1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * Copyright (C) 2016 Mellanox Technologies 21 * 22 * This program is free software; you can redistribute it and/or modify 23 * it under the terms of the GNU General Public License version 2, 24 * as published by the Free Software Foundation. 25 */ 26 27 #include <linux/init.h> 28 #include <linux/kd.h> 29 #include <linux/kernel.h> 30 #include <linux/tracehook.h> 31 #include <linux/errno.h> 32 #include <linux/sched/signal.h> 33 #include <linux/sched/task.h> 34 #include <linux/lsm_hooks.h> 35 #include <linux/xattr.h> 36 #include <linux/capability.h> 37 #include <linux/unistd.h> 38 #include <linux/mm.h> 39 #include <linux/mman.h> 40 #include <linux/slab.h> 41 #include <linux/pagemap.h> 42 #include <linux/proc_fs.h> 43 #include <linux/swap.h> 44 #include <linux/spinlock.h> 45 #include <linux/syscalls.h> 46 #include <linux/dcache.h> 47 #include <linux/file.h> 48 #include <linux/fdtable.h> 49 #include <linux/namei.h> 50 #include <linux/mount.h> 51 #include <linux/netfilter_ipv4.h> 52 #include <linux/netfilter_ipv6.h> 53 #include <linux/tty.h> 54 #include <net/icmp.h> 55 #include <net/ip.h> /* for local_port_range[] */ 56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 57 #include <net/inet_connection_sock.h> 58 #include <net/net_namespace.h> 59 #include <net/netlabel.h> 60 #include <linux/uaccess.h> 61 #include <asm/ioctls.h> 62 #include <linux/atomic.h> 63 #include <linux/bitops.h> 64 #include <linux/interrupt.h> 65 #include <linux/netdevice.h> /* for network interface checks */ 66 #include <net/netlink.h> 67 #include <linux/tcp.h> 68 #include <linux/udp.h> 69 #include <linux/dccp.h> 70 #include <linux/sctp.h> 71 #include <net/sctp/structs.h> 72 #include <linux/quota.h> 73 #include <linux/un.h> /* for Unix socket types */ 74 #include <net/af_unix.h> /* for Unix socket types */ 75 #include <linux/parser.h> 76 #include <linux/nfs_mount.h> 77 #include <net/ipv6.h> 78 #include <linux/hugetlb.h> 79 #include <linux/personality.h> 80 #include <linux/audit.h> 81 #include <linux/string.h> 82 #include <linux/selinux.h> 83 #include <linux/mutex.h> 84 #include <linux/posix-timers.h> 85 #include <linux/syslog.h> 86 #include <linux/user_namespace.h> 87 #include <linux/export.h> 88 #include <linux/msg.h> 89 #include <linux/shm.h> 90 #include <linux/bpf.h> 91 92 #include "avc.h" 93 #include "objsec.h" 94 #include "netif.h" 95 #include "netnode.h" 96 #include "netport.h" 97 #include "ibpkey.h" 98 #include "xfrm.h" 99 #include "netlabel.h" 100 #include "audit.h" 101 #include "avc_ss.h" 102 103 struct selinux_state selinux_state; 104 105 /* SECMARK reference count */ 106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 107 108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 109 static int selinux_enforcing_boot; 110 111 static int __init enforcing_setup(char *str) 112 { 113 unsigned long enforcing; 114 if (!kstrtoul(str, 0, &enforcing)) 115 selinux_enforcing_boot = enforcing ? 1 : 0; 116 return 1; 117 } 118 __setup("enforcing=", enforcing_setup); 119 #else 120 #define selinux_enforcing_boot 1 121 #endif 122 123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 125 126 static int __init selinux_enabled_setup(char *str) 127 { 128 unsigned long enabled; 129 if (!kstrtoul(str, 0, &enabled)) 130 selinux_enabled = enabled ? 1 : 0; 131 return 1; 132 } 133 __setup("selinux=", selinux_enabled_setup); 134 #else 135 int selinux_enabled = 1; 136 #endif 137 138 static unsigned int selinux_checkreqprot_boot = 139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 140 141 static int __init checkreqprot_setup(char *str) 142 { 143 unsigned long checkreqprot; 144 145 if (!kstrtoul(str, 0, &checkreqprot)) 146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0; 147 return 1; 148 } 149 __setup("checkreqprot=", checkreqprot_setup); 150 151 static struct kmem_cache *sel_inode_cache; 152 static struct kmem_cache *file_security_cache; 153 154 /** 155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 156 * 157 * Description: 158 * This function checks the SECMARK reference counter to see if any SECMARK 159 * targets are currently configured, if the reference counter is greater than 160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 161 * enabled, false (0) if SECMARK is disabled. If the always_check_network 162 * policy capability is enabled, SECMARK is always considered enabled. 163 * 164 */ 165 static int selinux_secmark_enabled(void) 166 { 167 return (selinux_policycap_alwaysnetwork() || 168 atomic_read(&selinux_secmark_refcount)); 169 } 170 171 /** 172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 173 * 174 * Description: 175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 176 * (1) if any are enabled or false (0) if neither are enabled. If the 177 * always_check_network policy capability is enabled, peer labeling 178 * is always considered enabled. 179 * 180 */ 181 static int selinux_peerlbl_enabled(void) 182 { 183 return (selinux_policycap_alwaysnetwork() || 184 netlbl_enabled() || selinux_xfrm_enabled()); 185 } 186 187 static int selinux_netcache_avc_callback(u32 event) 188 { 189 if (event == AVC_CALLBACK_RESET) { 190 sel_netif_flush(); 191 sel_netnode_flush(); 192 sel_netport_flush(); 193 synchronize_net(); 194 } 195 return 0; 196 } 197 198 static int selinux_lsm_notifier_avc_callback(u32 event) 199 { 200 if (event == AVC_CALLBACK_RESET) { 201 sel_ib_pkey_flush(); 202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL); 203 } 204 205 return 0; 206 } 207 208 /* 209 * initialise the security for the init task 210 */ 211 static void cred_init_security(void) 212 { 213 struct cred *cred = (struct cred *) current->real_cred; 214 struct task_security_struct *tsec; 215 216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 217 if (!tsec) 218 panic("SELinux: Failed to initialize initial task.\n"); 219 220 tsec->osid = tsec->sid = SECINITSID_KERNEL; 221 cred->security = tsec; 222 } 223 224 /* 225 * get the security ID of a set of credentials 226 */ 227 static inline u32 cred_sid(const struct cred *cred) 228 { 229 const struct task_security_struct *tsec; 230 231 tsec = cred->security; 232 return tsec->sid; 233 } 234 235 /* 236 * get the objective security ID of a task 237 */ 238 static inline u32 task_sid(const struct task_struct *task) 239 { 240 u32 sid; 241 242 rcu_read_lock(); 243 sid = cred_sid(__task_cred(task)); 244 rcu_read_unlock(); 245 return sid; 246 } 247 248 /* Allocate and free functions for each kind of security blob. */ 249 250 static int inode_alloc_security(struct inode *inode) 251 { 252 struct inode_security_struct *isec; 253 u32 sid = current_sid(); 254 255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 256 if (!isec) 257 return -ENOMEM; 258 259 spin_lock_init(&isec->lock); 260 INIT_LIST_HEAD(&isec->list); 261 isec->inode = inode; 262 isec->sid = SECINITSID_UNLABELED; 263 isec->sclass = SECCLASS_FILE; 264 isec->task_sid = sid; 265 isec->initialized = LABEL_INVALID; 266 inode->i_security = isec; 267 268 return 0; 269 } 270 271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 272 273 /* 274 * Try reloading inode security labels that have been marked as invalid. The 275 * @may_sleep parameter indicates when sleeping and thus reloading labels is 276 * allowed; when set to false, returns -ECHILD when the label is 277 * invalid. The @dentry parameter should be set to a dentry of the inode. 278 */ 279 static int __inode_security_revalidate(struct inode *inode, 280 struct dentry *dentry, 281 bool may_sleep) 282 { 283 struct inode_security_struct *isec = inode->i_security; 284 285 might_sleep_if(may_sleep); 286 287 if (selinux_state.initialized && 288 isec->initialized != LABEL_INITIALIZED) { 289 if (!may_sleep) 290 return -ECHILD; 291 292 /* 293 * Try reloading the inode security label. This will fail if 294 * @opt_dentry is NULL and no dentry for this inode can be 295 * found; in that case, continue using the old label. 296 */ 297 inode_doinit_with_dentry(inode, dentry); 298 } 299 return 0; 300 } 301 302 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 303 { 304 return inode->i_security; 305 } 306 307 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 308 { 309 int error; 310 311 error = __inode_security_revalidate(inode, NULL, !rcu); 312 if (error) 313 return ERR_PTR(error); 314 return inode->i_security; 315 } 316 317 /* 318 * Get the security label of an inode. 319 */ 320 static struct inode_security_struct *inode_security(struct inode *inode) 321 { 322 __inode_security_revalidate(inode, NULL, true); 323 return inode->i_security; 324 } 325 326 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 327 { 328 struct inode *inode = d_backing_inode(dentry); 329 330 return inode->i_security; 331 } 332 333 /* 334 * Get the security label of a dentry's backing inode. 335 */ 336 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 337 { 338 struct inode *inode = d_backing_inode(dentry); 339 340 __inode_security_revalidate(inode, dentry, true); 341 return inode->i_security; 342 } 343 344 static void inode_free_rcu(struct rcu_head *head) 345 { 346 struct inode_security_struct *isec; 347 348 isec = container_of(head, struct inode_security_struct, rcu); 349 kmem_cache_free(sel_inode_cache, isec); 350 } 351 352 static void inode_free_security(struct inode *inode) 353 { 354 struct inode_security_struct *isec = inode->i_security; 355 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 356 357 /* 358 * As not all inode security structures are in a list, we check for 359 * empty list outside of the lock to make sure that we won't waste 360 * time taking a lock doing nothing. 361 * 362 * The list_del_init() function can be safely called more than once. 363 * It should not be possible for this function to be called with 364 * concurrent list_add(), but for better safety against future changes 365 * in the code, we use list_empty_careful() here. 366 */ 367 if (!list_empty_careful(&isec->list)) { 368 spin_lock(&sbsec->isec_lock); 369 list_del_init(&isec->list); 370 spin_unlock(&sbsec->isec_lock); 371 } 372 373 /* 374 * The inode may still be referenced in a path walk and 375 * a call to selinux_inode_permission() can be made 376 * after inode_free_security() is called. Ideally, the VFS 377 * wouldn't do this, but fixing that is a much harder 378 * job. For now, simply free the i_security via RCU, and 379 * leave the current inode->i_security pointer intact. 380 * The inode will be freed after the RCU grace period too. 381 */ 382 call_rcu(&isec->rcu, inode_free_rcu); 383 } 384 385 static int file_alloc_security(struct file *file) 386 { 387 struct file_security_struct *fsec; 388 u32 sid = current_sid(); 389 390 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); 391 if (!fsec) 392 return -ENOMEM; 393 394 fsec->sid = sid; 395 fsec->fown_sid = sid; 396 file->f_security = fsec; 397 398 return 0; 399 } 400 401 static void file_free_security(struct file *file) 402 { 403 struct file_security_struct *fsec = file->f_security; 404 file->f_security = NULL; 405 kmem_cache_free(file_security_cache, fsec); 406 } 407 408 static int superblock_alloc_security(struct super_block *sb) 409 { 410 struct superblock_security_struct *sbsec; 411 412 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 413 if (!sbsec) 414 return -ENOMEM; 415 416 mutex_init(&sbsec->lock); 417 INIT_LIST_HEAD(&sbsec->isec_head); 418 spin_lock_init(&sbsec->isec_lock); 419 sbsec->sb = sb; 420 sbsec->sid = SECINITSID_UNLABELED; 421 sbsec->def_sid = SECINITSID_FILE; 422 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 423 sb->s_security = sbsec; 424 425 return 0; 426 } 427 428 static void superblock_free_security(struct super_block *sb) 429 { 430 struct superblock_security_struct *sbsec = sb->s_security; 431 sb->s_security = NULL; 432 kfree(sbsec); 433 } 434 435 static inline int inode_doinit(struct inode *inode) 436 { 437 return inode_doinit_with_dentry(inode, NULL); 438 } 439 440 enum { 441 Opt_error = -1, 442 Opt_context = 1, 443 Opt_fscontext = 2, 444 Opt_defcontext = 3, 445 Opt_rootcontext = 4, 446 Opt_labelsupport = 5, 447 Opt_nextmntopt = 6, 448 }; 449 450 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1) 451 452 static const match_table_t tokens = { 453 {Opt_context, CONTEXT_STR "%s"}, 454 {Opt_fscontext, FSCONTEXT_STR "%s"}, 455 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 456 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 457 {Opt_labelsupport, LABELSUPP_STR}, 458 {Opt_error, NULL}, 459 }; 460 461 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 462 463 static int may_context_mount_sb_relabel(u32 sid, 464 struct superblock_security_struct *sbsec, 465 const struct cred *cred) 466 { 467 const struct task_security_struct *tsec = cred->security; 468 int rc; 469 470 rc = avc_has_perm(&selinux_state, 471 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 472 FILESYSTEM__RELABELFROM, NULL); 473 if (rc) 474 return rc; 475 476 rc = avc_has_perm(&selinux_state, 477 tsec->sid, sid, SECCLASS_FILESYSTEM, 478 FILESYSTEM__RELABELTO, NULL); 479 return rc; 480 } 481 482 static int may_context_mount_inode_relabel(u32 sid, 483 struct superblock_security_struct *sbsec, 484 const struct cred *cred) 485 { 486 const struct task_security_struct *tsec = cred->security; 487 int rc; 488 rc = avc_has_perm(&selinux_state, 489 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 490 FILESYSTEM__RELABELFROM, NULL); 491 if (rc) 492 return rc; 493 494 rc = avc_has_perm(&selinux_state, 495 sid, sbsec->sid, SECCLASS_FILESYSTEM, 496 FILESYSTEM__ASSOCIATE, NULL); 497 return rc; 498 } 499 500 static int selinux_is_sblabel_mnt(struct super_block *sb) 501 { 502 struct superblock_security_struct *sbsec = sb->s_security; 503 504 return sbsec->behavior == SECURITY_FS_USE_XATTR || 505 sbsec->behavior == SECURITY_FS_USE_TRANS || 506 sbsec->behavior == SECURITY_FS_USE_TASK || 507 sbsec->behavior == SECURITY_FS_USE_NATIVE || 508 /* Special handling. Genfs but also in-core setxattr handler */ 509 !strcmp(sb->s_type->name, "sysfs") || 510 !strcmp(sb->s_type->name, "pstore") || 511 !strcmp(sb->s_type->name, "debugfs") || 512 !strcmp(sb->s_type->name, "tracefs") || 513 !strcmp(sb->s_type->name, "rootfs") || 514 (selinux_policycap_cgroupseclabel() && 515 (!strcmp(sb->s_type->name, "cgroup") || 516 !strcmp(sb->s_type->name, "cgroup2"))); 517 } 518 519 static int sb_finish_set_opts(struct super_block *sb) 520 { 521 struct superblock_security_struct *sbsec = sb->s_security; 522 struct dentry *root = sb->s_root; 523 struct inode *root_inode = d_backing_inode(root); 524 int rc = 0; 525 526 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 527 /* Make sure that the xattr handler exists and that no 528 error other than -ENODATA is returned by getxattr on 529 the root directory. -ENODATA is ok, as this may be 530 the first boot of the SELinux kernel before we have 531 assigned xattr values to the filesystem. */ 532 if (!(root_inode->i_opflags & IOP_XATTR)) { 533 pr_warn("SELinux: (dev %s, type %s) has no " 534 "xattr support\n", sb->s_id, sb->s_type->name); 535 rc = -EOPNOTSUPP; 536 goto out; 537 } 538 539 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 540 if (rc < 0 && rc != -ENODATA) { 541 if (rc == -EOPNOTSUPP) 542 pr_warn("SELinux: (dev %s, type " 543 "%s) has no security xattr handler\n", 544 sb->s_id, sb->s_type->name); 545 else 546 pr_warn("SELinux: (dev %s, type " 547 "%s) getxattr errno %d\n", sb->s_id, 548 sb->s_type->name, -rc); 549 goto out; 550 } 551 } 552 553 sbsec->flags |= SE_SBINITIALIZED; 554 555 /* 556 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 557 * leave the flag untouched because sb_clone_mnt_opts might be handing 558 * us a superblock that needs the flag to be cleared. 559 */ 560 if (selinux_is_sblabel_mnt(sb)) 561 sbsec->flags |= SBLABEL_MNT; 562 else 563 sbsec->flags &= ~SBLABEL_MNT; 564 565 /* Initialize the root inode. */ 566 rc = inode_doinit_with_dentry(root_inode, root); 567 568 /* Initialize any other inodes associated with the superblock, e.g. 569 inodes created prior to initial policy load or inodes created 570 during get_sb by a pseudo filesystem that directly 571 populates itself. */ 572 spin_lock(&sbsec->isec_lock); 573 next_inode: 574 if (!list_empty(&sbsec->isec_head)) { 575 struct inode_security_struct *isec = 576 list_entry(sbsec->isec_head.next, 577 struct inode_security_struct, list); 578 struct inode *inode = isec->inode; 579 list_del_init(&isec->list); 580 spin_unlock(&sbsec->isec_lock); 581 inode = igrab(inode); 582 if (inode) { 583 if (!IS_PRIVATE(inode)) 584 inode_doinit(inode); 585 iput(inode); 586 } 587 spin_lock(&sbsec->isec_lock); 588 goto next_inode; 589 } 590 spin_unlock(&sbsec->isec_lock); 591 out: 592 return rc; 593 } 594 595 /* 596 * This function should allow an FS to ask what it's mount security 597 * options were so it can use those later for submounts, displaying 598 * mount options, or whatever. 599 */ 600 static int selinux_get_mnt_opts(const struct super_block *sb, 601 struct security_mnt_opts *opts) 602 { 603 int rc = 0, i; 604 struct superblock_security_struct *sbsec = sb->s_security; 605 char *context = NULL; 606 u32 len; 607 char tmp; 608 609 security_init_mnt_opts(opts); 610 611 if (!(sbsec->flags & SE_SBINITIALIZED)) 612 return -EINVAL; 613 614 if (!selinux_state.initialized) 615 return -EINVAL; 616 617 /* make sure we always check enough bits to cover the mask */ 618 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS)); 619 620 tmp = sbsec->flags & SE_MNTMASK; 621 /* count the number of mount options for this sb */ 622 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) { 623 if (tmp & 0x01) 624 opts->num_mnt_opts++; 625 tmp >>= 1; 626 } 627 /* Check if the Label support flag is set */ 628 if (sbsec->flags & SBLABEL_MNT) 629 opts->num_mnt_opts++; 630 631 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 632 if (!opts->mnt_opts) { 633 rc = -ENOMEM; 634 goto out_free; 635 } 636 637 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 638 if (!opts->mnt_opts_flags) { 639 rc = -ENOMEM; 640 goto out_free; 641 } 642 643 i = 0; 644 if (sbsec->flags & FSCONTEXT_MNT) { 645 rc = security_sid_to_context(&selinux_state, sbsec->sid, 646 &context, &len); 647 if (rc) 648 goto out_free; 649 opts->mnt_opts[i] = context; 650 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 651 } 652 if (sbsec->flags & CONTEXT_MNT) { 653 rc = security_sid_to_context(&selinux_state, 654 sbsec->mntpoint_sid, 655 &context, &len); 656 if (rc) 657 goto out_free; 658 opts->mnt_opts[i] = context; 659 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 660 } 661 if (sbsec->flags & DEFCONTEXT_MNT) { 662 rc = security_sid_to_context(&selinux_state, sbsec->def_sid, 663 &context, &len); 664 if (rc) 665 goto out_free; 666 opts->mnt_opts[i] = context; 667 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 668 } 669 if (sbsec->flags & ROOTCONTEXT_MNT) { 670 struct dentry *root = sbsec->sb->s_root; 671 struct inode_security_struct *isec = backing_inode_security(root); 672 673 rc = security_sid_to_context(&selinux_state, isec->sid, 674 &context, &len); 675 if (rc) 676 goto out_free; 677 opts->mnt_opts[i] = context; 678 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 679 } 680 if (sbsec->flags & SBLABEL_MNT) { 681 opts->mnt_opts[i] = NULL; 682 opts->mnt_opts_flags[i++] = SBLABEL_MNT; 683 } 684 685 BUG_ON(i != opts->num_mnt_opts); 686 687 return 0; 688 689 out_free: 690 security_free_mnt_opts(opts); 691 return rc; 692 } 693 694 static int bad_option(struct superblock_security_struct *sbsec, char flag, 695 u32 old_sid, u32 new_sid) 696 { 697 char mnt_flags = sbsec->flags & SE_MNTMASK; 698 699 /* check if the old mount command had the same options */ 700 if (sbsec->flags & SE_SBINITIALIZED) 701 if (!(sbsec->flags & flag) || 702 (old_sid != new_sid)) 703 return 1; 704 705 /* check if we were passed the same options twice, 706 * aka someone passed context=a,context=b 707 */ 708 if (!(sbsec->flags & SE_SBINITIALIZED)) 709 if (mnt_flags & flag) 710 return 1; 711 return 0; 712 } 713 714 /* 715 * Allow filesystems with binary mount data to explicitly set mount point 716 * labeling information. 717 */ 718 static int selinux_set_mnt_opts(struct super_block *sb, 719 struct security_mnt_opts *opts, 720 unsigned long kern_flags, 721 unsigned long *set_kern_flags) 722 { 723 const struct cred *cred = current_cred(); 724 int rc = 0, i; 725 struct superblock_security_struct *sbsec = sb->s_security; 726 const char *name = sb->s_type->name; 727 struct dentry *root = sbsec->sb->s_root; 728 struct inode_security_struct *root_isec; 729 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 730 u32 defcontext_sid = 0; 731 char **mount_options = opts->mnt_opts; 732 int *flags = opts->mnt_opts_flags; 733 int num_opts = opts->num_mnt_opts; 734 735 mutex_lock(&sbsec->lock); 736 737 if (!selinux_state.initialized) { 738 if (!num_opts) { 739 /* Defer initialization until selinux_complete_init, 740 after the initial policy is loaded and the security 741 server is ready to handle calls. */ 742 goto out; 743 } 744 rc = -EINVAL; 745 pr_warn("SELinux: Unable to set superblock options " 746 "before the security server is initialized\n"); 747 goto out; 748 } 749 if (kern_flags && !set_kern_flags) { 750 /* Specifying internal flags without providing a place to 751 * place the results is not allowed */ 752 rc = -EINVAL; 753 goto out; 754 } 755 756 /* 757 * Binary mount data FS will come through this function twice. Once 758 * from an explicit call and once from the generic calls from the vfs. 759 * Since the generic VFS calls will not contain any security mount data 760 * we need to skip the double mount verification. 761 * 762 * This does open a hole in which we will not notice if the first 763 * mount using this sb set explict options and a second mount using 764 * this sb does not set any security options. (The first options 765 * will be used for both mounts) 766 */ 767 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 768 && (num_opts == 0)) 769 goto out; 770 771 root_isec = backing_inode_security_novalidate(root); 772 773 /* 774 * parse the mount options, check if they are valid sids. 775 * also check if someone is trying to mount the same sb more 776 * than once with different security options. 777 */ 778 for (i = 0; i < num_opts; i++) { 779 u32 sid; 780 781 if (flags[i] == SBLABEL_MNT) 782 continue; 783 rc = security_context_str_to_sid(&selinux_state, 784 mount_options[i], &sid, 785 GFP_KERNEL); 786 if (rc) { 787 pr_warn("SELinux: security_context_str_to_sid" 788 "(%s) failed for (dev %s, type %s) errno=%d\n", 789 mount_options[i], sb->s_id, name, rc); 790 goto out; 791 } 792 switch (flags[i]) { 793 case FSCONTEXT_MNT: 794 fscontext_sid = sid; 795 796 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 797 fscontext_sid)) 798 goto out_double_mount; 799 800 sbsec->flags |= FSCONTEXT_MNT; 801 break; 802 case CONTEXT_MNT: 803 context_sid = sid; 804 805 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 806 context_sid)) 807 goto out_double_mount; 808 809 sbsec->flags |= CONTEXT_MNT; 810 break; 811 case ROOTCONTEXT_MNT: 812 rootcontext_sid = sid; 813 814 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 815 rootcontext_sid)) 816 goto out_double_mount; 817 818 sbsec->flags |= ROOTCONTEXT_MNT; 819 820 break; 821 case DEFCONTEXT_MNT: 822 defcontext_sid = sid; 823 824 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 825 defcontext_sid)) 826 goto out_double_mount; 827 828 sbsec->flags |= DEFCONTEXT_MNT; 829 830 break; 831 default: 832 rc = -EINVAL; 833 goto out; 834 } 835 } 836 837 if (sbsec->flags & SE_SBINITIALIZED) { 838 /* previously mounted with options, but not on this attempt? */ 839 if ((sbsec->flags & SE_MNTMASK) && !num_opts) 840 goto out_double_mount; 841 rc = 0; 842 goto out; 843 } 844 845 if (strcmp(sb->s_type->name, "proc") == 0) 846 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 847 848 if (!strcmp(sb->s_type->name, "debugfs") || 849 !strcmp(sb->s_type->name, "tracefs") || 850 !strcmp(sb->s_type->name, "sysfs") || 851 !strcmp(sb->s_type->name, "pstore") || 852 !strcmp(sb->s_type->name, "cgroup") || 853 !strcmp(sb->s_type->name, "cgroup2")) 854 sbsec->flags |= SE_SBGENFS; 855 856 if (!sbsec->behavior) { 857 /* 858 * Determine the labeling behavior to use for this 859 * filesystem type. 860 */ 861 rc = security_fs_use(&selinux_state, sb); 862 if (rc) { 863 pr_warn("%s: security_fs_use(%s) returned %d\n", 864 __func__, sb->s_type->name, rc); 865 goto out; 866 } 867 } 868 869 /* 870 * If this is a user namespace mount and the filesystem type is not 871 * explicitly whitelisted, then no contexts are allowed on the command 872 * line and security labels must be ignored. 873 */ 874 if (sb->s_user_ns != &init_user_ns && 875 strcmp(sb->s_type->name, "tmpfs") && 876 strcmp(sb->s_type->name, "ramfs") && 877 strcmp(sb->s_type->name, "devpts")) { 878 if (context_sid || fscontext_sid || rootcontext_sid || 879 defcontext_sid) { 880 rc = -EACCES; 881 goto out; 882 } 883 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 884 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 885 rc = security_transition_sid(&selinux_state, 886 current_sid(), 887 current_sid(), 888 SECCLASS_FILE, NULL, 889 &sbsec->mntpoint_sid); 890 if (rc) 891 goto out; 892 } 893 goto out_set_opts; 894 } 895 896 /* sets the context of the superblock for the fs being mounted. */ 897 if (fscontext_sid) { 898 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 899 if (rc) 900 goto out; 901 902 sbsec->sid = fscontext_sid; 903 } 904 905 /* 906 * Switch to using mount point labeling behavior. 