1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * Copyright (C) 2016 Mellanox Technologies 21 * 22 * This program is free software; you can redistribute it and/or modify 23 * it under the terms of the GNU General Public License version 2, 24 * as published by the Free Software Foundation. 25 */ 26 27 #include <linux/init.h> 28 #include <linux/kd.h> 29 #include <linux/kernel.h> 30 #include <linux/tracehook.h> 31 #include <linux/errno.h> 32 #include <linux/sched/signal.h> 33 #include <linux/sched/task.h> 34 #include <linux/lsm_hooks.h> 35 #include <linux/xattr.h> 36 #include <linux/capability.h> 37 #include <linux/unistd.h> 38 #include <linux/mm.h> 39 #include <linux/mman.h> 40 #include <linux/slab.h> 41 #include <linux/pagemap.h> 42 #include <linux/proc_fs.h> 43 #include <linux/swap.h> 44 #include <linux/spinlock.h> 45 #include <linux/syscalls.h> 46 #include <linux/dcache.h> 47 #include <linux/file.h> 48 #include <linux/fdtable.h> 49 #include <linux/namei.h> 50 #include <linux/mount.h> 51 #include <linux/netfilter_ipv4.h> 52 #include <linux/netfilter_ipv6.h> 53 #include <linux/tty.h> 54 #include <net/icmp.h> 55 #include <net/ip.h> /* for local_port_range[] */ 56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 57 #include <net/inet_connection_sock.h> 58 #include <net/net_namespace.h> 59 #include <net/netlabel.h> 60 #include <linux/uaccess.h> 61 #include <asm/ioctls.h> 62 #include <linux/atomic.h> 63 #include <linux/bitops.h> 64 #include <linux/interrupt.h> 65 #include <linux/netdevice.h> /* for network interface checks */ 66 #include <net/netlink.h> 67 #include <linux/tcp.h> 68 #include <linux/udp.h> 69 #include <linux/dccp.h> 70 #include <linux/quota.h> 71 #include <linux/un.h> /* for Unix socket types */ 72 #include <net/af_unix.h> /* for Unix socket types */ 73 #include <linux/parser.h> 74 #include <linux/nfs_mount.h> 75 #include <net/ipv6.h> 76 #include <linux/hugetlb.h> 77 #include <linux/personality.h> 78 #include <linux/audit.h> 79 #include <linux/string.h> 80 #include <linux/selinux.h> 81 #include <linux/mutex.h> 82 #include <linux/posix-timers.h> 83 #include <linux/syslog.h> 84 #include <linux/user_namespace.h> 85 #include <linux/export.h> 86 #include <linux/msg.h> 87 #include <linux/shm.h> 88 #include <linux/bpf.h> 89 90 #include "avc.h" 91 #include "objsec.h" 92 #include "netif.h" 93 #include "netnode.h" 94 #include "netport.h" 95 #include "ibpkey.h" 96 #include "xfrm.h" 97 #include "netlabel.h" 98 #include "audit.h" 99 #include "avc_ss.h" 100 101 /* SECMARK reference count */ 102 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 103 104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 105 int selinux_enforcing; 106 107 static int __init enforcing_setup(char *str) 108 { 109 unsigned long enforcing; 110 if (!kstrtoul(str, 0, &enforcing)) 111 selinux_enforcing = enforcing ? 1 : 0; 112 return 1; 113 } 114 __setup("enforcing=", enforcing_setup); 115 #endif 116 117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 118 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 119 120 static int __init selinux_enabled_setup(char *str) 121 { 122 unsigned long enabled; 123 if (!kstrtoul(str, 0, &enabled)) 124 selinux_enabled = enabled ? 1 : 0; 125 return 1; 126 } 127 __setup("selinux=", selinux_enabled_setup); 128 #else 129 int selinux_enabled = 1; 130 #endif 131 132 static struct kmem_cache *sel_inode_cache; 133 static struct kmem_cache *file_security_cache; 134 135 /** 136 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 137 * 138 * Description: 139 * This function checks the SECMARK reference counter to see if any SECMARK 140 * targets are currently configured, if the reference counter is greater than 141 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 142 * enabled, false (0) if SECMARK is disabled. If the always_check_network 143 * policy capability is enabled, SECMARK is always considered enabled. 144 * 145 */ 146 static int selinux_secmark_enabled(void) 147 { 148 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount)); 149 } 150 151 /** 152 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 153 * 154 * Description: 155 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 156 * (1) if any are enabled or false (0) if neither are enabled. If the 157 * always_check_network policy capability is enabled, peer labeling 158 * is always considered enabled. 159 * 160 */ 161 static int selinux_peerlbl_enabled(void) 162 { 163 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled()); 164 } 165 166 static int selinux_netcache_avc_callback(u32 event) 167 { 168 if (event == AVC_CALLBACK_RESET) { 169 sel_netif_flush(); 170 sel_netnode_flush(); 171 sel_netport_flush(); 172 synchronize_net(); 173 } 174 return 0; 175 } 176 177 static int selinux_lsm_notifier_avc_callback(u32 event) 178 { 179 if (event == AVC_CALLBACK_RESET) { 180 sel_ib_pkey_flush(); 181 call_lsm_notifier(LSM_POLICY_CHANGE, NULL); 182 } 183 184 return 0; 185 } 186 187 /* 188 * initialise the security for the init task 189 */ 190 static void cred_init_security(void) 191 { 192 struct cred *cred = (struct cred *) current->real_cred; 193 struct task_security_struct *tsec; 194 195 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 196 if (!tsec) 197 panic("SELinux: Failed to initialize initial task.\n"); 198 199 tsec->osid = tsec->sid = SECINITSID_KERNEL; 200 cred->security = tsec; 201 } 202 203 /* 204 * get the security ID of a set of credentials 205 */ 206 static inline u32 cred_sid(const struct cred *cred) 207 { 208 const struct task_security_struct *tsec; 209 210 tsec = cred->security; 211 return tsec->sid; 212 } 213 214 /* 215 * get the objective security ID of a task 216 */ 217 static inline u32 task_sid(const struct task_struct *task) 218 { 219 u32 sid; 220 221 rcu_read_lock(); 222 sid = cred_sid(__task_cred(task)); 223 rcu_read_unlock(); 224 return sid; 225 } 226 227 /* Allocate and free functions for each kind of security blob. */ 228 229 static int inode_alloc_security(struct inode *inode) 230 { 231 struct inode_security_struct *isec; 232 u32 sid = current_sid(); 233 234 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 235 if (!isec) 236 return -ENOMEM; 237 238 spin_lock_init(&isec->lock); 239 INIT_LIST_HEAD(&isec->list); 240 isec->inode = inode; 241 isec->sid = SECINITSID_UNLABELED; 242 isec->sclass = SECCLASS_FILE; 243 isec->task_sid = sid; 244 isec->initialized = LABEL_INVALID; 245 inode->i_security = isec; 246 247 return 0; 248 } 249 250 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 251 252 /* 253 * Try reloading inode security labels that have been marked as invalid. The 254 * @may_sleep parameter indicates when sleeping and thus reloading labels is 255 * allowed; when set to false, returns -ECHILD when the label is 256 * invalid. The @opt_dentry parameter should be set to a dentry of the inode; 257 * when no dentry is available, set it to NULL instead. 258 */ 259 static int __inode_security_revalidate(struct inode *inode, 260 struct dentry *opt_dentry, 261 bool may_sleep) 262 { 263 struct inode_security_struct *isec = inode->i_security; 264 265 might_sleep_if(may_sleep); 266 267 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) { 268 if (!may_sleep) 269 return -ECHILD; 270 271 /* 272 * Try reloading the inode security label. This will fail if 273 * @opt_dentry is NULL and no dentry for this inode can be 274 * found; in that case, continue using the old label. 275 */ 276 inode_doinit_with_dentry(inode, opt_dentry); 277 } 278 return 0; 279 } 280 281 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 282 { 283 return inode->i_security; 284 } 285 286 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 287 { 288 int error; 289 290 error = __inode_security_revalidate(inode, NULL, !rcu); 291 if (error) 292 return ERR_PTR(error); 293 return inode->i_security; 294 } 295 296 /* 297 * Get the security label of an inode. 298 */ 299 static struct inode_security_struct *inode_security(struct inode *inode) 300 { 301 __inode_security_revalidate(inode, NULL, true); 302 return inode->i_security; 303 } 304 305 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 306 { 307 struct inode *inode = d_backing_inode(dentry); 308 309 return inode->i_security; 310 } 311 312 /* 313 * Get the security label of a dentry's backing inode. 314 */ 315 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 316 { 317 struct inode *inode = d_backing_inode(dentry); 318 319 __inode_security_revalidate(inode, dentry, true); 320 return inode->i_security; 321 } 322 323 static void inode_free_rcu(struct rcu_head *head) 324 { 325 struct inode_security_struct *isec; 326 327 isec = container_of(head, struct inode_security_struct, rcu); 328 kmem_cache_free(sel_inode_cache, isec); 329 } 330 331 static void inode_free_security(struct inode *inode) 332 { 333 struct inode_security_struct *isec = inode->i_security; 334 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 335 336 /* 337 * As not all inode security structures are in a list, we check for 338 * empty list outside of the lock to make sure that we won't waste 339 * time taking a lock doing nothing. 340 * 341 * The list_del_init() function can be safely called more than once. 342 * It should not be possible for this function to be called with 343 * concurrent list_add(), but for better safety against future changes 344 * in the code, we use list_empty_careful() here. 345 */ 346 if (!list_empty_careful(&isec->list)) { 347 spin_lock(&sbsec->isec_lock); 348 list_del_init(&isec->list); 349 spin_unlock(&sbsec->isec_lock); 350 } 351 352 /* 353 * The inode may still be referenced in a path walk and 354 * a call to selinux_inode_permission() can be made 355 * after inode_free_security() is called. Ideally, the VFS 356 * wouldn't do this, but fixing that is a much harder 357 * job. For now, simply free the i_security via RCU, and 358 * leave the current inode->i_security pointer intact. 359 * The inode will be freed after the RCU grace period too. 360 */ 361 call_rcu(&isec->rcu, inode_free_rcu); 362 } 363 364 static int file_alloc_security(struct file *file) 365 { 366 struct file_security_struct *fsec; 367 u32 sid = current_sid(); 368 369 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); 370 if (!fsec) 371 return -ENOMEM; 372 373 fsec->sid = sid; 374 fsec->fown_sid = sid; 375 file->f_security = fsec; 376 377 return 0; 378 } 379 380 static void file_free_security(struct file *file) 381 { 382 struct file_security_struct *fsec = file->f_security; 383 file->f_security = NULL; 384 kmem_cache_free(file_security_cache, fsec); 385 } 386 387 static int superblock_alloc_security(struct super_block *sb) 388 { 389 struct superblock_security_struct *sbsec; 390 391 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 392 if (!sbsec) 393 return -ENOMEM; 394 395 mutex_init(&sbsec->lock); 396 INIT_LIST_HEAD(&sbsec->isec_head); 397 spin_lock_init(&sbsec->isec_lock); 398 sbsec->sb = sb; 399 sbsec->sid = SECINITSID_UNLABELED; 400 sbsec->def_sid = SECINITSID_FILE; 401 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 402 sb->s_security = sbsec; 403 404 return 0; 405 } 406 407 static void superblock_free_security(struct super_block *sb) 408 { 409 struct superblock_security_struct *sbsec = sb->s_security; 410 sb->s_security = NULL; 411 kfree(sbsec); 412 } 413 414 static inline int inode_doinit(struct inode *inode) 415 { 416 return inode_doinit_with_dentry(inode, NULL); 417 } 418 419 enum { 420 Opt_error = -1, 421 Opt_context = 1, 422 Opt_fscontext = 2, 423 Opt_defcontext = 3, 424 Opt_rootcontext = 4, 425 Opt_labelsupport = 5, 426 Opt_nextmntopt = 6, 427 }; 428 429 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1) 430 431 static const match_table_t tokens = { 432 {Opt_context, CONTEXT_STR "%s"}, 433 {Opt_fscontext, FSCONTEXT_STR "%s"}, 434 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 435 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 436 {Opt_labelsupport, LABELSUPP_STR}, 437 {Opt_error, NULL}, 438 }; 439 440 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 441 442 static int may_context_mount_sb_relabel(u32 sid, 443 struct superblock_security_struct *sbsec, 444 const struct cred *cred) 445 { 446 const struct task_security_struct *tsec = cred->security; 447 int rc; 448 449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 450 FILESYSTEM__RELABELFROM, NULL); 451 if (rc) 452 return rc; 453 454 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 455 FILESYSTEM__RELABELTO, NULL); 456 return rc; 457 } 458 459 static int may_context_mount_inode_relabel(u32 sid, 460 struct superblock_security_struct *sbsec, 461 const struct cred *cred) 462 { 463 const struct task_security_struct *tsec = cred->security; 464 int rc; 465 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 466 FILESYSTEM__RELABELFROM, NULL); 467 if (rc) 468 return rc; 469 470 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 471 FILESYSTEM__ASSOCIATE, NULL); 472 return rc; 473 } 474 475 static int selinux_is_sblabel_mnt(struct super_block *sb) 476 { 477 struct superblock_security_struct *sbsec = sb->s_security; 478 479 return sbsec->behavior == SECURITY_FS_USE_XATTR || 480 sbsec->behavior == SECURITY_FS_USE_TRANS || 481 sbsec->behavior == SECURITY_FS_USE_TASK || 482 sbsec->behavior == SECURITY_FS_USE_NATIVE || 483 /* Special handling. Genfs but also in-core setxattr handler */ 484 !strcmp(sb->s_type->name, "sysfs") || 485 !strcmp(sb->s_type->name, "pstore") || 486 !strcmp(sb->s_type->name, "debugfs") || 487 !strcmp(sb->s_type->name, "tracefs") || 488 !strcmp(sb->s_type->name, "rootfs") || 489 (selinux_policycap_cgroupseclabel && 490 (!strcmp(sb->s_type->name, "cgroup") || 491 !strcmp(sb->s_type->name, "cgroup2"))); 492 } 493 494 static int sb_finish_set_opts(struct super_block *sb) 495 { 496 struct superblock_security_struct *sbsec = sb->s_security; 497 struct dentry *root = sb->s_root; 498 struct inode *root_inode = d_backing_inode(root); 499 int rc = 0; 500 501 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 502 /* Make sure that the xattr handler exists and that no 503 error other than -ENODATA is returned by getxattr on 504 the root directory. -ENODATA is ok, as this may be 505 the first boot of the SELinux kernel before we have 506 assigned xattr values to the filesystem. */ 507 if (!(root_inode->i_opflags & IOP_XATTR)) { 508 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 509 "xattr support\n", sb->s_id, sb->s_type->name); 510 rc = -EOPNOTSUPP; 511 goto out; 512 } 513 514 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 515 if (rc < 0 && rc != -ENODATA) { 516 if (rc == -EOPNOTSUPP) 517 printk(KERN_WARNING "SELinux: (dev %s, type " 518 "%s) has no security xattr handler\n", 519 sb->s_id, sb->s_type->name); 520 else 521 printk(KERN_WARNING "SELinux: (dev %s, type " 522 "%s) getxattr errno %d\n", sb->s_id, 523 sb->s_type->name, -rc); 524 goto out; 525 } 526 } 527 528 sbsec->flags |= SE_SBINITIALIZED; 529 530 /* 531 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 532 * leave the flag untouched because sb_clone_mnt_opts might be handing 533 * us a superblock that needs the flag to be cleared. 534 */ 535 if (selinux_is_sblabel_mnt(sb)) 536 sbsec->flags |= SBLABEL_MNT; 537 else 538 sbsec->flags &= ~SBLABEL_MNT; 539 540 /* Initialize the root inode. */ 541 rc = inode_doinit_with_dentry(root_inode, root); 542 543 /* Initialize any other inodes associated with the superblock, e.g. 544 inodes created prior to initial policy load or inodes created 545 during get_sb by a pseudo filesystem that directly 546 populates itself. */ 547 spin_lock(&sbsec->isec_lock); 548 next_inode: 549 if (!list_empty(&sbsec->isec_head)) { 550 struct inode_security_struct *isec = 551 list_entry(sbsec->isec_head.next, 552 struct inode_security_struct, list); 553 struct inode *inode = isec->inode; 554 list_del_init(&isec->list); 555 spin_unlock(&sbsec->isec_lock); 556 inode = igrab(inode); 557 if (inode) { 558 if (!IS_PRIVATE(inode)) 559 inode_doinit(inode); 560 iput(inode); 561 } 562 spin_lock(&sbsec->isec_lock); 563 goto next_inode; 564 } 565 spin_unlock(&sbsec->isec_lock); 566 out: 567 return rc; 568 } 569 570 /* 571 * This function should allow an FS to ask what it's mount security 572 * options were so it can use those later for submounts, displaying 573 * mount options, or whatever. 574 */ 575 static int selinux_get_mnt_opts(const struct super_block *sb, 576 struct security_mnt_opts *opts) 577 { 578 int rc = 0, i; 579 struct superblock_security_struct *sbsec = sb->s_security; 580 char *context = NULL; 581 u32 len; 582 char tmp; 583 584 security_init_mnt_opts(opts); 585 586 if (!(sbsec->flags & SE_SBINITIALIZED)) 587 return -EINVAL; 588 589 if (!ss_initialized) 590 return -EINVAL; 591 592 /* make sure we always check enough bits to cover the mask */ 593 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS)); 594 595 tmp = sbsec->flags & SE_MNTMASK; 596 /* count the number of mount options for this sb */ 597 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) { 598 if (tmp & 0x01) 599 opts->num_mnt_opts++; 600 tmp >>= 1; 601 } 602 /* Check if the Label support flag is set */ 603 if (sbsec->flags & SBLABEL_MNT) 604 opts->num_mnt_opts++; 605 606 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 607 if (!opts->mnt_opts) { 608 rc = -ENOMEM; 609 goto out_free; 610 } 611 612 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 613 if (!opts->mnt_opts_flags) { 614 rc = -ENOMEM; 615 goto out_free; 616 } 617 618 i = 0; 619 if (sbsec->flags & FSCONTEXT_MNT) { 620 rc = security_sid_to_context(sbsec->sid, &context, &len); 621 if (rc) 622 goto out_free; 623 opts->mnt_opts[i] = context; 624 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 625 } 626 if (sbsec->flags & CONTEXT_MNT) { 627 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 628 if (rc) 629 goto out_free; 630 opts->mnt_opts[i] = context; 631 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 632 } 633 if (sbsec->flags & DEFCONTEXT_MNT) { 634 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 635 if (rc) 636 goto out_free; 637 opts->mnt_opts[i] = context; 638 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 639 } 640 if (sbsec->flags & ROOTCONTEXT_MNT) { 641 struct dentry *root = sbsec->sb->s_root; 642 struct inode_security_struct *isec = backing_inode_security(root); 643 644 rc = security_sid_to_context(isec->sid, &context, &len); 645 if (rc) 646 goto out_free; 647 opts->mnt_opts[i] = context; 648 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 649 } 650 if (sbsec->flags & SBLABEL_MNT) { 651 opts->mnt_opts[i] = NULL; 652 opts->mnt_opts_flags[i++] = SBLABEL_MNT; 653 } 654 655 BUG_ON(i != opts->num_mnt_opts); 656 657 return 0; 658 659 out_free: 660 security_free_mnt_opts(opts); 661 return rc; 662 } 663 664 static int bad_option(struct superblock_security_struct *sbsec, char flag, 665 u32 old_sid, u32 new_sid) 666 { 667 char mnt_flags = sbsec->flags & SE_MNTMASK; 668 669 /* check if the old mount command had the same options */ 670 if (sbsec->flags & SE_SBINITIALIZED) 671 if (!(sbsec->flags & flag) || 672 (old_sid != new_sid)) 673 return 1; 674 675 /* check if we were passed the same options twice, 676 * aka someone passed context=a,context=b 677 */ 678 if (!(sbsec->flags & SE_SBINITIALIZED)) 679 if (mnt_flags & flag) 680 return 1; 681 return 0; 682 } 683 684 /* 685 * Allow filesystems with binary mount data to explicitly set mount point 686 * labeling information. 687 */ 688 static int selinux_set_mnt_opts(struct super_block *sb, 689 struct security_mnt_opts *opts, 690 unsigned long kern_flags, 691 unsigned long *set_kern_flags) 692 { 693 const struct cred *cred = current_cred(); 694 int rc = 0, i; 695 struct superblock_security_struct *sbsec = sb->s_security; 696 const char *name = sb->s_type->name; 697 struct dentry *root = sbsec->sb->s_root; 698 struct inode_security_struct *root_isec; 699 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 700 u32 defcontext_sid = 0; 701 char **mount_options = opts->mnt_opts; 702 int *flags = opts->mnt_opts_flags; 703 int num_opts = opts->num_mnt_opts; 704 705 mutex_lock(&sbsec->lock); 706 707 if (!ss_initialized) { 708 if (!num_opts) { 709 /* Defer initialization until selinux_complete_init, 710 after the initial policy is loaded and the security 711 server is ready to handle calls. */ 712 goto out; 713 } 714 rc = -EINVAL; 715 printk(KERN_WARNING "SELinux: Unable to set superblock options " 716 "before the security server is initialized\n"); 717 goto out; 718 } 719 if (kern_flags && !set_kern_flags) { 720 /* Specifying internal flags without providing a place to 721 * place the results is not allowed */ 722 rc = -EINVAL; 723 goto out; 724 } 725 726 /* 727 * Binary mount data FS will come through this function twice. Once 728 * from an explicit call and once from the generic calls from the vfs. 729 * Since the generic VFS calls will not contain any security mount data 730 * we need to skip the double mount verification. 731 * 732 * This does open a hole in which we will not notice if the first 733 * mount using this sb set explict options and a second mount using 734 * this sb does not set any security options. (The first options 735 * will be used for both mounts) 736 */ 737 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 738 && (num_opts == 0)) 739 goto out; 740 741 root_isec = backing_inode_security_novalidate(root); 742 743 /* 744 * parse the mount options, check if they are valid sids. 745 * also check if someone is trying to mount the same sb more 746 * than once with different security options. 747 */ 748 for (i = 0; i < num_opts; i++) { 749 u32 sid; 750 751 if (flags[i] == SBLABEL_MNT) 752 continue; 753 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 754 if (rc) { 755 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 756 "(%s) failed for (dev %s, type %s) errno=%d\n", 757 mount_options[i], sb->s_id, name, rc); 758 goto out; 759 } 760 switch (flags[i]) { 761 case FSCONTEXT_MNT: 762 fscontext_sid = sid; 763 764 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 765 fscontext_sid)) 766 goto out_double_mount; 767 768 sbsec->flags |= FSCONTEXT_MNT; 769 break; 770 case CONTEXT_MNT: 771 context_sid = sid; 772 773 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 774 context_sid)) 775 goto out_double_mount; 776 777 sbsec->flags |= CONTEXT_MNT; 778 break; 779 case ROOTCONTEXT_MNT: 780 rootcontext_sid = sid; 781 782 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 783 rootcontext_sid)) 784 goto out_double_mount; 785 786 sbsec->flags |= ROOTCONTEXT_MNT; 787 788 break; 789 case DEFCONTEXT_MNT: 790 defcontext_sid = sid; 791 792 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 793 defcontext_sid)) 794 goto out_double_mount; 795 796 sbsec->flags |= DEFCONTEXT_MNT; 797 798 break; 799 default: 800 rc = -EINVAL; 801 goto out; 802 } 803 } 804 805 if (sbsec->flags & SE_SBINITIALIZED) { 806 /* previously mounted with options, but not on this attempt? */ 807 if ((sbsec->flags & SE_MNTMASK) && !num_opts) 808 goto out_double_mount; 809 rc = 0; 810 goto out; 811 } 812 813 if (strcmp(sb->s_type->name, "proc") == 0) 814 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 815 816 if (!strcmp(sb->s_type->name, "debugfs") || 817 !strcmp(sb->s_type->name, "tracefs") || 818 !strcmp(sb->s_type->name, "sysfs") || 819 !strcmp(sb->s_type->name, "pstore") || 820 !strcmp(sb->s_type->name, "cgroup") || 821 !strcmp(sb->s_type->name, "cgroup2")) 822 sbsec->flags |= SE_SBGENFS; 823 824 if (!sbsec->behavior) { 825 /* 826 * Determine the labeling behavior to use for this 827 * filesystem type. 828 */ 829 rc = security_fs_use(sb); 830 if (rc) { 831 printk(KERN_WARNING 832 "%s: security_fs_use(%s) returned %d\n", 833 __func__, sb->s_type->name, rc); 834 goto out; 835 } 836 } 837 838 /* 839 * If this is a user namespace mount and the filesystem type is not 840 * explicitly whitelisted, then no contexts are allowed on the command 841 * line and security labels must be ignored. 