xref: /openbmc/linux/security/selinux/hooks.c (revision 45958425)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  Security-Enhanced Linux (SELinux) security module
4  *
5  *  This file contains the SELinux hook function implementations.
6  *
7  *  Authors:  Stephen Smalley, <stephen.smalley.work@gmail.com>
8  *	      Chris Vance, <cvance@nai.com>
9  *	      Wayne Salamon, <wsalamon@nai.com>
10  *	      James Morris <jmorris@redhat.com>
11  *
12  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14  *					   Eric Paris <eparis@redhat.com>
15  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  *			    <dgoeddel@trustedcs.com>
17  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18  *	Paul Moore <paul@paul-moore.com>
19  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
21  *  Copyright (C) 2016 Mellanox Technologies
22  */
23 
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>		/* for local_port_range[] */
55 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>	/* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h>		/* for Unix socket types */
73 #include <net/af_unix.h>	/* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
76 #include <net/ipv6.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h>	/* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94 #include <linux/io_uring.h>
95 
96 #include "avc.h"
97 #include "objsec.h"
98 #include "netif.h"
99 #include "netnode.h"
100 #include "netport.h"
101 #include "ibpkey.h"
102 #include "xfrm.h"
103 #include "netlabel.h"
104 #include "audit.h"
105 #include "avc_ss.h"
106 
107 #define SELINUX_INODE_INIT_XATTRS 1
108 
109 struct selinux_state selinux_state;
110 
111 /* SECMARK reference count */
112 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
113 
114 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
115 static int selinux_enforcing_boot __initdata;
116 
enforcing_setup(char * str)117 static int __init enforcing_setup(char *str)
118 {
119 	unsigned long enforcing;
120 	if (!kstrtoul(str, 0, &enforcing))
121 		selinux_enforcing_boot = enforcing ? 1 : 0;
122 	return 1;
123 }
124 __setup("enforcing=", enforcing_setup);
125 #else
126 #define selinux_enforcing_boot 1
127 #endif
128 
129 int selinux_enabled_boot __initdata = 1;
130 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
selinux_enabled_setup(char * str)131 static int __init selinux_enabled_setup(char *str)
132 {
133 	unsigned long enabled;
134 	if (!kstrtoul(str, 0, &enabled))
135 		selinux_enabled_boot = enabled ? 1 : 0;
136 	return 1;
137 }
138 __setup("selinux=", selinux_enabled_setup);
139 #endif
140 
checkreqprot_setup(char * str)141 static int __init checkreqprot_setup(char *str)
142 {
143 	unsigned long checkreqprot;
144 
145 	if (!kstrtoul(str, 0, &checkreqprot)) {
146 		if (checkreqprot)
147 			pr_err("SELinux: checkreqprot set to 1 via kernel parameter.  This is no longer supported.\n");
148 	}
149 	return 1;
150 }
151 __setup("checkreqprot=", checkreqprot_setup);
152 
153 /**
154  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
155  *
156  * Description:
157  * This function checks the SECMARK reference counter to see if any SECMARK
158  * targets are currently configured, if the reference counter is greater than
159  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
160  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
161  * policy capability is enabled, SECMARK is always considered enabled.
162  *
163  */
selinux_secmark_enabled(void)164 static int selinux_secmark_enabled(void)
165 {
166 	return (selinux_policycap_alwaysnetwork() ||
167 		atomic_read(&selinux_secmark_refcount));
168 }
169 
170 /**
171  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
172  *
173  * Description:
174  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
175  * (1) if any are enabled or false (0) if neither are enabled.  If the
176  * always_check_network policy capability is enabled, peer labeling
177  * is always considered enabled.
178  *
179  */
selinux_peerlbl_enabled(void)180 static int selinux_peerlbl_enabled(void)
181 {
182 	return (selinux_policycap_alwaysnetwork() ||
183 		netlbl_enabled() || selinux_xfrm_enabled());
184 }
185 
selinux_netcache_avc_callback(u32 event)186 static int selinux_netcache_avc_callback(u32 event)
187 {
188 	if (event == AVC_CALLBACK_RESET) {
189 		sel_netif_flush();
190 		sel_netnode_flush();
191 		sel_netport_flush();
192 		synchronize_net();
193 	}
194 	return 0;
195 }
196 
selinux_lsm_notifier_avc_callback(u32 event)197 static int selinux_lsm_notifier_avc_callback(u32 event)
198 {
199 	if (event == AVC_CALLBACK_RESET) {
200 		sel_ib_pkey_flush();
201 		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
202 	}
203 
204 	return 0;
205 }
206 
207 /*
208  * initialise the security for the init task
209  */
cred_init_security(void)210 static void cred_init_security(void)
211 {
212 	struct task_security_struct *tsec;
213 
214 	tsec = selinux_cred(unrcu_pointer(current->real_cred));
215 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
216 }
217 
218 /*
219  * get the security ID of a set of credentials
220  */
cred_sid(const struct cred * cred)221 static inline u32 cred_sid(const struct cred *cred)
222 {
223 	const struct task_security_struct *tsec;
224 
225 	tsec = selinux_cred(cred);
226 	return tsec->sid;
227 }
228 
__ad_net_init(struct common_audit_data * ad,struct lsm_network_audit * net,int ifindex,struct sock * sk,u16 family)229 static void __ad_net_init(struct common_audit_data *ad,
230 			  struct lsm_network_audit *net,
231 			  int ifindex, struct sock *sk, u16 family)
232 {
233 	ad->type = LSM_AUDIT_DATA_NET;
234 	ad->u.net = net;
235 	net->netif = ifindex;
236 	net->sk = sk;
237 	net->family = family;
238 }
239 
ad_net_init_from_sk(struct common_audit_data * ad,struct lsm_network_audit * net,struct sock * sk)240 static void ad_net_init_from_sk(struct common_audit_data *ad,
241 				struct lsm_network_audit *net,
242 				struct sock *sk)
243 {
244 	__ad_net_init(ad, net, 0, sk, 0);
245 }
246 
ad_net_init_from_iif(struct common_audit_data * ad,struct lsm_network_audit * net,int ifindex,u16 family)247 static void ad_net_init_from_iif(struct common_audit_data *ad,
248 				 struct lsm_network_audit *net,
249 				 int ifindex, u16 family)
250 {
251 	__ad_net_init(ad, net, ifindex, NULL, family);
252 }
253 
254 /*
255  * get the objective security ID of a task
256  */
task_sid_obj(const struct task_struct * task)257 static inline u32 task_sid_obj(const struct task_struct *task)
258 {
259 	u32 sid;
260 
261 	rcu_read_lock();
262 	sid = cred_sid(__task_cred(task));
263 	rcu_read_unlock();
264 	return sid;
265 }
266 
267 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
268 
269 /*
270  * Try reloading inode security labels that have been marked as invalid.  The
271  * @may_sleep parameter indicates when sleeping and thus reloading labels is
272  * allowed; when set to false, returns -ECHILD when the label is
273  * invalid.  The @dentry parameter should be set to a dentry of the inode.
274  */
__inode_security_revalidate(struct inode * inode,struct dentry * dentry,bool may_sleep)275 static int __inode_security_revalidate(struct inode *inode,
276 				       struct dentry *dentry,
277 				       bool may_sleep)
278 {
279 	struct inode_security_struct *isec = selinux_inode(inode);
280 
281 	might_sleep_if(may_sleep);
282 
283 	if (selinux_initialized() &&
284 	    isec->initialized != LABEL_INITIALIZED) {
285 		if (!may_sleep)
286 			return -ECHILD;
287 
288 		/*
289 		 * Try reloading the inode security label.  This will fail if
290 		 * @opt_dentry is NULL and no dentry for this inode can be
291 		 * found; in that case, continue using the old label.
292 		 */
293 		inode_doinit_with_dentry(inode, dentry);
294 	}
295 	return 0;
296 }
297 
inode_security_novalidate(struct inode * inode)298 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
299 {
300 	return selinux_inode(inode);
301 }
302 
inode_security_rcu(struct inode * inode,bool rcu)303 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
304 {
305 	int error;
306 
307 	error = __inode_security_revalidate(inode, NULL, !rcu);
308 	if (error)
309 		return ERR_PTR(error);
310 	return selinux_inode(inode);
311 }
312 
313 /*
314  * Get the security label of an inode.
315  */
inode_security(struct inode * inode)316 static struct inode_security_struct *inode_security(struct inode *inode)
317 {
318 	__inode_security_revalidate(inode, NULL, true);
319 	return selinux_inode(inode);
320 }
321 
backing_inode_security_novalidate(struct dentry * dentry)322 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
323 {
324 	struct inode *inode = d_backing_inode(dentry);
325 
326 	return selinux_inode(inode);
327 }
328 
329 /*
330  * Get the security label of a dentry's backing inode.
331  */
backing_inode_security(struct dentry * dentry)332 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
333 {
334 	struct inode *inode = d_backing_inode(dentry);
335 
336 	__inode_security_revalidate(inode, dentry, true);
337 	return selinux_inode(inode);
338 }
339 
inode_free_security(struct inode * inode)340 static void inode_free_security(struct inode *inode)
341 {
342 	struct inode_security_struct *isec = selinux_inode(inode);
343 	struct superblock_security_struct *sbsec;
344 
345 	if (!isec)
346 		return;
347 	sbsec = selinux_superblock(inode->i_sb);
348 	/*
349 	 * As not all inode security structures are in a list, we check for
350 	 * empty list outside of the lock to make sure that we won't waste
351 	 * time taking a lock doing nothing.
352 	 *
353 	 * The list_del_init() function can be safely called more than once.
354 	 * It should not be possible for this function to be called with
355 	 * concurrent list_add(), but for better safety against future changes
356 	 * in the code, we use list_empty_careful() here.
357 	 */
358 	if (!list_empty_careful(&isec->list)) {
359 		spin_lock(&sbsec->isec_lock);
360 		list_del_init(&isec->list);
361 		spin_unlock(&sbsec->isec_lock);
362 	}
363 }
364 
365 struct selinux_mnt_opts {
366 	u32 fscontext_sid;
367 	u32 context_sid;
368 	u32 rootcontext_sid;
369 	u32 defcontext_sid;
370 };
371 
selinux_free_mnt_opts(void * mnt_opts)372 static void selinux_free_mnt_opts(void *mnt_opts)
373 {
374 	kfree(mnt_opts);
375 }
376 
377 enum {
378 	Opt_error = -1,
379 	Opt_context = 0,
380 	Opt_defcontext = 1,
381 	Opt_fscontext = 2,
382 	Opt_rootcontext = 3,
383 	Opt_seclabel = 4,
384 };
385 
386 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
387 static const struct {
388 	const char *name;
389 	int len;
390 	int opt;
391 	bool has_arg;
392 } tokens[] = {
393 	A(context, true),
394 	A(fscontext, true),
395 	A(defcontext, true),
396 	A(rootcontext, true),
397 	A(seclabel, false),
398 };
399 #undef A
400 
match_opt_prefix(char * s,int l,char ** arg)401 static int match_opt_prefix(char *s, int l, char **arg)
402 {
403 	int i;
404 
405 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
406 		size_t len = tokens[i].len;
407 		if (len > l || memcmp(s, tokens[i].name, len))
408 			continue;
409 		if (tokens[i].has_arg) {
410 			if (len == l || s[len] != '=')
411 				continue;
412 			*arg = s + len + 1;
413 		} else if (len != l)
414 			continue;
415 		return tokens[i].opt;
416 	}
417 	return Opt_error;
418 }
419 
420 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
421 
may_context_mount_sb_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)422 static int may_context_mount_sb_relabel(u32 sid,
423 			struct superblock_security_struct *sbsec,
424 			const struct cred *cred)
425 {
426 	const struct task_security_struct *tsec = selinux_cred(cred);
427 	int rc;
428 
429 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
430 			  FILESYSTEM__RELABELFROM, NULL);
431 	if (rc)
432 		return rc;
433 
434 	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
435 			  FILESYSTEM__RELABELTO, NULL);
436 	return rc;
437 }
438 
may_context_mount_inode_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)439 static int may_context_mount_inode_relabel(u32 sid,
440 			struct superblock_security_struct *sbsec,
441 			const struct cred *cred)
442 {
443 	const struct task_security_struct *tsec = selinux_cred(cred);
444 	int rc;
445 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
446 			  FILESYSTEM__RELABELFROM, NULL);
447 	if (rc)
448 		return rc;
449 
450 	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
451 			  FILESYSTEM__ASSOCIATE, NULL);
452 	return rc;
453 }
454 
selinux_is_genfs_special_handling(struct super_block * sb)455 static int selinux_is_genfs_special_handling(struct super_block *sb)
456 {
457 	/* Special handling. Genfs but also in-core setxattr handler */
458 	return	!strcmp(sb->s_type->name, "sysfs") ||
459 		!strcmp(sb->s_type->name, "pstore") ||
460 		!strcmp(sb->s_type->name, "debugfs") ||
461 		!strcmp(sb->s_type->name, "tracefs") ||
462 		!strcmp(sb->s_type->name, "rootfs") ||
463 		(selinux_policycap_cgroupseclabel() &&
464 		 (!strcmp(sb->s_type->name, "cgroup") ||
465 		  !strcmp(sb->s_type->name, "cgroup2")));
466 }
467 
selinux_is_sblabel_mnt(struct super_block * sb)468 static int selinux_is_sblabel_mnt(struct super_block *sb)
469 {
470 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
471 
472 	/*
473 	 * IMPORTANT: Double-check logic in this function when adding a new
474 	 * SECURITY_FS_USE_* definition!
475 	 */
476 	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
477 
478 	switch (sbsec->behavior) {
479 	case SECURITY_FS_USE_XATTR:
480 	case SECURITY_FS_USE_TRANS:
481 	case SECURITY_FS_USE_TASK:
482 	case SECURITY_FS_USE_NATIVE:
483 		return 1;
484 
485 	case SECURITY_FS_USE_GENFS:
486 		return selinux_is_genfs_special_handling(sb);
487 
488 	/* Never allow relabeling on context mounts */
489 	case SECURITY_FS_USE_MNTPOINT:
490 	case SECURITY_FS_USE_NONE:
491 	default:
492 		return 0;
493 	}
494 }
495 
sb_check_xattr_support(struct super_block * sb)496 static int sb_check_xattr_support(struct super_block *sb)
497 {
498 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
499 	struct dentry *root = sb->s_root;
500 	struct inode *root_inode = d_backing_inode(root);
501 	u32 sid;
502 	int rc;
503 
504 	/*
505 	 * Make sure that the xattr handler exists and that no
506 	 * error other than -ENODATA is returned by getxattr on
507 	 * the root directory.  -ENODATA is ok, as this may be
508 	 * the first boot of the SELinux kernel before we have
509 	 * assigned xattr values to the filesystem.
510 	 */
511 	if (!(root_inode->i_opflags & IOP_XATTR)) {
512 		pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
513 			sb->s_id, sb->s_type->name);
514 		goto fallback;
515 	}
516 
517 	rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
518 	if (rc < 0 && rc != -ENODATA) {
519 		if (rc == -EOPNOTSUPP) {
520 			pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
521 				sb->s_id, sb->s_type->name);
522 			goto fallback;
523 		} else {
524 			pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
525 				sb->s_id, sb->s_type->name, -rc);
526 			return rc;
527 		}
528 	}
529 	return 0;
530 
531 fallback:
532 	/* No xattr support - try to fallback to genfs if possible. */
533 	rc = security_genfs_sid(sb->s_type->name, "/",
534 				SECCLASS_DIR, &sid);
535 	if (rc)
536 		return -EOPNOTSUPP;
537 
538 	pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
539 		sb->s_id, sb->s_type->name);
540 	sbsec->behavior = SECURITY_FS_USE_GENFS;
541 	sbsec->sid = sid;
542 	return 0;
543 }
544 
sb_finish_set_opts(struct super_block * sb)545 static int sb_finish_set_opts(struct super_block *sb)
546 {
547 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
548 	struct dentry *root = sb->s_root;
549 	struct inode *root_inode = d_backing_inode(root);
550 	int rc = 0;
551 
552 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
553 		rc = sb_check_xattr_support(sb);
554 		if (rc)
555 			return rc;
556 	}
557 
558 	sbsec->flags |= SE_SBINITIALIZED;
559 
560 	/*
561 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
562 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
563 	 * us a superblock that needs the flag to be cleared.
564 	 */
565 	if (selinux_is_sblabel_mnt(sb))
566 		sbsec->flags |= SBLABEL_MNT;
567 	else
568 		sbsec->flags &= ~SBLABEL_MNT;
569 
570 	/* Initialize the root inode. */
571 	rc = inode_doinit_with_dentry(root_inode, root);
572 
573 	/* Initialize any other inodes associated with the superblock, e.g.
574 	   inodes created prior to initial policy load or inodes created
575 	   during get_sb by a pseudo filesystem that directly
576 	   populates itself. */
577 	spin_lock(&sbsec->isec_lock);
578 	while (!list_empty(&sbsec->isec_head)) {
579 		struct inode_security_struct *isec =
580 				list_first_entry(&sbsec->isec_head,
581 					   struct inode_security_struct, list);
582 		struct inode *inode = isec->inode;
583 		list_del_init(&isec->list);
584 		spin_unlock(&sbsec->isec_lock);
585 		inode = igrab(inode);
586 		if (inode) {
587 			if (!IS_PRIVATE(inode))
588 				inode_doinit_with_dentry(inode, NULL);
589 			iput(inode);
590 		}
591 		spin_lock(&sbsec->isec_lock);
592 	}
593 	spin_unlock(&sbsec->isec_lock);
594 	return rc;
595 }
596 
bad_option(struct superblock_security_struct * sbsec,char flag,u32 old_sid,u32 new_sid)597 static int bad_option(struct superblock_security_struct *sbsec, char flag,
598 		      u32 old_sid, u32 new_sid)
599 {
600 	char mnt_flags = sbsec->flags & SE_MNTMASK;
601 
602 	/* check if the old mount command had the same options */
603 	if (sbsec->flags & SE_SBINITIALIZED)
604 		if (!(sbsec->flags & flag) ||
605 		    (old_sid != new_sid))
606 			return 1;
607 
608 	/* check if we were passed the same options twice,
609 	 * aka someone passed context=a,context=b
610 	 */
611 	if (!(sbsec->flags & SE_SBINITIALIZED))
612 		if (mnt_flags & flag)
613 			return 1;
614 	return 0;
615 }
616 
617 /*
618  * Allow filesystems with binary mount data to explicitly set mount point
619  * labeling information.
620  */
selinux_set_mnt_opts(struct super_block * sb,void * mnt_opts,unsigned long kern_flags,unsigned long * set_kern_flags)621 static int selinux_set_mnt_opts(struct super_block *sb,
622 				void *mnt_opts,
623 				unsigned long kern_flags,
624 				unsigned long *set_kern_flags)
625 {
626 	const struct cred *cred = current_cred();
627 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
628 	struct dentry *root = sb->s_root;
629 	struct selinux_mnt_opts *opts = mnt_opts;
630 	struct inode_security_struct *root_isec;
631 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
632 	u32 defcontext_sid = 0;
633 	int rc = 0;
634 
635 	/*
636 	 * Specifying internal flags without providing a place to
637 	 * place the results is not allowed
638 	 */
639 	if (kern_flags && !set_kern_flags)
640 		return -EINVAL;
641 
642 	mutex_lock(&sbsec->lock);
643 
644 	if (!selinux_initialized()) {
645 		if (!opts) {
646 			/* Defer initialization until selinux_complete_init,
647 			   after the initial policy is loaded and the security
648 			   server is ready to handle calls. */
649 			if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
650 				sbsec->flags |= SE_SBNATIVE;
651 				*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
652 			}
653 			goto out;
654 		}
655 		rc = -EINVAL;
656 		pr_warn("SELinux: Unable to set superblock options "
657 			"before the security server is initialized\n");
658 		goto out;
659 	}
660 
661 	/*
662 	 * Binary mount data FS will come through this function twice.  Once
663 	 * from an explicit call and once from the generic calls from the vfs.
664 	 * Since the generic VFS calls will not contain any security mount data
665 	 * we need to skip the double mount verification.
666 	 *
667 	 * This does open a hole in which we will not notice if the first
668 	 * mount using this sb set explicit options and a second mount using
669 	 * this sb does not set any security options.  (The first options
670 	 * will be used for both mounts)
671 	 */
672 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
673 	    && !opts)
674 		goto out;
675 
676 	root_isec = backing_inode_security_novalidate(root);
677 
678 	/*
679 	 * parse the mount options, check if they are valid sids.
680 	 * also check if someone is trying to mount the same sb more
681 	 * than once with different security options.
682 	 */
683 	if (opts) {
684 		if (opts->fscontext_sid) {
685 			fscontext_sid = opts->fscontext_sid;
686 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
687 					fscontext_sid))
688 				goto out_double_mount;
689 			sbsec->flags |= FSCONTEXT_MNT;
690 		}
691 		if (opts->context_sid) {
692 			context_sid = opts->context_sid;
693 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
694 					context_sid))
695 				goto out_double_mount;
696 			sbsec->flags |= CONTEXT_MNT;
697 		}
698 		if (opts->rootcontext_sid) {
699 			rootcontext_sid = opts->rootcontext_sid;
700 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
701 					rootcontext_sid))
702 				goto out_double_mount;
703 			sbsec->flags |= ROOTCONTEXT_MNT;
704 		}
705 		if (opts->defcontext_sid) {
706 			defcontext_sid = opts->defcontext_sid;
707 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
708 					defcontext_sid))
709 				goto out_double_mount;
710 			sbsec->flags |= DEFCONTEXT_MNT;
711 		}
712 	}
713 
714 	if (sbsec->flags & SE_SBINITIALIZED) {
715 		/* previously mounted with options, but not on this attempt? */
716 		if ((sbsec->flags & SE_MNTMASK) && !opts)
717 			goto out_double_mount;
718 		rc = 0;
719 		goto out;
720 	}
721 
722 	if (strcmp(sb->s_type->name, "proc") == 0)
723 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
724 
725 	if (!strcmp(sb->s_type->name, "debugfs") ||
726 	    !strcmp(sb->s_type->name, "tracefs") ||
727 	    !strcmp(sb->s_type->name, "binder") ||
728 	    !strcmp(sb->s_type->name, "bpf") ||
729 	    !strcmp(sb->s_type->name, "pstore") ||
730 	    !strcmp(sb->s_type->name, "securityfs"))
731 		sbsec->flags |= SE_SBGENFS;
732 
733 	if (!strcmp(sb->s_type->name, "sysfs") ||
734 	    !strcmp(sb->s_type->name, "cgroup") ||
735 	    !strcmp(sb->s_type->name, "cgroup2"))
736 		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
737 
738 	if (!sbsec->behavior) {
739 		/*
740 		 * Determine the labeling behavior to use for this
741 		 * filesystem type.
742 		 */
743 		rc = security_fs_use(sb);
744 		if (rc) {
745 			pr_warn("%s: security_fs_use(%s) returned %d\n",
746 					__func__, sb->s_type->name, rc);
747 			goto out;
748 		}
749 	}
750 
751 	/*
752 	 * If this is a user namespace mount and the filesystem type is not
753 	 * explicitly whitelisted, then no contexts are allowed on the command
754 	 * line and security labels must be ignored.
755 	 */
756 	if (sb->s_user_ns != &init_user_ns &&
757 	    strcmp(sb->s_type->name, "tmpfs") &&
758 	    strcmp(sb->s_type->name, "ramfs") &&
759 	    strcmp(sb->s_type->name, "devpts") &&
760 	    strcmp(sb->s_type->name, "overlay")) {
761 		if (context_sid || fscontext_sid || rootcontext_sid ||
762 		    defcontext_sid) {
763 			rc = -EACCES;
764 			goto out;
765 		}
766 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
767 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
768 			rc = security_transition_sid(current_sid(),
769 						     current_sid(),
770 						     SECCLASS_FILE, NULL,
771 						     &sbsec->mntpoint_sid);
772 			if (rc)
773 				goto out;
774 		}
775 		goto out_set_opts;
776 	}
777 
778 	/* sets the context of the superblock for the fs being mounted. */
779 	if (fscontext_sid) {
780 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
781 		if (rc)
782 			goto out;
783 
784 		sbsec->sid = fscontext_sid;
785 	}
786 
787 	/*
788 	 * Switch to using mount point labeling behavior.
789 	 * sets the label used on all file below the mountpoint, and will set
790 	 * the superblock context if not already set.
791 	 */
792 	if (sbsec->flags & SE_SBNATIVE) {
793 		/*
794 		 * This means we are initializing a superblock that has been
795 		 * mounted before the SELinux was initialized and the
796 		 * filesystem requested native labeling. We had already
797 		 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags
798 		 * in the original mount attempt, so now we just need to set
799 		 * the SECURITY_FS_USE_NATIVE behavior.
800 		 */
801 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
802 	} else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
803 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
804 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
805 	}
806 
807 	if (context_sid) {
808 		if (!fscontext_sid) {
809 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
810 							  cred);
811 			if (rc)
812 				goto out;
813 			sbsec->sid = context_sid;
814 		} else {
815 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
816 							     cred);
817 			if (rc)
818 				goto out;
819 		}
820 		if (!rootcontext_sid)
821 			rootcontext_sid = context_sid;
822 
823 		sbsec->mntpoint_sid = context_sid;
824 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
825 	}
826 
827 	if (rootcontext_sid) {
828 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
829 						     cred);
830 		if (rc)
831 			goto out;
832 
833 		root_isec->sid = rootcontext_sid;
834 		root_isec->initialized = LABEL_INITIALIZED;
835 	}
836 
837 	if (defcontext_sid) {
838 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
839 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
840 			rc = -EINVAL;
841 			pr_warn("SELinux: defcontext option is "
842 			       "invalid for this filesystem type\n");
843 			goto out;
844 		}
845 
846 		if (defcontext_sid != sbsec->def_sid) {
847 			rc = may_context_mount_inode_relabel(defcontext_sid,
848 							     sbsec, cred);
849 			if (rc)
850 				goto out;
851 		}
852 
853 		sbsec->def_sid = defcontext_sid;
854 	}
855 
856 out_set_opts:
857 	rc = sb_finish_set_opts(sb);
858 out:
859 	mutex_unlock(&sbsec->lock);
860 	return rc;
861 out_double_mount:
862 	rc = -EINVAL;
863 	pr_warn("SELinux: mount invalid.  Same superblock, different "
864 	       "security settings for (dev %s, type %s)\n", sb->s_id,
865 	       sb->s_type->name);
866 	goto out;
867 }
868 
selinux_cmp_sb_context(const struct super_block * oldsb,const struct super_block * newsb)869 static int selinux_cmp_sb_context(const struct super_block *oldsb,
870 				    const struct super_block *newsb)
871 {
872 	struct superblock_security_struct *old = selinux_superblock(oldsb);
873 	struct superblock_security_struct *new = selinux_superblock(newsb);
874 	char oldflags = old->flags & SE_MNTMASK;
875 	char newflags = new->flags & SE_MNTMASK;
876 
877 	if (oldflags != newflags)
878 		goto mismatch;
879 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
880 		goto mismatch;
881 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
882 		goto mismatch;
883 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
884 		goto mismatch;
885 	if (oldflags & ROOTCONTEXT_MNT) {
886 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
887 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
888 		if (oldroot->sid != newroot->sid)
889 			goto mismatch;
890 	}
891 	return 0;
892 mismatch:
893 	pr_warn("SELinux: mount invalid.  Same superblock, "
894 			    "different security settings for (dev %s, "
895 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
896 	return -EBUSY;
897 }
898 
selinux_sb_clone_mnt_opts(const struct super_block * oldsb,struct super_block * newsb,unsigned long kern_flags,unsigned long * set_kern_flags)899 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
900 					struct super_block *newsb,
901 					unsigned long kern_flags,
902 					unsigned long *set_kern_flags)
903 {
904 	int rc = 0;
905 	const struct superblock_security_struct *oldsbsec =
906 						selinux_superblock(oldsb);
907 	struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
908 
909 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
910 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
911 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
912 
913 	/*
914 	 * Specifying internal flags without providing a place to
915 	 * place the results is not allowed.
916 	 */
917 	if (kern_flags && !set_kern_flags)
918 		return -EINVAL;
919 
920 	mutex_lock(&newsbsec->lock);
921 
922 	/*
923 	 * if the parent was able to be mounted it clearly had no special lsm
924 	 * mount options.  thus we can safely deal with this superblock later
925 	 */
926 	if (!selinux_initialized()) {
927 		if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
928 			newsbsec->flags |= SE_SBNATIVE;
929 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
930 		}
931 		goto out;
932 	}
933 
934 	/* how can we clone if the old one wasn't set up?? */
935 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
936 
937 	/* if fs is reusing a sb, make sure that the contexts match */
938 	if (newsbsec->flags & SE_SBINITIALIZED) {
939 		mutex_unlock(&newsbsec->lock);
940 		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
941 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
942 		return selinux_cmp_sb_context(oldsb, newsb);
943 	}
944 
945 	newsbsec->flags = oldsbsec->flags;
946 
947 	newsbsec->sid = oldsbsec->sid;
948 	newsbsec->def_sid = oldsbsec->def_sid;
949 	newsbsec->behavior = oldsbsec->behavior;
950 
951 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
952 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
953 		rc = security_fs_use(newsb);
954 		if (rc)
955 			goto out;
956 	}
957 
958 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
959 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
960 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
961 	}
962 
963 	if (set_context) {
964 		u32 sid = oldsbsec->mntpoint_sid;
965 
966 		if (!set_fscontext)
967 			newsbsec->sid = sid;
968 		if (!set_rootcontext) {
969 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
970 			newisec->sid = sid;
971 		}
972 		newsbsec->mntpoint_sid = sid;
973 	}
974 	if (set_rootcontext) {
975 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
976 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
977 
978 		newisec->sid = oldisec->sid;
979 	}
980 
981 	sb_finish_set_opts(newsb);
982 out:
983 	mutex_unlock(&newsbsec->lock);
984 	return rc;
985 }
986 
987 /*
988  * NOTE: the caller is responsible for freeing the memory even if on error.
