1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * Copyright (C) 2016 Mellanox Technologies 21 * 22 * This program is free software; you can redistribute it and/or modify 23 * it under the terms of the GNU General Public License version 2, 24 * as published by the Free Software Foundation. 25 */ 26 27 #include <linux/init.h> 28 #include <linux/kd.h> 29 #include <linux/kernel.h> 30 #include <linux/tracehook.h> 31 #include <linux/errno.h> 32 #include <linux/sched/signal.h> 33 #include <linux/sched/task.h> 34 #include <linux/lsm_hooks.h> 35 #include <linux/xattr.h> 36 #include <linux/capability.h> 37 #include <linux/unistd.h> 38 #include <linux/mm.h> 39 #include <linux/mman.h> 40 #include <linux/slab.h> 41 #include <linux/pagemap.h> 42 #include <linux/proc_fs.h> 43 #include <linux/swap.h> 44 #include <linux/spinlock.h> 45 #include <linux/syscalls.h> 46 #include <linux/dcache.h> 47 #include <linux/file.h> 48 #include <linux/fdtable.h> 49 #include <linux/namei.h> 50 #include <linux/mount.h> 51 #include <linux/netfilter_ipv4.h> 52 #include <linux/netfilter_ipv6.h> 53 #include <linux/tty.h> 54 #include <net/icmp.h> 55 #include <net/ip.h> /* for local_port_range[] */ 56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 57 #include <net/inet_connection_sock.h> 58 #include <net/net_namespace.h> 59 #include <net/netlabel.h> 60 #include <linux/uaccess.h> 61 #include <asm/ioctls.h> 62 #include <linux/atomic.h> 63 #include <linux/bitops.h> 64 #include <linux/interrupt.h> 65 #include <linux/netdevice.h> /* for network interface checks */ 66 #include <net/netlink.h> 67 #include <linux/tcp.h> 68 #include <linux/udp.h> 69 #include <linux/dccp.h> 70 #include <linux/sctp.h> 71 #include <net/sctp/structs.h> 72 #include <linux/quota.h> 73 #include <linux/un.h> /* for Unix socket types */ 74 #include <net/af_unix.h> /* for Unix socket types */ 75 #include <linux/parser.h> 76 #include <linux/nfs_mount.h> 77 #include <net/ipv6.h> 78 #include <linux/hugetlb.h> 79 #include <linux/personality.h> 80 #include <linux/audit.h> 81 #include <linux/string.h> 82 #include <linux/selinux.h> 83 #include <linux/mutex.h> 84 #include <linux/posix-timers.h> 85 #include <linux/syslog.h> 86 #include <linux/user_namespace.h> 87 #include <linux/export.h> 88 #include <linux/msg.h> 89 #include <linux/shm.h> 90 #include <linux/bpf.h> 91 92 #include "avc.h" 93 #include "objsec.h" 94 #include "netif.h" 95 #include "netnode.h" 96 #include "netport.h" 97 #include "ibpkey.h" 98 #include "xfrm.h" 99 #include "netlabel.h" 100 #include "audit.h" 101 #include "avc_ss.h" 102 103 struct selinux_state selinux_state; 104 105 /* SECMARK reference count */ 106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 107 108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 109 static int selinux_enforcing_boot; 110 111 static int __init enforcing_setup(char *str) 112 { 113 unsigned long enforcing; 114 if (!kstrtoul(str, 0, &enforcing)) 115 selinux_enforcing_boot = enforcing ? 1 : 0; 116 return 1; 117 } 118 __setup("enforcing=", enforcing_setup); 119 #else 120 #define selinux_enforcing_boot 1 121 #endif 122 123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 125 126 static int __init selinux_enabled_setup(char *str) 127 { 128 unsigned long enabled; 129 if (!kstrtoul(str, 0, &enabled)) 130 selinux_enabled = enabled ? 1 : 0; 131 return 1; 132 } 133 __setup("selinux=", selinux_enabled_setup); 134 #else 135 int selinux_enabled = 1; 136 #endif 137 138 static unsigned int selinux_checkreqprot_boot = 139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 140 141 static int __init checkreqprot_setup(char *str) 142 { 143 unsigned long checkreqprot; 144 145 if (!kstrtoul(str, 0, &checkreqprot)) 146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0; 147 return 1; 148 } 149 __setup("checkreqprot=", checkreqprot_setup); 150 151 static struct kmem_cache *sel_inode_cache; 152 static struct kmem_cache *file_security_cache; 153 154 /** 155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 156 * 157 * Description: 158 * This function checks the SECMARK reference counter to see if any SECMARK 159 * targets are currently configured, if the reference counter is greater than 160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 161 * enabled, false (0) if SECMARK is disabled. If the always_check_network 162 * policy capability is enabled, SECMARK is always considered enabled. 163 * 164 */ 165 static int selinux_secmark_enabled(void) 166 { 167 return (selinux_policycap_alwaysnetwork() || 168 atomic_read(&selinux_secmark_refcount)); 169 } 170 171 /** 172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 173 * 174 * Description: 175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 176 * (1) if any are enabled or false (0) if neither are enabled. If the 177 * always_check_network policy capability is enabled, peer labeling 178 * is always considered enabled. 179 * 180 */ 181 static int selinux_peerlbl_enabled(void) 182 { 183 return (selinux_policycap_alwaysnetwork() || 184 netlbl_enabled() || selinux_xfrm_enabled()); 185 } 186 187 static int selinux_netcache_avc_callback(u32 event) 188 { 189 if (event == AVC_CALLBACK_RESET) { 190 sel_netif_flush(); 191 sel_netnode_flush(); 192 sel_netport_flush(); 193 synchronize_net(); 194 } 195 return 0; 196 } 197 198 static int selinux_lsm_notifier_avc_callback(u32 event) 199 { 200 if (event == AVC_CALLBACK_RESET) { 201 sel_ib_pkey_flush(); 202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL); 203 } 204 205 return 0; 206 } 207 208 /* 209 * initialise the security for the init task 210 */ 211 static void cred_init_security(void) 212 { 213 struct cred *cred = (struct cred *) current->real_cred; 214 struct task_security_struct *tsec; 215 216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 217 if (!tsec) 218 panic("SELinux: Failed to initialize initial task.\n"); 219 220 tsec->osid = tsec->sid = SECINITSID_KERNEL; 221 cred->security = tsec; 222 } 223 224 /* 225 * get the security ID of a set of credentials 226 */ 227 static inline u32 cred_sid(const struct cred *cred) 228 { 229 const struct task_security_struct *tsec; 230 231 tsec = cred->security; 232 return tsec->sid; 233 } 234 235 /* 236 * get the objective security ID of a task 237 */ 238 static inline u32 task_sid(const struct task_struct *task) 239 { 240 u32 sid; 241 242 rcu_read_lock(); 243 sid = cred_sid(__task_cred(task)); 244 rcu_read_unlock(); 245 return sid; 246 } 247 248 /* Allocate and free functions for each kind of security blob. */ 249 250 static int inode_alloc_security(struct inode *inode) 251 { 252 struct inode_security_struct *isec; 253 u32 sid = current_sid(); 254 255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 256 if (!isec) 257 return -ENOMEM; 258 259 spin_lock_init(&isec->lock); 260 INIT_LIST_HEAD(&isec->list); 261 isec->inode = inode; 262 isec->sid = SECINITSID_UNLABELED; 263 isec->sclass = SECCLASS_FILE; 264 isec->task_sid = sid; 265 isec->initialized = LABEL_INVALID; 266 inode->i_security = isec; 267 268 return 0; 269 } 270 271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 272 273 /* 274 * Try reloading inode security labels that have been marked as invalid. The 275 * @may_sleep parameter indicates when sleeping and thus reloading labels is 276 * allowed; when set to false, returns -ECHILD when the label is 277 * invalid. The @opt_dentry parameter should be set to a dentry of the inode; 278 * when no dentry is available, set it to NULL instead. 279 */ 280 static int __inode_security_revalidate(struct inode *inode, 281 struct dentry *opt_dentry, 282 bool may_sleep) 283 { 284 struct inode_security_struct *isec = inode->i_security; 285 286 might_sleep_if(may_sleep); 287 288 if (selinux_state.initialized && 289 isec->initialized != LABEL_INITIALIZED) { 290 if (!may_sleep) 291 return -ECHILD; 292 293 /* 294 * Try reloading the inode security label. This will fail if 295 * @opt_dentry is NULL and no dentry for this inode can be 296 * found; in that case, continue using the old label. 297 */ 298 inode_doinit_with_dentry(inode, opt_dentry); 299 } 300 return 0; 301 } 302 303 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 304 { 305 return inode->i_security; 306 } 307 308 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 309 { 310 int error; 311 312 error = __inode_security_revalidate(inode, NULL, !rcu); 313 if (error) 314 return ERR_PTR(error); 315 return inode->i_security; 316 } 317 318 /* 319 * Get the security label of an inode. 320 */ 321 static struct inode_security_struct *inode_security(struct inode *inode) 322 { 323 __inode_security_revalidate(inode, NULL, true); 324 return inode->i_security; 325 } 326 327 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 328 { 329 struct inode *inode = d_backing_inode(dentry); 330 331 return inode->i_security; 332 } 333 334 /* 335 * Get the security label of a dentry's backing inode. 336 */ 337 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 338 { 339 struct inode *inode = d_backing_inode(dentry); 340 341 __inode_security_revalidate(inode, dentry, true); 342 return inode->i_security; 343 } 344 345 static void inode_free_rcu(struct rcu_head *head) 346 { 347 struct inode_security_struct *isec; 348 349 isec = container_of(head, struct inode_security_struct, rcu); 350 kmem_cache_free(sel_inode_cache, isec); 351 } 352 353 static void inode_free_security(struct inode *inode) 354 { 355 struct inode_security_struct *isec = inode->i_security; 356 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 357 358 /* 359 * As not all inode security structures are in a list, we check for 360 * empty list outside of the lock to make sure that we won't waste 361 * time taking a lock doing nothing. 362 * 363 * The list_del_init() function can be safely called more than once. 364 * It should not be possible for this function to be called with 365 * concurrent list_add(), but for better safety against future changes 366 * in the code, we use list_empty_careful() here. 367 */ 368 if (!list_empty_careful(&isec->list)) { 369 spin_lock(&sbsec->isec_lock); 370 list_del_init(&isec->list); 371 spin_unlock(&sbsec->isec_lock); 372 } 373 374 /* 375 * The inode may still be referenced in a path walk and 376 * a call to selinux_inode_permission() can be made 377 * after inode_free_security() is called. Ideally, the VFS 378 * wouldn't do this, but fixing that is a much harder 379 * job. For now, simply free the i_security via RCU, and 380 * leave the current inode->i_security pointer intact. 381 * The inode will be freed after the RCU grace period too. 382 */ 383 call_rcu(&isec->rcu, inode_free_rcu); 384 } 385 386 static int file_alloc_security(struct file *file) 387 { 388 struct file_security_struct *fsec; 389 u32 sid = current_sid(); 390 391 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); 392 if (!fsec) 393 return -ENOMEM; 394 395 fsec->sid = sid; 396 fsec->fown_sid = sid; 397 file->f_security = fsec; 398 399 return 0; 400 } 401 402 static void file_free_security(struct file *file) 403 { 404 struct file_security_struct *fsec = file->f_security; 405 file->f_security = NULL; 406 kmem_cache_free(file_security_cache, fsec); 407 } 408 409 static int superblock_alloc_security(struct super_block *sb) 410 { 411 struct superblock_security_struct *sbsec; 412 413 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 414 if (!sbsec) 415 return -ENOMEM; 416 417 mutex_init(&sbsec->lock); 418 INIT_LIST_HEAD(&sbsec->isec_head); 419 spin_lock_init(&sbsec->isec_lock); 420 sbsec->sb = sb; 421 sbsec->sid = SECINITSID_UNLABELED; 422 sbsec->def_sid = SECINITSID_FILE; 423 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 424 sb->s_security = sbsec; 425 426 return 0; 427 } 428 429 static void superblock_free_security(struct super_block *sb) 430 { 431 struct superblock_security_struct *sbsec = sb->s_security; 432 sb->s_security = NULL; 433 kfree(sbsec); 434 } 435 436 static inline int inode_doinit(struct inode *inode) 437 { 438 return inode_doinit_with_dentry(inode, NULL); 439 } 440 441 enum { 442 Opt_error = -1, 443 Opt_context = 1, 444 Opt_fscontext = 2, 445 Opt_defcontext = 3, 446 Opt_rootcontext = 4, 447 Opt_labelsupport = 5, 448 Opt_nextmntopt = 6, 449 }; 450 451 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1) 452 453 static const match_table_t tokens = { 454 {Opt_context, CONTEXT_STR "%s"}, 455 {Opt_fscontext, FSCONTEXT_STR "%s"}, 456 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 457 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 458 {Opt_labelsupport, LABELSUPP_STR}, 459 {Opt_error, NULL}, 460 }; 461 462 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 463 464 static int may_context_mount_sb_relabel(u32 sid, 465 struct superblock_security_struct *sbsec, 466 const struct cred *cred) 467 { 468 const struct task_security_struct *tsec = cred->security; 469 int rc; 470 471 rc = avc_has_perm(&selinux_state, 472 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 473 FILESYSTEM__RELABELFROM, NULL); 474 if (rc) 475 return rc; 476 477 rc = avc_has_perm(&selinux_state, 478 tsec->sid, sid, SECCLASS_FILESYSTEM, 479 FILESYSTEM__RELABELTO, NULL); 480 return rc; 481 } 482 483 static int may_context_mount_inode_relabel(u32 sid, 484 struct superblock_security_struct *sbsec, 485 const struct cred *cred) 486 { 487 const struct task_security_struct *tsec = cred->security; 488 int rc; 489 rc = avc_has_perm(&selinux_state, 490 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 491 FILESYSTEM__RELABELFROM, NULL); 492 if (rc) 493 return rc; 494 495 rc = avc_has_perm(&selinux_state, 496 sid, sbsec->sid, SECCLASS_FILESYSTEM, 497 FILESYSTEM__ASSOCIATE, NULL); 498 return rc; 499 } 500 501 static int selinux_is_sblabel_mnt(struct super_block *sb) 502 { 503 struct superblock_security_struct *sbsec = sb->s_security; 504 505 return sbsec->behavior == SECURITY_FS_USE_XATTR || 506 sbsec->behavior == SECURITY_FS_USE_TRANS || 507 sbsec->behavior == SECURITY_FS_USE_TASK || 508 sbsec->behavior == SECURITY_FS_USE_NATIVE || 509 /* Special handling. Genfs but also in-core setxattr handler */ 510 !strcmp(sb->s_type->name, "sysfs") || 511 !strcmp(sb->s_type->name, "pstore") || 512 !strcmp(sb->s_type->name, "debugfs") || 513 !strcmp(sb->s_type->name, "tracefs") || 514 !strcmp(sb->s_type->name, "rootfs") || 515 (selinux_policycap_cgroupseclabel() && 516 (!strcmp(sb->s_type->name, "cgroup") || 517 !strcmp(sb->s_type->name, "cgroup2"))); 518 } 519 520 static int sb_finish_set_opts(struct super_block *sb) 521 { 522 struct superblock_security_struct *sbsec = sb->s_security; 523 struct dentry *root = sb->s_root; 524 struct inode *root_inode = d_backing_inode(root); 525 int rc = 0; 526 527 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 528 /* Make sure that the xattr handler exists and that no 529 error other than -ENODATA is returned by getxattr on 530 the root directory. -ENODATA is ok, as this may be 531 the first boot of the SELinux kernel before we have 532 assigned xattr values to the filesystem. */ 533 if (!(root_inode->i_opflags & IOP_XATTR)) { 534 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 535 "xattr support\n", sb->s_id, sb->s_type->name); 536 rc = -EOPNOTSUPP; 537 goto out; 538 } 539 540 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 541 if (rc < 0 && rc != -ENODATA) { 542 if (rc == -EOPNOTSUPP) 543 printk(KERN_WARNING "SELinux: (dev %s, type " 544 "%s) has no security xattr handler\n", 545 sb->s_id, sb->s_type->name); 546 else 547 printk(KERN_WARNING "SELinux: (dev %s, type " 548 "%s) getxattr errno %d\n", sb->s_id, 549 sb->s_type->name, -rc); 550 goto out; 551 } 552 } 553 554 sbsec->flags |= SE_SBINITIALIZED; 555 556 /* 557 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 558 * leave the flag untouched because sb_clone_mnt_opts might be handing 559 * us a superblock that needs the flag to be cleared. 560 */ 561 if (selinux_is_sblabel_mnt(sb)) 562 sbsec->flags |= SBLABEL_MNT; 563 else 564 sbsec->flags &= ~SBLABEL_MNT; 565 566 /* Initialize the root inode. */ 567 rc = inode_doinit_with_dentry(root_inode, root); 568 569 /* Initialize any other inodes associated with the superblock, e.g. 570 inodes created prior to initial policy load or inodes created 571 during get_sb by a pseudo filesystem that directly 572 populates itself. */ 573 spin_lock(&sbsec->isec_lock); 574 next_inode: 575 if (!list_empty(&sbsec->isec_head)) { 576 struct inode_security_struct *isec = 577 list_entry(sbsec->isec_head.next, 578 struct inode_security_struct, list); 579 struct inode *inode = isec->inode; 580 list_del_init(&isec->list); 581 spin_unlock(&sbsec->isec_lock); 582 inode = igrab(inode); 583 if (inode) { 584 if (!IS_PRIVATE(inode)) 585 inode_doinit(inode); 586 iput(inode); 587 } 588 spin_lock(&sbsec->isec_lock); 589 goto next_inode; 590 } 591 spin_unlock(&sbsec->isec_lock); 592 out: 593 return rc; 594 } 595 596 /* 597 * This function should allow an FS to ask what it's mount security 598 * options were so it can use those later for submounts, displaying 599 * mount options, or whatever. 600 */ 601 static int selinux_get_mnt_opts(const struct super_block *sb, 602 struct security_mnt_opts *opts) 603 { 604 int rc = 0, i; 605 struct superblock_security_struct *sbsec = sb->s_security; 606 char *context = NULL; 607 u32 len; 608 char tmp; 609 610 security_init_mnt_opts(opts); 611 612 if (!(sbsec->flags & SE_SBINITIALIZED)) 613 return -EINVAL; 614 615 if (!selinux_state.initialized) 616 return -EINVAL; 617 618 /* make sure we always check enough bits to cover the mask */ 619 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS)); 620 621 tmp = sbsec->flags & SE_MNTMASK; 622 /* count the number of mount options for this sb */ 623 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) { 624 if (tmp & 0x01) 625 opts->num_mnt_opts++; 626 tmp >>= 1; 627 } 628 /* Check if the Label support flag is set */ 629 if (sbsec->flags & SBLABEL_MNT) 630 opts->num_mnt_opts++; 631 632 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 633 if (!opts->mnt_opts) { 634 rc = -ENOMEM; 635 goto out_free; 636 } 637 638 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 639 if (!opts->mnt_opts_flags) { 640 rc = -ENOMEM; 641 goto out_free; 642 } 643 644 i = 0; 645 if (sbsec->flags & FSCONTEXT_MNT) { 646 rc = security_sid_to_context(&selinux_state, sbsec->sid, 647 &context, &len); 648 if (rc) 649 goto out_free; 650 opts->mnt_opts[i] = context; 651 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 652 } 653 if (sbsec->flags & CONTEXT_MNT) { 654 rc = security_sid_to_context(&selinux_state, 655 sbsec->mntpoint_sid, 656 &context, &len); 657 if (rc) 658 goto out_free; 659 opts->mnt_opts[i] = context; 660 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 661 } 662 if (sbsec->flags & DEFCONTEXT_MNT) { 663 rc = security_sid_to_context(&selinux_state, sbsec->def_sid, 664 &context, &len); 665 if (rc) 666 goto out_free; 667 opts->mnt_opts[i] = context; 668 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 669 } 670 if (sbsec->flags & ROOTCONTEXT_MNT) { 671 struct dentry *root = sbsec->sb->s_root; 672 struct inode_security_struct *isec = backing_inode_security(root); 673 674 rc = security_sid_to_context(&selinux_state, isec->sid, 675 &context, &len); 676 if (rc) 677 goto out_free; 678 opts->mnt_opts[i] = context; 679 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 680 } 681 if (sbsec->flags & SBLABEL_MNT) { 682 opts->mnt_opts[i] = NULL; 683 opts->mnt_opts_flags[i++] = SBLABEL_MNT; 684 } 685 686 BUG_ON(i != opts->num_mnt_opts); 687 688 return 0; 689 690 out_free: 691 security_free_mnt_opts(opts); 692 return rc; 693 } 694 695 static int bad_option(struct superblock_security_struct *sbsec, char flag, 696 u32 old_sid, u32 new_sid) 697 { 698 char mnt_flags = sbsec->flags & SE_MNTMASK; 699 700 /* check if the old mount command had the same options */ 701 if (sbsec->flags & SE_SBINITIALIZED) 702 if (!(sbsec->flags & flag) || 703 (old_sid != new_sid)) 704 return 1; 705 706 /* check if we were passed the same options twice, 707 * aka someone passed context=a,context=b 708 */ 709 if (!(sbsec->flags & SE_SBINITIALIZED)) 710 if (mnt_flags & flag) 711 return 1; 712 return 0; 713 } 714 715 /* 716 * Allow filesystems with binary mount data to explicitly set mount point 717 * labeling information. 