842 */ 843 if (sb->s_user_ns != &init_user_ns && 844 strcmp(sb->s_type->name, "tmpfs") && 845 strcmp(sb->s_type->name, "ramfs") && 846 strcmp(sb->s_type->name, "devpts")) { 847 if (context_sid || fscontext_sid || rootcontext_sid || 848 defcontext_sid) { 849 rc = -EACCES; 850 goto out; 851 } 852 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 853 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 854 rc = security_transition_sid(current_sid(), current_sid(), 855 SECCLASS_FILE, NULL, 856 &sbsec->mntpoint_sid); 857 if (rc) 858 goto out; 859 } 860 goto out_set_opts; 861 } 862 863 /* sets the context of the superblock for the fs being mounted. */ 864 if (fscontext_sid) { 865 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 866 if (rc) 867 goto out; 868 869 sbsec->sid = fscontext_sid; 870 } 871 872 /* 873 * Switch to using mount point labeling behavior. 874 * sets the label used on all file below the mountpoint, and will set 875 * the superblock context if not already set. 876 */ 877 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 878 sbsec->behavior = SECURITY_FS_USE_NATIVE; 879 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 880 } 881 882 if (context_sid) { 883 if (!fscontext_sid) { 884 rc = may_context_mount_sb_relabel(context_sid, sbsec, 885 cred); 886 if (rc) 887 goto out; 888 sbsec->sid = context_sid; 889 } else { 890 rc = may_context_mount_inode_relabel(context_sid, sbsec, 891 cred); 892 if (rc) 893 goto out; 894 } 895 if (!rootcontext_sid) 896 rootcontext_sid = context_sid; 897 898 sbsec->mntpoint_sid = context_sid; 899 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 900 } 901 902 if (rootcontext_sid) { 903 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 904 cred); 905 if (rc) 906 goto out; 907 908 root_isec->sid = rootcontext_sid; 909 root_isec->initialized = LABEL_INITIALIZED; 910 } 911 912 if (defcontext_sid) { 913 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 914 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 915 rc = -EINVAL; 916 printk(KERN_WARNING "SELinux: defcontext option is " 917 "invalid for this filesystem type\n"); 918 goto out; 919 } 920 921 if (defcontext_sid != sbsec->def_sid) { 922 rc = may_context_mount_inode_relabel(defcontext_sid, 923 sbsec, cred); 924 if (rc) 925 goto out; 926 } 927 928 sbsec->def_sid = defcontext_sid; 929 } 930 931 out_set_opts: 932 rc = sb_finish_set_opts(sb); 933 out: 934 mutex_unlock(&sbsec->lock); 935 return rc; 936 out_double_mount: 937 rc = -EINVAL; 938 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 939 "security settings for (dev %s, type %s)\n", sb->s_id, name); 940 goto out; 941 } 942 943 static int selinux_cmp_sb_context(const struct super_block *oldsb, 944 const struct super_block *newsb) 945 { 946 struct superblock_security_struct *old = oldsb->s_security; 947 struct superblock_security_struct *new = newsb->s_security; 948 char oldflags = old->flags & SE_MNTMASK; 949 char newflags = new->flags & SE_MNTMASK; 950 951 if (oldflags != newflags) 952 goto mismatch; 953 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 954 goto mismatch; 955 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 956 goto mismatch; 957 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 958 goto mismatch; 959 if (oldflags & ROOTCONTEXT_MNT) { 960 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 961 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 962 if (oldroot->sid != newroot->sid) 963 goto mismatch; 964 } 965 return 0; 966 mismatch: 967 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, " 968 "different security settings for (dev %s, " 969 "type %s)\n", newsb->s_id, newsb->s_type->name); 970 return -EBUSY; 971 } 972 973 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 974 struct super_block *newsb, 975 unsigned long kern_flags, 976 unsigned long *set_kern_flags) 977 { 978 int rc = 0; 979 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 980 struct superblock_security_struct *newsbsec = newsb->s_security; 981 982 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 983 int set_context = (oldsbsec->flags & CONTEXT_MNT); 984 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 985 986 /* 987 * if the parent was able to be mounted it clearly had no special lsm 988 * mount options. thus we can safely deal with this superblock later 989 */ 990 if (!ss_initialized) 991 return 0; 992 993 /* 994 * Specifying internal flags without providing a place to 995 * place the results is not allowed. 996 */ 997 if (kern_flags && !set_kern_flags) 998 return -EINVAL; 999 1000 /* how can we clone if the old one wasn't set up?? */ 1001 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 1002 1003 /* if fs is reusing a sb, make sure that the contexts match */ 1004 if (newsbsec->flags & SE_SBINITIALIZED) 1005 return selinux_cmp_sb_context(oldsb, newsb); 1006 1007 mutex_lock(&newsbsec->lock); 1008 1009 newsbsec->flags = oldsbsec->flags; 1010 1011 newsbsec->sid = oldsbsec->sid; 1012 newsbsec->def_sid = oldsbsec->def_sid; 1013 newsbsec->behavior = oldsbsec->behavior; 1014 1015 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 1016 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 1017 rc = security_fs_use(newsb); 1018 if (rc) 1019 goto out; 1020 } 1021 1022 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 1023 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 1024 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 1025 } 1026 1027 if (set_context) { 1028 u32 sid = oldsbsec->mntpoint_sid; 1029 1030 if (!set_fscontext) 1031 newsbsec->sid = sid; 1032 if (!set_rootcontext) { 1033 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1034 newisec->sid = sid; 1035 } 1036 newsbsec->mntpoint_sid = sid; 1037 } 1038 if (set_rootcontext) { 1039 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 1040 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1041 1042 newisec->sid = oldisec->sid; 1043 } 1044 1045 sb_finish_set_opts(newsb); 1046 out: 1047 mutex_unlock(&newsbsec->lock); 1048 return rc; 1049 } 1050 1051 static int selinux_parse_opts_str(char *options, 1052 struct security_mnt_opts *opts) 1053 { 1054 char *p; 1055 char *context = NULL, *defcontext = NULL; 1056 char *fscontext = NULL, *rootcontext = NULL; 1057 int rc, num_mnt_opts = 0; 1058 1059 opts->num_mnt_opts = 0; 1060 1061 /* Standard string-based options. */ 1062 while ((p = strsep(&options, "|")) != NULL) { 1063 int token; 1064 substring_t args[MAX_OPT_ARGS]; 1065 1066 if (!*p) 1067 continue; 1068 1069 token = match_token(p, tokens, args); 1070 1071 switch (token) { 1072 case Opt_context: 1073 if (context || defcontext) { 1074 rc = -EINVAL; 1075 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1076 goto out_err; 1077 } 1078 context = match_strdup(&args[0]); 1079 if (!context) { 1080 rc = -ENOMEM; 1081 goto out_err; 1082 } 1083 break; 1084 1085 case Opt_fscontext: 1086 if (fscontext) { 1087 rc = -EINVAL; 1088 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1089 goto out_err; 1090 } 1091 fscontext = match_strdup(&args[0]); 1092 if (!fscontext) { 1093 rc = -ENOMEM; 1094 goto out_err; 1095 } 1096 break; 1097 1098 case Opt_rootcontext: 1099 if (rootcontext) { 1100 rc = -EINVAL; 1101 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1102 goto out_err; 1103 } 1104 rootcontext = match_strdup(&args[0]); 1105 if (!rootcontext) { 1106 rc = -ENOMEM; 1107 goto out_err; 1108 } 1109 break; 1110 1111 case Opt_defcontext: 1112 if (context || defcontext) { 1113 rc = -EINVAL; 1114 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1115 goto out_err; 1116 } 1117 defcontext = match_strdup(&args[0]); 1118 if (!defcontext) { 1119 rc = -ENOMEM; 1120 goto out_err; 1121 } 1122 break; 1123 case Opt_labelsupport: 1124 break; 1125 default: 1126 rc = -EINVAL; 1127 printk(KERN_WARNING "SELinux: unknown mount option\n"); 1128 goto out_err; 1129 1130 } 1131 } 1132 1133 rc = -ENOMEM; 1134 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL); 1135 if (!opts->mnt_opts) 1136 goto out_err; 1137 1138 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), 1139 GFP_KERNEL); 1140 if (!opts->mnt_opts_flags) 1141 goto out_err; 1142 1143 if (fscontext) { 1144 opts->mnt_opts[num_mnt_opts] = fscontext; 1145 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 1146 } 1147 if (context) { 1148 opts->mnt_opts[num_mnt_opts] = context; 1149 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 1150 } 1151 if (rootcontext) { 1152 opts->mnt_opts[num_mnt_opts] = rootcontext; 1153 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 1154 } 1155 if (defcontext) { 1156 opts->mnt_opts[num_mnt_opts] = defcontext; 1157 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 1158 } 1159 1160 opts->num_mnt_opts = num_mnt_opts; 1161 return 0; 1162 1163 out_err: 1164 security_free_mnt_opts(opts); 1165 kfree(context); 1166 kfree(defcontext); 1167 kfree(fscontext); 1168 kfree(rootcontext); 1169 return rc; 1170 } 1171 /* 1172 * string mount options parsing and call set the sbsec 1173 */ 1174 static int superblock_doinit(struct super_block *sb, void *data) 1175 { 1176 int rc = 0; 1177 char *options = data; 1178 struct security_mnt_opts opts; 1179 1180 security_init_mnt_opts(&opts); 1181 1182 if (!data) 1183 goto out; 1184 1185 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 1186 1187 rc = selinux_parse_opts_str(options, &opts); 1188 if (rc) 1189 goto out_err; 1190 1191 out: 1192 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL); 1193 1194 out_err: 1195 security_free_mnt_opts(&opts); 1196 return rc; 1197 } 1198 1199 static void selinux_write_opts(struct seq_file *m, 1200 struct security_mnt_opts *opts) 1201 { 1202 int i; 1203 char *prefix; 1204 1205 for (i = 0; i < opts->num_mnt_opts; i++) { 1206 char *has_comma; 1207 1208 if (opts->mnt_opts[i]) 1209 has_comma = strchr(opts->mnt_opts[i], ','); 1210 else 1211 has_comma = NULL; 1212 1213 switch (opts->mnt_opts_flags[i]) { 1214 case CONTEXT_MNT: 1215 prefix = CONTEXT_STR; 1216 break; 1217 case FSCONTEXT_MNT: 1218 prefix = FSCONTEXT_STR; 1219 break; 1220 case ROOTCONTEXT_MNT: 1221 prefix = ROOTCONTEXT_STR; 1222 break; 1223 case DEFCONTEXT_MNT: 1224 prefix = DEFCONTEXT_STR; 1225 break; 1226 case SBLABEL_MNT: 1227 seq_putc(m, ','); 1228 seq_puts(m, LABELSUPP_STR); 1229 continue; 1230 default: 1231 BUG(); 1232 return; 1233 }; 1234 /* we need a comma before each option */ 1235 seq_putc(m, ','); 1236 seq_puts(m, prefix); 1237 if (has_comma) 1238 seq_putc(m, '\"'); 1239 seq_escape(m, opts->mnt_opts[i], "\"\n\\"); 1240 if (has_comma) 1241 seq_putc(m, '\"'); 1242 } 1243 } 1244 1245 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1246 { 1247 struct security_mnt_opts opts; 1248 int rc; 1249 1250 rc = selinux_get_mnt_opts(sb, &opts); 1251 if (rc) { 1252 /* before policy load we may get EINVAL, don't show anything */ 1253 if (rc == -EINVAL) 1254 rc = 0; 1255 return rc; 1256 } 1257 1258 selinux_write_opts(m, &opts); 1259 1260 security_free_mnt_opts(&opts); 1261 1262 return rc; 1263 } 1264 1265 static inline u16 inode_mode_to_security_class(umode_t mode) 1266 { 1267 switch (mode & S_IFMT) { 1268 case S_IFSOCK: 1269 return SECCLASS_SOCK_FILE; 1270 case S_IFLNK: 1271 return SECCLASS_LNK_FILE; 1272 case S_IFREG: 1273 return SECCLASS_FILE; 1274 case S_IFBLK: 1275 return SECCLASS_BLK_FILE; 1276 case S_IFDIR: 1277 return SECCLASS_DIR; 1278 case S_IFCHR: 1279 return SECCLASS_CHR_FILE; 1280 case S_IFIFO: 1281 return SECCLASS_FIFO_FILE; 1282 1283 } 1284 1285 return SECCLASS_FILE; 1286 } 1287 1288 static inline int default_protocol_stream(int protocol) 1289 { 1290 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1291 } 1292 1293 static inline int default_protocol_dgram(int protocol) 1294 { 1295 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1296 } 1297 1298 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1299 { 1300 int extsockclass = selinux_policycap_extsockclass; 1301 1302 switch (family) { 1303 case PF_UNIX: 1304 switch (type) { 1305 case SOCK_STREAM: 1306 case SOCK_SEQPACKET: 1307 return SECCLASS_UNIX_STREAM_SOCKET; 1308 case SOCK_DGRAM: 1309 case SOCK_RAW: 1310 return SECCLASS_UNIX_DGRAM_SOCKET; 1311 } 1312 break; 1313 case PF_INET: 1314 case PF_INET6: 1315 switch (type) { 1316 case SOCK_STREAM: 1317 case SOCK_SEQPACKET: 1318 if (default_protocol_stream(protocol)) 1319 return SECCLASS_TCP_SOCKET; 1320 else if (extsockclass && protocol == IPPROTO_SCTP) 1321 return SECCLASS_SCTP_SOCKET; 1322 else 1323 return SECCLASS_RAWIP_SOCKET; 1324 case SOCK_DGRAM: 1325 if (default_protocol_dgram(protocol)) 1326 return SECCLASS_UDP_SOCKET; 1327 else if (extsockclass && (protocol == IPPROTO_ICMP || 1328 protocol == IPPROTO_ICMPV6)) 1329 return SECCLASS_ICMP_SOCKET; 1330 else 1331 return SECCLASS_RAWIP_SOCKET; 1332 case SOCK_DCCP: 1333 return SECCLASS_DCCP_SOCKET; 1334 default: 1335 return SECCLASS_RAWIP_SOCKET; 1336 } 1337 break; 1338 case PF_NETLINK: 1339 switch (protocol) { 1340 case NETLINK_ROUTE: 1341 return SECCLASS_NETLINK_ROUTE_SOCKET; 1342 case NETLINK_SOCK_DIAG: 1343 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1344 case NETLINK_NFLOG: 1345 return SECCLASS_NETLINK_NFLOG_SOCKET; 1346 case NETLINK_XFRM: 1347 return SECCLASS_NETLINK_XFRM_SOCKET; 1348 case NETLINK_SELINUX: 1349 return SECCLASS_NETLINK_SELINUX_SOCKET; 1350 case NETLINK_ISCSI: 1351 return SECCLASS_NETLINK_ISCSI_SOCKET; 1352 case NETLINK_AUDIT: 1353 return SECCLASS_NETLINK_AUDIT_SOCKET; 1354 case NETLINK_FIB_LOOKUP: 1355 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1356 case NETLINK_CONNECTOR: 1357 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1358 case NETLINK_NETFILTER: 1359 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1360 case NETLINK_DNRTMSG: 1361 return SECCLASS_NETLINK_DNRT_SOCKET; 1362 case NETLINK_KOBJECT_UEVENT: 1363 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1364 case NETLINK_GENERIC: 1365 return SECCLASS_NETLINK_GENERIC_SOCKET; 1366 case NETLINK_SCSITRANSPORT: 1367 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1368 case NETLINK_RDMA: 1369 return SECCLASS_NETLINK_RDMA_SOCKET; 1370 case NETLINK_CRYPTO: 1371 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1372 default: 1373 return SECCLASS_NETLINK_SOCKET; 1374 } 1375 case PF_PACKET: 1376 return SECCLASS_PACKET_SOCKET; 1377 case PF_KEY: 1378 return SECCLASS_KEY_SOCKET; 1379 case PF_APPLETALK: 1380 return SECCLASS_APPLETALK_SOCKET; 1381 } 1382 1383 if (extsockclass) { 1384 switch (family) { 1385 case PF_AX25: 1386 return SECCLASS_AX25_SOCKET; 1387 case PF_IPX: 1388 return SECCLASS_IPX_SOCKET; 1389 case PF_NETROM: 1390 return SECCLASS_NETROM_SOCKET; 1391 case PF_ATMPVC: 1392 return SECCLASS_ATMPVC_SOCKET; 1393 case PF_X25: 1394 return SECCLASS_X25_SOCKET; 1395 case PF_ROSE: 1396 return SECCLASS_ROSE_SOCKET; 1397 case PF_DECnet: 1398 return SECCLASS_DECNET_SOCKET; 1399 case PF_ATMSVC: 1400 return SECCLASS_ATMSVC_SOCKET; 1401 case PF_RDS: 1402 return SECCLASS_RDS_SOCKET; 1403 case PF_IRDA: 1404 return SECCLASS_IRDA_SOCKET; 1405 case PF_PPPOX: 1406 return SECCLASS_PPPOX_SOCKET; 1407 case PF_LLC: 1408 return SECCLASS_LLC_SOCKET; 1409 case PF_CAN: 1410 return SECCLASS_CAN_SOCKET; 1411 case PF_TIPC: 1412 return SECCLASS_TIPC_SOCKET; 1413 case PF_BLUETOOTH: 1414 return SECCLASS_BLUETOOTH_SOCKET; 1415 case PF_IUCV: 1416 return SECCLASS_IUCV_SOCKET; 1417 case PF_RXRPC: 1418 return SECCLASS_RXRPC_SOCKET; 1419 case PF_ISDN: 1420 return SECCLASS_ISDN_SOCKET; 1421 case PF_PHONET: 1422 return SECCLASS_PHONET_SOCKET; 1423 case PF_IEEE802154: 1424 return SECCLASS_IEEE802154_SOCKET; 1425 case PF_CAIF: 1426 return SECCLASS_CAIF_SOCKET; 1427 case PF_ALG: 1428 return SECCLASS_ALG_SOCKET; 1429 case PF_NFC: 1430 return SECCLASS_NFC_SOCKET; 1431 case PF_VSOCK: 1432 return SECCLASS_VSOCK_SOCKET; 1433 case PF_KCM: 1434 return SECCLASS_KCM_SOCKET; 1435 case PF_QIPCRTR: 1436 return SECCLASS_QIPCRTR_SOCKET; 1437 case PF_SMC: 1438 return SECCLASS_SMC_SOCKET; 1439 #if PF_MAX > 44 1440 #error New address family defined, please update this function. 1441 #endif 1442 } 1443 } 1444 1445 return SECCLASS_SOCKET; 1446 } 1447 1448 static int selinux_genfs_get_sid(struct dentry *dentry, 1449 u16 tclass, 1450 u16 flags, 1451 u32 *sid) 1452 { 1453 int rc; 1454 struct super_block *sb = dentry->d_sb; 1455 char *buffer, *path; 1456 1457 buffer = (char *)__get_free_page(GFP_KERNEL); 1458 if (!buffer) 1459 return -ENOMEM; 1460 1461 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1462 if (IS_ERR(path)) 1463 rc = PTR_ERR(path); 1464 else { 1465 if (flags & SE_SBPROC) { 1466 /* each process gets a /proc/PID/ entry. Strip off the 1467 * PID part to get a valid selinux labeling. 1468 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1469 while (path[1] >= '0' && path[1] <= '9') { 1470 path[1] = '/'; 1471 path++; 1472 } 1473 } 1474 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid); 1475 } 1476 free_page((unsigned long)buffer); 1477 return rc; 1478 } 1479 1480 /* The inode's security attributes must be initialized before first use. */ 1481 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1482 { 1483 struct superblock_security_struct *sbsec = NULL; 1484 struct inode_security_struct *isec = inode->i_security; 1485 u32 task_sid, sid = 0; 1486 u16 sclass; 1487 struct dentry *dentry; 1488 #define INITCONTEXTLEN 255 1489 char *context = NULL; 1490 unsigned len = 0; 1491 int rc = 0; 1492 1493 if (isec->initialized == LABEL_INITIALIZED) 1494 return 0; 1495 1496 spin_lock(&isec->lock); 1497 if (isec->initialized == LABEL_INITIALIZED) 1498 goto out_unlock; 1499 1500 if (isec->sclass == SECCLASS_FILE) 1501 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1502 1503 sbsec = inode->i_sb->s_security; 1504 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1505 /* Defer initialization until selinux_complete_init, 1506 after the initial policy is loaded and the security 1507 server is ready to handle calls. */ 1508 spin_lock(&sbsec->isec_lock); 1509 if (list_empty(&isec->list)) 1510 list_add(&isec->list, &sbsec->isec_head); 1511 spin_unlock(&sbsec->isec_lock); 1512 goto out_unlock; 1513 } 1514 1515 sclass = isec->sclass; 1516 task_sid = isec->task_sid; 1517 sid = isec->sid; 1518 isec->initialized = LABEL_PENDING; 1519 spin_unlock(&isec->lock); 1520 1521 switch (sbsec->behavior) { 1522 case SECURITY_FS_USE_NATIVE: 1523 break; 1524 case SECURITY_FS_USE_XATTR: 1525 if (!(inode->i_opflags & IOP_XATTR)) { 1526 sid = sbsec->def_sid; 1527 break; 1528 } 1529 /* Need a dentry, since the xattr API requires one. 1530 Life would be simpler if we could just pass the inode. */ 1531 if (opt_dentry) { 1532 /* Called from d_instantiate or d_splice_alias. */ 1533 dentry = dget(opt_dentry); 1534 } else { 1535 /* Called from selinux_complete_init, try to find a dentry. */ 1536 dentry = d_find_alias(inode); 1537 } 1538 if (!dentry) { 1539 /* 1540 * this is can be hit on boot when a file is accessed 1541 * before the policy is loaded. When we load policy we 1542 * may find inodes that have no dentry on the 1543 * sbsec->isec_head list. No reason to complain as these 1544 * will get fixed up the next time we go through 1545 * inode_doinit with a dentry, before these inodes could 1546 * be used again by userspace. 1547 */ 1548 goto out; 1549 } 1550 1551 len = INITCONTEXTLEN; 1552 context = kmalloc(len+1, GFP_NOFS); 1553 if (!context) { 1554 rc = -ENOMEM; 1555 dput(dentry); 1556 goto out; 1557 } 1558 context[len] = '\0'; 1559 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1560 if (rc == -ERANGE) { 1561 kfree(context); 1562 1563 /* Need a larger buffer. Query for the right size. */ 1564 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1565 if (rc < 0) { 1566 dput(dentry); 1567 goto out; 1568 } 1569 len = rc; 1570 context = kmalloc(len+1, GFP_NOFS); 1571 if (!context) { 1572 rc = -ENOMEM; 1573 dput(dentry); 1574 goto out; 1575 } 1576 context[len] = '\0'; 1577 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1578 } 1579 dput(dentry); 1580 if (rc < 0) { 1581 if (rc != -ENODATA) { 1582 printk(KERN_WARNING "SELinux: %s: getxattr returned " 1583 "%d for dev=%s ino=%ld\n", __func__, 1584 -rc, inode->i_sb->s_id, inode->i_ino); 1585 kfree(context); 1586 goto out; 1587 } 1588 /* Map ENODATA to the default file SID */ 1589 sid = sbsec->def_sid; 1590 rc = 0; 1591 } else { 1592 rc = security_context_to_sid_default(context, rc, &sid, 1593 sbsec->def_sid, 1594 GFP_NOFS); 1595 if (rc) { 1596 char *dev = inode->i_sb->s_id; 1597 unsigned long ino = inode->i_ino; 1598 1599 if (rc == -EINVAL) { 1600 if (printk_ratelimit()) 1601 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " 1602 "context=%s. This indicates you may need to relabel the inode or the " 1603 "filesystem in question.\n", ino, dev, context); 1604 } else { 1605 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1606 "returned %d for dev=%s ino=%ld\n", 1607 __func__, context, -rc, dev, ino); 1608 } 1609 kfree(context); 1610 /* Leave with the unlabeled SID */ 1611 rc = 0; 1612 break; 1613 } 1614 } 1615 kfree(context); 1616 break; 1617 case SECURITY_FS_USE_TASK: 1618 sid = task_sid; 1619 break; 1620 case SECURITY_FS_USE_TRANS: 1621 /* Default to the fs SID. */ 1622 sid = sbsec->sid; 1623 1624 /* Try to obtain a transition SID. */ 1625 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid); 1626 if (rc) 1627 goto out; 1628 break; 1629 case SECURITY_FS_USE_MNTPOINT: 1630 sid = sbsec->mntpoint_sid; 1631 break; 1632 default: 1633 /* Default to the fs superblock SID. */ 1634 sid = sbsec->sid; 1635 1636 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { 1637 /* We must have a dentry to determine the label on 1638 * procfs inodes */ 1639 if (opt_dentry) 1640 /* Called from d_instantiate or 1641 * d_splice_alias. */ 1642 dentry = dget(opt_dentry); 1643 else 1644 /* Called from selinux_complete_init, try to 1645 * find a dentry. */ 1646 dentry = d_find_alias(inode); 1647 /* 1648 * This can be hit on boot when a file is accessed 1649 * before the policy is loaded. When we load policy we 1650 * may find inodes that have no dentry on the 1651 * sbsec->isec_head list. No reason to complain as 1652 * these will get fixed up the next time we go through 1653 * inode_doinit() with a dentry, before these inodes 1654 * could be used again by userspace. 1655 */ 1656 if (!dentry) 1657 goto out; 1658 rc = selinux_genfs_get_sid(dentry, sclass, 1659 sbsec->flags, &sid); 1660 dput(dentry); 1661 if (rc) 1662 goto out; 1663 } 1664 break; 1665 } 1666 1667 out: 1668 spin_lock(&isec->lock); 1669 if (isec->initialized == LABEL_PENDING) { 1670 if (!sid || rc) { 1671 isec->initialized = LABEL_INVALID; 1672 goto out_unlock; 1673 } 1674 1675 isec->initialized = LABEL_INITIALIZED; 1676 isec->sid = sid; 1677 } 1678 1679 out_unlock: 1680 spin_unlock(&isec->lock); 1681 return rc; 1682 } 1683 1684 /* Convert a Linux signal to an access vector. */ 1685 static inline u32 signal_to_av(int sig) 1686 { 1687 u32 perm = 0; 1688 1689 switch (sig) { 1690 case SIGCHLD: 1691 /* Commonly granted from child to parent. */ 1692 perm = PROCESS__SIGCHLD; 1693 break; 1694 case SIGKILL: 1695 /* Cannot be caught or ignored */ 1696 perm = PROCESS__SIGKILL; 1697 break; 1698 case SIGSTOP: 1699 /* Cannot be caught or ignored */ 1700 perm = PROCESS__SIGSTOP; 1701 break; 1702 default: 1703 /* All other signals. */ 1704 perm = PROCESS__SIGNAL; 1705 break; 1706 } 1707 1708 return perm; 1709 } 1710 1711 #if CAP_LAST_CAP > 63 1712 #error Fix SELinux to handle capabilities > 63. 1713 #endif 1714 1715 /* Check whether a task is allowed to use a capability. */ 1716 static int cred_has_capability(const struct cred *cred, 1717 int cap, int audit, bool initns) 1718 { 1719 struct common_audit_data ad; 1720 struct av_decision avd; 1721 u16 sclass; 1722 u32 sid = cred_sid(cred); 1723 u32 av = CAP_TO_MASK(cap); 1724 int rc; 1725 1726 ad.type = LSM_AUDIT_DATA_CAP; 1727 ad.u.cap = cap; 1728 1729 switch (CAP_TO_INDEX(cap)) { 1730 case 0: 1731 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1732 break; 1733 case 1: 1734 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1735 break; 1736 default: 1737 printk(KERN_ERR 1738 "SELinux: out of range capability %d\n", cap); 1739 BUG(); 1740 return -EINVAL; 1741 } 1742 1743 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1744 if (audit == SECURITY_CAP_AUDIT) { 1745 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); 1746 if (rc2) 1747 return rc2; 1748 } 1749 return rc; 1750 } 1751 1752 /* Check whether a task has a particular permission to an inode. 