989  */
selinux_add_opt(int token,const char * s,void ** mnt_opts)990 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
991 {
992 	struct selinux_mnt_opts *opts = *mnt_opts;
993 	u32 *dst_sid;
994 	int rc;
995 
996 	if (token == Opt_seclabel)
997 		/* eaten and completely ignored */
998 		return 0;
999 	if (!s)
1000 		return -EINVAL;
1001 
1002 	if (!selinux_initialized()) {
1003 		pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
1004 		return -EINVAL;
1005 	}
1006 
1007 	if (!opts) {
1008 		opts = kzalloc(sizeof(*opts), GFP_KERNEL);
1009 		if (!opts)
1010 			return -ENOMEM;
1011 		*mnt_opts = opts;
1012 	}
1013 
1014 	switch (token) {
1015 	case Opt_context:
1016 		if (opts->context_sid || opts->defcontext_sid)
1017 			goto err;
1018 		dst_sid = &opts->context_sid;
1019 		break;
1020 	case Opt_fscontext:
1021 		if (opts->fscontext_sid)
1022 			goto err;
1023 		dst_sid = &opts->fscontext_sid;
1024 		break;
1025 	case Opt_rootcontext:
1026 		if (opts->rootcontext_sid)
1027 			goto err;
1028 		dst_sid = &opts->rootcontext_sid;
1029 		break;
1030 	case Opt_defcontext:
1031 		if (opts->context_sid || opts->defcontext_sid)
1032 			goto err;
1033 		dst_sid = &opts->defcontext_sid;
1034 		break;
1035 	default:
1036 		WARN_ON(1);
1037 		return -EINVAL;
1038 	}
1039 	rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL);
1040 	if (rc)
1041 		pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1042 			s, rc);
1043 	return rc;
1044 
1045 err:
1046 	pr_warn(SEL_MOUNT_FAIL_MSG);
1047 	return -EINVAL;
1048 }
1049 
show_sid(struct seq_file * m,u32 sid)1050 static int show_sid(struct seq_file *m, u32 sid)
1051 {
1052 	char *context = NULL;
1053 	u32 len;
1054 	int rc;
1055 
1056 	rc = security_sid_to_context(sid, &context, &len);
1057 	if (!rc) {
1058 		bool has_comma = strchr(context, ',');
1059 
1060 		seq_putc(m, '=');
1061 		if (has_comma)
1062 			seq_putc(m, '\"');
1063 		seq_escape(m, context, "\"\n\\");
1064 		if (has_comma)
1065 			seq_putc(m, '\"');
1066 	}
1067 	kfree(context);
1068 	return rc;
1069 }
1070 
selinux_sb_show_options(struct seq_file * m,struct super_block * sb)1071 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1072 {
1073 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
1074 	int rc;
1075 
1076 	if (!(sbsec->flags & SE_SBINITIALIZED))
1077 		return 0;
1078 
1079 	if (!selinux_initialized())
1080 		return 0;
1081 
1082 	if (sbsec->flags & FSCONTEXT_MNT) {
1083 		seq_putc(m, ',');
1084 		seq_puts(m, FSCONTEXT_STR);
1085 		rc = show_sid(m, sbsec->sid);
1086 		if (rc)
1087 			return rc;
1088 	}
1089 	if (sbsec->flags & CONTEXT_MNT) {
1090 		seq_putc(m, ',');
1091 		seq_puts(m, CONTEXT_STR);
1092 		rc = show_sid(m, sbsec->mntpoint_sid);
1093 		if (rc)
1094 			return rc;
1095 	}
1096 	if (sbsec->flags & DEFCONTEXT_MNT) {
1097 		seq_putc(m, ',');
1098 		seq_puts(m, DEFCONTEXT_STR);
1099 		rc = show_sid(m, sbsec->def_sid);
1100 		if (rc)
1101 			return rc;
1102 	}
1103 	if (sbsec->flags & ROOTCONTEXT_MNT) {
1104 		struct dentry *root = sb->s_root;
1105 		struct inode_security_struct *isec = backing_inode_security(root);
1106 		seq_putc(m, ',');
1107 		seq_puts(m, ROOTCONTEXT_STR);
1108 		rc = show_sid(m, isec->sid);
1109 		if (rc)
1110 			return rc;
1111 	}
1112 	if (sbsec->flags & SBLABEL_MNT) {
1113 		seq_putc(m, ',');
1114 		seq_puts(m, SECLABEL_STR);
1115 	}
1116 	return 0;
1117 }
1118 
inode_mode_to_security_class(umode_t mode)1119 static inline u16 inode_mode_to_security_class(umode_t mode)
1120 {
1121 	switch (mode & S_IFMT) {
1122 	case S_IFSOCK:
1123 		return SECCLASS_SOCK_FILE;
1124 	case S_IFLNK:
1125 		return SECCLASS_LNK_FILE;
1126 	case S_IFREG:
1127 		return SECCLASS_FILE;
1128 	case S_IFBLK:
1129 		return SECCLASS_BLK_FILE;
1130 	case S_IFDIR:
1131 		return SECCLASS_DIR;
1132 	case S_IFCHR:
1133 		return SECCLASS_CHR_FILE;
1134 	case S_IFIFO:
1135 		return SECCLASS_FIFO_FILE;
1136 
1137 	}
1138 
1139 	return SECCLASS_FILE;
1140 }
1141 
default_protocol_stream(int protocol)1142 static inline int default_protocol_stream(int protocol)
1143 {
1144 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1145 		protocol == IPPROTO_MPTCP);
1146 }
1147 
default_protocol_dgram(int protocol)1148 static inline int default_protocol_dgram(int protocol)
1149 {
1150 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1151 }
1152 
socket_type_to_security_class(int family,int type,int protocol)1153 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1154 {
1155 	bool extsockclass = selinux_policycap_extsockclass();
1156 
1157 	switch (family) {
1158 	case PF_UNIX:
1159 		switch (type) {
1160 		case SOCK_STREAM:
1161 		case SOCK_SEQPACKET:
1162 			return SECCLASS_UNIX_STREAM_SOCKET;
1163 		case SOCK_DGRAM:
1164 		case SOCK_RAW:
1165 			return SECCLASS_UNIX_DGRAM_SOCKET;
1166 		}
1167 		break;
1168 	case PF_INET:
1169 	case PF_INET6:
1170 		switch (type) {
1171 		case SOCK_STREAM:
1172 		case SOCK_SEQPACKET:
1173 			if (default_protocol_stream(protocol))
1174 				return SECCLASS_TCP_SOCKET;
1175 			else if (extsockclass && protocol == IPPROTO_SCTP)
1176 				return SECCLASS_SCTP_SOCKET;
1177 			else
1178 				return SECCLASS_RAWIP_SOCKET;
1179 		case SOCK_DGRAM:
1180 			if (default_protocol_dgram(protocol))
1181 				return SECCLASS_UDP_SOCKET;
1182 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1183 						  protocol == IPPROTO_ICMPV6))
1184 				return SECCLASS_ICMP_SOCKET;
1185 			else
1186 				return SECCLASS_RAWIP_SOCKET;
1187 		case SOCK_DCCP:
1188 			return SECCLASS_DCCP_SOCKET;
1189 		default:
1190 			return SECCLASS_RAWIP_SOCKET;
1191 		}
1192 		break;
1193 	case PF_NETLINK:
1194 		switch (protocol) {
1195 		case NETLINK_ROUTE:
1196 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1197 		case NETLINK_SOCK_DIAG:
1198 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1199 		case NETLINK_NFLOG:
1200 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1201 		case NETLINK_XFRM:
1202 			return SECCLASS_NETLINK_XFRM_SOCKET;
1203 		case NETLINK_SELINUX:
1204 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1205 		case NETLINK_ISCSI:
1206 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1207 		case NETLINK_AUDIT:
1208 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1209 		case NETLINK_FIB_LOOKUP:
1210 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1211 		case NETLINK_CONNECTOR:
1212 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1213 		case NETLINK_NETFILTER:
1214 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1215 		case NETLINK_DNRTMSG:
1216 			return SECCLASS_NETLINK_DNRT_SOCKET;
1217 		case NETLINK_KOBJECT_UEVENT:
1218 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1219 		case NETLINK_GENERIC:
1220 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1221 		case NETLINK_SCSITRANSPORT:
1222 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1223 		case NETLINK_RDMA:
1224 			return SECCLASS_NETLINK_RDMA_SOCKET;
1225 		case NETLINK_CRYPTO:
1226 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1227 		default:
1228 			return SECCLASS_NETLINK_SOCKET;
1229 		}
1230 	case PF_PACKET:
1231 		return SECCLASS_PACKET_SOCKET;
1232 	case PF_KEY:
1233 		return SECCLASS_KEY_SOCKET;
1234 	case PF_APPLETALK:
1235 		return SECCLASS_APPLETALK_SOCKET;
1236 	}
1237 
1238 	if (extsockclass) {
1239 		switch (family) {
1240 		case PF_AX25:
1241 			return SECCLASS_AX25_SOCKET;
1242 		case PF_IPX:
1243 			return SECCLASS_IPX_SOCKET;
1244 		case PF_NETROM:
1245 			return SECCLASS_NETROM_SOCKET;
1246 		case PF_ATMPVC:
1247 			return SECCLASS_ATMPVC_SOCKET;
1248 		case PF_X25:
1249 			return SECCLASS_X25_SOCKET;
1250 		case PF_ROSE:
1251 			return SECCLASS_ROSE_SOCKET;
1252 		case PF_DECnet:
1253 			return SECCLASS_DECNET_SOCKET;
1254 		case PF_ATMSVC:
1255 			return SECCLASS_ATMSVC_SOCKET;
1256 		case PF_RDS:
1257 			return SECCLASS_RDS_SOCKET;
1258 		case PF_IRDA:
1259 			return SECCLASS_IRDA_SOCKET;
1260 		case PF_PPPOX:
1261 			return SECCLASS_PPPOX_SOCKET;
1262 		case PF_LLC:
1263 			return SECCLASS_LLC_SOCKET;
1264 		case PF_CAN:
1265 			return SECCLASS_CAN_SOCKET;
1266 		case PF_TIPC:
1267 			return SECCLASS_TIPC_SOCKET;
1268 		case PF_BLUETOOTH:
1269 			return SECCLASS_BLUETOOTH_SOCKET;
1270 		case PF_IUCV:
1271 			return SECCLASS_IUCV_SOCKET;
1272 		case PF_RXRPC:
1273 			return SECCLASS_RXRPC_SOCKET;
1274 		case PF_ISDN:
1275 			return SECCLASS_ISDN_SOCKET;
1276 		case PF_PHONET:
1277 			return SECCLASS_PHONET_SOCKET;
1278 		case PF_IEEE802154:
1279 			return SECCLASS_IEEE802154_SOCKET;
1280 		case PF_CAIF:
1281 			return SECCLASS_CAIF_SOCKET;
1282 		case PF_ALG:
1283 			return SECCLASS_ALG_SOCKET;
1284 		case PF_NFC:
1285 			return SECCLASS_NFC_SOCKET;
1286 		case PF_VSOCK:
1287 			return SECCLASS_VSOCK_SOCKET;
1288 		case PF_KCM:
1289 			return SECCLASS_KCM_SOCKET;
1290 		case PF_QIPCRTR:
1291 			return SECCLASS_QIPCRTR_SOCKET;
1292 		case PF_SMC:
1293 			return SECCLASS_SMC_SOCKET;
1294 		case PF_XDP:
1295 			return SECCLASS_XDP_SOCKET;
1296 		case PF_MCTP:
1297 			return SECCLASS_MCTP_SOCKET;
1298 #if PF_MAX > 46
1299 #error New address family defined, please update this function.
1300 #endif
1301 		}
1302 	}
1303 
1304 	return SECCLASS_SOCKET;
1305 }
1306 
selinux_genfs_get_sid(struct dentry * dentry,u16 tclass,u16 flags,u32 * sid)1307 static int selinux_genfs_get_sid(struct dentry *dentry,
1308 				 u16 tclass,
1309 				 u16 flags,
1310 				 u32 *sid)
1311 {
1312 	int rc;
1313 	struct super_block *sb = dentry->d_sb;
1314 	char *buffer, *path;
1315 
1316 	buffer = (char *)__get_free_page(GFP_KERNEL);
1317 	if (!buffer)
1318 		return -ENOMEM;
1319 
1320 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1321 	if (IS_ERR(path))
1322 		rc = PTR_ERR(path);
1323 	else {
1324 		if (flags & SE_SBPROC) {
1325 			/* each process gets a /proc/PID/ entry. Strip off the
1326 			 * PID part to get a valid selinux labeling.
1327 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1328 			while (path[1] >= '0' && path[1] <= '9') {
1329 				path[1] = '/';
1330 				path++;
1331 			}
1332 		}
1333 		rc = security_genfs_sid(sb->s_type->name,
1334 					path, tclass, sid);
1335 		if (rc == -ENOENT) {
1336 			/* No match in policy, mark as unlabeled. */
1337 			*sid = SECINITSID_UNLABELED;
1338 			rc = 0;
1339 		}
1340 	}
1341 	free_page((unsigned long)buffer);
1342 	return rc;
1343 }
1344 
inode_doinit_use_xattr(struct inode * inode,struct dentry * dentry,u32 def_sid,u32 * sid)1345 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1346 				  u32 def_sid, u32 *sid)
1347 {
1348 #define INITCONTEXTLEN 255
1349 	char *context;
1350 	unsigned int len;
1351 	int rc;
1352 
1353 	len = INITCONTEXTLEN;
1354 	context = kmalloc(len + 1, GFP_NOFS);
1355 	if (!context)
1356 		return -ENOMEM;
1357 
1358 	context[len] = '\0';
1359 	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1360 	if (rc == -ERANGE) {
1361 		kfree(context);
1362 
1363 		/* Need a larger buffer.  Query for the right size. */
1364 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1365 		if (rc < 0)
1366 			return rc;
1367 
1368 		len = rc;
1369 		context = kmalloc(len + 1, GFP_NOFS);
1370 		if (!context)
1371 			return -ENOMEM;
1372 
1373 		context[len] = '\0';
1374 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1375 				    context, len);
1376 	}
1377 	if (rc < 0) {
1378 		kfree(context);
1379 		if (rc != -ENODATA) {
1380 			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1381 				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
1382 			return rc;
1383 		}
1384 		*sid = def_sid;
1385 		return 0;
1386 	}
1387 
1388 	rc = security_context_to_sid_default(context, rc, sid,
1389 					     def_sid, GFP_NOFS);
1390 	if (rc) {
1391 		char *dev = inode->i_sb->s_id;
1392 		unsigned long ino = inode->i_ino;
1393 
1394 		if (rc == -EINVAL) {
1395 			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1396 					      ino, dev, context);
1397 		} else {
1398 			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1399 				__func__, context, -rc, dev, ino);
1400 		}
1401 	}
1402 	kfree(context);
1403 	return 0;
1404 }
1405 
1406 /* The inode's security attributes must be initialized before first use. */
inode_doinit_with_dentry(struct inode * inode,struct dentry * opt_dentry)1407 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1408 {
1409 	struct superblock_security_struct *sbsec = NULL;
1410 	struct inode_security_struct *isec = selinux_inode(inode);
1411 	u32 task_sid, sid = 0;
1412 	u16 sclass;
1413 	struct dentry *dentry;
1414 	int rc = 0;
1415 
1416 	if (isec->initialized == LABEL_INITIALIZED)
1417 		return 0;
1418 
1419 	spin_lock(&isec->lock);
1420 	if (isec->initialized == LABEL_INITIALIZED)
1421 		goto out_unlock;
1422 
1423 	if (isec->sclass == SECCLASS_FILE)
1424 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1425 
1426 	sbsec = selinux_superblock(inode->i_sb);
1427 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1428 		/* Defer initialization until selinux_complete_init,
1429 		   after the initial policy is loaded and the security
1430 		   server is ready to handle calls. */
1431 		spin_lock(&sbsec->isec_lock);
1432 		if (list_empty(&isec->list))
1433 			list_add(&isec->list, &sbsec->isec_head);
1434 		spin_unlock(&sbsec->isec_lock);
1435 		goto out_unlock;
1436 	}
1437 
1438 	sclass = isec->sclass;
1439 	task_sid = isec->task_sid;
1440 	sid = isec->sid;
1441 	isec->initialized = LABEL_PENDING;
1442 	spin_unlock(&isec->lock);
1443 
1444 	switch (sbsec->behavior) {
1445 	/*
1446 	 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels
1447 	 * via xattr when called from delayed_superblock_init().
1448 	 */
1449 	case SECURITY_FS_USE_NATIVE:
1450 	case SECURITY_FS_USE_XATTR:
1451 		if (!(inode->i_opflags & IOP_XATTR)) {
1452 			sid = sbsec->def_sid;
1453 			break;
1454 		}
1455 		/* Need a dentry, since the xattr API requires one.
1456 		   Life would be simpler if we could just pass the inode. */
1457 		if (opt_dentry) {
1458 			/* Called from d_instantiate or d_splice_alias. */
1459 			dentry = dget(opt_dentry);
1460 		} else {
1461 			/*
1462 			 * Called from selinux_complete_init, try to find a dentry.
1463 			 * Some filesystems really want a connected one, so try
1464 			 * that first.  We could split SECURITY_FS_USE_XATTR in
1465 			 * two, depending upon that...
1466 			 */
1467 			dentry = d_find_alias(inode);
1468 			if (!dentry)
1469 				dentry = d_find_any_alias(inode);
1470 		}
1471 		if (!dentry) {
1472 			/*
1473 			 * this is can be hit on boot when a file is accessed
1474 			 * before the policy is loaded.  When we load policy we
1475 			 * may find inodes that have no dentry on the
1476 			 * sbsec->isec_head list.  No reason to complain as these
1477 			 * will get fixed up the next time we go through
1478 			 * inode_doinit with a dentry, before these inodes could
1479 			 * be used again by userspace.
1480 			 */
1481 			goto out_invalid;
1482 		}
1483 
1484 		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1485 					    &sid);
1486 		dput(dentry);
1487 		if (rc)
1488 			goto out;
1489 		break;
1490 	case SECURITY_FS_USE_TASK:
1491 		sid = task_sid;
1492 		break;
1493 	case SECURITY_FS_USE_TRANS:
1494 		/* Default to the fs SID. */
1495 		sid = sbsec->sid;
1496 
1497 		/* Try to obtain a transition SID. */
1498 		rc = security_transition_sid(task_sid, sid,
1499 					     sclass, NULL, &sid);
1500 		if (rc)
1501 			goto out;
1502 		break;
1503 	case SECURITY_FS_USE_MNTPOINT:
1504 		sid = sbsec->mntpoint_sid;
1505 		break;
1506 	default:
1507 		/* Default to the fs superblock SID. */
1508 		sid = sbsec->sid;
1509 
1510 		if ((sbsec->flags & SE_SBGENFS) &&
1511 		     (!S_ISLNK(inode->i_mode) ||
1512 		      selinux_policycap_genfs_seclabel_symlinks())) {
1513 			/* We must have a dentry to determine the label on
1514 			 * procfs inodes */
1515 			if (opt_dentry) {
1516 				/* Called from d_instantiate or
1517 				 * d_splice_alias. */
1518 				dentry = dget(opt_dentry);
1519 			} else {
1520 				/* Called from selinux_complete_init, try to
1521 				 * find a dentry.  Some filesystems really want
1522 				 * a connected one, so try that first.
1523 				 */
1524 				dentry = d_find_alias(inode);
1525 				if (!dentry)
1526 					dentry = d_find_any_alias(inode);
1527 			}
1528 			/*
1529 			 * This can be hit on boot when a file is accessed
1530 			 * before the policy is loaded.  When we load policy we
1531 			 * may find inodes that have no dentry on the
1532 			 * sbsec->isec_head list.  No reason to complain as
1533 			 * these will get fixed up the next time we go through
1534 			 * inode_doinit() with a dentry, before these inodes
1535 			 * could be used again by userspace.
1536 			 */
1537 			if (!dentry)
1538 				goto out_invalid;
1539 			rc = selinux_genfs_get_sid(dentry, sclass,
1540 						   sbsec->flags, &sid);
1541 			if (rc) {
1542 				dput(dentry);
1543 				goto out;
1544 			}
1545 
1546 			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1547 			    (inode->i_opflags & IOP_XATTR)) {
1548 				rc = inode_doinit_use_xattr(inode, dentry,
1549 							    sid, &sid);
1550 				if (rc) {
1551 					dput(dentry);
1552 					goto out;
1553 				}
1554 			}
1555 			dput(dentry);
1556 		}
1557 		break;
1558 	}
1559 
1560 out:
1561 	spin_lock(&isec->lock);
1562 	if (isec->initialized == LABEL_PENDING) {
1563 		if (rc) {
1564 			isec->initialized = LABEL_INVALID;
1565 			goto out_unlock;
1566 		}
1567 		isec->initialized = LABEL_INITIALIZED;
1568 		isec->sid = sid;
1569 	}
1570 
1571 out_unlock:
1572 	spin_unlock(&isec->lock);
1573 	return rc;
1574 
1575 out_invalid:
1576 	spin_lock(&isec->lock);
1577 	if (isec->initialized == LABEL_PENDING) {
1578 		isec->initialized = LABEL_INVALID;
1579 		isec->sid = sid;
1580 	}
1581 	spin_unlock(&isec->lock);
1582 	return 0;
1583 }
1584 
1585 /* Convert a Linux signal to an access vector. */
signal_to_av(int sig)1586 static inline u32 signal_to_av(int sig)
1587 {
1588 	u32 perm = 0;
1589 
1590 	switch (sig) {
1591 	case SIGCHLD:
1592 		/* Commonly granted from child to parent. */
1593 		perm = PROCESS__SIGCHLD;
1594 		break;
1595 	case SIGKILL:
1596 		/* Cannot be caught or ignored */
1597 		perm = PROCESS__SIGKILL;
1598 		break;
1599 	case SIGSTOP:
1600 		/* Cannot be caught or ignored */
1601 		perm = PROCESS__SIGSTOP;
1602 		break;
1603 	default:
1604 		/* All other signals. */
1605 		perm = PROCESS__SIGNAL;
1606 		break;
1607 	}
1608 
1609 	return perm;
1610 }
1611 
1612 #if CAP_LAST_CAP > 63
1613 #error Fix SELinux to handle capabilities > 63.
1614 #endif
1615 
1616 /* Check whether a task is allowed to use a capability. */
cred_has_capability(const struct cred * cred,int cap,unsigned int opts,bool initns)1617 static int cred_has_capability(const struct cred *cred,
1618 			       int cap, unsigned int opts, bool initns)
1619 {
1620 	struct common_audit_data ad;
1621 	struct av_decision avd;
1622 	u16 sclass;
1623 	u32 sid = cred_sid(cred);
1624 	u32 av = CAP_TO_MASK(cap);
1625 	int rc;
1626 
1627 	ad.type = LSM_AUDIT_DATA_CAP;
1628 	ad.u.cap = cap;
1629 
1630 	switch (CAP_TO_INDEX(cap)) {
1631 	case 0:
1632 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1633 		break;
1634 	case 1:
1635 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1636 		break;
1637 	default:
1638 		pr_err("SELinux:  out of range capability %d\n", cap);
1639 		BUG();
1640 		return -EINVAL;
1641 	}
1642 
1643 	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1644 	if (!(opts & CAP_OPT_NOAUDIT)) {
1645 		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1646 		if (rc2)
1647 			return rc2;
1648 	}
1649 	return rc;
1650 }
1651 
1652 /* Check whether a task has a particular permission to an inode.
1653    The 'adp' parameter is optional and allows other audit
1654    data to be passed (e.g. the dentry). */
inode_has_perm(const struct cred * cred,struct inode * inode,u32 perms,struct common_audit_data * adp)1655 static int inode_has_perm(const struct cred *cred,
1656 			  struct inode *inode,
1657 			  u32 perms,
1658 			  struct common_audit_data *adp)
1659 {
1660 	struct inode_security_struct *isec;
1661 	u32 sid;
1662 
1663 	if (unlikely(IS_PRIVATE(inode)))
1664 		return 0;
1665 
1666 	sid = cred_sid(cred);
1667 	isec = selinux_inode(inode);
1668 
1669 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1670 }
1671 
1672 /* Same as inode_has_perm, but pass explicit audit data containing
1673    the dentry to help the auditing code to more easily generate the
1674    pathname if needed. */
dentry_has_perm(const struct cred * cred,struct dentry * dentry,u32 av)1675 static inline int dentry_has_perm(const struct cred *cred,
1676 				  struct dentry *dentry,
1677 				  u32 av)
1678 {
1679 	struct inode *inode = d_backing_inode(dentry);
1680 	struct common_audit_data ad;
1681 
1682 	ad.type = LSM_AUDIT_DATA_DENTRY;
1683 	ad.u.dentry = dentry;
1684 	__inode_security_revalidate(inode, dentry, true);
1685 	return inode_has_perm(cred, inode, av, &ad);
1686 }
1687 
1688 /* Same as inode_has_perm, but pass explicit audit data containing
1689    the path to help the auditing code to more easily generate the
1690    pathname if needed. */
path_has_perm(const struct cred * cred,const struct path * path,u32 av)1691 static inline int path_has_perm(const struct cred *cred,
1692 				const struct path *path,
1693 				u32 av)
1694 {
1695 	struct inode *inode = d_backing_inode(path->dentry);
1696 	struct common_audit_data ad;
1697 
1698 	ad.type = LSM_AUDIT_DATA_PATH;
1699 	ad.u.path = *path;
1700 	__inode_security_revalidate(inode, path->dentry, true);
1701 	return inode_has_perm(cred, inode, av, &ad);
1702 }
1703 
1704 /* Same as path_has_perm, but uses the inode from the file struct. */
file_path_has_perm(const struct cred * cred,struct file * file,u32 av)1705 static inline int file_path_has_perm(const struct cred *cred,
1706 				     struct file *file,
1707 				     u32 av)
1708 {
1709 	struct common_audit_data ad;
1710 
1711 	ad.type = LSM_AUDIT_DATA_FILE;
1712 	ad.u.file = file;
1713 	return inode_has_perm(cred, file_inode(file), av, &ad);
1714 }
1715 
1716 #ifdef CONFIG_BPF_SYSCALL
1717 static int bpf_fd_pass(const struct file *file, u32 sid);
1718 #endif
1719 
1720 /* Check whether a task can use an open file descriptor to
1721    access an inode in a given way.  Check access to the
1722    descriptor itself, and then use dentry_has_perm to
1723    check a particular permission to the file.
1724    Access to the descriptor is implicitly granted if it
1725    has the same SID as the process.  If av is zero, then
1726    access to the file is not checked, e.g. for cases
1727    where only the descriptor is affected like seek. */
file_has_perm(const struct cred * cred,struct file * file,u32 av)1728 static int file_has_perm(const struct cred *cred,
1729 			 struct file *file,
1730 			 u32 av)
1731 {
1732 	struct file_security_struct *fsec = selinux_file(file);
1733 	struct inode *inode = file_inode(file);
1734 	struct common_audit_data ad;
1735 	u32 sid = cred_sid(cred);
1736 	int rc;
1737 
1738 	ad.type = LSM_AUDIT_DATA_FILE;
1739 	ad.u.file = file;
1740 
1741 	if (sid != fsec->sid) {
1742 		rc = avc_has_perm(sid, fsec->sid,
1743 				  SECCLASS_FD,
1744 				  FD__USE,
1745 				  &ad);
1746 		if (rc)
1747 			goto out;
1748 	}
1749 
1750 #ifdef CONFIG_BPF_SYSCALL
1751 	rc = bpf_fd_pass(file, cred_sid(cred));
1752 	if (rc)
1753 		return rc;
1754 #endif
1755 
1756 	/* av is zero if only checking access to the descriptor. */
1757 	rc = 0;
1758 	if (av)
1759 		rc = inode_has_perm(cred, inode, av, &ad);
1760 
1761 out:
1762 	return rc;
1763 }
1764 
1765 /*
1766  * Determine the label for an inode that might be unioned.