907 * sets the label used on all file below the mountpoint, and will set 908 * the superblock context if not already set. 909 */ 910 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 911 sbsec->behavior = SECURITY_FS_USE_NATIVE; 912 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 913 } 914 915 if (context_sid) { 916 if (!fscontext_sid) { 917 rc = may_context_mount_sb_relabel(context_sid, sbsec, 918 cred); 919 if (rc) 920 goto out; 921 sbsec->sid = context_sid; 922 } else { 923 rc = may_context_mount_inode_relabel(context_sid, sbsec, 924 cred); 925 if (rc) 926 goto out; 927 } 928 if (!rootcontext_sid) 929 rootcontext_sid = context_sid; 930 931 sbsec->mntpoint_sid = context_sid; 932 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 933 } 934 935 if (rootcontext_sid) { 936 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 937 cred); 938 if (rc) 939 goto out; 940 941 root_isec->sid = rootcontext_sid; 942 root_isec->initialized = LABEL_INITIALIZED; 943 } 944 945 if (defcontext_sid) { 946 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 947 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 948 rc = -EINVAL; 949 pr_warn("SELinux: defcontext option is " 950 "invalid for this filesystem type\n"); 951 goto out; 952 } 953 954 if (defcontext_sid != sbsec->def_sid) { 955 rc = may_context_mount_inode_relabel(defcontext_sid, 956 sbsec, cred); 957 if (rc) 958 goto out; 959 } 960 961 sbsec->def_sid = defcontext_sid; 962 } 963 964 out_set_opts: 965 rc = sb_finish_set_opts(sb); 966 out: 967 mutex_unlock(&sbsec->lock); 968 return rc; 969 out_double_mount: 970 rc = -EINVAL; 971 pr_warn("SELinux: mount invalid. Same superblock, different " 972 "security settings for (dev %s, type %s)\n", sb->s_id, name); 973 goto out; 974 } 975 976 static int selinux_cmp_sb_context(const struct super_block *oldsb, 977 const struct super_block *newsb) 978 { 979 struct superblock_security_struct *old = oldsb->s_security; 980 struct superblock_security_struct *new = newsb->s_security; 981 char oldflags = old->flags & SE_MNTMASK; 982 char newflags = new->flags & SE_MNTMASK; 983 984 if (oldflags != newflags) 985 goto mismatch; 986 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 987 goto mismatch; 988 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 989 goto mismatch; 990 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 991 goto mismatch; 992 if (oldflags & ROOTCONTEXT_MNT) { 993 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 994 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 995 if (oldroot->sid != newroot->sid) 996 goto mismatch; 997 } 998 return 0; 999 mismatch: 1000 pr_warn("SELinux: mount invalid. Same superblock, " 1001 "different security settings for (dev %s, " 1002 "type %s)\n", newsb->s_id, newsb->s_type->name); 1003 return -EBUSY; 1004 } 1005 1006 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 1007 struct super_block *newsb, 1008 unsigned long kern_flags, 1009 unsigned long *set_kern_flags) 1010 { 1011 int rc = 0; 1012 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 1013 struct superblock_security_struct *newsbsec = newsb->s_security; 1014 1015 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 1016 int set_context = (oldsbsec->flags & CONTEXT_MNT); 1017 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 1018 1019 /* 1020 * if the parent was able to be mounted it clearly had no special lsm 1021 * mount options. thus we can safely deal with this superblock later 1022 */ 1023 if (!selinux_state.initialized) 1024 return 0; 1025 1026 /* 1027 * Specifying internal flags without providing a place to 1028 * place the results is not allowed. 1029 */ 1030 if (kern_flags && !set_kern_flags) 1031 return -EINVAL; 1032 1033 /* how can we clone if the old one wasn't set up?? */ 1034 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 1035 1036 /* if fs is reusing a sb, make sure that the contexts match */ 1037 if (newsbsec->flags & SE_SBINITIALIZED) 1038 return selinux_cmp_sb_context(oldsb, newsb); 1039 1040 mutex_lock(&newsbsec->lock); 1041 1042 newsbsec->flags = oldsbsec->flags; 1043 1044 newsbsec->sid = oldsbsec->sid; 1045 newsbsec->def_sid = oldsbsec->def_sid; 1046 newsbsec->behavior = oldsbsec->behavior; 1047 1048 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 1049 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 1050 rc = security_fs_use(&selinux_state, newsb); 1051 if (rc) 1052 goto out; 1053 } 1054 1055 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 1056 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 1057 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 1058 } 1059 1060 if (set_context) { 1061 u32 sid = oldsbsec->mntpoint_sid; 1062 1063 if (!set_fscontext) 1064 newsbsec->sid = sid; 1065 if (!set_rootcontext) { 1066 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1067 newisec->sid = sid; 1068 } 1069 newsbsec->mntpoint_sid = sid; 1070 } 1071 if (set_rootcontext) { 1072 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 1073 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1074 1075 newisec->sid = oldisec->sid; 1076 } 1077 1078 sb_finish_set_opts(newsb); 1079 out: 1080 mutex_unlock(&newsbsec->lock); 1081 return rc; 1082 } 1083 1084 static int selinux_parse_opts_str(char *options, 1085 struct security_mnt_opts *opts) 1086 { 1087 char *p; 1088 char *context = NULL, *defcontext = NULL; 1089 char *fscontext = NULL, *rootcontext = NULL; 1090 int rc, num_mnt_opts = 0; 1091 1092 opts->num_mnt_opts = 0; 1093 1094 /* Standard string-based options. */ 1095 while ((p = strsep(&options, "|")) != NULL) { 1096 int token; 1097 substring_t args[MAX_OPT_ARGS]; 1098 1099 if (!*p) 1100 continue; 1101 1102 token = match_token(p, tokens, args); 1103 1104 switch (token) { 1105 case Opt_context: 1106 if (context || defcontext) { 1107 rc = -EINVAL; 1108 pr_warn(SEL_MOUNT_FAIL_MSG); 1109 goto out_err; 1110 } 1111 context = match_strdup(&args[0]); 1112 if (!context) { 1113 rc = -ENOMEM; 1114 goto out_err; 1115 } 1116 break; 1117 1118 case Opt_fscontext: 1119 if (fscontext) { 1120 rc = -EINVAL; 1121 pr_warn(SEL_MOUNT_FAIL_MSG); 1122 goto out_err; 1123 } 1124 fscontext = match_strdup(&args[0]); 1125 if (!fscontext) { 1126 rc = -ENOMEM; 1127 goto out_err; 1128 } 1129 break; 1130 1131 case Opt_rootcontext: 1132 if (rootcontext) { 1133 rc = -EINVAL; 1134 pr_warn(SEL_MOUNT_FAIL_MSG); 1135 goto out_err; 1136 } 1137 rootcontext = match_strdup(&args[0]); 1138 if (!rootcontext) { 1139 rc = -ENOMEM; 1140 goto out_err; 1141 } 1142 break; 1143 1144 case Opt_defcontext: 1145 if (context || defcontext) { 1146 rc = -EINVAL; 1147 pr_warn(SEL_MOUNT_FAIL_MSG); 1148 goto out_err; 1149 } 1150 defcontext = match_strdup(&args[0]); 1151 if (!defcontext) { 1152 rc = -ENOMEM; 1153 goto out_err; 1154 } 1155 break; 1156 case Opt_labelsupport: 1157 break; 1158 default: 1159 rc = -EINVAL; 1160 pr_warn("SELinux: unknown mount option\n"); 1161 goto out_err; 1162 1163 } 1164 } 1165 1166 rc = -ENOMEM; 1167 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL); 1168 if (!opts->mnt_opts) 1169 goto out_err; 1170 1171 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), 1172 GFP_KERNEL); 1173 if (!opts->mnt_opts_flags) 1174 goto out_err; 1175 1176 if (fscontext) { 1177 opts->mnt_opts[num_mnt_opts] = fscontext; 1178 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 1179 } 1180 if (context) { 1181 opts->mnt_opts[num_mnt_opts] = context; 1182 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 1183 } 1184 if (rootcontext) { 1185 opts->mnt_opts[num_mnt_opts] = rootcontext; 1186 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 1187 } 1188 if (defcontext) { 1189 opts->mnt_opts[num_mnt_opts] = defcontext; 1190 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 1191 } 1192 1193 opts->num_mnt_opts = num_mnt_opts; 1194 return 0; 1195 1196 out_err: 1197 security_free_mnt_opts(opts); 1198 kfree(context); 1199 kfree(defcontext); 1200 kfree(fscontext); 1201 kfree(rootcontext); 1202 return rc; 1203 } 1204 /* 1205 * string mount options parsing and call set the sbsec 1206 */ 1207 static int superblock_doinit(struct super_block *sb, void *data) 1208 { 1209 int rc = 0; 1210 char *options = data; 1211 struct security_mnt_opts opts; 1212 1213 security_init_mnt_opts(&opts); 1214 1215 if (!data) 1216 goto out; 1217 1218 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 1219 1220 rc = selinux_parse_opts_str(options, &opts); 1221 if (rc) 1222 goto out_err; 1223 1224 out: 1225 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL); 1226 1227 out_err: 1228 security_free_mnt_opts(&opts); 1229 return rc; 1230 } 1231 1232 static void selinux_write_opts(struct seq_file *m, 1233 struct security_mnt_opts *opts) 1234 { 1235 int i; 1236 char *prefix; 1237 1238 for (i = 0; i < opts->num_mnt_opts; i++) { 1239 char *has_comma; 1240 1241 if (opts->mnt_opts[i]) 1242 has_comma = strchr(opts->mnt_opts[i], ','); 1243 else 1244 has_comma = NULL; 1245 1246 switch (opts->mnt_opts_flags[i]) { 1247 case CONTEXT_MNT: 1248 prefix = CONTEXT_STR; 1249 break; 1250 case FSCONTEXT_MNT: 1251 prefix = FSCONTEXT_STR; 1252 break; 1253 case ROOTCONTEXT_MNT: 1254 prefix = ROOTCONTEXT_STR; 1255 break; 1256 case DEFCONTEXT_MNT: 1257 prefix = DEFCONTEXT_STR; 1258 break; 1259 case SBLABEL_MNT: 1260 seq_putc(m, ','); 1261 seq_puts(m, LABELSUPP_STR); 1262 continue; 1263 default: 1264 BUG(); 1265 return; 1266 }; 1267 /* we need a comma before each option */ 1268 seq_putc(m, ','); 1269 seq_puts(m, prefix); 1270 if (has_comma) 1271 seq_putc(m, '\"'); 1272 seq_escape(m, opts->mnt_opts[i], "\"\n\\"); 1273 if (has_comma) 1274 seq_putc(m, '\"'); 1275 } 1276 } 1277 1278 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1279 { 1280 struct security_mnt_opts opts; 1281 int rc; 1282 1283 rc = selinux_get_mnt_opts(sb, &opts); 1284 if (rc) { 1285 /* before policy load we may get EINVAL, don't show anything */ 1286 if (rc == -EINVAL) 1287 rc = 0; 1288 return rc; 1289 } 1290 1291 selinux_write_opts(m, &opts); 1292 1293 security_free_mnt_opts(&opts); 1294 1295 return rc; 1296 } 1297 1298 static inline u16 inode_mode_to_security_class(umode_t mode) 1299 { 1300 switch (mode & S_IFMT) { 1301 case S_IFSOCK: 1302 return SECCLASS_SOCK_FILE; 1303 case S_IFLNK: 1304 return SECCLASS_LNK_FILE; 1305 case S_IFREG: 1306 return SECCLASS_FILE; 1307 case S_IFBLK: 1308 return SECCLASS_BLK_FILE; 1309 case S_IFDIR: 1310 return SECCLASS_DIR; 1311 case S_IFCHR: 1312 return SECCLASS_CHR_FILE; 1313 case S_IFIFO: 1314 return SECCLASS_FIFO_FILE; 1315 1316 } 1317 1318 return SECCLASS_FILE; 1319 } 1320 1321 static inline int default_protocol_stream(int protocol) 1322 { 1323 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1324 } 1325 1326 static inline int default_protocol_dgram(int protocol) 1327 { 1328 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1329 } 1330 1331 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1332 { 1333 int extsockclass = selinux_policycap_extsockclass(); 1334 1335 switch (family) { 1336 case PF_UNIX: 1337 switch (type) { 1338 case SOCK_STREAM: 1339 case SOCK_SEQPACKET: 1340 return SECCLASS_UNIX_STREAM_SOCKET; 1341 case SOCK_DGRAM: 1342 case SOCK_RAW: 1343 return SECCLASS_UNIX_DGRAM_SOCKET; 1344 } 1345 break; 1346 case PF_INET: 1347 case PF_INET6: 1348 switch (type) { 1349 case SOCK_STREAM: 1350 case SOCK_SEQPACKET: 1351 if (default_protocol_stream(protocol)) 1352 return SECCLASS_TCP_SOCKET; 1353 else if (extsockclass && protocol == IPPROTO_SCTP) 1354 return SECCLASS_SCTP_SOCKET; 1355 else 1356 return SECCLASS_RAWIP_SOCKET; 1357 case SOCK_DGRAM: 1358 if (default_protocol_dgram(protocol)) 1359 return SECCLASS_UDP_SOCKET; 1360 else if (extsockclass && (protocol == IPPROTO_ICMP || 1361 protocol == IPPROTO_ICMPV6)) 1362 return SECCLASS_ICMP_SOCKET; 1363 else 1364 return SECCLASS_RAWIP_SOCKET; 1365 case SOCK_DCCP: 1366 return SECCLASS_DCCP_SOCKET; 1367 default: 1368 return SECCLASS_RAWIP_SOCKET; 1369 } 1370 break; 1371 case PF_NETLINK: 1372 switch (protocol) { 1373 case NETLINK_ROUTE: 1374 return SECCLASS_NETLINK_ROUTE_SOCKET; 1375 case NETLINK_SOCK_DIAG: 1376 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1377 case NETLINK_NFLOG: 1378 return SECCLASS_NETLINK_NFLOG_SOCKET; 1379 case NETLINK_XFRM: 1380 return SECCLASS_NETLINK_XFRM_SOCKET; 1381 case NETLINK_SELINUX: 1382 return SECCLASS_NETLINK_SELINUX_SOCKET; 1383 case NETLINK_ISCSI: 1384 return SECCLASS_NETLINK_ISCSI_SOCKET; 1385 case NETLINK_AUDIT: 1386 return SECCLASS_NETLINK_AUDIT_SOCKET; 1387 case NETLINK_FIB_LOOKUP: 1388 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1389 case NETLINK_CONNECTOR: 1390 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1391 case NETLINK_NETFILTER: 1392 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1393 case NETLINK_DNRTMSG: 1394 return SECCLASS_NETLINK_DNRT_SOCKET; 1395 case NETLINK_KOBJECT_UEVENT: 1396 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1397 case NETLINK_GENERIC: 1398 return SECCLASS_NETLINK_GENERIC_SOCKET; 1399 case NETLINK_SCSITRANSPORT: 1400 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1401 case NETLINK_RDMA: 1402 return SECCLASS_NETLINK_RDMA_SOCKET; 1403 case NETLINK_CRYPTO: 1404 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1405 default: 1406 return SECCLASS_NETLINK_SOCKET; 1407 } 1408 case PF_PACKET: 1409 return SECCLASS_PACKET_SOCKET; 1410 case PF_KEY: 1411 return SECCLASS_KEY_SOCKET; 1412 case PF_APPLETALK: 1413 return SECCLASS_APPLETALK_SOCKET; 1414 } 1415 1416 if (extsockclass) { 1417 switch (family) { 1418 case PF_AX25: 1419 return SECCLASS_AX25_SOCKET; 1420 case PF_IPX: 1421 return SECCLASS_IPX_SOCKET; 1422 case PF_NETROM: 1423 return SECCLASS_NETROM_SOCKET; 1424 case PF_ATMPVC: 1425 return SECCLASS_ATMPVC_SOCKET; 1426 case PF_X25: 1427 return SECCLASS_X25_SOCKET; 1428 case PF_ROSE: 1429 return SECCLASS_ROSE_SOCKET; 1430 case PF_DECnet: 1431 return SECCLASS_DECNET_SOCKET; 1432 case PF_ATMSVC: 1433 return SECCLASS_ATMSVC_SOCKET; 1434 case PF_RDS: 1435 return SECCLASS_RDS_SOCKET; 1436 case PF_IRDA: 1437 return SECCLASS_IRDA_SOCKET; 1438 case PF_PPPOX: 1439 return SECCLASS_PPPOX_SOCKET; 1440 case PF_LLC: 1441 return SECCLASS_LLC_SOCKET; 1442 case PF_CAN: 1443 return SECCLASS_CAN_SOCKET; 1444 case PF_TIPC: 1445 return SECCLASS_TIPC_SOCKET; 1446 case PF_BLUETOOTH: 1447 return SECCLASS_BLUETOOTH_SOCKET; 1448 case PF_IUCV: 1449 return SECCLASS_IUCV_SOCKET; 1450 case PF_RXRPC: 1451 return SECCLASS_RXRPC_SOCKET; 1452 case PF_ISDN: 1453 return SECCLASS_ISDN_SOCKET; 1454 case PF_PHONET: 1455 return SECCLASS_PHONET_SOCKET; 1456 case PF_IEEE802154: 1457 return SECCLASS_IEEE802154_SOCKET; 1458 case PF_CAIF: 1459 return SECCLASS_CAIF_SOCKET; 1460 case PF_ALG: 1461 return SECCLASS_ALG_SOCKET; 1462 case PF_NFC: 1463 return SECCLASS_NFC_SOCKET; 1464 case PF_VSOCK: 1465 return SECCLASS_VSOCK_SOCKET; 1466 case PF_KCM: 1467 return SECCLASS_KCM_SOCKET; 1468 case PF_QIPCRTR: 1469 return SECCLASS_QIPCRTR_SOCKET; 1470 case PF_SMC: 1471 return SECCLASS_SMC_SOCKET; 1472 case PF_XDP: 1473 return SECCLASS_XDP_SOCKET; 1474 #if PF_MAX > 45 1475 #error New address family defined, please update this function. 1476 #endif 1477 } 1478 } 1479 1480 return SECCLASS_SOCKET; 1481 } 1482 1483 static int selinux_genfs_get_sid(struct dentry *dentry, 1484 u16 tclass, 1485 u16 flags, 1486 u32 *sid) 1487 { 1488 int rc; 1489 struct super_block *sb = dentry->d_sb; 1490 char *buffer, *path; 1491 1492 buffer = (char *)__get_free_page(GFP_KERNEL); 1493 if (!buffer) 1494 return -ENOMEM; 1495 1496 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1497 if (IS_ERR(path)) 1498 rc = PTR_ERR(path); 1499 else { 1500 if (flags & SE_SBPROC) { 1501 /* each process gets a /proc/PID/ entry. Strip off the 1502 * PID part to get a valid selinux labeling. 1503 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1504 while (path[1] >= '0' && path[1] <= '9') { 1505 path[1] = '/'; 1506 path++; 1507 } 1508 } 1509 rc = security_genfs_sid(&selinux_state, sb->s_type->name, 1510 path, tclass, sid); 1511 if (rc == -ENOENT) { 1512 /* No match in policy, mark as unlabeled. */ 1513 *sid = SECINITSID_UNLABELED; 1514 rc = 0; 1515 } 1516 } 1517 free_page((unsigned long)buffer); 1518 return rc; 1519 } 1520 1521 /* The inode's security attributes must be initialized before first use. */ 1522 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1523 { 1524 struct superblock_security_struct *sbsec = NULL; 1525 struct inode_security_struct *isec = inode->i_security; 1526 u32 task_sid, sid = 0; 1527 u16 sclass; 1528 struct dentry *dentry; 1529 #define INITCONTEXTLEN 255 1530 char *context = NULL; 1531 unsigned len = 0; 1532 int rc = 0; 1533 1534 if (isec->initialized == LABEL_INITIALIZED) 1535 return 0; 1536 1537 spin_lock(&isec->lock); 1538 if (isec->initialized == LABEL_INITIALIZED) 1539 goto out_unlock; 1540 1541 if (isec->sclass == SECCLASS_FILE) 1542 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1543 1544 sbsec = inode->i_sb->s_security; 1545 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1546 /* Defer initialization until selinux_complete_init, 1547 after the initial policy is loaded and the security 1548 server is ready to handle calls. */ 1549 spin_lock(&sbsec->isec_lock); 1550 if (list_empty(&isec->list)) 1551 list_add(&isec->list, &sbsec->isec_head); 1552 spin_unlock(&sbsec->isec_lock); 1553 goto out_unlock; 1554 } 1555 1556 sclass = isec->sclass; 1557 task_sid = isec->task_sid; 1558 sid = isec->sid; 1559 isec->initialized = LABEL_PENDING; 1560 spin_unlock(&isec->lock); 1561 1562 switch (sbsec->behavior) { 1563 case SECURITY_FS_USE_NATIVE: 1564 break; 1565 case SECURITY_FS_USE_XATTR: 1566 if (!(inode->i_opflags & IOP_XATTR)) { 1567 sid = sbsec->def_sid; 1568 break; 1569 } 1570 /* Need a dentry, since the xattr API requires one. 1571 Life would be simpler if we could just pass the inode. */ 1572 if (opt_dentry) { 1573 /* Called from d_instantiate or d_splice_alias. */ 1574 dentry = dget(opt_dentry); 1575 } else { 1576 /* 1577 * Called from selinux_complete_init, try to find a dentry. 1578 * Some filesystems really want a connected one, so try 1579 * that first. We could split SECURITY_FS_USE_XATTR in 1580 * two, depending upon that... 1581 */ 1582 dentry = d_find_alias(inode); 1583 if (!dentry) 1584 dentry = d_find_any_alias(inode); 1585 } 1586 if (!dentry) { 1587 /* 1588 * this is can be hit on boot when a file is accessed 1589 * before the policy is loaded. When we load policy we 1590 * may find inodes that have no dentry on the 1591 * sbsec->isec_head list. No reason to complain as these 1592 * will get fixed up the next time we go through 1593 * inode_doinit with a dentry, before these inodes could 1594 * be used again by userspace. 1595 */ 1596 goto out; 1597 } 1598 1599 len = INITCONTEXTLEN; 1600 context = kmalloc(len+1, GFP_NOFS); 1601 if (!context) { 1602 rc = -ENOMEM; 1603 dput(dentry); 1604 goto out; 1605 } 1606 context[len] = '\0'; 1607 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1608 if (rc == -ERANGE) { 1609 kfree(context); 1610 1611 /* Need a larger buffer. Query for the right size. */ 1612 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1613 if (rc < 0) { 1614 dput(dentry); 1615 goto out; 1616 } 1617 len = rc; 1618 context = kmalloc(len+1, GFP_NOFS); 1619 if (!context) { 1620 rc = -ENOMEM; 1621 dput(dentry); 1622 goto out; 1623 } 1624 context[len] = '\0'; 1625 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1626 } 1627 dput(dentry); 1628 if (rc < 0) { 1629 if (rc != -ENODATA) { 1630 pr_warn("SELinux: %s: getxattr returned " 1631 "%d for dev=%s ino=%ld\n", __func__, 1632 -rc, inode->i_sb->s_id, inode->i_ino); 1633 kfree(context); 1634 goto out; 1635 } 1636 /* Map ENODATA to the default file SID */ 1637 sid = sbsec->def_sid; 1638 rc = 0; 1639 } else { 1640 rc = security_context_to_sid_default(&selinux_state, 1641 context, rc, &sid, 1642 sbsec->def_sid, 1643 GFP_NOFS); 1644 if (rc) { 1645 char *dev = inode->i_sb->s_id; 1646 unsigned long ino = inode->i_ino; 1647 1648 if (rc == -EINVAL) { 1649 if (printk_ratelimit()) 1650 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid " 1651 "context=%s. This indicates you may need to relabel the inode or the " 1652 "filesystem in question.\n", ino, dev, context); 1653 } else { 1654 pr_warn("SELinux: %s: context_to_sid(%s) " 1655 "returned %d for dev=%s ino=%ld\n", 1656 __func__, context, -rc, dev, ino); 1657 } 1658 kfree(context); 1659 /* Leave with the unlabeled SID */ 1660 rc = 0; 1661 break; 1662 } 1663 } 1664 kfree(context); 1665 break; 1666 case SECURITY_FS_USE_TASK: 1667 sid = task_sid; 1668 break; 1669 case SECURITY_FS_USE_TRANS: 1670 /* Default to the fs SID. */ 1671 sid = sbsec->sid; 1672 1673 /* Try to obtain a transition SID. */ 1674 rc = security_transition_sid(&selinux_state, task_sid, sid, 1675 sclass, NULL, &sid); 1676 if (rc) 1677 goto out; 1678 break; 1679 case SECURITY_FS_USE_MNTPOINT: 1680 sid = sbsec->mntpoint_sid; 1681 break; 1682 default: 1683 /* Default to the fs superblock SID. */ 1684 sid = sbsec->sid; 1685 1686 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { 1687 /* We must have a dentry to determine the label on 1688 * procfs inodes */ 1689 if (opt_dentry) { 1690 /* Called from d_instantiate or 1691 * d_splice_alias. */ 1692 dentry = dget(opt_dentry); 1693 } else { 1694 /* Called from selinux_complete_init, try to 1695 * find a dentry. Some filesystems really want 1696 * a connected one, so try that first. 1697 */ 1698 dentry = d_find_alias(inode); 1699 if (!dentry) 1700 dentry = d_find_any_alias(inode); 1701 } 1702 /* 1703 * This can be hit on boot when a file is accessed 1704 * before the policy is loaded. When we load policy we 1705 * may find inodes that have no dentry on the 1706 * sbsec->isec_head list. No reason to complain as 1707 * these will get fixed up the next time we go through 1708 * inode_doinit() with a dentry, before these inodes 1709 * could be used again by userspace. 1710 */ 1711 if (!dentry) 1712 goto out; 1713 rc = selinux_genfs_get_sid(dentry, sclass, 1714 sbsec->flags, &sid); 1715 dput(dentry); 1716 if (rc) 1717 goto out; 1718 } 1719 break; 1720 } 1721 1722 out: 1723 spin_lock(&isec->lock); 1724 if (isec->initialized == LABEL_PENDING) { 1725 if (!sid || rc) { 1726 isec->initialized = LABEL_INVALID; 1727 goto out_unlock; 1728 } 1729 1730 isec->initialized = LABEL_INITIALIZED; 1731 isec->sid = sid; 1732 } 1733 1734 out_unlock: 1735 spin_unlock(&isec->lock); 1736 return rc; 1737 } 1738 1739 /* Convert a Linux signal to an access vector. */ 1740 static inline u32 signal_to_av(int sig) 1741 { 1742 u32 perm = 0; 1743 1744 switch (sig) { 1745 case SIGCHLD: 1746 /* Commonly granted from child to parent. */ 1747 perm = PROCESS__SIGCHLD; 1748 break; 1749 case SIGKILL: 1750 /* Cannot be caught or ignored */ 1751 perm = PROCESS__SIGKILL; 1752 break; 1753 case SIGSTOP: 1754 /* Cannot be caught or ignored */ 1755 perm = PROCESS__SIGSTOP; 1756 break; 1757 default: 1758 /* All other signals. */ 1759 perm = PROCESS__SIGNAL; 1760 break; 1761 } 1762 1763 return perm; 1764 } 1765 1766 #if CAP_LAST_CAP > 63 1767 #error Fix SELinux to handle capabilities > 63. 1768 #endif 1769 1770 /* Check whether a task is allowed to use a capability. */ 1771 static int cred_has_capability(const struct cred *cred, 1772 int cap, int audit, bool initns) 1773 { 1774 struct common_audit_data ad; 1775 struct av_decision avd; 1776 u16 sclass; 1777 u32 sid = cred_sid(cred); 1778 u32 av = CAP_TO_MASK(cap); 1779 int rc; 1780 1781 ad.type = LSM_AUDIT_DATA_CAP; 1782 ad.u.cap = cap; 1783 1784 switch (CAP_TO_INDEX(cap)) { 1785 case 0: 1786 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1787 break; 1788 case 1: 1789 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1790 break; 1791 default: 1792 pr_err("SELinux: out of range capability %d\n", cap); 1793 BUG(); 1794 return -EINVAL; 1795 } 1796 1797 rc = avc_has_perm_noaudit(&selinux_state, 1798 sid, sid, sclass, av, 0, &avd); 1799 if (audit == SECURITY_CAP_AUDIT) { 1800 int rc2 = avc_audit(&selinux_state, 1801 sid, sid, sclass, av, &avd, rc, &ad, 0); 1802 if (rc2) 1803 return rc2; 1804 } 1805 return rc; 1806 } 1807 1808 /* Check whether a task has a particular permission to an inode. 