1753 The 'adp' parameter is optional and allows other audit 1754 data to be passed (e.g. the dentry). */ 1755 static int inode_has_perm(const struct cred *cred, 1756 struct inode *inode, 1757 u32 perms, 1758 struct common_audit_data *adp) 1759 { 1760 struct inode_security_struct *isec; 1761 u32 sid; 1762 1763 validate_creds(cred); 1764 1765 if (unlikely(IS_PRIVATE(inode))) 1766 return 0; 1767 1768 sid = cred_sid(cred); 1769 isec = inode->i_security; 1770 1771 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1772 } 1773 1774 /* Same as inode_has_perm, but pass explicit audit data containing 1775 the dentry to help the auditing code to more easily generate the 1776 pathname if needed. */ 1777 static inline int dentry_has_perm(const struct cred *cred, 1778 struct dentry *dentry, 1779 u32 av) 1780 { 1781 struct inode *inode = d_backing_inode(dentry); 1782 struct common_audit_data ad; 1783 1784 ad.type = LSM_AUDIT_DATA_DENTRY; 1785 ad.u.dentry = dentry; 1786 __inode_security_revalidate(inode, dentry, true); 1787 return inode_has_perm(cred, inode, av, &ad); 1788 } 1789 1790 /* Same as inode_has_perm, but pass explicit audit data containing 1791 the path to help the auditing code to more easily generate the 1792 pathname if needed. */ 1793 static inline int path_has_perm(const struct cred *cred, 1794 const struct path *path, 1795 u32 av) 1796 { 1797 struct inode *inode = d_backing_inode(path->dentry); 1798 struct common_audit_data ad; 1799 1800 ad.type = LSM_AUDIT_DATA_PATH; 1801 ad.u.path = *path; 1802 __inode_security_revalidate(inode, path->dentry, true); 1803 return inode_has_perm(cred, inode, av, &ad); 1804 } 1805 1806 /* Same as path_has_perm, but uses the inode from the file struct. */ 1807 static inline int file_path_has_perm(const struct cred *cred, 1808 struct file *file, 1809 u32 av) 1810 { 1811 struct common_audit_data ad; 1812 1813 ad.type = LSM_AUDIT_DATA_FILE; 1814 ad.u.file = file; 1815 return inode_has_perm(cred, file_inode(file), av, &ad); 1816 } 1817 1818 #ifdef CONFIG_BPF_SYSCALL 1819 static int bpf_fd_pass(struct file *file, u32 sid); 1820 #endif 1821 1822 /* Check whether a task can use an open file descriptor to 1823 access an inode in a given way. Check access to the 1824 descriptor itself, and then use dentry_has_perm to 1825 check a particular permission to the file. 1826 Access to the descriptor is implicitly granted if it 1827 has the same SID as the process. If av is zero, then 1828 access to the file is not checked, e.g. for cases 1829 where only the descriptor is affected like seek. */ 1830 static int file_has_perm(const struct cred *cred, 1831 struct file *file, 1832 u32 av) 1833 { 1834 struct file_security_struct *fsec = file->f_security; 1835 struct inode *inode = file_inode(file); 1836 struct common_audit_data ad; 1837 u32 sid = cred_sid(cred); 1838 int rc; 1839 1840 ad.type = LSM_AUDIT_DATA_FILE; 1841 ad.u.file = file; 1842 1843 if (sid != fsec->sid) { 1844 rc = avc_has_perm(sid, fsec->sid, 1845 SECCLASS_FD, 1846 FD__USE, 1847 &ad); 1848 if (rc) 1849 goto out; 1850 } 1851 1852 #ifdef CONFIG_BPF_SYSCALL 1853 rc = bpf_fd_pass(file, cred_sid(cred)); 1854 if (rc) 1855 return rc; 1856 #endif 1857 1858 /* av is zero if only checking access to the descriptor. */ 1859 rc = 0; 1860 if (av) 1861 rc = inode_has_perm(cred, inode, av, &ad); 1862 1863 out: 1864 return rc; 1865 } 1866 1867 /* 1868 * Determine the label for an inode that might be unioned. 1869 */ 1870 static int 1871 selinux_determine_inode_label(const struct task_security_struct *tsec, 1872 struct inode *dir, 1873 const struct qstr *name, u16 tclass, 1874 u32 *_new_isid) 1875 { 1876 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1877 1878 if ((sbsec->flags & SE_SBINITIALIZED) && 1879 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1880 *_new_isid = sbsec->mntpoint_sid; 1881 } else if ((sbsec->flags & SBLABEL_MNT) && 1882 tsec->create_sid) { 1883 *_new_isid = tsec->create_sid; 1884 } else { 1885 const struct inode_security_struct *dsec = inode_security(dir); 1886 return security_transition_sid(tsec->sid, dsec->sid, tclass, 1887 name, _new_isid); 1888 } 1889 1890 return 0; 1891 } 1892 1893 /* Check whether a task can create a file. */ 1894 static int may_create(struct inode *dir, 1895 struct dentry *dentry, 1896 u16 tclass) 1897 { 1898 const struct task_security_struct *tsec = current_security(); 1899 struct inode_security_struct *dsec; 1900 struct superblock_security_struct *sbsec; 1901 u32 sid, newsid; 1902 struct common_audit_data ad; 1903 int rc; 1904 1905 dsec = inode_security(dir); 1906 sbsec = dir->i_sb->s_security; 1907 1908 sid = tsec->sid; 1909 1910 ad.type = LSM_AUDIT_DATA_DENTRY; 1911 ad.u.dentry = dentry; 1912 1913 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1914 DIR__ADD_NAME | DIR__SEARCH, 1915 &ad); 1916 if (rc) 1917 return rc; 1918 1919 rc = selinux_determine_inode_label(current_security(), dir, 1920 &dentry->d_name, tclass, &newsid); 1921 if (rc) 1922 return rc; 1923 1924 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1925 if (rc) 1926 return rc; 1927 1928 return avc_has_perm(newsid, sbsec->sid, 1929 SECCLASS_FILESYSTEM, 1930 FILESYSTEM__ASSOCIATE, &ad); 1931 } 1932 1933 #define MAY_LINK 0 1934 #define MAY_UNLINK 1 1935 #define MAY_RMDIR 2 1936 1937 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1938 static int may_link(struct inode *dir, 1939 struct dentry *dentry, 1940 int kind) 1941 1942 { 1943 struct inode_security_struct *dsec, *isec; 1944 struct common_audit_data ad; 1945 u32 sid = current_sid(); 1946 u32 av; 1947 int rc; 1948 1949 dsec = inode_security(dir); 1950 isec = backing_inode_security(dentry); 1951 1952 ad.type = LSM_AUDIT_DATA_DENTRY; 1953 ad.u.dentry = dentry; 1954 1955 av = DIR__SEARCH; 1956 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1957 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1958 if (rc) 1959 return rc; 1960 1961 switch (kind) { 1962 case MAY_LINK: 1963 av = FILE__LINK; 1964 break; 1965 case MAY_UNLINK: 1966 av = FILE__UNLINK; 1967 break; 1968 case MAY_RMDIR: 1969 av = DIR__RMDIR; 1970 break; 1971 default: 1972 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", 1973 __func__, kind); 1974 return 0; 1975 } 1976 1977 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1978 return rc; 1979 } 1980 1981 static inline int may_rename(struct inode *old_dir, 1982 struct dentry *old_dentry, 1983 struct inode *new_dir, 1984 struct dentry *new_dentry) 1985 { 1986 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1987 struct common_audit_data ad; 1988 u32 sid = current_sid(); 1989 u32 av; 1990 int old_is_dir, new_is_dir; 1991 int rc; 1992 1993 old_dsec = inode_security(old_dir); 1994 old_isec = backing_inode_security(old_dentry); 1995 old_is_dir = d_is_dir(old_dentry); 1996 new_dsec = inode_security(new_dir); 1997 1998 ad.type = LSM_AUDIT_DATA_DENTRY; 1999 2000 ad.u.dentry = old_dentry; 2001 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 2002 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 2003 if (rc) 2004 return rc; 2005 rc = avc_has_perm(sid, old_isec->sid, 2006 old_isec->sclass, FILE__RENAME, &ad); 2007 if (rc) 2008 return rc; 2009 if (old_is_dir && new_dir != old_dir) { 2010 rc = avc_has_perm(sid, old_isec->sid, 2011 old_isec->sclass, DIR__REPARENT, &ad); 2012 if (rc) 2013 return rc; 2014 } 2015 2016 ad.u.dentry = new_dentry; 2017 av = DIR__ADD_NAME | DIR__SEARCH; 2018 if (d_is_positive(new_dentry)) 2019 av |= DIR__REMOVE_NAME; 2020 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 2021 if (rc) 2022 return rc; 2023 if (d_is_positive(new_dentry)) { 2024 new_isec = backing_inode_security(new_dentry); 2025 new_is_dir = d_is_dir(new_dentry); 2026 rc = avc_has_perm(sid, new_isec->sid, 2027 new_isec->sclass, 2028 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 2029 if (rc) 2030 return rc; 2031 } 2032 2033 return 0; 2034 } 2035 2036 /* Check whether a task can perform a filesystem operation. */ 2037 static int superblock_has_perm(const struct cred *cred, 2038 struct super_block *sb, 2039 u32 perms, 2040 struct common_audit_data *ad) 2041 { 2042 struct superblock_security_struct *sbsec; 2043 u32 sid = cred_sid(cred); 2044 2045 sbsec = sb->s_security; 2046 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 2047 } 2048 2049 /* Convert a Linux mode and permission mask to an access vector. */ 2050 static inline u32 file_mask_to_av(int mode, int mask) 2051 { 2052 u32 av = 0; 2053 2054 if (!S_ISDIR(mode)) { 2055 if (mask & MAY_EXEC) 2056 av |= FILE__EXECUTE; 2057 if (mask & MAY_READ) 2058 av |= FILE__READ; 2059 2060 if (mask & MAY_APPEND) 2061 av |= FILE__APPEND; 2062 else if (mask & MAY_WRITE) 2063 av |= FILE__WRITE; 2064 2065 } else { 2066 if (mask & MAY_EXEC) 2067 av |= DIR__SEARCH; 2068 if (mask & MAY_WRITE) 2069 av |= DIR__WRITE; 2070 if (mask & MAY_READ) 2071 av |= DIR__READ; 2072 } 2073 2074 return av; 2075 } 2076 2077 /* Convert a Linux file to an access vector. */ 2078 static inline u32 file_to_av(struct file *file) 2079 { 2080 u32 av = 0; 2081 2082 if (file->f_mode & FMODE_READ) 2083 av |= FILE__READ; 2084 if (file->f_mode & FMODE_WRITE) { 2085 if (file->f_flags & O_APPEND) 2086 av |= FILE__APPEND; 2087 else 2088 av |= FILE__WRITE; 2089 } 2090 if (!av) { 2091 /* 2092 * Special file opened with flags 3 for ioctl-only use. 2093 */ 2094 av = FILE__IOCTL; 2095 } 2096 2097 return av; 2098 } 2099 2100 /* 2101 * Convert a file to an access vector and include the correct open 2102 * open permission. 2103 */ 2104 static inline u32 open_file_to_av(struct file *file) 2105 { 2106 u32 av = file_to_av(file); 2107 struct inode *inode = file_inode(file); 2108 2109 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC) 2110 av |= FILE__OPEN; 2111 2112 return av; 2113 } 2114 2115 /* Hook functions begin here. */ 2116 2117 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2118 { 2119 u32 mysid = current_sid(); 2120 u32 mgrsid = task_sid(mgr); 2121 2122 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, 2123 BINDER__SET_CONTEXT_MGR, NULL); 2124 } 2125 2126 static int selinux_binder_transaction(struct task_struct *from, 2127 struct task_struct *to) 2128 { 2129 u32 mysid = current_sid(); 2130 u32 fromsid = task_sid(from); 2131 u32 tosid = task_sid(to); 2132 int rc; 2133 2134 if (mysid != fromsid) { 2135 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2136 BINDER__IMPERSONATE, NULL); 2137 if (rc) 2138 return rc; 2139 } 2140 2141 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2142 NULL); 2143 } 2144 2145 static int selinux_binder_transfer_binder(struct task_struct *from, 2146 struct task_struct *to) 2147 { 2148 u32 fromsid = task_sid(from); 2149 u32 tosid = task_sid(to); 2150 2151 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2152 NULL); 2153 } 2154 2155 static int selinux_binder_transfer_file(struct task_struct *from, 2156 struct task_struct *to, 2157 struct file *file) 2158 { 2159 u32 sid = task_sid(to); 2160 struct file_security_struct *fsec = file->f_security; 2161 struct dentry *dentry = file->f_path.dentry; 2162 struct inode_security_struct *isec; 2163 struct common_audit_data ad; 2164 int rc; 2165 2166 ad.type = LSM_AUDIT_DATA_PATH; 2167 ad.u.path = file->f_path; 2168 2169 if (sid != fsec->sid) { 2170 rc = avc_has_perm(sid, fsec->sid, 2171 SECCLASS_FD, 2172 FD__USE, 2173 &ad); 2174 if (rc) 2175 return rc; 2176 } 2177 2178 #ifdef CONFIG_BPF_SYSCALL 2179 rc = bpf_fd_pass(file, sid); 2180 if (rc) 2181 return rc; 2182 #endif 2183 2184 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2185 return 0; 2186 2187 isec = backing_inode_security(dentry); 2188 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2189 &ad); 2190 } 2191 2192 static int selinux_ptrace_access_check(struct task_struct *child, 2193 unsigned int mode) 2194 { 2195 u32 sid = current_sid(); 2196 u32 csid = task_sid(child); 2197 2198 if (mode & PTRACE_MODE_READ) 2199 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2200 2201 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2202 } 2203 2204 static int selinux_ptrace_traceme(struct task_struct *parent) 2205 { 2206 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS, 2207 PROCESS__PTRACE, NULL); 2208 } 2209 2210 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2211 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2212 { 2213 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS, 2214 PROCESS__GETCAP, NULL); 2215 } 2216 2217 static int selinux_capset(struct cred *new, const struct cred *old, 2218 const kernel_cap_t *effective, 2219 const kernel_cap_t *inheritable, 2220 const kernel_cap_t *permitted) 2221 { 2222 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2223 PROCESS__SETCAP, NULL); 2224 } 2225 2226 /* 2227 * (This comment used to live with the selinux_task_setuid hook, 2228 * which was removed). 2229 * 2230 * Since setuid only affects the current process, and since the SELinux 2231 * controls are not based on the Linux identity attributes, SELinux does not 2232 * need to control this operation. However, SELinux does control the use of 2233 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2234 */ 2235 2236 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2237 int cap, int audit) 2238 { 2239 return cred_has_capability(cred, cap, audit, ns == &init_user_ns); 2240 } 2241 2242 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2243 { 2244 const struct cred *cred = current_cred(); 2245 int rc = 0; 2246 2247 if (!sb) 2248 return 0; 2249 2250 switch (cmds) { 2251 case Q_SYNC: 2252 case Q_QUOTAON: 2253 case Q_QUOTAOFF: 2254 case Q_SETINFO: 2255 case Q_SETQUOTA: 2256 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2257 break; 2258 case Q_GETFMT: 2259 case Q_GETINFO: 2260 case Q_GETQUOTA: 2261 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2262 break; 2263 default: 2264 rc = 0; /* let the kernel handle invalid cmds */ 2265 break; 2266 } 2267 return rc; 2268 } 2269 2270 static int selinux_quota_on(struct dentry *dentry) 2271 { 2272 const struct cred *cred = current_cred(); 2273 2274 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2275 } 2276 2277 static int selinux_syslog(int type) 2278 { 2279 switch (type) { 2280 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2281 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2282 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2283 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2284 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2285 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2286 /* Set level of messages printed to console */ 2287 case SYSLOG_ACTION_CONSOLE_LEVEL: 2288 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2289 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2290 NULL); 2291 } 2292 /* All other syslog types */ 2293 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2294 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2295 } 2296 2297 /* 2298 * Check that a process has enough memory to allocate a new virtual 2299 * mapping. 0 means there is enough memory for the allocation to 2300 * succeed and -ENOMEM implies there is not. 2301 * 2302 * Do not audit the selinux permission check, as this is applied to all 2303 * processes that allocate mappings. 2304 */ 2305 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2306 { 2307 int rc, cap_sys_admin = 0; 2308 2309 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2310 SECURITY_CAP_NOAUDIT, true); 2311 if (rc == 0) 2312 cap_sys_admin = 1; 2313 2314 return cap_sys_admin; 2315 } 2316 2317 /* binprm security operations */ 2318 2319 static u32 ptrace_parent_sid(void) 2320 { 2321 u32 sid = 0; 2322 struct task_struct *tracer; 2323 2324 rcu_read_lock(); 2325 tracer = ptrace_parent(current); 2326 if (tracer) 2327 sid = task_sid(tracer); 2328 rcu_read_unlock(); 2329 2330 return sid; 2331 } 2332 2333 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2334 const struct task_security_struct *old_tsec, 2335 const struct task_security_struct *new_tsec) 2336 { 2337 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2338 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2339 int rc; 2340 u32 av; 2341 2342 if (!nnp && !nosuid) 2343 return 0; /* neither NNP nor nosuid */ 2344 2345 if (new_tsec->sid == old_tsec->sid) 2346 return 0; /* No change in credentials */ 2347 2348 /* 2349 * If the policy enables the nnp_nosuid_transition policy capability, 2350 * then we permit transitions under NNP or nosuid if the 2351 * policy allows the corresponding permission between 2352 * the old and new contexts. 2353 */ 2354 if (selinux_policycap_nnp_nosuid_transition) { 2355 av = 0; 2356 if (nnp) 2357 av |= PROCESS2__NNP_TRANSITION; 2358 if (nosuid) 2359 av |= PROCESS2__NOSUID_TRANSITION; 2360 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2361 SECCLASS_PROCESS2, av, NULL); 2362 if (!rc) 2363 return 0; 2364 } 2365 2366 /* 2367 * We also permit NNP or nosuid transitions to bounded SIDs, 2368 * i.e. SIDs that are guaranteed to only be allowed a subset 2369 * of the permissions of the current SID. 2370 */ 2371 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); 2372 if (!rc) 2373 return 0; 2374 2375 /* 2376 * On failure, preserve the errno values for NNP vs nosuid. 2377 * NNP: Operation not permitted for caller. 2378 * nosuid: Permission denied to file. 2379 */ 2380 if (nnp) 2381 return -EPERM; 2382 return -EACCES; 2383 } 2384 2385 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2386 { 2387 const struct task_security_struct *old_tsec; 2388 struct task_security_struct *new_tsec; 2389 struct inode_security_struct *isec; 2390 struct common_audit_data ad; 2391 struct inode *inode = file_inode(bprm->file); 2392 int rc; 2393 2394 /* SELinux context only depends on initial program or script and not 2395 * the script interpreter */ 2396 if (bprm->called_set_creds) 2397 return 0; 2398 2399 old_tsec = current_security(); 2400 new_tsec = bprm->cred->security; 2401 isec = inode_security(inode); 2402 2403 /* Default to the current task SID. */ 2404 new_tsec->sid = old_tsec->sid; 2405 new_tsec->osid = old_tsec->sid; 2406 2407 /* Reset fs, key, and sock SIDs on execve. */ 2408 new_tsec->create_sid = 0; 2409 new_tsec->keycreate_sid = 0; 2410 new_tsec->sockcreate_sid = 0; 2411 2412 if (old_tsec->exec_sid) { 2413 new_tsec->sid = old_tsec->exec_sid; 2414 /* Reset exec SID on execve. */ 2415 new_tsec->exec_sid = 0; 2416 2417 /* Fail on NNP or nosuid if not an allowed transition. */ 2418 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2419 if (rc) 2420 return rc; 2421 } else { 2422 /* Check for a default transition on this program. */ 2423 rc = security_transition_sid(old_tsec->sid, isec->sid, 2424 SECCLASS_PROCESS, NULL, 2425 &new_tsec->sid); 2426 if (rc) 2427 return rc; 2428 2429 /* 2430 * Fallback to old SID on NNP or nosuid if not an allowed 2431 * transition. 2432 */ 2433 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2434 if (rc) 2435 new_tsec->sid = old_tsec->sid; 2436 } 2437 2438 ad.type = LSM_AUDIT_DATA_FILE; 2439 ad.u.file = bprm->file; 2440 2441 if (new_tsec->sid == old_tsec->sid) { 2442 rc = avc_has_perm(old_tsec->sid, isec->sid, 2443 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2444 if (rc) 2445 return rc; 2446 } else { 2447 /* Check permissions for the transition. */ 2448 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2449 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2450 if (rc) 2451 return rc; 2452 2453 rc = avc_has_perm(new_tsec->sid, isec->sid, 2454 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2455 if (rc) 2456 return rc; 2457 2458 /* Check for shared state */ 2459 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2460 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2461 SECCLASS_PROCESS, PROCESS__SHARE, 2462 NULL); 2463 if (rc) 2464 return -EPERM; 2465 } 2466 2467 /* Make sure that anyone attempting to ptrace over a task that 2468 * changes its SID has the appropriate permit */ 2469 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2470 u32 ptsid = ptrace_parent_sid(); 2471 if (ptsid != 0) { 2472 rc = avc_has_perm(ptsid, new_tsec->sid, 2473 SECCLASS_PROCESS, 2474 PROCESS__PTRACE, NULL); 2475 if (rc) 2476 return -EPERM; 2477 } 2478 } 2479 2480 /* Clear any possibly unsafe personality bits on exec: */ 2481 bprm->per_clear |= PER_CLEAR_ON_SETID; 2482 2483 /* Enable secure mode for SIDs transitions unless 2484 the noatsecure permission is granted between 2485 the two SIDs, i.e. ahp returns 0. */ 2486 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2487 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2488 NULL); 2489 bprm->secureexec |= !!rc; 2490 } 2491 2492 return 0; 2493 } 2494 2495 static int match_file(const void *p, struct file *file, unsigned fd) 2496 { 2497 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2498 } 2499 2500 /* Derived from fs/exec.c:flush_old_files. */ 2501 static inline void flush_unauthorized_files(const struct cred *cred, 2502 struct files_struct *files) 2503 { 2504 struct file *file, *devnull = NULL; 2505 struct tty_struct *tty; 2506 int drop_tty = 0; 2507 unsigned n; 2508 2509 tty = get_current_tty(); 2510 if (tty) { 2511 spin_lock(&tty->files_lock); 2512 if (!list_empty(&tty->tty_files)) { 2513 struct tty_file_private *file_priv; 2514 2515 /* Revalidate access to controlling tty. 2516 Use file_path_has_perm on the tty path directly 2517 rather than using file_has_perm, as this particular 2518 open file may belong to another process and we are 2519 only interested in the inode-based check here. */ 2520 file_priv = list_first_entry(&tty->tty_files, 2521 struct tty_file_private, list); 2522 file = file_priv->file; 2523 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2524 drop_tty = 1; 2525 } 2526 spin_unlock(&tty->files_lock); 2527 tty_kref_put(tty); 2528 } 2529 /* Reset controlling tty. */ 2530 if (drop_tty) 2531 no_tty(); 2532 2533 /* Revalidate access to inherited open files. */ 2534 n = iterate_fd(files, 0, match_file, cred); 2535 if (!n) /* none found? */ 2536 return; 2537 2538 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2539 if (IS_ERR(devnull)) 2540 devnull = NULL; 2541 /* replace all the matching ones with this */ 2542 do { 2543 replace_fd(n - 1, devnull, 0); 2544 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2545 if (devnull) 2546 fput(devnull); 2547 } 2548 2549 /* 2550 * Prepare a process for imminent new credential changes due to exec 2551 */ 2552 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2553 { 2554 struct task_security_struct *new_tsec; 2555 struct rlimit *rlim, *initrlim; 2556 int rc, i; 2557 2558 new_tsec = bprm->cred->security; 2559 if (new_tsec->sid == new_tsec->osid) 2560 return; 2561 2562 /* Close files for which the new task SID is not authorized. */ 2563 flush_unauthorized_files(bprm->cred, current->files); 2564 2565 /* Always clear parent death signal on SID transitions. */ 2566 current->pdeath_signal = 0; 2567 2568 /* Check whether the new SID can inherit resource limits from the old 2569 * SID. If not, reset all soft limits to the lower of the current 2570 * task's hard limit and the init task's soft limit. 