 5454 { 5455 kfree(security); 5456 } 5457 5458 static int selinux_tun_dev_create(void) 5459 { 5460 u32 sid = current_sid(); 5461 5462 /* we aren't taking into account the "sockcreate" SID since the socket 5463 * that is being created here is not a socket in the traditional sense, 5464 * instead it is a private sock, accessible only to the kernel, and 5465 * representing a wide range of network traffic spanning multiple 5466 * connections unlike traditional sockets - check the TUN driver to 5467 * get a better understanding of why this socket is special */ 5468 5469 return avc_has_perm(&selinux_state, 5470 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5471 NULL); 5472 } 5473 5474 static int selinux_tun_dev_attach_queue(void *security) 5475 { 5476 struct tun_security_struct *tunsec = security; 5477 5478 return avc_has_perm(&selinux_state, 5479 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5480 TUN_SOCKET__ATTACH_QUEUE, NULL); 5481 } 5482 5483 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5484 { 5485 struct tun_security_struct *tunsec = security; 5486 struct sk_security_struct *sksec = sk->sk_security; 5487 5488 /* we don't currently perform any NetLabel based labeling here and it 5489 * isn't clear that we would want to do so anyway; while we could apply 5490 * labeling without the support of the TUN user the resulting labeled 5491 * traffic from the other end of the connection would almost certainly 5492 * cause confusion to the TUN user that had no idea network labeling 5493 * protocols were being used */ 5494 5495 sksec->sid = tunsec->sid; 5496 sksec->sclass = SECCLASS_TUN_SOCKET; 5497 5498 return 0; 5499 } 5500 5501 static int selinux_tun_dev_open(void *security) 5502 { 5503 struct tun_security_struct *tunsec = security; 5504 u32 sid = current_sid(); 5505 int err; 5506 5507 err = avc_has_perm(&selinux_state, 5508 sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5509 TUN_SOCKET__RELABELFROM, NULL); 5510 if (err) 5511 return err; 5512 err = avc_has_perm(&selinux_state, 5513 sid, sid, SECCLASS_TUN_SOCKET, 5514 TUN_SOCKET__RELABELTO, NULL); 5515 if (err) 5516 return err; 5517 tunsec->sid = sid; 5518 5519 return 0; 5520 } 5521 5522 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 5523 { 5524 int err = 0; 5525 u32 perm; 5526 struct nlmsghdr *nlh; 5527 struct sk_security_struct *sksec = sk->sk_security; 5528 5529 if (skb->len < NLMSG_HDRLEN) { 5530 err = -EINVAL; 5531 goto out; 5532 } 5533 nlh = nlmsg_hdr(skb); 5534 5535 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 5536 if (err) { 5537 if (err == -EINVAL) { 5538 pr_warn_ratelimited("SELinux: unrecognized netlink" 5539 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 5540 " pig=%d comm=%s\n", 5541 sk->sk_protocol, nlh->nlmsg_type, 5542 secclass_map[sksec->sclass - 1].name, 5543 task_pid_nr(current), current->comm); 5544 if (!enforcing_enabled(&selinux_state) || 5545 security_get_allow_unknown(&selinux_state)) 5546 err = 0; 5547 } 5548 5549 /* Ignore */ 5550 if (err == -ENOENT) 5551 err = 0; 5552 goto out; 5553 } 5554 5555 err = sock_has_perm(sk, perm); 5556 out: 5557 return err; 5558 } 5559 5560 #ifdef CONFIG_NETFILTER 5561 5562 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5563 const struct net_device *indev, 5564 u16 family) 5565 { 5566 int err; 5567 char *addrp; 5568 u32 peer_sid; 5569 struct common_audit_data ad; 5570 struct lsm_network_audit net = {0,}; 5571 u8 secmark_active; 5572 u8 netlbl_active; 5573 u8 peerlbl_active; 5574 5575 if (!selinux_policycap_netpeer()) 5576 return NF_ACCEPT; 5577 5578 secmark_active = selinux_secmark_enabled(); 5579 netlbl_active = netlbl_enabled(); 5580 peerlbl_active = selinux_peerlbl_enabled(); 5581 if (!secmark_active && !peerlbl_active) 5582 return NF_ACCEPT; 5583 5584 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5585 return NF_DROP; 5586 5587 ad.type = LSM_AUDIT_DATA_NET; 5588 ad.u.net = &net; 5589 ad.u.net->netif = indev->ifindex; 5590 ad.u.net->family = family; 5591 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5592 return NF_DROP; 5593 5594 if (peerlbl_active) { 5595 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5596 addrp, family, peer_sid, &ad); 5597 if (err) { 5598 selinux_netlbl_err(skb, family, err, 1); 5599 return NF_DROP; 5600 } 5601 } 5602 5603 if (secmark_active) 5604 if (avc_has_perm(&selinux_state, 5605 peer_sid, skb->secmark, 5606 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5607 return NF_DROP; 5608 5609 if (netlbl_active) 5610 /* we do this in the FORWARD path and not the POST_ROUTING 5611 * path because we want to make sure we apply the necessary 5612 * labeling before IPsec is applied so we can leverage AH 5613 * protection */ 5614 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5615 return NF_DROP; 5616 5617 return NF_ACCEPT; 5618 } 5619 5620 static unsigned int selinux_ipv4_forward(void *priv, 5621 struct sk_buff *skb, 5622 const struct nf_hook_state *state) 5623 { 5624 return selinux_ip_forward(skb, state->in, PF_INET); 5625 } 5626 5627 #if IS_ENABLED(CONFIG_IPV6) 5628 static unsigned int selinux_ipv6_forward(void *priv, 5629 struct sk_buff *skb, 5630 const struct nf_hook_state *state) 5631 { 5632 return selinux_ip_forward(skb, state->in, PF_INET6); 5633 } 5634 #endif /* IPV6 */ 5635 5636 static unsigned int selinux_ip_output(struct sk_buff *skb, 5637 u16 family) 5638 { 5639 struct sock *sk; 5640 u32 sid; 5641 5642 if (!netlbl_enabled()) 5643 return NF_ACCEPT; 5644 5645 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5646 * because we want to make sure we apply the necessary labeling 5647 * before IPsec is applied so we can leverage AH protection */ 5648 sk = skb->sk; 5649 if (sk) { 5650 struct sk_security_struct *sksec; 5651 5652 if (sk_listener(sk)) 5653 /* if the socket is the listening state then this 5654 * packet is a SYN-ACK packet which means it needs to 5655 * be labeled based on the connection/request_sock and 5656 * not the parent socket. unfortunately, we can't 5657 * lookup the request_sock yet as it isn't queued on 5658 * the parent socket until after the SYN-ACK is sent. 5659 * the "solution" is to simply pass the packet as-is 5660 * as any IP option based labeling should be copied 5661 * from the initial connection request (in the IP 5662 * layer). it is far from ideal, but until we get a 5663 * security label in the packet itself this is the 5664 * best we can do. */ 5665 return NF_ACCEPT; 5666 5667 /* standard practice, label using the parent socket */ 5668 sksec = sk->sk_security; 5669 sid = sksec->sid; 5670 } else 5671 sid = SECINITSID_KERNEL; 5672 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5673 return NF_DROP; 5674 5675 return NF_ACCEPT; 5676 } 5677 5678 static unsigned int selinux_ipv4_output(void *priv, 5679 struct sk_buff *skb, 5680 const struct nf_hook_state *state) 5681 { 5682 return selinux_ip_output(skb, PF_INET); 5683 } 5684 5685 #if IS_ENABLED(CONFIG_IPV6) 5686 static unsigned int selinux_ipv6_output(void *priv, 5687 struct sk_buff *skb, 5688 const struct nf_hook_state *state) 5689 { 5690 return selinux_ip_output(skb, PF_INET6); 5691 } 5692 #endif /* IPV6 */ 5693 5694 