1767  */
1768 static int
selinux_determine_inode_label(const struct task_security_struct * tsec,struct inode * dir,const struct qstr * name,u16 tclass,u32 * _new_isid)1769 selinux_determine_inode_label(const struct task_security_struct *tsec,
1770 				 struct inode *dir,
1771 				 const struct qstr *name, u16 tclass,
1772 				 u32 *_new_isid)
1773 {
1774 	const struct superblock_security_struct *sbsec =
1775 						selinux_superblock(dir->i_sb);
1776 
1777 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1778 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1779 		*_new_isid = sbsec->mntpoint_sid;
1780 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1781 		   tsec->create_sid) {
1782 		*_new_isid = tsec->create_sid;
1783 	} else {
1784 		const struct inode_security_struct *dsec = inode_security(dir);
1785 		return security_transition_sid(tsec->sid,
1786 					       dsec->sid, tclass,
1787 					       name, _new_isid);
1788 	}
1789 
1790 	return 0;
1791 }
1792 
1793 /* Check whether a task can create a file. */
may_create(struct inode * dir,struct dentry * dentry,u16 tclass)1794 static int may_create(struct inode *dir,
1795 		      struct dentry *dentry,
1796 		      u16 tclass)
1797 {
1798 	const struct task_security_struct *tsec = selinux_cred(current_cred());
1799 	struct inode_security_struct *dsec;
1800 	struct superblock_security_struct *sbsec;
1801 	u32 sid, newsid;
1802 	struct common_audit_data ad;
1803 	int rc;
1804 
1805 	dsec = inode_security(dir);
1806 	sbsec = selinux_superblock(dir->i_sb);
1807 
1808 	sid = tsec->sid;
1809 
1810 	ad.type = LSM_AUDIT_DATA_DENTRY;
1811 	ad.u.dentry = dentry;
1812 
1813 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1814 			  DIR__ADD_NAME | DIR__SEARCH,
1815 			  &ad);
1816 	if (rc)
1817 		return rc;
1818 
1819 	rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1820 					   &newsid);
1821 	if (rc)
1822 		return rc;
1823 
1824 	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1825 	if (rc)
1826 		return rc;
1827 
1828 	return avc_has_perm(newsid, sbsec->sid,
1829 			    SECCLASS_FILESYSTEM,
1830 			    FILESYSTEM__ASSOCIATE, &ad);
1831 }
1832 
1833 #define MAY_LINK	0
1834 #define MAY_UNLINK	1
1835 #define MAY_RMDIR	2
1836 
1837 /* Check whether a task can link, unlink, or rmdir a file/directory. */
may_link(struct inode * dir,struct dentry * dentry,int kind)1838 static int may_link(struct inode *dir,
1839 		    struct dentry *dentry,
1840 		    int kind)
1841 
1842 {
1843 	struct inode_security_struct *dsec, *isec;
1844 	struct common_audit_data ad;
1845 	u32 sid = current_sid();
1846 	u32 av;
1847 	int rc;
1848 
1849 	dsec = inode_security(dir);
1850 	isec = backing_inode_security(dentry);
1851 
1852 	ad.type = LSM_AUDIT_DATA_DENTRY;
1853 	ad.u.dentry = dentry;
1854 
1855 	av = DIR__SEARCH;
1856 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1857 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1858 	if (rc)
1859 		return rc;
1860 
1861 	switch (kind) {
1862 	case MAY_LINK:
1863 		av = FILE__LINK;
1864 		break;
1865 	case MAY_UNLINK:
1866 		av = FILE__UNLINK;
1867 		break;
1868 	case MAY_RMDIR:
1869 		av = DIR__RMDIR;
1870 		break;
1871 	default:
1872 		pr_warn("SELinux: %s:  unrecognized kind %d\n",
1873 			__func__, kind);
1874 		return 0;
1875 	}
1876 
1877 	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1878 	return rc;
1879 }
1880 
may_rename(struct inode * old_dir,struct dentry * old_dentry,struct inode * new_dir,struct dentry * new_dentry)1881 static inline int may_rename(struct inode *old_dir,
1882 			     struct dentry *old_dentry,
1883 			     struct inode *new_dir,
1884 			     struct dentry *new_dentry)
1885 {
1886 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1887 	struct common_audit_data ad;
1888 	u32 sid = current_sid();
1889 	u32 av;
1890 	int old_is_dir, new_is_dir;
1891 	int rc;
1892 
1893 	old_dsec = inode_security(old_dir);
1894 	old_isec = backing_inode_security(old_dentry);
1895 	old_is_dir = d_is_dir(old_dentry);
1896 	new_dsec = inode_security(new_dir);
1897 
1898 	ad.type = LSM_AUDIT_DATA_DENTRY;
1899 
1900 	ad.u.dentry = old_dentry;
1901 	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1902 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1903 	if (rc)
1904 		return rc;
1905 	rc = avc_has_perm(sid, old_isec->sid,
1906 			  old_isec->sclass, FILE__RENAME, &ad);
1907 	if (rc)
1908 		return rc;
1909 	if (old_is_dir && new_dir != old_dir) {
1910 		rc = avc_has_perm(sid, old_isec->sid,
1911 				  old_isec->sclass, DIR__REPARENT, &ad);
1912 		if (rc)
1913 			return rc;
1914 	}
1915 
1916 	ad.u.dentry = new_dentry;
1917 	av = DIR__ADD_NAME | DIR__SEARCH;
1918 	if (d_is_positive(new_dentry))
1919 		av |= DIR__REMOVE_NAME;
1920 	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1921 	if (rc)
1922 		return rc;
1923 	if (d_is_positive(new_dentry)) {
1924 		new_isec = backing_inode_security(new_dentry);
1925 		new_is_dir = d_is_dir(new_dentry);
1926 		rc = avc_has_perm(sid, new_isec->sid,
1927 				  new_isec->sclass,
1928 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1929 		if (rc)
1930 			return rc;
1931 	}
1932 
1933 	return 0;
1934 }
1935 
1936 /* Check whether a task can perform a filesystem operation. */
superblock_has_perm(const struct cred * cred,struct super_block * sb,u32 perms,struct common_audit_data * ad)1937 static int superblock_has_perm(const struct cred *cred,
1938 			       struct super_block *sb,
1939 			       u32 perms,
1940 			       struct common_audit_data *ad)
1941 {
1942 	struct superblock_security_struct *sbsec;
1943 	u32 sid = cred_sid(cred);
1944 
1945 	sbsec = selinux_superblock(sb);
1946 	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1947 }
1948 
1949 /* Convert a Linux mode and permission mask to an access vector. */
file_mask_to_av(int mode,int mask)1950 static inline u32 file_mask_to_av(int mode, int mask)
1951 {
1952 	u32 av = 0;
1953 
1954 	if (!S_ISDIR(mode)) {
1955 		if (mask & MAY_EXEC)
1956 			av |= FILE__EXECUTE;
1957 		if (mask & MAY_READ)
1958 			av |= FILE__READ;
1959 
1960 		if (mask & MAY_APPEND)
1961 			av |= FILE__APPEND;
1962 		else if (mask & MAY_WRITE)
1963 			av |= FILE__WRITE;
1964 
1965 	} else {
1966 		if (mask & MAY_EXEC)
1967 			av |= DIR__SEARCH;
1968 		if (mask & MAY_WRITE)
1969 			av |= DIR__WRITE;
1970 		if (mask & MAY_READ)
1971 			av |= DIR__READ;
1972 	}
1973 
1974 	return av;
1975 }
1976 
1977 /* Convert a Linux file to an access vector. */
file_to_av(const struct file * file)1978 static inline u32 file_to_av(const struct file *file)
1979 {
1980 	u32 av = 0;
1981 
1982 	if (file->f_mode & FMODE_READ)
1983 		av |= FILE__READ;
1984 	if (file->f_mode & FMODE_WRITE) {
1985 		if (file->f_flags & O_APPEND)
1986 			av |= FILE__APPEND;
1987 		else
1988 			av |= FILE__WRITE;
1989 	}
1990 	if (!av) {
1991 		/*
1992 		 * Special file opened with flags 3 for ioctl-only use.
1993 		 */
1994 		av = FILE__IOCTL;
1995 	}
1996 
1997 	return av;
1998 }
1999 
2000 /*
2001  * Convert a file to an access vector and include the correct
2002  * open permission.
2003  */
open_file_to_av(struct file * file)2004 static inline u32 open_file_to_av(struct file *file)
2005 {
2006 	u32 av = file_to_av(file);
2007 	struct inode *inode = file_inode(file);
2008 
2009 	if (selinux_policycap_openperm() &&
2010 	    inode->i_sb->s_magic != SOCKFS_MAGIC)
2011 		av |= FILE__OPEN;
2012 
2013 	return av;
2014 }
2015 
2016 /* Hook functions begin here. */
2017 
selinux_binder_set_context_mgr(const struct cred * mgr)2018 static int selinux_binder_set_context_mgr(const struct cred *mgr)
2019 {
2020 	return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2021 			    BINDER__SET_CONTEXT_MGR, NULL);
2022 }
2023 
selinux_binder_transaction(const struct cred * from,const struct cred * to)2024 static int selinux_binder_transaction(const struct cred *from,
2025 				      const struct cred *to)
2026 {
2027 	u32 mysid = current_sid();
2028 	u32 fromsid = cred_sid(from);
2029 	u32 tosid = cred_sid(to);
2030 	int rc;
2031 
2032 	if (mysid != fromsid) {
2033 		rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2034 				  BINDER__IMPERSONATE, NULL);
2035 		if (rc)
2036 			return rc;
2037 	}
2038 
2039 	return avc_has_perm(fromsid, tosid,
2040 			    SECCLASS_BINDER, BINDER__CALL, NULL);
2041 }
2042 
selinux_binder_transfer_binder(const struct cred * from,const struct cred * to)2043 static int selinux_binder_transfer_binder(const struct cred *from,
2044 					  const struct cred *to)
2045 {
2046 	return avc_has_perm(cred_sid(from), cred_sid(to),
2047 			    SECCLASS_BINDER, BINDER__TRANSFER,
2048 			    NULL);
2049 }
2050 
selinux_binder_transfer_file(const struct cred * from,const struct cred * to,const struct file * file)2051 static int selinux_binder_transfer_file(const struct cred *from,
2052 					const struct cred *to,
2053 					const struct file *file)
2054 {
2055 	u32 sid = cred_sid(to);
2056 	struct file_security_struct *fsec = selinux_file(file);
2057 	struct dentry *dentry = file->f_path.dentry;
2058 	struct inode_security_struct *isec;
2059 	struct common_audit_data ad;
2060 	int rc;
2061 
2062 	ad.type = LSM_AUDIT_DATA_PATH;
2063 	ad.u.path = file->f_path;
2064 
2065 	if (sid != fsec->sid) {
2066 		rc = avc_has_perm(sid, fsec->sid,
2067 				  SECCLASS_FD,
2068 				  FD__USE,
2069 				  &ad);
2070 		if (rc)
2071 			return rc;
2072 	}
2073 
2074 #ifdef CONFIG_BPF_SYSCALL
2075 	rc = bpf_fd_pass(file, sid);
2076 	if (rc)
2077 		return rc;
2078 #endif
2079 
2080 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2081 		return 0;
2082 
2083 	isec = backing_inode_security(dentry);
2084 	return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2085 			    &ad);
2086 }
2087 
selinux_ptrace_access_check(struct task_struct * child,unsigned int mode)2088 static int selinux_ptrace_access_check(struct task_struct *child,
2089 				       unsigned int mode)
2090 {
2091 	u32 sid = current_sid();
2092 	u32 csid = task_sid_obj(child);
2093 
2094 	if (mode & PTRACE_MODE_READ)
2095 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ,
2096 				NULL);
2097 
2098 	return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE,
2099 			NULL);
2100 }
2101 
selinux_ptrace_traceme(struct task_struct * parent)2102 static int selinux_ptrace_traceme(struct task_struct *parent)
2103 {
2104 	return avc_has_perm(task_sid_obj(parent), task_sid_obj(current),
2105 			    SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2106 }
2107 
selinux_capget(const struct task_struct * target,kernel_cap_t * effective,kernel_cap_t * inheritable,kernel_cap_t * permitted)2108 static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective,
2109 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2110 {
2111 	return avc_has_perm(current_sid(), task_sid_obj(target),
2112 			SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
2113 }
2114 
selinux_capset(struct cred * new,const struct cred * old,const kernel_cap_t * effective,const kernel_cap_t * inheritable,const kernel_cap_t * permitted)2115 static int selinux_capset(struct cred *new, const struct cred *old,
2116 			  const kernel_cap_t *effective,
2117 			  const kernel_cap_t *inheritable,
2118 			  const kernel_cap_t *permitted)
2119 {
2120 	return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2121 			    PROCESS__SETCAP, NULL);
2122 }
2123 
2124 /*
2125  * (This comment used to live with the selinux_task_setuid hook,
2126  * which was removed).
2127  *
2128  * Since setuid only affects the current process, and since the SELinux
2129  * controls are not based on the Linux identity attributes, SELinux does not
2130  * need to control this operation.  However, SELinux does control the use of
2131  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2132  */
2133 
selinux_capable(const struct cred * cred,struct user_namespace * ns,int cap,unsigned int opts)2134 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2135 			   int cap, unsigned int opts)
2136 {
2137 	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2138 }
2139 
selinux_quotactl(int cmds,int type,int id,struct super_block * sb)2140 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2141 {
2142 	const struct cred *cred = current_cred();
2143 	int rc = 0;
2144 
2145 	if (!sb)
2146 		return 0;
2147 
2148 	switch (cmds) {
2149 	case Q_SYNC:
2150 	case Q_QUOTAON:
2151 	case Q_QUOTAOFF:
2152 	case Q_SETINFO:
2153 	case Q_SETQUOTA:
2154 	case Q_XQUOTAOFF:
2155 	case Q_XQUOTAON:
2156 	case Q_XSETQLIM:
2157 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2158 		break;
2159 	case Q_GETFMT:
2160 	case Q_GETINFO:
2161 	case Q_GETQUOTA:
2162 	case Q_XGETQUOTA:
2163 	case Q_XGETQSTAT:
2164 	case Q_XGETQSTATV:
2165 	case Q_XGETNEXTQUOTA:
2166 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2167 		break;
2168 	default:
2169 		rc = 0;  /* let the kernel handle invalid cmds */
2170 		break;
2171 	}
2172 	return rc;
2173 }
2174 
selinux_quota_on(struct dentry * dentry)2175 static int selinux_quota_on(struct dentry *dentry)
2176 {
2177 	const struct cred *cred = current_cred();
2178 
2179 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2180 }
2181 
selinux_syslog(int type)2182 static int selinux_syslog(int type)
2183 {
2184 	switch (type) {
2185 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2186 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2187 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2188 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2189 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2190 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2191 	/* Set level of messages printed to console */
2192 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2193 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2194 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2195 				    NULL);
2196 	}
2197 	/* All other syslog types */
2198 	return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2199 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2200 }
2201 
2202 /*
2203  * Check that a process has enough memory to allocate a new virtual
2204  * mapping. 0 means there is enough memory for the allocation to
2205  * succeed and -ENOMEM implies there is not.
2206  *
2207  * Do not audit the selinux permission check, as this is applied to all
2208  * processes that allocate mappings.
2209  */
selinux_vm_enough_memory(struct mm_struct * mm,long pages)2210 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2211 {
2212 	int rc, cap_sys_admin = 0;
2213 
2214 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2215 				 CAP_OPT_NOAUDIT, true);
2216 	if (rc == 0)
2217 		cap_sys_admin = 1;
2218 
2219 	return cap_sys_admin;
2220 }
2221 
2222 /* binprm security operations */
2223 
ptrace_parent_sid(void)2224 static u32 ptrace_parent_sid(void)
2225 {
2226 	u32 sid = 0;
2227 	struct task_struct *tracer;
2228 
2229 	rcu_read_lock();
2230 	tracer = ptrace_parent(current);
2231 	if (tracer)
2232 		sid = task_sid_obj(tracer);
2233 	rcu_read_unlock();
2234 
2235 	return sid;
2236 }
2237 
check_nnp_nosuid(const struct linux_binprm * bprm,const struct task_security_struct * old_tsec,const struct task_security_struct * new_tsec)2238 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2239 			    const struct task_security_struct *old_tsec,
2240 			    const struct task_security_struct *new_tsec)
2241 {
2242 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2243 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2244 	int rc;
2245 	u32 av;
2246 
2247 	if (!nnp && !nosuid)
2248 		return 0; /* neither NNP nor nosuid */
2249 
2250 	if (new_tsec->sid == old_tsec->sid)
2251 		return 0; /* No change in credentials */
2252 
2253 	/*
2254 	 * If the policy enables the nnp_nosuid_transition policy capability,
2255 	 * then we permit transitions under NNP or nosuid if the
2256 	 * policy allows the corresponding permission between
2257 	 * the old and new contexts.
2258 	 */
2259 	if (selinux_policycap_nnp_nosuid_transition()) {
2260 		av = 0;
2261 		if (nnp)
2262 			av |= PROCESS2__NNP_TRANSITION;
2263 		if (nosuid)
2264 			av |= PROCESS2__NOSUID_TRANSITION;
2265 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2266 				  SECCLASS_PROCESS2, av, NULL);
2267 		if (!rc)
2268 			return 0;
2269 	}
2270 
2271 	/*
2272 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2273 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2274 	 * of the permissions of the current SID.
2275 	 */
2276 	rc = security_bounded_transition(old_tsec->sid,
2277 					 new_tsec->sid);
2278 	if (!rc)
2279 		return 0;
2280 
2281 	/*
2282 	 * On failure, preserve the errno values for NNP vs nosuid.
2283 	 * NNP:  Operation not permitted for caller.
2284 	 * nosuid:  Permission denied to file.
2285 	 */
2286 	if (nnp)
2287 		return -EPERM;
2288 	return -EACCES;
2289 }
2290 
selinux_bprm_creds_for_exec(struct linux_binprm * bprm)2291 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2292 {
2293 	const struct task_security_struct *old_tsec;
2294 	struct task_security_struct *new_tsec;
2295 	struct inode_security_struct *isec;
2296 	struct common_audit_data ad;
2297 	struct inode *inode = file_inode(bprm->file);
2298 	int rc;
2299 
2300 	/* SELinux context only depends on initial program or script and not
2301 	 * the script interpreter */
2302 
2303 	old_tsec = selinux_cred(current_cred());
2304 	new_tsec = selinux_cred(bprm->cred);
2305 	isec = inode_security(inode);
2306 
2307 	/* Default to the current task SID. */
2308 	new_tsec->sid = old_tsec->sid;
2309 	new_tsec->osid = old_tsec->sid;
2310 
2311 	/* Reset fs, key, and sock SIDs on execve. */
2312 	new_tsec->create_sid = 0;
2313 	new_tsec->keycreate_sid = 0;
2314 	new_tsec->sockcreate_sid = 0;
2315 
2316 	if (old_tsec->exec_sid) {
2317 		new_tsec->sid = old_tsec->exec_sid;
2318 		/* Reset exec SID on execve. */
2319 		new_tsec->exec_sid = 0;
2320 
2321 		/* Fail on NNP or nosuid if not an allowed transition. */
2322 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2323 		if (rc)
2324 			return rc;
2325 	} else {
2326 		/* Check for a default transition on this program. */
2327 		rc = security_transition_sid(old_tsec->sid,
2328 					     isec->sid, SECCLASS_PROCESS, NULL,
2329 					     &new_tsec->sid);
2330 		if (rc)
2331 			return rc;
2332 
2333 		/*
2334 		 * Fallback to old SID on NNP or nosuid if not an allowed
2335 		 * transition.
2336 		 */
2337 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2338 		if (rc)
2339 			new_tsec->sid = old_tsec->sid;
2340 	}
2341 
2342 	ad.type = LSM_AUDIT_DATA_FILE;
2343 	ad.u.file = bprm->file;
2344 
2345 	if (new_tsec->sid == old_tsec->sid) {
2346 		rc = avc_has_perm(old_tsec->sid, isec->sid,
2347 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2348 		if (rc)
2349 			return rc;
2350 	} else {
2351 		/* Check permissions for the transition. */
2352 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2353 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2354 		if (rc)
2355 			return rc;
2356 
2357 		rc = avc_has_perm(new_tsec->sid, isec->sid,
2358 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2359 		if (rc)
2360 			return rc;
2361 
2362 		/* Check for shared state */
2363 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2364 			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2365 					  SECCLASS_PROCESS, PROCESS__SHARE,
2366 					  NULL);
2367 			if (rc)
2368 				return -EPERM;
2369 		}
2370 
2371 		/* Make sure that anyone attempting to ptrace over a task that
2372 		 * changes its SID has the appropriate permit */
2373 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2374 			u32 ptsid = ptrace_parent_sid();
2375 			if (ptsid != 0) {
2376 				rc = avc_has_perm(ptsid, new_tsec->sid,
2377 						  SECCLASS_PROCESS,
2378 						  PROCESS__PTRACE, NULL);
2379 				if (rc)
2380 					return -EPERM;
2381 			}
2382 		}
2383 
2384 		/* Clear any possibly unsafe personality bits on exec: */
2385 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2386 
2387 		/* Enable secure mode for SIDs transitions unless
2388 		   the noatsecure permission is granted between
2389 		   the two SIDs, i.e. ahp returns 0. */
2390 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2391 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2392 				  NULL);
2393 		bprm->secureexec |= !!rc;
2394 	}
2395 
2396 	return 0;
2397 }
2398 
match_file(const void * p,struct file * file,unsigned fd)2399 static int match_file(const void *p, struct file *file, unsigned fd)
2400 {
2401 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2402 }
2403 
2404 /* Derived from fs/exec.c:flush_old_files. */
flush_unauthorized_files(const struct cred * cred,struct files_struct * files)2405 static inline void flush_unauthorized_files(const struct cred *cred,
2406 					    struct files_struct *files)
2407 {
2408 	struct file *file, *devnull = NULL;
2409 	struct tty_struct *tty;
2410 	int drop_tty = 0;
2411 	unsigned n;
2412 
2413 	tty = get_current_tty();
2414 	if (tty) {
2415 		spin_lock(&tty->files_lock);
2416 		if (!list_empty(&tty->tty_files)) {
2417 			struct tty_file_private *file_priv;
2418 
2419 			/* Revalidate access to controlling tty.
2420 			   Use file_path_has_perm on the tty path directly
2421 			   rather than using file_has_perm, as this particular
2422 			   open file may belong to another process and we are
2423 			   only interested in the inode-based check here. */
2424 			file_priv = list_first_entry(&tty->tty_files,
2425 						struct tty_file_private, list);
2426 			file = file_priv->file;
2427 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2428 				drop_tty = 1;
2429 		}
2430 		spin_unlock(&tty->files_lock);
2431 		tty_kref_put(tty);
2432 	}
2433 	/* Reset controlling tty. */
2434 	if (drop_tty)
2435 		no_tty();
2436 
2437 	/* Revalidate access to inherited open files. */
2438 	n = iterate_fd(files, 0, match_file, cred);
2439 	if (!n) /* none found? */
2440 		return;
2441 
2442 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2443 	if (IS_ERR(devnull))
2444 		devnull = NULL;
2445 	/* replace all the matching ones with this */
2446 	do {
2447 		replace_fd(n - 1, devnull, 0);
2448 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2449 	if (devnull)
2450 		fput(devnull);
2451 }
2452 
2453 /*
2454  * Prepare a process for imminent new credential changes due to exec
2455  */
selinux_bprm_committing_creds(struct linux_binprm * bprm)2456 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2457 {
2458 	struct task_security_struct *new_tsec;
2459 	struct rlimit *rlim, *initrlim;
2460 	int rc, i;
2461 
2462 	new_tsec = selinux_cred(bprm->cred);
2463 	if (new_tsec->sid == new_tsec->osid)
2464 		return;
2465 
2466 	/* Close files for which the new task SID is not authorized. */
2467 	flush_unauthorized_files(bprm->cred, current->files);
2468 
2469 	/* Always clear parent death signal on SID transitions. */
2470 	current->pdeath_signal = 0;
2471 
2472 	/* Check whether the new SID can inherit resource limits from the old
2473 	 * SID.  If not, reset all soft limits to the lower of the current
2474 	 * task's hard limit and the init task's soft limit.
2475 	 *
2476 	 * Note that the setting of hard limits (even to lower them) can be
2477 	 * controlled by the setrlimit check.  The inclusion of the init task's
2478 	 * soft limit into the computation is to avoid resetting soft limits
2479 	 * higher than the default soft limit for cases where the default is
2480 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2481 	 */
2482 	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2483 			  PROCESS__RLIMITINH, NULL);
2484 	if (rc) {
2485 		/* protect against do_prlimit() */
2486 		task_lock(current);
2487 		for (i = 0; i < RLIM_NLIMITS; i++) {
2488 			rlim = current->signal->rlim + i;
2489 			initrlim = init_task.signal->rlim + i;
2490 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2491 		}
2492 		task_unlock(current);
2493 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2494 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2495 	}
2496 }
2497 
2498 /*
2499  * Clean up the process immediately after the installation of new credentials
2500  * due to exec
2501  */
selinux_bprm_committed_creds(struct linux_binprm * bprm)2502 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2503 {
2504 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2505 	u32 osid, sid;
2506 	int rc;
2507 
2508 	osid = tsec->osid;
2509 	sid = tsec->sid;
2510 
2511 	if (sid == osid)
2512 		return;
2513 
2514 	/* Check whether the new SID can inherit signal state from the old SID.
2515 	 * If not, clear itimers to avoid subsequent signal generation and
2516 	 * flush and unblock signals.
2517 	 *
2518 	 * This must occur _after_ the task SID has been updated so that any
2519 	 * kill done after the flush will be checked against the new SID.
2520 	 */
2521 	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2522 	if (rc) {
2523 		clear_itimer();
2524 
2525 		spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
2526 		if (!fatal_signal_pending(current)) {
2527 			flush_sigqueue(&current->pending);
2528 			flush_sigqueue(&current->signal->shared_pending);
2529 			flush_signal_handlers(current, 1);
2530 			sigemptyset(&current->blocked);
2531 			recalc_sigpending();
2532 		}
2533 		spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
2534 	}
2535 
2536 	/* Wake up the parent if it is waiting so that it can recheck
2537 	 * wait permission to the new task SID. */
2538 	read_lock(&tasklist_lock);
2539 	__wake_up_parent(current, unrcu_pointer(current->real_parent));
2540 	read_unlock(&tasklist_lock);
2541 }
2542 
2543 /* superblock security operations */
2544 
selinux_sb_alloc_security(struct super_block * sb)2545 static int selinux_sb_alloc_security(struct super_block *sb)
2546 {
2547 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2548 
2549 	mutex_init(&sbsec->lock);
2550 	INIT_LIST_HEAD(&sbsec->isec_head);
2551 	spin_lock_init(&sbsec->isec_lock);
2552 	sbsec->sid = SECINITSID_UNLABELED;
2553 	sbsec->def_sid = SECINITSID_FILE;
2554 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2555 
2556 	return 0;
2557 }
2558 
opt_len(const char * s)2559 static inline int opt_len(const char *s)
2560 {
2561 	bool open_quote = false;
2562 	int len;
2563 	char c;
2564 
2565 	for (len = 0; (c = s[len]) != '\0'; len++) {
2566 		if (c == '"')
2567 			open_quote = !open_quote;
2568 		if (c == ',' && !open_quote)
2569 			break;
2570 	}
2571 	return len;
2572 }
2573 
selinux_sb_eat_lsm_opts(char * options,void ** mnt_opts)2574 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2575 {
2576 	char *from = options;
2577 	char *to = options;
2578 	bool first = true;
2579 	int rc;
2580 
2581 	while (1) {
2582 		int len = opt_len(from);
2583 		int token;
2584 		char *arg = NULL;
2585 
2586 		token = match_opt_prefix(from, len, &arg);
2587 
2588 		if (token != Opt_error) {
2589 			char *p, *q;
2590 
2591 			/* strip quotes */
2592 			if (arg) {
2593 				for (p = q = arg; p < from + len; p++) {
2594 					char c = *p;
2595 					if (c != '"')
2596 						*q++ = c;
2597 				}
2598 				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2599 				if (!arg) {
2600 					rc = -ENOMEM;
2601 					goto free_opt;
2602 				}
2603 			}
2604 			rc = selinux_add_opt(token, arg, mnt_opts);
2605 			kfree(arg);
2606 			arg = NULL;
2607 			if (unlikely(rc)) {
2608 				goto free_opt;
2609 			}
2610 		} else {
2611 			if (!first) {	// copy with preceding comma
2612 				from--;
2613 				len++;
2614 			}
2615 			if (to != from)
2616 				memmove(to, from, len);
2617 			to += len;
2618 			first = false;
2619 		}
2620 		if (!from[len])
2621 			break;
2622 		from += len + 1;
2623 	}
2624 	*to = '\0';
2625 	return 0;
2626 
2627 free_opt:
2628 	if (*mnt_opts) {
2629 		selinux_free_mnt_opts(*mnt_opts);
2630 		*mnt_opts = NULL;
2631 	}
2632 	return rc;
2633 }
2634 
selinux_sb_mnt_opts_compat(struct super_block * sb,void * mnt_opts)2635 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2636 {
2637 	struct selinux_mnt_opts *opts = mnt_opts;
2638 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2639 
2640 	/*
2641 	 * Superblock not initialized (i.e. no options) - reject if any
2642 	 * options specified, otherwise accept.
2643 	 */
2644 	if (!(sbsec->flags & SE_SBINITIALIZED))
2645 		return opts ? 1 : 0;
2646 
2647 	/*
2648 	 * Superblock initialized and no options specified - reject if
2649 	 * superblock has any options set, otherwise accept.
2650 	 */
2651 	if (!opts)
2652 		return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2653 
2654 	if (opts->fscontext_sid) {
2655 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2656 			       opts->fscontext_sid))
2657 			return 1;
2658 	}
2659 	if (opts->context_sid) {
2660 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2661 			       opts->context_sid))
2662 			return 1;
2663 	}
2664 	if (opts->rootcontext_sid) {
2665 		struct inode_security_struct *root_isec;
2666 
2667 		root_isec = backing_inode_security(sb->s_root);
2668 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2669 			       opts->rootcontext_sid))
2670 			return 1;
2671 	}
2672 	if (opts->defcontext_sid) {
2673 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2674 			       opts->defcontext_sid))
2675 			return 1;
2676 	}
2677 	return 0;
2678 }
2679 
selinux_sb_remount(struct super_block * sb,void * mnt_opts)2680 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2681 {
2682 	struct selinux_mnt_opts *opts = mnt_opts;
2683 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2684 
2685 	if (!(sbsec->flags & SE_SBINITIALIZED))
2686 		return 0;
2687 
2688 	if (!opts)
2689 		return 0;
2690 
2691 	if (opts->fscontext_sid) {
2692 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2693 			       opts->fscontext_sid))
2694 			goto out_bad_option;
2695 	}
2696 	if (opts->context_sid) {
2697 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2698 			       opts->context_sid))
2699 			goto out_bad_option;
2700 	}
2701 	if (opts->rootcontext_sid) {
2702 		struct inode_security_struct *root_isec;
2703 		root_isec = backing_inode_security(sb->s_root);
2704 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2705 			       opts->rootcontext_sid))
2706 			goto out_bad_option;
2707 	}
2708 	if (opts->defcontext_sid) {
2709 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2710 			       opts->defcontext_sid))
2711 			goto out_bad_option;
2712 	}
2713 	return 0;
2714 
2715 out_bad_option:
2716 	pr_warn("SELinux: unable to change security options "
2717 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2718 	       sb->s_type->name);
2719 	return -EINVAL;
2720 }
2721 
selinux_sb_kern_mount(struct super_block * sb)2722 static int selinux_sb_kern_mount(struct super_block *sb)
2723 {
2724 	const struct cred *cred = current_cred();
2725 	struct common_audit_data ad;
2726 
2727 	ad.type = LSM_AUDIT_DATA_DENTRY;
2728 	ad.u.dentry = sb->s_root;
2729 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2730 }
2731 
selinux_sb_statfs(struct dentry * dentry)2732 static int selinux_sb_statfs(struct dentry *dentry)
2733 {
2734 	const struct cred *cred = current_cred();
2735 	struct common_audit_data ad;
2736 
2737 	ad.type = LSM_AUDIT_DATA_DENTRY;
2738 	ad.u.dentry = dentry->d_sb->s_root;
2739 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2740 }
2741 
selinux_mount(const char * dev_name,const struct path * path,const char * type,unsigned long flags,void * data)2742 static int selinux_mount(const char *dev_name,
2743 			 const struct path *path,
2744 			 const char *type,
2745 			 unsigned long flags,
2746 			 void *data)
2747 {
2748 	const struct cred *cred = current_cred();
2749 
2750 	if (flags & MS_REMOUNT)
2751 		return superblock_has_perm(cred, path->dentry->d_sb,
2752 					   FILESYSTEM__REMOUNT, NULL);
2753 	else
2754 		return path_has_perm(cred, path, FILE__MOUNTON);
2755 }
2756 
selinux_move_mount(const struct path * from_path,const struct path * to_path)2757 static int selinux_move_mount(const struct path *from_path,
2758 			      const struct path *to_path)
2759 {
2760 	const struct cred *cred = current_cred();
2761 
2762 	return path_has_perm(cred, to_path, FILE__MOUNTON);
2763 }
2764 
selinux_umount(struct vfsmount * mnt,int flags)2765 static int selinux_umount(struct vfsmount *mnt, int flags)
2766 {
2767 	const struct cred *cred = current_cred();
2768 
2769 	return superblock_has_perm(cred, mnt->mnt_sb,
2770 				   FILESYSTEM__UNMOUNT, NULL);
2771 }
2772 
selinux_fs_context_submount(struct fs_context * fc,struct super_block * reference)2773 static int selinux_fs_context_submount(struct fs_context *fc,
2774 				   struct super_block *reference)
2775 {
2776 	const struct superblock_security_struct *sbsec = selinux_superblock(reference);
2777 	struct selinux_mnt_opts *opts;
2778 
2779 	/*
2780 	 * Ensure that fc->security remains NULL when no options are set
2781 	 * as expected by selinux_set_mnt_opts().