1809 The 'adp' parameter is optional and allows other audit 1810 data to be passed (e.g. the dentry). */ 1811 static int inode_has_perm(const struct cred *cred, 1812 struct inode *inode, 1813 u32 perms, 1814 struct common_audit_data *adp) 1815 { 1816 struct inode_security_struct *isec; 1817 u32 sid; 1818 1819 validate_creds(cred); 1820 1821 if (unlikely(IS_PRIVATE(inode))) 1822 return 0; 1823 1824 sid = cred_sid(cred); 1825 isec = inode->i_security; 1826 1827 return avc_has_perm(&selinux_state, 1828 sid, isec->sid, isec->sclass, perms, adp); 1829 } 1830 1831 /* Same as inode_has_perm, but pass explicit audit data containing 1832 the dentry to help the auditing code to more easily generate the 1833 pathname if needed. */ 1834 static inline int dentry_has_perm(const struct cred *cred, 1835 struct dentry *dentry, 1836 u32 av) 1837 { 1838 struct inode *inode = d_backing_inode(dentry); 1839 struct common_audit_data ad; 1840 1841 ad.type = LSM_AUDIT_DATA_DENTRY; 1842 ad.u.dentry = dentry; 1843 __inode_security_revalidate(inode, dentry, true); 1844 return inode_has_perm(cred, inode, av, &ad); 1845 } 1846 1847 /* Same as inode_has_perm, but pass explicit audit data containing 1848 the path to help the auditing code to more easily generate the 1849 pathname if needed. */ 1850 static inline int path_has_perm(const struct cred *cred, 1851 const struct path *path, 1852 u32 av) 1853 { 1854 struct inode *inode = d_backing_inode(path->dentry); 1855 struct common_audit_data ad; 1856 1857 ad.type = LSM_AUDIT_DATA_PATH; 1858 ad.u.path = *path; 1859 __inode_security_revalidate(inode, path->dentry, true); 1860 return inode_has_perm(cred, inode, av, &ad); 1861 } 1862 1863 /* Same as path_has_perm, but uses the inode from the file struct. */ 1864 static inline int file_path_has_perm(const struct cred *cred, 1865 struct file *file, 1866 u32 av) 1867 { 1868 struct common_audit_data ad; 1869 1870 ad.type = LSM_AUDIT_DATA_FILE; 1871 ad.u.file = file; 1872 return inode_has_perm(cred, file_inode(file), av, &ad); 1873 } 1874 1875 #ifdef CONFIG_BPF_SYSCALL 1876 static int bpf_fd_pass(struct file *file, u32 sid); 1877 #endif 1878 1879 /* Check whether a task can use an open file descriptor to 1880 access an inode in a given way. Check access to the 1881 descriptor itself, and then use dentry_has_perm to 1882 check a particular permission to the file. 1883 Access to the descriptor is implicitly granted if it 1884 has the same SID as the process. If av is zero, then 1885 access to the file is not checked, e.g. for cases 1886 where only the descriptor is affected like seek. */ 1887 static int file_has_perm(const struct cred *cred, 1888 struct file *file, 1889 u32 av) 1890 { 1891 struct file_security_struct *fsec = file->f_security; 1892 struct inode *inode = file_inode(file); 1893 struct common_audit_data ad; 1894 u32 sid = cred_sid(cred); 1895 int rc; 1896 1897 ad.type = LSM_AUDIT_DATA_FILE; 1898 ad.u.file = file; 1899 1900 if (sid != fsec->sid) { 1901 rc = avc_has_perm(&selinux_state, 1902 sid, fsec->sid, 1903 SECCLASS_FD, 1904 FD__USE, 1905 &ad); 1906 if (rc) 1907 goto out; 1908 } 1909 1910 #ifdef CONFIG_BPF_SYSCALL 1911 rc = bpf_fd_pass(file, cred_sid(cred)); 1912 if (rc) 1913 return rc; 1914 #endif 1915 1916 /* av is zero if only checking access to the descriptor. */ 1917 rc = 0; 1918 if (av) 1919 rc = inode_has_perm(cred, inode, av, &ad); 1920 1921 out: 1922 return rc; 1923 } 1924 1925 /* 1926 * Determine the label for an inode that might be unioned. 1927 */ 1928 static int 1929 selinux_determine_inode_label(const struct task_security_struct *tsec, 1930 struct inode *dir, 1931 const struct qstr *name, u16 tclass, 1932 u32 *_new_isid) 1933 { 1934 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1935 1936 if ((sbsec->flags & SE_SBINITIALIZED) && 1937 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1938 *_new_isid = sbsec->mntpoint_sid; 1939 } else if ((sbsec->flags & SBLABEL_MNT) && 1940 tsec->create_sid) { 1941 *_new_isid = tsec->create_sid; 1942 } else { 1943 const struct inode_security_struct *dsec = inode_security(dir); 1944 return security_transition_sid(&selinux_state, tsec->sid, 1945 dsec->sid, tclass, 1946 name, _new_isid); 1947 } 1948 1949 return 0; 1950 } 1951 1952 /* Check whether a task can create a file. */ 1953 static int may_create(struct inode *dir, 1954 struct dentry *dentry, 1955 u16 tclass) 1956 { 1957 const struct task_security_struct *tsec = current_security(); 1958 struct inode_security_struct *dsec; 1959 struct superblock_security_struct *sbsec; 1960 u32 sid, newsid; 1961 struct common_audit_data ad; 1962 int rc; 1963 1964 dsec = inode_security(dir); 1965 sbsec = dir->i_sb->s_security; 1966 1967 sid = tsec->sid; 1968 1969 ad.type = LSM_AUDIT_DATA_DENTRY; 1970 ad.u.dentry = dentry; 1971 1972 rc = avc_has_perm(&selinux_state, 1973 sid, dsec->sid, SECCLASS_DIR, 1974 DIR__ADD_NAME | DIR__SEARCH, 1975 &ad); 1976 if (rc) 1977 return rc; 1978 1979 rc = selinux_determine_inode_label(current_security(), dir, 1980 &dentry->d_name, tclass, &newsid); 1981 if (rc) 1982 return rc; 1983 1984 rc = avc_has_perm(&selinux_state, 1985 sid, newsid, tclass, FILE__CREATE, &ad); 1986 if (rc) 1987 return rc; 1988 1989 return avc_has_perm(&selinux_state, 1990 newsid, sbsec->sid, 1991 SECCLASS_FILESYSTEM, 1992 FILESYSTEM__ASSOCIATE, &ad); 1993 } 1994 1995 #define MAY_LINK 0 1996 #define MAY_UNLINK 1 1997 #define MAY_RMDIR 2 1998 1999 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 2000 static int may_link(struct inode *dir, 2001 struct dentry *dentry, 2002 int kind) 2003 2004 { 2005 struct inode_security_struct *dsec, *isec; 2006 struct common_audit_data ad; 2007 u32 sid = current_sid(); 2008 u32 av; 2009 int rc; 2010 2011 dsec = inode_security(dir); 2012 isec = backing_inode_security(dentry); 2013 2014 ad.type = LSM_AUDIT_DATA_DENTRY; 2015 ad.u.dentry = dentry; 2016 2017 av = DIR__SEARCH; 2018 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 2019 rc = avc_has_perm(&selinux_state, 2020 sid, dsec->sid, SECCLASS_DIR, av, &ad); 2021 if (rc) 2022 return rc; 2023 2024 switch (kind) { 2025 case MAY_LINK: 2026 av = FILE__LINK; 2027 break; 2028 case MAY_UNLINK: 2029 av = FILE__UNLINK; 2030 break; 2031 case MAY_RMDIR: 2032 av = DIR__RMDIR; 2033 break; 2034 default: 2035 pr_warn("SELinux: %s: unrecognized kind %d\n", 2036 __func__, kind); 2037 return 0; 2038 } 2039 2040 rc = avc_has_perm(&selinux_state, 2041 sid, isec->sid, isec->sclass, av, &ad); 2042 return rc; 2043 } 2044 2045 static inline int may_rename(struct inode *old_dir, 2046 struct dentry *old_dentry, 2047 struct inode *new_dir, 2048 struct dentry *new_dentry) 2049 { 2050 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 2051 struct common_audit_data ad; 2052 u32 sid = current_sid(); 2053 u32 av; 2054 int old_is_dir, new_is_dir; 2055 int rc; 2056 2057 old_dsec = inode_security(old_dir); 2058 old_isec = backing_inode_security(old_dentry); 2059 old_is_dir = d_is_dir(old_dentry); 2060 new_dsec = inode_security(new_dir); 2061 2062 ad.type = LSM_AUDIT_DATA_DENTRY; 2063 2064 ad.u.dentry = old_dentry; 2065 rc = avc_has_perm(&selinux_state, 2066 sid, old_dsec->sid, SECCLASS_DIR, 2067 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 2068 if (rc) 2069 return rc; 2070 rc = avc_has_perm(&selinux_state, 2071 sid, old_isec->sid, 2072 old_isec->sclass, FILE__RENAME, &ad); 2073 if (rc) 2074 return rc; 2075 if (old_is_dir && new_dir != old_dir) { 2076 rc = avc_has_perm(&selinux_state, 2077 sid, old_isec->sid, 2078 old_isec->sclass, DIR__REPARENT, &ad); 2079 if (rc) 2080 return rc; 2081 } 2082 2083 ad.u.dentry = new_dentry; 2084 av = DIR__ADD_NAME | DIR__SEARCH; 2085 if (d_is_positive(new_dentry)) 2086 av |= DIR__REMOVE_NAME; 2087 rc = avc_has_perm(&selinux_state, 2088 sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 2089 if (rc) 2090 return rc; 2091 if (d_is_positive(new_dentry)) { 2092 new_isec = backing_inode_security(new_dentry); 2093 new_is_dir = d_is_dir(new_dentry); 2094 rc = avc_has_perm(&selinux_state, 2095 sid, new_isec->sid, 2096 new_isec->sclass, 2097 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 2098 if (rc) 2099 return rc; 2100 } 2101 2102 return 0; 2103 } 2104 2105 /* Check whether a task can perform a filesystem operation. */ 2106 static int superblock_has_perm(const struct cred *cred, 2107 struct super_block *sb, 2108 u32 perms, 2109 struct common_audit_data *ad) 2110 { 2111 struct superblock_security_struct *sbsec; 2112 u32 sid = cred_sid(cred); 2113 2114 sbsec = sb->s_security; 2115 return avc_has_perm(&selinux_state, 2116 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 2117 } 2118 2119 /* Convert a Linux mode and permission mask to an access vector. */ 2120 static inline u32 file_mask_to_av(int mode, int mask) 2121 { 2122 u32 av = 0; 2123 2124 if (!S_ISDIR(mode)) { 2125 if (mask & MAY_EXEC) 2126 av |= FILE__EXECUTE; 2127 if (mask & MAY_READ) 2128 av |= FILE__READ; 2129 2130 if (mask & MAY_APPEND) 2131 av |= FILE__APPEND; 2132 else if (mask & MAY_WRITE) 2133 av |= FILE__WRITE; 2134 2135 } else { 2136 if (mask & MAY_EXEC) 2137 av |= DIR__SEARCH; 2138 if (mask & MAY_WRITE) 2139 av |= DIR__WRITE; 2140 if (mask & MAY_READ) 2141 av |= DIR__READ; 2142 } 2143 2144 return av; 2145 } 2146 2147 /* Convert a Linux file to an access vector. */ 2148 static inline u32 file_to_av(struct file *file) 2149 { 2150 u32 av = 0; 2151 2152 if (file->f_mode & FMODE_READ) 2153 av |= FILE__READ; 2154 if (file->f_mode & FMODE_WRITE) { 2155 if (file->f_flags & O_APPEND) 2156 av |= FILE__APPEND; 2157 else 2158 av |= FILE__WRITE; 2159 } 2160 if (!av) { 2161 /* 2162 * Special file opened with flags 3 for ioctl-only use. 2163 */ 2164 av = FILE__IOCTL; 2165 } 2166 2167 return av; 2168 } 2169 2170 /* 2171 * Convert a file to an access vector and include the correct open 2172 * open permission. 2173 */ 2174 static inline u32 open_file_to_av(struct file *file) 2175 { 2176 u32 av = file_to_av(file); 2177 struct inode *inode = file_inode(file); 2178 2179 if (selinux_policycap_openperm() && 2180 inode->i_sb->s_magic != SOCKFS_MAGIC) 2181 av |= FILE__OPEN; 2182 2183 return av; 2184 } 2185 2186 /* Hook functions begin here. */ 2187 2188 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2189 { 2190 u32 mysid = current_sid(); 2191 u32 mgrsid = task_sid(mgr); 2192 2193 return avc_has_perm(&selinux_state, 2194 mysid, mgrsid, SECCLASS_BINDER, 2195 BINDER__SET_CONTEXT_MGR, NULL); 2196 } 2197 2198 static int selinux_binder_transaction(struct task_struct *from, 2199 struct task_struct *to) 2200 { 2201 u32 mysid = current_sid(); 2202 u32 fromsid = task_sid(from); 2203 u32 tosid = task_sid(to); 2204 int rc; 2205 2206 if (mysid != fromsid) { 2207 rc = avc_has_perm(&selinux_state, 2208 mysid, fromsid, SECCLASS_BINDER, 2209 BINDER__IMPERSONATE, NULL); 2210 if (rc) 2211 return rc; 2212 } 2213 2214 return avc_has_perm(&selinux_state, 2215 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2216 NULL); 2217 } 2218 2219 static int selinux_binder_transfer_binder(struct task_struct *from, 2220 struct task_struct *to) 2221 { 2222 u32 fromsid = task_sid(from); 2223 u32 tosid = task_sid(to); 2224 2225 return avc_has_perm(&selinux_state, 2226 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2227 NULL); 2228 } 2229 2230 static int selinux_binder_transfer_file(struct task_struct *from, 2231 struct task_struct *to, 2232 struct file *file) 2233 { 2234 u32 sid = task_sid(to); 2235 struct file_security_struct *fsec = file->f_security; 2236 struct dentry *dentry = file->f_path.dentry; 2237 struct inode_security_struct *isec; 2238 struct common_audit_data ad; 2239 int rc; 2240 2241 ad.type = LSM_AUDIT_DATA_PATH; 2242 ad.u.path = file->f_path; 2243 2244 if (sid != fsec->sid) { 2245 rc = avc_has_perm(&selinux_state, 2246 sid, fsec->sid, 2247 SECCLASS_FD, 2248 FD__USE, 2249 &ad); 2250 if (rc) 2251 return rc; 2252 } 2253 2254 #ifdef CONFIG_BPF_SYSCALL 2255 rc = bpf_fd_pass(file, sid); 2256 if (rc) 2257 return rc; 2258 #endif 2259 2260 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2261 return 0; 2262 2263 isec = backing_inode_security(dentry); 2264 return avc_has_perm(&selinux_state, 2265 sid, isec->sid, isec->sclass, file_to_av(file), 2266 &ad); 2267 } 2268 2269 static int selinux_ptrace_access_check(struct task_struct *child, 2270 unsigned int mode) 2271 { 2272 u32 sid = current_sid(); 2273 u32 csid = task_sid(child); 2274 2275 if (mode & PTRACE_MODE_READ) 2276 return avc_has_perm(&selinux_state, 2277 sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2278 2279 return avc_has_perm(&selinux_state, 2280 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2281 } 2282 2283 static int selinux_ptrace_traceme(struct task_struct *parent) 2284 { 2285 return avc_has_perm(&selinux_state, 2286 task_sid(parent), current_sid(), SECCLASS_PROCESS, 2287 PROCESS__PTRACE, NULL); 2288 } 2289 2290 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2291 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2292 { 2293 return avc_has_perm(&selinux_state, 2294 current_sid(), task_sid(target), SECCLASS_PROCESS, 2295 PROCESS__GETCAP, NULL); 2296 } 2297 2298 static int selinux_capset(struct cred *new, const struct cred *old, 2299 const kernel_cap_t *effective, 2300 const kernel_cap_t *inheritable, 2301 const kernel_cap_t *permitted) 2302 { 2303 return avc_has_perm(&selinux_state, 2304 cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2305 PROCESS__SETCAP, NULL); 2306 } 2307 2308 /* 2309 * (This comment used to live with the selinux_task_setuid hook, 2310 * which was removed). 2311 * 2312 * Since setuid only affects the current process, and since the SELinux 2313 * controls are not based on the Linux identity attributes, SELinux does not 2314 * need to control this operation. However, SELinux does control the use of 2315 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2316 */ 2317 2318 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2319 int cap, int audit) 2320 { 2321 return cred_has_capability(cred, cap, audit, ns == &init_user_ns); 2322 } 2323 2324 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2325 { 2326 const struct cred *cred = current_cred(); 2327 int rc = 0; 2328 2329 if (!sb) 2330 return 0; 2331 2332 switch (cmds) { 2333 case Q_SYNC: 2334 case Q_QUOTAON: 2335 case Q_QUOTAOFF: 2336 case Q_SETINFO: 2337 case Q_SETQUOTA: 2338 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2339 break; 2340 case Q_GETFMT: 2341 case Q_GETINFO: 2342 case Q_GETQUOTA: 2343 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2344 break; 2345 default: 2346 rc = 0; /* let the kernel handle invalid cmds */ 2347 break; 2348 } 2349 return rc; 2350 } 2351 2352 static int selinux_quota_on(struct dentry *dentry) 2353 { 2354 const struct cred *cred = current_cred(); 2355 2356 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2357 } 2358 2359 static int selinux_syslog(int type) 2360 { 2361 switch (type) { 2362 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2363 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2364 return avc_has_perm(&selinux_state, 2365 current_sid(), SECINITSID_KERNEL, 2366 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2367 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2368 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2369 /* Set level of messages printed to console */ 2370 case SYSLOG_ACTION_CONSOLE_LEVEL: 2371 return avc_has_perm(&selinux_state, 2372 current_sid(), SECINITSID_KERNEL, 2373 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2374 NULL); 2375 } 2376 /* All other syslog types */ 2377 return avc_has_perm(&selinux_state, 2378 current_sid(), SECINITSID_KERNEL, 2379 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2380 } 2381 2382 /* 2383 * Check that a process has enough memory to allocate a new virtual 2384 * mapping. 0 means there is enough memory for the allocation to 2385 * succeed and -ENOMEM implies there is not. 2386 * 2387 * Do not audit the selinux permission check, as this is applied to all 2388 * processes that allocate mappings. 2389 */ 2390 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2391 { 2392 int rc, cap_sys_admin = 0; 2393 2394 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2395 SECURITY_CAP_NOAUDIT, true); 2396 if (rc == 0) 2397 cap_sys_admin = 1; 2398 2399 return cap_sys_admin; 2400 } 2401 2402 /* binprm security operations */ 2403 2404 static u32 ptrace_parent_sid(void) 2405 { 2406 u32 sid = 0; 2407 struct task_struct *tracer; 2408 2409 rcu_read_lock(); 2410 tracer = ptrace_parent(current); 2411 if (tracer) 2412 sid = task_sid(tracer); 2413 rcu_read_unlock(); 2414 2415 return sid; 2416 } 2417 2418 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2419 const struct task_security_struct *old_tsec, 2420 const struct task_security_struct *new_tsec) 2421 { 2422 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2423 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2424 int rc; 2425 u32 av; 2426 2427 if (!nnp && !nosuid) 2428 return 0; /* neither NNP nor nosuid */ 2429 2430 if (new_tsec->sid == old_tsec->sid) 2431 return 0; /* No change in credentials */ 2432 2433 /* 2434 * If the policy enables the nnp_nosuid_transition policy capability, 2435 * then we permit transitions under NNP or nosuid if the 2436 * policy allows the corresponding permission between 2437 * the old and new contexts. 2438 */ 2439 if (selinux_policycap_nnp_nosuid_transition()) { 2440 av = 0; 2441 if (nnp) 2442 av |= PROCESS2__NNP_TRANSITION; 2443 if (nosuid) 2444 av |= PROCESS2__NOSUID_TRANSITION; 2445 rc = avc_has_perm(&selinux_state, 2446 old_tsec->sid, new_tsec->sid, 2447 SECCLASS_PROCESS2, av, NULL); 2448 if (!rc) 2449 return 0; 2450 } 2451 2452 /* 2453 * We also permit NNP or nosuid transitions to bounded SIDs, 2454 * i.e. SIDs that are guaranteed to only be allowed a subset 2455 * of the permissions of the current SID. 2456 */ 2457 rc = security_bounded_transition(&selinux_state, old_tsec->sid, 2458 new_tsec->sid); 2459 if (!rc) 2460 return 0; 2461 2462 /* 2463 * On failure, preserve the errno values for NNP vs nosuid. 2464 * NNP: Operation not permitted for caller. 2465 * nosuid: Permission denied to file. 2466 */ 2467 if (nnp) 2468 return -EPERM; 2469 return -EACCES; 2470 } 2471 2472 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2473 { 2474 const struct task_security_struct *old_tsec; 2475 struct task_security_struct *new_tsec; 2476 struct inode_security_struct *isec; 2477 struct common_audit_data ad; 2478 struct inode *inode = file_inode(bprm->file); 2479 int rc; 2480 2481 /* SELinux context only depends on initial program or script and not 2482 * the script interpreter */ 2483 if (bprm->called_set_creds) 2484 return 0; 2485 2486 old_tsec = current_security(); 2487 new_tsec = bprm->cred->security; 2488 isec = inode_security(inode); 2489 2490 /* Default to the current task SID. */ 2491 new_tsec->sid = old_tsec->sid; 2492 new_tsec->osid = old_tsec->sid; 2493 2494 /* Reset fs, key, and sock SIDs on execve. */ 2495 new_tsec->create_sid = 0; 2496 new_tsec->keycreate_sid = 0; 2497 new_tsec->sockcreate_sid = 0; 2498 2499 if (old_tsec->exec_sid) { 2500 new_tsec->sid = old_tsec->exec_sid; 2501 /* Reset exec SID on execve. */ 2502 new_tsec->exec_sid = 0; 2503 2504 /* Fail on NNP or nosuid if not an allowed transition. */ 2505 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2506 if (rc) 2507 return rc; 2508 } else { 2509 /* Check for a default transition on this program. */ 2510 rc = security_transition_sid(&selinux_state, old_tsec->sid, 2511 isec->sid, SECCLASS_PROCESS, NULL, 2512 &new_tsec->sid); 2513 if (rc) 2514 return rc; 2515 2516 /* 2517 * Fallback to old SID on NNP or nosuid if not an allowed 2518 * transition. 2519 */ 2520 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2521 if (rc) 2522 new_tsec->sid = old_tsec->sid; 2523 } 2524 2525 ad.type = LSM_AUDIT_DATA_FILE; 2526 ad.u.file = bprm->file; 2527 2528 if (new_tsec->sid == old_tsec->sid) { 2529 rc = avc_has_perm(&selinux_state, 2530 old_tsec->sid, isec->sid, 2531 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2532 if (rc) 2533 return rc; 2534 } else { 2535 /* Check permissions for the transition. */ 2536 rc = avc_has_perm(&selinux_state, 2537 old_tsec->sid, new_tsec->sid, 2538 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2539 if (rc) 2540 return rc; 2541 2542 rc = avc_has_perm(&selinux_state, 2543 new_tsec->sid, isec->sid, 2544 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2545 if (rc) 2546 return rc; 2547 2548 /* Check for shared state */ 2549 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2550 rc = avc_has_perm(&selinux_state, 2551 old_tsec->sid, new_tsec->sid, 2552 SECCLASS_PROCESS, PROCESS__SHARE, 2553 NULL); 2554 if (rc) 2555 return -EPERM; 2556 } 2557 2558 /* Make sure that anyone attempting to ptrace over a task that 2559 * changes its SID has the appropriate permit */ 2560 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2561 u32 ptsid = ptrace_parent_sid(); 2562 if (ptsid != 0) { 2563 rc = avc_has_perm(&selinux_state, 2564 ptsid, new_tsec->sid, 2565 SECCLASS_PROCESS, 2566 PROCESS__PTRACE, NULL); 2567 if (rc) 2568 return -EPERM; 2569 } 2570 } 2571 2572 /* Clear any possibly unsafe personality bits on exec: */ 2573 bprm->per_clear |= PER_CLEAR_ON_SETID; 2574 2575 /* Enable secure mode for SIDs transitions unless 2576 the noatsecure permission is granted between 2577 the two SIDs, i.e. ahp returns 0. */ 2578 rc = avc_has_perm(&selinux_state, 2579 old_tsec->sid, new_tsec->sid, 2580 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2581 NULL); 2582 bprm->secureexec |= !!rc; 2583 } 2584 2585 return 0; 2586 } 2587 2588 static int match_file(const void *p, struct file *file, unsigned fd) 2589 { 2590 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2591 } 2592 2593 /* Derived from fs/exec.c:flush_old_files. */ 2594 static inline void flush_unauthorized_files(const struct cred *cred, 2595 struct files_struct *files) 2596 { 2597 struct file *file, *devnull = NULL; 2598 struct tty_struct *tty; 2599 int drop_tty = 0; 2600 unsigned n; 2601 2602 tty = get_current_tty(); 2603 if (tty) { 2604 spin_lock(&tty->files_lock); 2605 if (!list_empty(&tty->tty_files)) { 2606 struct tty_file_private *file_priv; 2607 2608 /* Revalidate access to controlling tty. 2609 Use file_path_has_perm on the tty path directly 2610 rather than using file_has_perm, as this particular 2611 open file may belong to another process and we are 2612 only interested in the inode-based check here. */ 2613 file_priv = list_first_entry(&tty->tty_files, 2614 struct tty_file_private, list); 2615 file = file_priv->file; 2616 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2617 drop_tty = 1; 2618 } 2619 spin_unlock(&tty->files_lock); 2620 tty_kref_put(tty); 2621 } 2622 /* Reset controlling tty. */ 2623 if (drop_tty) 2624 no_tty(); 2625 2626 /* Revalidate access to inherited open files. */ 2627 n = iterate_fd(files, 0, match_file, cred); 2628 if (!n) /* none found? */ 2629 return; 2630 2631 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2632 if (IS_ERR(devnull)) 2633 devnull = NULL; 2634 /* replace all the matching ones with this */ 2635 do { 2636 replace_fd(n - 1, devnull, 0); 2637 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2638 if (devnull) 2639 fput(devnull); 2640 } 2641 2642 /* 2643 * Prepare a process for imminent new credential changes due to exec 2644 */ 2645 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2646 { 2647 struct task_security_struct *new_tsec; 2648 struct rlimit *rlim, *initrlim; 2649 int rc, i; 2650 2651 new_tsec = bprm->cred->security; 2652 if (new_tsec->sid == new_tsec->osid) 2653 return; 2654 2655 /* Close files for which the new task SID is not authorized. */ 2656 flush_unauthorized_files(bprm->cred, current->files); 2657 2658 /* Always clear parent death signal on SID transitions. */ 2659 current->pdeath_signal = 0; 2660 2661 /* Check whether the new SID can inherit resource limits from the old 2662 * SID. If not, reset all soft limits to the lower of the current 2663 * task's hard limit and the init task's soft limit. 2664 * 2665 * Note that the setting of hard limits (even to lower them) can be 2666 * controlled by the setrlimit check. The inclusion of the init task's 2667 * soft limit into the computation is to avoid resetting soft limits 2668 * higher than the default soft limit for cases where the default is 2669 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2670 */ 2671 rc = avc_has_perm(&selinux_state, 2672 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2673 PROCESS__RLIMITINH, NULL); 2674 if (rc) { 2675 /* protect against do_prlimit() */ 2676 task_lock(current); 2677 for (i = 0; i < RLIM_NLIMITS; i++) { 2678 rlim = current->signal->rlim + i; 2679 initrlim = init_task.signal->rlim + i; 2680 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2681 } 2682 task_unlock(current); 2683 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2684 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2685 } 2686 } 2687 2688 /* 2689 * Clean up the process immediately after the installation of new credentials 2690 * due to exec 2691 */ 2692 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2693 { 2694 const struct task_security_struct *tsec = current_security(); 2695 struct itimerval itimer; 2696 u32 osid, sid; 2697 int rc, i; 2698 2699 osid = tsec->osid; 2700 sid = tsec->sid; 2701 2702 if (sid == osid) 2703 return; 2704 2705 /* Check whether the new SID can inherit signal state from the old SID. 2706 * If not, clear itimers to avoid subsequent signal generation and 2707 * flush and unblock signals. 2708 * 2709 * This must occur _after_ the task SID has been updated so that any 2710 * kill done after the flush will be checked against the new SID. 2711 */ 2712 rc = avc_has_perm(&selinux_state, 2713 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2714 if (rc) { 2715 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2716 memset(&itimer, 0, sizeof itimer); 2717 for (i = 0; i < 3; i++) 2718 do_setitimer(i, &itimer, NULL); 2719 } 2720 spin_lock_irq(¤t->sighand->siglock); 2721 if (!fatal_signal_pending(current)) { 2722 flush_sigqueue(¤t->pending); 2723 flush_sigqueue(¤t->signal->shared_pending); 2724 flush_signal_handlers(current, 1); 2725 sigemptyset(¤t->blocked); 2726 recalc_sigpending(); 2727 } 2728 spin_unlock_irq(¤t->sighand->siglock); 2729 } 2730 2731 /* Wake up the parent if it is waiting so that it can recheck 2732 * wait permission to the new task SID. */ 2733 read_lock(&tasklist_lock); 2734 __wake_up_parent(current, current->real_parent); 2735 read_unlock(&tasklist_lock); 2736 } 2737 2738 /* superblock security operations */ 2739 2740 static int selinux_sb_alloc_security(struct super_block *sb) 2741 { 2742 return superblock_alloc_security(sb); 2743 } 2744 2745 static void selinux_sb_free_security(struct super_block *sb) 2746 { 2747 superblock_free_security(sb); 2748 } 2749 2750 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2751 { 2752 if (plen > olen) 2753 return 0; 2754 2755 return !memcmp(prefix, option, plen); 2756 } 2757 2758 static inline int selinux_option(char *option, int len) 2759 { 2760 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2761 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2762 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2763 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || 2764 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); 2765 } 2766 2767 static inline void take_option(char **to, char *from, int *first, int len) 2768 { 2769 if (!