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5695 int ifindex, 5696 u16 family) 5697 { 5698 struct sock *sk = skb_to_full_sk(skb); 5699 struct sk_security_struct *sksec; 5700 struct common_audit_data ad; 5701 struct lsm_network_audit net = {0,}; 5702 char *addrp; 5703 u8 proto; 5704 5705 if (sk == NULL) 5706 return NF_ACCEPT; 5707 sksec = sk->sk_security; 5708 5709 ad.type = LSM_AUDIT_DATA_NET; 5710 ad.u.net = &net; 5711 ad.u.net->netif = ifindex; 5712 ad.u.net->family = family; 5713 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5714 return NF_DROP; 5715 5716 if (selinux_secmark_enabled()) 5717 if (avc_has_perm(&selinux_state, 5718 sksec->sid, skb->secmark, 5719 SECCLASS_PACKET, PACKET__SEND, &ad)) 5720 return NF_DROP_ERR(-ECONNREFUSED); 5721 5722 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5723 return NF_DROP_ERR(-ECONNREFUSED); 5724 5725 return NF_ACCEPT; 5726 } 5727 5728 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5729 const struct net_device *outdev, 5730 u16 family) 5731 { 5732 u32 secmark_perm; 5733 u32 peer_sid; 5734 int ifindex = outdev->ifindex; 5735 struct sock *sk; 5736 struct common_audit_data ad; 5737 struct lsm_network_audit net = {0,}; 5738 char *addrp; 5739 u8 secmark_active; 5740 u8 peerlbl_active; 5741 5742 /* If any sort of compatibility mode is enabled then handoff processing 5743 * to the selinux_ip_postroute_compat() function to deal with the 5744 * special handling. We do this in an attempt to keep this function 5745 * as fast and as clean as possible. */ 5746 if (!selinux_policycap_netpeer()) 5747 return selinux_ip_postroute_compat(skb, ifindex, family); 5748 5749 secmark_active = selinux_secmark_enabled(); 5750 peerlbl_active = selinux_peerlbl_enabled(); 5751 if (!secmark_active && !peerlbl_active) 5752 return NF_ACCEPT; 5753 5754 sk = skb_to_full_sk(skb); 5755 5756 #ifdef CONFIG_XFRM 5757 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5758 * packet transformation so allow the packet to pass without any checks 5759 * since we'll have another chance to perform access control checks 5760 * when the packet is on it's final way out. 5761 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5762 * is NULL, in this case go ahead and apply access control. 5763 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5764 * TCP listening state we cannot wait until the XFRM processing 5765 * is done as we will miss out on the SA label if we do; 5766 * unfortunately, this means more work, but it is only once per 5767 * connection. */ 5768 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5769 !(sk && sk_listener(sk))) 5770 return NF_ACCEPT; 5771 #endif 5772 5773 if (sk == NULL) { 5774 /* Without an associated socket the packet is either coming 5775 * from the kernel or it is being forwarded; check the packet 5776 * to determine which and if the packet is being forwarded 5777 * query the packet directly to determine the security label. */ 5778 if (skb->skb_iif) { 5779 secmark_perm = PACKET__FORWARD_OUT; 5780 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5781 return NF_DROP; 5782 } else { 5783 secmark_perm = PACKET__SEND; 5784 peer_sid = SECINITSID_KERNEL; 5785 } 5786 } else if (sk_listener(sk)) { 5787 /* Locally generated packet but the associated socket is in the 5788 * listening state which means this is a SYN-ACK packet. In 5789 * this particular case the correct security label is assigned 5790 * to the connection/request_sock but unfortunately we can't 5791 * query the request_sock as it isn't queued on the parent 5792 * socket until after the SYN-ACK packet is sent; the only 5793 * viable choice is to regenerate the label like we do in 5794 * selinux_inet_conn_request(). See also selinux_ip_output() 5795 * for similar problems. */ 5796 u32 skb_sid; 5797 struct sk_security_struct *sksec; 5798 5799 sksec = sk->sk_security; 5800 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5801 return NF_DROP; 5802 /* At this point, if the returned skb peerlbl is SECSID_NULL 5803 * and the packet has been through at least one XFRM 5804 * transformation then we must be dealing with the "final" 5805 * form of labeled IPsec packet; since we've already applied 5806 * all of our access controls on this packet we can safely 5807 * pass the packet. */ 5808 if (skb_sid == SECSID_NULL) { 5809 switch (family) { 5810 case PF_INET: 5811 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5812 return NF_ACCEPT; 5813 break; 5814 case PF_INET6: 5815 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5816 return NF_ACCEPT; 5817 break; 5818 default: 5819 return NF_DROP_ERR(-ECONNREFUSED); 5820 } 5821 } 5822 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5823 return NF_DROP; 5824 secmark_perm = PACKET__SEND; 5825 } else { 5826 /* Locally generated packet, fetch the security label from the 5827 * associated socket. */ 5828 struct sk_security_struct *sksec = sk->sk_security; 5829 peer_sid = sksec->sid; 5830 secmark_perm = PACKET__SEND; 5831 } 5832 5833 ad.type = LSM_AUDIT_DATA_NET; 5834 ad.u.net = &net; 5835 ad.u.net->netif = ifindex; 5836 ad.u.net->family = family; 5837 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5838 return NF_DROP; 5839 5840 if (secmark_active) 5841 if (avc_has_perm(&selinux_state, 5842 peer_sid, skb->secmark, 5843 SECCLASS_PACKET, secmark_perm, &ad)) 5844 return NF_DROP_ERR(-ECONNREFUSED); 5845 5846 if (peerlbl_active) { 5847 u32 if_sid; 5848 u32 node_sid; 5849 5850 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5851 return NF_DROP; 5852 if (avc_has_perm(&selinux_state, 5853 peer_sid, if_sid, 5854 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5855 return NF_DROP_ERR(-ECONNREFUSED); 5856 5857 if (sel_netnode_sid(addrp, family, &node_sid)) 5858 return NF_DROP; 5859 if (avc_has_perm(&selinux_state, 5860 peer_sid, node_sid, 5861 SECCLASS_NODE, NODE__SENDTO, &ad)) 5862 return NF_DROP_ERR(-ECONNREFUSED); 5863 } 5864 5865 return NF_ACCEPT; 5866 } 5867 5868 static unsigned int selinux_ipv4_postroute(void *priv, 5869 struct sk_buff *skb, 5870 const struct nf_hook_state *state) 5871 { 5872 return selinux_ip_postroute(skb, state->out, PF_INET); 5873 } 5874 5875 #if IS_ENABLED(CONFIG_IPV6) 5876 static unsigned int selinux_ipv6_postroute(void *priv, 5877 struct sk_buff *skb, 5878 const struct nf_hook_state *state) 5879 { 5880 return selinux_ip_postroute(skb, state->out, PF_INET6); 5881 } 5882 #endif /* IPV6 */ 5883 5884 #endif /* CONFIG_NETFILTER */ 5885 5886 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5887 { 5888 return selinux_nlmsg_perm(sk, skb); 5889 } 5890 5891 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass) 5892 { 5893 isec->sclass = sclass; 5894 isec->sid = current_sid(); 5895 } 5896 5897 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5898 u32 perms) 5899 { 5900 struct ipc_security_struct *isec; 5901 struct common_audit_data ad; 5902 u32 sid = current_sid(); 5903 5904 isec = selinux_ipc(ipc_perms); 5905 5906 ad.type = LSM_AUDIT_DATA_IPC; 5907 ad.u.ipc_id = ipc_perms->key; 5908 5909 return avc_has_perm(&selinux_state, 5910 sid, isec->sid, isec->sclass, perms, &ad); 5911 } 5912 5913 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5914 { 5915 struct msg_security_struct *msec; 5916 5917 msec = selinux_msg_msg(msg); 5918 msec->sid = SECINITSID_UNLABELED; 5919 5920 return 0; 5921 } 5922 5923 /* message queue security operations */ 5924 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 5925 { 5926 struct ipc_security_struct *isec; 5927 struct common_audit_data ad; 5928 u32 sid = current_sid(); 5929 int rc; 5930 5931 isec = selinux_ipc(msq); 5932 ipc_init_security(isec, SECCLASS_MSGQ); 5933 5934 ad.type = LSM_AUDIT_DATA_IPC; 5935 ad.u.ipc_id = msq->key; 5936 5937 rc = avc_has_perm(&selinux_state, 5938 sid, isec->sid, SECCLASS_MSGQ, 5939 MSGQ__CREATE, &ad); 5940 return rc; 5941 } 5942 5943 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 5944 { 5945 struct ipc_security_struct *isec; 5946 struct common_audit_data ad; 5947 u32 sid = current_sid(); 5948 5949 isec = selinux_ipc(msq); 5950 5951 ad.type = LSM_AUDIT_DATA_IPC; 5952 ad.u.ipc_id = msq->key; 5953 5954 return avc_has_perm(&selinux_state, 5955 sid, isec->sid, SECCLASS_MSGQ, 5956 MSGQ__ASSOCIATE, &ad); 5957 } 5958 5959 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 5960 { 5961 int err; 5962 int perms; 5963 5964 switch (cmd) { 5965 case IPC_INFO: 5966 case MSG_INFO: 5967 /* No specific object, just general system-wide information. */ 5968 return avc_has_perm(&selinux_state, 5969 current_sid(), SECINITSID_KERNEL, 5970 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5971 case IPC_STAT: 5972 case MSG_STAT: 5973 case MSG_STAT_ANY: 5974 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 5975 break; 5976 case IPC_SET: 5977 perms = MSGQ__SETATTR; 5978 break; 5979 case IPC_RMID: 5980 perms = MSGQ__DESTROY; 5981 break; 5982 default: 5983 return 0; 5984 } 5985 5986 err = ipc_has_perm(msq, perms); 5987 return err; 5988 } 5989 5990 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 5991 { 5992 struct ipc_security_struct *isec; 5993 struct msg_security_struct *msec; 5994 struct common_audit_data ad; 5995 u32 sid = current_sid(); 5996 int rc; 5997 5998 isec = selinux_ipc(msq); 5999 msec = selinux_msg_msg(msg); 6000 6001 /* 6002 * First time through, need to assign label to the message 6003 */ 6004 if (msec->sid == SECINITSID_UNLABELED) { 6005 /* 6006 * Compute new sid based on current process and 6007 * message queue this message will be stored in 6008 */ 6009 rc = security_transition_sid(&selinux_state, sid, isec->sid, 6010 SECCLASS_MSG, NULL, &msec->sid); 6011 if (rc) 6012 return rc; 6013 } 6014 6015 ad.type = LSM_AUDIT_DATA_IPC; 6016 ad.u.ipc_id = msq->key; 6017 6018 /* Can this process write to the queue? */ 6019 rc = avc_has_perm(&selinux_state, 6020 sid, isec->sid, SECCLASS_MSGQ, 6021 MSGQ__WRITE, &ad); 6022 if (!rc) 6023 /* Can this process send the message */ 6024 rc = avc_has_perm(&selinux_state, 6025 sid, msec->sid, SECCLASS_MSG, 6026 MSG__SEND, &ad); 6027 if (!rc) 6028 /* Can the message be put in the queue? */ 6029 rc = avc_has_perm(&selinux_state, 6030 msec->sid, isec->sid, SECCLASS_MSGQ, 6031 MSGQ__ENQUEUE, &ad); 6032 6033 return rc; 6034 } 6035 6036 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6037 struct task_struct *target, 6038 long type, int mode) 6039 { 6040 struct ipc_security_struct *isec; 6041 struct msg_security_struct *msec; 6042 struct common_audit_data ad; 6043 u32 sid = task_sid(target); 6044 int rc; 6045 6046 isec = selinux_ipc(msq); 6047 msec = selinux_msg_msg(msg); 6048 6049 ad.type = LSM_AUDIT_DATA_IPC; 6050 ad.u.ipc_id = msq->key; 6051 6052 rc = avc_has_perm(&selinux_state, 6053 sid, isec->sid, 6054 SECCLASS_MSGQ, MSGQ__READ, &ad); 6055 if (!rc) 6056 rc = avc_has_perm(&selinux_state, 6057 sid, msec->sid, 6058 SECCLASS_MSG, MSG__RECEIVE, &ad); 6059 return rc; 6060 } 6061 6062 /* Shared Memory security operations */ 6063 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6064 { 6065 struct ipc_security_struct *isec; 6066 struct common_audit_data ad; 6067 u32 sid = current_sid(); 6068 int rc; 6069 6070 isec = selinux_ipc(shp); 6071 ipc_init_security(isec, SECCLASS_SHM); 6072 6073 ad.type = LSM_AUDIT_DATA_IPC; 6074 ad.u.ipc_id = shp->key; 6075 6076 rc = avc_has_perm(&selinux_state, 6077 sid, isec->sid, SECCLASS_SHM, 6078 SHM__CREATE, &ad); 6079 return rc; 6080 } 6081 6082 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6083 { 6084 struct ipc_security_struct *isec; 6085 struct common_audit_data ad; 6086 u32 sid = current_sid(); 6087 6088 isec = selinux_ipc(shp); 6089 6090 ad.type = LSM_AUDIT_DATA_IPC; 6091 ad.u.ipc_id = shp->key; 6092 6093 return avc_has_perm(&selinux_state, 6094 sid, isec->sid, SECCLASS_SHM, 6095 SHM__ASSOCIATE, &ad); 6096 } 6097 6098 /* Note, at this point, shp is locked down */ 6099 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6100 { 6101 int perms; 6102 int err; 6103 6104 switch (cmd) { 6105 case IPC_INFO: 6106 case SHM_INFO: 6107 /* No specific object, just general system-wide information. */ 6108 return avc_has_perm(&selinux_state, 6109 current_sid(), SECINITSID_KERNEL, 6110 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6111 case IPC_STAT: 6112 case SHM_STAT: 6113 case SHM_STAT_ANY: 6114 perms = SHM__GETATTR | SHM__ASSOCIATE; 6115 break; 6116 case IPC_SET: 6117 perms = SHM__SETATTR; 6118 break; 6119 case SHM_LOCK: 6120 case SHM_UNLOCK: 6121 perms = SHM__LOCK; 6122 break; 6123 case IPC_RMID: 6124 perms = SHM__DESTROY; 6125 break; 6126 default: 6127 return 0; 6128 } 6129 6130 err = ipc_has_perm(shp, perms); 6131 return err; 6132 } 6133 6134 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6135 char __user *shmaddr, int shmflg) 6136 { 6137 u32 perms; 6138 6139 if (shmflg & SHM_RDONLY) 6140 perms = SHM__READ; 6141 else 6142 perms = SHM__READ | SHM__WRITE; 6143 6144 return ipc_has_perm(shp, perms); 6145 } 6146 6147 /* Semaphore security operations */ 6148 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6149 { 6150 struct ipc_security_struct *isec; 6151 struct common_audit_data ad; 6152 u32 sid = current_sid(); 6153 int rc; 6154 6155 isec = selinux_ipc(sma); 6156 ipc_init_security(isec, SECCLASS_SEM); 6157 6158 ad.type = LSM_AUDIT_DATA_IPC; 6159 ad.u.ipc_id = sma->key; 6160 6161 rc = avc_has_perm(&selinux_state, 6162 sid, isec->sid, SECCLASS_SEM, 6163 SEM__CREATE, &ad); 6164 return rc; 6165 } 6166 6167 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6168 { 6169 struct ipc_security_struct *isec; 6170 struct common_audit_data ad; 6171 u32 sid = current_sid(); 6172 6173 isec = selinux_ipc(sma); 6174 6175 ad.type = LSM_AUDIT_DATA_IPC; 6176 ad.u.ipc_id = sma->key; 6177 6178 return avc_has_perm(&selinux_state, 6179 sid, isec->sid, SECCLASS_SEM, 6180 SEM__ASSOCIATE, &ad); 6181 } 6182 6183 /* Note, at this point, sma is locked down */ 6184 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6185 { 6186 int err; 6187 u32 perms; 6188 6189 switch (cmd) { 6190 case IPC_INFO: 6191 case SEM_INFO: 6192 /* No specific object, just general system-wide information. */ 6193 return avc_has_perm(&selinux_state, 6194 current_sid(), SECINITSID_KERNEL, 6195 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6196 case GETPID: 6197 case GETNCNT: 6198 case GETZCNT: 6199 perms = SEM__GETATTR; 6200 break; 6201 case