718 */ 719 static int selinux_set_mnt_opts(struct super_block *sb, 720 struct security_mnt_opts *opts, 721 unsigned long kern_flags, 722 unsigned long *set_kern_flags) 723 { 724 const struct cred *cred = current_cred(); 725 int rc = 0, i; 726 struct superblock_security_struct *sbsec = sb->s_security; 727 const char *name = sb->s_type->name; 728 struct dentry *root = sbsec->sb->s_root; 729 struct inode_security_struct *root_isec; 730 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 731 u32 defcontext_sid = 0; 732 char **mount_options = opts->mnt_opts; 733 int *flags = opts->mnt_opts_flags; 734 int num_opts = opts->num_mnt_opts; 735 736 mutex_lock(&sbsec->lock); 737 738 if (!selinux_state.initialized) { 739 if (!num_opts) { 740 /* Defer initialization until selinux_complete_init, 741 after the initial policy is loaded and the security 742 server is ready to handle calls. */ 743 goto out; 744 } 745 rc = -EINVAL; 746 printk(KERN_WARNING "SELinux: Unable to set superblock options " 747 "before the security server is initialized\n"); 748 goto out; 749 } 750 if (kern_flags && !set_kern_flags) { 751 /* Specifying internal flags without providing a place to 752 * place the results is not allowed */ 753 rc = -EINVAL; 754 goto out; 755 } 756 757 /* 758 * Binary mount data FS will come through this function twice. Once 759 * from an explicit call and once from the generic calls from the vfs. 760 * Since the generic VFS calls will not contain any security mount data 761 * we need to skip the double mount verification. 762 * 763 * This does open a hole in which we will not notice if the first 764 * mount using this sb set explict options and a second mount using 765 * this sb does not set any security options. (The first options 766 * will be used for both mounts) 767 */ 768 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 769 && (num_opts == 0)) 770 goto out; 771 772 root_isec = backing_inode_security_novalidate(root); 773 774 /* 775 * parse the mount options, check if they are valid sids. 776 * also check if someone is trying to mount the same sb more 777 * than once with different security options. 778 */ 779 for (i = 0; i < num_opts; i++) { 780 u32 sid; 781 782 if (flags[i] == SBLABEL_MNT) 783 continue; 784 rc = security_context_str_to_sid(&selinux_state, 785 mount_options[i], &sid, 786 GFP_KERNEL); 787 if (rc) { 788 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 789 "(%s) failed for (dev %s, type %s) errno=%d\n", 790 mount_options[i], sb->s_id, name, rc); 791 goto out; 792 } 793 switch (flags[i]) { 794 case FSCONTEXT_MNT: 795 fscontext_sid = sid; 796 797 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 798 fscontext_sid)) 799 goto out_double_mount; 800 801 sbsec->flags |= FSCONTEXT_MNT; 802 break; 803 case CONTEXT_MNT: 804 context_sid = sid; 805 806 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 807 context_sid)) 808 goto out_double_mount; 809 810 sbsec->flags |= CONTEXT_MNT; 811 break; 812 case ROOTCONTEXT_MNT: 813 rootcontext_sid = sid; 814 815 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 816 rootcontext_sid)) 817 goto out_double_mount; 818 819 sbsec->flags |= ROOTCONTEXT_MNT; 820 821 break; 822 case DEFCONTEXT_MNT: 823 defcontext_sid = sid; 824 825 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 826 defcontext_sid)) 827 goto out_double_mount; 828 829 sbsec->flags |= DEFCONTEXT_MNT; 830 831 break; 832 default: 833 rc = -EINVAL; 834 goto out; 835 } 836 } 837 838 if (sbsec->flags & SE_SBINITIALIZED) { 839 /* previously mounted with options, but not on this attempt? */ 840 if ((sbsec->flags & SE_MNTMASK) && !num_opts) 841 goto out_double_mount; 842 rc = 0; 843 goto out; 844 } 845 846 if (strcmp(sb->s_type->name, "proc") == 0) 847 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 848 849 if (!strcmp(sb->s_type->name, "debugfs") || 850 !strcmp(sb->s_type->name, "tracefs") || 851 !strcmp(sb->s_type->name, "sysfs") || 852 !strcmp(sb->s_type->name, "pstore") || 853 !strcmp(sb->s_type->name, "cgroup") || 854 !strcmp(sb->s_type->name, "cgroup2")) 855 sbsec->flags |= SE_SBGENFS; 856 857 if (!sbsec->behavior) { 858 /* 859 * Determine the labeling behavior to use for this 860 * filesystem type. 861 */ 862 rc = security_fs_use(&selinux_state, sb); 863 if (rc) { 864 printk(KERN_WARNING 865 "%s: security_fs_use(%s) returned %d\n", 866 __func__, sb->s_type->name, rc); 867 goto out; 868 } 869 } 870 871 /* 872 * If this is a user namespace mount and the filesystem type is not 873 * explicitly whitelisted, then no contexts are allowed on the command 874 * line and security labels must be ignored. 875 */ 876 if (sb->s_user_ns != &init_user_ns && 877 strcmp(sb->s_type->name, "tmpfs") && 878 strcmp(sb->s_type->name, "ramfs") && 879 strcmp(sb->s_type->name, "devpts")) { 880 if (context_sid || fscontext_sid || rootcontext_sid || 881 defcontext_sid) { 882 rc = -EACCES; 883 goto out; 884 } 885 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 886 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 887 rc = security_transition_sid(&selinux_state, 888 current_sid(), 889 current_sid(), 890 SECCLASS_FILE, NULL, 891 &sbsec->mntpoint_sid); 892 if (rc) 893 goto out; 894 } 895 goto out_set_opts; 896 } 897 898 /* sets the context of the superblock for the fs being mounted. */ 899 if (fscontext_sid) { 900 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 901 if (rc) 902 goto out; 903 904 sbsec->sid = fscontext_sid; 905 } 906 907 /* 908 * Switch to using mount point labeling behavior. 909 * sets the label used on all file below the mountpoint, and will set 910 * the superblock context if not already set. 911 */ 912 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 913 sbsec->behavior = SECURITY_FS_USE_NATIVE; 914 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 915 } 916 917 if (context_sid) { 918 if (!fscontext_sid) { 919 rc = may_context_mount_sb_relabel(context_sid, sbsec, 920 cred); 921 if (rc) 922 goto out; 923 sbsec->sid = context_sid; 924 } else { 925 rc = may_context_mount_inode_relabel(context_sid, sbsec, 926 cred); 927 if (rc) 928 goto out; 929 } 930 if (!rootcontext_sid) 931 rootcontext_sid = context_sid; 932 933 sbsec->mntpoint_sid = context_sid; 934 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 935 } 936 937 if (rootcontext_sid) { 938 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 939 cred); 940 if (rc) 941 goto out; 942 943 root_isec->sid = rootcontext_sid; 944 root_isec->initialized = LABEL_INITIALIZED; 945 } 946 947 if (defcontext_sid) { 948 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 949 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 950 rc = -EINVAL; 951 printk(KERN_WARNING "SELinux: defcontext option is " 952 "invalid for this filesystem type\n"); 953 goto out; 954 } 955 956 if (defcontext_sid != sbsec->def_sid) { 957 rc = may_context_mount_inode_relabel(defcontext_sid, 958 sbsec, cred); 959 if (rc) 960 goto out; 961 } 962 963 sbsec->def_sid = defcontext_sid; 964 } 965 966 out_set_opts: 967 rc = sb_finish_set_opts(sb); 968 out: 969 mutex_unlock(&sbsec->lock); 970 return rc; 971 out_double_mount: 972 rc = -EINVAL; 973 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 974 "security settings for (dev %s, type %s)\n", sb->s_id, name); 975 goto out; 976 } 977 978 static int selinux_cmp_sb_context(const struct super_block *oldsb, 979 const struct super_block *newsb) 980 { 981 struct superblock_security_struct *old = oldsb->s_security; 982 struct superblock_security_struct *new = newsb->s_security; 983 char oldflags = old->flags & SE_MNTMASK; 984 char newflags = new->flags & SE_MNTMASK; 985 986 if (oldflags != newflags) 987 goto mismatch; 988 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 989 goto mismatch; 990 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 991 goto mismatch; 992 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 993 goto mismatch; 994 if (oldflags & ROOTCONTEXT_MNT) { 995 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 996 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 997 if (oldroot->sid != newroot->sid) 998 goto mismatch; 999 } 1000 return 0; 1001 mismatch: 1002 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, " 1003 "different security settings for (dev %s, " 1004 "type %s)\n", newsb->s_id, newsb->s_type->name); 1005 return -EBUSY; 1006 } 1007 1008 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 1009 struct super_block *newsb, 1010 unsigned long kern_flags, 1011 unsigned long *set_kern_flags) 1012 { 1013 int rc = 0; 1014 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 1015 struct superblock_security_struct *newsbsec = newsb->s_security; 1016 1017 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 1018 int set_context = (oldsbsec->flags & CONTEXT_MNT); 1019 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 1020 1021 /* 1022 * if the parent was able to be mounted it clearly had no special lsm 1023 * mount options. thus we can safely deal with this superblock later 1024 */ 1025 if (!selinux_state.initialized) 1026 return 0; 1027 1028 /* 1029 * Specifying internal flags without providing a place to 1030 * place the results is not allowed. 1031 */ 1032 if (kern_flags && !set_kern_flags) 1033 return -EINVAL; 1034 1035 /* how can we clone if the old one wasn't set up?? */ 1036 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 1037 1038 /* if fs is reusing a sb, make sure that the contexts match */ 1039 if (newsbsec->flags & SE_SBINITIALIZED) 1040 return selinux_cmp_sb_context(oldsb, newsb); 1041 1042 mutex_lock(&newsbsec->lock); 1043 1044 newsbsec->flags = oldsbsec->flags; 1045 1046 newsbsec->sid = oldsbsec->sid; 1047 newsbsec->def_sid = oldsbsec->def_sid; 1048 newsbsec->behavior = oldsbsec->behavior; 1049 1050 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 1051 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 1052 rc = security_fs_use(&selinux_state, newsb); 1053 if (rc) 1054 goto out; 1055 } 1056 1057 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 1058 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 1059 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 1060 } 1061 1062 if (set_context) { 1063 u32 sid = oldsbsec->mntpoint_sid; 1064 1065 if (!set_fscontext) 1066 newsbsec->sid = sid; 1067 if (!set_rootcontext) { 1068 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1069 newisec->sid = sid; 1070 } 1071 newsbsec->mntpoint_sid = sid; 1072 } 1073 if (set_rootcontext) { 1074 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 1075 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1076 1077 newisec->sid = oldisec->sid; 1078 } 1079 1080 sb_finish_set_opts(newsb); 1081 out: 1082 mutex_unlock(&newsbsec->lock); 1083 return rc; 1084 } 1085 1086 static int selinux_parse_opts_str(char *options, 1087 struct security_mnt_opts *opts) 1088 { 1089 char *p; 1090 char *context = NULL, *defcontext = NULL; 1091 char *fscontext = NULL, *rootcontext = NULL; 1092 int rc, num_mnt_opts = 0; 1093 1094 opts->num_mnt_opts = 0; 1095 1096 /* Standard string-based options. */ 1097 while ((p = strsep(&options, "|")) != NULL) { 1098 int token; 1099 substring_t args[MAX_OPT_ARGS]; 1100 1101 if (!*p) 1102 continue; 1103 1104 token = match_token(p, tokens, args); 1105 1106 switch (token) { 1107 case Opt_context: 1108 if (context || defcontext) { 1109 rc = -EINVAL; 1110 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1111 goto out_err; 1112 } 1113 context = match_strdup(&args[0]); 1114 if (!context) { 1115 rc = -ENOMEM; 1116 goto out_err; 1117 } 1118 break; 1119 1120 case Opt_fscontext: 1121 if (fscontext) { 1122 rc = -EINVAL; 1123 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1124 goto out_err; 1125 } 1126 fscontext = match_strdup(&args[0]); 1127 if (!fscontext) { 1128 rc = -ENOMEM; 1129 goto out_err; 1130 } 1131 break; 1132 1133 case Opt_rootcontext: 1134 if (rootcontext) { 1135 rc = -EINVAL; 1136 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1137 goto out_err; 1138 } 1139 rootcontext = match_strdup(&args[0]); 1140 if (!rootcontext) { 1141 rc = -ENOMEM; 1142 goto out_err; 1143 } 1144 break; 1145 1146 case Opt_defcontext: 1147 if (context || defcontext) { 1148 rc = -EINVAL; 1149 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1150 goto out_err; 1151 } 1152 defcontext = match_strdup(&args[0]); 1153 if (!defcontext) { 1154 rc = -ENOMEM; 1155 goto out_err; 1156 } 1157 break; 1158 case Opt_labelsupport: 1159 break; 1160 default: 1161 rc = -EINVAL; 1162 printk(KERN_WARNING "SELinux: unknown mount option\n"); 1163 goto out_err; 1164 1165 } 1166 } 1167 1168 rc = -ENOMEM; 1169 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL); 1170 if (!opts->mnt_opts) 1171 goto out_err; 1172 1173 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), 1174 GFP_KERNEL); 1175 if (!opts->mnt_opts_flags) 1176 goto out_err; 1177 1178 if (fscontext) { 1179 opts->mnt_opts[num_mnt_opts] = fscontext; 1180 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 1181 } 1182 if (context) { 1183 opts->mnt_opts[num_mnt_opts] = context; 1184 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 1185 } 1186 if (rootcontext) { 1187 opts->mnt_opts[num_mnt_opts] = rootcontext; 1188 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 1189 } 1190 if (defcontext) { 1191 opts->mnt_opts[num_mnt_opts] = defcontext; 1192 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 1193 } 1194 1195 opts->num_mnt_opts = num_mnt_opts; 1196 return 0; 1197 1198 out_err: 1199 security_free_mnt_opts(opts); 1200 kfree(context); 1201 kfree(defcontext); 1202 kfree(fscontext); 1203 kfree(rootcontext); 1204 return rc; 1205 } 1206 /* 1207 * string mount options parsing and call set the sbsec 1208 */ 1209 static int superblock_doinit(struct super_block *sb, void *data) 1210 { 1211 int rc = 0; 1212 char *options = data; 1213 struct security_mnt_opts opts; 1214 1215 security_init_mnt_opts(&opts); 1216 1217 if (!data) 1218 goto out; 1219 1220 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 1221 1222 rc = selinux_parse_opts_str(options, &opts); 1223 if (rc) 1224 goto out_err; 1225 1226 out: 1227 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL); 1228 1229 out_err: 1230 security_free_mnt_opts(&opts); 1231 return rc; 1232 } 1233 1234 static void selinux_write_opts(struct seq_file *m, 1235 struct security_mnt_opts *opts) 1236 { 1237 int i; 1238 char *prefix; 1239 1240 for (i = 0; i < opts->num_mnt_opts; i++) { 1241 char *has_comma; 1242 1243 if (opts->mnt_opts[i]) 1244 has_comma = strchr(opts->mnt_opts[i], ','); 1245 else 1246 has_comma = NULL; 1247 1248 switch (opts->mnt_opts_flags[i]) { 1249 case CONTEXT_MNT: 1250 prefix = CONTEXT_STR; 1251 break; 1252 case FSCONTEXT_MNT: 1253 prefix = FSCONTEXT_STR; 1254 break; 1255 case ROOTCONTEXT_MNT: 1256 prefix = ROOTCONTEXT_STR; 1257 break; 1258 case DEFCONTEXT_MNT: 1259 prefix = DEFCONTEXT_STR; 1260 break; 1261 case SBLABEL_MNT: 1262 seq_putc(m, ','); 1263 seq_puts(m, LABELSUPP_STR); 1264 continue; 1265 default: 1266 BUG(); 1267 return; 1268 }; 1269 /* we need a comma before each option */ 1270 seq_putc(m, ','); 1271 seq_puts(m, prefix); 1272 if (has_comma) 1273 seq_putc(m, '\"'); 1274 seq_escape(m, opts->mnt_opts[i], "\"\n\\"); 1275 if (has_comma) 1276 seq_putc(m, '\"'); 1277 } 1278 } 1279 1280 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1281 { 1282 struct security_mnt_opts opts; 1283 int rc; 1284 1285 rc = selinux_get_mnt_opts(sb, &opts); 1286 if (rc) { 1287 /* before policy load we may get EINVAL, don't show anything */ 1288 if (rc == -EINVAL) 1289 rc = 0; 1290 return rc; 1291 } 1292 1293 selinux_write_opts(m, &opts); 1294 1295 security_free_mnt_opts(&opts); 1296 1297 return rc; 1298 } 1299 1300 static inline u16 inode_mode_to_security_class(umode_t mode) 1301 { 1302 switch (mode & S_IFMT) { 1303 case S_IFSOCK: 1304 return SECCLASS_SOCK_FILE; 1305 case S_IFLNK: 1306 return SECCLASS_LNK_FILE; 1307 case S_IFREG: 1308 return SECCLASS_FILE; 1309 case S_IFBLK: 1310 return SECCLASS_BLK_FILE; 1311 case S_IFDIR: 1312 return SECCLASS_DIR; 1313 case S_IFCHR: 1314 return SECCLASS_CHR_FILE; 1315 case S_IFIFO: 1316 return SECCLASS_FIFO_FILE; 1317 1318 } 1319 1320 return SECCLASS_FILE; 1321 } 1322 1323 static inline int default_protocol_stream(int protocol) 1324 { 1325 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1326 } 1327 1328 static inline int default_protocol_dgram(int protocol) 1329 { 1330 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1331 } 1332 1333 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1334 { 1335 int extsockclass = selinux_policycap_extsockclass(); 1336 1337 switch (family) { 1338 case PF_UNIX: 1339 switch (type) { 1340 case SOCK_STREAM: 1341 case SOCK_SEQPACKET: 1342 return SECCLASS_UNIX_STREAM_SOCKET; 1343 case SOCK_DGRAM: 1344 case SOCK_RAW: 1345 return SECCLASS_UNIX_DGRAM_SOCKET; 1346 } 1347 break; 1348 case PF_INET: 1349 case PF_INET6: 1350 switch (type) { 1351 case SOCK_STREAM: 1352 case SOCK_SEQPACKET: 1353 if (default_protocol_stream(protocol)) 1354 return SECCLASS_TCP_SOCKET; 1355 else if (extsockclass && protocol == IPPROTO_SCTP) 1356 return SECCLASS_SCTP_SOCKET; 1357 else 1358 return SECCLASS_RAWIP_SOCKET; 1359 case SOCK_DGRAM: 1360 if (default_protocol_dgram(protocol)) 1361 return SECCLASS_UDP_SOCKET; 1362 else if (extsockclass && (protocol == IPPROTO_ICMP || 1363 protocol == IPPROTO_ICMPV6)) 1364 return SECCLASS_ICMP_SOCKET; 1365 else 1366 return SECCLASS_RAWIP_SOCKET; 1367 case SOCK_DCCP: 1368 return SECCLASS_DCCP_SOCKET; 1369 default: 1370 return SECCLASS_RAWIP_SOCKET; 1371 } 1372 break; 1373 case PF_NETLINK: 1374 switch (protocol) { 1375 case NETLINK_ROUTE: 1376 return SECCLASS_NETLINK_ROUTE_SOCKET; 1377 case NETLINK_SOCK_DIAG: 1378 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1379 case NETLINK_NFLOG: 1380 return SECCLASS_NETLINK_NFLOG_SOCKET; 1381 case NETLINK_XFRM: 1382 return SECCLASS_NETLINK_XFRM_SOCKET; 1383 case NETLINK_SELINUX: 1384 return SECCLASS_NETLINK_SELINUX_SOCKET; 1385 case NETLINK_ISCSI: 1386 return SECCLASS_NETLINK_ISCSI_SOCKET; 1387 case NETLINK_AUDIT: 1388 return SECCLASS_NETLINK_AUDIT_SOCKET; 1389 case NETLINK_FIB_LOOKUP: 1390 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1391 case NETLINK_CONNECTOR: 1392 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1393 case NETLINK_NETFILTER: 1394 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1395 case NETLINK_DNRTMSG: 1396 return SECCLASS_NETLINK_DNRT_SOCKET; 1397 case NETLINK_KOBJECT_UEVENT: 1398 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1399 case NETLINK_GENERIC: 1400 return SECCLASS_NETLINK_GENERIC_SOCKET; 1401 case NETLINK_SCSITRANSPORT: 1402 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1403 case NETLINK_RDMA: 1404 return SECCLASS_NETLINK_RDMA_SOCKET; 1405 case NETLINK_CRYPTO: 1406 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1407 default: 1408 return SECCLASS_NETLINK_SOCKET; 1409 } 1410 case PF_PACKET: 1411 return SECCLASS_PACKET_SOCKET; 1412 case PF_KEY: 1413 return SECCLASS_KEY_SOCKET; 1414 case PF_APPLETALK: 1415 return SECCLASS_APPLETALK_SOCKET; 1416 } 1417 1418 if (extsockclass) { 1419 switch (family) { 1420 case PF_AX25: 1421 return SECCLASS_AX25_SOCKET; 1422 case PF_IPX: 1423 return SECCLASS_IPX_SOCKET; 1424 case PF_NETROM: 1425 return SECCLASS_NETROM_SOCKET; 1426 case PF_ATMPVC: 1427 return SECCLASS_ATMPVC_SOCKET; 1428 case PF_X25: 1429 return SECCLASS_X25_SOCKET; 1430 case PF_ROSE: 1431 return SECCLASS_ROSE_SOCKET; 1432 case PF_DECnet: 1433 return SECCLASS_DECNET_SOCKET; 1434 case PF_ATMSVC: 1435 return SECCLASS_ATMSVC_SOCKET; 1436 case PF_RDS: 1437 return SECCLASS_RDS_SOCKET; 1438 case PF_IRDA: 1439 return SECCLASS_IRDA_SOCKET; 1440 case PF_PPPOX: 1441 return SECCLASS_PPPOX_SOCKET; 1442 case PF_LLC: 1443 return SECCLASS_LLC_SOCKET; 1444 case PF_CAN: 1445 return SECCLASS_CAN_SOCKET; 1446 case PF_TIPC: 1447 return SECCLASS_TIPC_SOCKET; 1448 case PF_BLUETOOTH: 1449 return SECCLASS_BLUETOOTH_SOCKET; 1450 case PF_IUCV: 1451 return SECCLASS_IUCV_SOCKET; 1452 case PF_RXRPC: 1453 return SECCLASS_RXRPC_SOCKET; 1454 case PF_ISDN: 1455 return SECCLASS_ISDN_SOCKET; 1456 case PF_PHONET: 1457 return SECCLASS_PHONET_SOCKET; 1458 case PF_IEEE802154: 1459 return SECCLASS_IEEE802154_SOCKET; 1460 case PF_CAIF: 1461 return SECCLASS_CAIF_SOCKET; 1462 case PF_ALG: 1463 return SECCLASS_ALG_SOCKET; 1464 case PF_NFC: 1465 return SECCLASS_NFC_SOCKET; 1466 case PF_VSOCK: 1467 return SECCLASS_VSOCK_SOCKET; 1468 case PF_KCM: 1469 return SECCLASS_KCM_SOCKET; 1470 case PF_QIPCRTR: 1471 return SECCLASS_QIPCRTR_SOCKET; 1472 case PF_SMC: 1473 return SECCLASS_SMC_SOCKET; 1474 case PF_XDP: 1475 return SECCLASS_XDP_SOCKET; 1476 #if PF_MAX > 45 1477 #error New address family defined, please update this function. 