*first) { 2770 **to = ','; 2771 *to += 1; 2772 } else 2773 *first = 0; 2774 memcpy(*to, from, len); 2775 *to += len; 2776 } 2777 2778 static inline void take_selinux_option(char **to, char *from, int *first, 2779 int len) 2780 { 2781 int current_size = 0; 2782 2783 if (!*first) { 2784 **to = '|'; 2785 *to += 1; 2786 } else 2787 *first = 0; 2788 2789 while (current_size < len) { 2790 if (*from != '"') { 2791 **to = *from; 2792 *to += 1; 2793 } 2794 from += 1; 2795 current_size += 1; 2796 } 2797 } 2798 2799 static int selinux_sb_copy_data(char *orig, char *copy) 2800 { 2801 int fnosec, fsec, rc = 0; 2802 char *in_save, *in_curr, *in_end; 2803 char *sec_curr, *nosec_save, *nosec; 2804 int open_quote = 0; 2805 2806 in_curr = orig; 2807 sec_curr = copy; 2808 2809 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2810 if (!nosec) { 2811 rc = -ENOMEM; 2812 goto out; 2813 } 2814 2815 nosec_save = nosec; 2816 fnosec = fsec = 1; 2817 in_save = in_end = orig; 2818 2819 do { 2820 if (*in_end == '"') 2821 open_quote = !open_quote; 2822 if ((*in_end == ',' && open_quote == 0) || 2823 *in_end == '\0') { 2824 int len = in_end - in_curr; 2825 2826 if (selinux_option(in_curr, len)) 2827 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2828 else 2829 take_option(&nosec, in_curr, &fnosec, len); 2830 2831 in_curr = in_end + 1; 2832 } 2833 } while (*in_end++); 2834 2835 strcpy(in_save, nosec_save); 2836 free_page((unsigned long)nosec_save); 2837 out: 2838 return rc; 2839 } 2840 2841 static int selinux_sb_remount(struct super_block *sb, void *data) 2842 { 2843 int rc, i, *flags; 2844 struct security_mnt_opts opts; 2845 char *secdata, **mount_options; 2846 struct superblock_security_struct *sbsec = sb->s_security; 2847 2848 if (!(sbsec->flags & SE_SBINITIALIZED)) 2849 return 0; 2850 2851 if (!data) 2852 return 0; 2853 2854 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 2855 return 0; 2856 2857 security_init_mnt_opts(&opts); 2858 secdata = alloc_secdata(); 2859 if (!secdata) 2860 return -ENOMEM; 2861 rc = selinux_sb_copy_data(data, secdata); 2862 if (rc) 2863 goto out_free_secdata; 2864 2865 rc = selinux_parse_opts_str(secdata, &opts); 2866 if (rc) 2867 goto out_free_secdata; 2868 2869 mount_options = opts.mnt_opts; 2870 flags = opts.mnt_opts_flags; 2871 2872 for (i = 0; i < opts.num_mnt_opts; i++) { 2873 u32 sid; 2874 2875 if (flags[i] == SBLABEL_MNT) 2876 continue; 2877 rc = security_context_str_to_sid(&selinux_state, 2878 mount_options[i], &sid, 2879 GFP_KERNEL); 2880 if (rc) { 2881 pr_warn("SELinux: security_context_str_to_sid" 2882 "(%s) failed for (dev %s, type %s) errno=%d\n", 2883 mount_options[i], sb->s_id, sb->s_type->name, rc); 2884 goto out_free_opts; 2885 } 2886 rc = -EINVAL; 2887 switch (flags[i]) { 2888 case FSCONTEXT_MNT: 2889 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2890 goto out_bad_option; 2891 break; 2892 case CONTEXT_MNT: 2893 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2894 goto out_bad_option; 2895 break; 2896 case ROOTCONTEXT_MNT: { 2897 struct inode_security_struct *root_isec; 2898 root_isec = backing_inode_security(sb->s_root); 2899 2900 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2901 goto out_bad_option; 2902 break; 2903 } 2904 case DEFCONTEXT_MNT: 2905 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2906 goto out_bad_option; 2907 break; 2908 default: 2909 goto out_free_opts; 2910 } 2911 } 2912 2913 rc = 0; 2914 out_free_opts: 2915 security_free_mnt_opts(&opts); 2916 out_free_secdata: 2917 free_secdata(secdata); 2918 return rc; 2919 out_bad_option: 2920 pr_warn("SELinux: unable to change security options " 2921 "during remount (dev %s, type=%s)\n", sb->s_id, 2922 sb->s_type->name); 2923 goto out_free_opts; 2924 } 2925 2926 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2927 { 2928 const struct cred *cred = current_cred(); 2929 struct common_audit_data ad; 2930 int rc; 2931 2932 rc = superblock_doinit(sb, data); 2933 if (rc) 2934 return rc; 2935 2936 /* Allow all mounts performed by the kernel */ 2937 if (flags & MS_KERNMOUNT) 2938 return 0; 2939 2940 ad.type = LSM_AUDIT_DATA_DENTRY; 2941 ad.u.dentry = sb->s_root; 2942 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2943 } 2944 2945 static int selinux_sb_statfs(struct dentry *dentry) 2946 { 2947 const struct cred *cred = current_cred(); 2948 struct common_audit_data ad; 2949 2950 ad.type = LSM_AUDIT_DATA_DENTRY; 2951 ad.u.dentry = dentry->d_sb->s_root; 2952 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2953 } 2954 2955 static int selinux_mount(const char *dev_name, 2956 const struct path *path, 2957 const char *type, 2958 unsigned long flags, 2959 void *data) 2960 { 2961 const struct cred *cred = current_cred(); 2962 2963 if (flags & MS_REMOUNT) 2964 return superblock_has_perm(cred, path->dentry->d_sb, 2965 FILESYSTEM__REMOUNT, NULL); 2966 else 2967 return path_has_perm(cred, path, FILE__MOUNTON); 2968 } 2969 2970 static int selinux_umount(struct vfsmount *mnt, int flags) 2971 { 2972 const struct cred *cred = current_cred(); 2973 2974 return superblock_has_perm(cred, mnt->mnt_sb, 2975 FILESYSTEM__UNMOUNT, NULL); 2976 } 2977 2978 /* inode security operations */ 2979 2980 static int selinux_inode_alloc_security(struct inode *inode) 2981 { 2982 return inode_alloc_security(inode); 2983 } 2984 2985 static void selinux_inode_free_security(struct inode *inode) 2986 { 2987 inode_free_security(inode); 2988 } 2989 2990 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2991 const struct qstr *name, void **ctx, 2992 u32 *ctxlen) 2993 { 2994 u32 newsid; 2995 int rc; 2996 2997 rc = selinux_determine_inode_label(current_security(), 2998 d_inode(dentry->d_parent), name, 2999 inode_mode_to_security_class(mode), 3000 &newsid); 3001 if (rc) 3002 return rc; 3003 3004 return security_sid_to_context(&selinux_state, newsid, (char **)ctx, 3005 ctxlen); 3006 } 3007 3008 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 3009 struct qstr *name, 3010 const struct cred *old, 3011 struct cred *new) 3012 { 3013 u32 newsid; 3014 int rc; 3015 struct task_security_struct *tsec; 3016 3017 rc = selinux_determine_inode_label(old->security, 3018 d_inode(dentry->d_parent), name, 3019 inode_mode_to_security_class(mode), 3020 &newsid); 3021 if (rc) 3022 return rc; 3023 3024 tsec = new->security; 3025 tsec->create_sid = newsid; 3026 return 0; 3027 } 3028 3029 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 3030 const struct qstr *qstr, 3031 const char **name, 3032 void **value, size_t *len) 3033 { 3034 const struct task_security_struct *tsec = current_security(); 3035 struct superblock_security_struct *sbsec; 3036 u32 newsid, clen; 3037 int rc; 3038 char *context; 3039 3040 sbsec = dir->i_sb->s_security; 3041 3042 newsid = tsec->create_sid; 3043 3044 rc = selinux_determine_inode_label(current_security(), 3045 dir, qstr, 3046 inode_mode_to_security_class(inode->i_mode), 3047 &newsid); 3048 if (rc) 3049 return rc; 3050 3051 /* Possibly defer initialization to selinux_complete_init. */ 3052 if (sbsec->flags & SE_SBINITIALIZED) { 3053 struct inode_security_struct *isec = inode->i_security; 3054 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3055 isec->sid = newsid; 3056 isec->initialized = LABEL_INITIALIZED; 3057 } 3058 3059 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT)) 3060 return -EOPNOTSUPP; 3061 3062 if (name) 3063 *name = XATTR_SELINUX_SUFFIX; 3064 3065 if (value && len) { 3066 rc = security_sid_to_context_force(&selinux_state, newsid, 3067 &context, &clen); 3068 if (rc) 3069 return rc; 3070 *value = context; 3071 *len = clen; 3072 } 3073 3074 return 0; 3075 } 3076 3077 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 3078 { 3079 return may_create(dir, dentry, SECCLASS_FILE); 3080 } 3081 3082 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 3083 { 3084 return may_link(dir, old_dentry, MAY_LINK); 3085 } 3086 3087 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 3088 { 3089 return may_link(dir, dentry, MAY_UNLINK); 3090 } 3091 3092 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 3093 { 3094 return may_create(dir, dentry, SECCLASS_LNK_FILE); 3095 } 3096 3097 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 3098 { 3099 return may_create(dir, dentry, SECCLASS_DIR); 3100 } 3101 3102 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 3103 { 3104 return may_link(dir, dentry, MAY_RMDIR); 3105 } 3106 3107 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 3108 { 3109 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 3110 } 3111 3112 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3113 struct inode *new_inode, struct dentry *new_dentry) 3114 { 3115 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3116 } 3117 3118 static int selinux_inode_readlink(struct dentry *dentry) 3119 { 3120 const struct cred *cred = current_cred(); 3121 3122 return dentry_has_perm(cred, dentry, FILE__READ); 3123 } 3124 3125 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3126 bool rcu) 3127 { 3128 const struct cred *cred = current_cred(); 3129 struct common_audit_data ad; 3130 struct inode_security_struct *isec; 3131 u32 sid; 3132 3133 validate_creds(cred); 3134 3135 ad.type = LSM_AUDIT_DATA_DENTRY; 3136 ad.u.dentry = dentry; 3137 sid = cred_sid(cred); 3138 isec = inode_security_rcu(inode, rcu); 3139 if (IS_ERR(isec)) 3140 return PTR_ERR(isec); 3141 3142 return avc_has_perm_flags(&selinux_state, 3143 sid, isec->sid, isec->sclass, FILE__READ, &ad, 3144 rcu ? MAY_NOT_BLOCK : 0); 3145 } 3146 3147 static noinline int audit_inode_permission(struct inode *inode, 3148 u32 perms, u32 audited, u32 denied, 3149 int result, 3150 unsigned flags) 3151 { 3152 struct common_audit_data ad; 3153 struct inode_security_struct *isec = inode->i_security; 3154 int rc; 3155 3156 ad.type = LSM_AUDIT_DATA_INODE; 3157 ad.u.inode = inode; 3158 3159 rc = slow_avc_audit(&selinux_state, 3160 current_sid(), isec->sid, isec->sclass, perms, 3161 audited, denied, result, &ad, flags); 3162 if (rc) 3163 return rc; 3164 return 0; 3165 } 3166 3167 static int selinux_inode_permission(struct inode *inode, int mask) 3168 { 3169 const struct cred *cred = current_cred(); 3170 u32 perms; 3171 bool from_access; 3172 unsigned flags = mask & MAY_NOT_BLOCK; 3173 struct inode_security_struct *isec; 3174 u32 sid; 3175 struct av_decision avd; 3176 int rc, rc2; 3177 u32 audited, denied; 3178 3179 from_access = mask & MAY_ACCESS; 3180 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3181 3182 /* No permission to check. Existence test. */ 3183 if (!mask) 3184 return 0; 3185 3186 validate_creds(cred); 3187 3188 if (unlikely(IS_PRIVATE(inode))) 3189 return 0; 3190 3191 perms = file_mask_to_av(inode->i_mode, mask); 3192 3193 sid = cred_sid(cred); 3194 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK); 3195 if (IS_ERR(isec)) 3196 return PTR_ERR(isec); 3197 3198 rc = avc_has_perm_noaudit(&selinux_state, 3199 sid, isec->sid, isec->sclass, perms, 0, &avd); 3200 audited = avc_audit_required(perms, &avd, rc, 3201 from_access ? FILE__AUDIT_ACCESS : 0, 3202 &denied); 3203 if (likely(!audited)) 3204 return rc; 3205 3206 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); 3207 if (rc2) 3208 return rc2; 3209 return rc; 3210 } 3211 3212 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3213 { 3214 const struct cred *cred = current_cred(); 3215 struct inode *inode = d_backing_inode(dentry); 3216 unsigned int ia_valid = iattr->ia_valid; 3217 __u32 av = FILE__WRITE; 3218 3219 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3220 if (ia_valid & ATTR_FORCE) { 3221 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3222 ATTR_FORCE); 3223 if (!ia_valid) 3224 return 0; 3225 } 3226 3227 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3228 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3229 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3230 3231 if (selinux_policycap_openperm() && 3232 inode->i_sb->s_magic != SOCKFS_MAGIC && 3233 (ia_valid & ATTR_SIZE) && 3234 !(ia_valid & ATTR_FILE)) 3235 av |= FILE__OPEN; 3236 3237 return dentry_has_perm(cred, dentry, av); 3238 } 3239 3240 static int selinux_inode_getattr(const struct path *path) 3241 { 3242 return path_has_perm(current_cred(), path, FILE__GETATTR); 3243 } 3244 3245 static bool has_cap_mac_admin(bool audit) 3246 { 3247 const struct cred *cred = current_cred(); 3248 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT; 3249 3250 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit)) 3251 return false; 3252 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true)) 3253 return false; 3254 return true; 3255 } 3256 3257 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3258 const void *value, size_t size, int flags) 3259 { 3260 struct inode *inode = d_backing_inode(dentry); 3261 struct inode_security_struct *isec; 3262 struct superblock_security_struct *sbsec; 3263 struct common_audit_data ad; 3264 u32 newsid, sid = current_sid(); 3265 int rc = 0; 3266 3267 if (strcmp(name, XATTR_NAME_SELINUX)) { 3268 rc = cap_inode_setxattr(dentry, name, value, size, flags); 3269 if (rc) 3270 return rc; 3271 3272 /* Not an attribute we recognize, so just check the 3273 ordinary setattr permission. */ 3274 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3275 } 3276 3277 sbsec = inode->i_sb->s_security; 3278 if (!(sbsec->flags & SBLABEL_MNT)) 3279 return -EOPNOTSUPP; 3280 3281 if (!inode_owner_or_capable(inode)) 3282 return -EPERM; 3283 3284 ad.type = LSM_AUDIT_DATA_DENTRY; 3285 ad.u.dentry = dentry; 3286 3287 isec = backing_inode_security(dentry); 3288 rc = avc_has_perm(&selinux_state, 3289 sid, isec->sid, isec->sclass, 3290 FILE__RELABELFROM, &ad); 3291 if (rc) 3292 return rc; 3293 3294 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3295 GFP_KERNEL); 3296 if (rc == -EINVAL) { 3297 if (!has_cap_mac_admin(true)) { 3298 struct audit_buffer *ab; 3299 size_t audit_size; 3300 3301 /* We strip a nul only if it is at the end, otherwise the 3302 * context contains a nul and we should audit that */ 3303 if (value) { 3304 const char *str = value; 3305 3306 if (str[size - 1] == '\0') 3307 audit_size = size - 1; 3308 else 3309 audit_size = size; 3310 } else { 3311 audit_size = 0; 3312 } 3313 ab = audit_log_start(audit_context(), 3314 GFP_ATOMIC, AUDIT_SELINUX_ERR); 3315 audit_log_format(ab, "op=setxattr invalid_context="); 3316 audit_log_n_untrustedstring(ab, value, audit_size); 3317 audit_log_end(ab); 3318 3319 return rc; 3320 } 3321 rc = security_context_to_sid_force(&selinux_state, value, 3322 size, &newsid); 3323 } 3324 if (rc) 3325 return rc; 3326 3327 rc = avc_has_perm(&selinux_state, 3328 sid, newsid, isec->sclass, 3329 FILE__RELABELTO, &ad); 3330 if (rc) 3331 return rc; 3332 3333 rc = security_validate_transition(&selinux_state, isec->sid, newsid, 3334 sid, isec->sclass); 3335 if (rc) 3336 return rc; 3337 3338 return avc_has_perm(&selinux_state, 3339 newsid, 3340 sbsec->sid, 3341 SECCLASS_FILESYSTEM, 3342 FILESYSTEM__ASSOCIATE, 3343 &ad); 3344 } 3345 3346 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3347 const void *value, size_t size, 3348 int flags) 3349 { 3350 struct inode *inode = d_backing_inode(dentry); 3351 struct inode_security_struct *isec; 3352 u32 newsid; 3353 int rc; 3354 3355 if (strcmp(name, XATTR_NAME_SELINUX)) { 3356 /* Not an attribute we recognize, so nothing to do. */ 3357 return; 3358 } 3359 3360 rc = security_context_to_sid_force(&selinux_state, value, size, 3361 &newsid); 3362 if (rc) { 3363 pr_err("SELinux: unable to map context to SID" 3364 "for (%s, %lu), rc=%d\n", 3365 inode->i_sb->s_id, inode->i_ino, -rc); 3366 return; 3367 } 3368 3369 isec = backing_inode_security(dentry); 3370 spin_lock(&isec->lock); 3371 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3372 isec->sid = newsid; 3373 isec->initialized = LABEL_INITIALIZED; 3374 spin_unlock(&isec->lock); 3375 3376 return; 3377 } 3378 3379 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3380 { 3381 const struct cred *cred = current_cred(); 3382 3383 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3384 } 3385 3386 static int selinux_inode_listxattr(struct dentry *dentry) 3387 { 3388 const struct cred *cred = current_cred(); 3389 3390 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3391 } 3392 3393 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3394 { 3395 if (strcmp(name, XATTR_NAME_SELINUX)) { 3396 int rc = cap_inode_removexattr(dentry, name); 3397 if (rc) 3398 return rc; 3399 3400 /* Not an attribute we recognize, so just check the 3401 ordinary setattr permission. */ 3402 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3403 } 3404 3405 /* No one is allowed to remove a SELinux security label. 3406 You can change the label, but all data must be labeled. */ 3407 return -EACCES; 3408 } 3409 3410 /* 3411 * Copy the inode security context value to the user. 3412 * 3413 * Permission check is handled by selinux_inode_getxattr hook. 3414 */ 3415 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3416 { 3417 u32 size; 3418 int error; 3419 char *context = NULL; 3420 struct inode_security_struct *isec; 3421 3422 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3423 return -EOPNOTSUPP; 3424 3425 /* 3426 * If the caller has CAP_MAC_ADMIN, then get the raw context 3427 * value even if it is not defined by current policy; otherwise, 3428 * use the in-core value under current policy. 3429 * Use the non-auditing forms of the permission checks since 3430 * getxattr may be called by unprivileged processes commonly 3431 * and lack of permission just means that we fall back to the 3432 * in-core context value, not a denial. 3433 */ 3434 isec = inode_security(inode); 3435 if (has_cap_mac_admin(false)) 3436 error = security_sid_to_context_force(&selinux_state, 3437 isec->sid, &context, 3438 &size); 3439 else 3440 error = security_sid_to_context(&selinux_state, isec->sid, 3441 &context, &size); 3442 if (error) 3443 return error; 3444 error = size; 3445 if (alloc) { 3446 *buffer = context; 3447 goto out_nofree; 3448 } 3449 kfree(context); 3450 out_nofree: 3451 return error; 3452 } 3453 3454 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3455 const void *value, size_t size, int flags) 3456 { 3457 struct inode_security_struct *isec = inode_security_novalidate(inode); 3458 u32 newsid; 3459 int rc; 3460 3461 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3462 return -EOPNOTSUPP; 3463 3464 if (!value || !size) 3465 return -EACCES; 3466 3467 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3468 GFP_KERNEL); 3469 if (rc) 3470 return rc; 3471 3472 spin_lock(&isec->lock); 3473 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3474 isec->sid = newsid; 3475 isec->initialized = LABEL_INITIALIZED; 3476 spin_unlock(&isec->lock); 3477 return 0; 3478 } 3479 3480 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3481 { 3482 const int len = sizeof(XATTR_NAME_SELINUX); 3483 if (buffer && len <= buffer_size) 3484 memcpy(buffer, XATTR_NAME_SELINUX, len); 3485 return len; 3486 } 3487 3488 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3489 { 3490 struct inode_security_struct *isec = inode_security_novalidate(inode); 3491 *secid = isec->sid; 3492 } 3493 3494 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3495 { 3496 u32 sid; 3497 struct task_security_struct *tsec; 3498 struct cred *new_creds = *new; 3499 3500 if (new_creds == NULL) { 3501 new_creds = prepare_creds(); 3502 if (!new_creds) 3503 return -ENOMEM; 3504 } 3505 3506 tsec = new_creds->security; 3507 /* Get label from overlay inode and set it in create_sid */ 3508 selinux_inode_getsecid(d_inode(src), &sid); 3509 tsec->create_sid = sid; 3510 *new = new_creds; 3511 return 0; 3512 } 3513 3514 static int selinux_inode_copy_up_xattr(const char *name) 3515 { 3516 /* The copy_up hook above sets the initial context on an inode, but we 3517 * don't then want to overwrite it by blindly copying all the lower 3518 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3519 */ 3520 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3521 return 1; /* Discard */ 3522 /* 3523 * Any other attribute apart from SELINUX is not claimed, supported 3524 * by selinux. 3525 */ 3526 return -EOPNOTSUPP; 3527 } 3528 3529 /* file security operations */ 3530 3531 static int selinux_revalidate_file_permission(struct file *file, int mask) 3532 { 3533 const struct cred *cred = current_cred(); 3534 struct inode *inode = file_inode(file); 3535 3536 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3537 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3538 mask |= MAY_APPEND; 3539 3540 return file_has_perm(cred, file, 3541 file_mask_to_av(inode->i_mode, mask)); 3542 } 3543 3544 static int selinux_file_permission(struct file *file, int mask) 3545 { 3546 struct inode *inode = file_inode(file); 3547 struct file_security_struct *fsec = file->f_security; 3548 struct inode_security_struct *isec; 3549 u32 sid = current_sid(); 3550 3551 if (!mask) 3552 /* No permission to check. Existence test. */ 3553 return 0; 3554 3555 isec = inode_security(inode); 3556 if (sid == fsec->sid && fsec->isid == isec->sid && 3557 fsec->pseqno == avc_policy_seqno(&selinux_state)) 3558 /* No change since file_open check. */ 3559 return 0; 3560 3561 return selinux_revalidate_file_permission(file, mask); 3562 } 3563 3564 static int selinux_file_alloc_security(struct file *file) 3565 { 3566 return file_alloc_security(file); 3567 } 3568 3569 static void selinux_file_free_security(struct file *file) 3570 { 3571 file_free_security(file); 3572 } 3573 3574 /* 3575 * Check whether a task has the ioctl permission and cmd 3576 * operation to an inode. 3577 */ 3578 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3579 u32 requested, u16 cmd) 3580 { 3581 struct common_audit_data ad; 3582 struct file_security_struct *fsec = file->f_security; 3583 struct inode *inode = file_inode(file); 3584 struct inode_security_struct *isec; 3585 struct lsm_ioctlop_audit ioctl; 3586 u32 ssid = cred_sid(cred); 3587 int rc; 3588 u8 driver = cmd >> 8; 3589 u8 xperm = cmd & 0xff; 3590 3591 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3592 ad.u.op = &ioctl; 3593 ad.u.op->cmd = cmd; 3594 ad.u.op->path = file->f_path; 3595 3596 if (ssid != fsec->sid) { 3597 rc = avc_has_perm(&selinux_state, 3598 ssid, fsec->sid, 3599 SECCLASS_FD, 3600 FD__USE, 3601 &ad); 3602 if (rc) 3603 goto out; 3604 } 3605 3606 if (unlikely(IS_PRIVATE(inode))) 3607 return 0; 3608 3609 isec = inode_security(inode); 3610 rc = avc_has_extended_perms(&selinux_state, 3611 ssid, isec->sid, isec->sclass, 3612 requested, driver, xperm, &ad); 3613 out: 3614 return rc; 3615 } 3616 3617 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3618 unsigned long arg) 3619 { 3620 const struct cred *cred = current_cred(); 3621 int error = 0; 3622 3623 switch (cmd) { 3624 case FIONREAD: 3625 /* fall through */ 3626 case FIBMAP: 3627 /* fall through */ 3628 case FIGETBSZ: 3629 /* fall through */ 3630 case FS_IOC_GETFLAGS: 3631 /* fall through */ 3632 case FS_IOC_GETVERSION: 3633 error = file_has_perm(cred, file, FILE__GETATTR); 3634 break; 3635 3636 case FS_IOC_SETFLAGS: 3637 /* fall through */ 3638 case FS_IOC_SETVERSION: 3639 error = file_has_perm(cred, file, FILE__SETATTR); 3640 break; 3641 3642 /* sys_ioctl() checks */ 3643 case FIONBIO: 3644 /* fall through */ 3645 case FIOASYNC: 3646 error = file_has_perm(cred, file, 0); 3647 break; 3648 3649 case KDSKBENT: 3650 case KDSKBSENT: 3651 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3652 SECURITY_CAP_AUDIT, true); 3653 break; 3654 3655 /* default case assumes that the command will go 3656 * to the file's ioctl() function. 3657 */ 3658 default: 3659 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3660 } 3661 return error; 3662 } 3663 3664 static int default_noexec; 3665 3666 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3667 { 3668 const struct cred *cred = current_cred(); 3669 u32 sid = cred_sid(cred); 3670 int rc = 0; 3671 3672 if (default_noexec && 3673 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3674 (!shared && (prot & PROT_WRITE)))) { 3675 /* 3676 * We are making executable an anonymous mapping or a 3677 * private file mapping that will also be writable. 3678 * This has an additional check. 3679 */ 3680 rc = avc_has_perm(&selinux_state, 3681 sid, sid, SECCLASS_PROCESS, 3682 PROCESS__EXECMEM, NULL); 3683 if (rc) 3684 goto error; 3685 } 3686 3687 if (file) { 3688 /* read access is always possible with a mapping */ 3689 u32 av = FILE__READ; 3690 3691 /* write access only matters if the mapping is shared */ 3692 if (shared && (prot & PROT_WRITE)) 3693 av |= FILE__WRITE; 3694 3695 if (prot & PROT_EXEC) 3696 av |= FILE__EXECUTE; 3697 3698 return file_has_perm(cred, file, av); 3699 } 3700 3701 error: 3702 return rc; 3703 } 3704 3705 static int selinux_mmap_addr(unsigned long addr) 3706 { 3707 int rc = 0; 3708 3709 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3710 u32 sid = current_sid(); 3711 rc = avc_has_perm(&selinux_state, 3712 sid, sid, SECCLASS_MEMPROTECT, 3713 MEMPROTECT__MMAP_ZERO, NULL); 3714 } 3715 3716 return rc; 3717 } 3718 3719 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3720 unsigned long prot, unsigned long flags) 3721 { 3722 struct common_audit_data ad; 3723 int rc; 3724 3725 if (file) { 3726 ad.type = LSM_AUDIT_DATA_FILE; 3727 ad.u.file = file; 3728 rc = inode_has_perm(current_cred(), file_inode(file), 3729 FILE__MAP, &ad); 3730 if (rc) 3731 return rc; 3732 } 3733 3734 if (selinux_state.checkreqprot) 3735 prot = reqprot; 3736 3737 return file_map_prot_check(file, prot, 3738 (flags & MAP_TYPE) == MAP_SHARED); 3739 } 3740 3741 static int selinux_file_mprotect(struct vm_area_struct *vma, 3742 unsigned long reqprot, 3743 unsigned long prot) 3744 { 3745 const struct cred *cred = current_cred(); 3746 u32 sid = cred_sid(cred); 3747 3748 if (selinux_state.checkreqprot) 3749 prot = reqprot; 3750 3751 if (default_noexec && 3752 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3753 int rc = 0; 3754 if (vma->vm_start >= vma->vm_mm->start_brk && 3755 vma->vm_end <= vma->vm_mm->brk) { 3756 rc = avc_has_perm(&selinux_state, 3757 sid, sid, SECCLASS_PROCESS, 3758 PROCESS__EXECHEAP, NULL); 3759 } else if (!vma->vm_file && 3760 ((vma->vm_start <= vma->vm_mm->start_stack && 3761 vma->vm_end >= vma->vm_mm->start_stack) || 3762 vma_is_stack_for_current(vma))) { 3763 rc = avc_has_perm(&selinux_state, 3764 sid, sid, SECCLASS_PROCESS, 3765 PROCESS__EXECSTACK, NULL); 3766 } else if (vma->vm_file && vma->anon_vma) { 3767 /* 3768 * We are making executable a file mapping that has 3769 * had some COW done. Since pages might have been 3770 * written, check ability to execute the possibly 3771 * modified content. This typically should only 3772 * occur for text relocations. 