GETVAL: 6202 case GETALL: 6203 perms = SEM__READ; 6204 break; 6205 case SETVAL: 6206 case SETALL: 6207 perms = SEM__WRITE; 6208 break; 6209 case IPC_RMID: 6210 perms = SEM__DESTROY; 6211 break; 6212 case IPC_SET: 6213 perms = SEM__SETATTR; 6214 break; 6215 case IPC_STAT: 6216 case SEM_STAT: 6217 case SEM_STAT_ANY: 6218 perms = SEM__GETATTR | SEM__ASSOCIATE; 6219 break; 6220 default: 6221 return 0; 6222 } 6223 6224 err = ipc_has_perm(sma, perms); 6225 return err; 6226 } 6227 6228 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6229 struct sembuf *sops, unsigned nsops, int alter) 6230 { 6231 u32 perms; 6232 6233 if (alter) 6234 perms = SEM__READ | SEM__WRITE; 6235 else 6236 perms = SEM__READ; 6237 6238 return ipc_has_perm(sma, perms); 6239 } 6240 6241 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6242 { 6243 u32 av = 0; 6244 6245 av = 0; 6246 if (flag & S_IRUGO) 6247 av |= IPC__UNIX_READ; 6248 if (flag & S_IWUGO) 6249 av |= IPC__UNIX_WRITE; 6250 6251 if (av == 0) 6252 return 0; 6253 6254 return ipc_has_perm(ipcp, av); 6255 } 6256 6257 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 6258 { 6259 struct ipc_security_struct *isec = selinux_ipc(ipcp); 6260 *secid = isec->sid; 6261 } 6262 6263 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6264 { 6265 if (inode) 6266 inode_doinit_with_dentry(inode, dentry); 6267 } 6268 6269 static int selinux_getprocattr(struct task_struct *p, 6270 char *name, char **value) 6271 { 6272 const struct task_security_struct *__tsec; 6273 u32 sid; 6274 int error; 6275 unsigned len; 6276 6277 rcu_read_lock(); 6278 __tsec = selinux_cred(__task_cred(p)); 6279 6280 if (current != p) { 6281 error = avc_has_perm(&selinux_state, 6282 current_sid(), __tsec->sid, 6283 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6284 if (error) 6285 goto bad; 6286 } 6287 6288 if (!strcmp(name, "current")) 6289 sid = __tsec->sid; 6290 else if (!strcmp(name, "prev")) 6291 sid = __tsec->osid; 6292 else if (!strcmp(name, "exec")) 6293 sid = __tsec->exec_sid; 6294 else if (!strcmp(name, "fscreate")) 6295 sid = __tsec->create_sid; 6296 else if (!strcmp(name, "keycreate")) 6297 sid = __tsec->keycreate_sid; 6298 else if (!strcmp(name, "sockcreate")) 6299 sid = __tsec->sockcreate_sid; 6300 else { 6301 error = -EINVAL; 6302 goto bad; 6303 } 6304 rcu_read_unlock(); 6305 6306 if (!sid) 6307 return 0; 6308 6309 error = security_sid_to_context(&selinux_state, sid, value, &len); 6310 if (error) 6311 return error; 6312 return len; 6313 6314 bad: 6315 rcu_read_unlock(); 6316 return error; 6317 } 6318 6319 static int selinux_setprocattr(const char *name, void *value, size_t size) 6320 { 6321 struct task_security_struct *tsec; 6322 struct cred *new; 6323 u32 mysid = current_sid(), sid = 0, ptsid; 6324 int error; 6325 char *str = value; 6326 6327 /* 6328 * Basic control over ability to set these attributes at all. 6329 */ 6330 if (!strcmp(name, "exec")) 6331 error = avc_has_perm(&selinux_state, 6332 mysid, mysid, SECCLASS_PROCESS, 6333 PROCESS__SETEXEC, NULL); 6334 else if (!strcmp(name, "fscreate")) 6335 error = avc_has_perm(&selinux_state, 6336 mysid, mysid, SECCLASS_PROCESS, 6337 PROCESS__SETFSCREATE, NULL); 6338 else if (!strcmp(name, "keycreate")) 6339 error = avc_has_perm(&selinux_state, 6340 mysid, mysid, SECCLASS_PROCESS, 6341 PROCESS__SETKEYCREATE, NULL); 6342 else if (!strcmp(name, "sockcreate")) 6343 error = avc_has_perm(&selinux_state, 6344 mysid, mysid, SECCLASS_PROCESS, 6345 PROCESS__SETSOCKCREATE, NULL); 6346 else if (!strcmp(name, "current")) 6347 error = avc_has_perm(&selinux_state, 6348 mysid, mysid, SECCLASS_PROCESS, 6349 PROCESS__SETCURRENT, NULL); 6350 else 6351 error = -EINVAL; 6352 if (error) 6353 return error; 6354 6355 /* Obtain a SID for the context, if one was specified. */ 6356 if (size && str[0] && str[0] != '\n') { 6357 if (str[size-1] == '\n') { 6358 str[size-1] = 0; 6359 size--; 6360 } 6361 error = security_context_to_sid(&selinux_state, value, size, 6362 &sid, GFP_KERNEL); 6363 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6364 if (!has_cap_mac_admin(true)) { 6365 struct audit_buffer *ab; 6366 size_t audit_size; 6367 6368 /* We strip a nul only if it is at the end, otherwise the 6369 * context contains a nul and we should audit that */ 6370 if (str[size - 1] == '\0') 6371 audit_size = size - 1; 6372 else 6373 audit_size = size; 6374 ab = audit_log_start(audit_context(), 6375 GFP_ATOMIC, 6376 AUDIT_SELINUX_ERR); 6377 audit_log_format(ab, "op=fscreate invalid_context="); 6378 audit_log_n_untrustedstring(ab, value, audit_size); 6379 audit_log_end(ab); 6380 6381 return error; 6382 } 6383 error = security_context_to_sid_force( 6384 &selinux_state, 6385 value, size, &sid); 6386 } 6387 if (error) 6388 return error; 6389 } 6390 6391 new = prepare_creds(); 6392 if (!new) 6393 return -ENOMEM; 6394 6395 /* Permission checking based on the specified context is 6396 performed during the actual operation (execve, 6397 open/mkdir/...), when we know the full context of the 6398 operation. See selinux_bprm_set_creds for the execve 6399 checks and may_create for the file creation checks. The 6400 operation will then fail if the context is not permitted. */ 6401 tsec = selinux_cred(new); 6402 if (!strcmp(name, "exec")) { 6403 tsec->exec_sid = sid; 6404 } else if (!strcmp(name, "fscreate")) { 6405 tsec->create_sid = sid; 6406 } else if (!strcmp(name, "keycreate")) { 6407 if (sid) { 6408 error = avc_has_perm(&selinux_state, mysid, sid, 6409 SECCLASS_KEY, KEY__CREATE, NULL); 6410 if (error) 6411 goto abort_change; 6412 } 6413 tsec->keycreate_sid = sid; 6414 } else if (!strcmp(name, "sockcreate")) { 6415 tsec->sockcreate_sid = sid; 6416 } else if (!strcmp(name, "current")) { 6417 error = -EINVAL; 6418 if (sid == 0) 6419 goto abort_change; 6420 6421 /* Only allow single threaded processes to change context */ 6422 error = -EPERM; 6423 if (!current_is_single_threaded()) { 6424 error = security_bounded_transition(&selinux_state, 6425 tsec->sid, sid); 6426 if (error) 6427 goto abort_change; 6428 } 6429 6430 /* Check permissions for the transition. */ 6431 error = avc_has_perm(&selinux_state, 6432 tsec->sid, sid, SECCLASS_PROCESS, 6433 PROCESS__DYNTRANSITION, NULL); 6434 if (error) 6435 goto abort_change; 6436 6437 /* Check for ptracing, and update the task SID if ok. 6438 Otherwise, leave SID unchanged and fail. */ 6439 ptsid = ptrace_parent_sid(); 6440 if (ptsid != 0) { 6441 error = avc_has_perm(&selinux_state, 6442 ptsid, sid, SECCLASS_PROCESS, 6443 PROCESS__PTRACE, NULL); 6444 if (error) 6445 goto abort_change; 6446 } 6447 6448 tsec->sid = sid; 6449 } else { 6450 error = -EINVAL; 6451 goto abort_change; 6452 } 6453 6454 commit_creds(new); 6455 return size; 6456 6457 abort_change: 6458 abort_creds(new); 6459 return error; 6460 } 6461 6462 static int selinux_ismaclabel(const char *name) 6463 { 6464 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6465 } 6466 6467 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6468 { 6469 return security_sid_to_context(&selinux_state, secid, 6470 secdata, seclen); 6471 } 6472 6473 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6474 { 6475 return security_context_to_sid(&selinux_state, secdata, seclen, 6476 secid, GFP_KERNEL); 6477 } 6478 6479 static void selinux_release_secctx(char *secdata, u32 seclen) 6480 { 6481 kfree(secdata); 6482 } 6483 6484 static void selinux_inode_invalidate_secctx(struct inode *inode) 6485 { 6486 struct inode_security_struct *isec = selinux_inode(inode); 6487 6488 spin_lock(&isec->lock); 6489 isec->initialized = LABEL_INVALID; 6490 spin_unlock(&isec->lock); 6491 } 6492 6493 /* 6494 * called with inode->i_mutex locked 6495 */ 6496 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6497 { 6498 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, 6499 ctx, ctxlen, 0); 6500 /* Do not return error when suppressing label (SBLABEL_MNT not set). */ 6501 return rc == -EOPNOTSUPP ? 