2571 * 2572 * Note that the setting of hard limits (even to lower them) can be 2573 * controlled by the setrlimit check. The inclusion of the init task's 2574 * soft limit into the computation is to avoid resetting soft limits 2575 * higher than the default soft limit for cases where the default is 2576 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2577 */ 2578 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2579 PROCESS__RLIMITINH, NULL); 2580 if (rc) { 2581 /* protect against do_prlimit() */ 2582 task_lock(current); 2583 for (i = 0; i < RLIM_NLIMITS; i++) { 2584 rlim = current->signal->rlim + i; 2585 initrlim = init_task.signal->rlim + i; 2586 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2587 } 2588 task_unlock(current); 2589 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2590 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2591 } 2592 } 2593 2594 /* 2595 * Clean up the process immediately after the installation of new credentials 2596 * due to exec 2597 */ 2598 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2599 { 2600 const struct task_security_struct *tsec = current_security(); 2601 struct itimerval itimer; 2602 u32 osid, sid; 2603 int rc, i; 2604 2605 osid = tsec->osid; 2606 sid = tsec->sid; 2607 2608 if (sid == osid) 2609 return; 2610 2611 /* Check whether the new SID can inherit signal state from the old SID. 2612 * If not, clear itimers to avoid subsequent signal generation and 2613 * flush and unblock signals. 2614 * 2615 * This must occur _after_ the task SID has been updated so that any 2616 * kill done after the flush will be checked against the new SID. 2617 */ 2618 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2619 if (rc) { 2620 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2621 memset(&itimer, 0, sizeof itimer); 2622 for (i = 0; i < 3; i++) 2623 do_setitimer(i, &itimer, NULL); 2624 } 2625 spin_lock_irq(¤t->sighand->siglock); 2626 if (!fatal_signal_pending(current)) { 2627 flush_sigqueue(¤t->pending); 2628 flush_sigqueue(¤t->signal->shared_pending); 2629 flush_signal_handlers(current, 1); 2630 sigemptyset(¤t->blocked); 2631 recalc_sigpending(); 2632 } 2633 spin_unlock_irq(¤t->sighand->siglock); 2634 } 2635 2636 /* Wake up the parent if it is waiting so that it can recheck 2637 * wait permission to the new task SID. */ 2638 read_lock(&tasklist_lock); 2639 __wake_up_parent(current, current->real_parent); 2640 read_unlock(&tasklist_lock); 2641 } 2642 2643 /* superblock security operations */ 2644 2645 static int selinux_sb_alloc_security(struct super_block *sb) 2646 { 2647 return superblock_alloc_security(sb); 2648 } 2649 2650 static void selinux_sb_free_security(struct super_block *sb) 2651 { 2652 superblock_free_security(sb); 2653 } 2654 2655 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2656 { 2657 if (plen > olen) 2658 return 0; 2659 2660 return !memcmp(prefix, option, plen); 2661 } 2662 2663 static inline int selinux_option(char *option, int len) 2664 { 2665 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2666 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2667 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2668 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || 2669 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); 2670 } 2671 2672 static inline void take_option(char **to, char *from, int *first, int len) 2673 { 2674 if (!*first) { 2675 **to = ','; 2676 *to += 1; 2677 } else 2678 *first = 0; 2679 memcpy(*to, from, len); 2680 *to += len; 2681 } 2682 2683 static inline void take_selinux_option(char **to, char *from, int *first, 2684 int len) 2685 { 2686 int current_size = 0; 2687 2688 if (!*first) { 2689 **to = '|'; 2690 *to += 1; 2691 } else 2692 *first = 0; 2693 2694 while (current_size < len) { 2695 if (*from != '"') { 2696 **to = *from; 2697 *to += 1; 2698 } 2699 from += 1; 2700 current_size += 1; 2701 } 2702 } 2703 2704 static int selinux_sb_copy_data(char *orig, char *copy) 2705 { 2706 int fnosec, fsec, rc = 0; 2707 char *in_save, *in_curr, *in_end; 2708 char *sec_curr, *nosec_save, *nosec; 2709 int open_quote = 0; 2710 2711 in_curr = orig; 2712 sec_curr = copy; 2713 2714 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2715 if (!nosec) { 2716 rc = -ENOMEM; 2717 goto out; 2718 } 2719 2720 nosec_save = nosec; 2721 fnosec = fsec = 1; 2722 in_save = in_end = orig; 2723 2724 do { 2725 if (*in_end == '"') 2726 open_quote = !open_quote; 2727 if ((*in_end == ',' && open_quote == 0) || 2728 *in_end == '\0') { 2729 int len = in_end - in_curr; 2730 2731 if (selinux_option(in_curr, len)) 2732 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2733 else 2734 take_option(&nosec, in_curr, &fnosec, len); 2735 2736 in_curr = in_end + 1; 2737 } 2738 } while (*in_end++); 2739 2740 strcpy(in_save, nosec_save); 2741 free_page((unsigned long)nosec_save); 2742 out: 2743 return rc; 2744 } 2745 2746 static int selinux_sb_remount(struct super_block *sb, void *data) 2747 { 2748 int rc, i, *flags; 2749 struct security_mnt_opts opts; 2750 char *secdata, **mount_options; 2751 struct superblock_security_struct *sbsec = sb->s_security; 2752 2753 if (!(sbsec->flags & SE_SBINITIALIZED)) 2754 return 0; 2755 2756 if (!data) 2757 return 0; 2758 2759 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 2760 return 0; 2761 2762 security_init_mnt_opts(&opts); 2763 secdata = alloc_secdata(); 2764 if (!secdata) 2765 return -ENOMEM; 2766 rc = selinux_sb_copy_data(data, secdata); 2767 if (rc) 2768 goto out_free_secdata; 2769 2770 rc = selinux_parse_opts_str(secdata, &opts); 2771 if (rc) 2772 goto out_free_secdata; 2773 2774 mount_options = opts.mnt_opts; 2775 flags = opts.mnt_opts_flags; 2776 2777 for (i = 0; i < opts.num_mnt_opts; i++) { 2778 u32 sid; 2779 2780 if (flags[i] == SBLABEL_MNT) 2781 continue; 2782 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 2783 if (rc) { 2784 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 2785 "(%s) failed for (dev %s, type %s) errno=%d\n", 2786 mount_options[i], sb->s_id, sb->s_type->name, rc); 2787 goto out_free_opts; 2788 } 2789 rc = -EINVAL; 2790 switch (flags[i]) { 2791 case FSCONTEXT_MNT: 2792 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2793 goto out_bad_option; 2794 break; 2795 case CONTEXT_MNT: 2796 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2797 goto out_bad_option; 2798 break; 2799 case ROOTCONTEXT_MNT: { 2800 struct inode_security_struct *root_isec; 2801 root_isec = backing_inode_security(sb->s_root); 2802 2803 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2804 goto out_bad_option; 2805 break; 2806 } 2807 case DEFCONTEXT_MNT: 2808 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2809 goto out_bad_option; 2810 break; 2811 default: 2812 goto out_free_opts; 2813 } 2814 } 2815 2816 rc = 0; 2817 out_free_opts: 2818 security_free_mnt_opts(&opts); 2819 out_free_secdata: 2820 free_secdata(secdata); 2821 return rc; 2822 out_bad_option: 2823 printk(KERN_WARNING "SELinux: unable to change security options " 2824 "during remount (dev %s, type=%s)\n", sb->s_id, 2825 sb->s_type->name); 2826 goto out_free_opts; 2827 } 2828 2829 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2830 { 2831 const struct cred *cred = current_cred(); 2832 struct common_audit_data ad; 2833 int rc; 2834 2835 rc = superblock_doinit(sb, data); 2836 if (rc) 2837 return rc; 2838 2839 /* Allow all mounts performed by the kernel */ 2840 if (flags & MS_KERNMOUNT) 2841 return 0; 2842 2843 ad.type = LSM_AUDIT_DATA_DENTRY; 2844 ad.u.dentry = sb->s_root; 2845 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2846 } 2847 2848 static int selinux_sb_statfs(struct dentry *dentry) 2849 { 2850 const struct cred *cred = current_cred(); 2851 struct common_audit_data ad; 2852 2853 ad.type = LSM_AUDIT_DATA_DENTRY; 2854 ad.u.dentry = dentry->d_sb->s_root; 2855 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2856 } 2857 2858 static int selinux_mount(const char *dev_name, 2859 const struct path *path, 2860 const char *type, 2861 unsigned long flags, 2862 void *data) 2863 { 2864 const struct cred *cred = current_cred(); 2865 2866 if (flags & MS_REMOUNT) 2867 return superblock_has_perm(cred, path->dentry->d_sb, 2868 FILESYSTEM__REMOUNT, NULL); 2869 else 2870 return path_has_perm(cred, path, FILE__MOUNTON); 2871 } 2872 2873 static int selinux_umount(struct vfsmount *mnt, int flags) 2874 { 2875 const struct cred *cred = current_cred(); 2876 2877 return superblock_has_perm(cred, mnt->mnt_sb, 2878 FILESYSTEM__UNMOUNT, NULL); 2879 } 2880 2881 /* inode security operations */ 2882 2883 static int selinux_inode_alloc_security(struct inode *inode) 2884 { 2885 return inode_alloc_security(inode); 2886 } 2887 2888 static void selinux_inode_free_security(struct inode *inode) 2889 { 2890 inode_free_security(inode); 2891 } 2892 2893 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2894 const struct qstr *name, void **ctx, 2895 u32 *ctxlen) 2896 { 2897 u32 newsid; 2898 int rc; 2899 2900 rc = selinux_determine_inode_label(current_security(), 2901 d_inode(dentry->d_parent), name, 2902 inode_mode_to_security_class(mode), 2903 &newsid); 2904 if (rc) 2905 return rc; 2906 2907 return security_sid_to_context(newsid, (char **)ctx, ctxlen); 2908 } 2909 2910 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2911 struct qstr *name, 2912 const struct cred *old, 2913 struct cred *new) 2914 { 2915 u32 newsid; 2916 int rc; 2917 struct task_security_struct *tsec; 2918 2919 rc = selinux_determine_inode_label(old->security, 2920 d_inode(dentry->d_parent), name, 2921 inode_mode_to_security_class(mode), 2922 &newsid); 2923 if (rc) 2924 return rc; 2925 2926 tsec = new->security; 2927 tsec->create_sid = newsid; 2928 return 0; 2929 } 2930 2931 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2932 const struct qstr *qstr, 2933 const char **name, 2934 void **value, size_t *len) 2935 { 2936 const struct task_security_struct *tsec = current_security(); 2937 struct superblock_security_struct *sbsec; 2938 u32 sid, newsid, clen; 2939 int rc; 2940 char *context; 2941 2942 sbsec = dir->i_sb->s_security; 2943 2944 sid = tsec->sid; 2945 newsid = tsec->create_sid; 2946 2947 rc = selinux_determine_inode_label(current_security(), 2948 dir, qstr, 2949 inode_mode_to_security_class(inode->i_mode), 2950 &newsid); 2951 if (rc) 2952 return rc; 2953 2954 /* Possibly defer initialization to selinux_complete_init. */ 2955 if (sbsec->flags & SE_SBINITIALIZED) { 2956 struct inode_security_struct *isec = inode->i_security; 2957 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2958 isec->sid = newsid; 2959 isec->initialized = LABEL_INITIALIZED; 2960 } 2961 2962 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT)) 2963 return -EOPNOTSUPP; 2964 2965 if (name) 2966 *name = XATTR_SELINUX_SUFFIX; 2967 2968 if (value && len) { 2969 rc = security_sid_to_context_force(newsid, &context, &clen); 2970 if (rc) 2971 return rc; 2972 *value = context; 2973 *len = clen; 2974 } 2975 2976 return 0; 2977 } 2978 2979 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 2980 { 2981 return may_create(dir, dentry, SECCLASS_FILE); 2982 } 2983 2984 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2985 { 2986 return may_link(dir, old_dentry, MAY_LINK); 2987 } 2988 2989 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2990 { 2991 return may_link(dir, dentry, MAY_UNLINK); 2992 } 2993 2994 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2995 { 2996 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2997 } 2998 2999 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 3000 { 3001 return may_create(dir, dentry, SECCLASS_DIR); 3002 } 3003 3004 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 3005 { 3006 return may_link(dir, dentry, MAY_RMDIR); 3007 } 3008 3009 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 3010 { 3011 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 3012 } 3013 3014 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3015 struct inode *new_inode, struct dentry *new_dentry) 3016 { 3017 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3018 } 3019 3020 static int selinux_inode_readlink(struct dentry *dentry) 3021 { 3022 const struct cred *cred = current_cred(); 3023 3024 return dentry_has_perm(cred, dentry, FILE__READ); 3025 } 3026 3027 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3028 bool rcu) 3029 { 3030 const struct cred *cred = current_cred(); 3031 struct common_audit_data ad; 3032 struct inode_security_struct *isec; 3033 u32 sid; 3034 3035 validate_creds(cred); 3036 3037 ad.type = LSM_AUDIT_DATA_DENTRY; 3038 ad.u.dentry = dentry; 3039 sid = cred_sid(cred); 3040 isec = inode_security_rcu(inode, rcu); 3041 if (IS_ERR(isec)) 3042 return PTR_ERR(isec); 3043 3044 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad, 3045 rcu ? MAY_NOT_BLOCK : 0); 3046 } 3047 3048 static noinline int audit_inode_permission(struct inode *inode, 3049 u32 perms, u32 audited, u32 denied, 3050 int result, 3051 unsigned flags) 3052 { 3053 struct common_audit_data ad; 3054 struct inode_security_struct *isec = inode->i_security; 3055 int rc; 3056 3057 ad.type = LSM_AUDIT_DATA_INODE; 3058 ad.u.inode = inode; 3059 3060 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3061 audited, denied, result, &ad, flags); 3062 if (rc) 3063 return rc; 3064 return 0; 3065 } 3066 3067 static int selinux_inode_permission(struct inode *inode, int mask) 3068 { 3069 const struct cred *cred = current_cred(); 3070 u32 perms; 3071 bool from_access; 3072 unsigned flags = mask & MAY_NOT_BLOCK; 3073 struct inode_security_struct *isec; 3074 u32 sid; 3075 struct av_decision avd; 3076 int rc, rc2; 3077 u32 audited, denied; 3078 3079 from_access = mask & MAY_ACCESS; 3080 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3081 3082 /* No permission to check. Existence test. */ 3083 if (!mask) 3084 return 0; 3085 3086 validate_creds(cred); 3087 3088 if (unlikely(IS_PRIVATE(inode))) 3089 return 0; 3090 3091 perms = file_mask_to_av(inode->i_mode, mask); 3092 3093 sid = cred_sid(cred); 3094 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK); 3095 if (IS_ERR(isec)) 3096 return PTR_ERR(isec); 3097 3098 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); 3099 audited = avc_audit_required(perms, &avd, rc, 3100 from_access ? FILE__AUDIT_ACCESS : 0, 3101 &denied); 3102 if (likely(!audited)) 3103 return rc; 3104 3105 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); 3106 if (rc2) 3107 return rc2; 3108 return rc; 3109 } 3110 3111 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3112 { 3113 const struct cred *cred = current_cred(); 3114 struct inode *inode = d_backing_inode(dentry); 3115 unsigned int ia_valid = iattr->ia_valid; 3116 __u32 av = FILE__WRITE; 3117 3118 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3119 if (ia_valid & ATTR_FORCE) { 3120 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3121 ATTR_FORCE); 3122 if (!ia_valid) 3123 return 0; 3124 } 3125 3126 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3127 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3128 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3129 3130 if (selinux_policycap_openperm && 3131 inode->i_sb->s_magic != SOCKFS_MAGIC && 3132 (ia_valid & ATTR_SIZE) && 3133 !(ia_valid & ATTR_FILE)) 3134 av |= FILE__OPEN; 3135 3136 return dentry_has_perm(cred, dentry, av); 3137 } 3138 3139 static int selinux_inode_getattr(const struct path *path) 3140 { 3141 return path_has_perm(current_cred(), path, FILE__GETATTR); 3142 } 3143 3144 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) 3145 { 3146 const struct cred *cred = current_cred(); 3147 3148 if (!strncmp(name, XATTR_SECURITY_PREFIX, 3149 sizeof XATTR_SECURITY_PREFIX - 1)) { 3150 if (!strcmp(name, XATTR_NAME_CAPS)) { 3151 if (!capable(CAP_SETFCAP)) 3152 return -EPERM; 3153 } else if (!capable(CAP_SYS_ADMIN)) { 3154 /* A different attribute in the security namespace. 3155 Restrict to administrator. */ 3156 return -EPERM; 3157 } 3158 } 3159 3160 /* Not an attribute we recognize, so just check the 3161 ordinary setattr permission. */ 3162 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3163 } 3164 3165 static bool has_cap_mac_admin(bool audit) 3166 { 3167 const struct cred *cred = current_cred(); 3168 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT; 3169 3170 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit)) 3171 return false; 3172 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true)) 3173 return false; 3174 return true; 3175 } 3176 3177 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3178 const void *value, size_t size, int flags) 3179 { 3180 struct inode *inode = d_backing_inode(dentry); 3181 struct inode_security_struct *isec; 3182 struct superblock_security_struct *sbsec; 3183 struct common_audit_data ad; 3184 u32 newsid, sid = current_sid(); 3185 int rc = 0; 3186 3187 if (strcmp(name, XATTR_NAME_SELINUX)) 3188 return selinux_inode_setotherxattr(dentry, name); 3189 3190 sbsec = inode->i_sb->s_security; 3191 if (!(sbsec->flags & SBLABEL_MNT)) 3192 return -EOPNOTSUPP; 3193 3194 if (!inode_owner_or_capable(inode)) 3195 return -EPERM; 3196 3197 ad.type = LSM_AUDIT_DATA_DENTRY; 3198 ad.u.dentry = dentry; 3199 3200 isec = backing_inode_security(dentry); 3201 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3202 FILE__RELABELFROM, &ad); 3203 if (rc) 3204 return rc; 3205 3206 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3207 if (rc == -EINVAL) { 3208 if (!has_cap_mac_admin(true)) { 3209 struct audit_buffer *ab; 3210 size_t audit_size; 3211 const char *str; 3212 3213 /* We strip a nul only if it is at the end, otherwise the 3214 * context contains a nul and we should audit that */ 3215 if (value) { 3216 str = value; 3217 if (str[size - 1] == '\0') 3218 audit_size = size - 1; 3219 else 3220 audit_size = size; 3221 } else { 3222 str = ""; 3223 audit_size = 0; 3224 } 3225 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 3226 audit_log_format(ab, "op=setxattr invalid_context="); 3227 audit_log_n_untrustedstring(ab, value, audit_size); 3228 audit_log_end(ab); 3229 3230 return rc; 3231 } 3232 rc = security_context_to_sid_force(value, size, &newsid); 3233 } 3234 if (rc) 3235 return rc; 3236 3237 rc = avc_has_perm(sid, newsid, isec->sclass, 3238 FILE__RELABELTO, &ad); 3239 if (rc) 3240 return rc; 3241 3242 rc = security_validate_transition(isec->sid, newsid, sid, 3243 isec->sclass); 3244 if (rc) 3245 return rc; 3246 3247 return avc_has_perm(newsid, 3248 sbsec->sid, 3249 SECCLASS_FILESYSTEM, 3250 FILESYSTEM__ASSOCIATE, 3251 &ad); 3252 } 3253 3254 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3255 const void *value, size_t size, 3256 int flags) 3257 { 3258 struct inode *inode = d_backing_inode(dentry); 3259 struct inode_security_struct *isec; 3260 u32 newsid; 3261 int rc; 3262 3263 if (strcmp(name, XATTR_NAME_SELINUX)) { 3264 /* Not an attribute we recognize, so nothing to do. */ 3265 return; 3266 } 3267 3268 rc = security_context_to_sid_force(value, size, &newsid); 3269 if (rc) { 3270 printk(KERN_ERR "SELinux: unable to map context to SID" 3271 "for (%s, %lu), rc=%d\n", 3272 inode->i_sb->s_id, inode->i_ino, -rc); 3273 return; 3274 } 3275 3276 isec = backing_inode_security(dentry); 3277 spin_lock(&isec->lock); 3278 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3279 isec->sid = newsid; 3280 isec->initialized = LABEL_INITIALIZED; 3281 spin_unlock(&isec->lock); 3282 3283 return; 3284 } 3285 3286 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3287 { 3288 const struct cred *cred = current_cred(); 3289 3290 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3291 } 3292 3293 static int selinux_inode_listxattr(struct dentry *dentry) 3294 { 3295 const struct cred *cred = current_cred(); 3296 3297 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3298 } 3299 3300 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3301 { 3302 if (strcmp(name, XATTR_NAME_SELINUX)) 3303 return selinux_inode_setotherxattr(dentry, name); 3304 3305 /* No one is allowed to remove a SELinux security label. 3306 You can change the label, but all data must be labeled. */ 3307 return -EACCES; 3308 } 3309 3310 /* 3311 * Copy the inode security context value to the user. 3312 * 3313 * Permission check is handled by selinux_inode_getxattr hook. 3314 */ 3315 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3316 { 3317 u32 size; 3318 int error; 3319 char *context = NULL; 3320 struct inode_security_struct *isec; 3321 3322 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3323 return -EOPNOTSUPP; 3324 3325 /* 3326 * If the caller has CAP_MAC_ADMIN, then get the raw context 3327 * value even if it is not defined by current policy; otherwise, 3328 * use the in-core value under current policy. 3329 * Use the non-auditing forms of the permission checks since 3330 * getxattr may be called by unprivileged processes commonly 3331 * and lack of permission just means that we fall back to the 3332 * in-core context value, not a denial. 3333 */ 3334 isec = inode_security(inode); 3335 if (has_cap_mac_admin(false)) 3336 error = security_sid_to_context_force(isec->sid, &context, 3337 &size); 3338 else 3339 error = security_sid_to_context(isec->sid, &context, &size); 3340 if (error) 3341 return error; 3342 error = size; 3343 if (alloc) { 3344 *buffer = context; 3345 goto out_nofree; 3346 } 3347 kfree(context); 3348 out_nofree: 3349 return error; 3350 } 3351 3352 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3353 const void *value, size_t size, int flags) 3354 { 3355 struct inode_security_struct *isec = inode_security_novalidate(inode); 3356 u32 newsid; 3357 int rc; 3358 3359 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3360 return -EOPNOTSUPP; 3361 3362 if (!value || !size) 3363 return -EACCES; 3364 3365 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3366 if (rc) 3367 return rc; 3368 3369 spin_lock(&isec->lock); 3370 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3371 isec->sid = newsid; 3372 isec->initialized = LABEL_INITIALIZED; 3373 spin_unlock(&isec->lock); 3374 return 0; 3375 } 3376 3377 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3378 { 3379 const int len = sizeof(XATTR_NAME_SELINUX); 3380 if (buffer && len <= buffer_size) 3381 memcpy(buffer, XATTR_NAME_SELINUX, len); 3382 return len; 3383 } 3384 3385 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3386 { 3387 struct inode_security_struct *isec = inode_security_novalidate(inode); 3388 *secid = isec->sid; 3389 } 3390 3391 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3392 { 3393 u32 sid; 3394 struct task_security_struct *tsec; 3395 struct cred *new_creds = *new; 3396 3397 if (new_creds == NULL) { 3398 new_creds = prepare_creds(); 3399 if (!new_creds) 3400 return -ENOMEM; 3401 } 3402 3403 tsec = new_creds->security; 3404 /* Get label from overlay inode and set it in create_sid */ 3405 selinux_inode_getsecid(d_inode(src), &sid); 3406 tsec->create_sid = sid; 3407 *new = new_creds; 3408 return 0; 3409 } 3410 3411 static int selinux_inode_copy_up_xattr(const char *name) 3412 { 3413 /* The copy_up hook above sets the initial context on an inode, but we 3414 * don't then want to overwrite it by blindly copying all the lower 3415 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3416 */ 3417 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3418 return 1; /* Discard */ 3419 /* 3420 * Any other attribute apart from SELINUX is not claimed, supported 3421 * by selinux. 3422 */ 3423 return -EOPNOTSUPP; 3424 } 3425 3426 /* file security operations */ 3427 3428 static int selinux_revalidate_file_permission(struct file *file, int mask) 3429 { 3430 const struct cred *cred = current_cred(); 3431 struct inode *inode = file_inode(file); 3432 3433 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3434 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3435 mask |= MAY_APPEND; 3436 3437 return file_has_perm(cred, file, 3438 file_mask_to_av(inode->i_mode, mask)); 3439 } 3440 3441 static int selinux_file_permission(struct file *file, int mask) 3442 { 3443 struct inode *inode = file_inode(file); 3444 struct file_security_struct *fsec = file->f_security; 3445 struct inode_security_struct *isec; 3446 u32 sid = current_sid(); 3447 3448 if (!mask) 3449 /* No permission to check. Existence test. */ 3450 return 0; 3451 3452 isec = inode_security(inode); 3453 if (sid == fsec->sid && fsec->isid == isec->sid && 3454 fsec->pseqno == avc_policy_seqno()) 3455 /* No change since file_open check. */ 3456 return 0; 3457 3458 return selinux_revalidate_file_permission(file, mask); 3459 } 3460 3461 static int selinux_file_alloc_security(struct file *file) 3462 { 3463 return file_alloc_security(file); 3464 } 3465 3466 static void selinux_file_free_security(struct file *file) 3467 { 3468 file_free_security(file); 3469 } 3470 3471 /* 3472 * Check whether a task has the ioctl permission and cmd 3473 * operation to an inode. 