3773 */ 3774 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3775 } 3776 if (rc) 3777 return rc; 3778 } 3779 3780 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3781 } 3782 3783 static int selinux_file_lock(struct file *file, unsigned int cmd) 3784 { 3785 const struct cred *cred = current_cred(); 3786 3787 return file_has_perm(cred, file, FILE__LOCK); 3788 } 3789 3790 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3791 unsigned long arg) 3792 { 3793 const struct cred *cred = current_cred(); 3794 int err = 0; 3795 3796 switch (cmd) { 3797 case F_SETFL: 3798 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3799 err = file_has_perm(cred, file, FILE__WRITE); 3800 break; 3801 } 3802 /* fall through */ 3803 case F_SETOWN: 3804 case F_SETSIG: 3805 case F_GETFL: 3806 case F_GETOWN: 3807 case F_GETSIG: 3808 case F_GETOWNER_UIDS: 3809 /* Just check FD__USE permission */ 3810 err = file_has_perm(cred, file, 0); 3811 break; 3812 case F_GETLK: 3813 case F_SETLK: 3814 case F_SETLKW: 3815 case F_OFD_GETLK: 3816 case F_OFD_SETLK: 3817 case F_OFD_SETLKW: 3818 #if BITS_PER_LONG == 32 3819 case F_GETLK64: 3820 case F_SETLK64: 3821 case F_SETLKW64: 3822 #endif 3823 err = file_has_perm(cred, file, FILE__LOCK); 3824 break; 3825 } 3826 3827 return err; 3828 } 3829 3830 static void selinux_file_set_fowner(struct file *file) 3831 { 3832 struct file_security_struct *fsec; 3833 3834 fsec = file->f_security; 3835 fsec->fown_sid = current_sid(); 3836 } 3837 3838 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3839 struct fown_struct *fown, int signum) 3840 { 3841 struct file *file; 3842 u32 sid = task_sid(tsk); 3843 u32 perm; 3844 struct file_security_struct *fsec; 3845 3846 /* struct fown_struct is never outside the context of a struct file */ 3847 file = container_of(fown, struct file, f_owner); 3848 3849 fsec = file->f_security; 3850 3851 if (!signum) 3852 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3853 else 3854 perm = signal_to_av(signum); 3855 3856 return avc_has_perm(&selinux_state, 3857 fsec->fown_sid, sid, 3858 SECCLASS_PROCESS, perm, NULL); 3859 } 3860 3861 static int selinux_file_receive(struct file *file) 3862 { 3863 const struct cred *cred = current_cred(); 3864 3865 return file_has_perm(cred, file, file_to_av(file)); 3866 } 3867 3868 static int selinux_file_open(struct file *file) 3869 { 3870 struct file_security_struct *fsec; 3871 struct inode_security_struct *isec; 3872 3873 fsec = file->f_security; 3874 isec = inode_security(file_inode(file)); 3875 /* 3876 * Save inode label and policy sequence number 3877 * at open-time so that selinux_file_permission 3878 * can determine whether revalidation is necessary. 3879 * Task label is already saved in the file security 3880 * struct as its SID. 3881 */ 3882 fsec->isid = isec->sid; 3883 fsec->pseqno = avc_policy_seqno(&selinux_state); 3884 /* 3885 * Since the inode label or policy seqno may have changed 3886 * between the selinux_inode_permission check and the saving 3887 * of state above, recheck that access is still permitted. 3888 * Otherwise, access might never be revalidated against the 3889 * new inode label or new policy. 3890 * This check is not redundant - do not remove. 3891 */ 3892 return file_path_has_perm(file->f_cred, file, open_file_to_av(file)); 3893 } 3894 3895 /* task security operations */ 3896 3897 static int selinux_task_alloc(struct task_struct *task, 3898 unsigned long clone_flags) 3899 { 3900 u32 sid = current_sid(); 3901 3902 return avc_has_perm(&selinux_state, 3903 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3904 } 3905 3906 /* 3907 * allocate the SELinux part of blank credentials 3908 */ 3909 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3910 { 3911 struct task_security_struct *tsec; 3912 3913 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3914 if (!tsec) 3915 return -ENOMEM; 3916 3917 cred->security = tsec; 3918 return 0; 3919 } 3920 3921 /* 3922 * detach and free the LSM part of a set of credentials 3923 */ 3924 static void selinux_cred_free(struct cred *cred) 3925 { 3926 struct task_security_struct *tsec = cred->security; 3927 3928 /* 3929 * cred->security == NULL if security_cred_alloc_blank() or 3930 * security_prepare_creds() returned an error. 3931 */ 3932 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); 3933 cred->security = (void *) 0x7UL; 3934 kfree(tsec); 3935 } 3936 3937 /* 3938 * prepare a new set of credentials for modification 3939 */ 3940 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3941 gfp_t gfp) 3942 { 3943 const struct task_security_struct *old_tsec; 3944 struct task_security_struct *tsec; 3945 3946 old_tsec = old->security; 3947 3948 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3949 if (!tsec) 3950 return -ENOMEM; 3951 3952 new->security = tsec; 3953 return 0; 3954 } 3955 3956 /* 3957 * transfer the SELinux data to a blank set of creds 3958 */ 3959 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3960 { 3961 const struct task_security_struct *old_tsec = old->security; 3962 struct task_security_struct *tsec = new->security; 3963 3964 *tsec = *old_tsec; 3965 } 3966 3967 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 3968 { 3969 *secid = cred_sid(c); 3970 } 3971 3972 /* 3973 * set the security data for a kernel service 3974 * - all the creation contexts are set to unlabelled 3975 */ 3976 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3977 { 3978 struct task_security_struct *tsec = new->security; 3979 u32 sid = current_sid(); 3980 int ret; 3981 3982 ret = avc_has_perm(&selinux_state, 3983 sid, secid, 3984 SECCLASS_KERNEL_SERVICE, 3985 KERNEL_SERVICE__USE_AS_OVERRIDE, 3986 NULL); 3987 if (ret == 0) { 3988 tsec->sid = secid; 3989 tsec->create_sid = 0; 3990 tsec->keycreate_sid = 0; 3991 tsec->sockcreate_sid = 0; 3992 } 3993 return ret; 3994 } 3995 3996 /* 3997 * set the file creation context in a security record to the same as the 3998 * objective context of the specified inode 3999 */ 4000 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 4001 { 4002 struct inode_security_struct *isec = inode_security(inode); 4003 struct task_security_struct *tsec = new->security; 4004 u32 sid = current_sid(); 4005 int ret; 4006 4007 ret = avc_has_perm(&selinux_state, 4008 sid, isec->sid, 4009 SECCLASS_KERNEL_SERVICE, 4010 KERNEL_SERVICE__CREATE_FILES_AS, 4011 NULL); 4012 4013 if (ret == 0) 4014 tsec->create_sid = isec->sid; 4015 return ret; 4016 } 4017 4018 static int selinux_kernel_module_request(char *kmod_name) 4019 { 4020 struct common_audit_data ad; 4021 4022 ad.type = LSM_AUDIT_DATA_KMOD; 4023 ad.u.kmod_name = kmod_name; 4024 4025 return avc_has_perm(&selinux_state, 4026 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4027 SYSTEM__MODULE_REQUEST, &ad); 4028 } 4029 4030 static int selinux_kernel_module_from_file(struct file *file) 4031 { 4032 struct common_audit_data ad; 4033 struct inode_security_struct *isec; 4034 struct file_security_struct *fsec; 4035 u32 sid = current_sid(); 4036 int rc; 4037 4038 /* init_module */ 4039 if (file == NULL) 4040 return avc_has_perm(&selinux_state, 4041 sid, sid, SECCLASS_SYSTEM, 4042 SYSTEM__MODULE_LOAD, NULL); 4043 4044 /* finit_module */ 4045 4046 ad.type = LSM_AUDIT_DATA_FILE; 4047 ad.u.file = file; 4048 4049 fsec = file->f_security; 4050 if (sid != fsec->sid) { 4051 rc = avc_has_perm(&selinux_state, 4052 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4053 if (rc) 4054 return rc; 4055 } 4056 4057 isec = inode_security(file_inode(file)); 4058 return avc_has_perm(&selinux_state, 4059 sid, isec->sid, SECCLASS_SYSTEM, 4060 SYSTEM__MODULE_LOAD, &ad); 4061 } 4062 4063 static int selinux_kernel_read_file(struct file *file, 4064 enum kernel_read_file_id id) 4065 { 4066 int rc = 0; 4067 4068 switch (id) { 4069 case READING_MODULE: 4070 rc = selinux_kernel_module_from_file(file); 4071 break; 4072 default: 4073 break; 4074 } 4075 4076 return rc; 4077 } 4078 4079 static int selinux_kernel_load_data(enum kernel_load_data_id id) 4080 { 4081 int rc = 0; 4082 4083 switch (id) { 4084 case LOADING_MODULE: 4085 rc = selinux_kernel_module_from_file(NULL); 4086 default: 4087 break; 4088 } 4089 4090 return rc; 4091 } 4092 4093 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4094 { 4095 return avc_has_perm(&selinux_state, 4096 current_sid(), task_sid(p), SECCLASS_PROCESS, 4097 PROCESS__SETPGID, NULL); 4098 } 4099 4100 static int selinux_task_getpgid(struct task_struct *p) 4101 { 4102 return avc_has_perm(&selinux_state, 4103 current_sid(), task_sid(p), SECCLASS_PROCESS, 4104 PROCESS__GETPGID, NULL); 4105 } 4106 4107 static int selinux_task_getsid(struct task_struct *p) 4108 { 4109 return avc_has_perm(&selinux_state, 4110 current_sid(), task_sid(p), SECCLASS_PROCESS, 4111 PROCESS__GETSESSION, NULL); 4112 } 4113 4114 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 4115 { 4116 *secid = task_sid(p); 4117 } 4118 4119 static int selinux_task_setnice(struct task_struct *p, int nice) 4120 { 4121 return avc_has_perm(&selinux_state, 4122 current_sid(), task_sid(p), SECCLASS_PROCESS, 4123 PROCESS__SETSCHED, NULL); 4124 } 4125 4126 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4127 { 4128 return avc_has_perm(&selinux_state, 4129 current_sid(), task_sid(p), SECCLASS_PROCESS, 4130 PROCESS__SETSCHED, NULL); 4131 } 4132 4133 static int selinux_task_getioprio(struct task_struct *p) 4134 { 4135 return avc_has_perm(&selinux_state, 4136 current_sid(), task_sid(p), SECCLASS_PROCESS, 4137 PROCESS__GETSCHED, NULL); 4138 } 4139 4140 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4141 unsigned int flags) 4142 { 4143 u32 av = 0; 4144 4145 if (!flags) 4146 return 0; 4147 if (flags & LSM_PRLIMIT_WRITE) 4148 av |= PROCESS__SETRLIMIT; 4149 if (flags & LSM_PRLIMIT_READ) 4150 av |= PROCESS__GETRLIMIT; 4151 return avc_has_perm(&selinux_state, 4152 cred_sid(cred), cred_sid(tcred), 4153 SECCLASS_PROCESS, av, NULL); 4154 } 4155 4156 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4157 struct rlimit *new_rlim) 4158 { 4159 struct rlimit *old_rlim = p->signal->rlim + resource; 4160 4161 /* Control the ability to change the hard limit (whether 4162 lowering or raising it), so that the hard limit can 4163 later be used as a safe reset point for the soft limit 4164 upon context transitions. See selinux_bprm_committing_creds. */ 4165 if (old_rlim->rlim_max != new_rlim->rlim_max) 4166 return avc_has_perm(&selinux_state, 4167 current_sid(), task_sid(p), 4168 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4169 4170 return 0; 4171 } 4172 4173 static int selinux_task_setscheduler(struct task_struct *p) 4174 { 4175 return avc_has_perm(&selinux_state, 4176 current_sid(), task_sid(p), SECCLASS_PROCESS, 4177 PROCESS__SETSCHED, NULL); 4178 } 4179 4180 static int selinux_task_getscheduler(struct task_struct *p) 4181 { 4182 return avc_has_perm(&selinux_state, 4183 current_sid(), task_sid(p), SECCLASS_PROCESS, 4184 PROCESS__GETSCHED, NULL); 4185 } 4186 4187 static int selinux_task_movememory(struct task_struct *p) 4188 { 4189 return avc_has_perm(&selinux_state, 4190 current_sid(), task_sid(p), SECCLASS_PROCESS, 4191 PROCESS__SETSCHED, NULL); 4192 } 4193 4194 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, 4195 int sig, const struct cred *cred) 4196 { 4197 u32 secid; 4198 u32 perm; 4199 4200 if (!sig) 4201 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4202 else 4203 perm = signal_to_av(sig); 4204 if (!cred) 4205 secid = current_sid(); 4206 else 4207 secid = cred_sid(cred); 4208 return avc_has_perm(&selinux_state, 4209 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4210 } 4211 4212 static void selinux_task_to_inode(struct task_struct *p, 4213 struct inode *inode) 4214 { 4215 struct inode_security_struct *isec = inode->i_security; 4216 u32 sid = task_sid(p); 4217 4218 spin_lock(&isec->lock); 4219 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4220 isec->sid = sid; 4221 isec->initialized = LABEL_INITIALIZED; 4222 spin_unlock(&isec->lock); 4223 } 4224 4225 /* Returns error only if unable to parse addresses */ 4226 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4227 struct common_audit_data *ad, u8 *proto) 4228 { 4229 int offset, ihlen, ret = -EINVAL; 4230 struct iphdr _iph, *ih; 4231 4232 offset = skb_network_offset(skb); 4233 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4234 if (ih == NULL) 4235 goto out; 4236 4237 ihlen = ih->ihl * 4; 4238 if (ihlen < sizeof(_iph)) 4239 goto out; 4240 4241 ad->u.net->v4info.saddr = ih->saddr; 4242 ad->u.net->v4info.daddr = ih->daddr; 4243 ret = 0; 4244 4245 if (proto) 4246 *proto = ih->protocol; 4247 4248 switch (ih->protocol) { 4249 case IPPROTO_TCP: { 4250 struct tcphdr _tcph, *th; 4251 4252 if (ntohs(ih->frag_off) & IP_OFFSET) 4253 break; 4254 4255 offset += ihlen; 4256 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4257 if (th == NULL) 4258 break; 4259 4260 ad->u.net->sport = th->source; 4261 ad->u.net->dport = th->dest; 4262 break; 4263 } 4264 4265 case IPPROTO_UDP: { 4266 struct udphdr _udph, *uh; 4267 4268 if (ntohs(ih->frag_off) & IP_OFFSET) 4269 break; 4270 4271 offset += ihlen; 4272 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4273 if (uh == NULL) 4274 break; 4275 4276 ad->u.net->sport = uh->source; 4277 ad->u.net->dport = uh->dest; 4278 break; 4279 } 4280 4281 case IPPROTO_DCCP: { 4282 struct dccp_hdr _dccph, *dh; 4283 4284 if (ntohs(ih->frag_off) & IP_OFFSET) 4285 break; 4286 4287 offset += ihlen; 4288 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4289 if (dh == NULL) 4290 break; 4291 4292 ad->u.net->sport = dh->dccph_sport; 4293 ad->u.net->dport = dh->dccph_dport; 4294 break; 4295 } 4296 4297 #if IS_ENABLED(CONFIG_IP_SCTP) 4298 case IPPROTO_SCTP: { 4299 struct sctphdr _sctph, *sh; 4300 4301 if (ntohs(ih->frag_off) & IP_OFFSET) 4302 break; 4303 4304 offset += ihlen; 4305 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4306 if (sh == NULL) 4307 break; 4308 4309 ad->u.net->sport = sh->source; 4310 ad->u.net->dport = sh->dest; 4311 break; 4312 } 4313 #endif 4314 default: 4315 break; 4316 } 4317 out: 4318 return ret; 4319 } 4320 4321 #if IS_ENABLED(CONFIG_IPV6) 4322 4323 /* Returns error only if unable to parse addresses */ 4324 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4325 struct common_audit_data *ad, u8 *proto) 4326 { 4327 u8 nexthdr; 4328 int ret = -EINVAL, offset; 4329 struct ipv6hdr _ipv6h, *ip6; 4330 __be16 frag_off; 4331 4332 offset = skb_network_offset(skb); 4333 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4334 if (ip6 == NULL) 4335 goto out; 4336 4337 ad->u.net->v6info.saddr = ip6->saddr; 4338 ad->u.net->v6info.daddr = ip6->daddr; 4339 ret = 0; 4340 4341 nexthdr = ip6->nexthdr; 4342 offset += sizeof(_ipv6h); 4343 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4344 if (offset < 0) 4345 goto out; 4346 4347 if (proto) 4348 *proto = nexthdr; 4349 4350 switch (nexthdr) { 4351 case IPPROTO_TCP: { 4352 struct tcphdr _tcph, *th; 4353 4354 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4355 if (th == NULL) 4356 break; 4357 4358 ad->u.net->sport = th->source; 4359 ad->u.net->dport = th->dest; 4360 break; 4361 } 4362 4363 case IPPROTO_UDP: { 4364 struct udphdr _udph, *uh; 4365 4366 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4367 if (uh == NULL) 4368 break; 4369 4370 ad->u.net->sport = uh->source; 4371 ad->u.net->dport = uh->dest; 4372 break; 4373 } 4374 4375 case IPPROTO_DCCP: { 4376 struct dccp_hdr _dccph, *dh; 4377 4378 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4379 if (dh == NULL) 4380 break; 4381 4382 ad->u.net->sport = dh->dccph_sport; 4383 ad->u.net->dport = dh->dccph_dport; 4384 break; 4385 } 4386 4387 #if IS_ENABLED(CONFIG_IP_SCTP) 4388 case IPPROTO_SCTP: { 4389 struct sctphdr _sctph, *sh; 4390 4391 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4392 if (sh == NULL) 4393 break; 4394 4395 ad->u.net->sport = sh->source; 4396 ad->u.net->dport = sh->dest; 4397 break; 4398 } 4399 #endif 4400 /* includes fragments */ 4401 default: 4402 break; 4403 } 4404 out: 4405 return ret; 4406 } 4407 4408 #endif /* IPV6 */ 4409 4410 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4411 char **_addrp, int src, u8 *proto) 4412 { 4413 char *addrp; 4414 int ret; 4415 4416 switch (ad->u.net->family) { 4417 case PF_INET: 4418 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4419 if (ret) 4420 goto parse_error; 4421 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4422 &ad->u.net->v4info.daddr); 4423 goto okay; 4424 4425 #if IS_ENABLED(CONFIG_IPV6) 4426 case PF_INET6: 4427 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4428 if (ret) 4429 goto parse_error; 4430 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4431 &ad->u.net->v6info.daddr); 4432 goto okay; 4433 #endif /* IPV6 */ 4434 default: 4435 addrp = NULL; 4436 goto okay; 4437 } 4438 4439 parse_error: 4440 pr_warn( 4441 "SELinux: failure in selinux_parse_skb()," 4442 " unable to parse packet\n"); 4443 return ret; 4444 4445 okay: 4446 if (_addrp) 4447 *_addrp = addrp; 4448 return 0; 4449 } 4450 4451 /** 4452 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4453 * @skb: the packet 4454 * @family: protocol family 4455 * @sid: the packet's peer label SID 4456 * 4457 * Description: 4458 * Check the various different forms of network peer labeling and determine 4459 * the peer label/SID for the packet; most of the magic actually occurs in 4460 * the security server function security_net_peersid_cmp(). The function 4461 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4462 * or -EACCES if @sid is invalid due to inconsistencies with the different 4463 * peer labels. 4464 * 4465 */ 4466 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4467 { 4468 int err; 4469 u32 xfrm_sid; 4470 u32 nlbl_sid; 4471 u32 nlbl_type; 4472 4473 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4474 if (unlikely(err)) 4475 return -EACCES; 4476 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4477 if (unlikely(err)) 4478 return -EACCES; 4479 4480 err = security_net_peersid_resolve(&selinux_state, nlbl_sid, 4481 nlbl_type, xfrm_sid, sid); 4482 if (unlikely(err)) { 4483 pr_warn( 4484 "SELinux: failure in selinux_skb_peerlbl_sid()," 4485 " unable to determine packet's peer label\n"); 4486 return -EACCES; 4487 } 4488 4489 return 0; 4490 } 4491 4492 /** 4493 * selinux_conn_sid - Determine the child socket label for a connection 4494 * @sk_sid: the parent socket's SID 4495 * @skb_sid: the packet's SID 4496 * @conn_sid: the resulting connection SID 4497 * 4498 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4499 * combined with the MLS information from @skb_sid in order to create 4500 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy 4501 * of @sk_sid. Returns zero on success, negative values on failure. 4502 * 4503 */ 4504 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4505 { 4506 int err = 0; 4507 4508 if (skb_sid != SECSID_NULL) 4509 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid, 4510 conn_sid); 4511 else 4512 *conn_sid = sk_sid; 4513 4514 return err; 4515 } 4516 4517 /* socket security operations */ 4518 4519 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4520 u16 secclass, u32 *socksid) 4521 { 4522 if (tsec->sockcreate_sid > SECSID_NULL) { 4523 *socksid = tsec->sockcreate_sid; 4524 return 0; 4525 } 4526 4527 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid, 4528 secclass, NULL, socksid); 4529 } 4530 4531 static int sock_has_perm(struct sock *sk, u32 perms) 4532 { 4533 struct sk_security_struct *sksec = sk->sk_security; 4534 struct common_audit_data ad; 4535 struct lsm_network_audit net = {0,}; 4536 4537 if (sksec->sid == SECINITSID_KERNEL) 4538 return 0; 4539 4540 ad.type = LSM_AUDIT_DATA_NET; 4541 ad.u.net = &net; 4542 ad.u.net->sk = sk; 4543 4544 return avc_has_perm(&selinux_state, 4545 current_sid(), sksec->sid, sksec->sclass, perms, 4546 &ad); 4547 } 4548 4549 static int selinux_socket_create(int family, int type, 4550 int protocol, int kern) 4551 { 4552 const struct task_security_struct *tsec = current_security(); 4553 u32 newsid; 4554 u16 secclass; 4555 int rc; 4556 4557 if (kern) 4558 return 0; 4559 4560 secclass = socket_type_to_security_class(family, type, protocol); 4561 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4562 if (rc) 4563 return rc; 4564 4565 return avc_has_perm(&selinux_state, 4566 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4567 } 4568 4569 static int selinux_socket_post_create(struct socket *sock, int family, 4570 int type, int protocol, int kern) 4571 { 4572 const struct task_security_struct *tsec = current_security(); 4573 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4574 struct sk_security_struct *sksec; 4575 u16 sclass = socket_type_to_security_class(family, type, protocol); 4576 u32 sid = SECINITSID_KERNEL; 4577 int err = 0; 4578 4579 if (!kern) { 4580 err = socket_sockcreate_sid(tsec, sclass, &sid); 4581 if (err) 4582 return err; 4583 } 4584 4585 isec->sclass = sclass; 4586 isec->sid = sid; 4587 isec->initialized = LABEL_INITIALIZED; 4588 4589 if (sock->sk) { 4590 sksec = sock->sk->sk_security; 4591 sksec->sclass = sclass; 4592 sksec->sid = sid; 4593 /* Allows detection of the first association on this socket */ 4594 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4595 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4596 4597 err = selinux_netlbl_socket_post_create(sock->sk, family); 4598 } 4599 4600 return err; 4601 } 4602 4603 static int selinux_socket_socketpair(struct socket *socka, 4604 struct socket *sockb) 4605 { 4606 struct sk_security_struct *sksec_a = socka->sk->sk_security; 4607 struct sk_security_struct *sksec_b = sockb->sk->sk_security; 4608 4609 sksec_a->peer_sid = sksec_b->sid; 4610 sksec_b->peer_sid = sksec_a->sid; 4611 4612 return 0; 4613 } 4614 4615 /* Range of port numbers used to automatically bind. 4616 Need to determine whether we should perform a name_bind 4617 permission check between the socket and the port number. */ 4618 4619 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4620 { 4621 struct sock *sk = sock->sk; 4622 struct sk_security_struct *sksec = sk->sk_security; 4623 u16 family; 4624 int err; 4625 4626 err = sock_has_perm(sk, SOCKET__BIND); 4627 if (err) 4628 goto out; 4629 4630 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4631 family = sk->sk_family; 4632 if (family == PF_INET || family == PF_INET6) { 4633 char *addrp; 4634 struct common_audit_data ad; 4635 struct lsm_network_audit net = {0,}; 4636 struct sockaddr_in *addr4 = NULL; 4637 struct sockaddr_in6 *addr6 = NULL; 4638 u16 family_sa = address->sa_family; 4639 unsigned short snum; 4640 u32 sid, node_perm; 4641 4642 /* 4643 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4644 * that validates multiple binding addresses. Because of this 4645 * need to check address->sa_family as it is possible to have 4646 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4647 */ 4648 switch (family_sa) { 4649 case AF_UNSPEC: 4650 case AF_INET: 4651 if (addrlen < sizeof(struct sockaddr_in)) 4652 return -EINVAL; 4653 addr4 = (struct sockaddr_in *)address; 4654 if (family_sa == AF_UNSPEC) { 4655 /* see __inet_bind(), we only want to allow 4656 * AF_UNSPEC if the address is INADDR_ANY 4657 */ 4658 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4659 goto err_af; 4660 family_sa = AF_INET; 4661 } 4662 snum = ntohs(addr4->sin_port); 4663 addrp = (char *)&addr4->sin_addr.s_addr; 4664 break; 4665 case AF_INET6: 4666 if (addrlen < SIN6_LEN_RFC2133) 4667 return -EINVAL; 4668 addr6 = (struct sockaddr_in6 *)address; 4669 snum = ntohs(addr6->sin6_port); 4670 addrp = (char *)&addr6->sin6_addr.s6_addr; 4671 break; 4672 default: 4673 goto err_af; 4674 } 4675 4676 ad.type = LSM_AUDIT_DATA_NET; 4677 ad.u.net = &net; 4678 ad.u.net->sport = htons(snum); 4679 ad.u.net->family = family_sa; 4680 4681 if (snum) { 4682 int low, high; 4683 4684 inet_get_local_port_range(sock_net(sk), &low, &high); 4685 4686 if (snum < max(inet_prot_sock(sock_net(sk)), low) || 4687 snum > high) { 4688 err = sel_netport_sid(sk->sk_protocol, 4689 snum, &sid); 4690 if (err) 4691 goto out; 4692 err = avc_has_perm(&selinux_state, 4693 sksec->sid, sid, 4694 sksec->sclass, 4695 SOCKET__NAME_BIND, &ad); 4696 if (err) 4697 goto out; 4698 } 4699 } 4700 4701 switch (sksec->sclass) { 4702 case SECCLASS_TCP_SOCKET: 4703 node_perm = TCP_SOCKET__NODE_BIND; 4704 break; 4705 4706 case SECCLASS_UDP_SOCKET: 4707 node_perm = UDP_SOCKET__NODE_BIND; 4708 break; 4709 4710 case SECCLASS_DCCP_SOCKET: 4711 node_perm = DCCP_SOCKET__NODE_BIND; 4712 break; 4713 4714 case SECCLASS_SCTP_SOCKET: 4715 node_perm = SCTP_SOCKET__NODE_BIND; 4716 break; 4717 4718 default: 4719 node_perm = RAWIP_SOCKET__NODE_BIND; 4720 break; 4721 } 4722 4723 err = sel_netnode_sid(addrp, family_sa, &sid); 4724 if (err) 4725 goto out; 4726 4727 if (family_sa == AF_INET) 4728 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4729 else 4730 ad.u.net->v6info.saddr = addr6->sin6_addr; 4731 4732 err = avc_has_perm(&selinux_state, 4733 sksec->sid, sid, 4734 sksec->sclass, node_perm, &ad); 4735 if (err) 4736 goto out; 4737 } 4738 out: 4739 return err; 4740 err_af: 4741 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4742 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4743 return -EINVAL; 4744 return -EAFNOSUPPORT; 4745 } 4746 4747 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 4748 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst 4749 */ 4750 static int selinux_socket_connect_helper(struct socket *sock, 4751 struct sockaddr *address, int addrlen) 4752 { 4753 struct sock *sk = sock->sk; 4754 struct sk_security_struct *sksec = sk->sk_security; 4755 int err; 4756 4757 err = sock_has_perm(sk, SOCKET__CONNECT); 4758 if (err) 4759 return err; 4760 4761 /* 4762 * If a TCP, DCCP or SCTP socket, check name_connect permission 4763 * for the port. 4764 */ 4765 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4766 sksec->sclass == SECCLASS_DCCP_SOCKET || 4767 sksec->sclass == SECCLASS_SCTP_SOCKET) { 4768 struct common_audit_data ad; 4769 struct lsm_network_audit net = {0,}; 4770 struct sockaddr_in *addr4 = NULL; 4771 struct sockaddr_in6 *addr6 = NULL; 4772 unsigned short snum; 4773 u32 sid, perm; 4774 4775 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 4776 * that validates multiple connect addresses. Because of this 4777 * need to check address->sa_family as it is possible to have 4778 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4779 */ 4780 switch (address->sa_family) { 4781 case AF_INET: 4782 addr4 = (struct sockaddr_in *)address; 4783 if (addrlen < sizeof(struct sockaddr_in)) 4784 return -EINVAL; 4785 snum = ntohs(addr4->sin_port); 4786 break; 4787 case AF_INET6: 4788 addr6 = (struct sockaddr_in6 *)address; 4789 if (addrlen < SIN6_LEN_RFC2133) 4790 return -EINVAL; 4791 snum = ntohs(addr6->sin6_port); 4792 break; 4793 default: 4794 /* Note that SCTP services expect -EINVAL, whereas 4795 * others expect -EAFNOSUPPORT. 