2782 	 */
2783 	if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT)))
2784 		return 0;
2785 
2786 	opts = kzalloc(sizeof(*opts), GFP_KERNEL);
2787 	if (!opts)
2788 		return -ENOMEM;
2789 
2790 	if (sbsec->flags & FSCONTEXT_MNT)
2791 		opts->fscontext_sid = sbsec->sid;
2792 	if (sbsec->flags & CONTEXT_MNT)
2793 		opts->context_sid = sbsec->mntpoint_sid;
2794 	if (sbsec->flags & DEFCONTEXT_MNT)
2795 		opts->defcontext_sid = sbsec->def_sid;
2796 	fc->security = opts;
2797 	return 0;
2798 }
2799 
selinux_fs_context_dup(struct fs_context * fc,struct fs_context * src_fc)2800 static int selinux_fs_context_dup(struct fs_context *fc,
2801 				  struct fs_context *src_fc)
2802 {
2803 	const struct selinux_mnt_opts *src = src_fc->security;
2804 
2805 	if (!src)
2806 		return 0;
2807 
2808 	fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2809 	return fc->security ? 0 : -ENOMEM;
2810 }
2811 
2812 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2813 	fsparam_string(CONTEXT_STR,	Opt_context),
2814 	fsparam_string(DEFCONTEXT_STR,	Opt_defcontext),
2815 	fsparam_string(FSCONTEXT_STR,	Opt_fscontext),
2816 	fsparam_string(ROOTCONTEXT_STR,	Opt_rootcontext),
2817 	fsparam_flag  (SECLABEL_STR,	Opt_seclabel),
2818 	{}
2819 };
2820 
selinux_fs_context_parse_param(struct fs_context * fc,struct fs_parameter * param)2821 static int selinux_fs_context_parse_param(struct fs_context *fc,
2822 					  struct fs_parameter *param)
2823 {
2824 	struct fs_parse_result result;
2825 	int opt;
2826 
2827 	opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2828 	if (opt < 0)
2829 		return opt;
2830 
2831 	return selinux_add_opt(opt, param->string, &fc->security);
2832 }
2833 
2834 /* inode security operations */
2835 
selinux_inode_alloc_security(struct inode * inode)2836 static int selinux_inode_alloc_security(struct inode *inode)
2837 {
2838 	struct inode_security_struct *isec = selinux_inode(inode);
2839 	u32 sid = current_sid();
2840 
2841 	spin_lock_init(&isec->lock);
2842 	INIT_LIST_HEAD(&isec->list);
2843 	isec->inode = inode;
2844 	isec->sid = SECINITSID_UNLABELED;
2845 	isec->sclass = SECCLASS_FILE;
2846 	isec->task_sid = sid;
2847 	isec->initialized = LABEL_INVALID;
2848 
2849 	return 0;
2850 }
2851 
selinux_inode_free_security(struct inode * inode)2852 static void selinux_inode_free_security(struct inode *inode)
2853 {
2854 	inode_free_security(inode);
2855 }
2856 
selinux_dentry_init_security(struct dentry * dentry,int mode,const struct qstr * name,const char ** xattr_name,void ** ctx,u32 * ctxlen)2857 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2858 					const struct qstr *name,
2859 					const char **xattr_name, void **ctx,
2860 					u32 *ctxlen)
2861 {
2862 	u32 newsid;
2863 	int rc;
2864 
2865 	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2866 					   d_inode(dentry->d_parent), name,
2867 					   inode_mode_to_security_class(mode),
2868 					   &newsid);
2869 	if (rc)
2870 		return rc;
2871 
2872 	if (xattr_name)
2873 		*xattr_name = XATTR_NAME_SELINUX;
2874 
2875 	return security_sid_to_context(newsid, (char **)ctx,
2876 				       ctxlen);
2877 }
2878 
selinux_dentry_create_files_as(struct dentry * dentry,int mode,struct qstr * name,const struct cred * old,struct cred * new)2879 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2880 					  struct qstr *name,
2881 					  const struct cred *old,
2882 					  struct cred *new)
2883 {
2884 	u32 newsid;
2885 	int rc;
2886 	struct task_security_struct *tsec;
2887 
2888 	rc = selinux_determine_inode_label(selinux_cred(old),
2889 					   d_inode(dentry->d_parent), name,
2890 					   inode_mode_to_security_class(mode),
2891 					   &newsid);
2892 	if (rc)
2893 		return rc;
2894 
2895 	tsec = selinux_cred(new);
2896 	tsec->create_sid = newsid;
2897 	return 0;
2898 }
2899 
selinux_inode_init_security(struct inode * inode,struct inode * dir,const struct qstr * qstr,struct xattr * xattrs,int * xattr_count)2900 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2901 				       const struct qstr *qstr,
2902 				       struct xattr *xattrs, int *xattr_count)
2903 {
2904 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2905 	struct superblock_security_struct *sbsec;
2906 	struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
2907 	u32 newsid, clen;
2908 	int rc;
2909 	char *context;
2910 
2911 	sbsec = selinux_superblock(dir->i_sb);
2912 
2913 	newsid = tsec->create_sid;
2914 
2915 	rc = selinux_determine_inode_label(tsec, dir, qstr,
2916 		inode_mode_to_security_class(inode->i_mode),
2917 		&newsid);
2918 	if (rc)
2919 		return rc;
2920 
2921 	/* Possibly defer initialization to selinux_complete_init. */
2922 	if (sbsec->flags & SE_SBINITIALIZED) {
2923 		struct inode_security_struct *isec = selinux_inode(inode);
2924 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2925 		isec->sid = newsid;
2926 		isec->initialized = LABEL_INITIALIZED;
2927 	}
2928 
2929 	if (!selinux_initialized() ||
2930 	    !(sbsec->flags & SBLABEL_MNT))
2931 		return -EOPNOTSUPP;
2932 
2933 	if (xattr) {
2934 		rc = security_sid_to_context_force(newsid,
2935 						   &context, &clen);
2936 		if (rc)
2937 			return rc;
2938 		xattr->value = context;
2939 		xattr->value_len = clen;
2940 		xattr->name = XATTR_SELINUX_SUFFIX;
2941 	}
2942 
2943 	return 0;
2944 }
2945 
selinux_inode_init_security_anon(struct inode * inode,const struct qstr * name,const struct inode * context_inode)2946 static int selinux_inode_init_security_anon(struct inode *inode,
2947 					    const struct qstr *name,
2948 					    const struct inode *context_inode)
2949 {
2950 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2951 	struct common_audit_data ad;
2952 	struct inode_security_struct *isec;
2953 	int rc;
2954 
2955 	if (unlikely(!selinux_initialized()))
2956 		return 0;
2957 
2958 	isec = selinux_inode(inode);
2959 
2960 	/*
2961 	 * We only get here once per ephemeral inode.  The inode has
2962 	 * been initialized via inode_alloc_security but is otherwise
2963 	 * untouched.
2964 	 */
2965 
2966 	if (context_inode) {
2967 		struct inode_security_struct *context_isec =
2968 			selinux_inode(context_inode);
2969 		if (context_isec->initialized != LABEL_INITIALIZED) {
2970 			pr_err("SELinux:  context_inode is not initialized\n");
2971 			return -EACCES;
2972 		}
2973 
2974 		isec->sclass = context_isec->sclass;
2975 		isec->sid = context_isec->sid;
2976 	} else {
2977 		isec->sclass = SECCLASS_ANON_INODE;
2978 		rc = security_transition_sid(
2979 			tsec->sid, tsec->sid,
2980 			isec->sclass, name, &isec->sid);
2981 		if (rc)
2982 			return rc;
2983 	}
2984 
2985 	isec->initialized = LABEL_INITIALIZED;
2986 	/*
2987 	 * Now that we've initialized security, check whether we're
2988 	 * allowed to actually create this type of anonymous inode.
2989 	 */
2990 
2991 	ad.type = LSM_AUDIT_DATA_ANONINODE;
2992 	ad.u.anonclass = name ? (const char *)name->name : "?";
2993 
2994 	return avc_has_perm(tsec->sid,
2995 			    isec->sid,
2996 			    isec->sclass,
2997 			    FILE__CREATE,
2998 			    &ad);
2999 }
3000 
selinux_inode_create(struct inode * dir,struct dentry * dentry,umode_t mode)3001 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3002 {
3003 	return may_create(dir, dentry, SECCLASS_FILE);
3004 }
3005 
selinux_inode_link(struct dentry * old_dentry,struct inode * dir,struct dentry * new_dentry)3006 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3007 {
3008 	return may_link(dir, old_dentry, MAY_LINK);
3009 }
3010 
selinux_inode_unlink(struct inode * dir,struct dentry * dentry)3011 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3012 {
3013 	return may_link(dir, dentry, MAY_UNLINK);
3014 }
3015 
selinux_inode_symlink(struct inode * dir,struct dentry * dentry,const char * name)3016 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3017 {
3018 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
3019 }
3020 
selinux_inode_mkdir(struct inode * dir,struct dentry * dentry,umode_t mask)3021 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3022 {
3023 	return may_create(dir, dentry, SECCLASS_DIR);
3024 }
3025 
selinux_inode_rmdir(struct inode * dir,struct dentry * dentry)3026 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3027 {
3028 	return may_link(dir, dentry, MAY_RMDIR);
3029 }
3030 
selinux_inode_mknod(struct inode * dir,struct dentry * dentry,umode_t mode,dev_t dev)3031 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3032 {
3033 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
3034 }
3035 
selinux_inode_rename(struct inode * old_inode,struct dentry * old_dentry,struct inode * new_inode,struct dentry * new_dentry)3036 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3037 				struct inode *new_inode, struct dentry *new_dentry)
3038 {
3039 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3040 }
3041 
selinux_inode_readlink(struct dentry * dentry)3042 static int selinux_inode_readlink(struct dentry *dentry)
3043 {
3044 	const struct cred *cred = current_cred();
3045 
3046 	return dentry_has_perm(cred, dentry, FILE__READ);
3047 }
3048 
selinux_inode_follow_link(struct dentry * dentry,struct inode * inode,bool rcu)3049 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3050 				     bool rcu)
3051 {
3052 	const struct cred *cred = current_cred();
3053 	struct common_audit_data ad;
3054 	struct inode_security_struct *isec;
3055 	u32 sid;
3056 
3057 	ad.type = LSM_AUDIT_DATA_DENTRY;
3058 	ad.u.dentry = dentry;
3059 	sid = cred_sid(cred);
3060 	isec = inode_security_rcu(inode, rcu);
3061 	if (IS_ERR(isec))
3062 		return PTR_ERR(isec);
3063 
3064 	return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad);
3065 }
3066 
audit_inode_permission(struct inode * inode,u32 perms,u32 audited,u32 denied,int result)3067 static noinline int audit_inode_permission(struct inode *inode,
3068 					   u32 perms, u32 audited, u32 denied,
3069 					   int result)
3070 {
3071 	struct common_audit_data ad;
3072 	struct inode_security_struct *isec = selinux_inode(inode);
3073 
3074 	ad.type = LSM_AUDIT_DATA_INODE;
3075 	ad.u.inode = inode;
3076 
3077 	return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3078 			    audited, denied, result, &ad);
3079 }
3080 
selinux_inode_permission(struct inode * inode,int mask)3081 static int selinux_inode_permission(struct inode *inode, int mask)
3082 {
3083 	const struct cred *cred = current_cred();
3084 	u32 perms;
3085 	bool from_access;
3086 	bool no_block = mask & MAY_NOT_BLOCK;
3087 	struct inode_security_struct *isec;
3088 	u32 sid;
3089 	struct av_decision avd;
3090 	int rc, rc2;
3091 	u32 audited, denied;
3092 
3093 	from_access = mask & MAY_ACCESS;
3094 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3095 
3096 	/* No permission to check.  Existence test. */
3097 	if (!mask)
3098 		return 0;
3099 
3100 	if (unlikely(IS_PRIVATE(inode)))
3101 		return 0;
3102 
3103 	perms = file_mask_to_av(inode->i_mode, mask);
3104 
3105 	sid = cred_sid(cred);
3106 	isec = inode_security_rcu(inode, no_block);
3107 	if (IS_ERR(isec))
3108 		return PTR_ERR(isec);
3109 
3110 	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0,
3111 				  &avd);
3112 	audited = avc_audit_required(perms, &avd, rc,
3113 				     from_access ? FILE__AUDIT_ACCESS : 0,
3114 				     &denied);
3115 	if (likely(!audited))
3116 		return rc;
3117 
3118 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3119 	if (rc2)
3120 		return rc2;
3121 	return rc;
3122 }
3123 
selinux_inode_setattr(struct dentry * dentry,struct iattr * iattr)3124 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3125 {
3126 	const struct cred *cred = current_cred();
3127 	struct inode *inode = d_backing_inode(dentry);
3128 	unsigned int ia_valid = iattr->ia_valid;
3129 	__u32 av = FILE__WRITE;
3130 
3131 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3132 	if (ia_valid & ATTR_FORCE) {
3133 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3134 			      ATTR_FORCE);
3135 		if (!ia_valid)
3136 			return 0;
3137 	}
3138 
3139 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3140 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3141 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3142 
3143 	if (selinux_policycap_openperm() &&
3144 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3145 	    (ia_valid & ATTR_SIZE) &&
3146 	    !(ia_valid & ATTR_FILE))
3147 		av |= FILE__OPEN;
3148 
3149 	return dentry_has_perm(cred, dentry, av);
3150 }
3151 
selinux_inode_getattr(const struct path * path)3152 static int selinux_inode_getattr(const struct path *path)
3153 {
3154 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3155 }
3156 
has_cap_mac_admin(bool audit)3157 static bool has_cap_mac_admin(bool audit)
3158 {
3159 	const struct cred *cred = current_cred();
3160 	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3161 
3162 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3163 		return false;
3164 	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3165 		return false;
3166 	return true;
3167 }
3168 
selinux_inode_setxattr(struct mnt_idmap * idmap,struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3169 static int selinux_inode_setxattr(struct mnt_idmap *idmap,
3170 				  struct dentry *dentry, const char *name,
3171 				  const void *value, size_t size, int flags)
3172 {
3173 	struct inode *inode = d_backing_inode(dentry);
3174 	struct inode_security_struct *isec;
3175 	struct superblock_security_struct *sbsec;
3176 	struct common_audit_data ad;
3177 	u32 newsid, sid = current_sid();
3178 	int rc = 0;
3179 
3180 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3181 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
3182 		if (rc)
3183 			return rc;
3184 
3185 		/* Not an attribute we recognize, so just check the
3186 		   ordinary setattr permission. */
3187 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3188 	}
3189 
3190 	if (!selinux_initialized())
3191 		return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
3192 
3193 	sbsec = selinux_superblock(inode->i_sb);
3194 	if (!(sbsec->flags & SBLABEL_MNT))
3195 		return -EOPNOTSUPP;
3196 
3197 	if (!inode_owner_or_capable(idmap, inode))
3198 		return -EPERM;
3199 
3200 	ad.type = LSM_AUDIT_DATA_DENTRY;
3201 	ad.u.dentry = dentry;
3202 
3203 	isec = backing_inode_security(dentry);
3204 	rc = avc_has_perm(sid, isec->sid, isec->sclass,
3205 			  FILE__RELABELFROM, &ad);
3206 	if (rc)
3207 		return rc;
3208 
3209 	rc = security_context_to_sid(value, size, &newsid,
3210 				     GFP_KERNEL);
3211 	if (rc == -EINVAL) {
3212 		if (!has_cap_mac_admin(true)) {
3213 			struct audit_buffer *ab;
3214 			size_t audit_size;
3215 
3216 			/* We strip a nul only if it is at the end, otherwise the
3217 			 * context contains a nul and we should audit that */
3218 			if (value) {
3219 				const char *str = value;
3220 
3221 				if (str[size - 1] == '\0')
3222 					audit_size = size - 1;
3223 				else
3224 					audit_size = size;
3225 			} else {
3226 				audit_size = 0;
3227 			}
3228 			ab = audit_log_start(audit_context(),
3229 					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3230 			if (!ab)
3231 				return rc;
3232 			audit_log_format(ab, "op=setxattr invalid_context=");
3233 			audit_log_n_untrustedstring(ab, value, audit_size);
3234 			audit_log_end(ab);
3235 
3236 			return rc;
3237 		}
3238 		rc = security_context_to_sid_force(value,
3239 						   size, &newsid);
3240 	}
3241 	if (rc)
3242 		return rc;
3243 
3244 	rc = avc_has_perm(sid, newsid, isec->sclass,
3245 			  FILE__RELABELTO, &ad);
3246 	if (rc)
3247 		return rc;
3248 
3249 	rc = security_validate_transition(isec->sid, newsid,
3250 					  sid, isec->sclass);
3251 	if (rc)
3252 		return rc;
3253 
3254 	return avc_has_perm(newsid,
3255 			    sbsec->sid,
3256 			    SECCLASS_FILESYSTEM,
3257 			    FILESYSTEM__ASSOCIATE,
3258 			    &ad);
3259 }
3260 
selinux_inode_set_acl(struct mnt_idmap * idmap,struct dentry * dentry,const char * acl_name,struct posix_acl * kacl)3261 static int selinux_inode_set_acl(struct mnt_idmap *idmap,
3262 				 struct dentry *dentry, const char *acl_name,
3263 				 struct posix_acl *kacl)
3264 {
3265 	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3266 }
3267 
selinux_inode_get_acl(struct mnt_idmap * idmap,struct dentry * dentry,const char * acl_name)3268 static int selinux_inode_get_acl(struct mnt_idmap *idmap,
3269 				 struct dentry *dentry, const char *acl_name)
3270 {
3271 	return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3272 }
3273 
selinux_inode_remove_acl(struct mnt_idmap * idmap,struct dentry * dentry,const char * acl_name)3274 static int selinux_inode_remove_acl(struct mnt_idmap *idmap,
3275 				    struct dentry *dentry, const char *acl_name)
3276 {
3277 	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3278 }
3279 
selinux_inode_post_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3280 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3281 					const void *value, size_t size,
3282 					int flags)
3283 {
3284 	struct inode *inode = d_backing_inode(dentry);
3285 	struct inode_security_struct *isec;
3286 	u32 newsid;
3287 	int rc;
3288 
3289 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3290 		/* Not an attribute we recognize, so nothing to do. */
3291 		return;
3292 	}
3293 
3294 	if (!selinux_initialized()) {
3295 		/* If we haven't even been initialized, then we can't validate
3296 		 * against a policy, so leave the label as invalid. It may
3297 		 * resolve to a valid label on the next revalidation try if
3298 		 * we've since initialized.
3299 		 */
3300 		return;
3301 	}
3302 
3303 	rc = security_context_to_sid_force(value, size,
3304 					   &newsid);
3305 	if (rc) {
3306 		pr_err("SELinux:  unable to map context to SID"
3307 		       "for (%s, %lu), rc=%d\n",
3308 		       inode->i_sb->s_id, inode->i_ino, -rc);
3309 		return;
3310 	}
3311 
3312 	isec = backing_inode_security(dentry);
3313 	spin_lock(&isec->lock);
3314 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3315 	isec->sid = newsid;
3316 	isec->initialized = LABEL_INITIALIZED;
3317 	spin_unlock(&isec->lock);
3318 }
3319 
selinux_inode_getxattr(struct dentry * dentry,const char * name)3320 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3321 {
3322 	const struct cred *cred = current_cred();
3323 
3324 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3325 }
3326 
selinux_inode_listxattr(struct dentry * dentry)3327 static int selinux_inode_listxattr(struct dentry *dentry)
3328 {
3329 	const struct cred *cred = current_cred();
3330 
3331 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3332 }
3333 
selinux_inode_removexattr(struct mnt_idmap * idmap,struct dentry * dentry,const char * name)3334 static int selinux_inode_removexattr(struct mnt_idmap *idmap,
3335 				     struct dentry *dentry, const char *name)
3336 {
3337 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3338 		int rc = cap_inode_removexattr(idmap, dentry, name);
3339 		if (rc)
3340 			return rc;
3341 
3342 		/* Not an attribute we recognize, so just check the
3343 		   ordinary setattr permission. */
3344 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3345 	}
3346 
3347 	if (!selinux_initialized())
3348 		return 0;
3349 
3350 	/* No one is allowed to remove a SELinux security label.
3351 	   You can change the label, but all data must be labeled. */
3352 	return -EACCES;
3353 }
3354 
selinux_path_notify(const struct path * path,u64 mask,unsigned int obj_type)3355 static int selinux_path_notify(const struct path *path, u64 mask,
3356 						unsigned int obj_type)
3357 {
3358 	int ret;
3359 	u32 perm;
3360 
3361 	struct common_audit_data ad;
3362 
3363 	ad.type = LSM_AUDIT_DATA_PATH;
3364 	ad.u.path = *path;
3365 
3366 	/*
3367 	 * Set permission needed based on the type of mark being set.
3368 	 * Performs an additional check for sb watches.
3369 	 */
3370 	switch (obj_type) {
3371 	case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3372 		perm = FILE__WATCH_MOUNT;
3373 		break;
3374 	case FSNOTIFY_OBJ_TYPE_SB:
3375 		perm = FILE__WATCH_SB;
3376 		ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3377 						FILESYSTEM__WATCH, &ad);
3378 		if (ret)
3379 			return ret;
3380 		break;
3381 	case FSNOTIFY_OBJ_TYPE_INODE:
3382 		perm = FILE__WATCH;
3383 		break;
3384 	default:
3385 		return -EINVAL;
3386 	}
3387 
3388 	/* blocking watches require the file:watch_with_perm permission */
3389 	if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3390 		perm |= FILE__WATCH_WITH_PERM;
3391 
3392 	/* watches on read-like events need the file:watch_reads permission */
3393 	if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3394 		perm |= FILE__WATCH_READS;
3395 
3396 	return path_has_perm(current_cred(), path, perm);
3397 }
3398 
3399 /*
3400  * Copy the inode security context value to the user.
3401  *
3402  * Permission check is handled by selinux_inode_getxattr hook.
3403  */
selinux_inode_getsecurity(struct mnt_idmap * idmap,struct inode * inode,const char * name,void ** buffer,bool alloc)3404 static int selinux_inode_getsecurity(struct mnt_idmap *idmap,
3405 				     struct inode *inode, const char *name,
3406 				     void **buffer, bool alloc)
3407 {
3408 	u32 size;
3409 	int error;
3410 	char *context = NULL;
3411 	struct inode_security_struct *isec;
3412 
3413 	/*
3414 	 * If we're not initialized yet, then we can't validate contexts, so
3415 	 * just let vfs_getxattr fall back to using the on-disk xattr.
3416 	 */
3417 	if (!selinux_initialized() ||
3418 	    strcmp(name, XATTR_SELINUX_SUFFIX))
3419 		return -EOPNOTSUPP;
3420 
3421 	/*
3422 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3423 	 * value even if it is not defined by current policy; otherwise,
3424 	 * use the in-core value under current policy.
3425 	 * Use the non-auditing forms of the permission checks since
3426 	 * getxattr may be called by unprivileged processes commonly
3427 	 * and lack of permission just means that we fall back to the
3428 	 * in-core context value, not a denial.
3429 	 */
3430 	isec = inode_security(inode);
3431 	if (has_cap_mac_admin(false))
3432 		error = security_sid_to_context_force(isec->sid, &context,
3433 						      &size);
3434 	else
3435 		error = security_sid_to_context(isec->sid,
3436 						&context, &size);
3437 	if (error)
3438 		return error;
3439 	error = size;
3440 	if (alloc) {
3441 		*buffer = context;
3442 		goto out_nofree;
3443 	}
3444 	kfree(context);
3445 out_nofree:
3446 	return error;
3447 }
3448 
selinux_inode_setsecurity(struct inode * inode,const char * name,const void * value,size_t size,int flags)3449 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3450 				     const void *value, size_t size, int flags)
3451 {
3452 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3453 	struct superblock_security_struct *sbsec;
3454 	u32 newsid;
3455 	int rc;
3456 
3457 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3458 		return -EOPNOTSUPP;
3459 
3460 	sbsec = selinux_superblock(inode->i_sb);
3461 	if (!(sbsec->flags & SBLABEL_MNT))
3462 		return -EOPNOTSUPP;
3463 
3464 	if (!value || !size)
3465 		return -EACCES;
3466 
3467 	rc = security_context_to_sid(value, size, &newsid,
3468 				     GFP_KERNEL);
3469 	if (rc)
3470 		return rc;
3471 
3472 	spin_lock(&isec->lock);
3473 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3474 	isec->sid = newsid;
3475 	isec->initialized = LABEL_INITIALIZED;
3476 	spin_unlock(&isec->lock);
3477 	return 0;
3478 }
3479 
selinux_inode_listsecurity(struct inode * inode,char * buffer,size_t buffer_size)3480 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3481 {
3482 	const int len = sizeof(XATTR_NAME_SELINUX);
3483 
3484 	if (!selinux_initialized())
3485 		return 0;
3486 
3487 	if (buffer && len <= buffer_size)
3488 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3489 	return len;
3490 }
3491 
selinux_inode_getsecid(struct inode * inode,u32 * secid)3492 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3493 {
3494 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3495 	*secid = isec->sid;
3496 }
3497 
selinux_inode_copy_up(struct dentry * src,struct cred ** new)3498 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3499 {
3500 	u32 sid;
3501 	struct task_security_struct *tsec;
3502 	struct cred *new_creds = *new;
3503 
3504 	if (new_creds == NULL) {
3505 		new_creds = prepare_creds();
3506 		if (!new_creds)
3507 			return -ENOMEM;
3508 	}
3509 
3510 	tsec = selinux_cred(new_creds);
3511 	/* Get label from overlay inode and set it in create_sid */
3512 	selinux_inode_getsecid(d_inode(src), &sid);
3513 	tsec->create_sid = sid;
3514 	*new = new_creds;
3515 	return 0;
3516 }
3517 
selinux_inode_copy_up_xattr(const char * name)3518 static int selinux_inode_copy_up_xattr(const char *name)
3519 {
3520 	/* The copy_up hook above sets the initial context on an inode, but we
3521 	 * don't then want to overwrite it by blindly copying all the lower
3522 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3523 	 */
3524 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3525 		return 1; /* Discard */
3526 	/*
3527 	 * Any other attribute apart from SELINUX is not claimed, supported
3528 	 * by selinux.
3529 	 */
3530 	return -EOPNOTSUPP;
3531 }
3532 
3533 /* kernfs node operations */
3534 
selinux_kernfs_init_security(struct kernfs_node * kn_dir,struct kernfs_node * kn)3535 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3536 					struct kernfs_node *kn)
3537 {
3538 	const struct task_security_struct *tsec = selinux_cred(current_cred());
3539 	u32 parent_sid, newsid, clen;
3540 	int rc;
3541 	char *context;
3542 
3543 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3544 	if (rc == -ENODATA)
3545 		return 0;
3546 	else if (rc < 0)
3547 		return rc;
3548 
3549 	clen = (u32)rc;
3550 	context = kmalloc(clen, GFP_KERNEL);
3551 	if (!context)
3552 		return -ENOMEM;
3553 
3554 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3555 	if (rc < 0) {
3556 		kfree(context);
3557 		return rc;
3558 	}
3559 
3560 	rc = security_context_to_sid(context, clen, &parent_sid,
3561 				     GFP_KERNEL);
3562 	kfree(context);
3563 	if (rc)
3564 		return rc;
3565 
3566 	if (tsec->create_sid) {
3567 		newsid = tsec->create_sid;
3568 	} else {
3569 		u16 secclass = inode_mode_to_security_class(kn->mode);
3570 		struct qstr q;
3571 
3572 		q.name = kn->name;
3573 		q.hash_len = hashlen_string(kn_dir, kn->name);
3574 
3575 		rc = security_transition_sid(tsec->sid,
3576 					     parent_sid, secclass, &q,
3577 					     &newsid);
3578 		if (rc)
3579 			return rc;
3580 	}
3581 
3582 	rc = security_sid_to_context_force(newsid,
3583 					   &context, &clen);
3584 	if (rc)
3585 		return rc;
3586 
3587 	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3588 			      XATTR_CREATE);
3589 	kfree(context);
3590 	return rc;
3591 }
3592 
3593 
3594 /* file security operations */
3595 
selinux_revalidate_file_permission(struct file * file,int mask)3596 static int selinux_revalidate_file_permission(struct file *file, int mask)
3597 {
3598 	const struct cred *cred = current_cred();
3599 	struct inode *inode = file_inode(file);
3600 
3601 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3602 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3603 		mask |= MAY_APPEND;
3604 
3605 	return file_has_perm(cred, file,
3606 			     file_mask_to_av(inode->i_mode, mask));
3607 }
3608 
selinux_file_permission(struct file * file,int mask)3609 static int selinux_file_permission(struct file *file, int mask)
3610 {
3611 	struct inode *inode = file_inode(file);
3612 	struct file_security_struct *fsec = selinux_file(file);
3613 	struct inode_security_struct *isec;
3614 	u32 sid = current_sid();
3615 
3616 	if (!mask)
3617 		/* No permission to check.  Existence test. */
3618 		return 0;
3619 
3620 	isec = inode_security(inode);
3621 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3622 	    fsec->pseqno == avc_policy_seqno())
3623 		/* No change since file_open check. */
3624 		return 0;
3625 
3626 	return selinux_revalidate_file_permission(file, mask);
3627 }
3628 
selinux_file_alloc_security(struct file * file)3629 static int selinux_file_alloc_security(struct file *file)
3630 {
3631 	struct file_security_struct *fsec = selinux_file(file);
3632 	u32 sid = current_sid();
3633 
3634 	fsec->sid = sid;
3635 	fsec->fown_sid = sid;
3636 
3637 	return 0;
3638 }
3639 
3640 /*
3641  * Check whether a task has the ioctl permission and cmd
3642  * operation to an inode.