0 : rc; 6502 } 6503 6504 /* 6505 * called with inode->i_mutex locked 6506 */ 6507 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6508 { 6509 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 6510 } 6511 6512 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6513 { 6514 int len = 0; 6515 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 6516 ctx, true); 6517 if (len < 0) 6518 return len; 6519 *ctxlen = len; 6520 return 0; 6521 } 6522 #ifdef CONFIG_KEYS 6523 6524 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6525 unsigned long flags) 6526 { 6527 const struct task_security_struct *tsec; 6528 struct key_security_struct *ksec; 6529 6530 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6531 if (!ksec) 6532 return -ENOMEM; 6533 6534 tsec = selinux_cred(cred); 6535 if (tsec->keycreate_sid) 6536 ksec->sid = tsec->keycreate_sid; 6537 else 6538 ksec->sid = tsec->sid; 6539 6540 k->security = ksec; 6541 return 0; 6542 } 6543 6544 static void selinux_key_free(struct key *k) 6545 { 6546 struct key_security_struct *ksec = k->security; 6547 6548 k->security = NULL; 6549 kfree(ksec); 6550 } 6551 6552 static int selinux_key_permission(key_ref_t key_ref, 6553 const struct cred *cred, 6554 unsigned perm) 6555 { 6556 struct key *key; 6557 struct key_security_struct *ksec; 6558 u32 sid; 6559 6560 /* if no specific permissions are requested, we skip the 6561 permission check. No serious, additional covert channels 6562 appear to be created. */ 6563 if (perm == 0) 6564 return 0; 6565 6566 sid = cred_sid(cred); 6567 6568 key = key_ref_to_ptr(key_ref); 6569 ksec = key->security; 6570 6571 return avc_has_perm(&selinux_state, 6572 sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6573 } 6574 6575 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6576 { 6577 struct key_security_struct *ksec = key->security; 6578 char *context = NULL; 6579 unsigned len; 6580 int rc; 6581 6582 rc = security_sid_to_context(&selinux_state, ksec->sid, 6583 &context, &len); 6584 if (!rc) 6585 rc = len; 6586 *_buffer = context; 6587 return rc; 6588 } 6589 #endif 6590 6591 #ifdef CONFIG_SECURITY_INFINIBAND 6592 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6593 { 6594 struct common_audit_data ad; 6595 int err; 6596 u32 sid = 0; 6597 struct ib_security_struct *sec = ib_sec; 6598 struct lsm_ibpkey_audit ibpkey; 6599 6600 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6601 if (err) 6602 return err; 6603 6604 ad.type = LSM_AUDIT_DATA_IBPKEY; 6605 ibpkey.subnet_prefix = subnet_prefix; 6606 ibpkey.pkey = pkey_val; 6607 ad.u.ibpkey = &ibpkey; 6608 return avc_has_perm(&selinux_state, 6609 sec->sid, sid, 6610 SECCLASS_INFINIBAND_PKEY, 6611 INFINIBAND_PKEY__ACCESS, &ad); 6612 } 6613 6614 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6615 u8 port_num) 6616 { 6617 struct common_audit_data ad; 6618 int err; 6619 u32 sid = 0; 6620 struct ib_security_struct *sec = ib_sec; 6621 struct lsm_ibendport_audit ibendport; 6622 6623 err = security_ib_endport_sid(&selinux_state, dev_name, port_num, 6624 &sid); 6625 6626 if (err) 6627 return err; 6628 6629 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6630 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6631 ibendport.port = port_num; 6632 ad.u.ibendport = &ibendport; 6633 return avc_has_perm(&selinux_state, 6634 sec->sid, sid, 6635 SECCLASS_INFINIBAND_ENDPORT, 6636 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6637 } 6638 6639 static int selinux_ib_alloc_security(void **ib_sec) 6640 { 6641 struct ib_security_struct *sec; 6642 6643 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6644 if (!sec) 6645 return -ENOMEM; 6646 sec->sid = current_sid(); 6647 6648 *ib_sec = sec; 6649 return 0; 6650 } 6651 6652 static void selinux_ib_free_security(void *ib_sec) 6653 { 6654 kfree(ib_sec); 6655 } 6656 #endif 6657 6658 #ifdef CONFIG_BPF_SYSCALL 6659 static int selinux_bpf(int cmd, union bpf_attr *attr, 6660 unsigned int size) 6661 { 6662 u32 sid = current_sid(); 6663 int ret; 6664 6665 switch (cmd) { 6666 case BPF_MAP_CREATE: 6667 ret = avc_has_perm(&selinux_state, 6668 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6669 NULL); 6670 break; 6671 case BPF_PROG_LOAD: 6672 ret = avc_has_perm(&selinux_state, 6673 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6674 NULL); 6675 break; 6676 default: 6677 ret = 0; 6678 break; 6679 } 6680 6681 return ret; 6682 } 6683 6684 static u32 bpf_map_fmode_to_av(fmode_t fmode) 6685 { 6686 u32 av = 0; 6687 6688 if (fmode & FMODE_READ) 6689 av |= BPF__MAP_READ; 6690 if (fmode & FMODE_WRITE) 6691 av |= BPF__MAP_WRITE; 6692 return av; 6693 } 6694 6695 /* This function will check the file pass through unix socket or binder to see 6696 * if it is a bpf related object. And apply correspinding checks on the bpf 6697 * object based on the type. The bpf maps and programs, not like other files and 6698 * socket, are using a shared anonymous inode inside the kernel as their inode. 6699 * So checking that inode cannot identify if the process have privilege to 6700 * access the bpf object and that's why we have to add this additional check in 6701 * selinux_file_receive and selinux_binder_transfer_files. 6702 */ 6703 static int bpf_fd_pass(struct file *file, u32 sid) 6704 { 6705 struct bpf_security_struct *bpfsec; 6706 struct bpf_prog *prog; 6707 struct bpf_map *map; 6708 int ret; 6709 6710 if (file->f_op == &bpf_map_fops) { 6711 map = file->private_data; 6712 bpfsec = map->security; 6713 ret = avc_has_perm(&selinux_state, 6714 sid, bpfsec->sid, SECCLASS_BPF, 6715 bpf_map_fmode_to_av(file->f_mode), NULL); 6716 if (ret) 6717 return ret; 6718 } else if (file->f_op == &bpf_prog_fops) { 6719 prog = file->private_data; 6720 bpfsec = prog->aux->security; 6721 ret = avc_has_perm(&selinux_state, 6722 sid, bpfsec->sid, SECCLASS_BPF, 6723 BPF__PROG_RUN, NULL); 6724 if (ret) 6725 return ret; 6726 } 6727 return 0; 6728 } 6729 6730 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 6731 { 6732 u32 sid = current_sid(); 6733 struct bpf_security_struct *bpfsec; 6734 6735 bpfsec = map->security; 6736 return avc_has_perm(&selinux_state, 6737 sid, bpfsec->sid, SECCLASS_BPF, 6738 bpf_map_fmode_to_av(fmode), NULL); 6739 } 6740 6741 static int selinux_bpf_prog(struct bpf_prog *prog) 6742 { 6743 u32 sid = current_sid(); 6744 struct bpf_security_struct *bpfsec; 6745 6746 bpfsec = prog->aux->security; 6747 return