1478 #endif 1479 } 1480 } 1481 1482 return SECCLASS_SOCKET; 1483 } 1484 1485 static int selinux_genfs_get_sid(struct dentry *dentry, 1486 u16 tclass, 1487 u16 flags, 1488 u32 *sid) 1489 { 1490 int rc; 1491 struct super_block *sb = dentry->d_sb; 1492 char *buffer, *path; 1493 1494 buffer = (char *)__get_free_page(GFP_KERNEL); 1495 if (!buffer) 1496 return -ENOMEM; 1497 1498 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1499 if (IS_ERR(path)) 1500 rc = PTR_ERR(path); 1501 else { 1502 if (flags & SE_SBPROC) { 1503 /* each process gets a /proc/PID/ entry. Strip off the 1504 * PID part to get a valid selinux labeling. 1505 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1506 while (path[1] >= '0' && path[1] <= '9') { 1507 path[1] = '/'; 1508 path++; 1509 } 1510 } 1511 rc = security_genfs_sid(&selinux_state, sb->s_type->name, 1512 path, tclass, sid); 1513 } 1514 free_page((unsigned long)buffer); 1515 return rc; 1516 } 1517 1518 /* The inode's security attributes must be initialized before first use. */ 1519 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1520 { 1521 struct superblock_security_struct *sbsec = NULL; 1522 struct inode_security_struct *isec = inode->i_security; 1523 u32 task_sid, sid = 0; 1524 u16 sclass; 1525 struct dentry *dentry; 1526 #define INITCONTEXTLEN 255 1527 char *context = NULL; 1528 unsigned len = 0; 1529 int rc = 0; 1530 1531 if (isec->initialized == LABEL_INITIALIZED) 1532 return 0; 1533 1534 spin_lock(&isec->lock); 1535 if (isec->initialized == LABEL_INITIALIZED) 1536 goto out_unlock; 1537 1538 if (isec->sclass == SECCLASS_FILE) 1539 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1540 1541 sbsec = inode->i_sb->s_security; 1542 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1543 /* Defer initialization until selinux_complete_init, 1544 after the initial policy is loaded and the security 1545 server is ready to handle calls. */ 1546 spin_lock(&sbsec->isec_lock); 1547 if (list_empty(&isec->list)) 1548 list_add(&isec->list, &sbsec->isec_head); 1549 spin_unlock(&sbsec->isec_lock); 1550 goto out_unlock; 1551 } 1552 1553 sclass = isec->sclass; 1554 task_sid = isec->task_sid; 1555 sid = isec->sid; 1556 isec->initialized = LABEL_PENDING; 1557 spin_unlock(&isec->lock); 1558 1559 switch (sbsec->behavior) { 1560 case SECURITY_FS_USE_NATIVE: 1561 break; 1562 case SECURITY_FS_USE_XATTR: 1563 if (!(inode->i_opflags & IOP_XATTR)) { 1564 sid = sbsec->def_sid; 1565 break; 1566 } 1567 /* Need a dentry, since the xattr API requires one. 1568 Life would be simpler if we could just pass the inode. */ 1569 if (opt_dentry) { 1570 /* Called from d_instantiate or d_splice_alias. */ 1571 dentry = dget(opt_dentry); 1572 } else { 1573 /* 1574 * Called from selinux_complete_init, try to find a dentry. 1575 * Some filesystems really want a connected one, so try 1576 * that first. We could split SECURITY_FS_USE_XATTR in 1577 * two, depending upon that... 1578 */ 1579 dentry = d_find_alias(inode); 1580 if (!dentry) 1581 dentry = d_find_any_alias(inode); 1582 } 1583 if (!dentry) { 1584 /* 1585 * this is can be hit on boot when a file is accessed 1586 * before the policy is loaded. When we load policy we 1587 * may find inodes that have no dentry on the 1588 * sbsec->isec_head list. No reason to complain as these 1589 * will get fixed up the next time we go through 1590 * inode_doinit with a dentry, before these inodes could 1591 * be used again by userspace. 1592 */ 1593 goto out; 1594 } 1595 1596 len = INITCONTEXTLEN; 1597 context = kmalloc(len+1, GFP_NOFS); 1598 if (!context) { 1599 rc = -ENOMEM; 1600 dput(dentry); 1601 goto out; 1602 } 1603 context[len] = '\0'; 1604 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1605 if (rc == -ERANGE) { 1606 kfree(context); 1607 1608 /* Need a larger buffer. Query for the right size. */ 1609 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1610 if (rc < 0) { 1611 dput(dentry); 1612 goto out; 1613 } 1614 len = rc; 1615 context = kmalloc(len+1, GFP_NOFS); 1616 if (!context) { 1617 rc = -ENOMEM; 1618 dput(dentry); 1619 goto out; 1620 } 1621 context[len] = '\0'; 1622 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1623 } 1624 dput(dentry); 1625 if (rc < 0) { 1626 if (rc != -ENODATA) { 1627 printk(KERN_WARNING "SELinux: %s: getxattr returned " 1628 "%d for dev=%s ino=%ld\n", __func__, 1629 -rc, inode->i_sb->s_id, inode->i_ino); 1630 kfree(context); 1631 goto out; 1632 } 1633 /* Map ENODATA to the default file SID */ 1634 sid = sbsec->def_sid; 1635 rc = 0; 1636 } else { 1637 rc = security_context_to_sid_default(&selinux_state, 1638 context, rc, &sid, 1639 sbsec->def_sid, 1640 GFP_NOFS); 1641 if (rc) { 1642 char *dev = inode->i_sb->s_id; 1643 unsigned long ino = inode->i_ino; 1644 1645 if (rc == -EINVAL) { 1646 if (printk_ratelimit()) 1647 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " 1648 "context=%s. This indicates you may need to relabel the inode or the " 1649 "filesystem in question.\n", ino, dev, context); 1650 } else { 1651 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1652 "returned %d for dev=%s ino=%ld\n", 1653 __func__, context, -rc, dev, ino); 1654 } 1655 kfree(context); 1656 /* Leave with the unlabeled SID */ 1657 rc = 0; 1658 break; 1659 } 1660 } 1661 kfree(context); 1662 break; 1663 case SECURITY_FS_USE_TASK: 1664 sid = task_sid; 1665 break; 1666 case SECURITY_FS_USE_TRANS: 1667 /* Default to the fs SID. */ 1668 sid = sbsec->sid; 1669 1670 /* Try to obtain a transition SID. */ 1671 rc = security_transition_sid(&selinux_state, task_sid, sid, 1672 sclass, NULL, &sid); 1673 if (rc) 1674 goto out; 1675 break; 1676 case SECURITY_FS_USE_MNTPOINT: 1677 sid = sbsec->mntpoint_sid; 1678 break; 1679 default: 1680 /* Default to the fs superblock SID. */ 1681 sid = sbsec->sid; 1682 1683 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { 1684 /* We must have a dentry to determine the label on 1685 * procfs inodes */ 1686 if (opt_dentry) { 1687 /* Called from d_instantiate or 1688 * d_splice_alias. */ 1689 dentry = dget(opt_dentry); 1690 } else { 1691 /* Called from selinux_complete_init, try to 1692 * find a dentry. Some filesystems really want 1693 * a connected one, so try that first. 1694 */ 1695 dentry = d_find_alias(inode); 1696 if (!dentry) 1697 dentry = d_find_any_alias(inode); 1698 } 1699 /* 1700 * This can be hit on boot when a file is accessed 1701 * before the policy is loaded. When we load policy we 1702 * may find inodes that have no dentry on the 1703 * sbsec->isec_head list. No reason to complain as 1704 * these will get fixed up the next time we go through 1705 * inode_doinit() with a dentry, before these inodes 1706 * could be used again by userspace. 1707 */ 1708 if (!dentry) 1709 goto out; 1710 rc = selinux_genfs_get_sid(dentry, sclass, 1711 sbsec->flags, &sid); 1712 dput(dentry); 1713 if (rc) 1714 goto out; 1715 } 1716 break; 1717 } 1718 1719 out: 1720 spin_lock(&isec->lock); 1721 if (isec->initialized == LABEL_PENDING) { 1722 if (!sid || rc) { 1723 isec->initialized = LABEL_INVALID; 1724 goto out_unlock; 1725 } 1726 1727 isec->initialized = LABEL_INITIALIZED; 1728 isec->sid = sid; 1729 } 1730 1731 out_unlock: 1732 spin_unlock(&isec->lock); 1733 return rc; 1734 } 1735 1736 /* Convert a Linux signal to an access vector. */ 1737 static inline u32 signal_to_av(int sig) 1738 { 1739 u32 perm = 0; 1740 1741 switch (sig) { 1742 case SIGCHLD: 1743 /* Commonly granted from child to parent. */ 1744 perm = PROCESS__SIGCHLD; 1745 break; 1746 case SIGKILL: 1747 /* Cannot be caught or ignored */ 1748 perm = PROCESS__SIGKILL; 1749 break; 1750 case SIGSTOP: 1751 /* Cannot be caught or ignored */ 1752 perm = PROCESS__SIGSTOP; 1753 break; 1754 default: 1755 /* All other signals. */ 1756 perm = PROCESS__SIGNAL; 1757 break; 1758 } 1759 1760 return perm; 1761 } 1762 1763 #if CAP_LAST_CAP > 63 1764 #error Fix SELinux to handle capabilities > 63. 1765 #endif 1766 1767 /* Check whether a task is allowed to use a capability. */ 1768 static int cred_has_capability(const struct cred *cred, 1769 int cap, int audit, bool initns) 1770 { 1771 struct common_audit_data ad; 1772 struct av_decision avd; 1773 u16 sclass; 1774 u32 sid = cred_sid(cred); 1775 u32 av = CAP_TO_MASK(cap); 1776 int rc; 1777 1778 ad.type = LSM_AUDIT_DATA_CAP; 1779 ad.u.cap = cap; 1780 1781 switch (CAP_TO_INDEX(cap)) { 1782 case 0: 1783 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1784 break; 1785 case 1: 1786 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1787 break; 1788 default: 1789 printk(KERN_ERR 1790 "SELinux: out of range capability %d\n", cap); 1791 BUG(); 1792 return -EINVAL; 1793 } 1794 1795 rc = avc_has_perm_noaudit(&selinux_state, 1796 sid, sid, sclass, av, 0, &avd); 1797 if (audit == SECURITY_CAP_AUDIT) { 1798 int rc2 = avc_audit(&selinux_state, 1799 sid, sid, sclass, av, &avd, rc, &ad, 0); 1800 if (rc2) 1801 return rc2; 1802 } 1803 return rc; 1804 } 1805 1806 /* Check whether a task has a particular permission to an inode. 1807 The 'adp' parameter is optional and allows other audit 1808 data to be passed (e.g. the dentry). */ 1809 static int inode_has_perm(const struct cred *cred, 1810 struct inode *inode, 1811 u32 perms, 1812 struct common_audit_data *adp) 1813 { 1814 struct inode_security_struct *isec; 1815 u32 sid; 1816 1817 validate_creds(cred); 1818 1819 if (unlikely(IS_PRIVATE(inode))) 1820 return 0; 1821 1822 sid = cred_sid(cred); 1823 isec = inode->i_security; 1824 1825 return avc_has_perm(&selinux_state, 1826 sid, isec->sid, isec->sclass, perms, adp); 1827 } 1828 1829 /* Same as inode_has_perm, but pass explicit audit data containing 1830 the dentry to help the auditing code to more easily generate the 1831 pathname if needed. */ 1832 static inline int dentry_has_perm(const struct cred *cred, 1833 struct dentry *dentry, 1834 u32 av) 1835 { 1836 struct inode *inode = d_backing_inode(dentry); 1837 struct common_audit_data ad; 1838 1839 ad.type = LSM_AUDIT_DATA_DENTRY; 1840 ad.u.dentry = dentry; 1841 __inode_security_revalidate(inode, dentry, true); 1842 return inode_has_perm(cred, inode, av, &ad); 1843 } 1844 1845 /* Same as inode_has_perm, but pass explicit audit data containing 1846 the path to help the auditing code to more easily generate the 1847 pathname if needed. */ 1848 static inline int path_has_perm(const struct cred *cred, 1849 const struct path *path, 1850 u32 av) 1851 { 1852 struct inode *inode = d_backing_inode(path->dentry); 1853 struct common_audit_data ad; 1854 1855 ad.type = LSM_AUDIT_DATA_PATH; 1856 ad.u.path = *path; 1857 __inode_security_revalidate(inode, path->dentry, true); 1858 return inode_has_perm(cred, inode, av, &ad); 1859 } 1860 1861 /* Same as path_has_perm, but uses the inode from the file struct. */ 1862 static inline int file_path_has_perm(const struct cred *cred, 1863 struct file *file, 1864 u32 av) 1865 { 1866 struct common_audit_data ad; 1867 1868 ad.type = LSM_AUDIT_DATA_FILE; 1869 ad.u.file = file; 1870 return inode_has_perm(cred, file_inode(file), av, &ad); 1871 } 1872 1873 #ifdef CONFIG_BPF_SYSCALL 1874 static int bpf_fd_pass(struct file *file, u32 sid); 1875 #endif 1876 1877 /* Check whether a task can use an open file descriptor to 1878 access an inode in a given way. Check access to the 1879 descriptor itself, and then use dentry_has_perm to 1880 check a particular permission to the file. 1881 Access to the descriptor is implicitly granted if it 1882 has the same SID as the process. If av is zero, then 1883 access to the file is not checked, e.g. for cases 1884 where only the descriptor is affected like seek. */ 1885 static int file_has_perm(const struct cred *cred, 1886 struct file *file, 1887 u32 av) 1888 { 1889 struct file_security_struct *fsec = file->f_security; 1890 struct inode *inode = file_inode(file); 1891 struct common_audit_data ad; 1892 u32 sid = cred_sid(cred); 1893 int rc; 1894 1895 ad.type = LSM_AUDIT_DATA_FILE; 1896 ad.u.file = file; 1897 1898 if (sid != fsec->sid) { 1899 rc = avc_has_perm(&selinux_state, 1900 sid, fsec->sid, 1901 SECCLASS_FD, 1902 FD__USE, 1903 &ad); 1904 if (rc) 1905 goto out; 1906 } 1907 1908 #ifdef CONFIG_BPF_SYSCALL 1909 rc = bpf_fd_pass(file, cred_sid(cred)); 1910 if (rc) 1911 return rc; 1912 #endif 1913 1914 /* av is zero if only checking access to the descriptor. */ 1915 rc = 0; 1916 if (av) 1917 rc = inode_has_perm(cred, inode, av, &ad); 1918 1919 out: 1920 return rc; 1921 } 1922 1923 /* 1924 * Determine the label for an inode that might be unioned. 1925 */ 1926 static int 1927 selinux_determine_inode_label(const struct task_security_struct *tsec, 1928 struct inode *dir, 1929 const struct qstr *name, u16 tclass, 1930 u32 *_new_isid) 1931 { 1932 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1933 1934 if ((sbsec->flags & SE_SBINITIALIZED) && 1935 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1936 *_new_isid = sbsec->mntpoint_sid; 1937 } else if ((sbsec->flags & SBLABEL_MNT) && 1938 tsec->create_sid) { 1939 *_new_isid = tsec->create_sid; 1940 } else { 1941 const struct inode_security_struct *dsec = inode_security(dir); 1942 return security_transition_sid(&selinux_state, tsec->sid, 1943 dsec->sid, tclass, 1944 name, _new_isid); 1945 } 1946 1947 return 0; 1948 } 1949 1950 /* Check whether a task can create a file. */ 1951 static int may_create(struct inode *dir, 1952 struct dentry *dentry, 1953 u16 tclass) 1954 { 1955 const struct task_security_struct *tsec = current_security(); 1956 struct inode_security_struct *dsec; 1957 struct superblock_security_struct *sbsec; 1958 u32 sid, newsid; 1959 struct common_audit_data ad; 1960 int rc; 1961 1962 dsec = inode_security(dir); 1963 sbsec = dir->i_sb->s_security; 1964 1965 sid = tsec->sid; 1966 1967 ad.type = LSM_AUDIT_DATA_DENTRY; 1968 ad.u.dentry = dentry; 1969 1970 rc = avc_has_perm(&selinux_state, 1971 sid, dsec->sid, SECCLASS_DIR, 1972 DIR__ADD_NAME | DIR__SEARCH, 1973 &ad); 1974 if (rc) 1975 return rc; 1976 1977 rc = selinux_determine_inode_label(current_security(), dir, 1978 &dentry->d_name, tclass, &newsid); 1979 if (rc) 1980 return rc; 1981 1982 rc = avc_has_perm(&selinux_state, 1983 sid, newsid, tclass, FILE__CREATE, &ad); 1984 if (rc) 1985 return rc; 1986 1987 return avc_has_perm(&selinux_state, 1988 newsid, sbsec->sid, 1989 SECCLASS_FILESYSTEM, 1990 FILESYSTEM__ASSOCIATE, &ad); 1991 } 1992 1993 #define MAY_LINK 0 1994 #define MAY_UNLINK 1 1995 #define MAY_RMDIR 2 1996 1997 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1998 static int may_link(struct inode *dir, 1999 struct dentry *dentry, 2000 int kind) 2001 2002 { 2003 struct inode_security_struct *dsec, *isec; 2004 struct common_audit_data ad; 2005 u32 sid = current_sid(); 2006 u32 av; 2007 int rc; 2008 2009 dsec = inode_security(dir); 2010 isec = backing_inode_security(dentry); 2011 2012 ad.type = LSM_AUDIT_DATA_DENTRY; 2013 ad.u.dentry = dentry; 2014 2015 av = DIR__SEARCH; 2016 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 2017 rc = avc_has_perm(&selinux_state, 2018 sid, dsec->sid, SECCLASS_DIR, av, &ad); 2019 if (rc) 2020 return rc; 2021 2022 switch (kind) { 2023 case MAY_LINK: 2024 av = FILE__LINK; 2025 break; 2026 case MAY_UNLINK: 2027 av = FILE__UNLINK; 2028 break; 2029 case MAY_RMDIR: 2030 av = DIR__RMDIR; 2031 break; 2032 default: 2033 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", 2034 __func__, kind); 2035 return 0; 2036 } 2037 2038 rc = avc_has_perm(&selinux_state, 2039 sid, isec->sid, isec->sclass, av, &ad); 2040 return rc; 2041 } 2042 2043 static inline int may_rename(struct inode *old_dir, 2044 struct dentry *old_dentry, 2045 struct inode *new_dir, 2046 struct dentry *new_dentry) 2047 { 2048 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 2049 struct common_audit_data ad; 2050 u32 sid = current_sid(); 2051 u32 av; 2052 int old_is_dir, new_is_dir; 2053 int rc; 2054 2055 old_dsec = inode_security(old_dir); 2056 old_isec = backing_inode_security(old_dentry); 2057 old_is_dir = d_is_dir(old_dentry); 2058 new_dsec = inode_security(new_dir); 2059 2060 ad.type = LSM_AUDIT_DATA_DENTRY; 2061 2062 ad.u.dentry = old_dentry; 2063 rc = avc_has_perm(&selinux_state, 2064 sid, old_dsec->sid, SECCLASS_DIR, 2065 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 2066 if (rc) 2067 return rc; 2068 rc = avc_has_perm(&selinux_state, 2069 sid, old_isec->sid, 2070 old_isec->sclass, FILE__RENAME, &ad); 2071 if (rc) 2072 return rc; 2073 if (old_is_dir && new_dir != old_dir) { 2074 rc = avc_has_perm(&selinux_state, 2075 sid, old_isec->sid, 2076 old_isec->sclass, DIR__REPARENT, &ad); 2077 if (rc) 2078 return rc; 2079 } 2080 2081 ad.u.dentry = new_dentry; 2082 av = DIR__ADD_NAME | DIR__SEARCH; 2083 if (d_is_positive(new_dentry)) 2084 av |= DIR__REMOVE_NAME; 2085 rc = avc_has_perm(&selinux_state, 2086 sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 2087 if (rc) 2088 return rc; 2089 if (d_is_positive(new_dentry)) { 2090 new_isec = backing_inode_security(new_dentry); 2091 new_is_dir = d_is_dir(new_dentry); 2092 rc = avc_has_perm(&selinux_state, 2093 sid, new_isec->sid, 2094 new_isec->sclass, 2095 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 2096 if (rc) 2097 return rc; 2098 } 2099 2100 return 0; 2101 } 2102 2103 /* Check whether a task can perform a filesystem operation. */ 2104 static int superblock_has_perm(const struct cred *cred, 2105 struct super_block *sb, 2106 u32 perms, 2107 struct common_audit_data *ad) 2108 { 2109 struct superblock_security_struct *sbsec; 2110 u32 sid = cred_sid(cred); 2111 2112 sbsec = sb->s_security; 2113 return avc_has_perm(&selinux_state, 2114 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 2115 } 2116 2117 /* Convert a Linux mode and permission mask to an access vector. */ 2118 static inline u32 file_mask_to_av(int mode, int mask) 2119 { 2120 u32 av = 0; 2121 2122 if (!S_ISDIR(mode)) { 2123 if (mask & MAY_EXEC) 2124 av |= FILE__EXECUTE; 2125 if (mask & MAY_READ) 2126 av |= FILE__READ; 2127 2128 if (mask & MAY_APPEND) 2129 av |= FILE__APPEND; 2130 else if (mask & MAY_WRITE) 2131 av |= FILE__WRITE; 2132 2133 } else { 2134 if (mask & MAY_EXEC) 2135 av |= DIR__SEARCH; 2136 if (mask & MAY_WRITE) 2137 av |= DIR__WRITE; 2138 if (mask & MAY_READ) 2139 av |= DIR__READ; 2140 } 2141 2142 return av; 2143 } 2144 2145 /* Convert a Linux file to an access vector. */ 2146 static inline u32 file_to_av(struct file *file) 2147 { 2148 u32 av = 0; 2149 2150 if (file->f_mode & FMODE_READ) 2151 av |= FILE__READ; 2152 if (file->f_mode & FMODE_WRITE) { 2153 if (file->f_flags & O_APPEND) 2154 av |= FILE__APPEND; 2155 else 2156 av |= FILE__WRITE; 2157 } 2158 if (!av) { 2159 /* 2160 * Special file opened with flags 3 for ioctl-only use. 2161 */ 2162 av = FILE__IOCTL; 2163 } 2164 2165 return av; 2166 } 2167 2168 /* 2169 * Convert a file to an access vector and include the correct open 2170 * open permission. 2171 */ 2172 static inline u32 open_file_to_av(struct file *file) 2173 { 2174 u32 av = file_to_av(file); 2175 struct inode *inode = file_inode(file); 2176 2177 if (selinux_policycap_openperm() && 2178 inode->i_sb->s_magic != SOCKFS_MAGIC) 2179 av |= FILE__OPEN; 2180 2181 return av; 2182 } 2183 2184 /* Hook functions begin here. */ 2185 2186 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2187 { 2188 u32 mysid = current_sid(); 2189 u32 mgrsid = task_sid(mgr); 2190 2191 return avc_has_perm(&selinux_state, 2192 mysid, mgrsid, SECCLASS_BINDER, 2193 BINDER__SET_CONTEXT_MGR, NULL); 2194 } 2195 2196 static int selinux_binder_transaction(struct task_struct *from, 2197 struct task_struct *to) 2198 { 2199 u32 mysid = current_sid(); 2200 u32 fromsid = task_sid(from); 2201 u32 tosid = task_sid(to); 2202 int rc; 2203 2204 if (mysid != fromsid) { 2205 rc = avc_has_perm(&selinux_state, 2206 mysid, fromsid, SECCLASS_BINDER, 2207 BINDER__IMPERSONATE, NULL); 2208 if (rc) 2209 return rc; 2210 } 2211 2212 return avc_has_perm(&selinux_state, 2213 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2214 NULL); 2215 } 2216 2217 static int selinux_binder_transfer_binder(struct task_struct *from, 2218 struct task_struct *to) 2219 { 2220 u32 fromsid = task_sid(from); 2221 u32 tosid = task_sid(to); 2222 2223 return avc_has_perm(&selinux_state, 2224 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2225 NULL); 2226 } 2227 2228 static int selinux_binder_transfer_file(struct task_struct *from, 2229 struct task_struct *to, 2230 struct file *file) 2231 { 2232 u32 sid = task_sid(to); 2233 struct file_security_struct *fsec = file->f_security; 2234 struct dentry *dentry = file->f_path.dentry; 2235 struct inode_security_struct *isec; 2236 struct common_audit_data ad; 2237 int rc; 2238 2239 ad.type = LSM_AUDIT_DATA_PATH; 2240 ad.u.path = file->f_path; 2241 2242 if (sid != fsec->sid) { 2243 rc = avc_has_perm(&selinux_state, 2244 sid, fsec->sid, 2245 SECCLASS_FD, 2246 FD__USE, 2247 &ad); 2248 if (rc) 2249 return rc; 2250 } 2251 2252 #ifdef CONFIG_BPF_SYSCALL 2253 rc = bpf_fd_pass(file, sid); 2254 if (rc) 2255 return rc; 2256 #endif 2257 2258 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2259 return 0; 2260 2261 isec = backing_inode_security(dentry); 2262 return avc_has_perm(&selinux_state, 2263 sid, isec->sid, isec->sclass, file_to_av(file), 2264 &ad); 2265 } 2266 2267 static int selinux_ptrace_access_check(struct task_struct *child, 2268 unsigned int mode) 2269 { 2270 u32 sid = current_sid(); 2271 u32 csid = task_sid(child); 2272 2273 if (mode & PTRACE_MODE_READ) 2274 return avc_has_perm(&selinux_state, 2275 sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2276 2277 return avc_has_perm(&selinux_state, 2278 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2279 } 2280 2281 static int selinux_ptrace_traceme(struct task_struct *parent) 2282 { 2283 return avc_has_perm(&selinux_state, 2284 task_sid(parent), current_sid(), SECCLASS_PROCESS, 2285 PROCESS__PTRACE, NULL); 2286 } 2287 2288 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2289 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2290 { 2291 return avc_has_perm(&selinux_state, 2292 current_sid(), task_sid(target), SECCLASS_PROCESS, 2293 PROCESS__GETCAP, NULL); 2294 } 2295 2296 static int selinux_capset(struct cred *new, const struct cred *old, 2297 const kernel_cap_t *effective, 2298 const kernel_cap_t *inheritable, 2299 const kernel_cap_t *permitted) 2300 { 2301 return avc_has_perm(&selinux_state, 2302 cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2303 PROCESS__SETCAP, NULL); 2304 } 2305 2306 /* 2307 * (This comment used to live with the selinux_task_setuid hook, 2308 * which was removed). 