3643  */
ioctl_has_perm(const struct cred * cred,struct file * file,u32 requested,u16 cmd)3644 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3645 		u32 requested, u16 cmd)
3646 {
3647 	struct common_audit_data ad;
3648 	struct file_security_struct *fsec = selinux_file(file);
3649 	struct inode *inode = file_inode(file);
3650 	struct inode_security_struct *isec;
3651 	struct lsm_ioctlop_audit ioctl;
3652 	u32 ssid = cred_sid(cred);
3653 	int rc;
3654 	u8 driver = cmd >> 8;
3655 	u8 xperm = cmd & 0xff;
3656 
3657 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3658 	ad.u.op = &ioctl;
3659 	ad.u.op->cmd = cmd;
3660 	ad.u.op->path = file->f_path;
3661 
3662 	if (ssid != fsec->sid) {
3663 		rc = avc_has_perm(ssid, fsec->sid,
3664 				SECCLASS_FD,
3665 				FD__USE,
3666 				&ad);
3667 		if (rc)
3668 			goto out;
3669 	}
3670 
3671 	if (unlikely(IS_PRIVATE(inode)))
3672 		return 0;
3673 
3674 	isec = inode_security(inode);
3675 	rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3676 				    requested, driver, xperm, &ad);
3677 out:
3678 	return rc;
3679 }
3680 
selinux_file_ioctl(struct file * file,unsigned int cmd,unsigned long arg)3681 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3682 			      unsigned long arg)
3683 {
3684 	const struct cred *cred = current_cred();
3685 	int error = 0;
3686 
3687 	switch (cmd) {
3688 	case FIONREAD:
3689 	case FIBMAP:
3690 	case FIGETBSZ:
3691 	case FS_IOC_GETFLAGS:
3692 	case FS_IOC_GETVERSION:
3693 		error = file_has_perm(cred, file, FILE__GETATTR);
3694 		break;
3695 
3696 	case FS_IOC_SETFLAGS:
3697 	case FS_IOC_SETVERSION:
3698 		error = file_has_perm(cred, file, FILE__SETATTR);
3699 		break;
3700 
3701 	/* sys_ioctl() checks */
3702 	case FIONBIO:
3703 	case FIOASYNC:
3704 		error = file_has_perm(cred, file, 0);
3705 		break;
3706 
3707 	case KDSKBENT:
3708 	case KDSKBSENT:
3709 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3710 					    CAP_OPT_NONE, true);
3711 		break;
3712 
3713 	case FIOCLEX:
3714 	case FIONCLEX:
3715 		if (!selinux_policycap_ioctl_skip_cloexec())
3716 			error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3717 		break;
3718 
3719 	/* default case assumes that the command will go
3720 	 * to the file's ioctl() function.
3721 	 */
3722 	default:
3723 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3724 	}
3725 	return error;
3726 }
3727 
selinux_file_ioctl_compat(struct file * file,unsigned int cmd,unsigned long arg)3728 static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd,
3729 			      unsigned long arg)
3730 {
3731 	/*
3732 	 * If we are in a 64-bit kernel running 32-bit userspace, we need to
3733 	 * make sure we don't compare 32-bit flags to 64-bit flags.
3734 	 */
3735 	switch (cmd) {
3736 	case FS_IOC32_GETFLAGS:
3737 		cmd = FS_IOC_GETFLAGS;
3738 		break;
3739 	case FS_IOC32_SETFLAGS:
3740 		cmd = FS_IOC_SETFLAGS;
3741 		break;
3742 	case FS_IOC32_GETVERSION:
3743 		cmd = FS_IOC_GETVERSION;
3744 		break;
3745 	case FS_IOC32_SETVERSION:
3746 		cmd = FS_IOC_SETVERSION;
3747 		break;
3748 	default:
3749 		break;
3750 	}
3751 
3752 	return selinux_file_ioctl(file, cmd, arg);
3753 }
3754 
3755 static int default_noexec __ro_after_init;
3756 
file_map_prot_check(struct file * file,unsigned long prot,int shared)3757 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3758 {
3759 	const struct cred *cred = current_cred();
3760 	u32 sid = cred_sid(cred);
3761 	int rc = 0;
3762 
3763 	if (default_noexec &&
3764 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3765 				   (!shared && (prot & PROT_WRITE)))) {
3766 		/*
3767 		 * We are making executable an anonymous mapping or a
3768 		 * private file mapping that will also be writable.
3769 		 * This has an additional check.
3770 		 */
3771 		rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3772 				  PROCESS__EXECMEM, NULL);
3773 		if (rc)
3774 			goto error;
3775 	}
3776 
3777 	if (file) {
3778 		/* read access is always possible with a mapping */
3779 		u32 av = FILE__READ;
3780 
3781 		/* write access only matters if the mapping is shared */
3782 		if (shared && (prot & PROT_WRITE))
3783 			av |= FILE__WRITE;
3784 
3785 		if (prot & PROT_EXEC)
3786 			av |= FILE__EXECUTE;
3787 
3788 		return file_has_perm(cred, file, av);
3789 	}
3790 
3791 error:
3792 	return rc;
3793 }
3794 
selinux_mmap_addr(unsigned long addr)3795 static int selinux_mmap_addr(unsigned long addr)
3796 {
3797 	int rc = 0;
3798 
3799 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3800 		u32 sid = current_sid();
3801 		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3802 				  MEMPROTECT__MMAP_ZERO, NULL);
3803 	}
3804 
3805 	return rc;
3806 }
3807 
selinux_mmap_file(struct file * file,unsigned long reqprot __always_unused,unsigned long prot,unsigned long flags)3808 static int selinux_mmap_file(struct file *file,
3809 			     unsigned long reqprot __always_unused,
3810 			     unsigned long prot, unsigned long flags)
3811 {
3812 	struct common_audit_data ad;
3813 	int rc;
3814 
3815 	if (file) {
3816 		ad.type = LSM_AUDIT_DATA_FILE;
3817 		ad.u.file = file;
3818 		rc = inode_has_perm(current_cred(), file_inode(file),
3819 				    FILE__MAP, &ad);
3820 		if (rc)
3821 			return rc;
3822 	}
3823 
3824 	return file_map_prot_check(file, prot,
3825 				   (flags & MAP_TYPE) == MAP_SHARED);
3826 }
3827 
selinux_file_mprotect(struct vm_area_struct * vma,unsigned long reqprot __always_unused,unsigned long prot)3828 static int selinux_file_mprotect(struct vm_area_struct *vma,
3829 				 unsigned long reqprot __always_unused,
3830 				 unsigned long prot)
3831 {
3832 	const struct cred *cred = current_cred();
3833 	u32 sid = cred_sid(cred);
3834 
3835 	if (default_noexec &&
3836 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3837 		int rc = 0;
3838 		/*
3839 		 * We don't use the vma_is_initial_heap() helper as it has
3840 		 * a history of problems and is currently broken on systems
3841 		 * where there is no heap, e.g. brk == start_brk.  Before
3842 		 * replacing the conditional below with vma_is_initial_heap(),
3843 		 * or something similar, please ensure that the logic is the
3844 		 * same as what we have below or you have tested every possible
3845 		 * corner case you can think to test.
3846 		 */
3847 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3848 		    vma->vm_end <= vma->vm_mm->brk) {
3849 			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3850 					  PROCESS__EXECHEAP, NULL);
3851 		} else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
3852 			    vma_is_stack_for_current(vma))) {
3853 			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3854 					  PROCESS__EXECSTACK, NULL);
3855 		} else if (vma->vm_file && vma->anon_vma) {
3856 			/*
3857 			 * We are making executable a file mapping that has
3858 			 * had some COW done. Since pages might have been
3859 			 * written, check ability to execute the possibly
3860 			 * modified content.  This typically should only
3861 			 * occur for text relocations.
3862 			 */
3863 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3864 		}
3865 		if (rc)
3866 			return rc;
3867 	}
3868 
3869 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3870 }
3871 
selinux_file_lock(struct file * file,unsigned int cmd)3872 static int selinux_file_lock(struct file *file, unsigned int cmd)
3873 {
3874 	const struct cred *cred = current_cred();
3875 
3876 	return file_has_perm(cred, file, FILE__LOCK);
3877 }
3878 
selinux_file_fcntl(struct file * file,unsigned int cmd,unsigned long arg)3879 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3880 			      unsigned long arg)
3881 {
3882 	const struct cred *cred = current_cred();
3883 	int err = 0;
3884 
3885 	switch (cmd) {
3886 	case F_SETFL:
3887 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3888 			err = file_has_perm(cred, file, FILE__WRITE);
3889 			break;
3890 		}
3891 		fallthrough;
3892 	case F_SETOWN:
3893 	case F_SETSIG:
3894 	case F_GETFL:
3895 	case F_GETOWN:
3896 	case F_GETSIG:
3897 	case F_GETOWNER_UIDS:
3898 		/* Just check FD__USE permission */
3899 		err = file_has_perm(cred, file, 0);
3900 		break;
3901 	case F_GETLK:
3902 	case F_SETLK:
3903 	case F_SETLKW:
3904 	case F_OFD_GETLK:
3905 	case F_OFD_SETLK:
3906 	case F_OFD_SETLKW:
3907 #if BITS_PER_LONG == 32
3908 	case F_GETLK64:
3909 	case F_SETLK64:
3910 	case F_SETLKW64:
3911 #endif
3912 		err = file_has_perm(cred, file, FILE__LOCK);
3913 		break;
3914 	}
3915 
3916 	return err;
3917 }
3918 
selinux_file_set_fowner(struct file * file)3919 static void selinux_file_set_fowner(struct file *file)
3920 {
3921 	struct file_security_struct *fsec;
3922 
3923 	fsec = selinux_file(file);
3924 	fsec->fown_sid = current_sid();
3925 }
3926 
selinux_file_send_sigiotask(struct task_struct * tsk,struct fown_struct * fown,int signum)3927 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3928 				       struct fown_struct *fown, int signum)
3929 {
3930 	struct file *file;
3931 	u32 sid = task_sid_obj(tsk);
3932 	u32 perm;
3933 	struct file_security_struct *fsec;
3934 
3935 	/* struct fown_struct is never outside the context of a struct file */
3936 	file = container_of(fown, struct file, f_owner);
3937 
3938 	fsec = selinux_file(file);
3939 
3940 	if (!signum)
3941 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3942 	else
3943 		perm = signal_to_av(signum);
3944 
3945 	return avc_has_perm(fsec->fown_sid, sid,
3946 			    SECCLASS_PROCESS, perm, NULL);
3947 }
3948 
selinux_file_receive(struct file * file)3949 static int selinux_file_receive(struct file *file)
3950 {
3951 	const struct cred *cred = current_cred();
3952 
3953 	return file_has_perm(cred, file, file_to_av(file));
3954 }
3955 
selinux_file_open(struct file * file)3956 static int selinux_file_open(struct file *file)
3957 {
3958 	struct file_security_struct *fsec;
3959 	struct inode_security_struct *isec;
3960 
3961 	fsec = selinux_file(file);
3962 	isec = inode_security(file_inode(file));
3963 	/*
3964 	 * Save inode label and policy sequence number
3965 	 * at open-time so that selinux_file_permission
3966 	 * can determine whether revalidation is necessary.
3967 	 * Task label is already saved in the file security
3968 	 * struct as its SID.
3969 	 */
3970 	fsec->isid = isec->sid;
3971 	fsec->pseqno = avc_policy_seqno();
3972 	/*
3973 	 * Since the inode label or policy seqno may have changed
3974 	 * between the selinux_inode_permission check and the saving
3975 	 * of state above, recheck that access is still permitted.
3976 	 * Otherwise, access might never be revalidated against the
3977 	 * new inode label or new policy.
3978 	 * This check is not redundant - do not remove.
3979 	 */
3980 	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3981 }
3982 
3983 /* task security operations */
3984 
selinux_task_alloc(struct task_struct * task,unsigned long clone_flags)3985 static int selinux_task_alloc(struct task_struct *task,
3986 			      unsigned long clone_flags)
3987 {
3988 	u32 sid = current_sid();
3989 
3990 	return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3991 }
3992 
3993 /*
3994  * prepare a new set of credentials for modification
3995  */
selinux_cred_prepare(struct cred * new,const struct cred * old,gfp_t gfp)3996 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3997 				gfp_t gfp)
3998 {
3999 	const struct task_security_struct *old_tsec = selinux_cred(old);
4000 	struct task_security_struct *tsec = selinux_cred(new);
4001 
4002 	*tsec = *old_tsec;
4003 	return 0;
4004 }
4005 
4006 /*
4007  * transfer the SELinux data to a blank set of creds
4008  */
selinux_cred_transfer(struct cred * new,const struct cred * old)4009 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
4010 {
4011 	const struct task_security_struct *old_tsec = selinux_cred(old);
4012 	struct task_security_struct *tsec = selinux_cred(new);
4013 
4014 	*tsec = *old_tsec;
4015 }
4016 
selinux_cred_getsecid(const struct cred * c,u32 * secid)4017 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
4018 {
4019 	*secid = cred_sid(c);
4020 }
4021 
4022 /*
4023  * set the security data for a kernel service
4024  * - all the creation contexts are set to unlabelled
4025  */
selinux_kernel_act_as(struct cred * new,u32 secid)4026 static int selinux_kernel_act_as(struct cred *new, u32 secid)
4027 {
4028 	struct task_security_struct *tsec = selinux_cred(new);
4029 	u32 sid = current_sid();
4030 	int ret;
4031 
4032 	ret = avc_has_perm(sid, secid,
4033 			   SECCLASS_KERNEL_SERVICE,
4034 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
4035 			   NULL);
4036 	if (ret == 0) {
4037 		tsec->sid = secid;
4038 		tsec->create_sid = 0;
4039 		tsec->keycreate_sid = 0;
4040 		tsec->sockcreate_sid = 0;
4041 	}
4042 	return ret;
4043 }
4044 
4045 /*
4046  * set the file creation context in a security record to the same as the
4047  * objective context of the specified inode
4048  */
selinux_kernel_create_files_as(struct cred * new,struct inode * inode)4049 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4050 {
4051 	struct inode_security_struct *isec = inode_security(inode);
4052 	struct task_security_struct *tsec = selinux_cred(new);
4053 	u32 sid = current_sid();
4054 	int ret;
4055 
4056 	ret = avc_has_perm(sid, isec->sid,
4057 			   SECCLASS_KERNEL_SERVICE,
4058 			   KERNEL_SERVICE__CREATE_FILES_AS,
4059 			   NULL);
4060 
4061 	if (ret == 0)
4062 		tsec->create_sid = isec->sid;
4063 	return ret;
4064 }
4065 
selinux_kernel_module_request(char * kmod_name)4066 static int selinux_kernel_module_request(char *kmod_name)
4067 {
4068 	struct common_audit_data ad;
4069 
4070 	ad.type = LSM_AUDIT_DATA_KMOD;
4071 	ad.u.kmod_name = kmod_name;
4072 
4073 	return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4074 			    SYSTEM__MODULE_REQUEST, &ad);
4075 }
4076 
selinux_kernel_module_from_file(struct file * file)4077 static int selinux_kernel_module_from_file(struct file *file)
4078 {
4079 	struct common_audit_data ad;
4080 	struct inode_security_struct *isec;
4081 	struct file_security_struct *fsec;
4082 	u32 sid = current_sid();
4083 	int rc;
4084 
4085 	/* init_module */
4086 	if (file == NULL)
4087 		return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
4088 					SYSTEM__MODULE_LOAD, NULL);
4089 
4090 	/* finit_module */
4091 
4092 	ad.type = LSM_AUDIT_DATA_FILE;
4093 	ad.u.file = file;
4094 
4095 	fsec = selinux_file(file);
4096 	if (sid != fsec->sid) {
4097 		rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4098 		if (rc)
4099 			return rc;
4100 	}
4101 
4102 	isec = inode_security(file_inode(file));
4103 	return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
4104 				SYSTEM__MODULE_LOAD, &ad);
4105 }
4106 
selinux_kernel_read_file(struct file * file,enum kernel_read_file_id id,bool contents)4107 static int selinux_kernel_read_file(struct file *file,
4108 				    enum kernel_read_file_id id,
4109 				    bool contents)
4110 {
4111 	int rc = 0;
4112 
4113 	switch (id) {
4114 	case READING_MODULE:
4115 		rc = selinux_kernel_module_from_file(contents ? file : NULL);
4116 		break;
4117 	default:
4118 		break;
4119 	}
4120 
4121 	return rc;
4122 }
4123 
selinux_kernel_load_data(enum kernel_load_data_id id,bool contents)4124 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4125 {
4126 	int rc = 0;
4127 
4128 	switch (id) {
4129 	case LOADING_MODULE:
4130 		rc = selinux_kernel_module_from_file(NULL);
4131 		break;
4132 	default:
4133 		break;
4134 	}
4135 
4136 	return rc;
4137 }
4138 
selinux_task_setpgid(struct task_struct * p,pid_t pgid)4139 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4140 {
4141 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4142 			    PROCESS__SETPGID, NULL);
4143 }
4144 
selinux_task_getpgid(struct task_struct * p)4145 static int selinux_task_getpgid(struct task_struct *p)
4146 {
4147 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4148 			    PROCESS__GETPGID, NULL);
4149 }
4150 
selinux_task_getsid(struct task_struct * p)4151 static int selinux_task_getsid(struct task_struct *p)
4152 {
4153 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4154 			    PROCESS__GETSESSION, NULL);
4155 }
4156 
selinux_current_getsecid_subj(u32 * secid)4157 static void selinux_current_getsecid_subj(u32 *secid)
4158 {
4159 	*secid = current_sid();
4160 }
4161 
selinux_task_getsecid_obj(struct task_struct * p,u32 * secid)4162 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
4163 {
4164 	*secid = task_sid_obj(p);
4165 }
4166 
selinux_task_setnice(struct task_struct * p,int nice)4167 static int selinux_task_setnice(struct task_struct *p, int nice)
4168 {
4169 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4170 			    PROCESS__SETSCHED, NULL);
4171 }
4172 
selinux_task_setioprio(struct task_struct * p,int ioprio)4173 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4174 {
4175 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4176 			    PROCESS__SETSCHED, NULL);
4177 }
4178 
selinux_task_getioprio(struct task_struct * p)4179 static int selinux_task_getioprio(struct task_struct *p)
4180 {
4181 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4182 			    PROCESS__GETSCHED, NULL);
4183 }
4184 
selinux_task_prlimit(const struct cred * cred,const struct cred * tcred,unsigned int flags)4185 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4186 				unsigned int flags)
4187 {
4188 	u32 av = 0;
4189 
4190 	if (!flags)
4191 		return 0;
4192 	if (flags & LSM_PRLIMIT_WRITE)
4193 		av |= PROCESS__SETRLIMIT;
4194 	if (flags & LSM_PRLIMIT_READ)
4195 		av |= PROCESS__GETRLIMIT;
4196 	return avc_has_perm(cred_sid(cred), cred_sid(tcred),
4197 			    SECCLASS_PROCESS, av, NULL);
4198 }
4199 
selinux_task_setrlimit(struct task_struct * p,unsigned int resource,struct rlimit * new_rlim)4200 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4201 		struct rlimit *new_rlim)
4202 {
4203 	struct rlimit *old_rlim = p->signal->rlim + resource;
4204 
4205 	/* Control the ability to change the hard limit (whether
4206 	   lowering or raising it), so that the hard limit can
4207 	   later be used as a safe reset point for the soft limit
4208 	   upon context transitions.  See selinux_bprm_committing_creds. */
4209 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4210 		return avc_has_perm(current_sid(), task_sid_obj(p),
4211 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4212 
4213 	return 0;
4214 }
4215 
selinux_task_setscheduler(struct task_struct * p)4216 static int selinux_task_setscheduler(struct task_struct *p)
4217 {
4218 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4219 			    PROCESS__SETSCHED, NULL);
4220 }
4221 
selinux_task_getscheduler(struct task_struct * p)4222 static int selinux_task_getscheduler(struct task_struct *p)
4223 {
4224 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4225 			    PROCESS__GETSCHED, NULL);
4226 }
4227 
selinux_task_movememory(struct task_struct * p)4228 static int selinux_task_movememory(struct task_struct *p)
4229 {
4230 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4231 			    PROCESS__SETSCHED, NULL);
4232 }
4233 
selinux_task_kill(struct task_struct * p,struct kernel_siginfo * info,int sig,const struct cred * cred)4234 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4235 				int sig, const struct cred *cred)
4236 {
4237 	u32 secid;
4238 	u32 perm;
4239 
4240 	if (!sig)
4241 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4242 	else
4243 		perm = signal_to_av(sig);
4244 	if (!cred)
4245 		secid = current_sid();
4246 	else
4247 		secid = cred_sid(cred);
4248 	return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4249 }
4250 
selinux_task_to_inode(struct task_struct * p,struct inode * inode)4251 static void selinux_task_to_inode(struct task_struct *p,
4252 				  struct inode *inode)
4253 {
4254 	struct inode_security_struct *isec = selinux_inode(inode);
4255 	u32 sid = task_sid_obj(p);
4256 
4257 	spin_lock(&isec->lock);
4258 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4259 	isec->sid = sid;
4260 	isec->initialized = LABEL_INITIALIZED;
4261 	spin_unlock(&isec->lock);
4262 }
4263 
selinux_userns_create(const struct cred * cred)4264 static int selinux_userns_create(const struct cred *cred)
4265 {
4266 	u32 sid = current_sid();
4267 
4268 	return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE,
4269 			USER_NAMESPACE__CREATE, NULL);
4270 }
4271 
4272 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv4(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4273 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4274 			struct common_audit_data *ad, u8 *proto)
4275 {
4276 	int offset, ihlen, ret = -EINVAL;
4277 	struct iphdr _iph, *ih;
4278 
4279 	offset = skb_network_offset(skb);
4280 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4281 	if (ih == NULL)
4282 		goto out;
4283 
4284 	ihlen = ih->ihl * 4;
4285 	if (ihlen < sizeof(_iph))
4286 		goto out;
4287 
4288 	ad->u.net->v4info.saddr = ih->saddr;
4289 	ad->u.net->v4info.daddr = ih->daddr;
4290 	ret = 0;
4291 
4292 	if (proto)
4293 		*proto = ih->protocol;
4294 
4295 	switch (ih->protocol) {
4296 	case IPPROTO_TCP: {
4297 		struct tcphdr _tcph, *th;
4298 
4299 		if (ntohs(ih->frag_off) & IP_OFFSET)
4300 			break;
4301 
4302 		offset += ihlen;
4303 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4304 		if (th == NULL)
4305 			break;
4306 
4307 		ad->u.net->sport = th->source;
4308 		ad->u.net->dport = th->dest;
4309 		break;
4310 	}
4311 
4312 	case IPPROTO_UDP: {
4313 		struct udphdr _udph, *uh;
4314 
4315 		if (ntohs(ih->frag_off) & IP_OFFSET)
4316 			break;
4317 
4318 		offset += ihlen;
4319 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4320 		if (uh == NULL)
4321 			break;
4322 
4323 		ad->u.net->sport = uh->source;
4324 		ad->u.net->dport = uh->dest;
4325 		break;
4326 	}
4327 
4328 	case IPPROTO_DCCP: {
4329 		struct dccp_hdr _dccph, *dh;
4330 
4331 		if (ntohs(ih->frag_off) & IP_OFFSET)
4332 			break;
4333 
4334 		offset += ihlen;
4335 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4336 		if (dh == NULL)
4337 			break;
4338 
4339 		ad->u.net->sport = dh->dccph_sport;
4340 		ad->u.net->dport = dh->dccph_dport;
4341 		break;
4342 	}
4343 
4344 #if IS_ENABLED(CONFIG_IP_SCTP)
4345 	case IPPROTO_SCTP: {
4346 		struct sctphdr _sctph, *sh;
4347 
4348 		if (ntohs(ih->frag_off) & IP_OFFSET)
4349 			break;
4350 
4351 		offset += ihlen;
4352 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4353 		if (sh == NULL)
4354 			break;
4355 
4356 		ad->u.net->sport = sh->source;
4357 		ad->u.net->dport = sh->dest;
4358 		break;
4359 	}
4360 #endif
4361 	default:
4362 		break;
4363 	}
4364 out:
4365 	return ret;
4366 }
4367 
4368 #if IS_ENABLED(CONFIG_IPV6)
4369 
4370 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv6(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4371 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4372 			struct common_audit_data *ad, u8 *proto)
4373 {
4374 	u8 nexthdr;
4375 	int ret = -EINVAL, offset;
4376 	struct ipv6hdr _ipv6h, *ip6;
4377 	__be16 frag_off;
4378 
4379 	offset = skb_network_offset(skb);
4380 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4381 	if (ip6 == NULL)
4382 		goto out;
4383 
4384 	ad->u.net->v6info.saddr = ip6->saddr;
4385 	ad->u.net->v6info.daddr = ip6->daddr;
4386 	ret = 0;
4387 
4388 	nexthdr = ip6->nexthdr;
4389 	offset += sizeof(_ipv6h);
4390 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4391 	if (offset < 0)
4392 		goto out;
4393 
4394 	if (proto)
4395 		*proto = nexthdr;
4396 
4397 	switch (nexthdr) {
4398 	case IPPROTO_TCP: {
4399 		struct tcphdr _tcph, *th;
4400 
4401 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4402 		if (th == NULL)
4403 			break;
4404 
4405 		ad->u.net->sport = th->source;
4406 		ad->u.net->dport = th->dest;
4407 		break;
4408 	}
4409 
4410 	case IPPROTO_UDP: {
4411 		struct udphdr _udph, *uh;
4412 
4413 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4414 		if (uh == NULL)
4415 			break;
4416 
4417 		ad->u.net->sport = uh->source;
4418 		ad->u.net->dport = uh->dest;
4419 		break;
4420 	}
4421 
4422 	case IPPROTO_DCCP: {
4423 		struct dccp_hdr _dccph, *dh;
4424 
4425 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4426 		if (dh == NULL)
4427 			break;
4428 
4429 		ad->u.net->sport = dh->dccph_sport;
4430 		ad->u.net->dport = dh->dccph_dport;
4431 		break;
4432 	}
4433 
4434 #if IS_ENABLED(CONFIG_IP_SCTP)
4435 	case IPPROTO_SCTP: {
4436 		struct sctphdr _sctph, *sh;
4437 
4438 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4439 		if (sh == NULL)
4440 			break;
4441 
4442 		ad->u.net->sport = sh->source;
4443 		ad->u.net->dport = sh->dest;
4444 		break;
4445 	}
4446 #endif
4447 	/* includes fragments */
4448 	default:
4449 		break;
4450 	}
4451 out:
4452 	return ret;
4453 }
4454 
4455 #endif /* IPV6 */
4456 
selinux_parse_skb(struct sk_buff * skb,struct common_audit_data * ad,char ** _addrp,int src,u8 * proto)4457 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4458 			     char **_addrp, int src, u8 *proto)
4459 {
4460 	char *addrp;
4461 	int ret;
4462 
4463 	switch (ad->u.net->family) {
4464 	case PF_INET:
4465 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4466 		if (ret)
4467 			goto parse_error;
4468 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4469 				       &ad->u.net->v4info.daddr);
4470 		goto okay;
4471 
4472 #if IS_ENABLED(CONFIG_IPV6)
4473 	case PF_INET6:
4474 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4475 		if (ret)
4476 			goto parse_error;
4477 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4478 				       &ad->u.net->v6info.daddr);
4479 		goto okay;
4480 #endif	/* IPV6 */
4481 	default:
4482 		addrp = NULL;
4483 		goto okay;
4484 	}
4485 
4486 parse_error:
4487 	pr_warn(
4488 	       "SELinux: failure in selinux_parse_skb(),"
4489 	       " unable to parse packet\n");
4490 	return ret;
4491 
4492 okay:
4493 	if (_addrp)
4494 		*_addrp = addrp;
4495 	return 0;
4496 }
4497 
4498 /**
4499  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4500  * @skb: the packet
4501  * @family: protocol family
4502  * @sid: the packet's peer label SID
4503  *
4504  * Description:
4505  * Check the various different forms of network peer labeling and determine
4506  * the peer label/SID for the packet; most of the magic actually occurs in
4507  * the security server function security_net_peersid_cmp().  The function
4508  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4509  * or -EACCES if @sid is invalid due to inconsistencies with the different
4510  * peer labels.
4511  *
4512  */
selinux_skb_peerlbl_sid(struct sk_buff * skb,u16 family,u32 * sid)4513 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4514 {
4515 	int err;
4516 	u32 xfrm_sid;
4517 	u32 nlbl_sid;
4518 	u32 nlbl_type;
4519 
4520 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4521 	if (unlikely(err))
4522 		return -EACCES;
4523 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4524 	if (unlikely(err))
4525 		return -EACCES;
4526 
4527 	err = security_net_peersid_resolve(nlbl_sid,
4528 					   nlbl_type, xfrm_sid, sid);
4529 	if (unlikely(err)) {
4530 		pr_warn(
4531 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4532 		       " unable to determine packet's peer label\n");
4533 		return -EACCES;
4534 	}
4535 
4536 	return 0;
4537 }
4538 
4539 /**
4540  * selinux_conn_sid - Determine the child socket label for a connection
4541  * @sk_sid: the parent socket's SID
4542  * @skb_sid: the packet's SID
4543  * @conn_sid: the resulting connection SID
4544  *
4545  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4546  * combined with the MLS information from @skb_sid in order to create
4547  * @conn_sid.  If @skb_sid is not valid then @conn_sid is simply a copy
4548  * of @sk_sid.  Returns zero on success, negative values on failure.
4549  *
4550  */
selinux_conn_sid(u32 sk_sid,u32 skb_sid,u32 * conn_sid)4551 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4552 {
4553 	int err = 0;
4554 
4555 	if (skb_sid != SECSID_NULL)
4556 		err = security_sid_mls_copy(sk_sid, skb_sid,
4557 					    conn_sid);
4558 	else
4559 		*conn_sid = sk_sid;
4560 
4561 	return err;
4562 }
4563 
4564 /* socket security operations */
4565 
socket_sockcreate_sid(const struct task_security_struct * tsec,u16 secclass,u32 * socksid)4566 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4567 				 u16 secclass, u32 *socksid)
4568 {
4569 	if (tsec->sockcreate_sid > SECSID_NULL) {
4570 		*socksid = tsec->sockcreate_sid;
4571 		return 0;
4572 	}
4573 
4574 	return security_transition_sid(tsec->sid, tsec->sid,
4575 				       secclass, NULL, socksid);
4576 }
4577 
sock_has_perm(struct sock * sk,u32 perms)4578 static int sock_has_perm(struct sock *sk, u32 perms)
4579 {
4580 	struct sk_security_struct *sksec = sk->sk_security;
4581 	struct common_audit_data ad;
4582 	struct lsm_network_audit net;
4583 
4584 	if (sksec->sid == SECINITSID_KERNEL)
4585 		return 0;
4586 
4587 	ad_net_init_from_sk(&ad, &net, sk);
4588 
4589 	return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4590 			    &ad);
4591 }
4592 
selinux_socket_create(int family,int type,int protocol,int kern)4593 static int selinux_socket_create(int family, int type,
4594 				 int protocol, int kern)
4595 {
4596 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4597 	u32 newsid;
4598 	u16 secclass;
4599 	int rc;
4600 
4601 	if (kern)
4602 		return 0;
4603 
4604 	secclass = socket_type_to_security_class(family, type, protocol);
4605 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4606 	if (rc)
4607 		return rc;
4608 
4609 	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4610 }
4611 
selinux_socket_post_create(struct socket * sock,int family,int type,int protocol,int kern)4612 static int selinux_socket_post_create(struct socket *sock, int family,
4613 				      int type, int protocol, int kern)
4614 {
4615 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4616 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4617 	struct sk_security_struct *sksec;
4618 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4619 	u32 sid = SECINITSID_KERNEL;
4620 	int err = 0;
4621 
4622 	if (!kern) {
4623 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4624 		if (err)
4625 			return err;
4626 	}
4627 
4628 	isec->sclass = sclass;
4629 	isec->sid = sid;
4630 	isec->initialized = LABEL_INITIALIZED;
4631 
4632 	if (sock->sk) {
4633 		sksec = sock->sk->sk_security;
4634 		sksec->sclass = sclass;
4635 		sksec->sid = sid;
4636 		/* Allows detection of the first association on this socket */
4637 		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4638 			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4639 
4640 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4641 	}
4642 
4643 	return err;
4644 }
4645 
selinux_socket_socketpair(struct socket * socka,struct socket * sockb)4646 static int selinux_socket_socketpair(struct socket *socka,
4647 				     struct socket *sockb)
4648 {
4649 	struct sk_security_struct *sksec_a = socka->sk->sk_security;
4650 	struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4651 
4652 	sksec_a->peer_sid = sksec_b->sid;
4653 	sksec_b->peer_sid = sksec_a->sid;
4654 
4655 	return 0;
4656 }
4657 
4658 /* Range of port numbers used to automatically bind.