avc_has_perm(&selinux_state, 6748 sid, bpfsec->sid, SECCLASS_BPF, 6749 BPF__PROG_RUN, NULL); 6750 } 6751 6752 static int selinux_bpf_map_alloc(struct bpf_map *map) 6753 { 6754 struct bpf_security_struct *bpfsec; 6755 6756 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6757 if (!bpfsec) 6758 return -ENOMEM; 6759 6760 bpfsec->sid = current_sid(); 6761 map->security = bpfsec; 6762 6763 return 0; 6764 } 6765 6766 static void selinux_bpf_map_free(struct bpf_map *map) 6767 { 6768 struct bpf_security_struct *bpfsec = map->security; 6769 6770 map->security = NULL; 6771 kfree(bpfsec); 6772 } 6773 6774 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux) 6775 { 6776 struct bpf_security_struct *bpfsec; 6777 6778 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6779 if (!bpfsec) 6780 return -ENOMEM; 6781 6782 bpfsec->sid = current_sid(); 6783 aux->security = bpfsec; 6784 6785 return 0; 6786 } 6787 6788 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) 6789 { 6790 struct bpf_security_struct *bpfsec = aux->security; 6791 6792 aux->security = NULL; 6793 kfree(bpfsec); 6794 } 6795 #endif 6796 6797 static int selinux_lockdown(enum lockdown_reason what) 6798 { 6799 struct common_audit_data ad; 6800 u32 sid = current_sid(); 6801 int invalid_reason = (what <= LOCKDOWN_NONE) || 6802 (what == LOCKDOWN_INTEGRITY_MAX) || 6803 (what >= LOCKDOWN_CONFIDENTIALITY_MAX); 6804 6805 if (WARN(invalid_reason, "Invalid lockdown reason")) { 6806 audit_log(audit_context(), 6807 GFP_ATOMIC, AUDIT_SELINUX_ERR, 6808 "lockdown_reason=invalid"); 6809 return -EINVAL; 6810 } 6811 6812 ad.type = LSM_AUDIT_DATA_LOCKDOWN; 6813 ad.u.reason = what; 6814 6815 if (what <= LOCKDOWN_INTEGRITY_MAX) 6816 return avc_has_perm(&selinux_state, 6817 sid, sid, SECCLASS_LOCKDOWN, 6818 LOCKDOWN__INTEGRITY, &ad); 6819 else 6820 return avc_has_perm(&selinux_state, 6821 sid, sid, SECCLASS_LOCKDOWN, 6822 LOCKDOWN__CONFIDENTIALITY, &ad); 6823 } 6824 6825 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { 6826 .lbs_cred = sizeof(struct task_security_struct), 6827 .lbs_file = sizeof(struct file_security_struct), 6828 .lbs_inode = sizeof(struct inode_security_struct), 6829 .lbs_ipc = sizeof(struct ipc_security_struct), 6830 .lbs_msg_msg = sizeof(struct msg_security_struct), 6831 }; 6832 6833 #ifdef CONFIG_PERF_EVENTS 6834 static int selinux_perf_event_open(struct perf_event_attr *attr, int type) 6835 { 6836 u32 requested, sid = current_sid(); 6837 6838 if (type == PERF_SECURITY_OPEN) 6839 requested = PERF_EVENT__OPEN; 6840 else if (type == PERF_SECURITY_CPU) 6841 requested = PERF_EVENT__CPU; 6842 else if (type == PERF_SECURITY_KERNEL) 6843 requested = PERF_EVENT__KERNEL; 6844 else if (type == PERF_SECURITY_TRACEPOINT) 6845 requested = PERF_EVENT__TRACEPOINT; 6846 else 6847 return -EINVAL; 6848 6849 return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT, 6850 requested, NULL); 6851 } 6852 6853 static int selinux_perf_event_alloc(struct perf_event *event) 6854 { 6855 struct perf_event_security_struct *perfsec; 6856 6857 perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL); 6858 if (!perfsec) 6859 return -ENOMEM; 6860 6861 perfsec->sid = current_sid(); 6862 event->security = perfsec; 6863 6864 return 0; 6865 } 6866 6867 static void selinux_perf_event_free(struct perf_event *event) 6868 { 6869 struct perf_event_security_struct *perfsec = event->security; 6870 6871 event->security = NULL; 6872 kfree(perfsec); 6873 } 6874 6875 static int selinux_perf_event_read(struct perf_event *event) 6876 { 6877 struct perf_event_security_struct *perfsec = event->security; 6878 u32 sid = current_sid(); 6879 6880 return avc_has_perm(&selinux_state, sid, perfsec->sid, 6881 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL); 6882 } 6883 6884 static int selinux_perf_event_write(struct perf_event *event) 6885 { 6886 struct perf_event_security_struct *perfsec = event->security; 6887 u32 sid = current_sid(); 6888 6889 return avc_has_perm(&selinux_state, sid, perfsec->sid, 6890 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL); 6891 } 6892 #endif 6893 6894 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 6895 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6896 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6897 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6898 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6899 6900 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 6901 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 6902 LSM_HOOK_INIT(capget, selinux_capget), 6903 LSM_HOOK_INIT(capset, selinux_capset), 6904 LSM_HOOK_INIT(capable, selinux_capable), 6905 LSM_HOOK_INIT(quotactl, selinux_quotactl), 6906 LSM_HOOK_INIT(quota_on, selinux_quota_on), 6907 LSM_HOOK_INIT(syslog, selinux_syslog), 6908 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6909 6910 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6911 6912 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6913 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6914 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6915 6916 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 6917 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 6918 6919 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6920 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6921 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 6922 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), 6923 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6924 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6925 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6926 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 6927 LSM_HOOK_INIT(sb_mount, selinux_mount), 6928 LSM_HOOK_INIT(sb_umount, selinux_umount), 6929 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 6930 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 6931 LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt), 6932 6933 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 6934 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 6935 6936 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 6937 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 6938 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 6939 LSM_HOOK_INIT(inode_create, selinux_inode_create), 6940 LSM_HOOK_INIT(inode_link, selinux_inode_link), 6941 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 6942 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 6943 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 6944 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 6945 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 6946 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 6947 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 6948 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 6949 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 6950 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 6951 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 6952 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 6953 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 6954 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 