2309 * 2310 * Since setuid only affects the current process, and since the SELinux 2311 * controls are not based on the Linux identity attributes, SELinux does not 2312 * need to control this operation. However, SELinux does control the use of 2313 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2314 */ 2315 2316 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2317 int cap, int audit) 2318 { 2319 return cred_has_capability(cred, cap, audit, ns == &init_user_ns); 2320 } 2321 2322 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2323 { 2324 const struct cred *cred = current_cred(); 2325 int rc = 0; 2326 2327 if (!sb) 2328 return 0; 2329 2330 switch (cmds) { 2331 case Q_SYNC: 2332 case Q_QUOTAON: 2333 case Q_QUOTAOFF: 2334 case Q_SETINFO: 2335 case Q_SETQUOTA: 2336 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2337 break; 2338 case Q_GETFMT: 2339 case Q_GETINFO: 2340 case Q_GETQUOTA: 2341 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2342 break; 2343 default: 2344 rc = 0; /* let the kernel handle invalid cmds */ 2345 break; 2346 } 2347 return rc; 2348 } 2349 2350 static int selinux_quota_on(struct dentry *dentry) 2351 { 2352 const struct cred *cred = current_cred(); 2353 2354 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2355 } 2356 2357 static int selinux_syslog(int type) 2358 { 2359 switch (type) { 2360 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2361 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2362 return avc_has_perm(&selinux_state, 2363 current_sid(), SECINITSID_KERNEL, 2364 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2365 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2366 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2367 /* Set level of messages printed to console */ 2368 case SYSLOG_ACTION_CONSOLE_LEVEL: 2369 return avc_has_perm(&selinux_state, 2370 current_sid(), SECINITSID_KERNEL, 2371 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2372 NULL); 2373 } 2374 /* All other syslog types */ 2375 return avc_has_perm(&selinux_state, 2376 current_sid(), SECINITSID_KERNEL, 2377 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2378 } 2379 2380 /* 2381 * Check that a process has enough memory to allocate a new virtual 2382 * mapping. 0 means there is enough memory for the allocation to 2383 * succeed and -ENOMEM implies there is not. 2384 * 2385 * Do not audit the selinux permission check, as this is applied to all 2386 * processes that allocate mappings. 2387 */ 2388 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2389 { 2390 int rc, cap_sys_admin = 0; 2391 2392 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2393 SECURITY_CAP_NOAUDIT, true); 2394 if (rc == 0) 2395 cap_sys_admin = 1; 2396 2397 return cap_sys_admin; 2398 } 2399 2400 /* binprm security operations */ 2401 2402 static u32 ptrace_parent_sid(void) 2403 { 2404 u32 sid = 0; 2405 struct task_struct *tracer; 2406 2407 rcu_read_lock(); 2408 tracer = ptrace_parent(current); 2409 if (tracer) 2410 sid = task_sid(tracer); 2411 rcu_read_unlock(); 2412 2413 return sid; 2414 } 2415 2416 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2417 const struct task_security_struct *old_tsec, 2418 const struct task_security_struct *new_tsec) 2419 { 2420 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2421 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2422 int rc; 2423 u32 av; 2424 2425 if (!nnp && !nosuid) 2426 return 0; /* neither NNP nor nosuid */ 2427 2428 if (new_tsec->sid == old_tsec->sid) 2429 return 0; /* No change in credentials */ 2430 2431 /* 2432 * If the policy enables the nnp_nosuid_transition policy capability, 2433 * then we permit transitions under NNP or nosuid if the 2434 * policy allows the corresponding permission between 2435 * the old and new contexts. 2436 */ 2437 if (selinux_policycap_nnp_nosuid_transition()) { 2438 av = 0; 2439 if (nnp) 2440 av |= PROCESS2__NNP_TRANSITION; 2441 if (nosuid) 2442 av |= PROCESS2__NOSUID_TRANSITION; 2443 rc = avc_has_perm(&selinux_state, 2444 old_tsec->sid, new_tsec->sid, 2445 SECCLASS_PROCESS2, av, NULL); 2446 if (!rc) 2447 return 0; 2448 } 2449 2450 /* 2451 * We also permit NNP or nosuid transitions to bounded SIDs, 2452 * i.e. SIDs that are guaranteed to only be allowed a subset 2453 * of the permissions of the current SID. 2454 */ 2455 rc = security_bounded_transition(&selinux_state, old_tsec->sid, 2456 new_tsec->sid); 2457 if (!rc) 2458 return 0; 2459 2460 /* 2461 * On failure, preserve the errno values for NNP vs nosuid. 2462 * NNP: Operation not permitted for caller. 2463 * nosuid: Permission denied to file. 2464 */ 2465 if (nnp) 2466 return -EPERM; 2467 return -EACCES; 2468 } 2469 2470 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2471 { 2472 const struct task_security_struct *old_tsec; 2473 struct task_security_struct *new_tsec; 2474 struct inode_security_struct *isec; 2475 struct common_audit_data ad; 2476 struct inode *inode = file_inode(bprm->file); 2477 int rc; 2478 2479 /* SELinux context only depends on initial program or script and not 2480 * the script interpreter */ 2481 if (bprm->called_set_creds) 2482 return 0; 2483 2484 old_tsec = current_security(); 2485 new_tsec = bprm->cred->security; 2486 isec = inode_security(inode); 2487 2488 /* Default to the current task SID. */ 2489 new_tsec->sid = old_tsec->sid; 2490 new_tsec->osid = old_tsec->sid; 2491 2492 /* Reset fs, key, and sock SIDs on execve. */ 2493 new_tsec->create_sid = 0; 2494 new_tsec->keycreate_sid = 0; 2495 new_tsec->sockcreate_sid = 0; 2496 2497 if (old_tsec->exec_sid) { 2498 new_tsec->sid = old_tsec->exec_sid; 2499 /* Reset exec SID on execve. */ 2500 new_tsec->exec_sid = 0; 2501 2502 /* Fail on NNP or nosuid if not an allowed transition. */ 2503 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2504 if (rc) 2505 return rc; 2506 } else { 2507 /* Check for a default transition on this program. */ 2508 rc = security_transition_sid(&selinux_state, old_tsec->sid, 2509 isec->sid, SECCLASS_PROCESS, NULL, 2510 &new_tsec->sid); 2511 if (rc) 2512 return rc; 2513 2514 /* 2515 * Fallback to old SID on NNP or nosuid if not an allowed 2516 * transition. 2517 */ 2518 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2519 if (rc) 2520 new_tsec->sid = old_tsec->sid; 2521 } 2522 2523 ad.type = LSM_AUDIT_DATA_FILE; 2524 ad.u.file = bprm->file; 2525 2526 if (new_tsec->sid == old_tsec->sid) { 2527 rc = avc_has_perm(&selinux_state, 2528 old_tsec->sid, isec->sid, 2529 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2530 if (rc) 2531 return rc; 2532 } else { 2533 /* Check permissions for the transition. */ 2534 rc = avc_has_perm(&selinux_state, 2535 old_tsec->sid, new_tsec->sid, 2536 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2537 if (rc) 2538 return rc; 2539 2540 rc = avc_has_perm(&selinux_state, 2541 new_tsec->sid, isec->sid, 2542 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2543 if (rc) 2544 return rc; 2545 2546 /* Check for shared state */ 2547 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2548 rc = avc_has_perm(&selinux_state, 2549 old_tsec->sid, new_tsec->sid, 2550 SECCLASS_PROCESS, PROCESS__SHARE, 2551 NULL); 2552 if (rc) 2553 return -EPERM; 2554 } 2555 2556 /* Make sure that anyone attempting to ptrace over a task that 2557 * changes its SID has the appropriate permit */ 2558 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2559 u32 ptsid = ptrace_parent_sid(); 2560 if (ptsid != 0) { 2561 rc = avc_has_perm(&selinux_state, 2562 ptsid, new_tsec->sid, 2563 SECCLASS_PROCESS, 2564 PROCESS__PTRACE, NULL); 2565 if (rc) 2566 return -EPERM; 2567 } 2568 } 2569 2570 /* Clear any possibly unsafe personality bits on exec: */ 2571 bprm->per_clear |= PER_CLEAR_ON_SETID; 2572 2573 /* Enable secure mode for SIDs transitions unless 2574 the noatsecure permission is granted between 2575 the two SIDs, i.e. ahp returns 0. */ 2576 rc = avc_has_perm(&selinux_state, 2577 old_tsec->sid, new_tsec->sid, 2578 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2579 NULL); 2580 bprm->secureexec |= !!rc; 2581 } 2582 2583 return 0; 2584 } 2585 2586 static int match_file(const void *p, struct file *file, unsigned fd) 2587 { 2588 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2589 } 2590 2591 /* Derived from fs/exec.c:flush_old_files. */ 2592 static inline void flush_unauthorized_files(const struct cred *cred, 2593 struct files_struct *files) 2594 { 2595 struct file *file, *devnull = NULL; 2596 struct tty_struct *tty; 2597 int drop_tty = 0; 2598 unsigned n; 2599 2600 tty = get_current_tty(); 2601 if (tty) { 2602 spin_lock(&tty->files_lock); 2603 if (!list_empty(&tty->tty_files)) { 2604 struct tty_file_private *file_priv; 2605 2606 /* Revalidate access to controlling tty. 2607 Use file_path_has_perm on the tty path directly 2608 rather than using file_has_perm, as this particular 2609 open file may belong to another process and we are 2610 only interested in the inode-based check here. */ 2611 file_priv = list_first_entry(&tty->tty_files, 2612 struct tty_file_private, list); 2613 file = file_priv->file; 2614 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2615 drop_tty = 1; 2616 } 2617 spin_unlock(&tty->files_lock); 2618 tty_kref_put(tty); 2619 } 2620 /* Reset controlling tty. */ 2621 if (drop_tty) 2622 no_tty(); 2623 2624 /* Revalidate access to inherited open files. */ 2625 n = iterate_fd(files, 0, match_file, cred); 2626 if (!n) /* none found? */ 2627 return; 2628 2629 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2630 if (IS_ERR(devnull)) 2631 devnull = NULL; 2632 /* replace all the matching ones with this */ 2633 do { 2634 replace_fd(n - 1, devnull, 0); 2635 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2636 if (devnull) 2637 fput(devnull); 2638 } 2639 2640 /* 2641 * Prepare a process for imminent new credential changes due to exec 2642 */ 2643 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2644 { 2645 struct task_security_struct *new_tsec; 2646 struct rlimit *rlim, *initrlim; 2647 int rc, i; 2648 2649 new_tsec = bprm->cred->security; 2650 if (new_tsec->sid == new_tsec->osid) 2651 return; 2652 2653 /* Close files for which the new task SID is not authorized. */ 2654 flush_unauthorized_files(bprm->cred, current->files); 2655 2656 /* Always clear parent death signal on SID transitions. */ 2657 current->pdeath_signal = 0; 2658 2659 /* Check whether the new SID can inherit resource limits from the old 2660 * SID. If not, reset all soft limits to the lower of the current 2661 * task's hard limit and the init task's soft limit. 2662 * 2663 * Note that the setting of hard limits (even to lower them) can be 2664 * controlled by the setrlimit check. The inclusion of the init task's 2665 * soft limit into the computation is to avoid resetting soft limits 2666 * higher than the default soft limit for cases where the default is 2667 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2668 */ 2669 rc = avc_has_perm(&selinux_state, 2670 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2671 PROCESS__RLIMITINH, NULL); 2672 if (rc) { 2673 /* protect against do_prlimit() */ 2674 task_lock(current); 2675 for (i = 0; i < RLIM_NLIMITS; i++) { 2676 rlim = current->signal->rlim + i; 2677 initrlim = init_task.signal->rlim + i; 2678 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2679 } 2680 task_unlock(current); 2681 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2682 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2683 } 2684 } 2685 2686 /* 2687 * Clean up the process immediately after the installation of new credentials 2688 * due to exec 2689 */ 2690 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2691 { 2692 const struct task_security_struct *tsec = current_security(); 2693 struct itimerval itimer; 2694 u32 osid, sid; 2695 int rc, i; 2696 2697 osid = tsec->osid; 2698 sid = tsec->sid; 2699 2700 if (sid == osid) 2701 return; 2702 2703 /* Check whether the new SID can inherit signal state from the old SID. 2704 * If not, clear itimers to avoid subsequent signal generation and 2705 * flush and unblock signals. 2706 * 2707 * This must occur _after_ the task SID has been updated so that any 2708 * kill done after the flush will be checked against the new SID. 2709 */ 2710 rc = avc_has_perm(&selinux_state, 2711 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2712 if (rc) { 2713 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2714 memset(&itimer, 0, sizeof itimer); 2715 for (i = 0; i < 3; i++) 2716 do_setitimer(i, &itimer, NULL); 2717 } 2718 spin_lock_irq(¤t->sighand->siglock); 2719 if (!fatal_signal_pending(current)) { 2720 flush_sigqueue(¤t->pending); 2721 flush_sigqueue(¤t->signal->shared_pending); 2722 flush_signal_handlers(current, 1); 2723 sigemptyset(¤t->blocked); 2724 recalc_sigpending(); 2725 } 2726 spin_unlock_irq(¤t->sighand->siglock); 2727 } 2728 2729 /* Wake up the parent if it is waiting so that it can recheck 2730 * wait permission to the new task SID. */ 2731 read_lock(&tasklist_lock); 2732 __wake_up_parent(current, current->real_parent); 2733 read_unlock(&tasklist_lock); 2734 } 2735 2736 /* superblock security operations */ 2737 2738 static int selinux_sb_alloc_security(struct super_block *sb) 2739 { 2740 return superblock_alloc_security(sb); 2741 } 2742 2743 static void selinux_sb_free_security(struct super_block *sb) 2744 { 2745 superblock_free_security(sb); 2746 } 2747 2748 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2749 { 2750 if (plen > olen) 2751 return 0; 2752 2753 return !memcmp(prefix, option, plen); 2754 } 2755 2756 static inline int selinux_option(char *option, int len) 2757 { 2758 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2759 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2760 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2761 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || 2762 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); 2763 } 2764 2765 static inline void take_option(char **to, char *from, int *first, int len) 2766 { 2767 if (!*first) { 2768 **to = ','; 2769 *to += 1; 2770 } else 2771 *first = 0; 2772 memcpy(*to, from, len); 2773 *to += len; 2774 } 2775 2776 static inline void take_selinux_option(char **to, char *from, int *first, 2777 int len) 2778 { 2779 int current_size = 0; 2780 2781 if (!*first) { 2782 **to = '|'; 2783 *to += 1; 2784 } else 2785 *first = 0; 2786 2787 while (current_size < len) { 2788 if (*from != '"') { 2789 **to = *from; 2790 *to += 1; 2791 } 2792 from += 1; 2793 current_size += 1; 2794 } 2795 } 2796 2797 static int selinux_sb_copy_data(char *orig, char *copy) 2798 { 2799 int fnosec, fsec, rc = 0; 2800 char *in_save, *in_curr, *in_end; 2801 char *sec_curr, *nosec_save, *nosec; 2802 int open_quote = 0; 2803 2804 in_curr = orig; 2805 sec_curr = copy; 2806 2807 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2808 if (!nosec) { 2809 rc = -ENOMEM; 2810 goto out; 2811 } 2812 2813 nosec_save = nosec; 2814 fnosec = fsec = 1; 2815 in_save = in_end = orig; 2816 2817 do { 2818 if (*in_end == '"') 2819 open_quote = !open_quote; 2820 if ((*in_end == ',' && open_quote == 0) || 2821 *in_end == '\0') { 2822 int len = in_end - in_curr; 2823 2824 if (selinux_option(in_curr, len)) 2825 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2826 else 2827 take_option(&nosec, in_curr, &fnosec, len); 2828 2829 in_curr = in_end + 1; 2830 } 2831 } while (*in_end++); 2832 2833 strcpy(in_save, nosec_save); 2834 free_page((unsigned long)nosec_save); 2835 out: 2836 return rc; 2837 } 2838 2839 static int selinux_sb_remount(struct super_block *sb, void *data) 2840 { 2841 int rc, i, *flags; 2842 struct security_mnt_opts opts; 2843 char *secdata, **mount_options; 2844 struct superblock_security_struct *sbsec = sb->s_security; 2845 2846 if (!(sbsec->flags & SE_SBINITIALIZED)) 2847 return 0; 2848 2849 if (!data) 2850 return 0; 2851 2852 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 2853 return 0; 2854 2855 security_init_mnt_opts(&opts); 2856 secdata = alloc_secdata(); 2857 if (!secdata) 2858 return -ENOMEM; 2859 rc = selinux_sb_copy_data(data, secdata); 2860 if (rc) 2861 goto out_free_secdata; 2862 2863 rc = selinux_parse_opts_str(secdata, &opts); 2864 if (rc) 2865 goto out_free_secdata; 2866 2867 mount_options = opts.mnt_opts; 2868 flags = opts.mnt_opts_flags; 2869 2870 for (i = 0; i < opts.num_mnt_opts; i++) { 2871 u32 sid; 2872 2873 if (flags[i] == SBLABEL_MNT) 2874 continue; 2875 rc = security_context_str_to_sid(&selinux_state, 2876 mount_options[i], &sid, 2877 GFP_KERNEL); 2878 if (rc) { 2879 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 2880 "(%s) failed for (dev %s, type %s) errno=%d\n", 2881 mount_options[i], sb->s_id, sb->s_type->name, rc); 2882 goto out_free_opts; 2883 } 2884 rc = -EINVAL; 2885 switch (flags[i]) { 2886 case FSCONTEXT_MNT: 2887 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2888 goto out_bad_option; 2889 break; 2890 case CONTEXT_MNT: 2891 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2892 goto out_bad_option; 2893 break; 2894 case ROOTCONTEXT_MNT: { 2895 struct inode_security_struct *root_isec; 2896 root_isec = backing_inode_security(sb->s_root); 2897 2898 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2899 goto out_bad_option; 2900 break; 2901 } 2902 case DEFCONTEXT_MNT: 2903 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2904 goto out_bad_option; 2905 break; 2906 default: 2907 goto out_free_opts; 2908 } 2909 } 2910 2911 rc = 0; 2912 out_free_opts: 2913 security_free_mnt_opts(&opts); 2914 out_free_secdata: 2915 free_secdata(secdata); 2916 return rc; 2917 out_bad_option: 2918 printk(KERN_WARNING "SELinux: unable to change security options " 2919 "during remount (dev %s, type=%s)\n", sb->s_id, 2920 sb->s_type->name); 2921 goto out_free_opts; 2922 } 2923 2924 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2925 { 2926 const struct cred *cred = current_cred(); 2927 struct common_audit_data ad; 2928 int rc; 2929 2930 rc = superblock_doinit(sb, data); 2931 if (rc) 2932 return rc; 2933 2934 /* Allow all mounts performed by the kernel */ 2935 if (flags & MS_KERNMOUNT) 2936 return 0; 2937 2938 ad.type = LSM_AUDIT_DATA_DENTRY; 2939 ad.u.dentry = sb->s_root; 2940 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2941 } 2942 2943 static int selinux_sb_statfs(struct dentry *dentry) 2944 { 2945 const struct cred *cred = current_cred(); 2946 struct common_audit_data ad; 2947 2948 ad.type = LSM_AUDIT_DATA_DENTRY; 2949 ad.u.dentry = dentry->d_sb->s_root; 2950 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2951 } 2952 2953 static int selinux_mount(const char *dev_name, 2954 const struct path *path, 2955 const char *type, 2956 unsigned long flags, 2957 void *data) 2958 { 2959 const struct cred *cred = current_cred(); 2960 2961 if (flags & MS_REMOUNT) 2962 return superblock_has_perm(cred, path->dentry->d_sb, 2963 FILESYSTEM__REMOUNT, NULL); 2964 else 2965 return path_has_perm(cred, path, FILE__MOUNTON); 2966 } 2967 2968 static int selinux_umount(struct vfsmount *mnt, int flags) 2969 { 2970 const struct cred *cred = current_cred(); 2971 2972 return superblock_has_perm(cred, mnt->mnt_sb, 2973 FILESYSTEM__UNMOUNT, NULL); 2974 } 2975 2976 /* inode security operations */ 2977 2978 static int selinux_inode_alloc_security(struct inode *inode) 2979 { 2980 return inode_alloc_security(inode); 2981 } 2982 2983 static void selinux_inode_free_security(struct inode *inode) 2984 { 2985 inode_free_security(inode); 2986 } 2987 2988 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2989 const struct qstr *name, void **ctx, 2990 u32 *ctxlen) 2991 { 2992 u32 newsid; 2993 int rc; 2994 2995 rc = selinux_determine_inode_label(current_security(), 2996 d_inode(dentry->d_parent), name, 2997 inode_mode_to_security_class(mode), 2998 &newsid); 2999 if (rc) 3000 return rc; 3001 3002 return security_sid_to_context(&selinux_state, newsid, (char **)ctx, 3003 ctxlen); 3004 } 3005 3006 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 3007 struct qstr *name, 3008 const struct cred *old, 3009 struct cred *new) 3010 { 3011 u32 newsid; 3012 int rc; 3013 struct task_security_struct *tsec; 3014 3015 rc = selinux_determine_inode_label(old->security, 3016 d_inode(dentry->d_parent), name, 3017 inode_mode_to_security_class(mode), 3018 &newsid); 3019 if (rc) 3020 return rc; 3021 3022 tsec = new->security; 3023 tsec->create_sid = newsid; 3024 return 0; 3025 } 3026 3027 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 3028 const struct qstr *qstr, 3029 const char **name, 3030 void **value, size_t *len) 3031 { 3032 const struct task_security_struct *tsec = current_security(); 3033 struct superblock_security_struct *sbsec; 3034 u32 newsid, clen; 3035 int rc; 3036 char *context; 3037 3038 sbsec = dir->i_sb->s_security; 3039 3040 newsid = tsec->create_sid; 3041 3042 rc = selinux_determine_inode_label(current_security(), 3043 dir, qstr, 3044 inode_mode_to_security_class(inode->i_mode), 3045 &newsid); 3046 if (rc) 3047 return rc; 3048 3049 /* Possibly defer initialization to selinux_complete_init. */ 3050 if (sbsec->flags & SE_SBINITIALIZED) { 3051 struct inode_security_struct *isec = inode->i_security; 3052 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3053 isec->sid = newsid; 3054 isec->initialized = LABEL_INITIALIZED; 3055 } 3056 3057 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT)) 3058 return -EOPNOTSUPP; 3059 3060 if (name) 3061 *name = XATTR_SELINUX_SUFFIX; 3062 3063 if (value && len) { 3064 rc = security_sid_to_context_force(&selinux_state, newsid, 3065 &context, &clen); 3066 if (rc) 3067 return rc; 3068 *value = context; 3069 *len = clen; 3070 } 3071 3072 return 0; 3073 } 3074 3075 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 3076 { 3077 return may_create(dir, dentry, SECCLASS_FILE); 3078 } 3079 3080 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 3081 { 3082 return may_link(dir, old_dentry, MAY_LINK); 3083 } 3084 3085 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 3086 { 3087 return may_link(dir, dentry, MAY_UNLINK); 3088 } 3089 3090 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 3091 { 3092 return may_create(dir, dentry, SECCLASS_LNK_FILE); 3093 } 3094 3095 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 3096 { 3097 return may_create(dir, dentry, SECCLASS_DIR); 3098 } 3099 3100 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 3101 { 3102 return may_link(dir, dentry, MAY_RMDIR); 3103 } 3104 3105 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 3106 { 3107 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 3108 } 3109 3110 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3111 struct inode *new_inode, struct dentry *new_dentry) 3112 { 3113 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3114 } 3115 3116 static int selinux_inode_readlink(struct dentry *dentry) 3117 { 3118 const struct cred *cred = current_cred(); 3119 3120 return dentry_has_perm(cred, dentry, FILE__READ); 3121 } 3122 3123 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3124 bool rcu) 3125 { 3126 const struct cred *cred = current_cred(); 3127 struct common_audit_data ad; 3128 struct inode_security_struct *isec; 3129 u32 sid; 3130 3131 validate_creds(cred); 3132 3133 ad.type = LSM_AUDIT_DATA_DENTRY; 3134 ad.u.dentry = dentry; 3135 sid = cred_sid(cred); 3136 isec = inode_security_rcu(inode, rcu); 3137 if (IS_ERR(isec)) 3138 return PTR_ERR(isec); 3139 3140 return avc_has_perm_flags(&selinux_state, 3141 sid, isec->sid, isec->sclass, FILE__READ, &ad, 3142 rcu ? MAY_NOT_BLOCK : 0); 3143 } 3144 3145 static noinline int audit_inode_permission(struct inode *inode, 3146 u32 perms, u32 audited, u32 denied, 3147 int result, 3148 unsigned flags) 3149 { 3150 struct common_audit_data ad; 3151 struct inode_security_struct *isec = inode->i_security; 3152 int rc; 3153 3154 ad.type = LSM_AUDIT_DATA_INODE; 3155 ad.u.inode = inode; 3156 3157 rc = slow_avc_audit(&selinux_state, 3158 current_sid(), isec->sid, isec->sclass, perms, 3159 audited, denied, result, &ad, flags); 3160 if (rc) 3161 return rc; 3162 return 0; 3163 } 3164 3165 static int selinux_inode_permission(struct inode *inode, int mask) 3166 { 3167 const struct cred *cred = current_cred(); 3168 u32 perms; 3169 bool from_access; 3170 unsigned flags = mask & MAY_NOT_BLOCK; 3171 struct inode_security_struct *isec; 3172 u32 sid; 3173 struct av_decision avd; 3174 int rc, rc2; 3175 u32 audited, denied; 3176 3177 from_access = mask & MAY_ACCESS; 3178 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3179 3180 /* No permission to check. Existence test. */ 3181 if (!mask) 3182 return 0; 3183 3184 validate_creds(cred); 3185 3186 if (unlikely(IS_PRIVATE(inode))) 3187 return 0; 3188 3189 perms = file_mask_to_av(inode->i_mode, mask); 3190 3191 sid = cred_sid(cred); 3192 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK); 3193 if (IS_ERR(isec)) 3194 return PTR_ERR(isec); 3195 3196 rc = avc_has_perm_noaudit(&selinux_state, 3197 sid, isec->sid, isec->sclass, perms, 0, &avd); 3198 audited = avc_audit_required(perms, &avd, rc, 3199 from_access ? FILE__AUDIT_ACCESS : 0, 3200 &denied); 3201 if (likely(!audited)) 3202 return rc; 3203 3204 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); 3205 if (rc2) 3206 return rc2; 3207 return rc; 3208 } 3209 3210 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3211 { 3212 const struct cred *cred = current_cred(); 3213 struct inode *inode = d_backing_inode(dentry); 3214 unsigned int ia_valid = iattr->ia_valid; 3215 __u32 av = FILE__WRITE; 3216 3217 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3218 if (ia_valid & ATTR_FORCE) { 3219 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3220 ATTR_FORCE); 3221 if (!ia_valid) 3222 return 0; 3223 } 3224 3225 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3226 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3227 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3228 3229 if (selinux_policycap_openperm() && 3230 inode->i_sb->s_magic != SOCKFS_MAGIC && 3231 (ia_valid & ATTR_SIZE) && 3232 !(ia_valid & ATTR_FILE)) 3233 av |= FILE__OPEN; 3234 3235 return dentry_has_perm(cred, dentry, av); 3236 } 3237 3238 static int selinux_inode_getattr(const struct path *path) 3239 { 3240 return path_has_perm(current_cred(), path, FILE__GETATTR); 3241 } 3242 3243 static bool has_cap_mac_admin(bool audit) 3244 { 3245 const struct cred *cred = current_cred(); 3246 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT; 3247 3248 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit)) 3249 return false; 3250 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true)) 3251 return false; 3252 return true; 3253 } 3254 3255 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3256 const void *value, size_t size, int flags) 3257 { 3258 struct inode *inode = d_backing_inode(dentry); 3259 struct inode_security_struct *isec; 3260 struct superblock_security_struct *sbsec; 3261 struct common_audit_data ad; 3262 u32 newsid, sid = current_sid(); 3263 int rc = 0; 3264 3265 if (strcmp(name, XATTR_NAME_SELINUX)) { 3266 rc = cap_inode_setxattr(dentry, name, value, size, flags); 3267 if (rc) 3268 return rc; 3269 3270 /* Not an attribute we recognize, so just check the 3271 ordinary setattr permission. */ 3272 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3273 } 3274 3275 sbsec = inode->i_sb->s_security; 3276 if (!(sbsec->flags & SBLABEL_MNT)) 3277 return -EOPNOTSUPP; 3278 3279 if (!inode_owner_or_capable(inode)) 3280 return -EPERM; 3281 3282 ad.type = LSM_AUDIT_DATA_DENTRY; 3283 ad.u.dentry = dentry; 3284 3285 isec = backing_inode_security(dentry); 3286 rc = avc_has_perm(&selinux_state, 3287 sid, isec->sid, isec->sclass, 3288 FILE__RELABELFROM, &ad); 3289 if (rc) 3290 return rc; 3291 3292 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3293 GFP_KERNEL); 3294 if (rc == -EINVAL) { 3295 if (!has_cap_mac_admin(true)) { 3296 struct audit_buffer *ab; 3297 size_t audit_size; 3298 3299 /* We strip a nul only if it is at the end, otherwise the 3300 * context contains a nul and we should audit that */ 3301 if (value) { 3302 const char *str = value; 3303 3304 if (str[size - 1] == '\0') 3305 audit_size = size - 1; 3306 else 3307 audit_size = size; 3308 } else { 3309 audit_size = 0; 3310 } 3311 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 3312 audit_log_format(ab, "op=setxattr invalid_context="); 3313 audit_log_n_untrustedstring(ab, value, audit_size); 3314 audit_log_end(ab); 3315 3316 return rc; 3317 } 3318 rc = security_context_to_sid_force(&selinux_state, value, 3319 size, &newsid); 3320 } 3321 if (rc) 3322 return rc; 3323 3324 rc = avc_has_perm(&selinux_state, 3325 sid, newsid, isec->sclass, 3326 FILE__RELABELTO, &ad); 3327 if (rc) 3328 return rc; 3329 3330 rc = security_validate_transition(&selinux_state, isec->sid, newsid, 3331 sid, isec->sclass); 3332 if (rc) 3333 return rc; 3334 3335 return avc_has_perm(&selinux_state, 3336 newsid, 3337 sbsec->sid, 3338 SECCLASS_FILESYSTEM, 3339 FILESYSTEM__ASSOCIATE, 3340 &ad); 3341 } 3342 3343 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3344 const void *value, size_t size, 3345 int flags) 3346 { 3347 struct inode *inode = d_backing_inode(dentry); 3348 struct inode_security_struct *isec; 3349 u32 newsid; 3350 int rc; 3351 3352 if (strcmp(name, XATTR_NAME_SELINUX)) { 3353 /* Not an attribute we recognize, so nothing to do. */ 3354 return; 3355 } 3356 3357 rc = security_context_to_sid_force(&selinux_state, value, size, 3358 &newsid); 3359 if (rc) { 3360 printk(KERN_ERR "SELinux: unable to map context to SID" 3361 "for (%s, %lu), rc=%d\n", 3362 inode->i_sb->s_id, inode->i_ino, -rc); 3363 return; 3364 } 3365 3366 isec = backing_inode_security(dentry); 3367 spin_lock(&isec->lock); 3368 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3369 isec->sid = newsid; 3370 isec->initialized = LABEL_INITIALIZED; 3371 spin_unlock(&isec->lock); 3372 3373 return; 3374 } 3375 3376 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3377 { 3378 const struct cred *cred = current_cred(); 3379 3380 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3381 } 3382 3383 static int selinux_inode_listxattr(struct dentry *dentry) 3384 { 3385 const struct cred *cred = current_cred(); 3386 3387 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3388 } 3389 3390 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3391 { 3392 if (strcmp(name, XATTR_NAME_SELINUX)) { 3393 int rc = cap_inode_removexattr(dentry, name); 3394 if (rc) 3395 return rc; 3396 3397 /* Not an attribute we recognize, so just check the 3398 ordinary setattr permission. */ 3399 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3400 } 3401 3402 /* No one is allowed to remove a SELinux security label. 3403 You can change the label, but all data must be labeled. */ 3404 return -EACCES; 3405 } 3406 3407 /* 3408 * Copy the inode security context value to the user. 3409 * 3410 * Permission check is handled by selinux_inode_getxattr hook. 3411 */ 3412 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3413 { 3414 u32 size; 3415 int error; 3416 char *context = NULL; 3417 struct inode_security_struct *isec; 3418 3419 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3420 return -EOPNOTSUPP; 3421 3422 /* 3423 * If the caller has CAP_MAC_ADMIN, then get the raw context 3424 * value even if it is not defined by current policy; otherwise, 3425 * use the in-core value under current policy. 3426 * Use the non-auditing forms of the permission checks since 3427 * getxattr may be called by unprivileged processes commonly 3428 * and lack of permission just means that we fall back to the 3429 * in-core context value, not a denial. 3430 */ 3431 isec = inode_security(inode); 3432 if (has_cap_mac_admin(false)) 3433 error = security_sid_to_context_force(&selinux_state, 3434 isec->sid, &context, 3435 &size); 3436 else 3437 error = security_sid_to_context(&selinux_state, isec->sid, 3438 &context, &size); 3439 if (error) 3440 return error; 3441 error = size; 3442 if (alloc) { 3443 *buffer = context; 3444 goto out_nofree; 3445 } 3446 kfree(context); 3447 out_nofree: 3448 return error; 3449 } 3450 3451 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3452 const void *value, size_t size, int flags) 3453 { 3454 struct inode_security_struct *isec = inode_security_novalidate(inode); 3455 u32 newsid; 3456 int rc; 3457 3458 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3459 return -EOPNOTSUPP; 3460 3461 if (!value || !size) 3462 return -EACCES; 3463 3464 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3465 GFP_KERNEL); 3466 if (rc) 3467 return rc; 3468 3469 spin_lock(&isec->lock); 3470 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3471 isec->sid = newsid; 3472 isec->initialized = LABEL_INITIALIZED; 3473 spin_unlock(&isec->lock); 3474 return 0; 3475 } 3476 3477 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3478 { 3479 const int len = sizeof(XATTR_NAME_SELINUX); 3480 if (buffer && len <= buffer_size) 3481 memcpy(buffer, XATTR_NAME_SELINUX, len); 3482 return len; 3483 } 3484 3485 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3486 { 3487 struct inode_security_struct *isec = inode_security_novalidate(inode); 3488 *secid = isec->sid; 3489 } 3490 3491 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3492 { 3493 u32 sid; 3494 struct task_security_struct *tsec; 3495 struct cred *new_creds = *new; 3496 3497 if (new_creds == NULL) { 3498 new_creds = prepare_creds(); 3499 if (!new_creds) 3500 return -ENOMEM; 3501 } 3502 3503 tsec = new_creds->security; 3504 /* Get label from overlay inode and set it in create_sid */ 3505 selinux_inode_getsecid(d_inode(src), &sid); 3506 tsec->create_sid = sid; 3507 *new = new_creds; 3508 return 0; 3509 } 3510 3511 static int selinux_inode_copy_up_xattr(const char *name) 3512 { 3513 /* The copy_up hook above sets the initial context on an inode, but we 3514 * don't then want to overwrite it by blindly copying all the lower 3515 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3516 */ 3517 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3518 return 1; /* Discard */ 3519 /* 3520 * Any other attribute apart from SELINUX is not claimed, supported 3521 * by selinux. 3522 */ 3523 return -EOPNOTSUPP; 3524 } 3525 3526 /* file security operations */ 3527 3528 static int selinux_revalidate_file_permission(struct file *file, int mask) 3529 { 3530 const struct cred *cred = current_cred(); 3531 struct inode *inode = file_inode(file); 3532 3533 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3534 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3535 mask |= MAY_APPEND; 3536 3537 return file_has_perm(cred, file, 3538 file_mask_to_av(inode->i_mode, mask)); 3539 } 3540 3541 static int selinux_file_permission(struct file *file, int mask) 3542 { 3543 struct inode *inode = file_inode(file); 3544 struct file_security_struct *fsec = file->f_security; 3545 struct inode_security_struct *isec; 3546 u32 sid = current_sid(); 3547 3548 if (!mask) 3549 /* No permission to check. Existence test. */ 3550 return 0; 3551 3552 isec = inode_security(inode); 3553 if (sid == fsec->sid && fsec->isid == isec->sid && 3554 fsec->pseqno == avc_policy_seqno(&selinux_state)) 3555 /* No change since file_open check. */ 3556 return 0; 3557 3558 return selinux_revalidate_file_permission(file, mask); 3559 } 3560 3561 static int selinux_file_alloc_security(struct file *file) 3562 { 3563 return file_alloc_security(file); 3564 } 3565 3566 static void selinux_file_free_security(struct file *file) 3567 { 3568 file_free_security(file); 3569 } 3570 3571 /* 3572 * Check whether a task has the ioctl permission and cmd 3573 * operation to an inode. 3574 */ 3575 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3576 u32 requested, u16 cmd) 3577 { 3578 struct common_audit_data ad; 3579 struct file_security_struct *fsec = file->f_security; 3580 struct inode *inode = file_inode(file); 3581 struct inode_security_struct *isec; 3582 struct lsm_ioctlop_audit ioctl; 3583 u32 ssid = cred_sid(cred); 3584 int rc; 3585 u8 driver = cmd >> 8; 3586 u8 xperm = cmd & 0xff; 3587 3588 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3589 ad.u.op = &ioctl; 3590 ad.u.op->cmd = cmd; 3591 ad.u.op->path = file->f_path; 3592 3593 if (ssid != fsec->sid) { 3594 rc = avc_has_perm(&selinux_state, 3595 ssid, fsec->sid, 3596 SECCLASS_FD, 3597 FD__USE, 3598 &ad); 3599 if (rc) 3600 goto out; 3601 } 3602 3603 if (unlikely(IS_PRIVATE(inode))) 3604 return 0; 3605 3606 isec = inode_security(inode); 3607 rc = avc_has_extended_perms(&selinux_state, 3608 ssid, isec->sid, isec->sclass, 3609 requested, driver, xperm, &ad); 3610 out: 3611 return rc; 3612 } 3613 3614 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3615 unsigned long arg) 3616 { 3617 const struct cred *cred = current_cred(); 3618 int error = 0; 3619 3620 switch (cmd) { 3621 case FIONREAD: 3622 /* fall through */ 3623 case FIBMAP: 3624 /* fall through */ 3625 case FIGETBSZ: 3626 /* fall through */ 3627 case FS_IOC_GETFLAGS: 3628 /* fall through */ 3629 case FS_IOC_GETVERSION: 3630 error = file_has_perm(cred, file, FILE__GETATTR); 3631 break; 3632 3633 case FS_IOC_SETFLAGS: 3634 /* fall through */ 3635 case FS_IOC_SETVERSION: 3636 error = file_has_perm(cred, file, FILE__SETATTR); 3637 break; 3638 3639 /* sys_ioctl() checks */ 3640 case FIONBIO: 3641 /* fall through */ 3642 case FIOASYNC: 3643 error = file_has_perm(cred, file, 0); 3644 break; 3645 3646 case KDSKBENT: 3647 case KDSKBSENT: 3648 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3649 SECURITY_CAP_AUDIT, true); 3650 break; 3651 3652 /* default case assumes that the command will go 3653 * to the file's ioctl() function. 3654 */ 3655 default: 3656 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3657 } 3658 return error; 3659 } 3660 3661 static int default_noexec; 3662 3663 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3664 { 3665 const struct cred *cred = current_cred(); 3666 u32 sid = cred_sid(cred); 3667 int rc = 0; 3668 3669 if (default_noexec && 3670 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3671 (!shared && (prot & PROT_WRITE)))) { 3672 /* 3673 * We are making executable an anonymous mapping or a 3674 * private file mapping that will also be writable. 3675 * This has an additional check. 3676 */ 3677 rc = avc_has_perm(&selinux_state, 3678 sid, sid, SECCLASS_PROCESS, 3679 PROCESS__EXECMEM, NULL); 3680 if (rc) 3681 goto error; 3682 } 3683 3684 if (file) { 3685 /* read access is always possible with a mapping */ 3686 u32 av = FILE__READ; 3687 3688 /* write access only matters if the mapping is shared */ 3689 if (shared && (prot & PROT_WRITE)) 3690 av |= FILE__WRITE; 3691 3692 if (prot & PROT_EXEC) 3693 av |= FILE__EXECUTE; 3694 3695 return file_has_perm(cred, file, av); 3696 } 3697 3698 error: 3699 return rc; 3700 } 3701 3702 static int selinux_mmap_addr(unsigned long addr) 3703 { 3704 int rc = 0; 3705 3706 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3707 u32 sid = current_sid(); 3708 rc = avc_has_perm(&selinux_state, 3709 sid, sid, SECCLASS_MEMPROTECT, 3710 MEMPROTECT__MMAP_ZERO, NULL); 3711 } 3712 3713 return rc; 3714 } 3715 3716 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3717 unsigned long prot, unsigned long flags) 3718 { 3719 struct common_audit_data ad; 3720 int rc; 3721 3722 if (file) { 3723 ad.type = LSM_AUDIT_DATA_FILE; 3724 ad.u.file = file; 3725 rc = inode_has_perm(current_cred(), file_inode(file), 3726 FILE__MAP, &ad); 3727 if (rc) 3728 return rc; 3729 } 3730 3731 if (selinux_state.checkreqprot) 3732 prot = reqprot; 3733 3734 return file_map_prot_check(file, prot, 3735 (flags & MAP_TYPE) == MAP_SHARED); 3736 } 3737 3738 static int selinux_file_mprotect(struct vm_area_struct *vma, 3739 unsigned long reqprot, 3740 unsigned long prot) 3741 { 3742 const struct cred *cred = current_cred(); 3743 u32 sid = cred_sid(cred); 3744 3745 if (selinux_state.checkreqprot) 3746 prot = reqprot; 3747 3748 if (default_noexec && 3749 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3750 int rc = 0; 3751 if (vma->vm_start >= vma->vm_mm->start_brk && 3752 vma->vm_end <= vma->vm_mm->brk) { 3753 rc = avc_has_perm(&selinux_state, 3754 sid, sid, SECCLASS_PROCESS, 3755 PROCESS__EXECHEAP, NULL); 3756 } else if (!vma->vm_file && 3757 ((vma->vm_start <= vma->vm_mm->start_stack && 3758 vma->vm_end >= vma->vm_mm->start_stack) || 3759 vma_is_stack_for_current(vma))) { 3760 rc = avc_has_perm(&selinux_state, 3761 sid, sid, SECCLASS_PROCESS, 3762 PROCESS__EXECSTACK, NULL); 3763 } else if (vma->vm_file && vma->anon_vma) { 3764 /* 3765 * We are making executable a file mapping that has 3766 * had some COW done. Since pages might have been 3767 * written, check ability to execute the possibly 3768 * modified content. This typically should only 3769 * occur for text relocations. 