4796 */ 4797 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4798 return -EINVAL; 4799 else 4800 return -EAFNOSUPPORT; 4801 } 4802 4803 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4804 if (err) 4805 return err; 4806 4807 switch (sksec->sclass) { 4808 case SECCLASS_TCP_SOCKET: 4809 perm = TCP_SOCKET__NAME_CONNECT; 4810 break; 4811 case SECCLASS_DCCP_SOCKET: 4812 perm = DCCP_SOCKET__NAME_CONNECT; 4813 break; 4814 case SECCLASS_SCTP_SOCKET: 4815 perm = SCTP_SOCKET__NAME_CONNECT; 4816 break; 4817 } 4818 4819 ad.type = LSM_AUDIT_DATA_NET; 4820 ad.u.net = &net; 4821 ad.u.net->dport = htons(snum); 4822 ad.u.net->family = address->sa_family; 4823 err = avc_has_perm(&selinux_state, 4824 sksec->sid, sid, sksec->sclass, perm, &ad); 4825 if (err) 4826 return err; 4827 } 4828 4829 return 0; 4830 } 4831 4832 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 4833 static int selinux_socket_connect(struct socket *sock, 4834 struct sockaddr *address, int addrlen) 4835 { 4836 int err; 4837 struct sock *sk = sock->sk; 4838 4839 err = selinux_socket_connect_helper(sock, address, addrlen); 4840 if (err) 4841 return err; 4842 4843 return selinux_netlbl_socket_connect(sk, address); 4844 } 4845 4846 static int selinux_socket_listen(struct socket *sock, int backlog) 4847 { 4848 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4849 } 4850 4851 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4852 { 4853 int err; 4854 struct inode_security_struct *isec; 4855 struct inode_security_struct *newisec; 4856 u16 sclass; 4857 u32 sid; 4858 4859 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4860 if (err) 4861 return err; 4862 4863 isec = inode_security_novalidate(SOCK_INODE(sock)); 4864 spin_lock(&isec->lock); 4865 sclass = isec->sclass; 4866 sid = isec->sid; 4867 spin_unlock(&isec->lock); 4868 4869 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4870 newisec->sclass = sclass; 4871 newisec->sid = sid; 4872 newisec->initialized = LABEL_INITIALIZED; 4873 4874 return 0; 4875 } 4876 4877 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4878 int size) 4879 { 4880 return sock_has_perm(sock->sk, SOCKET__WRITE); 4881 } 4882 4883 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4884 int size, int flags) 4885 { 4886 return sock_has_perm(sock->sk, SOCKET__READ); 4887 } 4888 4889 static int selinux_socket_getsockname(struct socket *sock) 4890 { 4891 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4892 } 4893 4894 static int selinux_socket_getpeername(struct socket *sock) 4895 { 4896 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4897 } 4898 4899 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4900 { 4901 int err; 4902 4903 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 4904 if (err) 4905 return err; 4906 4907 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4908 } 4909 4910 static int selinux_socket_getsockopt(struct socket *sock, int level, 4911 int optname) 4912 { 4913 return sock_has_perm(sock->sk, SOCKET__GETOPT); 4914 } 4915 4916 static int selinux_socket_shutdown(struct socket *sock, int how) 4917 { 4918 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 4919 } 4920 4921 static int selinux_socket_unix_stream_connect(struct sock *sock, 4922 struct sock *other, 4923 struct sock *newsk) 4924 { 4925 struct sk_security_struct *sksec_sock = sock->sk_security; 4926 struct sk_security_struct *sksec_other = other->sk_security; 4927 struct sk_security_struct *sksec_new = newsk->sk_security; 4928 struct common_audit_data ad; 4929 struct lsm_network_audit net = {0,}; 4930 int err; 4931 4932 ad.type = LSM_AUDIT_DATA_NET; 4933 ad.u.net = &net; 4934 ad.u.net->sk = other; 4935 4936 err = avc_has_perm(&selinux_state, 4937 sksec_sock->sid, sksec_other->sid, 4938 sksec_other->sclass, 4939 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4940 if (err) 4941 return err; 4942 4943 /* server child socket */ 4944 sksec_new->peer_sid = sksec_sock->sid; 4945 err = security_sid_mls_copy(&selinux_state, sksec_other->sid, 4946 sksec_sock->sid, &sksec_new->sid); 4947 if (err) 4948 return err; 4949 4950 /* connecting socket */ 4951 sksec_sock->peer_sid = sksec_new->sid; 4952 4953 return 0; 4954 } 4955 4956 static int selinux_socket_unix_may_send(struct socket *sock, 4957 struct socket *other) 4958 { 4959 struct sk_security_struct *ssec = sock->sk->sk_security; 4960 struct sk_security_struct *osec = other->sk->sk_security; 4961 struct common_audit_data ad; 4962 struct lsm_network_audit net = {0,}; 4963 4964 ad.type = LSM_AUDIT_DATA_NET; 4965 ad.u.net = &net; 4966 ad.u.net->sk = other->sk; 4967 4968 return avc_has_perm(&selinux_state, 4969 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4970 &ad); 4971 } 4972 4973 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4974 char *addrp, u16 family, u32 peer_sid, 4975 struct common_audit_data *ad) 4976 { 4977 int err; 4978 u32 if_sid; 4979 u32 node_sid; 4980 4981 err = sel_netif_sid(ns, ifindex, &if_sid); 4982 if (err) 4983 return err; 4984 err = avc_has_perm(&selinux_state, 4985 peer_sid, if_sid, 4986 SECCLASS_NETIF, NETIF__INGRESS, ad); 4987 if (err) 4988 return err; 4989 4990 err = sel_netnode_sid(addrp, family, &node_sid); 4991 if (err) 4992 return err; 4993 return avc_has_perm(&selinux_state, 4994 peer_sid, node_sid, 4995 SECCLASS_NODE, NODE__RECVFROM, ad); 4996 } 4997 4998 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4999 u16 family) 5000 { 5001 int err = 0; 5002 struct sk_security_struct *sksec = sk->sk_security; 5003 u32 sk_sid = sksec->sid; 5004 struct common_audit_data ad; 5005 struct lsm_network_audit net = {0,}; 5006 char *addrp; 5007 5008 ad.type = LSM_AUDIT_DATA_NET; 5009 ad.u.net = &net; 5010 ad.u.net->netif = skb->skb_iif; 5011 ad.u.net->family = family; 5012 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5013 if (err) 5014 return err; 5015 5016 if (selinux_secmark_enabled()) { 5017 err = avc_has_perm(&selinux_state, 5018 sk_sid, skb->secmark, SECCLASS_PACKET, 5019 PACKET__RECV, &ad); 5020 if (err) 5021 return err; 5022 } 5023 5024 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 5025 if (err) 5026 return err; 5027 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 5028 5029 return err; 5030 } 5031 5032 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 5033 { 5034 int err; 5035 struct sk_security_struct *sksec = sk->sk_security; 5036 u16 family = sk->sk_family; 5037 u32 sk_sid = sksec->sid; 5038 struct common_audit_data ad; 5039 struct lsm_network_audit net = {0,}; 5040 char *addrp; 5041 u8 secmark_active; 5042 u8 peerlbl_active; 5043 5044 if (family != PF_INET && family != PF_INET6) 5045 return 0; 5046 5047 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5048 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5049 family = PF_INET; 5050 5051 /* If any sort of compatibility mode is enabled then handoff processing 5052 * to the selinux_sock_rcv_skb_compat() function to deal with the 5053 * special handling. We do this in an attempt to keep this function 5054 * as fast and as clean as possible. */ 5055 if (!selinux_policycap_netpeer()) 5056 return selinux_sock_rcv_skb_compat(sk, skb, family); 5057 5058 secmark_active = selinux_secmark_enabled(); 5059 peerlbl_active = selinux_peerlbl_enabled(); 5060 if (!secmark_active && !peerlbl_active) 5061 return 0; 5062 5063 ad.type = LSM_AUDIT_DATA_NET; 5064 ad.u.net = &net; 5065 ad.u.net->netif = skb->skb_iif; 5066 ad.u.net->family = family; 5067 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5068 if (err) 5069 return err; 5070 5071 if (peerlbl_active) { 5072 u32 peer_sid; 5073 5074 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5075 if (err) 5076 return err; 5077 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5078 addrp, family, peer_sid, &ad); 5079 if (err) { 5080 selinux_netlbl_err(skb, family, err, 0); 5081 return err; 5082 } 5083 err = avc_has_perm(&selinux_state, 5084 sk_sid, peer_sid, SECCLASS_PEER, 5085 PEER__RECV, &ad); 5086 if (err) { 5087 selinux_netlbl_err(skb, family, err, 0); 5088 return err; 5089 } 5090 } 5091 5092 if (secmark_active) { 5093 err = avc_has_perm(&selinux_state, 5094 sk_sid, skb->secmark, SECCLASS_PACKET, 5095 PACKET__RECV, &ad); 5096 if (err) 5097 return err; 5098 } 5099 5100 return err; 5101 } 5102 5103 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 5104 int __user *optlen, unsigned len) 5105 { 5106 int err = 0; 5107 char *scontext; 5108 u32 scontext_len; 5109 struct sk_security_struct *sksec = sock->sk->sk_security; 5110 u32 peer_sid = SECSID_NULL; 5111 5112 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5113 sksec->sclass == SECCLASS_TCP_SOCKET || 5114 sksec->sclass == SECCLASS_SCTP_SOCKET) 5115 peer_sid = sksec->peer_sid; 5116 if (peer_sid == SECSID_NULL) 5117 return -ENOPROTOOPT; 5118 5119 err = security_sid_to_context(&selinux_state, peer_sid, &scontext, 5120 &scontext_len); 5121 if (err) 5122 return err; 5123 5124 if (scontext_len > len) { 5125 err = -ERANGE; 5126 goto out_len; 5127 } 5128 5129 if (copy_to_user(optval, scontext, scontext_len)) 5130 err = -EFAULT; 5131 5132 out_len: 5133 if (put_user(scontext_len, optlen)) 5134 err = -EFAULT; 5135 kfree(scontext); 5136 return err; 5137 } 5138 5139 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 5140 { 5141 u32 peer_secid = SECSID_NULL; 5142 u16 family; 5143 struct inode_security_struct *isec; 5144 5145 if (skb && skb->protocol == htons(ETH_P_IP)) 5146 family = PF_INET; 5147 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5148 family = PF_INET6; 5149 else if (sock) 5150 family = sock->sk->sk_family; 5151 else 5152 goto out; 5153 5154 if (sock && family == PF_UNIX) { 5155 isec = inode_security_novalidate(SOCK_INODE(sock)); 5156 peer_secid = isec->sid; 5157 } else if (skb) 5158 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5159 5160 out: 5161 *secid = peer_secid; 5162 if (peer_secid == SECSID_NULL) 5163 return -EINVAL; 5164 return 0; 5165 } 5166 5167 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5168 { 5169 struct sk_security_struct *sksec; 5170 5171 sksec = kzalloc(sizeof(*sksec), priority); 5172 if (!sksec) 5173 return -ENOMEM; 5174 5175 sksec->peer_sid = SECINITSID_UNLABELED; 5176 sksec->sid = SECINITSID_UNLABELED; 5177 sksec->sclass = SECCLASS_SOCKET; 5178 selinux_netlbl_sk_security_reset(sksec); 5179 sk->sk_security = sksec; 5180 5181 return 0; 5182 } 5183 5184 static void selinux_sk_free_security(struct sock *sk) 5185 { 5186 struct sk_security_struct *sksec = sk->sk_security; 5187 5188 sk->sk_security = NULL; 5189 selinux_netlbl_sk_security_free(sksec); 5190 kfree(sksec); 5191 } 5192 5193 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5194 { 5195 struct sk_security_struct *sksec = sk->sk_security; 5196 struct sk_security_struct *newsksec = newsk->sk_security; 5197 5198 newsksec->sid = sksec->sid; 5199 newsksec->peer_sid = sksec->peer_sid; 5200 newsksec->sclass = sksec->sclass; 5201 5202 selinux_netlbl_sk_security_reset(newsksec); 5203 } 5204 5205 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 5206 { 5207 if (!sk) 5208 *secid = SECINITSID_ANY_SOCKET; 5209 else { 5210 struct sk_security_struct *sksec = sk->sk_security; 5211 5212 *secid = sksec->sid; 5213 } 5214 } 5215 5216 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5217 { 5218 struct inode_security_struct *isec = 5219 inode_security_novalidate(SOCK_INODE(parent)); 5220 struct sk_security_struct *sksec = sk->sk_security; 5221 5222 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5223 sk->sk_family == PF_UNIX) 5224 isec->sid = sksec->sid; 5225 sksec->sclass = isec->sclass; 5226 } 5227 5228 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming 5229 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association 5230 * already present). 5231 */ 5232 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep, 5233 struct sk_buff *skb) 5234 { 5235 struct sk_security_struct *sksec = ep->base.sk->sk_security; 5236 struct common_audit_data ad; 5237 struct lsm_network_audit net = {0,}; 5238 u8 peerlbl_active; 5239 u32 peer_sid = SECINITSID_UNLABELED; 5240 u32 conn_sid; 5241 int err = 0; 5242 5243 if (!selinux_policycap_extsockclass()) 5244 return 0; 5245 5246 peerlbl_active = selinux_peerlbl_enabled(); 5247 5248 if (peerlbl_active) { 5249 /* This will return peer_sid = SECSID_NULL if there are 5250 * no peer labels, see security_net_peersid_resolve(). 5251 */ 5252 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family, 5253 &peer_sid); 5254 if (err) 5255 return err; 5256 5257 if (peer_sid == SECSID_NULL) 5258 peer_sid = SECINITSID_UNLABELED; 5259 } 5260 5261 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5262 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5263 5264 /* Here as first association on socket. As the peer SID 5265 * was allowed by peer recv (and the netif/node checks), 5266 * then it is approved by policy and used as the primary 5267 * peer SID for getpeercon(3). 5268 */ 5269 sksec->peer_sid = peer_sid; 5270 } else if (sksec->peer_sid != peer_sid) { 5271 /* Other association peer SIDs are checked to enforce 5272 * consistency among the peer SIDs. 5273 */ 5274 ad.type = LSM_AUDIT_DATA_NET; 5275 ad.u.net = &net; 5276 ad.u.net->sk = ep->base.sk; 5277 err = avc_has_perm(&selinux_state, 5278 sksec->peer_sid, peer_sid, sksec->sclass, 5279 SCTP_SOCKET__ASSOCIATION, &ad); 5280 if (err) 5281 return err; 5282 } 5283 5284 /* Compute the MLS component for the connection and store 5285 * the information in ep. This will be used by SCTP TCP type 5286 * sockets and peeled off connections as they cause a new 5287 * socket to be generated. selinux_sctp_sk_clone() will then 5288 * plug this into the new socket. 5289 */ 5290 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid); 5291 if (err) 5292 return err; 5293 5294 ep->secid = conn_sid; 5295 ep->peer_secid = peer_sid; 5296 5297 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5298 return selinux_netlbl_sctp_assoc_request(ep, skb); 5299 } 5300 5301 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5302 * based on their @optname. 5303 */ 5304 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5305 struct sockaddr *address, 5306 int addrlen) 5307 { 5308 int len, err = 0, walk_size = 0; 5309 void *addr_buf; 5310 struct sockaddr *addr; 5311 struct socket *sock; 5312 5313 if (!selinux_policycap_extsockclass()) 5314 return 0; 5315 5316 /* Process one or more addresses that may be IPv4 or IPv6 */ 5317 sock = sk->sk_socket; 5318 addr_buf = address; 5319 5320 while (walk_size < addrlen) { 5321 if (walk_size + sizeof(sa_family_t) > addrlen) 5322 return -EINVAL; 5323 5324 addr = addr_buf; 5325 switch (addr->sa_family) { 5326 case AF_UNSPEC: 5327 case AF_INET: 5328 len = sizeof(struct sockaddr_in); 5329 break; 5330 case AF_INET6: 5331 len = sizeof(struct sockaddr_in6); 5332 break; 5333 default: 5334 return -EINVAL; 5335 } 5336 5337 err = -EINVAL; 5338 switch (optname) { 5339 /* Bind checks */ 5340 case SCTP_PRIMARY_ADDR: 5341 case SCTP_SET_PEER_PRIMARY_ADDR: 5342 case SCTP_SOCKOPT_BINDX_ADD: 5343 err = selinux_socket_bind(sock, addr, len); 5344 break; 5345 /* Connect checks */ 5346 case SCTP_SOCKOPT_CONNECTX: 5347 case SCTP_PARAM_SET_PRIMARY: 5348 case SCTP_PARAM_ADD_IP: 5349 case SCTP_SENDMSG_CONNECT: 5350 err = selinux_socket_connect_helper(sock, addr, len); 5351 if (err) 5352 return err; 5353 5354 /* As selinux_sctp_bind_connect() is called by the 5355 * SCTP protocol layer, the socket is already locked, 5356 * therefore selinux_netlbl_socket_connect_locked() is 5357 * is called here. The situations handled are: 5358 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5359 * whenever a new IP address is added or when a new 5360 * primary address is selected. 5361 * Note that an SCTP connect(2) call happens before 5362 * the SCTP protocol layer and is handled via 5363 * selinux_socket_connect(). 5364 */ 5365 err = selinux_netlbl_socket_connect_locked(sk, addr); 5366 break; 5367 } 5368 5369 if (err) 5370 return err; 5371 5372 addr_buf += len; 5373 walk_size += len; 5374 } 5375 5376 return 0; 5377 } 5378 5379 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5380 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, 5381 struct sock *newsk) 5382 { 5383 struct sk_security_struct *sksec = sk->sk_security; 5384 struct sk_security_struct *newsksec = newsk->sk_security; 5385 5386 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5387 * the non-sctp clone version. 5388 */ 5389 if (!selinux_policycap_extsockclass()) 5390 return selinux_sk_clone_security(sk, newsk); 5391 5392 newsksec->sid = ep->secid; 5393 newsksec->peer_sid = ep->peer_secid; 5394 newsksec->sclass = sksec->sclass; 5395 selinux_netlbl_sctp_sk_clone(sk, newsk); 5396 } 5397 5398 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 5399 struct request_sock *req) 5400 { 5401 struct sk_security_struct *sksec = sk->sk_security; 5402 int err; 5403 u16 family = req->rsk_ops->family; 5404 u32 connsid; 5405 u32 peersid; 5406 5407 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5408 if (err) 5409 return err; 5410 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5411 if (err) 5412 return err; 5413 req->secid = connsid; 5414 req->peer_secid = peersid; 5415 5416 return selinux_netlbl_inet_conn_request(req, family); 5417 } 5418 5419 static void selinux_inet_csk_clone(struct sock *newsk, 5420 const struct request_sock *req) 5421 { 5422 struct sk_security_struct *newsksec = newsk->sk_security; 5423 5424 newsksec->sid = req->secid; 5425 newsksec->peer_sid = req->peer_secid; 5426 /* NOTE: Ideally, we should also get the isec->sid for the 5427 new socket in sync, but we don't have the isec available yet. 5428 So we will wait until sock_graft to do it, by which 5429 time it will have been created and available. */ 5430 5431 /* We don't need to take any sort of lock here as we are the only 5432 * thread with access to newsksec */ 5433 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5434 } 5435 5436 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5437 { 5438 u16 family = sk->sk_family; 5439 struct sk_security_struct *sksec = sk->sk_security; 5440 5441 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5442 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5443 family = PF_INET; 5444 5445 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5446 } 5447 5448 static int selinux_secmark_relabel_packet(u32 sid) 5449 { 5450 const struct task_security_struct *__tsec; 5451 u32 tsid; 5452 5453 __tsec = current_security(); 5454 tsid = __tsec->sid; 5455 5456 return avc_has_perm(&selinux_state, 5457 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, 5458 NULL); 5459 } 5460 5461 static void selinux_secmark_refcount_inc(void) 5462 { 5463 atomic_inc(&selinux_secmark_refcount); 5464 } 5465 5466 static void selinux_secmark_refcount_dec(void) 5467 { 5468 atomic_dec(&selinux_secmark_refcount); 5469 } 5470 5471 static void selinux_req_classify_flow(const struct request_sock *req, 5472 struct flowi *fl) 5473 { 5474 fl->flowi_secid = req->secid; 5475 } 5476 5477 static int selinux_tun_dev_alloc_security(void **security) 5478 { 5479 struct tun_security_struct *tunsec; 5480 5481 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5482 if (!tunsec) 5483 return -ENOMEM; 5484 tunsec->sid = current_sid(); 5485 5486 *security = tunsec; 5487 return 0; 5488 } 5489 5490 static void selinux_tun_dev_free_security(void *security) 5491 { 5492 kfree(security); 5493 } 5494 5495 static int selinux_tun_dev_create(void) 5496 { 5497 u32 sid = current_sid(); 5498 5499 /* we aren't taking into account the "sockcreate" SID since the socket 5500 * that is being created here is not a socket in the traditional sense, 5501 * instead it is a private sock, accessible only to the kernel, and 5502 * representing a wide range of network traffic spanning multiple 5503 * connections unlike traditional sockets - check the TUN driver to 5504 * get a better understanding of why this socket is special */ 5505 5506 return avc_has_perm(&selinux_state, 5507 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5508 NULL); 5509 } 5510 5511 static int selinux_tun_dev_attach_queue(void *security) 5512 { 5513 struct tun_security_struct *tunsec = security; 5514 5515 return avc_has_perm(&selinux_state, 5516 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5517 TUN_SOCKET__ATTACH_QUEUE, NULL); 5518 } 5519 5520 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5521 { 5522 struct tun_security_struct *tunsec = security; 5523 struct sk_security_struct *sksec = sk->sk_security; 5524 5525 /* we don't currently perform any NetLabel based labeling here and it 5526 * isn't clear that we would want to do so anyway; while we could apply 5527 * labeling without the support of the TUN user the resulting labeled 5528 * traffic from the other end of the connection would almost certainly 5529 * cause confusion to the TUN user that had no idea network labeling 5530 * protocols were being used */ 5531 5532 sksec->sid = tunsec->sid; 5533 sksec->sclass = SECCLASS_TUN_SOCKET; 5534 5535 return 0; 5536 } 5537 5538 static int selinux_tun_dev_open(void *security) 5539 { 5540 struct tun_security_struct *tunsec = security; 5541 u32 sid = current_sid(); 5542 int err; 5543 5544 err = avc_has_perm(&selinux_state, 5545 sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5546 TUN_SOCKET__RELABELFROM, NULL); 5547 if (err) 5548 return err; 5549 err = avc_has_perm(&selinux_state, 5550 sid, sid, SECCLASS_TUN_SOCKET, 5551 TUN_SOCKET__RELABELTO, NULL); 5552 if (err) 5553 return err; 5554 tunsec->sid = sid; 5555 5556 return 0; 5557 } 5558 5559 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 5560 { 5561 int err = 0; 5562 u32 perm; 5563 struct nlmsghdr *nlh; 5564 struct sk_security_struct *sksec = sk->sk_security; 5565 5566 if (skb->len < NLMSG_HDRLEN) { 5567 err = -EINVAL; 5568 goto out; 5569 } 5570 nlh = nlmsg_hdr(skb); 5571 5572 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 5573 if (err) { 5574 if (err == -EINVAL) { 5575 pr_warn_ratelimited("SELinux: unrecognized netlink" 5576 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 5577 " pig=%d comm=%s\n", 5578 sk->sk_protocol, nlh->nlmsg_type, 5579 secclass_map[sksec->sclass - 1].name, 5580 task_pid_nr(current), current->comm); 5581 if (!enforcing_enabled(&selinux_state) || 5582 security_get_allow_unknown(&selinux_state)) 5583 err = 0; 5584 } 5585 5586 /* Ignore */ 5587 if (err == -ENOENT) 5588 err = 0; 5589 goto out; 5590 } 5591 5592 err = sock_has_perm(sk, perm); 5593 out: 5594 return err; 5595 } 5596 5597 #ifdef CONFIG_NETFILTER 5598 5599 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5600 const struct net_device *indev, 5601 u16 family) 5602 { 5603 int err; 5604 char *addrp; 5605 u32 peer_sid; 5606 struct common_audit_data ad; 5607 struct lsm_network_audit net = {0,}; 5608 u8 secmark_active; 5609 u8 netlbl_active; 5610 u8 peerlbl_active; 5611 5612 if (!selinux_policycap_netpeer()) 5613 return NF_ACCEPT; 5614 5615 secmark_active = selinux_secmark_enabled(); 5616 netlbl_active = netlbl_enabled(); 5617 peerlbl_active = selinux_peerlbl_enabled(); 5618 if (!secmark_active && !peerlbl_active) 5619 return NF_ACCEPT; 5620 5621 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5622 return NF_DROP; 5623 5624 ad.type = LSM_AUDIT_DATA_NET; 5625 ad.u.net = &net; 5626 ad.u.net->netif = indev->ifindex; 5627 ad.u.net->family = family; 5628 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5629 return NF_DROP; 5630 5631 if (peerlbl_active) { 5632 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5633 