4659    Need to determine whether we should perform a name_bind
4660    permission check between the socket and the port number. */
4661 
selinux_socket_bind(struct socket * sock,struct sockaddr * address,int addrlen)4662 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4663 {
4664 	struct sock *sk = sock->sk;
4665 	struct sk_security_struct *sksec = sk->sk_security;
4666 	u16 family;
4667 	int err;
4668 
4669 	err = sock_has_perm(sk, SOCKET__BIND);
4670 	if (err)
4671 		goto out;
4672 
4673 	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4674 	family = sk->sk_family;
4675 	if (family == PF_INET || family == PF_INET6) {
4676 		char *addrp;
4677 		struct common_audit_data ad;
4678 		struct lsm_network_audit net = {0,};
4679 		struct sockaddr_in *addr4 = NULL;
4680 		struct sockaddr_in6 *addr6 = NULL;
4681 		u16 family_sa;
4682 		unsigned short snum;
4683 		u32 sid, node_perm;
4684 
4685 		/*
4686 		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4687 		 * that validates multiple binding addresses. Because of this
4688 		 * need to check address->sa_family as it is possible to have
4689 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4690 		 */
4691 		if (addrlen < offsetofend(struct sockaddr, sa_family))
4692 			return -EINVAL;
4693 		family_sa = address->sa_family;
4694 		switch (family_sa) {
4695 		case AF_UNSPEC:
4696 		case AF_INET:
4697 			if (addrlen < sizeof(struct sockaddr_in))
4698 				return -EINVAL;
4699 			addr4 = (struct sockaddr_in *)address;
4700 			if (family_sa == AF_UNSPEC) {
4701 				if (family == PF_INET6) {
4702 					/* Length check from inet6_bind_sk() */
4703 					if (addrlen < SIN6_LEN_RFC2133)
4704 						return -EINVAL;
4705 					/* Family check from __inet6_bind() */
4706 					goto err_af;
4707 				}
4708 				/* see __inet_bind(), we only want to allow
4709 				 * AF_UNSPEC if the address is INADDR_ANY
4710 				 */
4711 				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4712 					goto err_af;
4713 				family_sa = AF_INET;
4714 			}
4715 			snum = ntohs(addr4->sin_port);
4716 			addrp = (char *)&addr4->sin_addr.s_addr;
4717 			break;
4718 		case AF_INET6:
4719 			if (addrlen < SIN6_LEN_RFC2133)
4720 				return -EINVAL;
4721 			addr6 = (struct sockaddr_in6 *)address;
4722 			snum = ntohs(addr6->sin6_port);
4723 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4724 			break;
4725 		default:
4726 			goto err_af;
4727 		}
4728 
4729 		ad.type = LSM_AUDIT_DATA_NET;
4730 		ad.u.net = &net;
4731 		ad.u.net->sport = htons(snum);
4732 		ad.u.net->family = family_sa;
4733 
4734 		if (snum) {
4735 			int low, high;
4736 
4737 			inet_get_local_port_range(sock_net(sk), &low, &high);
4738 
4739 			if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4740 			    snum < low || snum > high) {
4741 				err = sel_netport_sid(sk->sk_protocol,
4742 						      snum, &sid);
4743 				if (err)
4744 					goto out;
4745 				err = avc_has_perm(sksec->sid, sid,
4746 						   sksec->sclass,
4747 						   SOCKET__NAME_BIND, &ad);
4748 				if (err)
4749 					goto out;
4750 			}
4751 		}
4752 
4753 		switch (sksec->sclass) {
4754 		case SECCLASS_TCP_SOCKET:
4755 			node_perm = TCP_SOCKET__NODE_BIND;
4756 			break;
4757 
4758 		case SECCLASS_UDP_SOCKET:
4759 			node_perm = UDP_SOCKET__NODE_BIND;
4760 			break;
4761 
4762 		case SECCLASS_DCCP_SOCKET:
4763 			node_perm = DCCP_SOCKET__NODE_BIND;
4764 			break;
4765 
4766 		case SECCLASS_SCTP_SOCKET:
4767 			node_perm = SCTP_SOCKET__NODE_BIND;
4768 			break;
4769 
4770 		default:
4771 			node_perm = RAWIP_SOCKET__NODE_BIND;
4772 			break;
4773 		}
4774 
4775 		err = sel_netnode_sid(addrp, family_sa, &sid);
4776 		if (err)
4777 			goto out;
4778 
4779 		if (family_sa == AF_INET)
4780 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4781 		else
4782 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4783 
4784 		err = avc_has_perm(sksec->sid, sid,
4785 				   sksec->sclass, node_perm, &ad);
4786 		if (err)
4787 			goto out;
4788 	}
4789 out:
4790 	return err;
4791 err_af:
4792 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4793 	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4794 		return -EINVAL;
4795 	return -EAFNOSUPPORT;
4796 }
4797 
4798 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4799  * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4800  */
selinux_socket_connect_helper(struct socket * sock,struct sockaddr * address,int addrlen)4801 static int selinux_socket_connect_helper(struct socket *sock,
4802 					 struct sockaddr *address, int addrlen)
4803 {
4804 	struct sock *sk = sock->sk;
4805 	struct sk_security_struct *sksec = sk->sk_security;
4806 	int err;
4807 
4808 	err = sock_has_perm(sk, SOCKET__CONNECT);
4809 	if (err)
4810 		return err;
4811 	if (addrlen < offsetofend(struct sockaddr, sa_family))
4812 		return -EINVAL;
4813 
4814 	/* connect(AF_UNSPEC) has special handling, as it is a documented
4815 	 * way to disconnect the socket
4816 	 */
4817 	if (address->sa_family == AF_UNSPEC)
4818 		return 0;
4819 
4820 	/*
4821 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
4822 	 * for the port.
4823 	 */
4824 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4825 	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
4826 	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
4827 		struct common_audit_data ad;
4828 		struct lsm_network_audit net = {0,};
4829 		struct sockaddr_in *addr4 = NULL;
4830 		struct sockaddr_in6 *addr6 = NULL;
4831 		unsigned short snum;
4832 		u32 sid, perm;
4833 
4834 		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4835 		 * that validates multiple connect addresses. Because of this
4836 		 * need to check address->sa_family as it is possible to have
4837 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4838 		 */
4839 		switch (address->sa_family) {
4840 		case AF_INET:
4841 			addr4 = (struct sockaddr_in *)address;
4842 			if (addrlen < sizeof(struct sockaddr_in))
4843 				return -EINVAL;
4844 			snum = ntohs(addr4->sin_port);
4845 			break;
4846 		case AF_INET6:
4847 			addr6 = (struct sockaddr_in6 *)address;
4848 			if (addrlen < SIN6_LEN_RFC2133)
4849 				return -EINVAL;
4850 			snum = ntohs(addr6->sin6_port);
4851 			break;
4852 		default:
4853 			/* Note that SCTP services expect -EINVAL, whereas
4854 			 * others expect -EAFNOSUPPORT.
4855 			 */
4856 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4857 				return -EINVAL;
4858 			else
4859 				return -EAFNOSUPPORT;
4860 		}
4861 
4862 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4863 		if (err)
4864 			return err;
4865 
4866 		switch (sksec->sclass) {
4867 		case SECCLASS_TCP_SOCKET:
4868 			perm = TCP_SOCKET__NAME_CONNECT;
4869 			break;
4870 		case SECCLASS_DCCP_SOCKET:
4871 			perm = DCCP_SOCKET__NAME_CONNECT;
4872 			break;
4873 		case SECCLASS_SCTP_SOCKET:
4874 			perm = SCTP_SOCKET__NAME_CONNECT;
4875 			break;
4876 		}
4877 
4878 		ad.type = LSM_AUDIT_DATA_NET;
4879 		ad.u.net = &net;
4880 		ad.u.net->dport = htons(snum);
4881 		ad.u.net->family = address->sa_family;
4882 		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4883 		if (err)
4884 			return err;
4885 	}
4886 
4887 	return 0;
4888 }
4889 
4890 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
selinux_socket_connect(struct socket * sock,struct sockaddr * address,int addrlen)4891 static int selinux_socket_connect(struct socket *sock,
4892 				  struct sockaddr *address, int addrlen)
4893 {
4894 	int err;
4895 	struct sock *sk = sock->sk;
4896 
4897 	err = selinux_socket_connect_helper(sock, address, addrlen);
4898 	if (err)
4899 		return err;
4900 
4901 	return selinux_netlbl_socket_connect(sk, address);
4902 }
4903 
selinux_socket_listen(struct socket * sock,int backlog)4904 static int selinux_socket_listen(struct socket *sock, int backlog)
4905 {
4906 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4907 }
4908 
selinux_socket_accept(struct socket * sock,struct socket * newsock)4909 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4910 {
4911 	int err;
4912 	struct inode_security_struct *isec;
4913 	struct inode_security_struct *newisec;
4914 	u16 sclass;
4915 	u32 sid;
4916 
4917 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4918 	if (err)
4919 		return err;
4920 
4921 	isec = inode_security_novalidate(SOCK_INODE(sock));
4922 	spin_lock(&isec->lock);
4923 	sclass = isec->sclass;
4924 	sid = isec->sid;
4925 	spin_unlock(&isec->lock);
4926 
4927 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4928 	newisec->sclass = sclass;
4929 	newisec->sid = sid;
4930 	newisec->initialized = LABEL_INITIALIZED;
4931 
4932 	return 0;
4933 }
4934 
selinux_socket_sendmsg(struct socket * sock,struct msghdr * msg,int size)4935 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4936 				  int size)
4937 {
4938 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4939 }
4940 
selinux_socket_recvmsg(struct socket * sock,struct msghdr * msg,int size,int flags)4941 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4942 				  int size, int flags)
4943 {
4944 	return sock_has_perm(sock->sk, SOCKET__READ);
4945 }
4946 
selinux_socket_getsockname(struct socket * sock)4947 static int selinux_socket_getsockname(struct socket *sock)
4948 {
4949 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4950 }
4951 
selinux_socket_getpeername(struct socket * sock)4952 static int selinux_socket_getpeername(struct socket *sock)
4953 {
4954 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4955 }
4956 
selinux_socket_setsockopt(struct socket * sock,int level,int optname)4957 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4958 {
4959 	int err;
4960 
4961 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4962 	if (err)
4963 		return err;
4964 
4965 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4966 }
4967 
selinux_socket_getsockopt(struct socket * sock,int level,int optname)4968 static int selinux_socket_getsockopt(struct socket *sock, int level,
4969 				     int optname)
4970 {
4971 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4972 }
4973 
selinux_socket_shutdown(struct socket * sock,int how)4974 static int selinux_socket_shutdown(struct socket *sock, int how)
4975 {
4976 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4977 }
4978 
selinux_socket_unix_stream_connect(struct sock * sock,struct sock * other,struct sock * newsk)4979 static int selinux_socket_unix_stream_connect(struct sock *sock,
4980 					      struct sock *other,
4981 					      struct sock *newsk)
4982 {
4983 	struct sk_security_struct *sksec_sock = sock->sk_security;
4984 	struct sk_security_struct *sksec_other = other->sk_security;
4985 	struct sk_security_struct *sksec_new = newsk->sk_security;
4986 	struct common_audit_data ad;
4987 	struct lsm_network_audit net;
4988 	int err;
4989 
4990 	ad_net_init_from_sk(&ad, &net, other);
4991 
4992 	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4993 			   sksec_other->sclass,
4994 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4995 	if (err)
4996 		return err;
4997 
4998 	/* server child socket */
4999 	sksec_new->peer_sid = sksec_sock->sid;
5000 	err = security_sid_mls_copy(sksec_other->sid,
5001 				    sksec_sock->sid, &sksec_new->sid);
5002 	if (err)
5003 		return err;
5004 
5005 	/* connecting socket */
5006 	sksec_sock->peer_sid = sksec_new->sid;
5007 
5008 	return 0;
5009 }
5010 
selinux_socket_unix_may_send(struct socket * sock,struct socket * other)5011 static int selinux_socket_unix_may_send(struct socket *sock,
5012 					struct socket *other)
5013 {
5014 	struct sk_security_struct *ssec = sock->sk->sk_security;
5015 	struct sk_security_struct *osec = other->sk->sk_security;
5016 	struct common_audit_data ad;
5017 	struct lsm_network_audit net;
5018 
5019 	ad_net_init_from_sk(&ad, &net, other->sk);
5020 
5021 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
5022 			    &ad);
5023 }
5024 
selinux_inet_sys_rcv_skb(struct net * ns,int ifindex,char * addrp,u16 family,u32 peer_sid,struct common_audit_data * ad)5025 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5026 				    char *addrp, u16 family, u32 peer_sid,
5027 				    struct common_audit_data *ad)
5028 {
5029 	int err;
5030 	u32 if_sid;
5031 	u32 node_sid;
5032 
5033 	err = sel_netif_sid(ns, ifindex, &if_sid);
5034 	if (err)
5035 		return err;
5036 	err = avc_has_perm(peer_sid, if_sid,
5037 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
5038 	if (err)
5039 		return err;
5040 
5041 	err = sel_netnode_sid(addrp, family, &node_sid);
5042 	if (err)
5043 		return err;
5044 	return avc_has_perm(peer_sid, node_sid,
5045 			    SECCLASS_NODE, NODE__RECVFROM, ad);
5046 }
5047 
selinux_sock_rcv_skb_compat(struct sock * sk,struct sk_buff * skb,u16 family)5048 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5049 				       u16 family)
5050 {
5051 	int err = 0;
5052 	struct sk_security_struct *sksec = sk->sk_security;
5053 	u32 sk_sid = sksec->sid;
5054 	struct common_audit_data ad;
5055 	struct lsm_network_audit net;
5056 	char *addrp;
5057 
5058 	ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5059 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5060 	if (err)
5061 		return err;
5062 
5063 	if (selinux_secmark_enabled()) {
5064 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5065 				   PACKET__RECV, &ad);
5066 		if (err)
5067 			return err;
5068 	}
5069 
5070 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5071 	if (err)
5072 		return err;
5073 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5074 
5075 	return err;
5076 }
5077 
selinux_socket_sock_rcv_skb(struct sock * sk,struct sk_buff * skb)5078 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5079 {
5080 	int err, peerlbl_active, secmark_active;
5081 	struct sk_security_struct *sksec = sk->sk_security;
5082 	u16 family = sk->sk_family;
5083 	u32 sk_sid = sksec->sid;
5084 	struct common_audit_data ad;
5085 	struct lsm_network_audit net;
5086 	char *addrp;
5087 
5088 	if (family != PF_INET && family != PF_INET6)
5089 		return 0;
5090 
5091 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
5092 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5093 		family = PF_INET;
5094 
5095 	/* If any sort of compatibility mode is enabled then handoff processing
5096 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
5097 	 * special handling.  We do this in an attempt to keep this function
5098 	 * as fast and as clean as possible. */
5099 	if (!selinux_policycap_netpeer())
5100 		return selinux_sock_rcv_skb_compat(sk, skb, family);
5101 
5102 	secmark_active = selinux_secmark_enabled();
5103 	peerlbl_active = selinux_peerlbl_enabled();
5104 	if (!secmark_active && !peerlbl_active)
5105 		return 0;
5106 
5107 	ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5108 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5109 	if (err)
5110 		return err;
5111 
5112 	if (peerlbl_active) {
5113 		u32 peer_sid;
5114 
5115 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5116 		if (err)
5117 			return err;
5118 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5119 					       addrp, family, peer_sid, &ad);
5120 		if (err) {
5121 			selinux_netlbl_err(skb, family, err, 0);
5122 			return err;
5123 		}
5124 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
5125 				   PEER__RECV, &ad);
5126 		if (err) {
5127 			selinux_netlbl_err(skb, family, err, 0);
5128 			return err;
5129 		}
5130 	}
5131 
5132 	if (secmark_active) {
5133 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5134 				   PACKET__RECV, &ad);
5135 		if (err)
5136 			return err;
5137 	}
5138 
5139 	return err;
5140 }
5141 
selinux_socket_getpeersec_stream(struct socket * sock,sockptr_t optval,sockptr_t optlen,unsigned int len)5142 static int selinux_socket_getpeersec_stream(struct socket *sock,
5143 					    sockptr_t optval, sockptr_t optlen,
5144 					    unsigned int len)
5145 {
5146 	int err = 0;
5147 	char *scontext = NULL;
5148 	u32 scontext_len;
5149 	struct sk_security_struct *sksec = sock->sk->sk_security;
5150 	u32 peer_sid = SECSID_NULL;
5151 
5152 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5153 	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5154 	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5155 		peer_sid = sksec->peer_sid;
5156 	if (peer_sid == SECSID_NULL)
5157 		return -ENOPROTOOPT;
5158 
5159 	err = security_sid_to_context(peer_sid, &scontext,
5160 				      &scontext_len);
5161 	if (err)
5162 		return err;
5163 	if (scontext_len > len) {
5164 		err = -ERANGE;
5165 		goto out_len;
5166 	}
5167 
5168 	if (copy_to_sockptr(optval, scontext, scontext_len))
5169 		err = -EFAULT;
5170 out_len:
5171 	if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len)))
5172 		err = -EFAULT;
5173 	kfree(scontext);
5174 	return err;
5175 }
5176 
selinux_socket_getpeersec_dgram(struct socket * sock,struct sk_buff * skb,u32 * secid)5177 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5178 {
5179 	u32 peer_secid = SECSID_NULL;
5180 	u16 family;
5181 	struct inode_security_struct *isec;
5182 
5183 	if (skb && skb->protocol == htons(ETH_P_IP))
5184 		family = PF_INET;
5185 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5186 		family = PF_INET6;
5187 	else if (sock)
5188 		family = sock->sk->sk_family;
5189 	else
5190 		goto out;
5191 
5192 	if (sock && family == PF_UNIX) {
5193 		isec = inode_security_novalidate(SOCK_INODE(sock));
5194 		peer_secid = isec->sid;
5195 	} else if (skb)
5196 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5197 
5198 out:
5199 	*secid = peer_secid;
5200 	if (peer_secid == SECSID_NULL)
5201 		return -EINVAL;
5202 	return 0;
5203 }
5204 
selinux_sk_alloc_security(struct sock * sk,int family,gfp_t priority)5205 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5206 {
5207 	struct sk_security_struct *sksec;
5208 
5209 	sksec = kzalloc(sizeof(*sksec), priority);
5210 	if (!sksec)
5211 		return -ENOMEM;
5212 
5213 	sksec->peer_sid = SECINITSID_UNLABELED;
5214 	sksec->sid = SECINITSID_UNLABELED;
5215 	sksec->sclass = SECCLASS_SOCKET;
5216 	selinux_netlbl_sk_security_reset(sksec);
5217 	sk->sk_security = sksec;
5218 
5219 	return 0;
5220 }
5221 
selinux_sk_free_security(struct sock * sk)5222 static void selinux_sk_free_security(struct sock *sk)
5223 {
5224 	struct sk_security_struct *sksec = sk->sk_security;
5225 
5226 	sk->sk_security = NULL;
5227 	selinux_netlbl_sk_security_free(sksec);
5228 	kfree(sksec);
5229 }
5230 
selinux_sk_clone_security(const struct sock * sk,struct sock * newsk)5231 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5232 {
5233 	struct sk_security_struct *sksec = sk->sk_security;
5234 	struct sk_security_struct *newsksec = newsk->sk_security;
5235 
5236 	newsksec->sid = sksec->sid;
5237 	newsksec->peer_sid = sksec->peer_sid;
5238 	newsksec->sclass = sksec->sclass;
5239 
5240 	selinux_netlbl_sk_security_reset(newsksec);
5241 }
5242 
selinux_sk_getsecid(const struct sock * sk,u32 * secid)5243 static void selinux_sk_getsecid(const struct sock *sk, u32 *secid)
5244 {
5245 	if (!sk)
5246 		*secid = SECINITSID_ANY_SOCKET;
5247 	else {
5248 		const struct sk_security_struct *sksec = sk->sk_security;
5249 
5250 		*secid = sksec->sid;
5251 	}
5252 }
5253 
selinux_sock_graft(struct sock * sk,struct socket * parent)5254 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5255 {
5256 	struct inode_security_struct *isec =
5257 		inode_security_novalidate(SOCK_INODE(parent));
5258 	struct sk_security_struct *sksec = sk->sk_security;
5259 
5260 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5261 	    sk->sk_family == PF_UNIX)
5262 		isec->sid = sksec->sid;
5263 	sksec->sclass = isec->sclass;
5264 }
5265 
5266 /*
5267  * Determines peer_secid for the asoc and updates socket's peer label
5268  * if it's the first association on the socket.
5269  */
selinux_sctp_process_new_assoc(struct sctp_association * asoc,struct sk_buff * skb)5270 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5271 					  struct sk_buff *skb)
5272 {
5273 	struct sock *sk = asoc->base.sk;
5274 	u16 family = sk->sk_family;
5275 	struct sk_security_struct *sksec = sk->sk_security;
5276 	struct common_audit_data ad;
5277 	struct lsm_network_audit net;
5278 	int err;
5279 
5280 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5281 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5282 		family = PF_INET;
5283 
5284 	if (selinux_peerlbl_enabled()) {
5285 		asoc->peer_secid = SECSID_NULL;
5286 
5287 		/* This will return peer_sid = SECSID_NULL if there are
5288 		 * no peer labels, see security_net_peersid_resolve().
5289 		 */
5290 		err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid);
5291 		if (err)
5292 			return err;
5293 
5294 		if (asoc->peer_secid == SECSID_NULL)
5295 			asoc->peer_secid = SECINITSID_UNLABELED;
5296 	} else {
5297 		asoc->peer_secid = SECINITSID_UNLABELED;
5298 	}
5299 
5300 	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5301 		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5302 
5303 		/* Here as first association on socket. As the peer SID
5304 		 * was allowed by peer recv (and the netif/node checks),
5305 		 * then it is approved by policy and used as the primary
5306 		 * peer SID for getpeercon(3).
5307 		 */
5308 		sksec->peer_sid = asoc->peer_secid;
5309 	} else if (sksec->peer_sid != asoc->peer_secid) {
5310 		/* Other association peer SIDs are checked to enforce
5311 		 * consistency among the peer SIDs.
5312 		 */
5313 		ad_net_init_from_sk(&ad, &net, asoc->base.sk);
5314 		err = avc_has_perm(sksec->peer_sid, asoc->peer_secid,
5315 				   sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5316 				   &ad);
5317 		if (err)
5318 			return err;
5319 	}
5320 	return 0;
5321 }
5322 
5323 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5324  * happens on an incoming connect(2), sctp_connectx(3) or
5325  * sctp_sendmsg(3) (with no association already present).
5326  */
selinux_sctp_assoc_request(struct sctp_association * asoc,struct sk_buff * skb)5327 static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5328 				      struct sk_buff *skb)
5329 {
5330 	struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5331 	u32 conn_sid;
5332 	int err;
5333 
5334 	if (!selinux_policycap_extsockclass())
5335 		return 0;
5336 
5337 	err = selinux_sctp_process_new_assoc(asoc, skb);
5338 	if (err)
5339 		return err;
5340 
5341 	/* Compute the MLS component for the connection and store
5342 	 * the information in asoc. This will be used by SCTP TCP type
5343 	 * sockets and peeled off connections as they cause a new
5344 	 * socket to be generated. selinux_sctp_sk_clone() will then
5345 	 * plug this into the new socket.
5346 	 */
5347 	err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid);
5348 	if (err)
5349 		return err;
5350 
5351 	asoc->secid = conn_sid;
5352 
5353 	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5354 	return selinux_netlbl_sctp_assoc_request(asoc, skb);
5355 }
5356 
5357 /* Called when SCTP receives a COOKIE ACK chunk as the final
5358  * response to an association request (initited by us).
5359  */
selinux_sctp_assoc_established(struct sctp_association * asoc,struct sk_buff * skb)5360 static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5361 					  struct sk_buff *skb)
5362 {
5363 	struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5364 
5365 	if (!selinux_policycap_extsockclass())
5366 		return 0;
5367 
5368 	/* Inherit secid from the parent socket - this will be picked up
5369 	 * by selinux_sctp_sk_clone() if the association gets peeled off
5370 	 * into a new socket.
5371 	 */
5372 	asoc->secid = sksec->sid;
5373 
5374 	return selinux_sctp_process_new_assoc(asoc, skb);
5375 }
5376 
5377 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5378  * based on their @optname.
5379  */
selinux_sctp_bind_connect(struct sock * sk,int optname,struct sockaddr * address,int addrlen)5380 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5381 				     struct sockaddr *address,
5382 				     int addrlen)
5383 {
5384 	int len, err = 0, walk_size = 0;
5385 	void *addr_buf;
5386 	struct sockaddr *addr;
5387 	struct socket *sock;
5388 
5389 	if (!selinux_policycap_extsockclass())
5390 		return 0;
5391 
5392 	/* Process one or more addresses that may be IPv4 or IPv6 */
5393 	sock = sk->sk_socket;
5394 	addr_buf = address;
5395 
5396 	while (walk_size < addrlen) {
5397 		if (walk_size + sizeof(sa_family_t) > addrlen)
5398 			return -EINVAL;
5399 
5400 		addr = addr_buf;
5401 		switch (addr->sa_family) {
5402 		case AF_UNSPEC:
5403 		case AF_INET:
5404 			len = sizeof(struct sockaddr_in);
5405 			break;
5406 		case AF_INET6:
5407 			len = sizeof(struct sockaddr_in6);
5408 			break;
5409 		default:
5410 			return -EINVAL;
5411 		}
5412 
5413 		if (walk_size + len > addrlen)
5414 			return -EINVAL;
5415 
5416 		err = -EINVAL;
5417 		switch (optname) {
5418 		/* Bind checks */
5419 		case SCTP_PRIMARY_ADDR:
5420 		case SCTP_SET_PEER_PRIMARY_ADDR:
5421 		case SCTP_SOCKOPT_BINDX_ADD:
5422 			err = selinux_socket_bind(sock, addr, len);
5423 			break;
5424 		/* Connect checks */
5425 		case SCTP_SOCKOPT_CONNECTX:
5426 		case SCTP_PARAM_SET_PRIMARY:
5427 		case SCTP_PARAM_ADD_IP:
5428 		case SCTP_SENDMSG_CONNECT:
5429 			err = selinux_socket_connect_helper(sock, addr, len);
5430 			if (err)
5431 				return err;
5432 
5433 			/* As selinux_sctp_bind_connect() is called by the
5434 			 * SCTP protocol layer, the socket is already locked,
5435 			 * therefore selinux_netlbl_socket_connect_locked()
5436 			 * is called here. The situations handled are:
5437 			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5438 			 * whenever a new IP address is added or when a new
5439 			 * primary address is selected.
5440 			 * Note that an SCTP connect(2) call happens before
5441 			 * the SCTP protocol layer and is handled via
5442 			 * selinux_socket_connect().
5443 			 */
5444 			err = selinux_netlbl_socket_connect_locked(sk, addr);
5445 			break;
5446 		}
5447 
5448 		if (err)
5449 			return err;
5450 
5451 		addr_buf += len;
5452 		walk_size += len;
5453 	}
5454 
5455 	return 0;
5456 }
5457 
5458 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
selinux_sctp_sk_clone(struct sctp_association * asoc,struct sock * sk,struct sock * newsk)5459 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5460 				  struct sock *newsk)
5461 {
5462 	struct sk_security_struct *sksec = sk->sk_security;
5463 	struct sk_security_struct *newsksec = newsk->sk_security;
5464 
5465 	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5466 	 * the non-sctp clone version.
5467 	 */
5468 	if (!selinux_policycap_extsockclass())
5469 		return selinux_sk_clone_security(sk, newsk);
5470 
5471 	newsksec->sid = asoc->secid;
5472 	newsksec->peer_sid = asoc->peer_secid;
5473 	newsksec->sclass = sksec->sclass;
5474 	selinux_netlbl_sctp_sk_clone(sk, newsk);
5475 }
5476 
selinux_mptcp_add_subflow(struct sock * sk,struct sock * ssk)5477 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
5478 {
5479 	struct sk_security_struct *ssksec = ssk->sk_security;
5480 	struct sk_security_struct *sksec = sk->sk_security;
5481 
5482 	ssksec->sclass = sksec->sclass;
5483 	ssksec->sid = sksec->sid;
5484 
5485 	/* replace the existing subflow label deleting the existing one
5486 	 * and re-recreating a new label using the updated context
5487 	 */
5488 	selinux_netlbl_sk_security_free(ssksec);
5489 	return selinux_netlbl_socket_post_create(ssk, ssk->sk_family);
5490 }
5491 
selinux_inet_conn_request(const struct sock * sk,struct sk_buff * skb,struct request_sock * req)5492 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5493 				     struct request_sock *req)
5494 {
5495 	struct sk_security_struct *sksec = sk->sk_security;
5496 	int err;
5497 	u16 family = req->rsk_ops->family;
5498 	u32 connsid;
5499 	u32 peersid;
5500 
5501 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5502 	if (err)
5503 		return err;
5504 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5505 	if (err)
5506 		return err;
5507 	req->secid = connsid;
5508 	req->peer_secid = peersid;
5509 
5510 	return selinux_netlbl_inet_conn_request(req, family);
5511 }
5512 
selinux_inet_csk_clone(struct sock * newsk,const struct request_sock * req)5513 static void selinux_inet_csk_clone(struct sock *newsk,
5514 				   const struct request_sock *req)
5515 {
5516 	struct sk_security_struct *newsksec = newsk->sk_security;
5517 
5518 	newsksec->sid = req->secid;
5519 	newsksec->peer_sid = req->peer_secid;
5520 	/* NOTE: Ideally, we should also get the isec->sid for the
5521 	   new socket in sync, but we don't have the isec available yet.