3770 */ 3771 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3772 } 3773 if (rc) 3774 return rc; 3775 } 3776 3777 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3778 } 3779 3780 static int selinux_file_lock(struct file *file, unsigned int cmd) 3781 { 3782 const struct cred *cred = current_cred(); 3783 3784 return file_has_perm(cred, file, FILE__LOCK); 3785 } 3786 3787 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3788 unsigned long arg) 3789 { 3790 const struct cred *cred = current_cred(); 3791 int err = 0; 3792 3793 switch (cmd) { 3794 case F_SETFL: 3795 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3796 err = file_has_perm(cred, file, FILE__WRITE); 3797 break; 3798 } 3799 /* fall through */ 3800 case F_SETOWN: 3801 case F_SETSIG: 3802 case F_GETFL: 3803 case F_GETOWN: 3804 case F_GETSIG: 3805 case F_GETOWNER_UIDS: 3806 /* Just check FD__USE permission */ 3807 err = file_has_perm(cred, file, 0); 3808 break; 3809 case F_GETLK: 3810 case F_SETLK: 3811 case F_SETLKW: 3812 case F_OFD_GETLK: 3813 case F_OFD_SETLK: 3814 case F_OFD_SETLKW: 3815 #if BITS_PER_LONG == 32 3816 case F_GETLK64: 3817 case F_SETLK64: 3818 case F_SETLKW64: 3819 #endif 3820 err = file_has_perm(cred, file, FILE__LOCK); 3821 break; 3822 } 3823 3824 return err; 3825 } 3826 3827 static void selinux_file_set_fowner(struct file *file) 3828 { 3829 struct file_security_struct *fsec; 3830 3831 fsec = file->f_security; 3832 fsec->fown_sid = current_sid(); 3833 } 3834 3835 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3836 struct fown_struct *fown, int signum) 3837 { 3838 struct file *file; 3839 u32 sid = task_sid(tsk); 3840 u32 perm; 3841 struct file_security_struct *fsec; 3842 3843 /* struct fown_struct is never outside the context of a struct file */ 3844 file = container_of(fown, struct file, f_owner); 3845 3846 fsec = file->f_security; 3847 3848 if (!signum) 3849 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3850 else 3851 perm = signal_to_av(signum); 3852 3853 return avc_has_perm(&selinux_state, 3854 fsec->fown_sid, sid, 3855 SECCLASS_PROCESS, perm, NULL); 3856 } 3857 3858 static int selinux_file_receive(struct file *file) 3859 { 3860 const struct cred *cred = current_cred(); 3861 3862 return file_has_perm(cred, file, file_to_av(file)); 3863 } 3864 3865 static int selinux_file_open(struct file *file, const struct cred *cred) 3866 { 3867 struct file_security_struct *fsec; 3868 struct inode_security_struct *isec; 3869 3870 fsec = file->f_security; 3871 isec = inode_security(file_inode(file)); 3872 /* 3873 * Save inode label and policy sequence number 3874 * at open-time so that selinux_file_permission 3875 * can determine whether revalidation is necessary. 3876 * Task label is already saved in the file security 3877 * struct as its SID. 3878 */ 3879 fsec->isid = isec->sid; 3880 fsec->pseqno = avc_policy_seqno(&selinux_state); 3881 /* 3882 * Since the inode label or policy seqno may have changed 3883 * between the selinux_inode_permission check and the saving 3884 * of state above, recheck that access is still permitted. 3885 * Otherwise, access might never be revalidated against the 3886 * new inode label or new policy. 3887 * This check is not redundant - do not remove. 3888 */ 3889 return file_path_has_perm(cred, file, open_file_to_av(file)); 3890 } 3891 3892 /* task security operations */ 3893 3894 static int selinux_task_alloc(struct task_struct *task, 3895 unsigned long clone_flags) 3896 { 3897 u32 sid = current_sid(); 3898 3899 return avc_has_perm(&selinux_state, 3900 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3901 } 3902 3903 /* 3904 * allocate the SELinux part of blank credentials 3905 */ 3906 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3907 { 3908 struct task_security_struct *tsec; 3909 3910 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3911 if (!tsec) 3912 return -ENOMEM; 3913 3914 cred->security = tsec; 3915 return 0; 3916 } 3917 3918 /* 3919 * detach and free the LSM part of a set of credentials 3920 */ 3921 static void selinux_cred_free(struct cred *cred) 3922 { 3923 struct task_security_struct *tsec = cred->security; 3924 3925 /* 3926 * cred->security == NULL if security_cred_alloc_blank() or 3927 * security_prepare_creds() returned an error. 3928 */ 3929 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); 3930 cred->security = (void *) 0x7UL; 3931 kfree(tsec); 3932 } 3933 3934 /* 3935 * prepare a new set of credentials for modification 3936 */ 3937 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3938 gfp_t gfp) 3939 { 3940 const struct task_security_struct *old_tsec; 3941 struct task_security_struct *tsec; 3942 3943 old_tsec = old->security; 3944 3945 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3946 if (!tsec) 3947 return -ENOMEM; 3948 3949 new->security = tsec; 3950 return 0; 3951 } 3952 3953 /* 3954 * transfer the SELinux data to a blank set of creds 3955 */ 3956 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3957 { 3958 const struct task_security_struct *old_tsec = old->security; 3959 struct task_security_struct *tsec = new->security; 3960 3961 *tsec = *old_tsec; 3962 } 3963 3964 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 3965 { 3966 *secid = cred_sid(c); 3967 } 3968 3969 /* 3970 * set the security data for a kernel service 3971 * - all the creation contexts are set to unlabelled 3972 */ 3973 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3974 { 3975 struct task_security_struct *tsec = new->security; 3976 u32 sid = current_sid(); 3977 int ret; 3978 3979 ret = avc_has_perm(&selinux_state, 3980 sid, secid, 3981 SECCLASS_KERNEL_SERVICE, 3982 KERNEL_SERVICE__USE_AS_OVERRIDE, 3983 NULL); 3984 if (ret == 0) { 3985 tsec->sid = secid; 3986 tsec->create_sid = 0; 3987 tsec->keycreate_sid = 0; 3988 tsec->sockcreate_sid = 0; 3989 } 3990 return ret; 3991 } 3992 3993 /* 3994 * set the file creation context in a security record to the same as the 3995 * objective context of the specified inode 3996 */ 3997 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3998 { 3999 struct inode_security_struct *isec = inode_security(inode); 4000 struct task_security_struct *tsec = new->security; 4001 u32 sid = current_sid(); 4002 int ret; 4003 4004 ret = avc_has_perm(&selinux_state, 4005 sid, isec->sid, 4006 SECCLASS_KERNEL_SERVICE, 4007 KERNEL_SERVICE__CREATE_FILES_AS, 4008 NULL); 4009 4010 if (ret == 0) 4011 tsec->create_sid = isec->sid; 4012 return ret; 4013 } 4014 4015 static int selinux_kernel_module_request(char *kmod_name) 4016 { 4017 struct common_audit_data ad; 4018 4019 ad.type = LSM_AUDIT_DATA_KMOD; 4020 ad.u.kmod_name = kmod_name; 4021 4022 return avc_has_perm(&selinux_state, 4023 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4024 SYSTEM__MODULE_REQUEST, &ad); 4025 } 4026 4027 static int selinux_kernel_module_from_file(struct file *file) 4028 { 4029 struct common_audit_data ad; 4030 struct inode_security_struct *isec; 4031 struct file_security_struct *fsec; 4032 u32 sid = current_sid(); 4033 int rc; 4034 4035 /* init_module */ 4036 if (file == NULL) 4037 return avc_has_perm(&selinux_state, 4038 sid, sid, SECCLASS_SYSTEM, 4039 SYSTEM__MODULE_LOAD, NULL); 4040 4041 /* finit_module */ 4042 4043 ad.type = LSM_AUDIT_DATA_FILE; 4044 ad.u.file = file; 4045 4046 fsec = file->f_security; 4047 if (sid != fsec->sid) { 4048 rc = avc_has_perm(&selinux_state, 4049 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4050 if (rc) 4051 return rc; 4052 } 4053 4054 isec = inode_security(file_inode(file)); 4055 return avc_has_perm(&selinux_state, 4056 sid, isec->sid, SECCLASS_SYSTEM, 4057 SYSTEM__MODULE_LOAD, &ad); 4058 } 4059 4060 static int selinux_kernel_read_file(struct file *file, 4061 enum kernel_read_file_id id) 4062 { 4063 int rc = 0; 4064 4065 switch (id) { 4066 case READING_MODULE: 4067 rc = selinux_kernel_module_from_file(file); 4068 break; 4069 default: 4070 break; 4071 } 4072 4073 return rc; 4074 } 4075 4076 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4077 { 4078 return avc_has_perm(&selinux_state, 4079 current_sid(), task_sid(p), SECCLASS_PROCESS, 4080 PROCESS__SETPGID, NULL); 4081 } 4082 4083 static int selinux_task_getpgid(struct task_struct *p) 4084 { 4085 return avc_has_perm(&selinux_state, 4086 current_sid(), task_sid(p), SECCLASS_PROCESS, 4087 PROCESS__GETPGID, NULL); 4088 } 4089 4090 static int selinux_task_getsid(struct task_struct *p) 4091 { 4092 return avc_has_perm(&selinux_state, 4093 current_sid(), task_sid(p), SECCLASS_PROCESS, 4094 PROCESS__GETSESSION, NULL); 4095 } 4096 4097 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 4098 { 4099 *secid = task_sid(p); 4100 } 4101 4102 static int selinux_task_setnice(struct task_struct *p, int nice) 4103 { 4104 return avc_has_perm(&selinux_state, 4105 current_sid(), task_sid(p), SECCLASS_PROCESS, 4106 PROCESS__SETSCHED, NULL); 4107 } 4108 4109 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4110 { 4111 return avc_has_perm(&selinux_state, 4112 current_sid(), task_sid(p), SECCLASS_PROCESS, 4113 PROCESS__SETSCHED, NULL); 4114 } 4115 4116 static int selinux_task_getioprio(struct task_struct *p) 4117 { 4118 return avc_has_perm(&selinux_state, 4119 current_sid(), task_sid(p), SECCLASS_PROCESS, 4120 PROCESS__GETSCHED, NULL); 4121 } 4122 4123 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4124 unsigned int flags) 4125 { 4126 u32 av = 0; 4127 4128 if (!flags) 4129 return 0; 4130 if (flags & LSM_PRLIMIT_WRITE) 4131 av |= PROCESS__SETRLIMIT; 4132 if (flags & LSM_PRLIMIT_READ) 4133 av |= PROCESS__GETRLIMIT; 4134 return avc_has_perm(&selinux_state, 4135 cred_sid(cred), cred_sid(tcred), 4136 SECCLASS_PROCESS, av, NULL); 4137 } 4138 4139 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4140 struct rlimit *new_rlim) 4141 { 4142 struct rlimit *old_rlim = p->signal->rlim + resource; 4143 4144 /* Control the ability to change the hard limit (whether 4145 lowering or raising it), so that the hard limit can 4146 later be used as a safe reset point for the soft limit 4147 upon context transitions. See selinux_bprm_committing_creds. */ 4148 if (old_rlim->rlim_max != new_rlim->rlim_max) 4149 return avc_has_perm(&selinux_state, 4150 current_sid(), task_sid(p), 4151 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4152 4153 return 0; 4154 } 4155 4156 static int selinux_task_setscheduler(struct task_struct *p) 4157 { 4158 return avc_has_perm(&selinux_state, 4159 current_sid(), task_sid(p), SECCLASS_PROCESS, 4160 PROCESS__SETSCHED, NULL); 4161 } 4162 4163 static int selinux_task_getscheduler(struct task_struct *p) 4164 { 4165 return avc_has_perm(&selinux_state, 4166 current_sid(), task_sid(p), SECCLASS_PROCESS, 4167 PROCESS__GETSCHED, NULL); 4168 } 4169 4170 static int selinux_task_movememory(struct task_struct *p) 4171 { 4172 return avc_has_perm(&selinux_state, 4173 current_sid(), task_sid(p), SECCLASS_PROCESS, 4174 PROCESS__SETSCHED, NULL); 4175 } 4176 4177 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 4178 int sig, const struct cred *cred) 4179 { 4180 u32 secid; 4181 u32 perm; 4182 4183 if (!sig) 4184 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4185 else 4186 perm = signal_to_av(sig); 4187 if (!cred) 4188 secid = current_sid(); 4189 else 4190 secid = cred_sid(cred); 4191 return avc_has_perm(&selinux_state, 4192 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4193 } 4194 4195 static void selinux_task_to_inode(struct task_struct *p, 4196 struct inode *inode) 4197 { 4198 struct inode_security_struct *isec = inode->i_security; 4199 u32 sid = task_sid(p); 4200 4201 spin_lock(&isec->lock); 4202 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4203 isec->sid = sid; 4204 isec->initialized = LABEL_INITIALIZED; 4205 spin_unlock(&isec->lock); 4206 } 4207 4208 /* Returns error only if unable to parse addresses */ 4209 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4210 struct common_audit_data *ad, u8 *proto) 4211 { 4212 int offset, ihlen, ret = -EINVAL; 4213 struct iphdr _iph, *ih; 4214 4215 offset = skb_network_offset(skb); 4216 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4217 if (ih == NULL) 4218 goto out; 4219 4220 ihlen = ih->ihl * 4; 4221 if (ihlen < sizeof(_iph)) 4222 goto out; 4223 4224 ad->u.net->v4info.saddr = ih->saddr; 4225 ad->u.net->v4info.daddr = ih->daddr; 4226 ret = 0; 4227 4228 if (proto) 4229 *proto = ih->protocol; 4230 4231 switch (ih->protocol) { 4232 case IPPROTO_TCP: { 4233 struct tcphdr _tcph, *th; 4234 4235 if (ntohs(ih->frag_off) & IP_OFFSET) 4236 break; 4237 4238 offset += ihlen; 4239 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4240 if (th == NULL) 4241 break; 4242 4243 ad->u.net->sport = th->source; 4244 ad->u.net->dport = th->dest; 4245 break; 4246 } 4247 4248 case IPPROTO_UDP: { 4249 struct udphdr _udph, *uh; 4250 4251 if (ntohs(ih->frag_off) & IP_OFFSET) 4252 break; 4253 4254 offset += ihlen; 4255 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4256 if (uh == NULL) 4257 break; 4258 4259 ad->u.net->sport = uh->source; 4260 ad->u.net->dport = uh->dest; 4261 break; 4262 } 4263 4264 case IPPROTO_DCCP: { 4265 struct dccp_hdr _dccph, *dh; 4266 4267 if (ntohs(ih->frag_off) & IP_OFFSET) 4268 break; 4269 4270 offset += ihlen; 4271 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4272 if (dh == NULL) 4273 break; 4274 4275 ad->u.net->sport = dh->dccph_sport; 4276 ad->u.net->dport = dh->dccph_dport; 4277 break; 4278 } 4279 4280 #if IS_ENABLED(CONFIG_IP_SCTP) 4281 case IPPROTO_SCTP: { 4282 struct sctphdr _sctph, *sh; 4283 4284 if (ntohs(ih->frag_off) & IP_OFFSET) 4285 break; 4286 4287 offset += ihlen; 4288 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4289 if (sh == NULL) 4290 break; 4291 4292 ad->u.net->sport = sh->source; 4293 ad->u.net->dport = sh->dest; 4294 break; 4295 } 4296 #endif 4297 default: 4298 break; 4299 } 4300 out: 4301 return ret; 4302 } 4303 4304 #if IS_ENABLED(CONFIG_IPV6) 4305 4306 /* Returns error only if unable to parse addresses */ 4307 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4308 struct common_audit_data *ad, u8 *proto) 4309 { 4310 u8 nexthdr; 4311 int ret = -EINVAL, offset; 4312 struct ipv6hdr _ipv6h, *ip6; 4313 __be16 frag_off; 4314 4315 offset = skb_network_offset(skb); 4316 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4317 if (ip6 == NULL) 4318 goto out; 4319 4320 ad->u.net->v6info.saddr = ip6->saddr; 4321 ad->u.net->v6info.daddr = ip6->daddr; 4322 ret = 0; 4323 4324 nexthdr = ip6->nexthdr; 4325 offset += sizeof(_ipv6h); 4326 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4327 if (offset < 0) 4328 goto out; 4329 4330 if (proto) 4331 *proto = nexthdr; 4332 4333 switch (nexthdr) { 4334 case IPPROTO_TCP: { 4335 struct tcphdr _tcph, *th; 4336 4337 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4338 if (th == NULL) 4339 break; 4340 4341 ad->u.net->sport = th->source; 4342 ad->u.net->dport = th->dest; 4343 break; 4344 } 4345 4346 case IPPROTO_UDP: { 4347 struct udphdr _udph, *uh; 4348 4349 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4350 if (uh == NULL) 4351 break; 4352 4353 ad->u.net->sport = uh->source; 4354 ad->u.net->dport = uh->dest; 4355 break; 4356 } 4357 4358 case IPPROTO_DCCP: { 4359 struct dccp_hdr _dccph, *dh; 4360 4361 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4362 if (dh == NULL) 4363 break; 4364 4365 ad->u.net->sport = dh->dccph_sport; 4366 ad->u.net->dport = dh->dccph_dport; 4367 break; 4368 } 4369 4370 #if IS_ENABLED(CONFIG_IP_SCTP) 4371 case IPPROTO_SCTP: { 4372 struct sctphdr _sctph, *sh; 4373 4374 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4375 if (sh == NULL) 4376 break; 4377 4378 ad->u.net->sport = sh->source; 4379 ad->u.net->dport = sh->dest; 4380 break; 4381 } 4382 #endif 4383 /* includes fragments */ 4384 default: 4385 break; 4386 } 4387 out: 4388 return ret; 4389 } 4390 4391 #endif /* IPV6 */ 4392 4393 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4394 char **_addrp, int src, u8 *proto) 4395 { 4396 char *addrp; 4397 int ret; 4398 4399 switch (ad->u.net->family) { 4400 case PF_INET: 4401 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4402 if (ret) 4403 goto parse_error; 4404 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4405 &ad->u.net->v4info.daddr); 4406 goto okay; 4407 4408 #if IS_ENABLED(CONFIG_IPV6) 4409 case PF_INET6: 4410 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4411 if (ret) 4412 goto parse_error; 4413 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4414 &ad->u.net->v6info.daddr); 4415 goto okay; 4416 #endif /* IPV6 */ 4417 default: 4418 addrp = NULL; 4419 goto okay; 4420 } 4421 4422 parse_error: 4423 printk(KERN_WARNING 4424 "SELinux: failure in selinux_parse_skb()," 4425 " unable to parse packet\n"); 4426 return ret; 4427 4428 okay: 4429 if (_addrp) 4430 *_addrp = addrp; 4431 return 0; 4432 } 4433 4434 /** 4435 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4436 * @skb: the packet 4437 * @family: protocol family 4438 * @sid: the packet's peer label SID 4439 * 4440 * Description: 4441 * Check the various different forms of network peer labeling and determine 4442 * the peer label/SID for the packet; most of the magic actually occurs in 4443 * the security server function security_net_peersid_cmp(). The function 4444 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4445 * or -EACCES if @sid is invalid due to inconsistencies with the different 4446 * peer labels. 4447 * 4448 */ 4449 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4450 { 4451 int err; 4452 u32 xfrm_sid; 4453 u32 nlbl_sid; 4454 u32 nlbl_type; 4455 4456 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4457 if (unlikely(err)) 4458 return -EACCES; 4459 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4460 if (unlikely(err)) 4461 return -EACCES; 4462 4463 err = security_net_peersid_resolve(&selinux_state, nlbl_sid, 4464 nlbl_type, xfrm_sid, sid); 4465 if (unlikely(err)) { 4466 printk(KERN_WARNING 4467 "SELinux: failure in selinux_skb_peerlbl_sid()," 4468 " unable to determine packet's peer label\n"); 4469 return -EACCES; 4470 } 4471 4472 return 0; 4473 } 4474 4475 /** 4476 * selinux_conn_sid - Determine the child socket label for a connection 4477 * @sk_sid: the parent socket's SID 4478 * @skb_sid: the packet's SID 4479 * @conn_sid: the resulting connection SID 4480 * 4481 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4482 * combined with the MLS information from @skb_sid in order to create 4483 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy 4484 * of @sk_sid. Returns zero on success, negative values on failure. 