addrp, family, peer_sid, &ad); 5634 if (err) { 5635 selinux_netlbl_err(skb, family, err, 1); 5636 return NF_DROP; 5637 } 5638 } 5639 5640 if (secmark_active) 5641 if (avc_has_perm(&selinux_state, 5642 peer_sid, skb->secmark, 5643 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5644 return NF_DROP; 5645 5646 if (netlbl_active) 5647 /* we do this in the FORWARD path and not the POST_ROUTING 5648 * path because we want to make sure we apply the necessary 5649 * labeling before IPsec is applied so we can leverage AH 5650 * protection */ 5651 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5652 return NF_DROP; 5653 5654 return NF_ACCEPT; 5655 } 5656 5657 static unsigned int selinux_ipv4_forward(void *priv, 5658 struct sk_buff *skb, 5659 const struct nf_hook_state *state) 5660 { 5661 return selinux_ip_forward(skb, state->in, PF_INET); 5662 } 5663 5664 #if IS_ENABLED(CONFIG_IPV6) 5665 static unsigned int selinux_ipv6_forward(void *priv, 5666 struct sk_buff *skb, 5667 const struct nf_hook_state *state) 5668 { 5669 return selinux_ip_forward(skb, state->in, PF_INET6); 5670 } 5671 #endif /* IPV6 */ 5672 5673 static unsigned int selinux_ip_output(struct sk_buff *skb, 5674 u16 family) 5675 { 5676 struct sock *sk; 5677 u32 sid; 5678 5679 if (!netlbl_enabled()) 5680 return NF_ACCEPT; 5681 5682 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5683 * because we want to make sure we apply the necessary labeling 5684 * before IPsec is applied so we can leverage AH protection */ 5685 sk = skb->sk; 5686 if (sk) { 5687 struct sk_security_struct *sksec; 5688 5689 if (sk_listener(sk)) 5690 /* if the socket is the listening state then this 5691 * packet is a SYN-ACK packet which means it needs to 5692 * be labeled based on the connection/request_sock and 5693 * not the parent socket. unfortunately, we can't 5694 * lookup the request_sock yet as it isn't queued on 5695 * the parent socket until after the SYN-ACK is sent. 5696 * the "solution" is to simply pass the packet as-is 5697 * as any IP option based labeling should be copied 5698 * from the initial connection request (in the IP 5699 * layer). it is far from ideal, but until we get a 5700 * security label in the packet itself this is the 5701 * best we can do. */ 5702 return NF_ACCEPT; 5703 5704 /* standard practice, label using the parent socket */ 5705 sksec = sk->sk_security; 5706 sid = sksec->sid; 5707 } else 5708 sid = SECINITSID_KERNEL; 5709 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5710 return NF_DROP; 5711 5712 return NF_ACCEPT; 5713 } 5714 5715 static unsigned int selinux_ipv4_output(void *priv, 5716 struct sk_buff *skb, 5717 const struct nf_hook_state *state) 5718 { 5719 return selinux_ip_output(skb, PF_INET); 5720 } 5721 5722 #if IS_ENABLED(CONFIG_IPV6) 5723 static unsigned int selinux_ipv6_output(void *priv, 5724 struct sk_buff *skb, 5725 const struct nf_hook_state *state) 5726 { 5727 return selinux_ip_output(skb, PF_INET6); 5728 } 5729 #endif /* IPV6 */ 5730 5731 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5732 int ifindex, 5733 u16 family) 5734 { 5735 struct sock *sk = skb_to_full_sk(skb); 5736 struct sk_security_struct *sksec; 5737 struct common_audit_data ad; 5738 struct lsm_network_audit net = {0,}; 5739 char *addrp; 5740 u8 proto; 5741 5742 if (sk == NULL) 5743 return NF_ACCEPT; 5744 sksec = sk->sk_security; 5745 5746 ad.type = LSM_AUDIT_DATA_NET; 5747 ad.u.net = &net; 5748 ad.u.net->netif = ifindex; 5749 ad.u.net->family = family; 5750 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5751 return NF_DROP; 5752 5753 if (selinux_secmark_enabled()) 5754 if (avc_has_perm(&selinux_state, 5755 sksec->sid, skb->secmark, 5756 SECCLASS_PACKET, PACKET__SEND, &ad)) 5757 return NF_DROP_ERR(-ECONNREFUSED); 5758 5759 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5760 return NF_DROP_ERR(-ECONNREFUSED); 5761 5762 return NF_ACCEPT; 5763 } 5764 5765 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5766 const struct net_device *outdev, 5767 u16 family) 5768 { 5769 u32 secmark_perm; 5770 u32 peer_sid; 5771 int ifindex = outdev->ifindex; 5772 struct sock *sk; 5773 struct common_audit_data ad; 5774 struct lsm_network_audit net = {0,}; 5775 char *addrp; 5776 u8 secmark_active; 5777 u8 peerlbl_active; 5778 5779 /* If any sort of compatibility mode is enabled then handoff processing 5780 * to the selinux_ip_postroute_compat() function to deal with the 5781 * special handling. We do this in an attempt to keep this function 5782 * as fast and as clean as possible. */ 5783 if (!selinux_policycap_netpeer()) 5784 return selinux_ip_postroute_compat(skb, ifindex, family); 5785 5786 secmark_active = selinux_secmark_enabled(); 5787 peerlbl_active = selinux_peerlbl_enabled(); 5788 if (!secmark_active && !peerlbl_active) 5789 return NF_ACCEPT; 5790 5791 sk = skb_to_full_sk(skb); 5792 5793 #ifdef CONFIG_XFRM 5794 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5795 * packet transformation so allow the packet to pass without any checks 5796 * since we'll have another chance to perform access control checks 5797 * when the packet is on it's final way out. 5798 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5799 * is NULL, in this case go ahead and apply access control. 5800 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5801 * TCP listening state we cannot wait until the XFRM processing 5802 * is done as we will miss out on the SA label if we do; 5803 * unfortunately, this means more work, but it is only once per 5804 * connection. */ 5805 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5806 !(sk && sk_listener(sk))) 5807 return NF_ACCEPT; 5808 #endif 5809 5810 if (sk == NULL) { 5811 /* Without an associated socket the packet is either coming 5812 * from the kernel or it is being forwarded; check the packet 5813 * to determine which and if the packet is being forwarded 5814 * query the packet directly to determine the security label. */ 5815 if (skb->skb_iif) { 5816 secmark_perm = PACKET__FORWARD_OUT; 5817 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5818 return NF_DROP; 5819 } else { 5820 secmark_perm = PACKET__SEND; 5821 peer_sid = SECINITSID_KERNEL; 5822 } 5823 } else if (sk_listener(sk)) { 5824 /* Locally generated packet but the associated socket is in the 5825 * listening state which means this is a SYN-ACK packet. In 5826 * this particular case the correct security label is assigned 5827 * to the connection/request_sock but unfortunately we can't 5828 * query the request_sock as it isn't queued on the parent 5829 * socket until after the SYN-ACK packet is sent; the only 5830 * viable choice is to regenerate the label like we do in 5831 * selinux_inet_conn_request(). See also selinux_ip_output() 5832 * for similar problems. */ 5833 u32 skb_sid; 5834 struct sk_security_struct *sksec; 5835 5836 sksec = sk->sk_security; 5837 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5838 return NF_DROP; 5839 /* At this point, if the returned skb peerlbl is SECSID_NULL 5840 * and the packet has been through at least one XFRM 5841 * transformation then we must be dealing with the "final" 5842 * form of labeled IPsec packet; since we've already applied 5843 * all of our access controls on this packet we can safely 5844 * pass the packet. */ 5845 if (skb_sid == SECSID_NULL) { 5846 switch (family) { 5847 case PF_INET: 5848 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5849 return NF_ACCEPT; 5850 break; 5851 case PF_INET6: 5852 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5853 return NF_ACCEPT; 5854 break; 5855 default: 5856 return NF_DROP_ERR(-ECONNREFUSED); 5857 } 5858 } 5859 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5860 return NF_DROP; 5861 secmark_perm = PACKET__SEND; 5862 } else { 5863 /* Locally generated packet, fetch the security label from the 5864 * associated socket. */ 5865 struct sk_security_struct *sksec = sk->sk_security; 5866 peer_sid = sksec->sid; 5867 secmark_perm = PACKET__SEND; 5868 } 5869 5870 ad.type = LSM_AUDIT_DATA_NET; 5871 ad.u.net = &net; 5872 ad.u.net->netif = ifindex; 5873 ad.u.net->family = family; 5874 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5875 return NF_DROP; 5876 5877 if (secmark_active) 5878 if (avc_has_perm(&selinux_state, 5879 peer_sid, skb->secmark, 5880 SECCLASS_PACKET, secmark_perm, &ad)) 5881 return NF_DROP_ERR(-ECONNREFUSED); 5882 5883 if (peerlbl_active) { 5884 u32 if_sid; 5885 u32 node_sid; 5886 5887 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5888 return NF_DROP; 5889 if (avc_has_perm(&selinux_state, 5890 peer_sid, if_sid, 5891 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5892 return NF_DROP_ERR(-ECONNREFUSED); 5893 5894 if (sel_netnode_sid(addrp, family, &node_sid)) 5895 return NF_DROP; 5896 if (avc_has_perm(&selinux_state, 5897 peer_sid, node_sid, 5898 SECCLASS_NODE, NODE__SENDTO, &ad)) 5899 return NF_DROP_ERR(-ECONNREFUSED); 5900 } 5901 5902 return NF_ACCEPT; 5903 } 5904 5905 static unsigned int selinux_ipv4_postroute(void *priv, 5906 struct sk_buff *skb, 5907 const struct nf_hook_state *state) 5908 { 5909 return selinux_ip_postroute(skb, state->out, PF_INET); 5910 } 5911 5912 #if IS_ENABLED(CONFIG_IPV6) 5913 static unsigned int selinux_ipv6_postroute(void *priv, 5914 struct sk_buff *skb, 5915 const struct nf_hook_state *state) 5916 { 5917 return selinux_ip_postroute(skb, state->out, PF_INET6); 5918 } 5919 #endif /* IPV6 */ 5920 5921 #endif /* CONFIG_NETFILTER */ 5922 5923 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5924 { 5925 return selinux_nlmsg_perm(sk, skb); 5926 } 5927 5928 static int ipc_alloc_security(struct kern_ipc_perm *perm, 5929 u16 sclass) 5930 { 5931 struct ipc_security_struct *isec; 5932 5933 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 5934 if (!isec) 5935 return -ENOMEM; 5936 5937 isec->sclass = sclass; 5938 isec->sid = current_sid(); 5939 perm->security = isec; 5940 5941 return 0; 5942 } 5943 5944 static void ipc_free_security(struct kern_ipc_perm *perm) 5945 { 5946 struct ipc_security_struct *isec = perm->security; 5947 perm->security = NULL; 5948 kfree(isec); 5949 } 5950 5951 static int msg_msg_alloc_security(struct msg_msg *msg) 5952 { 5953 struct msg_security_struct *msec; 5954 5955 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 5956 if (!msec) 5957 return -ENOMEM; 5958 5959 msec->sid = SECINITSID_UNLABELED; 5960 msg->security = msec; 5961 5962 return 0; 5963 } 5964 5965 static void msg_msg_free_security(struct msg_msg *msg) 5966 { 5967 struct msg_security_struct *msec = msg->security; 5968 5969 msg->security = NULL; 5970 kfree(msec); 5971 } 5972 5973 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5974 u32 perms) 5975 { 5976 struct ipc_security_struct *isec; 5977 struct common_audit_data ad; 5978 u32 sid = current_sid(); 5979 5980 isec = ipc_perms->security; 5981 5982 ad.type = LSM_AUDIT_DATA_IPC; 5983 ad.u.ipc_id = ipc_perms->key; 5984 5985 return avc_has_perm(&selinux_state, 5986 sid, isec->sid, isec->sclass, perms, &ad); 5987 } 5988 5989 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5990 { 5991 return msg_msg_alloc_security(msg); 5992 } 5993 5994 static void selinux_msg_msg_free_security(struct msg_msg *msg) 5995 { 5996 msg_msg_free_security(msg); 5997 } 5998 5999 /* message queue security operations */ 6000 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 6001 { 6002 struct ipc_security_struct *isec; 6003 struct common_audit_data ad; 6004 u32 sid = current_sid(); 6005 int rc; 6006 6007 rc = ipc_alloc_security(msq, SECCLASS_MSGQ); 6008 if (rc) 6009 return rc; 6010 6011 isec = msq->security; 6012 6013 ad.type = LSM_AUDIT_DATA_IPC; 6014 ad.u.ipc_id = msq->key; 6015 6016 rc = avc_has_perm(&selinux_state, 6017 sid, isec->sid, SECCLASS_MSGQ, 6018 MSGQ__CREATE, &ad); 6019 if (rc) { 6020 ipc_free_security(msq); 6021 return rc; 6022 } 6023 return 0; 6024 } 6025 6026 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq) 6027 { 6028 ipc_free_security(msq); 6029 } 6030 6031 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 6032 { 6033 struct ipc_security_struct *isec; 6034 struct common_audit_data ad; 6035 u32 sid = current_sid(); 6036 6037 isec = msq->security; 6038 6039 ad.type = LSM_AUDIT_DATA_IPC; 6040 ad.u.ipc_id = msq->key; 6041 6042 return avc_has_perm(&selinux_state, 6043 sid, isec->sid, SECCLASS_MSGQ, 6044 MSGQ__ASSOCIATE, &ad); 6045 } 6046 6047 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 6048 { 6049 int err; 6050 int perms; 6051 6052 switch (cmd) { 6053 case IPC_INFO: 6054 case MSG_INFO: 6055 /* No specific object, just general system-wide information. */ 6056 return avc_has_perm(&selinux_state, 6057 current_sid(), SECINITSID_KERNEL, 6058 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6059 case IPC_STAT: 6060 case MSG_STAT: 6061 case MSG_STAT_ANY: 6062 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6063 break; 6064 case IPC_SET: 6065 perms = MSGQ__SETATTR; 6066 break; 6067 case IPC_RMID: 6068 perms = MSGQ__DESTROY; 6069 break; 6070 default: 6071 return 0; 6072 } 6073 6074 err = ipc_has_perm(msq, perms); 6075 return err; 6076 } 6077 6078 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6079 { 6080 struct ipc_security_struct *isec; 6081 struct msg_security_struct *msec; 6082 struct common_audit_data ad; 6083 u32 sid = current_sid(); 6084 int rc; 6085 6086 isec = msq->security; 6087 msec = msg->security; 6088 6089 /* 6090 * First time through, need to assign label to the message 6091 */ 6092 if (msec->sid == SECINITSID_UNLABELED) { 6093 /* 6094 * Compute new sid based on current process and 6095 * message queue this message will be stored in 6096 */ 6097 rc = security_transition_sid(&selinux_state, sid, isec->sid, 6098 SECCLASS_MSG, NULL, &msec->sid); 6099 if (rc) 6100 return rc; 6101 } 6102 6103 ad.type = LSM_AUDIT_DATA_IPC; 6104 ad.u.ipc_id = msq->key; 6105 6106 /* Can this process write to the queue? */ 6107 rc = avc_has_perm(&selinux_state, 6108 sid, isec->sid, SECCLASS_MSGQ, 6109 MSGQ__WRITE, &ad); 6110 if (!rc) 6111 /* Can this process send the message */ 6112 rc = avc_has_perm(&selinux_state, 6113 sid, msec->sid, SECCLASS_MSG, 6114 MSG__SEND, &ad); 6115 if (!rc) 6116 /* Can the message be put in the queue? */ 6117 rc = avc_has_perm(&selinux_state, 6118 msec->sid, isec->sid, SECCLASS_MSGQ, 6119 MSGQ__ENQUEUE, &ad); 6120 6121 return rc; 6122 } 6123 6124 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6125 struct task_struct *target, 6126 long type, int mode) 6127 { 6128 struct ipc_security_struct *isec; 6129 struct msg_security_struct *msec; 6130 struct common_audit_data ad; 6131 u32 sid = task_sid(target); 6132 int rc; 6133 6134 isec = msq->security; 6135 msec = msg->security; 6136 6137 ad.type = LSM_AUDIT_DATA_IPC; 6138 ad.u.ipc_id = msq->key; 6139 6140 rc = avc_has_perm(&selinux_state, 6141 sid, isec->sid, 6142 SECCLASS_MSGQ, MSGQ__READ, &ad); 6143 if (!rc) 6144 rc = avc_has_perm(&selinux_state, 6145 sid, msec->sid, 6146 SECCLASS_MSG, MSG__RECEIVE, &ad); 6147 return rc; 6148 } 6149 6150 /* Shared Memory security operations */ 6151 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6152 { 6153 struct ipc_security_struct *isec; 6154 struct common_audit_data ad; 6155 u32 sid = current_sid(); 6156 int rc; 6157 6158 rc = ipc_alloc_security(shp, SECCLASS_SHM); 6159 if (rc) 6160 return rc; 6161 6162 isec = shp->security; 6163 6164 ad.type = LSM_AUDIT_DATA_IPC; 6165 ad.u.ipc_id = shp->key; 6166 6167 rc = avc_has_perm(&selinux_state, 6168 sid, isec->sid, SECCLASS_SHM, 6169 SHM__CREATE, &ad); 6170 if (rc) { 6171 ipc_free_security(shp); 6172 return rc; 6173 } 6174 return 0; 6175 } 6176 6177 static void selinux_shm_free_security(struct kern_ipc_perm *shp) 6178 { 6179 ipc_free_security(shp); 6180 } 6181 6182 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6183 { 6184 struct ipc_security_struct *isec; 6185 struct common_audit_data ad; 6186 u32 sid = current_sid(); 6187 6188 isec = shp->security; 6189 6190 ad.type = LSM_AUDIT_DATA_IPC; 6191 ad.u.ipc_id = shp->key; 6192 6193 return avc_has_perm(&selinux_state, 6194 sid, isec->sid, SECCLASS_SHM, 6195 SHM__ASSOCIATE, &ad); 6196 } 6197 6198 /* Note, at this point, shp is locked down */ 6199 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6200 { 6201 int perms; 6202 int err; 6203 6204 switch (cmd) { 6205 case IPC_INFO: 6206 case SHM_INFO: 6207 /* No specific object, just general system-wide information. */ 6208 return avc_has_perm(&selinux_state, 6209 current_sid(), SECINITSID_KERNEL, 6210 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6211 case IPC_STAT: 6212 case SHM_STAT: 6213 case SHM_STAT_ANY: 6214 perms = SHM__GETATTR | SHM__ASSOCIATE; 6215 break; 6216 case IPC_SET: 6217 perms = SHM__SETATTR; 6218 break; 6219 case SHM_LOCK: 6220 case SHM_UNLOCK: 6221 perms = SHM__LOCK; 6222 break; 6223 case IPC_RMID: 6224 perms = SHM__DESTROY; 6225 break; 6226 default: 6227 return 0; 6228 } 6229 6230 err = ipc_has_perm(shp, perms); 6231 return err; 6232 } 6233 6234 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6235 char __user *shmaddr, int shmflg) 6236 { 6237 u32 perms; 6238 6239 if (shmflg & SHM_RDONLY) 6240 perms = SHM__READ; 6241 else 6242 perms = SHM__READ | SHM__WRITE; 6243 6244 return ipc_has_perm(shp, perms); 6245 } 6246 6247 /* Semaphore security operations */ 6248 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6249 { 6250 struct ipc_security_struct *isec; 6251 struct common_audit_data ad; 6252 u32 sid = current_sid(); 6253 int rc; 6254 6255 rc = ipc_alloc_security(sma, SECCLASS_SEM); 6256 if (rc) 6257 return rc; 6258 6259 isec = sma->security; 6260 6261 ad.type = LSM_AUDIT_DATA_IPC; 6262 ad.u.ipc_id = sma->key; 6263 6264 rc = avc_has_perm(&selinux_state, 6265 sid, isec->sid, SECCLASS_SEM, 6266 SEM__CREATE, &ad); 6267 if (rc) { 6268 ipc_free_security(sma); 6269 return rc; 6270 } 6271 return 0; 6272 } 6273 6274 static void selinux_sem_free_security(struct kern_ipc_perm *sma) 6275 { 6276 ipc_free_security(sma); 6277 } 6278 6279 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6280 { 6281 struct ipc_security_struct *isec; 6282 struct common_audit_data ad; 6283 u32 sid = current_sid(); 6284 6285 isec = sma->security; 6286 6287 ad.type = LSM_AUDIT_DATA_IPC; 6288 ad.u.ipc_id = sma->key; 6289 6290 return avc_has_perm(&selinux_state, 6291 sid, isec->sid, SECCLASS_SEM, 6292 SEM__ASSOCIATE, &ad); 6293 } 6294 6295 /* Note, at this point, sma is locked down */ 6296 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6297 { 6298 int err; 6299 u32 perms; 6300 6301 switch (cmd) { 6302 case IPC_INFO: 6303 case SEM_INFO: 6304 /* No specific object, just general system-wide information. */ 6305 return avc_has_perm(&selinux_state, 6306 current_sid(), SECINITSID_KERNEL, 6307 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6308 case GETPID: 6309 case GETNCNT: 6310 case GETZCNT: 6311 perms = SEM__GETATTR; 6312 break; 6313 case GETVAL: 6314 case GETALL: 6315 perms = SEM__READ; 6316 break; 6317 case SETVAL: 6318 case SETALL: 6319 perms = SEM__WRITE; 6320 break; 6321 case IPC_RMID: 6322 perms = SEM__DESTROY; 6323 break; 6324 case IPC_SET: 6325 perms = SEM__SETATTR; 6326 break; 6327 case IPC_STAT: 6328 case SEM_STAT: 6329 case SEM_STAT_ANY: 6330 perms = SEM__GETATTR | SEM__ASSOCIATE; 6331 break; 6332 default: 6333 return 0; 6334 } 6335 6336 err = ipc_has_perm(sma, perms); 6337 return err; 6338 } 6339 6340 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6341 struct sembuf *sops, unsigned nsops, int alter) 6342 { 6343 u32 perms; 6344 6345 if (alter) 6346 perms = SEM__READ | SEM__WRITE; 6347 else 6348 perms = SEM__READ; 6349 6350 return ipc_has_perm(sma, perms); 6351 } 6352 6353 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6354 { 6355 u32 av = 0; 6356 6357 av = 0; 6358 if (flag & S_IRUGO) 6359 av |= IPC__UNIX_READ; 6360 if (flag & S_IWUGO) 6361 av |= IPC__UNIX_WRITE; 6362 6363 if (av == 0) 6364 return 0; 6365 6366 return ipc_has_perm(ipcp, av); 6367 } 6368 6369 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 6370 { 6371 struct ipc_security_struct *isec = ipcp->security; 6372 *secid = isec->sid; 6373 } 6374 6375 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6376 { 6377 if (inode) 6378 inode_doinit_with_dentry(inode, dentry); 6379 } 6380 6381 static int selinux_getprocattr(struct task_struct *p, 6382 char *name, char **value) 6383 { 6384 const struct task_security_struct *__tsec; 6385 u32 sid; 6386 int error; 6387 unsigned len; 6388 6389 rcu_read_lock(); 6390 __tsec = __task_cred(p)->security; 6391 6392 if (current != p) { 6393 error = avc_has_perm(&selinux_state, 6394 current_sid(), __tsec->sid, 6395 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6396 if (error) 6397 goto bad; 6398 } 6399 6400 if (!strcmp(name, "current")) 6401 sid = __tsec->sid; 6402 else if (!strcmp(name, "prev")) 6403 sid = __tsec->osid; 6404 else if (!strcmp(name, "exec")) 6405 sid = __tsec->exec_sid; 6406 else if (!strcmp(name, "fscreate")) 6407 sid = __tsec->create_sid; 6408 else if (!strcmp(name, "keycreate")) 6409 sid = __tsec->keycreate_sid; 6410 else if (!strcmp(name, "sockcreate")) 6411 sid = __tsec->sockcreate_sid; 6412 else { 6413 error = -EINVAL; 6414 goto bad; 6415 } 6416 rcu_read_unlock(); 6417 6418 if (!sid) 6419 return 0; 6420 6421 error = security_sid_to_context(&selinux_state, sid, value, &len); 6422 if (error) 6423 return error; 6424 return len; 6425 6426 bad: 6427 rcu_read_unlock(); 6428 return error; 6429 } 6430 6431 static int selinux_setprocattr(const char *name, void *value, size_t size) 6432 { 6433 struct task_security_struct *tsec; 6434 struct cred *new; 6435 u32 mysid = current_sid(), sid = 0, ptsid; 6436 int error; 6437 char *str = value; 6438 6439 /* 6440 * Basic control over ability to set these attributes at all. 6441 */ 6442 if (!strcmp(name, "exec")) 6443 error = avc_has_perm(&selinux_state, 6444 mysid, mysid, SECCLASS_PROCESS, 6445 PROCESS__SETEXEC, NULL); 6446 else if (!strcmp(name, "fscreate")) 6447 error = avc_has_perm(&selinux_state, 6448 mysid, mysid, SECCLASS_PROCESS, 6449 PROCESS__SETFSCREATE, NULL); 6450 else if (!strcmp(name, "keycreate")) 6451 error = avc_has_perm(&selinux_state, 6452 mysid, mysid, SECCLASS_PROCESS, 6453 PROCESS__SETKEYCREATE, NULL); 6454 else if (!strcmp(name, "sockcreate")) 6455 error = avc_has_perm(&selinux_state, 6456 mysid, mysid, SECCLASS_PROCESS, 6457 PROCESS__SETSOCKCREATE, NULL); 6458 else if (!strcmp(name, "current")) 6459 error = avc_has_perm(&selinux_state, 6460 mysid, mysid, SECCLASS_PROCESS, 6461 PROCESS__SETCURRENT, NULL); 6462 else 6463 error = -EINVAL; 6464 if (error) 6465 return error; 6466 6467 /* Obtain a SID for the context, if one was specified. */ 6468 if (size && str[0] && str[0] != '\n') { 6469 if (str[size-1] == '\n') { 6470 str[size-1] = 0; 6471 size--; 6472 } 6473 error = security_context_to_sid(&selinux_state, value, size, 6474 &sid, GFP_KERNEL); 6475 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6476 if (!has_cap_mac_admin(true)) { 6477 struct audit_buffer *ab; 6478 size_t audit_size; 6479 6480 /* We strip a nul only if it is at the end, otherwise the 6481 * context contains a nul and we should audit that */ 6482 if (str[size - 1] == '\0') 6483 audit_size = size - 1; 6484 else 6485 audit_size = size; 6486 ab = audit_log_start(audit_context(), 6487 GFP_ATOMIC, 6488 AUDIT_SELINUX_ERR); 6489 audit_log_format(ab, "op=fscreate invalid_context="); 6490 audit_log_n_untrustedstring(ab, value, audit_size); 6491 audit_log_end(ab); 6492 6493 return error; 6494 } 6495 error = security_context_to_sid_force( 6496 &selinux_state, 6497 value, size, &sid); 6498 } 6499 if (error) 6500 return error; 6501 } 6502 6503 new = prepare_creds(); 6504 if (!new) 6505 return -ENOMEM; 6506 6507 /* Permission checking based on the specified context is 6508 performed during the actual operation (execve, 6509 open/mkdir/...), when we know the full context of the 6510 operation. See selinux_bprm_set_creds for the execve 6511 checks and may_create for the file creation checks. The 6512 operation will then fail if the context is not permitted. */ 6513 tsec = new->security; 6514 if (!strcmp(name, "exec")) { 6515 tsec->exec_sid = sid; 6516 } else if (!strcmp(name, "fscreate")) { 6517 tsec->create_sid = sid; 6518 } else if (!strcmp(name, "keycreate")) { 6519 error = avc_has_perm(&selinux_state, 6520 mysid, sid, SECCLASS_KEY, KEY__CREATE, 6521 NULL); 6522 if (error) 6523 goto abort_change; 6524 tsec->keycreate_sid = sid; 6525 } else if (!strcmp(name, "sockcreate")) { 6526 tsec->sockcreate_sid = sid; 6527 } else if (!strcmp(name, "current")) { 6528 error = -EINVAL; 6529 if (sid == 0) 6530 goto abort_change; 6531 6532 /* Only allow single threaded processes to change context */ 6533 error = -EPERM; 6534 if (!current_is_single_threaded()) { 6535 error = security_bounded_transition(&selinux_state, 6536 tsec->sid, sid); 6537 if (error) 6538 goto abort_change; 6539 } 6540 6541 /* Check permissions for the transition. */ 6542 error = avc_has_perm(&selinux_state, 6543 tsec->sid, sid, SECCLASS_PROCESS, 6544 PROCESS__DYNTRANSITION, NULL); 6545 if (error) 6546 goto abort_change; 6547 6548 /* Check for ptracing, and update the task SID if ok. 6549 Otherwise, leave SID unchanged and fail. */ 6550 ptsid = ptrace_parent_sid(); 6551 if (ptsid != 0) { 6552 error = avc_has_perm(&selinux_state, 6553 ptsid, sid, SECCLASS_PROCESS, 6554 PROCESS__PTRACE, NULL); 6555 if (error) 6556 goto abort_change; 6557 } 6558 6559 tsec->sid = sid; 6560 } else { 6561 error = -EINVAL; 6562 goto abort_change; 6563 } 6564 6565 commit_creds(new); 6566 return size; 6567 6568 abort_change: 6569 abort_creds(new); 6570 return error; 6571 } 6572 6573 static int selinux_ismaclabel(const char *name) 6574 { 6575 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6576 } 6577 6578 