6955 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 6956 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 6957 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 6958 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 6959 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 6960 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 6961 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 6962 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 6963 LSM_HOOK_INIT(path_notify, selinux_path_notify), 6964 6965 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security), 6966 6967 LSM_HOOK_INIT(file_permission, selinux_file_permission), 6968 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 6969 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 6970 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 6971 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 6972 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 6973 LSM_HOOK_INIT(file_lock, selinux_file_lock), 6974 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 6975 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 6976 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 6977 LSM_HOOK_INIT(file_receive, selinux_file_receive), 6978 6979 LSM_HOOK_INIT(file_open, selinux_file_open), 6980 6981 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 6982 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6983 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6984 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 6985 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6986 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6987 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6988 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 6989 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 6990 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 6991 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 6992 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 6993 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), 6994 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 6995 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 6996 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 6997 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 6998 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 6999 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 7000 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 7001 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 7002 LSM_HOOK_INIT(task_kill, selinux_task_kill), 7003 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 7004 7005 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 7006 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 7007 7008 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 7009 7010 LSM_HOOK_INIT(msg_queue_alloc_security, 7011 selinux_msg_queue_alloc_security), 7012 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 7013 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 7014 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 7015 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 7016 7017 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 7018 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 7019 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 7020 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 7021 7022 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 7023 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 7024 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 7025 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 7026 7027 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 7028 7029 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 7030 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 7031 7032 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 7033 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 7034 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 7035 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 7036 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 7037 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 7038 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 7039 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 7040 7041 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 7042 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 7043 7044 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7045 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7046 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), 7047 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7048 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7049 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7050 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7051 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7052 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7053 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7054 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7055 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7056 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7057 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7058 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7059 LSM_HOOK_INIT(socket_getpeersec_stream, 7060 selinux_socket_getpeersec_stream), 7061 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7062 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7063 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7064 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7065 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7066 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7067 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7068 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7069 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7070 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7071 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7072 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7073 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7074 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7075 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7076 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7077 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7078 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 7079 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7080 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7081 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7082 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7083 #ifdef CONFIG_SECURITY_INFINIBAND 7084 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7085 LSM_HOOK_INIT(ib_endport_manage_subnet, 7086 selinux_ib_endport_manage_subnet), 7087 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7088 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 7089 #endif 7090 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7091 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7092 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7093 