4485 * 4486 */ 4487 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4488 { 4489 int err = 0; 4490 4491 if (skb_sid != SECSID_NULL) 4492 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid, 4493 conn_sid); 4494 else 4495 *conn_sid = sk_sid; 4496 4497 return err; 4498 } 4499 4500 /* socket security operations */ 4501 4502 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4503 u16 secclass, u32 *socksid) 4504 { 4505 if (tsec->sockcreate_sid > SECSID_NULL) { 4506 *socksid = tsec->sockcreate_sid; 4507 return 0; 4508 } 4509 4510 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid, 4511 secclass, NULL, socksid); 4512 } 4513 4514 static int sock_has_perm(struct sock *sk, u32 perms) 4515 { 4516 struct sk_security_struct *sksec = sk->sk_security; 4517 struct common_audit_data ad; 4518 struct lsm_network_audit net = {0,}; 4519 4520 if (sksec->sid == SECINITSID_KERNEL) 4521 return 0; 4522 4523 ad.type = LSM_AUDIT_DATA_NET; 4524 ad.u.net = &net; 4525 ad.u.net->sk = sk; 4526 4527 return avc_has_perm(&selinux_state, 4528 current_sid(), sksec->sid, sksec->sclass, perms, 4529 &ad); 4530 } 4531 4532 static int selinux_socket_create(int family, int type, 4533 int protocol, int kern) 4534 { 4535 const struct task_security_struct *tsec = current_security(); 4536 u32 newsid; 4537 u16 secclass; 4538 int rc; 4539 4540 if (kern) 4541 return 0; 4542 4543 secclass = socket_type_to_security_class(family, type, protocol); 4544 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4545 if (rc) 4546 return rc; 4547 4548 return avc_has_perm(&selinux_state, 4549 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4550 } 4551 4552 static int selinux_socket_post_create(struct socket *sock, int family, 4553 int type, int protocol, int kern) 4554 { 4555 const struct task_security_struct *tsec = current_security(); 4556 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4557 struct sk_security_struct *sksec; 4558 u16 sclass = socket_type_to_security_class(family, type, protocol); 4559 u32 sid = SECINITSID_KERNEL; 4560 int err = 0; 4561 4562 if (!kern) { 4563 err = socket_sockcreate_sid(tsec, sclass, &sid); 4564 if (err) 4565 return err; 4566 } 4567 4568 isec->sclass = sclass; 4569 isec->sid = sid; 4570 isec->initialized = LABEL_INITIALIZED; 4571 4572 if (sock->sk) { 4573 sksec = sock->sk->sk_security; 4574 sksec->sclass = sclass; 4575 sksec->sid = sid; 4576 /* Allows detection of the first association on this socket */ 4577 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4578 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4579 4580 err = selinux_netlbl_socket_post_create(sock->sk, family); 4581 } 4582 4583 return err; 4584 } 4585 4586 /* Range of port numbers used to automatically bind. 4587 Need to determine whether we should perform a name_bind 4588 permission check between the socket and the port number. */ 4589 4590 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4591 { 4592 struct sock *sk = sock->sk; 4593 struct sk_security_struct *sksec = sk->sk_security; 4594 u16 family; 4595 int err; 4596 4597 err = sock_has_perm(sk, SOCKET__BIND); 4598 if (err) 4599 goto out; 4600 4601 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4602 family = sk->sk_family; 4603 if (family == PF_INET || family == PF_INET6) { 4604 char *addrp; 4605 struct common_audit_data ad; 4606 struct lsm_network_audit net = {0,}; 4607 struct sockaddr_in *addr4 = NULL; 4608 struct sockaddr_in6 *addr6 = NULL; 4609 u16 family_sa = address->sa_family; 4610 unsigned short snum; 4611 u32 sid, node_perm; 4612 4613 /* 4614 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4615 * that validates multiple binding addresses. Because of this 4616 * need to check address->sa_family as it is possible to have 4617 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4618 */ 4619 switch (family_sa) { 4620 case AF_UNSPEC: 4621 case AF_INET: 4622 if (addrlen < sizeof(struct sockaddr_in)) 4623 return -EINVAL; 4624 addr4 = (struct sockaddr_in *)address; 4625 if (family_sa == AF_UNSPEC) { 4626 /* see __inet_bind(), we only want to allow 4627 * AF_UNSPEC if the address is INADDR_ANY 4628 */ 4629 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4630 goto err_af; 4631 family_sa = AF_INET; 4632 } 4633 snum = ntohs(addr4->sin_port); 4634 addrp = (char *)&addr4->sin_addr.s_addr; 4635 break; 4636 case AF_INET6: 4637 if (addrlen < SIN6_LEN_RFC2133) 4638 return -EINVAL; 4639 addr6 = (struct sockaddr_in6 *)address; 4640 snum = ntohs(addr6->sin6_port); 4641 addrp = (char *)&addr6->sin6_addr.s6_addr; 4642 break; 4643 default: 4644 goto err_af; 4645 } 4646 4647 ad.type = LSM_AUDIT_DATA_NET; 4648 ad.u.net = &net; 4649 ad.u.net->sport = htons(snum); 4650 ad.u.net->family = family_sa; 4651 4652 if (snum) { 4653 int low, high; 4654 4655 inet_get_local_port_range(sock_net(sk), &low, &high); 4656 4657 if (snum < max(inet_prot_sock(sock_net(sk)), low) || 4658 snum > high) { 4659 err = sel_netport_sid(sk->sk_protocol, 4660 snum, &sid); 4661 if (err) 4662 goto out; 4663 err = avc_has_perm(&selinux_state, 4664 sksec->sid, sid, 4665 sksec->sclass, 4666 SOCKET__NAME_BIND, &ad); 4667 if (err) 4668 goto out; 4669 } 4670 } 4671 4672 switch (sksec->sclass) { 4673 case SECCLASS_TCP_SOCKET: 4674 node_perm = TCP_SOCKET__NODE_BIND; 4675 break; 4676 4677 case SECCLASS_UDP_SOCKET: 4678 node_perm = UDP_SOCKET__NODE_BIND; 4679 break; 4680 4681 case SECCLASS_DCCP_SOCKET: 4682 node_perm = DCCP_SOCKET__NODE_BIND; 4683 break; 4684 4685 case SECCLASS_SCTP_SOCKET: 4686 node_perm = SCTP_SOCKET__NODE_BIND; 4687 break; 4688 4689 default: 4690 node_perm = RAWIP_SOCKET__NODE_BIND; 4691 break; 4692 } 4693 4694 err = sel_netnode_sid(addrp, family_sa, &sid); 4695 if (err) 4696 goto out; 4697 4698 if (family_sa == AF_INET) 4699 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4700 else 4701 ad.u.net->v6info.saddr = addr6->sin6_addr; 4702 4703 err = avc_has_perm(&selinux_state, 4704 sksec->sid, sid, 4705 sksec->sclass, node_perm, &ad); 4706 if (err) 4707 goto out; 4708 } 4709 out: 4710 return err; 4711 err_af: 4712 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4713 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4714 return -EINVAL; 4715 return -EAFNOSUPPORT; 4716 } 4717 4718 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 4719 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.txt 4720 */ 4721 static int selinux_socket_connect_helper(struct socket *sock, 4722 struct sockaddr *address, int addrlen) 4723 { 4724 struct sock *sk = sock->sk; 4725 struct sk_security_struct *sksec = sk->sk_security; 4726 int err; 4727 4728 err = sock_has_perm(sk, SOCKET__CONNECT); 4729 if (err) 4730 return err; 4731 4732 /* 4733 * If a TCP, DCCP or SCTP socket, check name_connect permission 4734 * for the port. 4735 */ 4736 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4737 sksec->sclass == SECCLASS_DCCP_SOCKET || 4738 sksec->sclass == SECCLASS_SCTP_SOCKET) { 4739 struct common_audit_data ad; 4740 struct lsm_network_audit net = {0,}; 4741 struct sockaddr_in *addr4 = NULL; 4742 struct sockaddr_in6 *addr6 = NULL; 4743 unsigned short snum; 4744 u32 sid, perm; 4745 4746 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 4747 * that validates multiple connect addresses. Because of this 4748 * need to check address->sa_family as it is possible to have 4749 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4750 */ 4751 switch (address->sa_family) { 4752 case AF_INET: 4753 addr4 = (struct sockaddr_in *)address; 4754 if (addrlen < sizeof(struct sockaddr_in)) 4755 return -EINVAL; 4756 snum = ntohs(addr4->sin_port); 4757 break; 4758 case AF_INET6: 4759 addr6 = (struct sockaddr_in6 *)address; 4760 if (addrlen < SIN6_LEN_RFC2133) 4761 return -EINVAL; 4762 snum = ntohs(addr6->sin6_port); 4763 break; 4764 default: 4765 /* Note that SCTP services expect -EINVAL, whereas 4766 * others expect -EAFNOSUPPORT. 4767 */ 4768 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4769 return -EINVAL; 4770 else 4771 return -EAFNOSUPPORT; 4772 } 4773 4774 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4775 if (err) 4776 return err; 4777 4778 switch (sksec->sclass) { 4779 case SECCLASS_TCP_SOCKET: 4780 perm = TCP_SOCKET__NAME_CONNECT; 4781 break; 4782 case SECCLASS_DCCP_SOCKET: 4783 perm = DCCP_SOCKET__NAME_CONNECT; 4784 break; 4785 case SECCLASS_SCTP_SOCKET: 4786 perm = SCTP_SOCKET__NAME_CONNECT; 4787 break; 4788 } 4789 4790 ad.type = LSM_AUDIT_DATA_NET; 4791 ad.u.net = &net; 4792 ad.u.net->dport = htons(snum); 4793 ad.u.net->family = address->sa_family; 4794 err = avc_has_perm(&selinux_state, 4795 sksec->sid, sid, sksec->sclass, perm, &ad); 4796 if (err) 4797 return err; 4798 } 4799 4800 return 0; 4801 } 4802 4803 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 4804 static int selinux_socket_connect(struct socket *sock, 4805 struct sockaddr *address, int addrlen) 4806 { 4807 int err; 4808 struct sock *sk = sock->sk; 4809 4810 err = selinux_socket_connect_helper(sock, address, addrlen); 4811 if (err) 4812 return err; 4813 4814 return selinux_netlbl_socket_connect(sk, address); 4815 } 4816 4817 static int selinux_socket_listen(struct socket *sock, int backlog) 4818 { 4819 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4820 } 4821 4822 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4823 { 4824 int err; 4825 struct inode_security_struct *isec; 4826 struct inode_security_struct *newisec; 4827 u16 sclass; 4828 u32 sid; 4829 4830 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4831 if (err) 4832 return err; 4833 4834 isec = inode_security_novalidate(SOCK_INODE(sock)); 4835 spin_lock(&isec->lock); 4836 sclass = isec->sclass; 4837 sid = isec->sid; 4838 spin_unlock(&isec->lock); 4839 4840 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4841 newisec->sclass = sclass; 4842 newisec->sid = sid; 4843 newisec->initialized = LABEL_INITIALIZED; 4844 4845 return 0; 4846 } 4847 4848 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4849 int size) 4850 { 4851 return sock_has_perm(sock->sk, SOCKET__WRITE); 4852 } 4853 4854 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4855 int size, int flags) 4856 { 4857 return sock_has_perm(sock->sk, SOCKET__READ); 4858 } 4859 4860 static int selinux_socket_getsockname(struct socket *sock) 4861 { 4862 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4863 } 4864 4865 static int selinux_socket_getpeername(struct socket *sock) 4866 { 4867 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4868 } 4869 4870 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4871 { 4872 int err; 4873 4874 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 4875 if (err) 4876 return err; 4877 4878 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4879 } 4880 4881 static int selinux_socket_getsockopt(struct socket *sock, int level, 4882 int optname) 4883 { 4884 return sock_has_perm(sock->sk, SOCKET__GETOPT); 4885 } 4886 4887 static int selinux_socket_shutdown(struct socket *sock, int how) 4888 { 4889 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 4890 } 4891 4892 static int selinux_socket_unix_stream_connect(struct sock *sock, 4893 struct sock *other, 4894 struct sock *newsk) 4895 { 4896 struct sk_security_struct *sksec_sock = sock->sk_security; 4897 struct sk_security_struct *sksec_other = other->sk_security; 4898 struct sk_security_struct *sksec_new = newsk->sk_security; 4899 struct common_audit_data ad; 4900 struct lsm_network_audit net = {0,}; 4901 int err; 4902 4903 ad.type = LSM_AUDIT_DATA_NET; 4904 ad.u.net = &net; 4905 ad.u.net->sk = other; 4906 4907 err = avc_has_perm(&selinux_state, 4908 sksec_sock->sid, sksec_other->sid, 4909 sksec_other->sclass, 4910 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4911 if (err) 4912 return err; 4913 4914 /* server child socket */ 4915 sksec_new->peer_sid = sksec_sock->sid; 4916 err = security_sid_mls_copy(&selinux_state, sksec_other->sid, 4917 sksec_sock->sid, &sksec_new->sid); 4918 if (err) 4919 return err; 4920 4921 /* connecting socket */ 4922 sksec_sock->peer_sid = sksec_new->sid; 4923 4924 return 0; 4925 } 4926 4927 static int selinux_socket_unix_may_send(struct socket *sock, 4928 struct socket *other) 4929 { 4930 struct sk_security_struct *ssec = sock->sk->sk_security; 4931 struct sk_security_struct *osec = other->sk->sk_security; 4932 struct common_audit_data ad; 4933 struct lsm_network_audit net = {0,}; 4934 4935 ad.type = LSM_AUDIT_DATA_NET; 4936 ad.u.net = &net; 4937 ad.u.net->sk = other->sk; 4938 4939 return avc_has_perm(&selinux_state, 4940 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4941 &ad); 4942 } 4943 4944 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4945 char *addrp, u16 family, u32 peer_sid, 4946 struct common_audit_data *ad) 4947 { 4948 int err; 4949 u32 if_sid; 4950 u32 node_sid; 4951 4952 err = sel_netif_sid(ns, ifindex, &if_sid); 4953 if (err) 4954 return err; 4955 err = avc_has_perm(&selinux_state, 4956 peer_sid, if_sid, 4957 SECCLASS_NETIF, NETIF__INGRESS, ad); 4958 if (err) 4959 return err; 4960 4961 err = sel_netnode_sid(addrp, family, &node_sid); 4962 if (err) 4963 return err; 4964 return avc_has_perm(&selinux_state, 4965 peer_sid, node_sid, 4966 SECCLASS_NODE, NODE__RECVFROM, ad); 4967 } 4968 4969 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4970 u16 family) 4971 { 4972 int err = 0; 4973 struct sk_security_struct *sksec = sk->sk_security; 4974 u32 sk_sid = sksec->sid; 4975 struct common_audit_data ad; 4976 struct lsm_network_audit net = {0,}; 4977 char *addrp; 4978 4979 ad.type = LSM_AUDIT_DATA_NET; 4980 ad.u.net = &net; 4981 ad.u.net->netif = skb->skb_iif; 4982 ad.u.net->family = family; 4983 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4984 if (err) 4985 return err; 4986 4987 if (selinux_secmark_enabled()) { 4988 err = avc_has_perm(&selinux_state, 4989 sk_sid, skb->secmark, SECCLASS_PACKET, 4990 PACKET__RECV, &ad); 4991 if (err) 4992 return err; 4993 } 4994 4995 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4996 if (err) 4997 return err; 4998 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4999 5000 return err; 5001 } 5002 5003 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 5004 { 5005 int err; 5006 struct sk_security_struct *sksec = sk->sk_security; 5007 u16 family = sk->sk_family; 5008 u32 sk_sid = sksec->sid; 5009 struct common_audit_data ad; 5010 struct lsm_network_audit net = {0,}; 5011 char *addrp; 5012 u8 secmark_active; 5013 u8 peerlbl_active; 5014 5015 if (family != PF_INET && family != PF_INET6) 5016 return 0; 5017 5018 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5019 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5020 family = PF_INET; 5021 5022 /* If any sort of compatibility mode is enabled then handoff processing 5023 * to the selinux_sock_rcv_skb_compat() function to deal with the 5024 * special handling. We do this in an attempt to keep this function 5025 * as fast and as clean as possible. */ 5026 if (!selinux_policycap_netpeer()) 5027 return selinux_sock_rcv_skb_compat(sk, skb, family); 5028 5029 secmark_active = selinux_secmark_enabled(); 5030 peerlbl_active = selinux_peerlbl_enabled(); 5031 if (!secmark_active && !peerlbl_active) 5032 return 0; 5033 5034 ad.type = LSM_AUDIT_DATA_NET; 5035 ad.u.net = &net; 5036 ad.u.net->netif = skb->skb_iif; 5037 ad.u.net->family = family; 5038 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5039 if (err) 5040 return err; 5041 5042 if (peerlbl_active) { 5043 u32 peer_sid; 5044 5045 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5046 if (err) 5047 return err; 5048 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5049 addrp, family, peer_sid, &ad); 5050 if (err) { 5051 selinux_netlbl_err(skb, family, err, 0); 5052 return err; 5053 } 5054 err = avc_has_perm(&selinux_state, 5055 sk_sid, peer_sid, SECCLASS_PEER, 5056 PEER__RECV, &ad); 5057 if (err) { 5058 selinux_netlbl_err(skb, family, err, 0); 5059 return err; 5060 } 5061 } 5062 5063 if (secmark_active) { 5064 err = avc_has_perm(&selinux_state, 5065 sk_sid, skb->secmark, SECCLASS_PACKET, 5066 PACKET__RECV, &ad); 5067 if (err) 5068 return err; 5069 } 5070 5071 return err; 5072 } 5073 5074 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 5075 int __user *optlen, unsigned len) 5076 { 5077 int err = 0; 5078 char *scontext; 5079 u32 scontext_len; 5080 struct sk_security_struct *sksec = sock->sk->sk_security; 5081 u32 peer_sid = SECSID_NULL; 5082 5083 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5084 sksec->sclass == SECCLASS_TCP_SOCKET || 5085 sksec->sclass == SECCLASS_SCTP_SOCKET) 5086 peer_sid = sksec->peer_sid; 5087 if (peer_sid == SECSID_NULL) 5088 return -ENOPROTOOPT; 5089 5090 err = security_sid_to_context(&selinux_state, peer_sid, &scontext, 5091 &scontext_len); 5092 if (err) 5093 return err; 5094 5095 if (scontext_len > len) { 5096 err = -ERANGE; 5097 goto out_len; 5098 } 5099 5100 if (copy_to_user(optval, scontext, scontext_len)) 5101 err = -EFAULT; 5102 5103 out_len: 5104 if (put_user(scontext_len, optlen)) 5105 err = -EFAULT; 5106 kfree(scontext); 5107 return err; 5108 } 5109 5110 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 5111 { 5112 u32 peer_secid = SECSID_NULL; 5113 u16 family; 5114 struct inode_security_struct *isec; 5115 5116 if (skb && skb->protocol == htons(ETH_P_IP)) 5117 family = PF_INET; 5118 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5119 family = PF_INET6; 5120 else if (sock) 5121 family = sock->sk->sk_family; 5122 else 5123 goto out; 5124 5125 if (sock && family == PF_UNIX) { 5126 isec = inode_security_novalidate(SOCK_INODE(sock)); 5127 peer_secid = isec->sid; 5128 } else if (skb) 5129 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5130 5131 out: 5132 *secid = peer_secid; 5133 if (peer_secid == SECSID_NULL) 5134 return -EINVAL; 5135 return 0; 5136 } 5137 5138 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5139 { 5140 struct sk_security_struct *sksec; 5141 5142 sksec = kzalloc(sizeof(*sksec), priority); 5143 if (!sksec) 5144 return -ENOMEM; 5145 5146 sksec->peer_sid = SECINITSID_UNLABELED; 5147 sksec->sid = SECINITSID_UNLABELED; 5148 sksec->sclass = SECCLASS_SOCKET; 5149 selinux_netlbl_sk_security_reset(sksec); 5150 sk->sk_security = sksec; 5151 5152 return 0; 5153 } 5154 5155 static void selinux_sk_free_security(struct sock *sk) 5156 { 5157 struct sk_security_struct *sksec = sk->sk_security; 5158 5159 sk->sk_security = NULL; 5160 selinux_netlbl_sk_security_free(sksec); 5161 kfree(sksec); 5162 } 5163 5164 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5165 { 5166 struct sk_security_struct *sksec = sk->sk_security; 5167 struct sk_security_struct *newsksec = newsk->sk_security; 5168 5169 newsksec->sid = sksec->sid; 5170 newsksec->peer_sid = sksec->peer_sid; 5171 newsksec->sclass = sksec->sclass; 5172 5173 selinux_netlbl_sk_security_reset(newsksec); 5174 } 5175 5176 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 5177 { 5178 if (!sk) 5179 *secid = SECINITSID_ANY_SOCKET; 5180 else { 5181 struct sk_security_struct *sksec = sk->sk_security; 5182 5183 *secid = sksec->sid; 5184 } 5185 } 5186 5187 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5188 { 5189 struct inode_security_struct *isec = 5190 inode_security_novalidate(SOCK_INODE(parent)); 5191 struct sk_security_struct *sksec = sk->sk_security; 5192 5193 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5194 sk->sk_family == PF_UNIX) 5195 isec->sid = sksec->sid; 5196 sksec->sclass = isec->sclass; 5197 } 5198 5199 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming 5200 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association 5201 * already present). 5202 */ 5203 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep, 5204 struct sk_buff *skb) 5205 { 5206 struct sk_security_struct *sksec = ep->base.sk->sk_security; 5207 struct common_audit_data ad; 5208 struct lsm_network_audit net = {0,}; 5209 u8 peerlbl_active; 5210 u32 peer_sid = SECINITSID_UNLABELED; 5211 u32 conn_sid; 5212 int err = 0; 5213 5214 if (!selinux_policycap_extsockclass()) 5215 return 0; 5216 5217 peerlbl_active = selinux_peerlbl_enabled(); 5218 5219 if (peerlbl_active) { 5220 /* This will return peer_sid = SECSID_NULL if there are 5221 * no peer labels, see security_net_peersid_resolve(). 5222 */ 5223 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family, 5224 &peer_sid); 5225 if (err) 5226 return err; 5227 5228 if (peer_sid == SECSID_NULL) 5229 peer_sid = SECINITSID_UNLABELED; 5230 } 5231 5232 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5233 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5234 5235 /* Here as first association on socket. As the peer SID 5236 * was allowed by peer recv (and the netif/node checks), 5237 * then it is approved by policy and used as the primary 5238 * peer SID for getpeercon(3). 5239 */ 5240 sksec->peer_sid = peer_sid; 5241 } else if (sksec->peer_sid != peer_sid) { 5242 /* Other association peer SIDs are checked to enforce 5243 * consistency among the peer SIDs. 5244 */ 5245 ad.type = LSM_AUDIT_DATA_NET; 5246 ad.u.net = &net; 5247 ad.u.net->sk = ep->base.sk; 5248 err = avc_has_perm(&selinux_state, 5249 sksec->peer_sid, peer_sid, sksec->sclass, 5250 SCTP_SOCKET__ASSOCIATION, &ad); 5251 if (err) 5252 return err; 5253 } 5254 5255 /* Compute the MLS component for the connection and store 5256 * the information in ep. This will be used by SCTP TCP type 5257 * sockets and peeled off connections as they cause a new 5258 * socket to be generated. selinux_sctp_sk_clone() will then 5259 * plug this into the new socket. 