3474 */ 3475 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3476 u32 requested, u16 cmd) 3477 { 3478 struct common_audit_data ad; 3479 struct file_security_struct *fsec = file->f_security; 3480 struct inode *inode = file_inode(file); 3481 struct inode_security_struct *isec; 3482 struct lsm_ioctlop_audit ioctl; 3483 u32 ssid = cred_sid(cred); 3484 int rc; 3485 u8 driver = cmd >> 8; 3486 u8 xperm = cmd & 0xff; 3487 3488 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3489 ad.u.op = &ioctl; 3490 ad.u.op->cmd = cmd; 3491 ad.u.op->path = file->f_path; 3492 3493 if (ssid != fsec->sid) { 3494 rc = avc_has_perm(ssid, fsec->sid, 3495 SECCLASS_FD, 3496 FD__USE, 3497 &ad); 3498 if (rc) 3499 goto out; 3500 } 3501 3502 if (unlikely(IS_PRIVATE(inode))) 3503 return 0; 3504 3505 isec = inode_security(inode); 3506 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, 3507 requested, driver, xperm, &ad); 3508 out: 3509 return rc; 3510 } 3511 3512 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3513 unsigned long arg) 3514 { 3515 const struct cred *cred = current_cred(); 3516 int error = 0; 3517 3518 switch (cmd) { 3519 case FIONREAD: 3520 /* fall through */ 3521 case FIBMAP: 3522 /* fall through */ 3523 case FIGETBSZ: 3524 /* fall through */ 3525 case FS_IOC_GETFLAGS: 3526 /* fall through */ 3527 case FS_IOC_GETVERSION: 3528 error = file_has_perm(cred, file, FILE__GETATTR); 3529 break; 3530 3531 case FS_IOC_SETFLAGS: 3532 /* fall through */ 3533 case FS_IOC_SETVERSION: 3534 error = file_has_perm(cred, file, FILE__SETATTR); 3535 break; 3536 3537 /* sys_ioctl() checks */ 3538 case FIONBIO: 3539 /* fall through */ 3540 case FIOASYNC: 3541 error = file_has_perm(cred, file, 0); 3542 break; 3543 3544 case KDSKBENT: 3545 case KDSKBSENT: 3546 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3547 SECURITY_CAP_AUDIT, true); 3548 break; 3549 3550 /* default case assumes that the command will go 3551 * to the file's ioctl() function. 3552 */ 3553 default: 3554 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3555 } 3556 return error; 3557 } 3558 3559 static int default_noexec; 3560 3561 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3562 { 3563 const struct cred *cred = current_cred(); 3564 u32 sid = cred_sid(cred); 3565 int rc = 0; 3566 3567 if (default_noexec && 3568 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3569 (!shared && (prot & PROT_WRITE)))) { 3570 /* 3571 * We are making executable an anonymous mapping or a 3572 * private file mapping that will also be writable. 3573 * This has an additional check. 3574 */ 3575 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3576 PROCESS__EXECMEM, NULL); 3577 if (rc) 3578 goto error; 3579 } 3580 3581 if (file) { 3582 /* read access is always possible with a mapping */ 3583 u32 av = FILE__READ; 3584 3585 /* write access only matters if the mapping is shared */ 3586 if (shared && (prot & PROT_WRITE)) 3587 av |= FILE__WRITE; 3588 3589 if (prot & PROT_EXEC) 3590 av |= FILE__EXECUTE; 3591 3592 return file_has_perm(cred, file, av); 3593 } 3594 3595 error: 3596 return rc; 3597 } 3598 3599 static int selinux_mmap_addr(unsigned long addr) 3600 { 3601 int rc = 0; 3602 3603 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3604 u32 sid = current_sid(); 3605 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3606 MEMPROTECT__MMAP_ZERO, NULL); 3607 } 3608 3609 return rc; 3610 } 3611 3612 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3613 unsigned long prot, unsigned long flags) 3614 { 3615 struct common_audit_data ad; 3616 int rc; 3617 3618 if (file) { 3619 ad.type = LSM_AUDIT_DATA_FILE; 3620 ad.u.file = file; 3621 rc = inode_has_perm(current_cred(), file_inode(file), 3622 FILE__MAP, &ad); 3623 if (rc) 3624 return rc; 3625 } 3626 3627 if (selinux_checkreqprot) 3628 prot = reqprot; 3629 3630 return file_map_prot_check(file, prot, 3631 (flags & MAP_TYPE) == MAP_SHARED); 3632 } 3633 3634 static int selinux_file_mprotect(struct vm_area_struct *vma, 3635 unsigned long reqprot, 3636 unsigned long prot) 3637 { 3638 const struct cred *cred = current_cred(); 3639 u32 sid = cred_sid(cred); 3640 3641 if (selinux_checkreqprot) 3642 prot = reqprot; 3643 3644 if (default_noexec && 3645 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3646 int rc = 0; 3647 if (vma->vm_start >= vma->vm_mm->start_brk && 3648 vma->vm_end <= vma->vm_mm->brk) { 3649 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3650 PROCESS__EXECHEAP, NULL); 3651 } else if (!vma->vm_file && 3652 ((vma->vm_start <= vma->vm_mm->start_stack && 3653 vma->vm_end >= vma->vm_mm->start_stack) || 3654 vma_is_stack_for_current(vma))) { 3655 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3656 PROCESS__EXECSTACK, NULL); 3657 } else if (vma->vm_file && vma->anon_vma) { 3658 /* 3659 * We are making executable a file mapping that has 3660 * had some COW done. Since pages might have been 3661 * written, check ability to execute the possibly 3662 * modified content. This typically should only 3663 * occur for text relocations. 3664 */ 3665 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3666 } 3667 if (rc) 3668 return rc; 3669 } 3670 3671 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3672 } 3673 3674 static int selinux_file_lock(struct file *file, unsigned int cmd) 3675 { 3676 const struct cred *cred = current_cred(); 3677 3678 return file_has_perm(cred, file, FILE__LOCK); 3679 } 3680 3681 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3682 unsigned long arg) 3683 { 3684 const struct cred *cred = current_cred(); 3685 int err = 0; 3686 3687 switch (cmd) { 3688 case F_SETFL: 3689 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3690 err = file_has_perm(cred, file, FILE__WRITE); 3691 break; 3692 } 3693 /* fall through */ 3694 case F_SETOWN: 3695 case F_SETSIG: 3696 case F_GETFL: 3697 case F_GETOWN: 3698 case F_GETSIG: 3699 case F_GETOWNER_UIDS: 3700 /* Just check FD__USE permission */ 3701 err = file_has_perm(cred, file, 0); 3702 break; 3703 case F_GETLK: 3704 case F_SETLK: 3705 case F_SETLKW: 3706 case F_OFD_GETLK: 3707 case F_OFD_SETLK: 3708 case F_OFD_SETLKW: 3709 #if BITS_PER_LONG == 32 3710 case F_GETLK64: 3711 case F_SETLK64: 3712 case F_SETLKW64: 3713 #endif 3714 err = file_has_perm(cred, file, FILE__LOCK); 3715 break; 3716 } 3717 3718 return err; 3719 } 3720 3721 static void selinux_file_set_fowner(struct file *file) 3722 { 3723 struct file_security_struct *fsec; 3724 3725 fsec = file->f_security; 3726 fsec->fown_sid = current_sid(); 3727 } 3728 3729 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3730 struct fown_struct *fown, int signum) 3731 { 3732 struct file *file; 3733 u32 sid = task_sid(tsk); 3734 u32 perm; 3735 struct file_security_struct *fsec; 3736 3737 /* struct fown_struct is never outside the context of a struct file */ 3738 file = container_of(fown, struct file, f_owner); 3739 3740 fsec = file->f_security; 3741 3742 if (!signum) 3743 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3744 else 3745 perm = signal_to_av(signum); 3746 3747 return avc_has_perm(fsec->fown_sid, sid, 3748 SECCLASS_PROCESS, perm, NULL); 3749 } 3750 3751 static int selinux_file_receive(struct file *file) 3752 { 3753 const struct cred *cred = current_cred(); 3754 3755 return file_has_perm(cred, file, file_to_av(file)); 3756 } 3757 3758 static int selinux_file_open(struct file *file, const struct cred *cred) 3759 { 3760 struct file_security_struct *fsec; 3761 struct inode_security_struct *isec; 3762 3763 fsec = file->f_security; 3764 isec = inode_security(file_inode(file)); 3765 /* 3766 * Save inode label and policy sequence number 3767 * at open-time so that selinux_file_permission 3768 * can determine whether revalidation is necessary. 3769 * Task label is already saved in the file security 3770 * struct as its SID. 3771 */ 3772 fsec->isid = isec->sid; 3773 fsec->pseqno = avc_policy_seqno(); 3774 /* 3775 * Since the inode label or policy seqno may have changed 3776 * between the selinux_inode_permission check and the saving 3777 * of state above, recheck that access is still permitted. 3778 * Otherwise, access might never be revalidated against the 3779 * new inode label or new policy. 3780 * This check is not redundant - do not remove. 3781 */ 3782 return file_path_has_perm(cred, file, open_file_to_av(file)); 3783 } 3784 3785 /* task security operations */ 3786 3787 static int selinux_task_alloc(struct task_struct *task, 3788 unsigned long clone_flags) 3789 { 3790 u32 sid = current_sid(); 3791 3792 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3793 } 3794 3795 /* 3796 * allocate the SELinux part of blank credentials 3797 */ 3798 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3799 { 3800 struct task_security_struct *tsec; 3801 3802 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3803 if (!tsec) 3804 return -ENOMEM; 3805 3806 cred->security = tsec; 3807 return 0; 3808 } 3809 3810 /* 3811 * detach and free the LSM part of a set of credentials 3812 */ 3813 static void selinux_cred_free(struct cred *cred) 3814 { 3815 struct task_security_struct *tsec = cred->security; 3816 3817 /* 3818 * cred->security == NULL if security_cred_alloc_blank() or 3819 * security_prepare_creds() returned an error. 3820 */ 3821 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); 3822 cred->security = (void *) 0x7UL; 3823 kfree(tsec); 3824 } 3825 3826 /* 3827 * prepare a new set of credentials for modification 3828 */ 3829 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3830 gfp_t gfp) 3831 { 3832 const struct task_security_struct *old_tsec; 3833 struct task_security_struct *tsec; 3834 3835 old_tsec = old->security; 3836 3837 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3838 if (!tsec) 3839 return -ENOMEM; 3840 3841 new->security = tsec; 3842 return 0; 3843 } 3844 3845 /* 3846 * transfer the SELinux data to a blank set of creds 3847 */ 3848 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3849 { 3850 const struct task_security_struct *old_tsec = old->security; 3851 struct task_security_struct *tsec = new->security; 3852 3853 *tsec = *old_tsec; 3854 } 3855 3856 /* 3857 * set the security data for a kernel service 3858 * - all the creation contexts are set to unlabelled 3859 */ 3860 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3861 { 3862 struct task_security_struct *tsec = new->security; 3863 u32 sid = current_sid(); 3864 int ret; 3865 3866 ret = avc_has_perm(sid, secid, 3867 SECCLASS_KERNEL_SERVICE, 3868 KERNEL_SERVICE__USE_AS_OVERRIDE, 3869 NULL); 3870 if (ret == 0) { 3871 tsec->sid = secid; 3872 tsec->create_sid = 0; 3873 tsec->keycreate_sid = 0; 3874 tsec->sockcreate_sid = 0; 3875 } 3876 return ret; 3877 } 3878 3879 /* 3880 * set the file creation context in a security record to the same as the 3881 * objective context of the specified inode 3882 */ 3883 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3884 { 3885 struct inode_security_struct *isec = inode_security(inode); 3886 struct task_security_struct *tsec = new->security; 3887 u32 sid = current_sid(); 3888 int ret; 3889 3890 ret = avc_has_perm(sid, isec->sid, 3891 SECCLASS_KERNEL_SERVICE, 3892 KERNEL_SERVICE__CREATE_FILES_AS, 3893 NULL); 3894 3895 if (ret == 0) 3896 tsec->create_sid = isec->sid; 3897 return ret; 3898 } 3899 3900 static int selinux_kernel_module_request(char *kmod_name) 3901 { 3902 struct common_audit_data ad; 3903 3904 ad.type = LSM_AUDIT_DATA_KMOD; 3905 ad.u.kmod_name = kmod_name; 3906 3907 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 3908 SYSTEM__MODULE_REQUEST, &ad); 3909 } 3910 3911 static int selinux_kernel_module_from_file(struct file *file) 3912 { 3913 struct common_audit_data ad; 3914 struct inode_security_struct *isec; 3915 struct file_security_struct *fsec; 3916 u32 sid = current_sid(); 3917 int rc; 3918 3919 /* init_module */ 3920 if (file == NULL) 3921 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, 3922 SYSTEM__MODULE_LOAD, NULL); 3923 3924 /* finit_module */ 3925 3926 ad.type = LSM_AUDIT_DATA_FILE; 3927 ad.u.file = file; 3928 3929 fsec = file->f_security; 3930 if (sid != fsec->sid) { 3931 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 3932 if (rc) 3933 return rc; 3934 } 3935 3936 isec = inode_security(file_inode(file)); 3937 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, 3938 SYSTEM__MODULE_LOAD, &ad); 3939 } 3940 3941 static int selinux_kernel_read_file(struct file *file, 3942 enum kernel_read_file_id id) 3943 { 3944 int rc = 0; 3945 3946 switch (id) { 3947 case READING_MODULE: 3948 rc = selinux_kernel_module_from_file(file); 3949 break; 3950 default: 3951 break; 3952 } 3953 3954 return rc; 3955 } 3956 3957 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3958 { 3959 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3960 PROCESS__SETPGID, NULL); 3961 } 3962 3963 static int selinux_task_getpgid(struct task_struct *p) 3964 { 3965 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3966 PROCESS__GETPGID, NULL); 3967 } 3968 3969 static int selinux_task_getsid(struct task_struct *p) 3970 { 3971 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3972 PROCESS__GETSESSION, NULL); 3973 } 3974 3975 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3976 { 3977 *secid = task_sid(p); 3978 } 3979 3980 static int selinux_task_setnice(struct task_struct *p, int nice) 3981 { 3982 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3983 PROCESS__SETSCHED, NULL); 3984 } 3985 3986 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3987 { 3988 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3989 PROCESS__SETSCHED, NULL); 3990 } 3991 3992 static int selinux_task_getioprio(struct task_struct *p) 3993 { 3994 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3995 PROCESS__GETSCHED, NULL); 3996 } 3997 3998 int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 3999 unsigned int flags) 4000 { 4001 u32 av = 0; 4002 4003 if (!flags) 4004 return 0; 4005 if (flags & LSM_PRLIMIT_WRITE) 4006 av |= PROCESS__SETRLIMIT; 4007 if (flags & LSM_PRLIMIT_READ) 4008 av |= PROCESS__GETRLIMIT; 4009 return avc_has_perm(cred_sid(cred), cred_sid(tcred), 4010 SECCLASS_PROCESS, av, NULL); 4011 } 4012 4013 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4014 struct rlimit *new_rlim) 4015 { 4016 struct rlimit *old_rlim = p->signal->rlim + resource; 4017 4018 /* Control the ability to change the hard limit (whether 4019 lowering or raising it), so that the hard limit can 4020 later be used as a safe reset point for the soft limit 4021 upon context transitions. See selinux_bprm_committing_creds. */ 4022 if (old_rlim->rlim_max != new_rlim->rlim_max) 4023 return avc_has_perm(current_sid(), task_sid(p), 4024 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4025 4026 return 0; 4027 } 4028 4029 static int selinux_task_setscheduler(struct task_struct *p) 4030 { 4031 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4032 PROCESS__SETSCHED, NULL); 4033 } 4034 4035 static int selinux_task_getscheduler(struct task_struct *p) 4036 { 4037 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4038 PROCESS__GETSCHED, NULL); 4039 } 4040 4041 static int selinux_task_movememory(struct task_struct *p) 4042 { 4043 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4044 PROCESS__SETSCHED, NULL); 4045 } 4046 4047 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 4048 int sig, u32 secid) 4049 { 4050 u32 perm; 4051 4052 if (!sig) 4053 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4054 else 4055 perm = signal_to_av(sig); 4056 if (!secid) 4057 secid = current_sid(); 4058 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4059 } 4060 4061 static void selinux_task_to_inode(struct task_struct *p, 4062 struct inode *inode) 4063 { 4064 struct inode_security_struct *isec = inode->i_security; 4065 u32 sid = task_sid(p); 4066 4067 spin_lock(&isec->lock); 4068 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4069 isec->sid = sid; 4070 isec->initialized = LABEL_INITIALIZED; 4071 spin_unlock(&isec->lock); 4072 } 4073 4074 /* Returns error only if unable to parse addresses */ 4075 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4076 struct common_audit_data *ad, u8 *proto) 4077 { 4078 int offset, ihlen, ret = -EINVAL; 4079 struct iphdr _iph, *ih; 4080 4081 offset = skb_network_offset(skb); 4082 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4083 if (ih == NULL) 4084 goto out; 4085 4086 ihlen = ih->ihl * 4; 4087 if (ihlen < sizeof(_iph)) 4088 goto out; 4089 4090 ad->u.net->v4info.saddr = ih->saddr; 4091 ad->u.net->v4info.daddr = ih->daddr; 4092 ret = 0; 4093 4094 if (proto) 4095 *proto = ih->protocol; 4096 4097 switch (ih->protocol) { 4098 case IPPROTO_TCP: { 4099 struct tcphdr _tcph, *th; 4100 4101 if (ntohs(ih->frag_off) & IP_OFFSET) 4102 break; 4103 4104 offset += ihlen; 4105 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4106 if (th == NULL) 4107 break; 4108 4109 ad->u.net->sport = th->source; 4110 ad->u.net->dport = th->dest; 4111 break; 4112 } 4113 4114 case IPPROTO_UDP: { 4115 struct udphdr _udph, *uh; 4116 4117 if (ntohs(ih->frag_off) & IP_OFFSET) 4118 break; 4119 4120 offset += ihlen; 4121 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4122 if (uh == NULL) 4123 break; 4124 4125 ad->u.net->sport = uh->source; 4126 ad->u.net->dport = uh->dest; 4127 break; 4128 } 4129 4130 case IPPROTO_DCCP: { 4131 struct dccp_hdr _dccph, *dh; 4132 4133 if (ntohs(ih->frag_off) & IP_OFFSET) 4134 break; 4135 4136 offset += ihlen; 4137 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4138 if (dh == NULL) 4139 break; 4140 4141 ad->u.net->sport = dh->dccph_sport; 4142 ad->u.net->dport = dh->dccph_dport; 4143 break; 4144 } 4145 4146 default: 4147 break; 4148 } 4149 out: 4150 return ret; 4151 } 4152 4153 #if IS_ENABLED(CONFIG_IPV6) 4154 4155 /* Returns error only if unable to parse addresses */ 4156 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4157 struct common_audit_data *ad, u8 *proto) 4158 { 4159 u8 nexthdr; 4160 int ret = -EINVAL, offset; 4161 struct ipv6hdr _ipv6h, *ip6; 4162 __be16 frag_off; 4163 4164 offset = skb_network_offset(skb); 4165 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4166 if (ip6 == NULL) 4167 goto out; 4168 4169 ad->u.net->v6info.saddr = ip6->saddr; 4170 ad->u.net->v6info.daddr = ip6->daddr; 4171 ret = 0; 4172 4173 nexthdr = ip6->nexthdr; 4174 offset += sizeof(_ipv6h); 4175 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4176 if (offset < 0) 4177 goto out; 4178 4179 if (proto) 4180 *proto = nexthdr; 4181 4182 switch (nexthdr) { 4183 case IPPROTO_TCP: { 4184 struct tcphdr _tcph, *th; 4185 4186 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4187 if (th == NULL) 4188 break; 4189 4190 ad->u.net->sport = th->source; 4191 ad->u.net->dport = th->dest; 4192 break; 4193 } 4194 4195 case IPPROTO_UDP: { 4196 struct udphdr _udph, *uh; 4197 4198 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4199 if (uh == NULL) 4200 break; 4201 4202 ad->u.net->sport = uh->source; 4203 ad->u.net->dport = uh->dest; 4204 break; 4205 } 4206 4207 case IPPROTO_DCCP: { 4208 struct dccp_hdr _dccph, *dh; 4209 4210 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4211 if (dh == NULL) 4212 break; 4213 4214 ad->u.net->sport = dh->dccph_sport; 4215 ad->u.net->dport = dh->dccph_dport; 4216 break; 4217 } 4218 4219 /* includes fragments */ 4220 default: 4221 break; 4222 } 4223 out: 4224 return ret; 4225 } 4226 4227 #endif /* IPV6 */ 4228 4229 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4230 char **_addrp, int src, u8 *proto) 4231 { 4232 char *addrp; 4233 int ret; 4234 4235 switch (ad->u.net->family) { 4236 case PF_INET: 4237 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4238 if (ret) 4239 goto parse_error; 4240 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4241 &ad->u.net->v4info.daddr); 4242 goto okay; 4243 4244 #if IS_ENABLED(CONFIG_IPV6) 4245 case PF_INET6: 4246 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4247 if (ret) 4248 goto parse_error; 4249 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4250 &ad->u.net->v6info.daddr); 4251 goto okay; 4252 #endif /* IPV6 */ 4253 default: 4254 addrp = NULL; 4255 goto okay; 4256 } 4257 4258 parse_error: 4259 printk(KERN_WARNING 4260 "SELinux: failure in selinux_parse_skb()," 4261 " unable to parse packet\n"); 4262 return ret; 4263 4264 okay: 4265 if (_addrp) 4266 *_addrp = addrp; 4267 return 0; 4268 } 4269 4270 /** 4271 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4272 * @skb: the packet 4273 * @family: protocol family 4274 * @sid: the packet's peer label SID 4275 * 4276 * Description: 4277 * Check the various different forms of network peer labeling and determine 4278 * the peer label/SID for the packet; most of the magic actually occurs in 4279 * the security server function security_net_peersid_cmp(). The function 4280 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4281 * or -EACCES if @sid is invalid due to inconsistencies with the different 4282 * peer labels. 4283 * 4284 */ 4285 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4286 { 4287 int err; 4288 u32 xfrm_sid; 4289 u32 nlbl_sid; 4290 u32 nlbl_type; 4291 4292 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4293 if (unlikely(err)) 4294 return -EACCES; 4295 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4296 if (unlikely(err)) 4297 return -EACCES; 4298 4299 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 4300 if (unlikely(err)) { 4301 printk(KERN_WARNING 4302 "SELinux: failure in selinux_skb_peerlbl_sid()," 4303 " unable to determine packet's peer label\n"); 4304 return -EACCES; 4305 } 4306 4307 return 0; 4308 } 4309 4310 /** 4311 * selinux_conn_sid - Determine the child socket label for a connection 4312 * @sk_sid: the parent socket's SID 4313 * @skb_sid: the packet's SID 4314 * @conn_sid: the resulting connection SID 4315 * 4316 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4317 * combined with the MLS information from @skb_sid in order to create 4318 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy 4319 * of @sk_sid. Returns zero on success, negative values on failure. 