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6579 { 6580 return security_sid_to_context(&selinux_state, secid, 6581 secdata, seclen); 6582 } 6583 6584 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6585 { 6586 return security_context_to_sid(&selinux_state, secdata, seclen, 6587 secid, GFP_KERNEL); 6588 } 6589 6590 static void selinux_release_secctx(char *secdata, u32 seclen) 6591 { 6592 kfree(secdata); 6593 } 6594 6595 static void selinux_inode_invalidate_secctx(struct inode *inode) 6596 { 6597 struct inode_security_struct *isec = inode->i_security; 6598 6599 spin_lock(&isec->lock); 6600 isec->initialized = LABEL_INVALID; 6601 spin_unlock(&isec->lock); 6602 } 6603 6604 /* 6605 * called with inode->i_mutex locked 6606 */ 6607 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6608 { 6609 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 6610 } 6611 6612 /* 6613 * called with inode->i_mutex locked 6614 */ 6615 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6616 { 6617 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 6618 } 6619 6620 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6621 { 6622 int len = 0; 6623 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 6624 ctx, true); 6625 if (len < 0) 6626 return len; 6627 *ctxlen = len; 6628 return 0; 6629 } 6630 #ifdef CONFIG_KEYS 6631 6632 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6633 unsigned long flags) 6634 { 6635 const struct task_security_struct *tsec; 6636 struct key_security_struct *ksec; 6637 6638 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6639 if (!ksec) 6640 return -ENOMEM; 6641 6642 tsec = cred->security; 6643 if (tsec->keycreate_sid) 6644 ksec->sid = tsec->keycreate_sid; 6645 else 6646 ksec->sid = tsec->sid; 6647 6648 k->security = ksec; 6649 return 0; 6650 } 6651 6652 static void selinux_key_free(struct key *k) 6653 { 6654 struct key_security_struct *ksec = k->security; 6655 6656 k->security = NULL; 6657 kfree(ksec); 6658 } 6659 6660 static int selinux_key_permission(key_ref_t key_ref, 6661 const struct cred *cred, 6662 unsigned perm) 6663 { 6664 struct key *key; 6665 struct key_security_struct *ksec; 6666 u32 sid; 6667 6668 /* if no specific permissions are requested, we skip the 6669 permission check. No serious, additional covert channels 6670 appear to be created. */ 6671 if (perm == 0) 6672 return 0; 6673 6674 sid = cred_sid(cred); 6675 6676 key = key_ref_to_ptr(key_ref); 6677 ksec = key->security; 6678 6679 return avc_has_perm(&selinux_state, 6680 sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6681 } 6682 6683 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6684 { 6685 struct key_security_struct *ksec = key->security; 6686 char *context = NULL; 6687 unsigned len; 6688 int rc; 6689 6690 rc = security_sid_to_context(&selinux_state, ksec->sid, 6691 &context, &len); 6692 if (!rc) 6693 rc = len; 6694 *_buffer = context; 6695 return rc; 6696 } 6697 #endif 6698 6699 #ifdef CONFIG_SECURITY_INFINIBAND 6700 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6701 { 6702 struct common_audit_data ad; 6703 int err; 6704 u32 sid = 0; 6705 struct ib_security_struct *sec = ib_sec; 6706 struct lsm_ibpkey_audit ibpkey; 6707 6708 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6709 if (err) 6710 return err; 6711 6712 ad.type = LSM_AUDIT_DATA_IBPKEY; 6713 ibpkey.subnet_prefix = subnet_prefix; 6714 ibpkey.pkey = pkey_val; 6715 ad.u.ibpkey = &ibpkey; 6716 return avc_has_perm(&selinux_state, 6717 sec->sid, sid, 6718 SECCLASS_INFINIBAND_PKEY, 6719 INFINIBAND_PKEY__ACCESS, &ad); 6720 } 6721 6722 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6723 u8 port_num) 6724 { 6725 struct common_audit_data ad; 6726 int err; 6727 u32 sid = 0; 6728 struct ib_security_struct *sec = ib_sec; 6729 struct lsm_ibendport_audit ibendport; 6730 6731 err = security_ib_endport_sid(&selinux_state, dev_name, port_num, 6732 &sid); 6733 6734 if (err) 6735 return err; 6736 6737 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6738 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6739 ibendport.port = port_num; 6740 ad.u.ibendport = &ibendport; 6741 return avc_has_perm(&selinux_state, 6742 sec->sid, sid, 6743 SECCLASS_INFINIBAND_ENDPORT, 6744 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6745 } 6746 6747 static int selinux_ib_alloc_security(void **ib_sec) 6748 { 6749 struct ib_security_struct *sec; 6750 6751 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6752 if (!sec) 6753 return -ENOMEM; 6754 sec->sid = current_sid(); 6755 6756 *ib_sec = sec; 6757 return 0; 6758 } 6759 6760 static void selinux_ib_free_security(void *ib_sec) 6761 { 6762 kfree(ib_sec); 6763 } 6764 #endif 6765 6766 #ifdef CONFIG_BPF_SYSCALL 6767 static int selinux_bpf(int cmd, union bpf_attr *attr, 6768 unsigned int size) 6769 { 6770 u32 sid = current_sid(); 6771 int ret; 6772 6773 switch (cmd) { 6774 case BPF_MAP_CREATE: 6775 ret = avc_has_perm(&selinux_state, 6776 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6777 NULL); 6778 break; 6779 case BPF_PROG_LOAD: 6780 ret = avc_has_perm(&selinux_state, 6781 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6782 NULL); 6783 break; 6784 default: 6785 ret = 0; 6786 break; 6787 } 6788 6789 return ret; 6790 } 6791 6792 static u32 bpf_map_fmode_to_av(fmode_t fmode) 6793 { 6794 u32 av = 0; 6795 6796 if (fmode & FMODE_READ) 6797 av |= BPF__MAP_READ; 6798 if (fmode & FMODE_WRITE) 6799 av |= BPF__MAP_WRITE; 6800 return av; 6801 } 6802 6803 /* This function will check the file pass through unix socket or binder to see 6804 * if it is a bpf related object. And apply correspinding checks on the bpf 6805 * object based on the type. The bpf maps and programs, not like other files and 6806 * socket, are using a shared anonymous inode inside the kernel as their inode. 6807 * So checking that inode cannot identify if the process have privilege to 6808 * access the bpf object and that's why we have to add this additional check in 6809 * selinux_file_receive and selinux_binder_transfer_files. 6810 */ 6811 static int bpf_fd_pass(struct file *file, u32 sid) 6812 { 6813 struct bpf_security_struct *bpfsec; 6814 struct bpf_prog *prog; 6815 struct bpf_map *map; 6816 int ret; 6817 6818 if (file->f_op == &bpf_map_fops) { 6819 map = file->private_data; 6820 bpfsec = map->security; 6821 ret = avc_has_perm(&selinux_state, 6822 sid, bpfsec->sid, SECCLASS_BPF, 6823 bpf_map_fmode_to_av(file->f_mode), NULL); 6824 if (ret) 6825 return ret; 6826 } else if (file->f_op == &bpf_prog_fops) { 6827 prog = file->private_data; 6828 bpfsec = prog->aux->security; 6829 ret = avc_has_perm(&selinux_state, 6830 sid, bpfsec->sid, SECCLASS_BPF, 6831 BPF__PROG_RUN, NULL); 6832 if (ret) 6833 return ret; 6834 } 6835 return 0; 6836 } 6837 6838 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 6839 { 6840 u32 sid = current_sid(); 6841 struct bpf_security_struct *bpfsec; 6842 6843 bpfsec = map->security; 6844 return avc_has_perm(&selinux_state, 6845 sid, bpfsec->sid, SECCLASS_BPF, 6846 bpf_map_fmode_to_av(fmode), NULL); 6847 } 6848 6849 static int selinux_bpf_prog(struct bpf_prog *prog) 6850 { 6851 u32 sid = current_sid(); 6852 struct bpf_security_struct *bpfsec; 6853 6854 bpfsec = prog->aux->security; 6855 return avc_has_perm(&selinux_state, 6856 sid, bpfsec->sid, SECCLASS_BPF, 6857 BPF__PROG_RUN, NULL); 6858 } 6859 6860 static int selinux_bpf_map_alloc(struct bpf_map *map) 6861 { 6862 struct bpf_security_struct *bpfsec; 6863 6864 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6865 if (!bpfsec) 6866 return -ENOMEM; 6867 6868 bpfsec->sid = current_sid(); 6869 map->security = bpfsec; 6870 6871 return 0; 6872 } 6873 6874 static void selinux_bpf_map_free(struct bpf_map *map) 6875 { 6876 struct bpf_security_struct *bpfsec = map->security; 6877 6878 map->security = NULL; 6879 kfree(bpfsec); 6880 } 6881 6882 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux) 6883 { 6884 struct bpf_security_struct *bpfsec; 6885 6886 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6887 if (!bpfsec) 6888 return -ENOMEM; 6889 6890 bpfsec->sid = current_sid(); 6891 aux->security = bpfsec; 6892 6893 return 0; 6894 } 6895 6896 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) 6897 { 6898 struct bpf_security_struct *bpfsec = aux->security; 6899 6900 aux->security = NULL; 6901 kfree(bpfsec); 6902 } 6903 #endif 6904 6905 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 6906 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6907 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6908 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6909 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6910 6911 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 6912 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 6913 LSM_HOOK_INIT(capget, selinux_capget), 6914 LSM_HOOK_INIT(capset, selinux_capset), 6915 LSM_HOOK_INIT(capable, selinux_capable), 6916 LSM_HOOK_INIT(quotactl, selinux_quotactl), 6917 LSM_HOOK_INIT(quota_on, selinux_quota_on), 6918 LSM_HOOK_INIT(syslog, selinux_syslog), 6919 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6920 6921 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6922 6923 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6924 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6925 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6926 6927 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6928 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6929 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data), 6930 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6931 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6932 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6933 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 6934 LSM_HOOK_INIT(sb_mount, selinux_mount), 6935 LSM_HOOK_INIT(sb_umount, selinux_umount), 6936 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 6937 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 6938 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), 6939 6940 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 6941 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 6942 6943 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 6944 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 6945 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 6946 LSM_HOOK_INIT(inode_create, selinux_inode_create), 6947 LSM_HOOK_INIT(inode_link, selinux_inode_link), 6948 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 6949 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 6950 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 6951 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 6952 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 6953 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 6954 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 6955 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 6956 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 6957 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 6958 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 6959 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 6960 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 6961 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 6962 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 6963 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 6964 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 6965 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 6966 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 6967 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 6968 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 6969 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 6970 6971 LSM_HOOK_INIT(file_permission, selinux_file_permission), 6972 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 6973 LSM_HOOK_INIT(file_free_security, selinux_file_free_security), 6974 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 6975 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 6976 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 6977 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 6978 LSM_HOOK_INIT(file_lock, selinux_file_lock), 6979 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 6980 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 6981 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 6982 LSM_HOOK_INIT(file_receive, selinux_file_receive), 6983 6984 LSM_HOOK_INIT(file_open, selinux_file_open), 6985 6986 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 6987 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), 6988 LSM_HOOK_INIT(cred_free, selinux_cred_free), 6989 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6990 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6991 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 6992 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6993 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6994 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6995 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 6996 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 6997 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 6998 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 6999 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 7000 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), 7001 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 7002 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 7003 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 7004 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 7005 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 7006 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 7007 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 7008 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 7009 LSM_HOOK_INIT(task_kill, selinux_task_kill), 7010 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 7011 7012 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 7013 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 7014 7015 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 7016 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security), 7017 7018 LSM_HOOK_INIT(msg_queue_alloc_security, 7019 selinux_msg_queue_alloc_security), 7020 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security), 7021 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 7022 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 7023 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 7024 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 7025 7026 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 7027 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security), 7028 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 7029 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 7030 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 7031 7032 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 7033 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security), 7034 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 7035 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 7036 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 7037 7038 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 7039 7040 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 7041 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 7042 7043 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 7044 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 7045 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 7046 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 7047 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 7048 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 7049 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 7050 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 7051 7052 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 7053 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 7054 7055 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7056 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7057 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), 7058 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7059 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7060 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7061 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7062 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7063 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7064 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7065 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7066 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7067 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7068 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7069 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7070 LSM_HOOK_INIT(socket_getpeersec_stream, 7071 selinux_socket_getpeersec_stream), 7072 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7073 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7074 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7075 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7076 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7077 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7078 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7079 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7080 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7081 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7082 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7083 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7084 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7085 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7086 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7087 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7088 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7089 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 7090 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7091 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7092 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7093 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7094 #ifdef CONFIG_SECURITY_INFINIBAND 7095 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7096 LSM_HOOK_INIT(ib_endport_manage_subnet, 7097 selinux_ib_endport_manage_subnet), 7098 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7099 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 7100 #endif 7101 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7102 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7103 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7104 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7105 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7106 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7107 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7108 selinux_xfrm_state_alloc_acquire), 7109 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7110 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7111 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7112 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7113 selinux_xfrm_state_pol_flow_match), 7114 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7115 #endif 7116 7117 #ifdef CONFIG_KEYS 7118 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7119 LSM_HOOK_INIT(key_free, selinux_key_free), 7120 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7121 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7122 #endif 7123 7124 #ifdef CONFIG_AUDIT 7125 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7126 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7127 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7128 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7129 #endif 7130 7131 #ifdef CONFIG_BPF_SYSCALL 7132 LSM_HOOK_INIT(bpf, selinux_bpf), 7133 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7134 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7135 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), 7136 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), 7137 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free), 7138 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free), 7139 #endif 7140 }; 7141 7142 static __init int selinux_init(void) 7143 { 7144 if (!security_module_enable("selinux")) { 7145 selinux_enabled = 0; 7146 return 0; 7147 } 7148 7149 if (!selinux_enabled) { 7150 pr_info("SELinux: Disabled at boot.\n"); 7151 return 0; 7152 } 7153 7154 pr_info("SELinux: Initializing.\n"); 7155 7156 memset(&selinux_state, 0, sizeof(selinux_state)); 7157 enforcing_set(&selinux_state, selinux_enforcing_boot); 7158 selinux_state.checkreqprot = selinux_checkreqprot_boot; 7159 selinux_ss_init(&selinux_state.ss); 7160 selinux_avc_init(&selinux_state.avc); 7161 7162 /* Set the security state for the initial task. */ 7163 cred_init_security(); 7164 7165 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7166 7167 sel_inode_cache = kmem_cache_create("selinux_inode_security", 7168 sizeof(struct inode_security_struct), 7169 0, SLAB_PANIC, NULL); 7170 file_security_cache = kmem_cache_create("selinux_file_security", 7171 sizeof(struct file_security_struct), 7172 0, SLAB_PANIC, NULL); 7173 avc_init(); 7174 7175 avtab_cache_init(); 7176 7177 ebitmap_cache_init(); 7178 7179 hashtab_cache_init(); 7180 7181 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 7182 7183 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7184 panic("SELinux: Unable to register AVC netcache callback\n"); 7185 7186 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7187 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7188 7189 if (selinux_enforcing_boot) 7190 pr_debug("SELinux: Starting in enforcing mode\n"); 7191 else 7192 pr_debug("SELinux: Starting in permissive mode\n"); 7193 7194 return 0; 7195 } 7196 7197 static void delayed_superblock_init(struct super_block *sb, void *unused) 7198 { 7199 superblock_doinit(sb, NULL); 7200 } 7201 7202 void selinux_complete_init(void) 7203 { 7204 pr_debug("SELinux: Completing initialization.\n"); 7205 7206 /* Set up any superblocks initialized prior to the policy load. */ 7207 pr_debug("SELinux: Setting up existing superblocks.\n"); 7208 iterate_supers(delayed_superblock_init, NULL); 7209 } 7210 7211 /* SELinux requires early initialization in order to label 7212 all processes and objects when they are created. */ 7213 DEFINE_LSM(selinux) = { 7214 .name = "selinux", 7215 .init = selinux_init, 7216 }; 7217 7218 #if defined(CONFIG_NETFILTER) 7219 7220 static const struct nf_hook_ops selinux_nf_ops[] = { 7221 { 7222 .hook = selinux_ipv4_postroute, 7223 .pf = NFPROTO_IPV4, 7224 .hooknum = NF_INET_POST_ROUTING, 7225 .priority = NF_IP_PRI_SELINUX_LAST, 7226 }, 7227 { 7228 .hook = selinux_ipv4_forward, 7229 .pf = NFPROTO_IPV4, 7230 .hooknum = NF_INET_FORWARD, 7231 .priority = NF_IP_PRI_SELINUX_FIRST, 7232 }, 7233 { 7234 .hook = selinux_ipv4_output, 7235 .pf = NFPROTO_IPV4, 7236 .hooknum = NF_INET_LOCAL_OUT, 7237 .priority = NF_IP_PRI_SELINUX_FIRST, 7238 }, 7239 #if IS_ENABLED(CONFIG_IPV6) 7240 { 7241 .hook = selinux_ipv6_postroute, 7242 .pf = NFPROTO_IPV6, 7243 .hooknum = NF_INET_POST_ROUTING, 7244 .priority = NF_IP6_PRI_SELINUX_LAST, 7245 }, 7246 { 7247 .hook = selinux_ipv6_forward, 7248 .pf = NFPROTO_IPV6, 7249 .hooknum = NF_INET_FORWARD, 7250 .priority = NF_IP6_PRI_SELINUX_FIRST, 7251 }, 7252 { 7253 .hook = selinux_ipv6_output, 7254 .pf = NFPROTO_IPV6, 7255 .hooknum = NF_INET_LOCAL_OUT, 7256 .priority = NF_IP6_PRI_SELINUX_FIRST, 7257 }, 7258 #endif /* IPV6 */ 7259 }; 7260 7261 static int __net_init selinux_nf_register(struct net *net) 7262 { 7263 return nf_register_net_hooks(net, selinux_nf_ops, 7264 ARRAY_SIZE(selinux_nf_ops)); 7265 } 7266 7267 static void __net_exit selinux_nf_unregister(struct net *net) 7268 { 7269 nf_unregister_net_hooks(net, selinux_nf_ops, 7270 ARRAY_SIZE(selinux_nf_ops)); 7271 } 7272 7273 static struct pernet_operations selinux_net_ops = { 7274 .init = selinux_nf_register, 7275 .exit = selinux_nf_unregister, 7276 }; 7277 7278 static int __init selinux_nf_ip_init(void) 7279 { 7280 int err; 7281 7282 if (!selinux_enabled) 7283 return 0; 7284 7285 pr_debug("SELinux: Registering netfilter hooks\n"); 7286 7287 err = register_pernet_subsys(&selinux_net_ops); 7288 if (err) 7289 panic("SELinux: register_pernet_subsys: error %d\n", err); 7290 7291 return 0; 7292 } 7293 __initcall(selinux_nf_ip_init); 7294 7295 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7296 static void selinux_nf_ip_exit(void) 7297 { 7298 pr_debug("SELinux: Unregistering netfilter hooks\n"); 7299 7300 unregister_pernet_subsys(&selinux_net_ops); 7301 } 7302 #endif 7303 7304 #else /* CONFIG_NETFILTER */ 7305 7306 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7307 #define selinux_nf_ip_exit() 7308 #endif 7309 7310 #endif /* CONFIG_NETFILTER */ 7311 7312 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7313 int selinux_disable(struct selinux_state *state) 7314 { 7315 if (state->initialized) { 7316 /* Not permitted after initial policy load. */ 7317 return -EINVAL; 7318 } 7319 7320 if (state->disabled) { 7321 /* Only do this once. */ 7322 return -EINVAL; 7323 } 7324 7325 state->disabled = 1; 7326 7327 pr_info("SELinux: Disabled at runtime.\n"); 7328 7329 selinux_enabled = 0; 7330 7331 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7332 7333 /* Try to destroy the avc node cache */ 7334 avc_disable(); 7335 7336 /* Unregister netfilter hooks. */ 7337 selinux_nf_ip_exit(); 7338 7339 /* Unregister selinuxfs. */ 7340 exit_sel_fs(); 7341 7342 return 0; 7343 } 7344 #endif 7345