5522 	   So we will wait until sock_graft to do it, by which
5523 	   time it will have been created and available. */
5524 
5525 	/* We don't need to take any sort of lock here as we are the only
5526 	 * thread with access to newsksec */
5527 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5528 }
5529 
selinux_inet_conn_established(struct sock * sk,struct sk_buff * skb)5530 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5531 {
5532 	u16 family = sk->sk_family;
5533 	struct sk_security_struct *sksec = sk->sk_security;
5534 
5535 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5536 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5537 		family = PF_INET;
5538 
5539 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5540 }
5541 
selinux_secmark_relabel_packet(u32 sid)5542 static int selinux_secmark_relabel_packet(u32 sid)
5543 {
5544 	const struct task_security_struct *tsec;
5545 	u32 tsid;
5546 
5547 	tsec = selinux_cred(current_cred());
5548 	tsid = tsec->sid;
5549 
5550 	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5551 			    NULL);
5552 }
5553 
selinux_secmark_refcount_inc(void)5554 static void selinux_secmark_refcount_inc(void)
5555 {
5556 	atomic_inc(&selinux_secmark_refcount);
5557 }
5558 
selinux_secmark_refcount_dec(void)5559 static void selinux_secmark_refcount_dec(void)
5560 {
5561 	atomic_dec(&selinux_secmark_refcount);
5562 }
5563 
selinux_req_classify_flow(const struct request_sock * req,struct flowi_common * flic)5564 static void selinux_req_classify_flow(const struct request_sock *req,
5565 				      struct flowi_common *flic)
5566 {
5567 	flic->flowic_secid = req->secid;
5568 }
5569 
selinux_tun_dev_alloc_security(void ** security)5570 static int selinux_tun_dev_alloc_security(void **security)
5571 {
5572 	struct tun_security_struct *tunsec;
5573 
5574 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5575 	if (!tunsec)
5576 		return -ENOMEM;
5577 	tunsec->sid = current_sid();
5578 
5579 	*security = tunsec;
5580 	return 0;
5581 }
5582 
selinux_tun_dev_free_security(void * security)5583 static void selinux_tun_dev_free_security(void *security)
5584 {
5585 	kfree(security);
5586 }
5587 
selinux_tun_dev_create(void)5588 static int selinux_tun_dev_create(void)
5589 {
5590 	u32 sid = current_sid();
5591 
5592 	/* we aren't taking into account the "sockcreate" SID since the socket
5593 	 * that is being created here is not a socket in the traditional sense,
5594 	 * instead it is a private sock, accessible only to the kernel, and
5595 	 * representing a wide range of network traffic spanning multiple
5596 	 * connections unlike traditional sockets - check the TUN driver to
5597 	 * get a better understanding of why this socket is special */
5598 
5599 	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5600 			    NULL);
5601 }
5602 
selinux_tun_dev_attach_queue(void * security)5603 static int selinux_tun_dev_attach_queue(void *security)
5604 {
5605 	struct tun_security_struct *tunsec = security;
5606 
5607 	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5608 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5609 }
5610 
selinux_tun_dev_attach(struct sock * sk,void * security)5611 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5612 {
5613 	struct tun_security_struct *tunsec = security;
5614 	struct sk_security_struct *sksec = sk->sk_security;
5615 
5616 	/* we don't currently perform any NetLabel based labeling here and it
5617 	 * isn't clear that we would want to do so anyway; while we could apply
5618 	 * labeling without the support of the TUN user the resulting labeled
5619 	 * traffic from the other end of the connection would almost certainly
5620 	 * cause confusion to the TUN user that had no idea network labeling
5621 	 * protocols were being used */
5622 
5623 	sksec->sid = tunsec->sid;
5624 	sksec->sclass = SECCLASS_TUN_SOCKET;
5625 
5626 	return 0;
5627 }
5628 
selinux_tun_dev_open(void * security)5629 static int selinux_tun_dev_open(void *security)
5630 {
5631 	struct tun_security_struct *tunsec = security;
5632 	u32 sid = current_sid();
5633 	int err;
5634 
5635 	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5636 			   TUN_SOCKET__RELABELFROM, NULL);
5637 	if (err)
5638 		return err;
5639 	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5640 			   TUN_SOCKET__RELABELTO, NULL);
5641 	if (err)
5642 		return err;
5643 	tunsec->sid = sid;
5644 
5645 	return 0;
5646 }
5647 
5648 #ifdef CONFIG_NETFILTER
5649 
selinux_ip_forward(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5650 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5651 				       const struct nf_hook_state *state)
5652 {
5653 	int ifindex;
5654 	u16 family;
5655 	char *addrp;
5656 	u32 peer_sid;
5657 	struct common_audit_data ad;
5658 	struct lsm_network_audit net;
5659 	int secmark_active, peerlbl_active;
5660 
5661 	if (!selinux_policycap_netpeer())
5662 		return NF_ACCEPT;
5663 
5664 	secmark_active = selinux_secmark_enabled();
5665 	peerlbl_active = selinux_peerlbl_enabled();
5666 	if (!secmark_active && !peerlbl_active)
5667 		return NF_ACCEPT;
5668 
5669 	family = state->pf;
5670 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5671 		return NF_DROP;
5672 
5673 	ifindex = state->in->ifindex;
5674 	ad_net_init_from_iif(&ad, &net, ifindex, family);
5675 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5676 		return NF_DROP;
5677 
5678 	if (peerlbl_active) {
5679 		int err;
5680 
5681 		err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5682 					       addrp, family, peer_sid, &ad);
5683 		if (err) {
5684 			selinux_netlbl_err(skb, family, err, 1);
5685 			return NF_DROP;
5686 		}
5687 	}
5688 
5689 	if (secmark_active)
5690 		if (avc_has_perm(peer_sid, skb->secmark,
5691 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5692 			return NF_DROP;
5693 
5694 	if (netlbl_enabled())
5695 		/* we do this in the FORWARD path and not the POST_ROUTING
5696 		 * path because we want to make sure we apply the necessary
5697 		 * labeling before IPsec is applied so we can leverage AH
5698 		 * protection */
5699 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5700 			return NF_DROP;
5701 
5702 	return NF_ACCEPT;
5703 }
5704 
selinux_ip_output(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5705 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5706 				      const struct nf_hook_state *state)
5707 {
5708 	struct sock *sk;
5709 	u32 sid;
5710 
5711 	if (!netlbl_enabled())
5712 		return NF_ACCEPT;
5713 
5714 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5715 	 * because we want to make sure we apply the necessary labeling
5716 	 * before IPsec is applied so we can leverage AH protection */
5717 	sk = skb->sk;
5718 	if (sk) {
5719 		struct sk_security_struct *sksec;
5720 
5721 		if (sk_listener(sk))
5722 			/* if the socket is the listening state then this
5723 			 * packet is a SYN-ACK packet which means it needs to
5724 			 * be labeled based on the connection/request_sock and
5725 			 * not the parent socket.  unfortunately, we can't
5726 			 * lookup the request_sock yet as it isn't queued on
5727 			 * the parent socket until after the SYN-ACK is sent.
5728 			 * the "solution" is to simply pass the packet as-is
5729 			 * as any IP option based labeling should be copied
5730 			 * from the initial connection request (in the IP
5731 			 * layer).  it is far from ideal, but until we get a
5732 			 * security label in the packet itself this is the
5733 			 * best we can do. */
5734 			return NF_ACCEPT;
5735 
5736 		/* standard practice, label using the parent socket */
5737 		sksec = sk->sk_security;
5738 		sid = sksec->sid;
5739 	} else
5740 		sid = SECINITSID_KERNEL;
5741 	if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5742 		return NF_DROP;
5743 
5744 	return NF_ACCEPT;
5745 }
5746 
5747 
selinux_ip_postroute_compat(struct sk_buff * skb,const struct nf_hook_state * state)5748 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5749 					const struct nf_hook_state *state)
5750 {
5751 	struct sock *sk;
5752 	struct sk_security_struct *sksec;
5753 	struct common_audit_data ad;
5754 	struct lsm_network_audit net;
5755 	u8 proto = 0;
5756 
5757 	sk = skb_to_full_sk(skb);
5758 	if (sk == NULL)
5759 		return NF_ACCEPT;
5760 	sksec = sk->sk_security;
5761 
5762 	ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf);
5763 	if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5764 		return NF_DROP;
5765 
5766 	if (selinux_secmark_enabled())
5767 		if (avc_has_perm(sksec->sid, skb->secmark,
5768 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5769 			return NF_DROP_ERR(-ECONNREFUSED);
5770 
5771 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5772 		return NF_DROP_ERR(-ECONNREFUSED);
5773 
5774 	return NF_ACCEPT;
5775 }
5776 
selinux_ip_postroute(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5777 static unsigned int selinux_ip_postroute(void *priv,
5778 					 struct sk_buff *skb,
5779 					 const struct nf_hook_state *state)
5780 {
5781 	u16 family;
5782 	u32 secmark_perm;
5783 	u32 peer_sid;
5784 	int ifindex;
5785 	struct sock *sk;
5786 	struct common_audit_data ad;
5787 	struct lsm_network_audit net;
5788 	char *addrp;
5789 	int secmark_active, peerlbl_active;
5790 
5791 	/* If any sort of compatibility mode is enabled then handoff processing
5792 	 * to the selinux_ip_postroute_compat() function to deal with the
5793 	 * special handling.  We do this in an attempt to keep this function
5794 	 * as fast and as clean as possible. */
5795 	if (!selinux_policycap_netpeer())
5796 		return selinux_ip_postroute_compat(skb, state);
5797 
5798 	secmark_active = selinux_secmark_enabled();
5799 	peerlbl_active = selinux_peerlbl_enabled();
5800 	if (!secmark_active && !peerlbl_active)
5801 		return NF_ACCEPT;
5802 
5803 	sk = skb_to_full_sk(skb);
5804 
5805 #ifdef CONFIG_XFRM
5806 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5807 	 * packet transformation so allow the packet to pass without any checks
5808 	 * since we'll have another chance to perform access control checks
5809 	 * when the packet is on it's final way out.
5810 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5811 	 *       is NULL, in this case go ahead and apply access control.
5812 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5813 	 *       TCP listening state we cannot wait until the XFRM processing
5814 	 *       is done as we will miss out on the SA label if we do;
5815 	 *       unfortunately, this means more work, but it is only once per
5816 	 *       connection. */
5817 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5818 	    !(sk && sk_listener(sk)))
5819 		return NF_ACCEPT;
5820 #endif
5821 
5822 	family = state->pf;
5823 	if (sk == NULL) {
5824 		/* Without an associated socket the packet is either coming
5825 		 * from the kernel or it is being forwarded; check the packet
5826 		 * to determine which and if the packet is being forwarded
5827 		 * query the packet directly to determine the security label. */
5828 		if (skb->skb_iif) {
5829 			secmark_perm = PACKET__FORWARD_OUT;
5830 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5831 				return NF_DROP;
5832 		} else {
5833 			secmark_perm = PACKET__SEND;
5834 			peer_sid = SECINITSID_KERNEL;
5835 		}
5836 	} else if (sk_listener(sk)) {
5837 		/* Locally generated packet but the associated socket is in the
5838 		 * listening state which means this is a SYN-ACK packet.  In
5839 		 * this particular case the correct security label is assigned
5840 		 * to the connection/request_sock but unfortunately we can't
5841 		 * query the request_sock as it isn't queued on the parent
5842 		 * socket until after the SYN-ACK packet is sent; the only
5843 		 * viable choice is to regenerate the label like we do in
5844 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5845 		 * for similar problems. */
5846 		u32 skb_sid;
5847 		struct sk_security_struct *sksec;
5848 
5849 		sksec = sk->sk_security;
5850 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5851 			return NF_DROP;
5852 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5853 		 * and the packet has been through at least one XFRM
5854 		 * transformation then we must be dealing with the "final"
5855 		 * form of labeled IPsec packet; since we've already applied
5856 		 * all of our access controls on this packet we can safely
5857 		 * pass the packet. */
5858 		if (skb_sid == SECSID_NULL) {
5859 			switch (family) {
5860 			case PF_INET:
5861 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5862 					return NF_ACCEPT;
5863 				break;
5864 			case PF_INET6:
5865 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5866 					return NF_ACCEPT;
5867 				break;
5868 			default:
5869 				return NF_DROP_ERR(-ECONNREFUSED);
5870 			}
5871 		}
5872 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5873 			return NF_DROP;
5874 		secmark_perm = PACKET__SEND;
5875 	} else {
5876 		/* Locally generated packet, fetch the security label from the
5877 		 * associated socket. */
5878 		struct sk_security_struct *sksec = sk->sk_security;
5879 		peer_sid = sksec->sid;
5880 		secmark_perm = PACKET__SEND;
5881 	}
5882 
5883 	ifindex = state->out->ifindex;
5884 	ad_net_init_from_iif(&ad, &net, ifindex, family);
5885 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5886 		return NF_DROP;
5887 
5888 	if (secmark_active)
5889 		if (avc_has_perm(peer_sid, skb->secmark,
5890 				 SECCLASS_PACKET, secmark_perm, &ad))
5891 			return NF_DROP_ERR(-ECONNREFUSED);
5892 
5893 	if (peerlbl_active) {
5894 		u32 if_sid;
5895 		u32 node_sid;
5896 
5897 		if (sel_netif_sid(state->net, ifindex, &if_sid))
5898 			return NF_DROP;
5899 		if (avc_has_perm(peer_sid, if_sid,
5900 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5901 			return NF_DROP_ERR(-ECONNREFUSED);
5902 
5903 		if (sel_netnode_sid(addrp, family, &node_sid))
5904 			return NF_DROP;
5905 		if (avc_has_perm(peer_sid, node_sid,
5906 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5907 			return NF_DROP_ERR(-ECONNREFUSED);
5908 	}
5909 
5910 	return NF_ACCEPT;
5911 }
5912 #endif	/* CONFIG_NETFILTER */
5913 
selinux_netlink_send(struct sock * sk,struct sk_buff * skb)5914 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5915 {
5916 	int rc = 0;
5917 	unsigned int msg_len;
5918 	unsigned int data_len = skb->len;
5919 	unsigned char *data = skb->data;
5920 	struct nlmsghdr *nlh;
5921 	struct sk_security_struct *sksec = sk->sk_security;
5922 	u16 sclass = sksec->sclass;
5923 	u32 perm;
5924 
5925 	while (data_len >= nlmsg_total_size(0)) {
5926 		nlh = (struct nlmsghdr *)data;
5927 
5928 		/* NOTE: the nlmsg_len field isn't reliably set by some netlink
5929 		 *       users which means we can't reject skb's with bogus
5930 		 *       length fields; our solution is to follow what
5931 		 *       netlink_rcv_skb() does and simply skip processing at
5932 		 *       messages with length fields that are clearly junk
5933 		 */
5934 		if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5935 			return 0;
5936 
5937 		rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5938 		if (rc == 0) {
5939 			rc = sock_has_perm(sk, perm);
5940 			if (rc)
5941 				return rc;
5942 		} else if (rc == -EINVAL) {
5943 			/* -EINVAL is a missing msg/perm mapping */
5944 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5945 				" message: protocol=%hu nlmsg_type=%hu sclass=%s"
5946 				" pid=%d comm=%s\n",
5947 				sk->sk_protocol, nlh->nlmsg_type,
5948 				secclass_map[sclass - 1].name,
5949 				task_pid_nr(current), current->comm);
5950 			if (enforcing_enabled() &&
5951 			    !security_get_allow_unknown())
5952 				return rc;
5953 			rc = 0;
5954 		} else if (rc == -ENOENT) {
5955 			/* -ENOENT is a missing socket/class mapping, ignore */
5956 			rc = 0;
5957 		} else {
5958 			return rc;
5959 		}
5960 
5961 		/* move to the next message after applying netlink padding */
5962 		msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5963 		if (msg_len >= data_len)
5964 			return 0;
5965 		data_len -= msg_len;
5966 		data += msg_len;
5967 	}
5968 
5969 	return rc;
5970 }
5971 
ipc_init_security(struct ipc_security_struct * isec,u16 sclass)5972 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5973 {
5974 	isec->sclass = sclass;
5975 	isec->sid = current_sid();
5976 }
5977 
ipc_has_perm(struct kern_ipc_perm * ipc_perms,u32 perms)5978 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5979 			u32 perms)
5980 {
5981 	struct ipc_security_struct *isec;
5982 	struct common_audit_data ad;
5983 	u32 sid = current_sid();
5984 
5985 	isec = selinux_ipc(ipc_perms);
5986 
5987 	ad.type = LSM_AUDIT_DATA_IPC;
5988 	ad.u.ipc_id = ipc_perms->key;
5989 
5990 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5991 }
5992 
selinux_msg_msg_alloc_security(struct msg_msg * msg)5993 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5994 {
5995 	struct msg_security_struct *msec;
5996 
5997 	msec = selinux_msg_msg(msg);
5998 	msec->sid = SECINITSID_UNLABELED;
5999 
6000 	return 0;
6001 }
6002 
6003 /* message queue security operations */
selinux_msg_queue_alloc_security(struct kern_ipc_perm * msq)6004 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6005 {
6006 	struct ipc_security_struct *isec;
6007 	struct common_audit_data ad;
6008 	u32 sid = current_sid();
6009 
6010 	isec = selinux_ipc(msq);
6011 	ipc_init_security(isec, SECCLASS_MSGQ);
6012 
6013 	ad.type = LSM_AUDIT_DATA_IPC;
6014 	ad.u.ipc_id = msq->key;
6015 
6016 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6017 			    MSGQ__CREATE, &ad);
6018 }
6019 
selinux_msg_queue_associate(struct kern_ipc_perm * msq,int msqflg)6020 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6021 {
6022 	struct ipc_security_struct *isec;
6023 	struct common_audit_data ad;
6024 	u32 sid = current_sid();
6025 
6026 	isec = selinux_ipc(msq);
6027 
6028 	ad.type = LSM_AUDIT_DATA_IPC;
6029 	ad.u.ipc_id = msq->key;
6030 
6031 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6032 			    MSGQ__ASSOCIATE, &ad);
6033 }
6034 
selinux_msg_queue_msgctl(struct kern_ipc_perm * msq,int cmd)6035 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6036 {
6037 	u32 perms;
6038 
6039 	switch (cmd) {
6040 	case IPC_INFO:
6041 	case MSG_INFO:
6042 		/* No specific object, just general system-wide information. */
6043 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6044 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6045 	case IPC_STAT:
6046 	case MSG_STAT:
6047 	case MSG_STAT_ANY:
6048 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6049 		break;
6050 	case IPC_SET:
6051 		perms = MSGQ__SETATTR;
6052 		break;
6053 	case IPC_RMID:
6054 		perms = MSGQ__DESTROY;
6055 		break;
6056 	default:
6057 		return 0;
6058 	}
6059 
6060 	return ipc_has_perm(msq, perms);
6061 }
6062 
selinux_msg_queue_msgsnd(struct kern_ipc_perm * msq,struct msg_msg * msg,int msqflg)6063 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6064 {
6065 	struct ipc_security_struct *isec;
6066 	struct msg_security_struct *msec;
6067 	struct common_audit_data ad;
6068 	u32 sid = current_sid();
6069 	int rc;
6070 
6071 	isec = selinux_ipc(msq);
6072 	msec = selinux_msg_msg(msg);
6073 
6074 	/*
6075 	 * First time through, need to assign label to the message
6076 	 */
6077 	if (msec->sid == SECINITSID_UNLABELED) {
6078 		/*
6079 		 * Compute new sid based on current process and
6080 		 * message queue this message will be stored in
6081 		 */
6082 		rc = security_transition_sid(sid, isec->sid,
6083 					     SECCLASS_MSG, NULL, &msec->sid);
6084 		if (rc)
6085 			return rc;
6086 	}
6087 
6088 	ad.type = LSM_AUDIT_DATA_IPC;
6089 	ad.u.ipc_id = msq->key;
6090 
6091 	/* Can this process write to the queue? */
6092 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6093 			  MSGQ__WRITE, &ad);
6094 	if (!rc)
6095 		/* Can this process send the message */
6096 		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
6097 				  MSG__SEND, &ad);
6098 	if (!rc)
6099 		/* Can the message be put in the queue? */
6100 		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
6101 				  MSGQ__ENQUEUE, &ad);
6102 
6103 	return rc;
6104 }
6105 
selinux_msg_queue_msgrcv(struct kern_ipc_perm * msq,struct msg_msg * msg,struct task_struct * target,long type,int mode)6106 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6107 				    struct task_struct *target,
6108 				    long type, int mode)
6109 {
6110 	struct ipc_security_struct *isec;
6111 	struct msg_security_struct *msec;
6112 	struct common_audit_data ad;
6113 	u32 sid = task_sid_obj(target);
6114 	int rc;
6115 
6116 	isec = selinux_ipc(msq);
6117 	msec = selinux_msg_msg(msg);
6118 
6119 	ad.type = LSM_AUDIT_DATA_IPC;
6120 	ad.u.ipc_id = msq->key;
6121 
6122 	rc = avc_has_perm(sid, isec->sid,
6123 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6124 	if (!rc)
6125 		rc = avc_has_perm(sid, msec->sid,
6126 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6127 	return rc;
6128 }
6129 
6130 /* Shared Memory security operations */
selinux_shm_alloc_security(struct kern_ipc_perm * shp)6131 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6132 {
6133 	struct ipc_security_struct *isec;
6134 	struct common_audit_data ad;
6135 	u32 sid = current_sid();
6136 
6137 	isec = selinux_ipc(shp);
6138 	ipc_init_security(isec, SECCLASS_SHM);
6139 
6140 	ad.type = LSM_AUDIT_DATA_IPC;
6141 	ad.u.ipc_id = shp->key;
6142 
6143 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6144 			    SHM__CREATE, &ad);
6145 }
6146 
selinux_shm_associate(struct kern_ipc_perm * shp,int shmflg)6147 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6148 {
6149 	struct ipc_security_struct *isec;
6150 	struct common_audit_data ad;
6151 	u32 sid = current_sid();
6152 
6153 	isec = selinux_ipc(shp);
6154 
6155 	ad.type = LSM_AUDIT_DATA_IPC;
6156 	ad.u.ipc_id = shp->key;
6157 
6158 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6159 			    SHM__ASSOCIATE, &ad);
6160 }
6161 
6162 /* Note, at this point, shp is locked down */
selinux_shm_shmctl(struct kern_ipc_perm * shp,int cmd)6163 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6164 {
6165 	u32 perms;
6166 
6167 	switch (cmd) {
6168 	case IPC_INFO:
6169 	case SHM_INFO:
6170 		/* No specific object, just general system-wide information. */
6171 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6172 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6173 	case IPC_STAT:
6174 	case SHM_STAT:
6175 	case SHM_STAT_ANY:
6176 		perms = SHM__GETATTR | SHM__ASSOCIATE;
6177 		break;
6178 	case IPC_SET:
6179 		perms = SHM__SETATTR;
6180 		break;
6181 	case SHM_LOCK:
6182 	case SHM_UNLOCK:
6183 		perms = SHM__LOCK;
6184 		break;
6185 	case IPC_RMID:
6186 		perms = SHM__DESTROY;
6187 		break;
6188 	default:
6189 		return 0;
6190 	}
6191 
6192 	return ipc_has_perm(shp, perms);
6193 }
6194 
selinux_shm_shmat(struct kern_ipc_perm * shp,char __user * shmaddr,int shmflg)6195 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6196 			     char __user *shmaddr, int shmflg)
6197 {
6198 	u32 perms;
6199 
6200 	if (shmflg & SHM_RDONLY)
6201 		perms = SHM__READ;
6202 	else
6203 		perms = SHM__READ | SHM__WRITE;
6204 
6205 	return ipc_has_perm(shp, perms);
6206 }
6207 
6208 /* Semaphore security operations */
selinux_sem_alloc_security(struct kern_ipc_perm * sma)6209 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6210 {
6211 	struct ipc_security_struct *isec;
6212 	struct common_audit_data ad;
6213 	u32 sid = current_sid();
6214 
6215 	isec = selinux_ipc(sma);
6216 	ipc_init_security(isec, SECCLASS_SEM);
6217 
6218 	ad.type = LSM_AUDIT_DATA_IPC;
6219 	ad.u.ipc_id = sma->key;
6220 
6221 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6222 			    SEM__CREATE, &ad);
6223 }
6224 
selinux_sem_associate(struct kern_ipc_perm * sma,int semflg)6225 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6226 {
6227 	struct ipc_security_struct *isec;
6228 	struct common_audit_data ad;
6229 	u32 sid = current_sid();
6230 
6231 	isec = selinux_ipc(sma);
6232 
6233 	ad.type = LSM_AUDIT_DATA_IPC;
6234 	ad.u.ipc_id = sma->key;
6235 
6236 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6237 			    SEM__ASSOCIATE, &ad);
6238 }
6239 
6240 /* Note, at this point, sma is locked down */
selinux_sem_semctl(struct kern_ipc_perm * sma,int cmd)6241 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6242 {
6243 	int err;
6244 	u32 perms;
6245 
6246 	switch (cmd) {
6247 	case IPC_INFO:
6248 	case SEM_INFO:
6249 		/* No specific object, just general system-wide information. */
6250 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6251 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6252 	case GETPID:
6253 	case GETNCNT:
6254 	case GETZCNT:
6255 		perms = SEM__GETATTR;
6256 		break;
6257 	case GETVAL:
6258 	case GETALL:
6259 		perms = SEM__READ;
6260 		break;
6261 	case SETVAL:
6262 	case SETALL:
6263 		perms = SEM__WRITE;
6264 		break;
6265 	case IPC_RMID:
6266 		perms = SEM__DESTROY;
6267 		break;
6268 	case IPC_SET:
6269 		perms = SEM__SETATTR;
6270 		break;
6271 	case IPC_STAT:
6272 	case SEM_STAT:
6273 	case SEM_STAT_ANY:
6274 		perms = SEM__GETATTR | SEM__ASSOCIATE;
6275 		break;
6276 	default:
6277 		return 0;
6278 	}
6279 
6280 	err = ipc_has_perm(sma, perms);
6281 	return err;
6282 }
6283 
selinux_sem_semop(struct kern_ipc_perm * sma,struct sembuf * sops,unsigned nsops,int alter)6284 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6285 			     struct sembuf *sops, unsigned nsops, int alter)
6286 {
6287 	u32 perms;
6288 
6289 	if (alter)
6290 		perms = SEM__READ | SEM__WRITE;
6291 	else
6292 		perms = SEM__READ;
6293 
6294 	return ipc_has_perm(sma, perms);
6295 }
6296 
selinux_ipc_permission(struct kern_ipc_perm * ipcp,short flag)6297 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6298 {
6299 	u32 av = 0;
6300 
6301 	av = 0;
6302 	if (flag & S_IRUGO)
6303 		av |= IPC__UNIX_READ;
6304 	if (flag & S_IWUGO)
6305 		av |= IPC__UNIX_WRITE;
6306 
6307 	if (av == 0)
6308 		return 0;
6309 
6310 	return ipc_has_perm(ipcp, av);
6311 }
6312 
selinux_ipc_getsecid(struct kern_ipc_perm * ipcp,u32 * secid)6313 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6314 {
6315 	struct ipc_security_struct *isec = selinux_ipc(ipcp);
6316 	*secid = isec->sid;
6317 }
6318 
selinux_d_instantiate(struct dentry * dentry,struct inode * inode)6319 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6320 {
6321 	if (inode)
6322 		inode_doinit_with_dentry(inode, dentry);
6323 }
6324 
selinux_getprocattr(struct task_struct * p,const char * name,char ** value)6325 static int selinux_getprocattr(struct task_struct *p,
6326 			       const char *name, char **value)
6327 {
6328 	const struct task_security_struct *__tsec;
6329 	u32 sid;
6330 	int error;
6331 	unsigned len;
6332 
6333 	rcu_read_lock();
6334 	__tsec = selinux_cred(__task_cred(p));
6335 
6336 	if (current != p) {
6337 		error = avc_has_perm(current_sid(), __tsec->sid,
6338 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6339 		if (error)
6340 			goto bad;
6341 	}
6342 
6343 	if (!strcmp(name, "current"))
6344 		sid = __tsec->sid;
6345 	else if (!strcmp(name, "prev"))
6346 		sid = __tsec->osid;
6347 	else if (!strcmp(name, "exec"))
6348 		sid = __tsec->exec_sid;
6349 	else if (!strcmp(name, "fscreate"))
6350 		sid = __tsec->create_sid;
6351 	else if (!strcmp(name, "keycreate"))
6352 		sid = __tsec->keycreate_sid;
6353 	else if (!strcmp(name, "sockcreate"))
6354 		sid = __tsec->sockcreate_sid;
6355 	else {
6356 		error = -EINVAL;
6357 		goto bad;
6358 	}
6359 	rcu_read_unlock();
6360 
6361 	if (!sid)
6362 		return 0;
6363 
6364 	error = security_sid_to_context(sid, value, &len);
6365 	if (error)
6366 		return error;
6367 	return len;
6368 
6369 bad:
6370 	rcu_read_unlock();
6371 	return error;
6372 }
6373 
selinux_setprocattr(const char * name,void * value,size_t size)6374 static int selinux_setprocattr(const char *name, void *value, size_t size)
6375 {
6376 	struct task_security_struct *tsec;
6377 	struct cred *new;
6378 	u32 mysid = current_sid(), sid = 0, ptsid;
6379 	int error;
6380 	char *str = value;
6381 
6382 	/*
6383 	 * Basic control over ability to set these attributes at all.