4320 * 4321 */ 4322 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4323 { 4324 int err = 0; 4325 4326 if (skb_sid != SECSID_NULL) 4327 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid); 4328 else 4329 *conn_sid = sk_sid; 4330 4331 return err; 4332 } 4333 4334 /* socket security operations */ 4335 4336 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4337 u16 secclass, u32 *socksid) 4338 { 4339 if (tsec->sockcreate_sid > SECSID_NULL) { 4340 *socksid = tsec->sockcreate_sid; 4341 return 0; 4342 } 4343 4344 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, 4345 socksid); 4346 } 4347 4348 static int sock_has_perm(struct sock *sk, u32 perms) 4349 { 4350 struct sk_security_struct *sksec = sk->sk_security; 4351 struct common_audit_data ad; 4352 struct lsm_network_audit net = {0,}; 4353 4354 if (sksec->sid == SECINITSID_KERNEL) 4355 return 0; 4356 4357 ad.type = LSM_AUDIT_DATA_NET; 4358 ad.u.net = &net; 4359 ad.u.net->sk = sk; 4360 4361 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4362 &ad); 4363 } 4364 4365 static int selinux_socket_create(int family, int type, 4366 int protocol, int kern) 4367 { 4368 const struct task_security_struct *tsec = current_security(); 4369 u32 newsid; 4370 u16 secclass; 4371 int rc; 4372 4373 if (kern) 4374 return 0; 4375 4376 secclass = socket_type_to_security_class(family, type, protocol); 4377 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4378 if (rc) 4379 return rc; 4380 4381 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4382 } 4383 4384 static int selinux_socket_post_create(struct socket *sock, int family, 4385 int type, int protocol, int kern) 4386 { 4387 const struct task_security_struct *tsec = current_security(); 4388 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4389 struct sk_security_struct *sksec; 4390 u16 sclass = socket_type_to_security_class(family, type, protocol); 4391 u32 sid = SECINITSID_KERNEL; 4392 int err = 0; 4393 4394 if (!kern) { 4395 err = socket_sockcreate_sid(tsec, sclass, &sid); 4396 if (err) 4397 return err; 4398 } 4399 4400 isec->sclass = sclass; 4401 isec->sid = sid; 4402 isec->initialized = LABEL_INITIALIZED; 4403 4404 if (sock->sk) { 4405 sksec = sock->sk->sk_security; 4406 sksec->sclass = sclass; 4407 sksec->sid = sid; 4408 err = selinux_netlbl_socket_post_create(sock->sk, family); 4409 } 4410 4411 return err; 4412 } 4413 4414 /* Range of port numbers used to automatically bind. 4415 Need to determine whether we should perform a name_bind 4416 permission check between the socket and the port number. */ 4417 4418 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4419 { 4420 struct sock *sk = sock->sk; 4421 u16 family; 4422 int err; 4423 4424 err = sock_has_perm(sk, SOCKET__BIND); 4425 if (err) 4426 goto out; 4427 4428 /* 4429 * If PF_INET or PF_INET6, check name_bind permission for the port. 4430 * Multiple address binding for SCTP is not supported yet: we just 4431 * check the first address now. 4432 */ 4433 family = sk->sk_family; 4434 if (family == PF_INET || family == PF_INET6) { 4435 char *addrp; 4436 struct sk_security_struct *sksec = sk->sk_security; 4437 struct common_audit_data ad; 4438 struct lsm_network_audit net = {0,}; 4439 struct sockaddr_in *addr4 = NULL; 4440 struct sockaddr_in6 *addr6 = NULL; 4441 unsigned short snum; 4442 u32 sid, node_perm; 4443 4444 if (family == PF_INET) { 4445 if (addrlen < sizeof(struct sockaddr_in)) { 4446 err = -EINVAL; 4447 goto out; 4448 } 4449 addr4 = (struct sockaddr_in *)address; 4450 snum = ntohs(addr4->sin_port); 4451 addrp = (char *)&addr4->sin_addr.s_addr; 4452 } else { 4453 if (addrlen < SIN6_LEN_RFC2133) { 4454 err = -EINVAL; 4455 goto out; 4456 } 4457 addr6 = (struct sockaddr_in6 *)address; 4458 snum = ntohs(addr6->sin6_port); 4459 addrp = (char *)&addr6->sin6_addr.s6_addr; 4460 } 4461 4462 if (snum) { 4463 int low, high; 4464 4465 inet_get_local_port_range(sock_net(sk), &low, &high); 4466 4467 if (snum < max(inet_prot_sock(sock_net(sk)), low) || 4468 snum > high) { 4469 err = sel_netport_sid(sk->sk_protocol, 4470 snum, &sid); 4471 if (err) 4472 goto out; 4473 ad.type = LSM_AUDIT_DATA_NET; 4474 ad.u.net = &net; 4475 ad.u.net->sport = htons(snum); 4476 ad.u.net->family = family; 4477 err = avc_has_perm(sksec->sid, sid, 4478 sksec->sclass, 4479 SOCKET__NAME_BIND, &ad); 4480 if (err) 4481 goto out; 4482 } 4483 } 4484 4485 switch (sksec->sclass) { 4486 case SECCLASS_TCP_SOCKET: 4487 node_perm = TCP_SOCKET__NODE_BIND; 4488 break; 4489 4490 case SECCLASS_UDP_SOCKET: 4491 node_perm = UDP_SOCKET__NODE_BIND; 4492 break; 4493 4494 case SECCLASS_DCCP_SOCKET: 4495 node_perm = DCCP_SOCKET__NODE_BIND; 4496 break; 4497 4498 default: 4499 node_perm = RAWIP_SOCKET__NODE_BIND; 4500 break; 4501 } 4502 4503 err = sel_netnode_sid(addrp, family, &sid); 4504 if (err) 4505 goto out; 4506 4507 ad.type = LSM_AUDIT_DATA_NET; 4508 ad.u.net = &net; 4509 ad.u.net->sport = htons(snum); 4510 ad.u.net->family = family; 4511 4512 if (family == PF_INET) 4513 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4514 else 4515 ad.u.net->v6info.saddr = addr6->sin6_addr; 4516 4517 err = avc_has_perm(sksec->sid, sid, 4518 sksec->sclass, node_perm, &ad); 4519 if (err) 4520 goto out; 4521 } 4522 out: 4523 return err; 4524 } 4525 4526 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 4527 { 4528 struct sock *sk = sock->sk; 4529 struct sk_security_struct *sksec = sk->sk_security; 4530 int err; 4531 4532 err = sock_has_perm(sk, SOCKET__CONNECT); 4533 if (err) 4534 return err; 4535 4536 /* 4537 * If a TCP or DCCP socket, check name_connect permission for the port. 4538 */ 4539 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4540 sksec->sclass == SECCLASS_DCCP_SOCKET) { 4541 struct common_audit_data ad; 4542 struct lsm_network_audit net = {0,}; 4543 struct sockaddr_in *addr4 = NULL; 4544 struct sockaddr_in6 *addr6 = NULL; 4545 unsigned short snum; 4546 u32 sid, perm; 4547 4548 if (sk->sk_family == PF_INET) { 4549 addr4 = (struct sockaddr_in *)address; 4550 if (addrlen < sizeof(struct sockaddr_in)) 4551 return -EINVAL; 4552 snum = ntohs(addr4->sin_port); 4553 } else { 4554 addr6 = (struct sockaddr_in6 *)address; 4555 if (addrlen < SIN6_LEN_RFC2133) 4556 return -EINVAL; 4557 snum = ntohs(addr6->sin6_port); 4558 } 4559 4560 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4561 if (err) 4562 goto out; 4563 4564 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? 4565 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 4566 4567 ad.type = LSM_AUDIT_DATA_NET; 4568 ad.u.net = &net; 4569 ad.u.net->dport = htons(snum); 4570 ad.u.net->family = sk->sk_family; 4571 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 4572 if (err) 4573 goto out; 4574 } 4575 4576 err = selinux_netlbl_socket_connect(sk, address); 4577 4578 out: 4579 return err; 4580 } 4581 4582 static int selinux_socket_listen(struct socket *sock, int backlog) 4583 { 4584 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4585 } 4586 4587 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4588 { 4589 int err; 4590 struct inode_security_struct *isec; 4591 struct inode_security_struct *newisec; 4592 u16 sclass; 4593 u32 sid; 4594 4595 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4596 if (err) 4597 return err; 4598 4599 isec = inode_security_novalidate(SOCK_INODE(sock)); 4600 spin_lock(&isec->lock); 4601 sclass = isec->sclass; 4602 sid = isec->sid; 4603 spin_unlock(&isec->lock); 4604 4605 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4606 newisec->sclass = sclass; 4607 newisec->sid = sid; 4608 newisec->initialized = LABEL_INITIALIZED; 4609 4610 return 0; 4611 } 4612 4613 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4614 int size) 4615 { 4616 return sock_has_perm(sock->sk, SOCKET__WRITE); 4617 } 4618 4619 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4620 int size, int flags) 4621 { 4622 return sock_has_perm(sock->sk, SOCKET__READ); 4623 } 4624 4625 static int selinux_socket_getsockname(struct socket *sock) 4626 { 4627 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4628 } 4629 4630 static int selinux_socket_getpeername(struct socket *sock) 4631 { 4632 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4633 } 4634 4635 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4636 { 4637 int err; 4638 4639 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 4640 if (err) 4641 return err; 4642 4643 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4644 } 4645 4646 static int selinux_socket_getsockopt(struct socket *sock, int level, 4647 int optname) 4648 { 4649 return sock_has_perm(sock->sk, SOCKET__GETOPT); 4650 } 4651 4652 static int selinux_socket_shutdown(struct socket *sock, int how) 4653 { 4654 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 4655 } 4656 4657 static int selinux_socket_unix_stream_connect(struct sock *sock, 4658 struct sock *other, 4659 struct sock *newsk) 4660 { 4661 struct sk_security_struct *sksec_sock = sock->sk_security; 4662 struct sk_security_struct *sksec_other = other->sk_security; 4663 struct sk_security_struct *sksec_new = newsk->sk_security; 4664 struct common_audit_data ad; 4665 struct lsm_network_audit net = {0,}; 4666 int err; 4667 4668 ad.type = LSM_AUDIT_DATA_NET; 4669 ad.u.net = &net; 4670 ad.u.net->sk = other; 4671 4672 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4673 sksec_other->sclass, 4674 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4675 if (err) 4676 return err; 4677 4678 /* server child socket */ 4679 sksec_new->peer_sid = sksec_sock->sid; 4680 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, 4681 &sksec_new->sid); 4682 if (err) 4683 return err; 4684 4685 /* connecting socket */ 4686 sksec_sock->peer_sid = sksec_new->sid; 4687 4688 return 0; 4689 } 4690 4691 static int selinux_socket_unix_may_send(struct socket *sock, 4692 struct socket *other) 4693 { 4694 struct sk_security_struct *ssec = sock->sk->sk_security; 4695 struct sk_security_struct *osec = other->sk->sk_security; 4696 struct common_audit_data ad; 4697 struct lsm_network_audit net = {0,}; 4698 4699 ad.type = LSM_AUDIT_DATA_NET; 4700 ad.u.net = &net; 4701 ad.u.net->sk = other->sk; 4702 4703 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4704 &ad); 4705 } 4706 4707 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4708 char *addrp, u16 family, u32 peer_sid, 4709 struct common_audit_data *ad) 4710 { 4711 int err; 4712 u32 if_sid; 4713 u32 node_sid; 4714 4715 err = sel_netif_sid(ns, ifindex, &if_sid); 4716 if (err) 4717 return err; 4718 err = avc_has_perm(peer_sid, if_sid, 4719 SECCLASS_NETIF, NETIF__INGRESS, ad); 4720 if (err) 4721 return err; 4722 4723 err = sel_netnode_sid(addrp, family, &node_sid); 4724 if (err) 4725 return err; 4726 return avc_has_perm(peer_sid, node_sid, 4727 SECCLASS_NODE, NODE__RECVFROM, ad); 4728 } 4729 4730 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4731 u16 family) 4732 { 4733 int err = 0; 4734 struct sk_security_struct *sksec = sk->sk_security; 4735 u32 sk_sid = sksec->sid; 4736 struct common_audit_data ad; 4737 struct lsm_network_audit net = {0,}; 4738 char *addrp; 4739 4740 ad.type = LSM_AUDIT_DATA_NET; 4741 ad.u.net = &net; 4742 ad.u.net->netif = skb->skb_iif; 4743 ad.u.net->family = family; 4744 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4745 if (err) 4746 return err; 4747 4748 if (selinux_secmark_enabled()) { 4749 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4750 PACKET__RECV, &ad); 4751 if (err) 4752 return err; 4753 } 4754 4755 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4756 if (err) 4757 return err; 4758 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4759 4760 return err; 4761 } 4762 4763 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4764 { 4765 int err; 4766 struct sk_security_struct *sksec = sk->sk_security; 4767 u16 family = sk->sk_family; 4768 u32 sk_sid = sksec->sid; 4769 struct common_audit_data ad; 4770 struct lsm_network_audit net = {0,}; 4771 char *addrp; 4772 u8 secmark_active; 4773 u8 peerlbl_active; 4774 4775 if (family != PF_INET && family != PF_INET6) 4776 return 0; 4777 4778 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 4779 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4780 family = PF_INET; 4781 4782 /* If any sort of compatibility mode is enabled then handoff processing 4783 * to the selinux_sock_rcv_skb_compat() function to deal with the 4784 * special handling. We do this in an attempt to keep this function 4785 * as fast and as clean as possible. */ 4786 if (!selinux_policycap_netpeer) 4787 return selinux_sock_rcv_skb_compat(sk, skb, family); 4788 4789 secmark_active = selinux_secmark_enabled(); 4790 peerlbl_active = selinux_peerlbl_enabled(); 4791 if (!secmark_active && !peerlbl_active) 4792 return 0; 4793 4794 ad.type = LSM_AUDIT_DATA_NET; 4795 ad.u.net = &net; 4796 ad.u.net->netif = skb->skb_iif; 4797 ad.u.net->family = family; 4798 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4799 if (err) 4800 return err; 4801 4802 if (peerlbl_active) { 4803 u32 peer_sid; 4804 4805 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4806 if (err) 4807 return err; 4808 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 4809 addrp, family, peer_sid, &ad); 4810 if (err) { 4811 selinux_netlbl_err(skb, family, err, 0); 4812 return err; 4813 } 4814 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 4815 PEER__RECV, &ad); 4816 if (err) { 4817 selinux_netlbl_err(skb, family, err, 0); 4818 return err; 4819 } 4820 } 4821 4822 if (secmark_active) { 4823 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4824 PACKET__RECV, &ad); 4825 if (err) 4826 return err; 4827 } 4828 4829 return err; 4830 } 4831 4832 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4833 int __user *optlen, unsigned len) 4834 { 4835 int err = 0; 4836 char *scontext; 4837 u32 scontext_len; 4838 struct sk_security_struct *sksec = sock->sk->sk_security; 4839 u32 peer_sid = SECSID_NULL; 4840 4841 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4842 sksec->sclass == SECCLASS_TCP_SOCKET) 4843 peer_sid = sksec->peer_sid; 4844 if (peer_sid == SECSID_NULL) 4845 return -ENOPROTOOPT; 4846 4847 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 4848 if (err) 4849 return err; 4850 4851 if (scontext_len > len) { 4852 err = -ERANGE; 4853 goto out_len; 4854 } 4855 4856 if (copy_to_user(optval, scontext, scontext_len)) 4857 err = -EFAULT; 4858 4859 out_len: 4860 if (put_user(scontext_len, optlen)) 4861 err = -EFAULT; 4862 kfree(scontext); 4863 return err; 4864 } 4865 4866 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4867 { 4868 u32 peer_secid = SECSID_NULL; 4869 u16 family; 4870 struct inode_security_struct *isec; 4871 4872 if (skb && skb->protocol == htons(ETH_P_IP)) 4873 family = PF_INET; 4874 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 4875 family = PF_INET6; 4876 else if (sock) 4877 family = sock->sk->sk_family; 4878 else 4879 goto out; 4880 4881 if (sock && family == PF_UNIX) { 4882 isec = inode_security_novalidate(SOCK_INODE(sock)); 4883 peer_secid = isec->sid; 4884 } else if (skb) 4885 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4886 4887 out: 4888 *secid = peer_secid; 4889 if (peer_secid == SECSID_NULL) 4890 return -EINVAL; 4891 return 0; 4892 } 4893 4894 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4895 { 4896 struct sk_security_struct *sksec; 4897 4898 sksec = kzalloc(sizeof(*sksec), priority); 4899 if (!sksec) 4900 return -ENOMEM; 4901 4902 sksec->peer_sid = SECINITSID_UNLABELED; 4903 sksec->sid = SECINITSID_UNLABELED; 4904 sksec->sclass = SECCLASS_SOCKET; 4905 selinux_netlbl_sk_security_reset(sksec); 4906 sk->sk_security = sksec; 4907 4908 return 0; 4909 } 4910 4911 static void selinux_sk_free_security(struct sock *sk) 4912 { 4913 struct sk_security_struct *sksec = sk->sk_security; 4914 4915 sk->sk_security = NULL; 4916 selinux_netlbl_sk_security_free(sksec); 4917 kfree(sksec); 4918 } 4919 4920 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4921 { 4922 struct sk_security_struct *sksec = sk->sk_security; 4923 struct sk_security_struct *newsksec = newsk->sk_security; 4924 4925 newsksec->sid = sksec->sid; 4926 newsksec->peer_sid = sksec->peer_sid; 4927 newsksec->sclass = sksec->sclass; 4928 4929 selinux_netlbl_sk_security_reset(newsksec); 4930 } 4931 4932 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4933 { 4934 if (!sk) 4935 *secid = SECINITSID_ANY_SOCKET; 4936 else { 4937 struct sk_security_struct *sksec = sk->sk_security; 4938 4939 *secid = sksec->sid; 4940 } 4941 } 4942 4943 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 4944 { 4945 struct inode_security_struct *isec = 4946 inode_security_novalidate(SOCK_INODE(parent)); 4947 struct sk_security_struct *sksec = sk->sk_security; 4948 4949 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 4950 sk->sk_family == PF_UNIX) 4951 isec->sid = sksec->sid; 4952 sksec->sclass = isec->sclass; 4953 } 4954 4955 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4956 struct request_sock *req) 4957 { 4958 struct sk_security_struct *sksec = sk->sk_security; 4959 int err; 4960 u16 family = req->rsk_ops->family; 4961 u32 connsid; 4962 u32 peersid; 4963 4964 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 4965 if (err) 4966 return err; 4967 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 4968 if (err) 4969 return err; 4970 req->secid = connsid; 4971 req->peer_secid = peersid; 4972 4973 return selinux_netlbl_inet_conn_request(req, family); 4974 } 4975 4976 static void selinux_inet_csk_clone(struct sock *newsk, 4977 const struct request_sock *req) 4978 { 4979 struct sk_security_struct *newsksec = newsk->sk_security; 4980 4981 newsksec->sid = req->secid; 4982 newsksec->peer_sid = req->peer_secid; 4983 /* NOTE: Ideally, we should also get the isec->sid for the 4984 new socket in sync, but we don't have the isec available yet. 4985 So we will wait until sock_graft to do it, by which 4986 time it will have been created and available. */ 4987 4988 /* We don't need to take any sort of lock here as we are the only 4989 * thread with access to newsksec */ 4990 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 4991 } 4992 4993 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 4994 { 4995 u16 family = sk->sk_family; 4996 struct sk_security_struct *sksec = sk->sk_security; 4997 4998 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4999 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5000 family = PF_INET; 5001 5002 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5003 } 5004 5005 static int selinux_secmark_relabel_packet(u32 sid) 5006 { 5007 const struct task_security_struct *__tsec; 5008 u32 tsid; 5009 5010 __tsec = current_security(); 5011 tsid = __tsec->sid; 5012 5013 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); 5014 } 5015 5016 static void selinux_secmark_refcount_inc(void) 5017 { 5018 atomic_inc(&selinux_secmark_refcount); 5019 } 5020 5021 static void selinux_secmark_refcount_dec(void) 5022 { 5023 atomic_dec(&selinux_secmark_refcount); 5024 } 5025 5026 static void selinux_req_classify_flow(const struct request_sock *req, 5027 struct flowi *fl) 5028 { 5029 fl->flowi_secid = req->secid; 5030 } 5031 5032 static int selinux_tun_dev_alloc_security(void **security) 5033 { 5034 struct tun_security_struct *tunsec; 5035 5036 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5037 if (!tunsec) 5038 return -ENOMEM; 5039 tunsec->sid = current_sid(); 5040 5041 *security = tunsec; 5042 return 0; 5043 } 5044 5045 static void selinux_tun_dev_free_security(void *security) 5046 { 5047 kfree(security); 5048 } 5049 5050 static int selinux_tun_dev_create(void) 5051 { 5052 u32 sid = current_sid(); 5053 5054 /* we aren't taking into account the "sockcreate" SID since the socket 5055 * that is being created here is not a socket in the traditional sense, 5056 * instead it is a private sock, accessible only to the kernel, and 5057 * representing a wide range of network traffic spanning multiple 5058 * connections unlike traditional sockets - check the TUN driver to 5059 * get a better understanding of why this socket is special */ 5060 5061 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5062 NULL); 5063 } 5064 5065 static int selinux_tun_dev_attach_queue(void *security) 5066 { 5067 struct tun_security_struct *tunsec = security; 5068 5069 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5070 TUN_SOCKET__ATTACH_QUEUE, NULL); 5071 } 5072 5073 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5074 { 5075 struct tun_security_struct *tunsec = security; 5076 struct sk_security_struct *sksec = sk->sk_security; 5077 5078 /* we don't currently perform any NetLabel based labeling here and it 5079 * isn't clear that we would want to do so anyway; while we could apply 5080 * labeling without the support of the TUN user the resulting labeled 5081 * traffic from the other end of the connection would almost certainly 5082 * cause confusion to the TUN user that had no idea network labeling 5083 * protocols were being used */ 5084 5085 sksec->sid = tunsec->sid; 5086 sksec->sclass = SECCLASS_TUN_SOCKET; 5087 5088 return 0; 5089 } 5090 5091 static int selinux_tun_dev_open(void *security) 5092 { 5093 struct tun_security_struct *tunsec = security; 5094 u32 sid = current_sid(); 5095 int err; 5096 5097 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5098 TUN_SOCKET__RELABELFROM, NULL); 5099 if (err) 5100 return err; 5101 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 5102 TUN_SOCKET__RELABELTO, NULL); 5103 if (err) 5104 return err; 5105 tunsec->sid = sid; 5106 5107 return 0; 5108 } 5109 5110 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 5111 { 5112 int err = 0; 5113 u32 perm; 5114 struct nlmsghdr *nlh; 5115 struct sk_security_struct *sksec = sk->sk_security; 5116 5117 if (skb->len < NLMSG_HDRLEN) { 5118 err = -EINVAL; 5119 goto out; 5120 } 5121 nlh = nlmsg_hdr(skb); 5122 5123 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 5124 if (err) { 5125 if (err == -EINVAL) { 5126 pr_warn_ratelimited("SELinux: unrecognized netlink" 5127 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 5128 " pig=%d comm=%s\n", 5129 sk->sk_protocol, nlh->nlmsg_type, 5130 secclass_map[sksec->sclass - 1].name, 5131 task_pid_nr(current), current->comm); 5132 if (!selinux_enforcing || security_get_allow_unknown()) 5133 err = 0; 5134 } 5135 5136 /* Ignore */ 5137 if (err == -ENOENT) 5138 err = 0; 5139 goto out; 5140 } 5141 5142 err = sock_has_perm(sk, perm); 5143 out: 5144 return err; 5145 } 5146 5147 #ifdef CONFIG_NETFILTER 5148 5149 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5150 const struct net_device *indev, 5151 u16 family) 5152 { 5153 int err; 5154 char *addrp; 5155 u32 peer_sid; 5156 struct common_audit_data ad; 5157 struct lsm_network_audit net = {0,}; 5158 u8 secmark_active; 5159 u8 netlbl_active; 5160 u8 peerlbl_active; 5161 5162 if (!selinux_policycap_netpeer) 5163 return NF_ACCEPT; 5164 5165 secmark_active = selinux_secmark_enabled(); 5166 netlbl_active = netlbl_enabled(); 5167 peerlbl_active = selinux_peerlbl_enabled(); 5168 if (!secmark_active && !peerlbl_active) 5169 return NF_ACCEPT; 5170 5171 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5172 return NF_DROP; 5173 5174 ad.type = LSM_AUDIT_DATA_NET; 5175 ad.u.net = &net; 5176 ad.u.net->netif = indev->ifindex; 5177 ad.u.net->family = family; 5178 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5179 return NF_DROP; 5180 5181 if (peerlbl_active) { 5182 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5183 addrp, family, peer_sid, &ad); 5184 if (err) { 5185 selinux_netlbl_err(skb, family, err, 1); 5186 return NF_DROP; 5187 } 5188 } 5189 5190 if (secmark_active) 5191 if (avc_has_perm(peer_sid, skb->secmark, 5192 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5193 return NF_DROP; 5194 5195 if (netlbl_active) 5196 /* we do this in the FORWARD path and not the POST_ROUTING 5197 * path because we want to make sure we apply the necessary 5198 * labeling before IPsec is applied so we can leverage AH 5199 * protection */ 5200 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5201 return NF_DROP; 5202 5203 return NF_ACCEPT; 5204 } 5205 5206 static unsigned int selinux_ipv4_forward(void *priv, 5207 struct sk_buff *skb, 5208 const struct nf_hook_state *state) 5209 { 5210 return selinux_ip_forward(skb, state->in, PF_INET); 5211 } 5212 5213 #if IS_ENABLED(CONFIG_IPV6) 5214 static unsigned int selinux_ipv6_forward(void *priv, 5215 struct sk_buff *skb, 5216 const struct nf_hook_state *state) 5217 { 5218 return selinux_ip_forward(skb, state->in, PF_INET6); 5219 } 5220 #endif /* IPV6 */ 5221 5222 static unsigned int selinux_ip_output(struct sk_buff *skb, 5223 u16 family) 5224 { 5225 struct sock *sk; 5226 u32 sid; 5227 5228 if (!netlbl_enabled()) 5229 return NF_ACCEPT; 5230 5231 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5232 * because we want to make sure we apply the necessary labeling 5233 * before IPsec is applied so we can leverage AH protection */ 5234 sk = skb->sk; 5235 if (sk) { 5236 struct sk_security_struct *sksec; 5237 5238 if (sk_listener(sk)) 5239 /* if the socket is the listening state then this 5240 * packet is a SYN-ACK packet which means it needs to 5241 * be labeled based on the connection/request_sock and 5242 * not the parent socket. unfortunately, we can't 5243 * lookup the request_sock yet as it isn't queued on 5244 * the parent socket until after the SYN-ACK is sent. 5245 * the "solution" is to simply pass the packet as-is 5246 * as any IP option based labeling should be copied 5247 * from the initial connection request (in the IP 5248 * layer). it is far from ideal, but until we get a 5249 * security label in the packet itself this is the 5250 * best we can do. */ 5251 return NF_ACCEPT; 5252 5253 /* standard practice, label using the parent socket */ 5254 sksec = sk->sk_security; 5255 sid = sksec->sid; 5256 } else 5257 sid = SECINITSID_KERNEL; 5258 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5259 return NF_DROP; 5260 5261 return NF_ACCEPT; 5262 } 5263 5264 static unsigned int selinux_ipv4_output(void *priv, 5265 struct sk_buff *skb, 5266 const struct nf_hook_state *state) 5267 { 5268 return selinux_ip_output(skb, PF_INET); 5269 } 5270 5271 #if IS_ENABLED(CONFIG_IPV6) 5272 static unsigned int selinux_ipv6_output(void *priv, 5273 struct sk_buff *skb, 5274 const struct nf_hook_state *state) 5275 { 5276 return selinux_ip_output(skb, PF_INET6); 5277 } 5278 #endif /* IPV6 */ 5279 5280 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5281 int ifindex, 5282 u16 family) 5283 { 5284 struct sock *sk = skb_to_full_sk(skb); 5285 struct sk_security_struct *sksec; 5286 struct common_audit_data ad; 5287 struct lsm_network_audit net = {0,}; 5288 char *addrp; 5289 u8 proto; 5290 5291 if (sk == NULL) 5292 return NF_ACCEPT; 5293 sksec = sk->sk_security; 5294 5295 ad.type = LSM_AUDIT_DATA_NET; 5296 ad.u.net = &net; 5297 ad.u.net->netif = ifindex; 5298 ad.u.net->family = family; 5299 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5300 return NF_DROP; 5301 5302 if (selinux_secmark_enabled()) 5303 if (avc_has_perm(sksec->sid, skb->secmark, 5304 SECCLASS_PACKET, PACKET__SEND, &ad)) 5305 return NF_DROP_ERR(-ECONNREFUSED); 5306 5307 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5308 return NF_DROP_ERR(-ECONNREFUSED); 5309 5310 return NF_ACCEPT; 5311 } 5312 5313 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5314 const struct net_device *outdev, 5315 u16 family) 5316 { 5317 u32 secmark_perm; 5318 u32 peer_sid; 5319 int ifindex = outdev->ifindex; 5320 struct sock *sk; 5321 struct common_audit_data ad; 5322 struct lsm_network_audit net = {0,}; 5323 char *addrp; 5324 u8 secmark_active; 5325 u8 peerlbl_active; 5326 5327 /* If any sort of compatibility mode is enabled then handoff processing 5328 * to the selinux_ip_postroute_compat() function to deal with the 5329 * special handling. We do this in an attempt to keep this function 5330 * as fast and as clean as possible. */ 5331 if (!selinux_policycap_netpeer) 5332 return selinux_ip_postroute_compat(skb, ifindex, family); 5333 5334 secmark_active = selinux_secmark_enabled(); 5335 peerlbl_active = selinux_peerlbl_enabled(); 5336 if (!secmark_active && !peerlbl_active) 5337 return NF_ACCEPT; 5338 5339 sk = skb_to_full_sk(skb); 5340 5341 #ifdef CONFIG_XFRM 5342 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5343 * packet transformation so allow the packet to pass without any checks 5344 * since we'll have another chance to perform access control checks 5345 * when the packet is on it's final way out. 5346 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5347 * is NULL, in this case go ahead and apply access control. 