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7094 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7095 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7096 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7097 selinux_xfrm_state_alloc_acquire), 7098 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7099 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7100 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7101 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7102 selinux_xfrm_state_pol_flow_match), 7103 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7104 #endif 7105 7106 #ifdef CONFIG_KEYS 7107 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7108 LSM_HOOK_INIT(key_free, selinux_key_free), 7109 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7110 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7111 #endif 7112 7113 #ifdef CONFIG_AUDIT 7114 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7115 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7116 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7117 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7118 #endif 7119 7120 #ifdef CONFIG_BPF_SYSCALL 7121 LSM_HOOK_INIT(bpf, selinux_bpf), 7122 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7123 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7124 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), 7125 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), 7126 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free), 7127 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free), 7128 #endif 7129 7130 #ifdef CONFIG_PERF_EVENTS 7131 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open), 7132 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), 7133 LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free), 7134 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read), 7135 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write), 7136 #endif 7137 7138 LSM_HOOK_INIT(locked_down, selinux_lockdown), 7139 }; 7140 7141 static __init int selinux_init(void) 7142 { 7143 pr_info("SELinux: Initializing.\n"); 7144 7145 memset(&selinux_state, 0, sizeof(selinux_state)); 7146 enforcing_set(&selinux_state, selinux_enforcing_boot); 7147 selinux_state.checkreqprot = selinux_checkreqprot_boot; 7148 selinux_ss_init(&selinux_state.ss); 7149 selinux_avc_init(&selinux_state.avc); 7150 7151 /* Set the security state for the initial task. */ 7152 cred_init_security(); 7153 7154 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7155 7156 avc_init(); 7157 7158 avtab_cache_init(); 7159 7160 ebitmap_cache_init(); 7161 7162 hashtab_cache_init(); 7163 7164 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 7165 7166 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7167 panic("SELinux: Unable to register AVC netcache callback\n"); 7168 7169 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7170 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7171 7172 if (selinux_enforcing_boot) 7173 pr_debug("SELinux: Starting in enforcing mode\n"); 7174 else 7175 pr_debug("SELinux: Starting in permissive mode\n"); 7176 7177 fs_validate_description(&selinux_fs_parameters); 7178 7179 return 0; 7180 } 7181 7182 static void delayed_superblock_init(struct super_block *sb, void *unused) 7183 { 7184 selinux_set_mnt_opts(sb, NULL, 0, NULL); 7185 } 7186 7187 void selinux_complete_init(void) 7188 { 7189 pr_debug("SELinux: Completing initialization.\n"); 7190 7191 /* Set up any superblocks initialized prior to the policy load. */ 7192 pr_debug("SELinux: Setting up existing superblocks.\n"); 7193 iterate_supers(delayed_superblock_init, NULL); 7194 } 7195 7196 /* SELinux requires early initialization in order to label 7197 all processes and objects when they are created. */ 7198 DEFINE_LSM(selinux) = { 7199 .name = "selinux", 7200 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 7201 .enabled = &selinux_enabled_boot, 7202 .blobs = &selinux_blob_sizes, 7203 .init = selinux_init, 7204 }; 7205 7206 #if defined(CONFIG_NETFILTER) 7207 7208 static const struct nf_hook_ops selinux_nf_ops[] = { 7209 { 7210 .hook = selinux_ipv4_postroute, 7211 .pf = NFPROTO_IPV4, 7212 .hooknum = NF_INET_POST_ROUTING, 7213 .priority = NF_IP_PRI_SELINUX_LAST, 7214 }, 7215 { 7216 .hook = selinux_ipv4_forward, 7217 .pf = NFPROTO_IPV4, 7218 .hooknum = NF_INET_FORWARD, 7219 .priority = NF_IP_PRI_SELINUX_FIRST, 7220 }, 7221 { 7222 .hook = selinux_ipv4_output, 7223 .pf = NFPROTO_IPV4, 7224 .hooknum = NF_INET_LOCAL_OUT, 7225 .priority = NF_IP_PRI_SELINUX_FIRST, 7226 }, 7227 #if IS_ENABLED(CONFIG_IPV6) 7228 { 7229 .hook = selinux_ipv6_postroute, 7230 .pf = NFPROTO_IPV6, 7231 .hooknum = NF_INET_POST_ROUTING, 7232 .priority = NF_IP6_PRI_SELINUX_LAST, 7233 }, 7234 { 7235 .hook = selinux_ipv6_forward, 7236 .pf = NFPROTO_IPV6, 7237 .hooknum = NF_INET_FORWARD, 7238 .priority = NF_IP6_PRI_SELINUX_FIRST, 7239 }, 7240 { 7241 .hook = selinux_ipv6_output, 7242 .pf = NFPROTO_IPV6, 7243 .hooknum = NF_INET_LOCAL_OUT, 7244 .priority = NF_IP6_PRI_SELINUX_FIRST, 7245 }, 7246 #endif /* IPV6 */ 7247 }; 7248 7249 static int __net_init selinux_nf_register(struct net *net) 7250 { 7251 return nf_register_net_hooks(net, selinux_nf_ops, 7252 ARRAY_SIZE(selinux_nf_ops)); 7253 } 7254 7255 static void __net_exit selinux_nf_unregister(struct net *net) 7256 { 7257 nf_unregister_net_hooks(net, selinux_nf_ops, 7258 ARRAY_SIZE(selinux_nf_ops)); 7259 } 7260 7261 static struct pernet_operations selinux_net_ops = { 7262 .init = selinux_nf_register, 7263 .exit = selinux_nf_unregister, 7264 }; 7265 7266 static int __init selinux_nf_ip_init(void) 7267 { 7268 int err; 7269 7270 if (!selinux_enabled_boot) 7271 return 0; 7272 7273 pr_debug("SELinux: Registering netfilter hooks\n"); 7274 7275 err = register_pernet_subsys(&selinux_net_ops); 7276 if (err) 7277 panic("SELinux: register_pernet_subsys: error %d\n", err); 7278 7279 return 0; 7280 } 7281 __initcall(selinux_nf_ip_init); 7282 7283 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7284 static void selinux_nf_ip_exit(void) 7285 { 7286 pr_debug("SELinux: Unregistering netfilter hooks\n"); 7287 7288 unregister_pernet_subsys(&selinux_net_ops); 7289 } 7290 #endif 7291 7292 #else /* CONFIG_NETFILTER */ 7293 7294 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7295 #define selinux_nf_ip_exit() 7296 #endif 7297 7298 #endif /* CONFIG_NETFILTER */ 7299 7300 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7301 int selinux_disable(struct selinux_state *state) 7302 { 7303 if (state->initialized) { 7304 /* Not permitted after initial policy load. */ 7305 return -EINVAL; 7306 } 7307 7308 if (state->disabled) { 7309 /* Only do this once. */ 7310 return -EINVAL; 7311 } 7312 7313 state->disabled = 1; 7314 7315 pr_info("SELinux: Disabled at runtime.\n"); 7316 7317 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7318 7319 /* Try to destroy the avc node cache */ 7320 avc_disable(); 7321 7322 /* Unregister netfilter hooks. */ 7323 selinux_nf_ip_exit(); 7324 7325 /* Unregister selinuxfs. */ 7326 exit_sel_fs(); 7327 7328 return 0; 7329 } 7330 #endif 7331