6384 	 */
6385 	if (!strcmp(name, "exec"))
6386 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6387 				     PROCESS__SETEXEC, NULL);
6388 	else if (!strcmp(name, "fscreate"))
6389 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6390 				     PROCESS__SETFSCREATE, NULL);
6391 	else if (!strcmp(name, "keycreate"))
6392 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6393 				     PROCESS__SETKEYCREATE, NULL);
6394 	else if (!strcmp(name, "sockcreate"))
6395 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6396 				     PROCESS__SETSOCKCREATE, NULL);
6397 	else if (!strcmp(name, "current"))
6398 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6399 				     PROCESS__SETCURRENT, NULL);
6400 	else
6401 		error = -EINVAL;
6402 	if (error)
6403 		return error;
6404 
6405 	/* Obtain a SID for the context, if one was specified. */
6406 	if (size && str[0] && str[0] != '\n') {
6407 		if (str[size-1] == '\n') {
6408 			str[size-1] = 0;
6409 			size--;
6410 		}
6411 		error = security_context_to_sid(value, size,
6412 						&sid, GFP_KERNEL);
6413 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
6414 			if (!has_cap_mac_admin(true)) {
6415 				struct audit_buffer *ab;
6416 				size_t audit_size;
6417 
6418 				/* We strip a nul only if it is at the end, otherwise the
6419 				 * context contains a nul and we should audit that */
6420 				if (str[size - 1] == '\0')
6421 					audit_size = size - 1;
6422 				else
6423 					audit_size = size;
6424 				ab = audit_log_start(audit_context(),
6425 						     GFP_ATOMIC,
6426 						     AUDIT_SELINUX_ERR);
6427 				if (!ab)
6428 					return error;
6429 				audit_log_format(ab, "op=fscreate invalid_context=");
6430 				audit_log_n_untrustedstring(ab, value, audit_size);
6431 				audit_log_end(ab);
6432 
6433 				return error;
6434 			}
6435 			error = security_context_to_sid_force(value, size,
6436 							&sid);
6437 		}
6438 		if (error)
6439 			return error;
6440 	}
6441 
6442 	new = prepare_creds();
6443 	if (!new)
6444 		return -ENOMEM;
6445 
6446 	/* Permission checking based on the specified context is
6447 	   performed during the actual operation (execve,
6448 	   open/mkdir/...), when we know the full context of the
6449 	   operation.  See selinux_bprm_creds_for_exec for the execve
6450 	   checks and may_create for the file creation checks. The
6451 	   operation will then fail if the context is not permitted. */
6452 	tsec = selinux_cred(new);
6453 	if (!strcmp(name, "exec")) {
6454 		tsec->exec_sid = sid;
6455 	} else if (!strcmp(name, "fscreate")) {
6456 		tsec->create_sid = sid;
6457 	} else if (!strcmp(name, "keycreate")) {
6458 		if (sid) {
6459 			error = avc_has_perm(mysid, sid,
6460 					     SECCLASS_KEY, KEY__CREATE, NULL);
6461 			if (error)
6462 				goto abort_change;
6463 		}
6464 		tsec->keycreate_sid = sid;
6465 	} else if (!strcmp(name, "sockcreate")) {
6466 		tsec->sockcreate_sid = sid;
6467 	} else if (!strcmp(name, "current")) {
6468 		error = -EINVAL;
6469 		if (sid == 0)
6470 			goto abort_change;
6471 
6472 		/* Only allow single threaded processes to change context */
6473 		if (!current_is_single_threaded()) {
6474 			error = security_bounded_transition(tsec->sid, sid);
6475 			if (error)
6476 				goto abort_change;
6477 		}
6478 
6479 		/* Check permissions for the transition. */
6480 		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6481 				     PROCESS__DYNTRANSITION, NULL);
6482 		if (error)
6483 			goto abort_change;
6484 
6485 		/* Check for ptracing, and update the task SID if ok.
6486 		   Otherwise, leave SID unchanged and fail. */
6487 		ptsid = ptrace_parent_sid();
6488 		if (ptsid != 0) {
6489 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6490 					     PROCESS__PTRACE, NULL);
6491 			if (error)
6492 				goto abort_change;
6493 		}
6494 
6495 		tsec->sid = sid;
6496 	} else {
6497 		error = -EINVAL;
6498 		goto abort_change;
6499 	}
6500 
6501 	commit_creds(new);
6502 	return size;
6503 
6504 abort_change:
6505 	abort_creds(new);
6506 	return error;
6507 }
6508 
selinux_ismaclabel(const char * name)6509 static int selinux_ismaclabel(const char *name)
6510 {
6511 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6512 }
6513 
selinux_secid_to_secctx(u32 secid,char ** secdata,u32 * seclen)6514 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6515 {
6516 	return security_sid_to_context(secid,
6517 				       secdata, seclen);
6518 }
6519 
selinux_secctx_to_secid(const char * secdata,u32 seclen,u32 * secid)6520 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6521 {
6522 	return security_context_to_sid(secdata, seclen,
6523 				       secid, GFP_KERNEL);
6524 }
6525 
selinux_release_secctx(char * secdata,u32 seclen)6526 static void selinux_release_secctx(char *secdata, u32 seclen)
6527 {
6528 	kfree(secdata);
6529 }
6530 
selinux_inode_invalidate_secctx(struct inode * inode)6531 static void selinux_inode_invalidate_secctx(struct inode *inode)
6532 {
6533 	struct inode_security_struct *isec = selinux_inode(inode);
6534 
6535 	spin_lock(&isec->lock);
6536 	isec->initialized = LABEL_INVALID;
6537 	spin_unlock(&isec->lock);
6538 }
6539 
6540 /*
6541  *	called with inode->i_mutex locked
6542  */
selinux_inode_notifysecctx(struct inode * inode,void * ctx,u32 ctxlen)6543 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6544 {
6545 	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6546 					   ctx, ctxlen, 0);
6547 	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
6548 	return rc == -EOPNOTSUPP ? 0 : rc;
6549 }
6550 
6551 /*
6552  *	called with inode->i_mutex locked
6553  */
selinux_inode_setsecctx(struct dentry * dentry,void * ctx,u32 ctxlen)6554 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6555 {
6556 	return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,
6557 				     ctx, ctxlen, 0, NULL);
6558 }
6559 
selinux_inode_getsecctx(struct inode * inode,void ** ctx,u32 * ctxlen)6560 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6561 {
6562 	int len = 0;
6563 	len = selinux_inode_getsecurity(&nop_mnt_idmap, inode,
6564 					XATTR_SELINUX_SUFFIX, ctx, true);
6565 	if (len < 0)
6566 		return len;
6567 	*ctxlen = len;
6568 	return 0;
6569 }
6570 #ifdef CONFIG_KEYS
6571 
selinux_key_alloc(struct key * k,const struct cred * cred,unsigned long flags)6572 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6573 			     unsigned long flags)
6574 {
6575 	const struct task_security_struct *tsec;
6576 	struct key_security_struct *ksec;
6577 
6578 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6579 	if (!ksec)
6580 		return -ENOMEM;
6581 
6582 	tsec = selinux_cred(cred);
6583 	if (tsec->keycreate_sid)
6584 		ksec->sid = tsec->keycreate_sid;
6585 	else
6586 		ksec->sid = tsec->sid;
6587 
6588 	k->security = ksec;
6589 	return 0;
6590 }
6591 
selinux_key_free(struct key * k)6592 static void selinux_key_free(struct key *k)
6593 {
6594 	struct key_security_struct *ksec = k->security;
6595 
6596 	k->security = NULL;
6597 	kfree(ksec);
6598 }
6599 
selinux_key_permission(key_ref_t key_ref,const struct cred * cred,enum key_need_perm need_perm)6600 static int selinux_key_permission(key_ref_t key_ref,
6601 				  const struct cred *cred,
6602 				  enum key_need_perm need_perm)
6603 {
6604 	struct key *key;
6605 	struct key_security_struct *ksec;
6606 	u32 perm, sid;
6607 
6608 	switch (need_perm) {
6609 	case KEY_NEED_VIEW:
6610 		perm = KEY__VIEW;
6611 		break;
6612 	case KEY_NEED_READ:
6613 		perm = KEY__READ;
6614 		break;
6615 	case KEY_NEED_WRITE:
6616 		perm = KEY__WRITE;
6617 		break;
6618 	case KEY_NEED_SEARCH:
6619 		perm = KEY__SEARCH;
6620 		break;
6621 	case KEY_NEED_LINK:
6622 		perm = KEY__LINK;
6623 		break;
6624 	case KEY_NEED_SETATTR:
6625 		perm = KEY__SETATTR;
6626 		break;
6627 	case KEY_NEED_UNLINK:
6628 	case KEY_SYSADMIN_OVERRIDE:
6629 	case KEY_AUTHTOKEN_OVERRIDE:
6630 	case KEY_DEFER_PERM_CHECK:
6631 		return 0;
6632 	default:
6633 		WARN_ON(1);
6634 		return -EPERM;
6635 
6636 	}
6637 
6638 	sid = cred_sid(cred);
6639 	key = key_ref_to_ptr(key_ref);
6640 	ksec = key->security;
6641 
6642 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6643 }
6644 
selinux_key_getsecurity(struct key * key,char ** _buffer)6645 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6646 {
6647 	struct key_security_struct *ksec = key->security;
6648 	char *context = NULL;
6649 	unsigned len;
6650 	int rc;
6651 
6652 	rc = security_sid_to_context(ksec->sid,
6653 				     &context, &len);
6654 	if (!rc)
6655 		rc = len;
6656 	*_buffer = context;
6657 	return rc;
6658 }
6659 
6660 #ifdef CONFIG_KEY_NOTIFICATIONS
selinux_watch_key(struct key * key)6661 static int selinux_watch_key(struct key *key)
6662 {
6663 	struct key_security_struct *ksec = key->security;
6664 	u32 sid = current_sid();
6665 
6666 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6667 }
6668 #endif
6669 #endif
6670 
6671 #ifdef CONFIG_SECURITY_INFINIBAND
selinux_ib_pkey_access(void * ib_sec,u64 subnet_prefix,u16 pkey_val)6672 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6673 {
6674 	struct common_audit_data ad;
6675 	int err;
6676 	u32 sid = 0;
6677 	struct ib_security_struct *sec = ib_sec;
6678 	struct lsm_ibpkey_audit ibpkey;
6679 
6680 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6681 	if (err)
6682 		return err;
6683 
6684 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6685 	ibpkey.subnet_prefix = subnet_prefix;
6686 	ibpkey.pkey = pkey_val;
6687 	ad.u.ibpkey = &ibpkey;
6688 	return avc_has_perm(sec->sid, sid,
6689 			    SECCLASS_INFINIBAND_PKEY,
6690 			    INFINIBAND_PKEY__ACCESS, &ad);
6691 }
6692 
selinux_ib_endport_manage_subnet(void * ib_sec,const char * dev_name,u8 port_num)6693 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6694 					    u8 port_num)
6695 {
6696 	struct common_audit_data ad;
6697 	int err;
6698 	u32 sid = 0;
6699 	struct ib_security_struct *sec = ib_sec;
6700 	struct lsm_ibendport_audit ibendport;
6701 
6702 	err = security_ib_endport_sid(dev_name, port_num,
6703 				      &sid);
6704 
6705 	if (err)
6706 		return err;
6707 
6708 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6709 	ibendport.dev_name = dev_name;
6710 	ibendport.port = port_num;
6711 	ad.u.ibendport = &ibendport;
6712 	return avc_has_perm(sec->sid, sid,
6713 			    SECCLASS_INFINIBAND_ENDPORT,
6714 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6715 }
6716 
selinux_ib_alloc_security(void ** ib_sec)6717 static int selinux_ib_alloc_security(void **ib_sec)
6718 {
6719 	struct ib_security_struct *sec;
6720 
6721 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6722 	if (!sec)
6723 		return -ENOMEM;
6724 	sec->sid = current_sid();
6725 
6726 	*ib_sec = sec;
6727 	return 0;
6728 }
6729 
selinux_ib_free_security(void * ib_sec)6730 static void selinux_ib_free_security(void *ib_sec)
6731 {
6732 	kfree(ib_sec);
6733 }
6734 #endif
6735 
6736 #ifdef CONFIG_BPF_SYSCALL
selinux_bpf(int cmd,union bpf_attr * attr,unsigned int size)6737 static int selinux_bpf(int cmd, union bpf_attr *attr,
6738 				     unsigned int size)
6739 {
6740 	u32 sid = current_sid();
6741 	int ret;
6742 
6743 	switch (cmd) {
6744 	case BPF_MAP_CREATE:
6745 		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6746 				   NULL);
6747 		break;
6748 	case BPF_PROG_LOAD:
6749 		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6750 				   NULL);
6751 		break;
6752 	default:
6753 		ret = 0;
6754 		break;
6755 	}
6756 
6757 	return ret;
6758 }
6759 
bpf_map_fmode_to_av(fmode_t fmode)6760 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6761 {
6762 	u32 av = 0;
6763 
6764 	if (fmode & FMODE_READ)
6765 		av |= BPF__MAP_READ;
6766 	if (fmode & FMODE_WRITE)
6767 		av |= BPF__MAP_WRITE;
6768 	return av;
6769 }
6770 
6771 /* This function will check the file pass through unix socket or binder to see
6772  * if it is a bpf related object. And apply corresponding checks on the bpf
6773  * object based on the type. The bpf maps and programs, not like other files and
6774  * socket, are using a shared anonymous inode inside the kernel as their inode.
6775  * So checking that inode cannot identify if the process have privilege to
6776  * access the bpf object and that's why we have to add this additional check in
6777  * selinux_file_receive and selinux_binder_transfer_files.
6778  */
bpf_fd_pass(const struct file * file,u32 sid)6779 static int bpf_fd_pass(const struct file *file, u32 sid)
6780 {
6781 	struct bpf_security_struct *bpfsec;
6782 	struct bpf_prog *prog;
6783 	struct bpf_map *map;
6784 	int ret;
6785 
6786 	if (file->f_op == &bpf_map_fops) {
6787 		map = file->private_data;
6788 		bpfsec = map->security;
6789 		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6790 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6791 		if (ret)
6792 			return ret;
6793 	} else if (file->f_op == &bpf_prog_fops) {
6794 		prog = file->private_data;
6795 		bpfsec = prog->aux->security;
6796 		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6797 				   BPF__PROG_RUN, NULL);
6798 		if (ret)
6799 			return ret;
6800 	}
6801 	return 0;
6802 }
6803 
selinux_bpf_map(struct bpf_map * map,fmode_t fmode)6804 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6805 {
6806 	u32 sid = current_sid();
6807 	struct bpf_security_struct *bpfsec;
6808 
6809 	bpfsec = map->security;
6810 	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6811 			    bpf_map_fmode_to_av(fmode), NULL);
6812 }
6813 
selinux_bpf_prog(struct bpf_prog * prog)6814 static int selinux_bpf_prog(struct bpf_prog *prog)
6815 {
6816 	u32 sid = current_sid();
6817 	struct bpf_security_struct *bpfsec;
6818 
6819 	bpfsec = prog->aux->security;
6820 	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6821 			    BPF__PROG_RUN, NULL);
6822 }
6823 
selinux_bpf_map_alloc(struct bpf_map * map)6824 static int selinux_bpf_map_alloc(struct bpf_map *map)
6825 {
6826 	struct bpf_security_struct *bpfsec;
6827 
6828 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6829 	if (!bpfsec)
6830 		return -ENOMEM;
6831 
6832 	bpfsec->sid = current_sid();
6833 	map->security = bpfsec;
6834 
6835 	return 0;
6836 }
6837 
selinux_bpf_map_free(struct bpf_map * map)6838 static void selinux_bpf_map_free(struct bpf_map *map)
6839 {
6840 	struct bpf_security_struct *bpfsec = map->security;
6841 
6842 	map->security = NULL;
6843 	kfree(bpfsec);
6844 }
6845 
selinux_bpf_prog_alloc(struct bpf_prog_aux * aux)6846 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6847 {
6848 	struct bpf_security_struct *bpfsec;
6849 
6850 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6851 	if (!bpfsec)
6852 		return -ENOMEM;
6853 
6854 	bpfsec->sid = current_sid();
6855 	aux->security = bpfsec;
6856 
6857 	return 0;
6858 }
6859 
selinux_bpf_prog_free(struct bpf_prog_aux * aux)6860 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6861 {
6862 	struct bpf_security_struct *bpfsec = aux->security;
6863 
6864 	aux->security = NULL;
6865 	kfree(bpfsec);
6866 }
6867 #endif
6868 
6869 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
6870 	.lbs_cred = sizeof(struct task_security_struct),
6871 	.lbs_file = sizeof(struct file_security_struct),
6872 	.lbs_inode = sizeof(struct inode_security_struct),
6873 	.lbs_ipc = sizeof(struct ipc_security_struct),
6874 	.lbs_msg_msg = sizeof(struct msg_security_struct),
6875 	.lbs_superblock = sizeof(struct superblock_security_struct),
6876 	.lbs_xattr_count = SELINUX_INODE_INIT_XATTRS,
6877 };
6878 
6879 #ifdef CONFIG_PERF_EVENTS
selinux_perf_event_open(struct perf_event_attr * attr,int type)6880 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6881 {
6882 	u32 requested, sid = current_sid();
6883 
6884 	if (type == PERF_SECURITY_OPEN)
6885 		requested = PERF_EVENT__OPEN;
6886 	else if (type == PERF_SECURITY_CPU)
6887 		requested = PERF_EVENT__CPU;
6888 	else if (type == PERF_SECURITY_KERNEL)
6889 		requested = PERF_EVENT__KERNEL;
6890 	else if (type == PERF_SECURITY_TRACEPOINT)
6891 		requested = PERF_EVENT__TRACEPOINT;
6892 	else
6893 		return -EINVAL;
6894 
6895 	return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT,
6896 			    requested, NULL);
6897 }
6898 
selinux_perf_event_alloc(struct perf_event * event)6899 static int selinux_perf_event_alloc(struct perf_event *event)
6900 {
6901 	struct perf_event_security_struct *perfsec;
6902 
6903 	perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6904 	if (!perfsec)
6905 		return -ENOMEM;
6906 
6907 	perfsec->sid = current_sid();
6908 	event->security = perfsec;
6909 
6910 	return 0;
6911 }
6912 
selinux_perf_event_free(struct perf_event * event)6913 static void selinux_perf_event_free(struct perf_event *event)
6914 {
6915 	struct perf_event_security_struct *perfsec = event->security;
6916 
6917 	event->security = NULL;
6918 	kfree(perfsec);
6919 }
6920 
selinux_perf_event_read(struct perf_event * event)6921 static int selinux_perf_event_read(struct perf_event *event)
6922 {
6923 	struct perf_event_security_struct *perfsec = event->security;
6924 	u32 sid = current_sid();
6925 
6926 	return avc_has_perm(sid, perfsec->sid,
6927 			    SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6928 }
6929 
selinux_perf_event_write(struct perf_event * event)6930 static int selinux_perf_event_write(struct perf_event *event)
6931 {
6932 	struct perf_event_security_struct *perfsec = event->security;
6933 	u32 sid = current_sid();
6934 
6935 	return avc_has_perm(sid, perfsec->sid,
6936 			    SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6937 }
6938 #endif
6939 
6940 #ifdef CONFIG_IO_URING
6941 /**
6942  * selinux_uring_override_creds - check the requested cred override
6943  * @new: the target creds
6944  *
6945  * Check to see if the current task is allowed to override it's credentials
6946  * to service an io_uring operation.
6947  */
selinux_uring_override_creds(const struct cred * new)6948 static int selinux_uring_override_creds(const struct cred *new)
6949 {
6950 	return avc_has_perm(current_sid(), cred_sid(new),
6951 			    SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
6952 }
6953 
6954 /**
6955  * selinux_uring_sqpoll - check if a io_uring polling thread can be created
6956  *
6957  * Check to see if the current task is allowed to create a new io_uring
6958  * kernel polling thread.
6959  */
selinux_uring_sqpoll(void)6960 static int selinux_uring_sqpoll(void)
6961 {
6962 	u32 sid = current_sid();
6963 
6964 	return avc_has_perm(sid, sid,
6965 			    SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
6966 }
6967 
6968 /**
6969  * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
6970  * @ioucmd: the io_uring command structure
6971  *
6972  * Check to see if the current domain is allowed to execute an
6973  * IORING_OP_URING_CMD against the device/file specified in @ioucmd.
6974  *
6975  */
selinux_uring_cmd(struct io_uring_cmd * ioucmd)6976 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
6977 {
6978 	struct file *file = ioucmd->file;
6979 	struct inode *inode = file_inode(file);
6980 	struct inode_security_struct *isec = selinux_inode(inode);
6981 	struct common_audit_data ad;
6982 
6983 	ad.type = LSM_AUDIT_DATA_FILE;
6984 	ad.u.file = file;
6985 
6986 	return avc_has_perm(current_sid(), isec->sid,
6987 			    SECCLASS_IO_URING, IO_URING__CMD, &ad);
6988 }
6989 #endif /* CONFIG_IO_URING */
6990 
6991 /*
6992  * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
6993  * 1. any hooks that don't belong to (2.) or (3.) below,
6994  * 2. hooks that both access structures allocated by other hooks, and allocate
6995  *    structures that can be later accessed by other hooks (mostly "cloning"
6996  *    hooks),
6997  * 3. hooks that only allocate structures that can be later accessed by other
6998  *    hooks ("allocating" hooks).
6999  *
7000  * Please follow block comment delimiters in the list to keep this order.
7001  */
7002 static struct security_hook_list selinux_hooks[] __ro_after_init = {
7003 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
7004 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
7005 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
7006 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
7007 
7008 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
7009 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
7010 	LSM_HOOK_INIT(capget, selinux_capget),
7011 	LSM_HOOK_INIT(capset, selinux_capset),
7012 	LSM_HOOK_INIT(capable, selinux_capable),
7013 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
7014 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
7015 	LSM_HOOK_INIT(syslog, selinux_syslog),
7016 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7017 
7018 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7019 
7020 	LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
7021 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7022 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7023 
7024 	LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7025 	LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
7026 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7027 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7028 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7029 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7030 	LSM_HOOK_INIT(sb_mount, selinux_mount),
7031 	LSM_HOOK_INIT(sb_umount, selinux_umount),
7032 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7033 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7034 
7035 	LSM_HOOK_INIT(move_mount, selinux_move_mount),
7036 
7037 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7038 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7039 
7040 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7041 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7042 	LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7043 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
7044 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
7045 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7046 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7047 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7048 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7049 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7050 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7051 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7052 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7053 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7054 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7055 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7056 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7057 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7058 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7059 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7060 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7061 	LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl),
7062 	LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl),
7063 	LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl),
7064 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7065 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7066 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7067 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7068 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7069 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7070 	LSM_HOOK_INIT(path_notify, selinux_path_notify),
7071 
7072 	LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7073 
7074 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
7075 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7076 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7077 	LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat),
7078 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7079 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7080 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7081 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
7082 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7083 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7084 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7085 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
7086 
7087 	LSM_HOOK_INIT(file_open, selinux_file_open),
7088 
7089 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7090 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7091 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7092 	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7093 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7094 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7095 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7096 	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7097 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7098 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7099 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7100 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7101 	LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj),
7102 	LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj),
7103 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7104 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7105 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7106 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7107 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7108 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7109 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7110 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7111 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
7112 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7113 	LSM_HOOK_INIT(userns_create, selinux_userns_create),
7114 
7115 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7116 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7117 
7118 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7119 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7120 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7121 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7122 
7123 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7124 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7125 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7126 
7127 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7128 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7129 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7130 
7131 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7132 
7133 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7134 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7135 
7136 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7137 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7138 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7139 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7140 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7141 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7142 
7143 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7144 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7145 
7146 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
7147 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7148 	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7149 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7150 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7151 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7152 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7153 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7154 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7155 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7156 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7157 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7158 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7159 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7160 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7161 	LSM_HOOK_INIT(socket_getpeersec_stream,
7162 			selinux_socket_getpeersec_stream),
7163 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7164 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7165 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7166 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7167 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7168 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7169 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7170 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7171 	LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
7172 	LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow),
7173 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7174 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7175 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7176 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7177 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7178 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7179 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7180 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7181 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7182 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7183 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7184 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7185 #ifdef CONFIG_SECURITY_INFINIBAND
7186 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7187 	LSM_HOOK_INIT(ib_endport_manage_subnet,
7188 		      selinux_ib_endport_manage_subnet),
7189 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7190 #endif
7191 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7192 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7193 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7194 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7195 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7196 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7197 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7198 			selinux_xfrm_state_pol_flow_match),
7199 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7200 #endif
7201 
7202 #ifdef CONFIG_KEYS
7203 	LSM_HOOK_INIT(key_free, selinux_key_free),
7204 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7205 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7206 #ifdef CONFIG_KEY_NOTIFICATIONS
7207 	LSM_HOOK_INIT(watch_key, selinux_watch_key),
7208 #endif
7209 #endif
7210 
7211 #ifdef CONFIG_AUDIT
7212 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7213 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7214 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7215 #endif
7216 
7217 #ifdef CONFIG_BPF_SYSCALL
7218 	LSM_HOOK_INIT(bpf, selinux_bpf),
7219 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7220 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7221 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7222 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7223 #endif
7224 
7225 #ifdef CONFIG_PERF_EVENTS
7226 	LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7227 	LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7228 	LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7229 	LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7230 #endif
7231 
7232 #ifdef CONFIG_IO_URING
7233 	LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7234 	LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7235 	LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
7236 #endif
7237 
7238 	/*
7239 	 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7240 	 */
7241 	LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount),
7242 	LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7243 	LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7244 	LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7245 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7246 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7247 #endif
7248 
7249 	/*
7250 	 * PUT "ALLOCATING" HOOKS HERE
7251 	 */
7252 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7253 	LSM_HOOK_INIT(msg_queue_alloc_security,
7254 		      selinux_msg_queue_alloc_security),
7255 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7256 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7257 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7258 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7259 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7260 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7261 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7262 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7263 #ifdef CONFIG_SECURITY_INFINIBAND
7264 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7265 #endif
7266 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7267 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7268 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7269 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7270 		      selinux_xfrm_state_alloc_acquire),
7271 #endif
7272 #ifdef CONFIG_KEYS
7273 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7274 #endif
7275 #ifdef CONFIG_AUDIT
7276 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7277 #endif
7278 #ifdef CONFIG_BPF_SYSCALL
7279 	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7280 	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7281 #endif
7282 #ifdef CONFIG_PERF_EVENTS
7283 	LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7284 #endif
7285 };
7286 
selinux_init(void)7287 static __init int selinux_init(void)
7288 {
7289 	pr_info("SELinux:  Initializing.\n");
7290 
7291 	memset(&selinux_state, 0, sizeof(selinux_state));
7292 	enforcing_set(selinux_enforcing_boot);
7293 	selinux_avc_init();
7294 	mutex_init(&selinux_state.status_lock);
7295 	mutex_init(&selinux_state.policy_mutex);
7296 
7297 	/* Set the security state for the initial task. */
7298 	cred_init_security();
7299 
7300 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7301 	if (!default_noexec)
7302 		pr_notice("SELinux:  virtual memory is executable by default\n");
7303 
7304 	avc_init();
7305 
7306 	avtab_cache_init();
7307 
7308 	ebitmap_cache_init();
7309 
7310 	hashtab_cache_init();
7311 
7312 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7313 
7314 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7315 		panic("SELinux: Unable to register AVC netcache callback\n");
7316 
7317 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7318 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7319 
7320 	if (selinux_enforcing_boot)
7321 		pr_debug("SELinux:  Starting in enforcing mode\n");
7322 	else
7323 		pr_debug("SELinux:  Starting in permissive mode\n");
7324 
7325 	fs_validate_description("selinux", selinux_fs_parameters);
7326 
7327 	return 0;
7328 }
7329 
delayed_superblock_init(struct super_block * sb,void * unused)7330 static void delayed_superblock_init(struct super_block *sb, void *unused)
7331 {
7332 	selinux_set_mnt_opts(sb, NULL, 0, NULL);
7333 }
7334 
selinux_complete_init(void)7335 void selinux_complete_init(void)
7336 {
7337 	pr_debug("SELinux:  Completing initialization.\n");
7338 
7339 	/* Set up any superblocks initialized prior to the policy load. */
7340 	pr_debug("SELinux:  Setting up existing superblocks.\n");
7341 	iterate_supers(delayed_superblock_init, NULL);
7342 }
7343 
7344 /* SELinux requires early initialization in order to label
7345    all processes and objects when they are created. */
7346 DEFINE_LSM(selinux) = {
7347 	.name = "selinux",
7348 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7349 	.enabled = &selinux_enabled_boot,
7350 	.blobs = &selinux_blob_sizes,
7351 	.init = selinux_init,
7352 };
7353 
7354 #if defined(CONFIG_NETFILTER)
7355 static const struct nf_hook_ops selinux_nf_ops[] = {
7356 	{
7357 		.hook =		selinux_ip_postroute,
7358 		.pf =		NFPROTO_IPV4,
7359 		.hooknum =	NF_INET_POST_ROUTING,
7360 		.priority =	NF_IP_PRI_SELINUX_LAST,
7361 	},
7362 	{
7363 		.hook =		selinux_ip_forward,
7364 		.pf =		NFPROTO_IPV4,
7365 		.hooknum =	NF_INET_FORWARD,
7366 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7367 	},
7368 	{
7369 		.hook =		selinux_ip_output,
7370 		.pf =		NFPROTO_IPV4,
7371 		.hooknum =	NF_INET_LOCAL_OUT,
7372 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7373 	},
7374 #if IS_ENABLED(CONFIG_IPV6)
7375 	{
7376 		.hook =		selinux_ip_postroute,
7377 		.pf =		NFPROTO_IPV6,
7378 		.hooknum =	NF_INET_POST_ROUTING,
7379 		.priority =	NF_IP6_PRI_SELINUX_LAST,
7380 	},
7381 	{
7382 		.hook =		selinux_ip_forward,
7383 		.pf =		NFPROTO_IPV6,
7384 		.hooknum =	NF_INET_FORWARD,
7385 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7386 	},
7387 	{
7388 		.hook =		selinux_ip_output,
7389 		.pf =		NFPROTO_IPV6,
7390 		.hooknum =	NF_INET_LOCAL_OUT,
7391 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7392 	},
7393 #endif	/* IPV6 */
7394 };
7395 
selinux_nf_register(struct net * net)7396 static int __net_init selinux_nf_register(struct net *net)
7397 {
7398 	return nf_register_net_hooks(net, selinux_nf_ops,
7399 				     ARRAY_SIZE(selinux_nf_ops));
7400 }
7401 
selinux_nf_unregister(struct net * net)7402 static void __net_exit selinux_nf_unregister(struct net *net)
7403 {
7404 	nf_unregister_net_hooks(net, selinux_nf_ops,
7405 				ARRAY_SIZE(selinux_nf_ops));
7406 }
7407 
7408 static struct pernet_operations selinux_net_ops = {
7409 	.init = selinux_nf_register,
7410 	.exit = selinux_nf_unregister,
7411 };
7412 
selinux_nf_ip_init(void)7413 static int __init selinux_nf_ip_init(void)
7414 {
7415 	int err;
7416 
7417 	if (!selinux_enabled_boot)
7418 		return 0;
7419 
7420 	pr_debug("SELinux:  Registering netfilter hooks\n");
7421 
7422 	err = register_pernet_subsys(&selinux_net_ops);
7423 	if (err)
7424 		panic("SELinux: register_pernet_subsys: error %d\n", err);
7425 
7426 	return 0;
7427 }
7428 __initcall(selinux_nf_ip_init);
7429 #endif /* CONFIG_NETFILTER */
7430