5348 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5349 * TCP listening state we cannot wait until the XFRM processing 5350 * is done as we will miss out on the SA label if we do; 5351 * unfortunately, this means more work, but it is only once per 5352 * connection. */ 5353 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5354 !(sk && sk_listener(sk))) 5355 return NF_ACCEPT; 5356 #endif 5357 5358 if (sk == NULL) { 5359 /* Without an associated socket the packet is either coming 5360 * from the kernel or it is being forwarded; check the packet 5361 * to determine which and if the packet is being forwarded 5362 * query the packet directly to determine the security label. */ 5363 if (skb->skb_iif) { 5364 secmark_perm = PACKET__FORWARD_OUT; 5365 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5366 return NF_DROP; 5367 } else { 5368 secmark_perm = PACKET__SEND; 5369 peer_sid = SECINITSID_KERNEL; 5370 } 5371 } else if (sk_listener(sk)) { 5372 /* Locally generated packet but the associated socket is in the 5373 * listening state which means this is a SYN-ACK packet. In 5374 * this particular case the correct security label is assigned 5375 * to the connection/request_sock but unfortunately we can't 5376 * query the request_sock as it isn't queued on the parent 5377 * socket until after the SYN-ACK packet is sent; the only 5378 * viable choice is to regenerate the label like we do in 5379 * selinux_inet_conn_request(). See also selinux_ip_output() 5380 * for similar problems. */ 5381 u32 skb_sid; 5382 struct sk_security_struct *sksec; 5383 5384 sksec = sk->sk_security; 5385 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5386 return NF_DROP; 5387 /* At this point, if the returned skb peerlbl is SECSID_NULL 5388 * and the packet has been through at least one XFRM 5389 * transformation then we must be dealing with the "final" 5390 * form of labeled IPsec packet; since we've already applied 5391 * all of our access controls on this packet we can safely 5392 * pass the packet. */ 5393 if (skb_sid == SECSID_NULL) { 5394 switch (family) { 5395 case PF_INET: 5396 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5397 return NF_ACCEPT; 5398 break; 5399 case PF_INET6: 5400 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5401 return NF_ACCEPT; 5402 break; 5403 default: 5404 return NF_DROP_ERR(-ECONNREFUSED); 5405 } 5406 } 5407 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5408 return NF_DROP; 5409 secmark_perm = PACKET__SEND; 5410 } else { 5411 /* Locally generated packet, fetch the security label from the 5412 * associated socket. */ 5413 struct sk_security_struct *sksec = sk->sk_security; 5414 peer_sid = sksec->sid; 5415 secmark_perm = PACKET__SEND; 5416 } 5417 5418 ad.type = LSM_AUDIT_DATA_NET; 5419 ad.u.net = &net; 5420 ad.u.net->netif = ifindex; 5421 ad.u.net->family = family; 5422 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5423 return NF_DROP; 5424 5425 if (secmark_active) 5426 if (avc_has_perm(peer_sid, skb->secmark, 5427 SECCLASS_PACKET, secmark_perm, &ad)) 5428 return NF_DROP_ERR(-ECONNREFUSED); 5429 5430 if (peerlbl_active) { 5431 u32 if_sid; 5432 u32 node_sid; 5433 5434 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5435 return NF_DROP; 5436 if (avc_has_perm(peer_sid, if_sid, 5437 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5438 return NF_DROP_ERR(-ECONNREFUSED); 5439 5440 if (sel_netnode_sid(addrp, family, &node_sid)) 5441 return NF_DROP; 5442 if (avc_has_perm(peer_sid, node_sid, 5443 SECCLASS_NODE, NODE__SENDTO, &ad)) 5444 return NF_DROP_ERR(-ECONNREFUSED); 5445 } 5446 5447 return NF_ACCEPT; 5448 } 5449 5450 static unsigned int selinux_ipv4_postroute(void *priv, 5451 struct sk_buff *skb, 5452 const struct nf_hook_state *state) 5453 { 5454 return selinux_ip_postroute(skb, state->out, PF_INET); 5455 } 5456 5457 #if IS_ENABLED(CONFIG_IPV6) 5458 static unsigned int selinux_ipv6_postroute(void *priv, 5459 struct sk_buff *skb, 5460 const struct nf_hook_state *state) 5461 { 5462 return selinux_ip_postroute(skb, state->out, PF_INET6); 5463 } 5464 #endif /* IPV6 */ 5465 5466 #endif /* CONFIG_NETFILTER */ 5467 5468 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5469 { 5470 return selinux_nlmsg_perm(sk, skb); 5471 } 5472 5473 static int ipc_alloc_security(struct kern_ipc_perm *perm, 5474 u16 sclass) 5475 { 5476 struct ipc_security_struct *isec; 5477 5478 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 5479 if (!isec) 5480 return -ENOMEM; 5481 5482 isec->sclass = sclass; 5483 isec->sid = current_sid(); 5484 perm->security = isec; 5485 5486 return 0; 5487 } 5488 5489 static void ipc_free_security(struct kern_ipc_perm *perm) 5490 { 5491 struct ipc_security_struct *isec = perm->security; 5492 perm->security = NULL; 5493 kfree(isec); 5494 } 5495 5496 static int msg_msg_alloc_security(struct msg_msg *msg) 5497 { 5498 struct msg_security_struct *msec; 5499 5500 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 5501 if (!msec) 5502 return -ENOMEM; 5503 5504 msec->sid = SECINITSID_UNLABELED; 5505 msg->security = msec; 5506 5507 return 0; 5508 } 5509 5510 static void msg_msg_free_security(struct msg_msg *msg) 5511 { 5512 struct msg_security_struct *msec = msg->security; 5513 5514 msg->security = NULL; 5515 kfree(msec); 5516 } 5517 5518 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5519 u32 perms) 5520 { 5521 struct ipc_security_struct *isec; 5522 struct common_audit_data ad; 5523 u32 sid = current_sid(); 5524 5525 isec = ipc_perms->security; 5526 5527 ad.type = LSM_AUDIT_DATA_IPC; 5528 ad.u.ipc_id = ipc_perms->key; 5529 5530 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 5531 } 5532 5533 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5534 { 5535 return msg_msg_alloc_security(msg); 5536 } 5537 5538 static void selinux_msg_msg_free_security(struct msg_msg *msg) 5539 { 5540 msg_msg_free_security(msg); 5541 } 5542 5543 /* message queue security operations */ 5544 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 5545 { 5546 struct ipc_security_struct *isec; 5547 struct common_audit_data ad; 5548 u32 sid = current_sid(); 5549 int rc; 5550 5551 rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ); 5552 if (rc) 5553 return rc; 5554 5555 isec = msq->q_perm.security; 5556 5557 ad.type = LSM_AUDIT_DATA_IPC; 5558 ad.u.ipc_id = msq->q_perm.key; 5559 5560 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5561 MSGQ__CREATE, &ad); 5562 if (rc) { 5563 ipc_free_security(&msq->q_perm); 5564 return rc; 5565 } 5566 return 0; 5567 } 5568 5569 static void selinux_msg_queue_free_security(struct msg_queue *msq) 5570 { 5571 ipc_free_security(&msq->q_perm); 5572 } 5573 5574 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 5575 { 5576 struct ipc_security_struct *isec; 5577 struct common_audit_data ad; 5578 u32 sid = current_sid(); 5579 5580 isec = msq->q_perm.security; 5581 5582 ad.type = LSM_AUDIT_DATA_IPC; 5583 ad.u.ipc_id = msq->q_perm.key; 5584 5585 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5586 MSGQ__ASSOCIATE, &ad); 5587 } 5588 5589 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 5590 { 5591 int err; 5592 int perms; 5593 5594 switch (cmd) { 5595 case IPC_INFO: 5596 case MSG_INFO: 5597 /* No specific object, just general system-wide information. */ 5598 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 5599 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5600 case IPC_STAT: 5601 case MSG_STAT: 5602 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 5603 break; 5604 case IPC_SET: 5605 perms = MSGQ__SETATTR; 5606 break; 5607 case IPC_RMID: 5608 perms = MSGQ__DESTROY; 5609 break; 5610 default: 5611 return 0; 5612 } 5613 5614 err = ipc_has_perm(&msq->q_perm, perms); 5615 return err; 5616 } 5617 5618 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 5619 { 5620 struct ipc_security_struct *isec; 5621 struct msg_security_struct *msec; 5622 struct common_audit_data ad; 5623 u32 sid = current_sid(); 5624 int rc; 5625 5626 isec = msq->q_perm.security; 5627 msec = msg->security; 5628 5629 /* 5630 * First time through, need to assign label to the message 5631 */ 5632 if (msec->sid == SECINITSID_UNLABELED) { 5633 /* 5634 * Compute new sid based on current process and 5635 * message queue this message will be stored in 5636 */ 5637 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, 5638 NULL, &msec->sid); 5639 if (rc) 5640 return rc; 5641 } 5642 5643 ad.type = LSM_AUDIT_DATA_IPC; 5644 ad.u.ipc_id = msq->q_perm.key; 5645 5646 /* Can this process write to the queue? */ 5647 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5648 MSGQ__WRITE, &ad); 5649 if (!rc) 5650 /* Can this process send the message */ 5651 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 5652 MSG__SEND, &ad); 5653 if (!rc) 5654 /* Can the message be put in the queue? */ 5655 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 5656 MSGQ__ENQUEUE, &ad); 5657 5658 return rc; 5659 } 5660 5661 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 5662 struct task_struct *target, 5663 long type, int mode) 5664 { 5665 struct ipc_security_struct *isec; 5666 struct msg_security_struct *msec; 5667 struct common_audit_data ad; 5668 u32 sid = task_sid(target); 5669 int rc; 5670 5671 isec = msq->q_perm.security; 5672 msec = msg->security; 5673 5674 ad.type = LSM_AUDIT_DATA_IPC; 5675 ad.u.ipc_id = msq->q_perm.key; 5676 5677 rc = avc_has_perm(sid, isec->sid, 5678 SECCLASS_MSGQ, MSGQ__READ, &ad); 5679 if (!rc) 5680 rc = avc_has_perm(sid, msec->sid, 5681 SECCLASS_MSG, MSG__RECEIVE, &ad); 5682 return rc; 5683 } 5684 5685 /* Shared Memory security operations */ 5686 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 5687 { 5688 struct ipc_security_struct *isec; 5689 struct common_audit_data ad; 5690 u32 sid = current_sid(); 5691 int rc; 5692 5693 rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM); 5694 if (rc) 5695 return rc; 5696 5697 isec = shp->shm_perm.security; 5698 5699 ad.type = LSM_AUDIT_DATA_IPC; 5700 ad.u.ipc_id = shp->shm_perm.key; 5701 5702 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5703 SHM__CREATE, &ad); 5704 if (rc) { 5705 ipc_free_security(&shp->shm_perm); 5706 return rc; 5707 } 5708 return 0; 5709 } 5710 5711 static void selinux_shm_free_security(struct shmid_kernel *shp) 5712 { 5713 ipc_free_security(&shp->shm_perm); 5714 } 5715 5716 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 5717 { 5718 struct ipc_security_struct *isec; 5719 struct common_audit_data ad; 5720 u32 sid = current_sid(); 5721 5722 isec = shp->shm_perm.security; 5723 5724 ad.type = LSM_AUDIT_DATA_IPC; 5725 ad.u.ipc_id = shp->shm_perm.key; 5726 5727 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5728 SHM__ASSOCIATE, &ad); 5729 } 5730 5731 /* Note, at this point, shp is locked down */ 5732 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 5733 { 5734 int perms; 5735 int err; 5736 5737 switch (cmd) { 5738 case IPC_INFO: 5739 case SHM_INFO: 5740 /* No specific object, just general system-wide information. */ 5741 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 5742 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5743 case IPC_STAT: 5744 case SHM_STAT: 5745 perms = SHM__GETATTR | SHM__ASSOCIATE; 5746 break; 5747 case IPC_SET: 5748 perms = SHM__SETATTR; 5749 break; 5750 case SHM_LOCK: 5751 case SHM_UNLOCK: 5752 perms = SHM__LOCK; 5753 break; 5754 case IPC_RMID: 5755 perms = SHM__DESTROY; 5756 break; 5757 default: 5758 return 0; 5759 } 5760 5761 err = ipc_has_perm(&shp->shm_perm, perms); 5762 return err; 5763 } 5764 5765 static int selinux_shm_shmat(struct shmid_kernel *shp, 5766 char __user *shmaddr, int shmflg) 5767 { 5768 u32 perms; 5769 5770 if (shmflg & SHM_RDONLY) 5771 perms = SHM__READ; 5772 else 5773 perms = SHM__READ | SHM__WRITE; 5774 5775 return ipc_has_perm(&shp->shm_perm, perms); 5776 } 5777 5778 /* Semaphore security operations */ 5779 static int selinux_sem_alloc_security(struct sem_array *sma) 5780 { 5781 struct ipc_security_struct *isec; 5782 struct common_audit_data ad; 5783 u32 sid = current_sid(); 5784 int rc; 5785 5786 rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM); 5787 if (rc) 5788 return rc; 5789 5790 isec = sma->sem_perm.security; 5791 5792 ad.type = LSM_AUDIT_DATA_IPC; 5793 ad.u.ipc_id = sma->sem_perm.key; 5794 5795 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5796 SEM__CREATE, &ad); 5797 if (rc) { 5798 ipc_free_security(&sma->sem_perm); 5799 return rc; 5800 } 5801 return 0; 5802 } 5803 5804 static void selinux_sem_free_security(struct sem_array *sma) 5805 { 5806 ipc_free_security(&sma->sem_perm); 5807 } 5808 5809 static int selinux_sem_associate(struct sem_array *sma, int semflg) 5810 { 5811 struct ipc_security_struct *isec; 5812 struct common_audit_data ad; 5813 u32 sid = current_sid(); 5814 5815 isec = sma->sem_perm.security; 5816 5817 ad.type = LSM_AUDIT_DATA_IPC; 5818 ad.u.ipc_id = sma->sem_perm.key; 5819 5820 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5821 SEM__ASSOCIATE, &ad); 5822 } 5823 5824 /* Note, at this point, sma is locked down */ 5825 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 5826 { 5827 int err; 5828 u32 perms; 5829 5830 switch (cmd) { 5831 case IPC_INFO: 5832 case SEM_INFO: 5833 /* No specific object, just general system-wide information. */ 5834 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 5835 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5836 case GETPID: 5837 case GETNCNT: 5838 case GETZCNT: 5839 perms = SEM__GETATTR; 5840 break; 5841 case GETVAL: 5842 case GETALL: 5843 perms = SEM__READ; 5844 break; 5845 case SETVAL: 5846 case SETALL: 5847 perms = SEM__WRITE; 5848 break; 5849 case IPC_RMID: 5850 perms = SEM__DESTROY; 5851 break; 5852 case IPC_SET: 5853 perms = SEM__SETATTR; 5854 break; 5855 case IPC_STAT: 5856 case SEM_STAT: 5857 perms = SEM__GETATTR | SEM__ASSOCIATE; 5858 break; 5859 default: 5860 return 0; 5861 } 5862 5863 err = ipc_has_perm(&sma->sem_perm, perms); 5864 return err; 5865 } 5866 5867 static int selinux_sem_semop(struct sem_array *sma, 5868 struct sembuf *sops, unsigned nsops, int alter) 5869 { 5870 u32 perms; 5871 5872 if (alter) 5873 perms = SEM__READ | SEM__WRITE; 5874 else 5875 perms = SEM__READ; 5876 5877 return ipc_has_perm(&sma->sem_perm, perms); 5878 } 5879 5880 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 5881 { 5882 u32 av = 0; 5883 5884 av = 0; 5885 if (flag & S_IRUGO) 5886 av |= IPC__UNIX_READ; 5887 if (flag & S_IWUGO) 5888 av |= IPC__UNIX_WRITE; 5889 5890 if (av == 0) 5891 return 0; 5892 5893 return ipc_has_perm(ipcp, av); 5894 } 5895 5896 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 5897 { 5898 struct ipc_security_struct *isec = ipcp->security; 5899 *secid = isec->sid; 5900 } 5901 5902 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 5903 { 5904 if (inode) 5905 inode_doinit_with_dentry(inode, dentry); 5906 } 5907 5908 static int selinux_getprocattr(struct task_struct *p, 5909 char *name, char **value) 5910 { 5911 const struct task_security_struct *__tsec; 5912 u32 sid; 5913 int error; 5914 unsigned len; 5915 5916 rcu_read_lock(); 5917 __tsec = __task_cred(p)->security; 5918 5919 if (current != p) { 5920 error = avc_has_perm(current_sid(), __tsec->sid, 5921 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 5922 if (error) 5923 goto bad; 5924 } 5925 5926 if (!strcmp(name, "current")) 5927 sid = __tsec->sid; 5928 else if (!strcmp(name, "prev")) 5929 sid = __tsec->osid; 5930 else if (!strcmp(name, "exec")) 5931 sid = __tsec->exec_sid; 5932 else if (!strcmp(name, "fscreate")) 5933 sid = __tsec->create_sid; 5934 else if (!strcmp(name, "keycreate")) 5935 sid = __tsec->keycreate_sid; 5936 else if (!strcmp(name, "sockcreate")) 5937 sid = __tsec->sockcreate_sid; 5938 else { 5939 error = -EINVAL; 5940 goto bad; 5941 } 5942 rcu_read_unlock(); 5943 5944 if (!sid) 5945 return 0; 5946 5947 error = security_sid_to_context(sid, value, &len); 5948 if (error) 5949 return error; 5950 return len; 5951 5952 bad: 5953 rcu_read_unlock(); 5954 return error; 5955 } 5956 5957 static int selinux_setprocattr(const char *name, void *value, size_t size) 5958 { 5959 struct task_security_struct *tsec; 5960 struct cred *new; 5961 u32 mysid = current_sid(), sid = 0, ptsid; 5962 int error; 5963 char *str = value; 5964 5965 /* 5966 * Basic control over ability to set these attributes at all. 5967 */ 5968 if (!strcmp(name, "exec")) 5969 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5970 PROCESS__SETEXEC, NULL); 5971 else if (!strcmp(name, "fscreate")) 5972 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5973 PROCESS__SETFSCREATE, NULL); 5974 else if (!strcmp(name, "keycreate")) 5975 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5976 PROCESS__SETKEYCREATE, NULL); 5977 else if (!strcmp(name, "sockcreate")) 5978 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5979 PROCESS__SETSOCKCREATE, NULL); 5980 else if (!strcmp(name, "current")) 5981 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5982 PROCESS__SETCURRENT, NULL); 5983 else 5984 error = -EINVAL; 5985 if (error) 5986 return error; 5987 5988 /* Obtain a SID for the context, if one was specified. */ 5989 if (size && str[0] && str[0] != '\n') { 5990 if (str[size-1] == '\n') { 5991 str[size-1] = 0; 5992 size--; 5993 } 5994 error = security_context_to_sid(value, size, &sid, GFP_KERNEL); 5995 if (error == -EINVAL && !strcmp(name, "fscreate")) { 5996 if (!has_cap_mac_admin(true)) { 5997 struct audit_buffer *ab; 5998 size_t audit_size; 5999 6000 /* We strip a nul only if it is at the end, otherwise the 6001 * context contains a nul and we should audit that */ 6002 if (str[size - 1] == '\0') 6003 audit_size = size - 1; 6004 else 6005 audit_size = size; 6006 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 6007 audit_log_format(ab, "op=fscreate invalid_context="); 6008 audit_log_n_untrustedstring(ab, value, audit_size); 6009 audit_log_end(ab); 6010 6011 return error; 6012 } 6013 error = security_context_to_sid_force(value, size, 6014 &sid); 6015 } 6016 if (error) 6017 return error; 6018 } 6019 6020 new = prepare_creds(); 6021 if (!new) 6022 return -ENOMEM; 6023 6024 /* Permission checking based on the specified context is 6025 performed during the actual operation (execve, 6026 open/mkdir/...), when we know the full context of the 6027 operation. See selinux_bprm_set_creds for the execve 6028 checks and may_create for the file creation checks. The 6029 operation will then fail if the context is not permitted. */ 6030 tsec = new->security; 6031 if (!strcmp(name, "exec")) { 6032 tsec->exec_sid = sid; 6033 } else if (!strcmp(name, "fscreate")) { 6034 tsec->create_sid = sid; 6035 } else if (!strcmp(name, "keycreate")) { 6036 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE, 6037 NULL); 6038 if (error) 6039 goto abort_change; 6040 tsec->keycreate_sid = sid; 6041 } else if (!strcmp(name, "sockcreate")) { 6042 tsec->sockcreate_sid = sid; 6043 } else if (!strcmp(name, "current")) { 6044 error = -EINVAL; 6045 if (sid == 0) 6046 goto abort_change; 6047 6048 /* Only allow single threaded processes to change context */ 6049 error = -EPERM; 6050 if (!current_is_single_threaded()) { 6051 error = security_bounded_transition(tsec->sid, sid); 6052 if (error) 6053 goto abort_change; 6054 } 6055 6056 /* Check permissions for the transition. */ 6057 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 6058 PROCESS__DYNTRANSITION, NULL); 6059 if (error) 6060 goto abort_change; 6061 6062 /* Check for ptracing, and update the task SID if ok. 6063 Otherwise, leave SID unchanged and fail. */ 6064 ptsid = ptrace_parent_sid(); 6065 if (ptsid != 0) { 6066 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 6067 PROCESS__PTRACE, NULL); 6068 if (error) 6069 goto abort_change; 6070 } 6071 6072 tsec->sid = sid; 6073 } else { 6074 error = -EINVAL; 6075 goto abort_change; 6076 } 6077 6078 commit_creds(new); 6079 return size; 6080 6081 abort_change: 6082 abort_creds(new); 6083 return error; 6084 } 6085 6086 static int selinux_ismaclabel(const char *name) 6087 { 6088 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6089 } 6090 6091 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6092 { 6093 return security_sid_to_context(secid, secdata, seclen); 6094 } 6095 6096 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6097 { 6098 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL); 6099 } 6100 6101 static void selinux_release_secctx(char *secdata, u32 seclen) 6102 { 6103 kfree(secdata); 6104 } 6105 6106 static void selinux_inode_invalidate_secctx(struct inode *inode) 6107 { 6108 struct inode_security_struct *isec = inode->i_security; 6109 6110 spin_lock(&isec->lock); 6111 isec->initialized = LABEL_INVALID; 6112 spin_unlock(&isec->lock); 6113 } 6114 6115 /* 6116 * called with inode->i_mutex locked 6117 */ 6118 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6119 { 6120 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 6121 } 6122 6123 /* 6124 * called with inode->i_mutex locked 6125 */ 6126 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6127 { 6128 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 6129 } 6130 6131 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6132 { 6133 int len = 0; 6134 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 6135 ctx, true); 6136 if (len < 0) 6137 return len; 6138 *ctxlen = len; 6139 return 0; 6140 } 6141 #ifdef CONFIG_KEYS 6142 6143 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6144 unsigned long flags) 6145 { 6146 const struct task_security_struct *tsec; 6147 struct key_security_struct *ksec; 6148 6149 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6150 if (!ksec) 6151 return -ENOMEM; 6152 6153 tsec = cred->security; 6154 if (tsec->keycreate_sid) 6155 ksec->sid = tsec->keycreate_sid; 6156 else 6157 ksec->sid = tsec->sid; 6158 6159 k->security = ksec; 6160 return 0; 6161 } 6162 6163 static void selinux_key_free(struct key *k) 6164 { 6165 struct key_security_struct *ksec = k->security; 6166 6167 k->security = NULL; 6168 kfree(ksec); 6169 } 6170 6171 static int selinux_key_permission(key_ref_t key_ref, 6172 const struct cred *cred, 6173 unsigned perm) 6174 { 6175 struct key *key; 6176 struct key_security_struct *ksec; 6177 u32 sid; 6178 6179 /* if no specific permissions are requested, we skip the 6180 permission check. No serious, additional covert channels 6181 appear to be created. */ 6182 if (perm == 0) 6183 return 0; 6184 6185 sid = cred_sid(cred); 6186 6187 key = key_ref_to_ptr(key_ref); 6188 ksec = key->security; 6189 6190 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6191 } 6192 6193 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6194 { 6195 struct key_security_struct *ksec = key->security; 6196 char *context = NULL; 6197 unsigned len; 6198 int rc; 6199 6200 rc = security_sid_to_context(ksec->sid, &context, &len); 6201 if (!rc) 6202 rc = len; 6203 *_buffer = context; 6204 return rc; 6205 } 6206 #endif 6207 6208 #ifdef CONFIG_SECURITY_INFINIBAND 6209 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6210 { 6211 struct common_audit_data ad; 6212 int err; 6213 u32 sid = 0; 6214 struct ib_security_struct *sec = ib_sec; 6215 struct lsm_ibpkey_audit ibpkey; 6216 6217 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6218 if (err) 6219 return err; 6220 6221 ad.type = LSM_AUDIT_DATA_IBPKEY; 6222 ibpkey.subnet_prefix = subnet_prefix; 6223 ibpkey.pkey = pkey_val; 6224 ad.u.ibpkey = &ibpkey; 6225 return avc_has_perm(sec->sid, sid, 6226 SECCLASS_INFINIBAND_PKEY, 6227 INFINIBAND_PKEY__ACCESS, &ad); 6228 } 6229 6230 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6231 u8 port_num) 6232 { 6233 struct common_audit_data ad; 6234 int err; 6235 u32 sid = 0; 6236 struct ib_security_struct *sec = ib_sec; 6237 struct lsm_ibendport_audit ibendport; 6238 6239 err = security_ib_endport_sid(dev_name, port_num, &sid); 6240 6241 if (err) 6242 return err; 6243 6244 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6245 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6246 ibendport.port = port_num; 6247 ad.u.ibendport = &ibendport; 6248 return avc_has_perm(sec->sid, sid, 6249 SECCLASS_INFINIBAND_ENDPORT, 6250 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6251 } 6252 6253 static int selinux_ib_alloc_security(void **ib_sec) 6254 { 6255 struct ib_security_struct *sec; 6256 6257 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6258 if (!sec) 6259 return -ENOMEM; 6260 sec->sid = current_sid(); 6261 6262 *ib_sec = sec; 6263 return 0; 6264 } 6265 6266 static void selinux_ib_free_security(void *ib_sec) 6267 { 6268 kfree(ib_sec); 6269 } 6270 #endif 6271 6272 #ifdef CONFIG_BPF_SYSCALL 6273 static int selinux_bpf(int cmd, union bpf_attr *attr, 6274 unsigned int size) 6275 { 6276 u32 sid = current_sid(); 6277 int ret; 6278 6279 switch (cmd) { 6280 case BPF_MAP_CREATE: 6281 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6282 NULL); 6283 break; 6284 case BPF_PROG_LOAD: 6285 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6286 NULL); 6287 break; 6288 default: 6289 ret = 0; 6290 break; 6291 } 6292 6293 return ret; 6294 } 6295 6296 static u32 bpf_map_fmode_to_av(fmode_t fmode) 6297 { 6298 u32 av = 0; 6299 6300 if (fmode & FMODE_READ) 6301 av |= BPF__MAP_READ; 6302 if (fmode & FMODE_WRITE) 6303 av |= BPF__MAP_WRITE; 6304 return av; 6305 } 6306 6307 /* This function will check the file pass through unix socket or binder to see 6308 * if it is a bpf related object. And apply correspinding checks on the bpf 6309 * object based on the type. The bpf maps and programs, not like other files and 6310 * socket, are using a shared anonymous inode inside the kernel as their inode. 6311 * So checking that inode cannot identify if the process have privilege to 6312 * access the bpf object and that's why we have to add this additional check in 6313 * selinux_file_receive and selinux_binder_transfer_files. 6314 */ 6315 static int bpf_fd_pass(struct file *file, u32 sid) 6316 { 6317 struct bpf_security_struct *bpfsec; 6318 struct bpf_prog *prog; 6319 struct bpf_map *map; 6320 int ret; 6321 6322 if (file->f_op == &bpf_map_fops) { 6323 map = file->private_data; 6324 bpfsec = map->security; 6325 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6326 bpf_map_fmode_to_av(file->f_mode), NULL); 6327 if (ret) 6328 return ret; 6329 } else if (file->f_op == &bpf_prog_fops) { 6330 prog = file->private_data; 6331 bpfsec = prog->aux->security; 6332 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6333 BPF__PROG_RUN, NULL); 6334 if (ret) 6335 return ret; 6336 } 6337 return 0; 6338 } 6339 6340 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 6341 { 6342 u32 sid = current_sid(); 6343 struct bpf_security_struct *bpfsec; 6344 6345 bpfsec = map->security; 6346 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6347 bpf_map_fmode_to_av(fmode), NULL); 6348 } 6349 6350 static int selinux_bpf_prog(struct bpf_prog *prog) 6351 { 6352 u32 sid = current_sid(); 6353 struct bpf_security_struct *bpfsec; 6354 6355 bpfsec = prog->aux->security; 6356 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6357 BPF__PROG_RUN, NULL); 6358 } 6359 6360 static int selinux_bpf_map_alloc(struct bpf_map *map) 6361 { 6362 struct bpf_security_struct *bpfsec; 6363 6364 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6365 if (!bpfsec) 6366 return -ENOMEM; 6367 6368 bpfsec->sid = current_sid(); 6369 map->security = bpfsec; 6370 6371 return 0; 6372 } 6373 6374 static void selinux_bpf_map_free(struct bpf_map *map) 6375 { 6376 struct bpf_security_struct *bpfsec = map->security; 6377 6378 map->security = NULL; 6379 kfree(bpfsec); 6380 } 6381 6382 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux) 6383 { 6384 struct bpf_security_struct *bpfsec; 6385 6386 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6387 if (!bpfsec) 6388 return -ENOMEM; 6389 6390 bpfsec->sid = current_sid(); 6391 aux->security = bpfsec; 6392 6393 return 0; 6394 } 6395 6396 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) 6397 { 6398 struct bpf_security_struct *bpfsec = aux->security; 6399 6400 aux->security = NULL; 6401 kfree(bpfsec); 6402 } 6403 #endif 6404 6405 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 6406 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6407 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6408 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6409 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6410 6411 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 6412 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 6413 LSM_HOOK_INIT(capget, selinux_capget), 6414 LSM_HOOK_INIT(capset, selinux_capset), 6415 LSM_HOOK_INIT(capable, selinux_capable), 6416 LSM_HOOK_INIT(quotactl, selinux_quotactl), 6417 LSM_HOOK_INIT(quota_on, selinux_quota_on), 6418 LSM_HOOK_INIT(syslog, selinux_syslog), 6419 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6420 6421 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6422 6423 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6424 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6425 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6426 6427 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6428 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6429 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data), 6430 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6431 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6432 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6433 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 6434 LSM_HOOK_INIT(sb_mount, selinux_mount), 6435 LSM_HOOK_INIT(sb_umount, selinux_umount), 6436 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 6437 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 6438 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), 6439 6440 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 6441 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 6442 6443 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 6444 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 6445 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 6446 LSM_HOOK_INIT(inode_create, selinux_inode_create), 6447 LSM_HOOK_INIT(inode_link, selinux_inode_link), 6448 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 6449 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 6450 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 6451 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 6452 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 6453 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 6454 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 6455 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 6456 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 6457 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 6458 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 6459 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 6460 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 6461 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 6462 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 6463 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 6464 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 6465 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 6466 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 6467 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 6468 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 6469 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 6470 6471 LSM_HOOK_INIT(file_permission, selinux_file_permission), 6472 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 6473 LSM_HOOK_INIT(file_free_security, selinux_file_free_security), 6474 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 6475 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 6476 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 6477 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 6478 LSM_HOOK_INIT(file_lock, selinux_file_lock), 6479 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 6480 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 6481 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 6482 LSM_HOOK_INIT(file_receive, selinux_file_receive), 6483 6484 LSM_HOOK_INIT(file_open, selinux_file_open), 6485 6486 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 6487 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), 6488 LSM_HOOK_INIT(cred_free, selinux_cred_free), 6489 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6490 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6491 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6492 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6493 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6494 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 6495 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 6496 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 6497 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 6498 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), 6499 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 6500 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 6501 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 6502 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 6503 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 6504 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 6505 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 6506 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 6507 LSM_HOOK_INIT(task_kill, selinux_task_kill), 6508 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 6509 6510 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 6511 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 6512 6513 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 6514 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security), 6515 6516 LSM_HOOK_INIT(msg_queue_alloc_security, 6517 selinux_msg_queue_alloc_security), 6518 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security), 6519 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 6520 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 6521 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 6522 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 6523 6524 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 6525 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security), 6526 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 6527 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 6528 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 6529 6530 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 6531 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security), 6532 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 6533 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 6534 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 6535 6536 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 6537 6538 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 6539 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 6540 6541 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 6542 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 6543 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 6544 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 6545 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 6546 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 6547 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 6548 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 6549 6550 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 6551 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 6552 6553 LSM_HOOK_INIT(socket_create, selinux_socket_create), 6554 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 6555 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 6556 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 6557 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 6558 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 6559 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 6560 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 6561 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 6562 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 6563 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 6564 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 6565 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 6566 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 6567 LSM_HOOK_INIT(socket_getpeersec_stream, 6568 selinux_socket_getpeersec_stream), 6569 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 6570 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 6571 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 6572 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 6573 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 6574 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 6575 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 6576 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 6577 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 6578 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 6579 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 6580 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 6581 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 6582 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 6583 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 6584 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 6585 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 6586 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 6587 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 6588 #ifdef CONFIG_SECURITY_INFINIBAND 6589 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 6590 LSM_HOOK_INIT(ib_endport_manage_subnet, 6591 selinux_ib_endport_manage_subnet), 6592 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 6593 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 6594 #endif 6595 #ifdef CONFIG_SECURITY_NETWORK_XFRM 6596 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 6597 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 6598 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 6599 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 6600 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 6601 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 6602 selinux_xfrm_state_alloc_acquire), 6603 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 6604 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 6605 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 6606 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 6607 selinux_xfrm_state_pol_flow_match), 6608 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 6609 #endif 6610 6611 #ifdef CONFIG_KEYS 6612 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 6613 LSM_HOOK_INIT(key_free, selinux_key_free), 6614 LSM_HOOK_INIT(key_permission, selinux_key_permission), 6615 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 6616 #endif 6617 6618 #ifdef CONFIG_AUDIT 6619 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 6620 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 6621 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 6622 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 6623 #endif 6624 6625 #ifdef CONFIG_BPF_SYSCALL 6626 LSM_HOOK_INIT(bpf, selinux_bpf), 6627 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 6628 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 6629 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), 6630 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), 6631 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free), 6632 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free), 6633 #endif 6634 }; 6635 6636 static __init int selinux_init(void) 6637 { 6638 if (!security_module_enable("selinux")) { 6639 selinux_enabled = 0; 6640 return 0; 6641 } 6642 6643 if (!selinux_enabled) { 6644 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 6645 return 0; 6646 } 6647 6648 printk(KERN_INFO "SELinux: Initializing.\n"); 6649 6650 /* Set the security state for the initial task. */ 6651 cred_init_security(); 6652 6653 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 6654 6655 sel_inode_cache = kmem_cache_create("selinux_inode_security", 6656 sizeof(struct inode_security_struct), 6657 0, SLAB_PANIC, NULL); 6658 file_security_cache = kmem_cache_create("selinux_file_security", 6659 sizeof(struct file_security_struct), 6660 0, SLAB_PANIC, NULL); 6661 avc_init(); 6662 6663 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 6664 6665 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 6666 panic("SELinux: Unable to register AVC netcache callback\n"); 6667 6668 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 6669 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 6670 6671 if (selinux_enforcing) 6672 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 6673 else 6674 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 6675 6676 return 0; 6677 } 6678 6679 static void delayed_superblock_init(struct super_block *sb, void *unused) 6680 { 6681 superblock_doinit(sb, NULL); 6682 } 6683 6684 void selinux_complete_init(void) 6685 { 6686 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 6687 6688 /* Set up any superblocks initialized prior to the policy load. */ 6689 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 6690 iterate_supers(delayed_superblock_init, NULL); 6691 } 6692 6693 /* SELinux requires early initialization in order to label 6694 all processes and objects when they are created. */ 6695 security_initcall(selinux_init); 6696 6697 #if defined(CONFIG_NETFILTER) 6698 6699 static const struct nf_hook_ops selinux_nf_ops[] = { 6700 { 6701 .hook = selinux_ipv4_postroute, 6702 .pf = NFPROTO_IPV4, 6703 .hooknum = NF_INET_POST_ROUTING, 6704 .priority = NF_IP_PRI_SELINUX_LAST, 6705 }, 6706 { 6707 .hook = selinux_ipv4_forward, 6708 .pf = NFPROTO_IPV4, 6709 .hooknum = NF_INET_FORWARD, 6710 .priority = NF_IP_PRI_SELINUX_FIRST, 6711 }, 6712 { 6713 .hook = selinux_ipv4_output, 6714 .pf = NFPROTO_IPV4, 6715 .hooknum = NF_INET_LOCAL_OUT, 6716 .priority = NF_IP_PRI_SELINUX_FIRST, 6717 }, 6718 #if IS_ENABLED(CONFIG_IPV6) 6719 { 6720 .hook = selinux_ipv6_postroute, 6721 .pf = NFPROTO_IPV6, 6722 .hooknum = NF_INET_POST_ROUTING, 6723 .priority = NF_IP6_PRI_SELINUX_LAST, 6724 }, 6725 { 6726 .hook = selinux_ipv6_forward, 6727 .pf = NFPROTO_IPV6, 6728 .hooknum = NF_INET_FORWARD, 6729 .priority = NF_IP6_PRI_SELINUX_FIRST, 6730 }, 6731 { 6732 .hook = selinux_ipv6_output, 6733 .pf = NFPROTO_IPV6, 6734 .hooknum = NF_INET_LOCAL_OUT, 6735 .priority = NF_IP6_PRI_SELINUX_FIRST, 6736 }, 6737 #endif /* IPV6 */ 6738 }; 6739 6740 static int __net_init selinux_nf_register(struct net *net) 6741 { 6742 return nf_register_net_hooks(net, selinux_nf_ops, 6743 ARRAY_SIZE(selinux_nf_ops)); 6744 } 6745 6746 static void __net_exit selinux_nf_unregister(struct net *net) 6747 { 6748 nf_unregister_net_hooks(net, selinux_nf_ops, 6749 ARRAY_SIZE(selinux_nf_ops)); 6750 } 6751 6752 static struct pernet_operations selinux_net_ops = { 6753 .init = selinux_nf_register, 6754 .exit = selinux_nf_unregister, 6755 }; 6756 6757 static int __init selinux_nf_ip_init(void) 6758 { 6759 int err; 6760 6761 if (!selinux_enabled) 6762 return 0; 6763 6764 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 6765 6766 err = register_pernet_subsys(&selinux_net_ops); 6767 if (err) 6768 panic("SELinux: register_pernet_subsys: error %d\n", err); 6769 6770 return 0; 6771 } 6772 __initcall(selinux_nf_ip_init); 6773 6774 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6775 static void selinux_nf_ip_exit(void) 6776 { 6777 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 6778 6779 unregister_pernet_subsys(&selinux_net_ops); 6780 } 6781 #endif 6782 6783 #else /* CONFIG_NETFILTER */ 6784 6785 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6786 #define selinux_nf_ip_exit() 6787 #endif 6788 6789 #endif /* CONFIG_NETFILTER */ 6790 6791 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6792 static int selinux_disabled; 6793 6794 int selinux_disable(void) 6795 { 6796 if (ss_initialized) { 6797 /* Not permitted after initial policy load. */ 6798 return -EINVAL; 6799 } 6800 6801 if (selinux_disabled) { 6802 /* Only do this once. */ 6803 return -EINVAL; 6804 } 6805 6806 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 6807 6808 selinux_disabled = 1; 6809 selinux_enabled = 0; 6810 6811 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 6812 6813 /* Try to destroy the avc node cache */ 6814 avc_disable(); 6815 6816 /* Unregister netfilter hooks. */ 6817 selinux_nf_ip_exit(); 6818 6819 /* Unregister selinuxfs. */ 6820 exit_sel_fs(); 6821 6822 return 0; 6823 } 6824 #endif 6825