5260 */ 5261 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid); 5262 if (err) 5263 return err; 5264 5265 ep->secid = conn_sid; 5266 ep->peer_secid = peer_sid; 5267 5268 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5269 return selinux_netlbl_sctp_assoc_request(ep, skb); 5270 } 5271 5272 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5273 * based on their @optname. 5274 */ 5275 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5276 struct sockaddr *address, 5277 int addrlen) 5278 { 5279 int len, err = 0, walk_size = 0; 5280 void *addr_buf; 5281 struct sockaddr *addr; 5282 struct socket *sock; 5283 5284 if (!selinux_policycap_extsockclass()) 5285 return 0; 5286 5287 /* Process one or more addresses that may be IPv4 or IPv6 */ 5288 sock = sk->sk_socket; 5289 addr_buf = address; 5290 5291 while (walk_size < addrlen) { 5292 addr = addr_buf; 5293 switch (addr->sa_family) { 5294 case AF_UNSPEC: 5295 case AF_INET: 5296 len = sizeof(struct sockaddr_in); 5297 break; 5298 case AF_INET6: 5299 len = sizeof(struct sockaddr_in6); 5300 break; 5301 default: 5302 return -EINVAL; 5303 } 5304 5305 err = -EINVAL; 5306 switch (optname) { 5307 /* Bind checks */ 5308 case SCTP_PRIMARY_ADDR: 5309 case SCTP_SET_PEER_PRIMARY_ADDR: 5310 case SCTP_SOCKOPT_BINDX_ADD: 5311 err = selinux_socket_bind(sock, addr, len); 5312 break; 5313 /* Connect checks */ 5314 case SCTP_SOCKOPT_CONNECTX: 5315 case SCTP_PARAM_SET_PRIMARY: 5316 case SCTP_PARAM_ADD_IP: 5317 case SCTP_SENDMSG_CONNECT: 5318 err = selinux_socket_connect_helper(sock, addr, len); 5319 if (err) 5320 return err; 5321 5322 /* As selinux_sctp_bind_connect() is called by the 5323 * SCTP protocol layer, the socket is already locked, 5324 * therefore selinux_netlbl_socket_connect_locked() is 5325 * is called here. The situations handled are: 5326 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5327 * whenever a new IP address is added or when a new 5328 * primary address is selected. 5329 * Note that an SCTP connect(2) call happens before 5330 * the SCTP protocol layer and is handled via 5331 * selinux_socket_connect(). 5332 */ 5333 err = selinux_netlbl_socket_connect_locked(sk, addr); 5334 break; 5335 } 5336 5337 if (err) 5338 return err; 5339 5340 addr_buf += len; 5341 walk_size += len; 5342 } 5343 5344 return 0; 5345 } 5346 5347 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5348 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, 5349 struct sock *newsk) 5350 { 5351 struct sk_security_struct *sksec = sk->sk_security; 5352 struct sk_security_struct *newsksec = newsk->sk_security; 5353 5354 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5355 * the non-sctp clone version. 5356 */ 5357 if (!selinux_policycap_extsockclass()) 5358 return selinux_sk_clone_security(sk, newsk); 5359 5360 newsksec->sid = ep->secid; 5361 newsksec->peer_sid = ep->peer_secid; 5362 newsksec->sclass = sksec->sclass; 5363 selinux_netlbl_sctp_sk_clone(sk, newsk); 5364 } 5365 5366 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 5367 struct request_sock *req) 5368 { 5369 struct sk_security_struct *sksec = sk->sk_security; 5370 int err; 5371 u16 family = req->rsk_ops->family; 5372 u32 connsid; 5373 u32 peersid; 5374 5375 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5376 if (err) 5377 return err; 5378 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5379 if (err) 5380 return err; 5381 req->secid = connsid; 5382 req->peer_secid = peersid; 5383 5384 return selinux_netlbl_inet_conn_request(req, family); 5385 } 5386 5387 static void selinux_inet_csk_clone(struct sock *newsk, 5388 const struct request_sock *req) 5389 { 5390 struct sk_security_struct *newsksec = newsk->sk_security; 5391 5392 newsksec->sid = req->secid; 5393 newsksec->peer_sid = req->peer_secid; 5394 /* NOTE: Ideally, we should also get the isec->sid for the 5395 new socket in sync, but we don't have the isec available yet. 5396 So we will wait until sock_graft to do it, by which 5397 time it will have been created and available. */ 5398 5399 /* We don't need to take any sort of lock here as we are the only 5400 * thread with access to newsksec */ 5401 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5402 } 5403 5404 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5405 { 5406 u16 family = sk->sk_family; 5407 struct sk_security_struct *sksec = sk->sk_security; 5408 5409 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5410 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5411 family = PF_INET; 5412 5413 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5414 } 5415 5416 static int selinux_secmark_relabel_packet(u32 sid) 5417 { 5418 const struct task_security_struct *__tsec; 5419 u32 tsid; 5420 5421 __tsec = current_security(); 5422 tsid = __tsec->sid; 5423 5424 return avc_has_perm(&selinux_state, 5425 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, 5426 NULL); 5427 } 5428 5429 static void selinux_secmark_refcount_inc(void) 5430 { 5431 atomic_inc(&selinux_secmark_refcount); 5432 } 5433 5434 static void selinux_secmark_refcount_dec(void) 5435 { 5436 atomic_dec(&selinux_secmark_refcount); 5437 } 5438 5439 static void selinux_req_classify_flow(const struct request_sock *req, 5440 struct flowi *fl) 5441 { 5442 fl->flowi_secid = req->secid; 5443 } 5444 5445 static int selinux_tun_dev_alloc_security(void **security) 5446 { 5447 struct tun_security_struct *tunsec; 5448 5449 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5450 if (!tunsec) 5451 return -ENOMEM; 5452 tunsec->sid = current_sid(); 5453 5454 *security = tunsec; 5455 return 0; 5456 } 5457 5458 static void selinux_tun_dev_free_security(void *security) 5459 { 5460 kfree(security); 5461 } 5462 5463 static int selinux_tun_dev_create(void) 5464 { 5465 u32 sid = current_sid(); 5466 5467 /* we aren't taking into account the "sockcreate" SID since the socket 5468 * that is being created here is not a socket in the traditional sense, 5469 * instead it is a private sock, accessible only to the kernel, and 5470 * representing a wide range of network traffic spanning multiple 5471 * connections unlike traditional sockets - check the TUN driver to 5472 * get a better understanding of why this socket is special */ 5473 5474 return avc_has_perm(&selinux_state, 5475 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5476 NULL); 5477 } 5478 5479 static int selinux_tun_dev_attach_queue(void *security) 5480 { 5481 struct tun_security_struct *tunsec = security; 5482 5483 return avc_has_perm(&selinux_state, 5484 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5485 TUN_SOCKET__ATTACH_QUEUE, NULL); 5486 } 5487 5488 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5489 { 5490 struct tun_security_struct *tunsec = security; 5491 struct sk_security_struct *sksec = sk->sk_security; 5492 5493 /* we don't currently perform any NetLabel based labeling here and it 5494 * isn't clear that we would want to do so anyway; while we could apply 5495 * labeling without the support of the TUN user the resulting labeled 5496 * traffic from the other end of the connection would almost certainly 5497 * cause confusion to the TUN user that had no idea network labeling 5498 * protocols were being used */ 5499 5500 sksec->sid = tunsec->sid; 5501 sksec->sclass = SECCLASS_TUN_SOCKET; 5502 5503 return 0; 5504 } 5505 5506 static int selinux_tun_dev_open(void *security) 5507 { 5508 struct tun_security_struct *tunsec = security; 5509 u32 sid = current_sid(); 5510 int err; 5511 5512 err = avc_has_perm(&selinux_state, 5513 sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5514 TUN_SOCKET__RELABELFROM, NULL); 5515 if (err) 5516 return err; 5517 err = avc_has_perm(&selinux_state, 5518 sid, sid, SECCLASS_TUN_SOCKET, 5519 TUN_SOCKET__RELABELTO, NULL); 5520 if (err) 5521 return err; 5522 tunsec->sid = sid; 5523 5524 return 0; 5525 } 5526 5527 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 5528 { 5529 int err = 0; 5530 u32 perm; 5531 struct nlmsghdr *nlh; 5532 struct sk_security_struct *sksec = sk->sk_security; 5533 5534 if (skb->len < NLMSG_HDRLEN) { 5535 err = -EINVAL; 5536 goto out; 5537 } 5538 nlh = nlmsg_hdr(skb); 5539 5540 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 5541 if (err) { 5542 if (err == -EINVAL) { 5543 pr_warn_ratelimited("SELinux: unrecognized netlink" 5544 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 5545 " pig=%d comm=%s\n", 5546 sk->sk_protocol, nlh->nlmsg_type, 5547 secclass_map[sksec->sclass - 1].name, 5548 task_pid_nr(current), current->comm); 5549 if (!enforcing_enabled(&selinux_state) || 5550 security_get_allow_unknown(&selinux_state)) 5551 err = 0; 5552 } 5553 5554 /* Ignore */ 5555 if (err == -ENOENT) 5556 err = 0; 5557 goto out; 5558 } 5559 5560 err = sock_has_perm(sk, perm); 5561 out: 5562 return err; 5563 } 5564 5565 #ifdef CONFIG_NETFILTER 5566 5567 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5568 const struct net_device *indev, 5569 u16 family) 5570 { 5571 int err; 5572 char *addrp; 5573 u32 peer_sid; 5574 struct common_audit_data ad; 5575 struct lsm_network_audit net = {0,}; 5576 u8 secmark_active; 5577 u8 netlbl_active; 5578 u8 peerlbl_active; 5579 5580 if (!selinux_policycap_netpeer()) 5581 return NF_ACCEPT; 5582 5583 secmark_active = selinux_secmark_enabled(); 5584 netlbl_active = netlbl_enabled(); 5585 peerlbl_active = selinux_peerlbl_enabled(); 5586 if (!secmark_active && !peerlbl_active) 5587 return NF_ACCEPT; 5588 5589 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5590 return NF_DROP; 5591 5592 ad.type = LSM_AUDIT_DATA_NET; 5593 ad.u.net = &net; 5594 ad.u.net->netif = indev->ifindex; 5595 ad.u.net->family = family; 5596 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5597 return NF_DROP; 5598 5599 if (peerlbl_active) { 5600 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5601 addrp, family, peer_sid, &ad); 5602 if (err) { 5603 selinux_netlbl_err(skb, family, err, 1); 5604 return NF_DROP; 5605 } 5606 } 5607 5608 if (secmark_active) 5609 if (avc_has_perm(&selinux_state, 5610 peer_sid, skb->secmark, 5611 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5612 return NF_DROP; 5613 5614 if (netlbl_active) 5615 /* we do this in the FORWARD path and not the POST_ROUTING 5616 * path because we want to make sure we apply the necessary 5617 * labeling before IPsec is applied so we can leverage AH 5618 * protection */ 5619 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5620 return NF_DROP; 5621 5622 return NF_ACCEPT; 5623 } 5624 5625 static unsigned int selinux_ipv4_forward(void *priv, 5626 struct sk_buff *skb, 5627 const struct nf_hook_state *state) 5628 { 5629 return selinux_ip_forward(skb, state->in, PF_INET); 5630 } 5631 5632 #if IS_ENABLED(CONFIG_IPV6) 5633 static unsigned int selinux_ipv6_forward(void *priv, 5634 struct sk_buff *skb, 5635 const struct nf_hook_state *state) 5636 { 5637 return selinux_ip_forward(skb, state->in, PF_INET6); 5638 } 5639 #endif /* IPV6 */ 5640 5641 static unsigned int selinux_ip_output(struct sk_buff *skb, 5642 u16 family) 5643 { 5644 struct sock *sk; 5645 u32 sid; 5646 5647 if (!netlbl_enabled()) 5648 return NF_ACCEPT; 5649 5650 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5651 * because we want to make sure we apply the necessary labeling 5652 * before IPsec is applied so we can leverage AH protection */ 5653 sk = skb->sk; 5654 if (sk) { 5655 struct sk_security_struct *sksec; 5656 5657 if (sk_listener(sk)) 5658 /* if the socket is the listening state then this 5659 * packet is a SYN-ACK packet which means it needs to 5660 * be labeled based on the connection/request_sock and 5661 * not the parent socket. unfortunately, we can't 5662 * lookup the request_sock yet as it isn't queued on 5663 * the parent socket until after the SYN-ACK is sent. 5664 * the "solution" is to simply pass the packet as-is 5665 * as any IP option based labeling should be copied 5666 * from the initial connection request (in the IP 5667 * layer). it is far from ideal, but until we get a 5668 * security label in the packet itself this is the 5669 * best we can do. */ 5670 return NF_ACCEPT; 5671 5672 /* standard practice, label using the parent socket */ 5673 sksec = sk->sk_security; 5674 sid = sksec->sid; 5675 } else 5676 sid = SECINITSID_KERNEL; 5677 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5678 return NF_DROP; 5679 5680 return NF_ACCEPT; 5681 } 5682 5683 static unsigned int selinux_ipv4_output(void *priv, 5684 struct sk_buff *skb, 5685 const struct nf_hook_state *state) 5686 { 5687 return selinux_ip_output(skb, PF_INET); 5688 } 5689 5690 #if IS_ENABLED(CONFIG_IPV6) 5691 static unsigned int selinux_ipv6_output(void *priv, 5692 struct sk_buff *skb, 5693 const struct nf_hook_state *state) 5694 { 5695 return selinux_ip_output(skb, PF_INET6); 5696 } 5697 #endif /* IPV6 */ 5698 5699 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5700 int ifindex, 5701 u16 family) 5702 { 5703 struct sock *sk = skb_to_full_sk(skb); 5704 struct sk_security_struct *sksec; 5705 struct common_audit_data ad; 5706 struct lsm_network_audit net = {0,}; 5707 char *addrp; 5708 u8 proto; 5709 5710 if (sk == NULL) 5711 return NF_ACCEPT; 5712 sksec = sk->sk_security; 5713 5714 ad.type = LSM_AUDIT_DATA_NET; 5715 ad.u.net = &net; 5716 ad.u.net->netif = ifindex; 5717 ad.u.net->family = family; 5718 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5719 return NF_DROP; 5720 5721 if (selinux_secmark_enabled()) 5722 if (avc_has_perm(&selinux_state, 5723 sksec->sid, skb->secmark, 5724 SECCLASS_PACKET, PACKET__SEND, &ad)) 5725 return NF_DROP_ERR(-ECONNREFUSED); 5726 5727 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5728 return NF_DROP_ERR(-ECONNREFUSED); 5729 5730 return NF_ACCEPT; 5731 } 5732 5733 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5734 const struct net_device *outdev, 5735 u16 family) 5736 { 5737 u32 secmark_perm; 5738 u32 peer_sid; 5739 int ifindex = outdev->ifindex; 5740 struct sock *sk; 5741 struct common_audit_data ad; 5742 struct lsm_network_audit net = {0,}; 5743 char *addrp; 5744 u8 secmark_active; 5745 u8 peerlbl_active; 5746 5747 /* If any sort of compatibility mode is enabled then handoff processing 5748 * to the selinux_ip_postroute_compat() function to deal with the 5749 * special handling. We do this in an attempt to keep this function 5750 * as fast and as clean as possible. */ 5751 if (!selinux_policycap_netpeer()) 5752 return selinux_ip_postroute_compat(skb, ifindex, family); 5753 5754 secmark_active = selinux_secmark_enabled(); 5755 peerlbl_active = selinux_peerlbl_enabled(); 5756 if (!secmark_active && !peerlbl_active) 5757 return NF_ACCEPT; 5758 5759 sk = skb_to_full_sk(skb); 5760 5761 #ifdef CONFIG_XFRM 5762 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5763 * packet transformation so allow the packet to pass without any checks 5764 * since we'll have another chance to perform access control checks 5765 * when the packet is on it's final way out. 5766 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5767 * is NULL, in this case go ahead and apply access control. 5768 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5769 * TCP listening state we cannot wait until the XFRM processing 5770 * is done as we will miss out on the SA label if we do; 5771 * unfortunately, this means more work, but it is only once per 5772 * connection. */ 5773 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5774 !(sk && sk_listener(sk))) 5775 return NF_ACCEPT; 5776 #endif 5777 5778 if (sk == NULL) { 5779 /* Without an associated socket the packet is either coming 5780 * from the kernel or it is being forwarded; check the packet 5781 * to determine which and if the packet is being forwarded 5782 * query the packet directly to determine the security label. */ 5783 if (skb->skb_iif) { 5784 secmark_perm = PACKET__FORWARD_OUT; 5785 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5786 return NF_DROP; 5787 } else { 5788 secmark_perm = PACKET__SEND; 5789 peer_sid = SECINITSID_KERNEL; 5790 } 5791 } else if (sk_listener(sk)) { 5792 /* Locally generated packet but the associated socket is in the 5793 * listening state which means this is a SYN-ACK packet. In 5794 * this particular case the correct security label is assigned 5795 * to the connection/request_sock but unfortunately we can't 5796 * query the request_sock as it isn't queued on the parent 5797 * socket until after the SYN-ACK packet is sent; the only 5798 * viable choice is to regenerate the label like we do in 5799 * selinux_inet_conn_request(). See also selinux_ip_output() 5800 * for similar problems. */ 5801 u32 skb_sid; 5802 struct sk_security_struct *sksec; 5803 5804 sksec = sk->sk_security; 5805 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5806 return NF_DROP; 5807 /* At this point, if the returned skb peerlbl is SECSID_NULL 5808 * and the packet has been through at least one XFRM 5809 * transformation then we must be dealing with the "final" 5810 * form of labeled IPsec packet; since we've already applied 5811 * all of our access controls on this packet we can safely 5812 * pass the packet. */ 5813 if (skb_sid == SECSID_NULL) { 5814 switch (family) { 5815 case PF_INET: 5816 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5817 return NF_ACCEPT; 5818 break; 5819 case PF_INET6: 5820 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5821 return NF_ACCEPT; 5822 break; 5823 default: 5824 return NF_DROP_ERR(-ECONNREFUSED); 5825 } 5826 } 5827 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5828 return NF_DROP; 5829 secmark_perm = PACKET__SEND; 5830 } else { 5831 /* Locally generated packet, fetch the security label from the 5832 * associated socket. */ 5833 struct sk_security_struct *sksec = sk->sk_security; 5834 peer_sid = sksec->sid; 5835 secmark_perm = PACKET__SEND; 5836 } 5837 5838 ad.type = LSM_AUDIT_DATA_NET; 5839 ad.u.net = &net; 5840 ad.u.net->netif = ifindex; 5841 ad.u.net->family = family; 5842 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5843 return NF_DROP; 5844 5845 if (secmark_active) 5846 if (avc_has_perm(&selinux_state, 5847 peer_sid, skb->secmark, 5848 SECCLASS_PACKET, secmark_perm, &ad)) 5849 return NF_DROP_ERR(-ECONNREFUSED); 5850 5851 if (peerlbl_active) { 5852 u32 if_sid; 5853 u32 node_sid; 5854 5855 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5856 return NF_DROP; 5857 if (avc_has_perm(&selinux_state, 5858 peer_sid, if_sid, 5859 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5860 return NF_DROP_ERR(-ECONNREFUSED); 5861 5862 if (sel_netnode_sid(addrp, family, &node_sid)) 5863 return NF_DROP; 5864 if (avc_has_perm(&selinux_state, 5865 peer_sid, node_sid, 5866 SECCLASS_NODE, NODE__SENDTO, &ad)) 5867 return NF_DROP_ERR(-ECONNREFUSED); 5868 } 5869 5870 return NF_ACCEPT; 5871 } 5872 5873 static unsigned int selinux_ipv4_postroute(void *priv, 5874 struct sk_buff *skb, 5875 const struct nf_hook_state *state) 5876 { 5877 return selinux_ip_postroute(skb, state->out, PF_INET); 5878 } 5879 5880 #if IS_ENABLED(CONFIG_IPV6) 5881 static unsigned int selinux_ipv6_postroute(void *priv, 5882 struct sk_buff *skb, 5883 const struct nf_hook_state *state) 5884 { 5885 return selinux_ip_postroute(skb, state->out, PF_INET6); 5886 } 5887 #endif /* IPV6 */ 5888 5889 #endif /* CONFIG_NETFILTER */ 5890 5891 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5892 { 5893 return selinux_nlmsg_perm(sk, skb); 5894 } 5895 5896 static int ipc_alloc_security(struct kern_ipc_perm *perm, 5897 u16 sclass) 5898 { 5899 struct ipc_security_struct *isec; 5900 5901 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 5902 if (!isec) 5903 return -ENOMEM; 5904 5905 isec->sclass = sclass; 5906 isec->sid = current_sid(); 5907 perm->security = isec; 5908 5909 return 0; 5910 } 5911 5912 static void ipc_free_security(struct kern_ipc_perm *perm) 5913 { 5914 struct ipc_security_struct *isec = perm->security; 5915 perm->security = NULL; 5916 kfree(isec); 5917 } 5918 5919 static int msg_msg_alloc_security(struct msg_msg *msg) 5920 { 5921 struct msg_security_struct *msec; 5922 5923 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 5924 if (!msec) 5925 return -ENOMEM; 5926 5927 msec->sid = SECINITSID_UNLABELED; 5928 msg->security = msec; 5929 5930 return 0; 5931 } 5932 5933 static void msg_msg_free_security(struct msg_msg *msg) 5934 { 5935 struct msg_security_struct *msec = msg->security; 5936 5937 msg->security = NULL; 5938 kfree(msec); 5939 } 5940 5941 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5942 u32 perms) 5943 { 5944 struct ipc_security_struct *isec; 5945 struct common_audit_data ad; 5946 u32 sid = current_sid(); 5947 5948 isec = ipc_perms->security; 5949 5950 ad.type = LSM_AUDIT_DATA_IPC; 5951 ad.u.ipc_id = ipc_perms->key; 5952 5953 return avc_has_perm(&selinux_state, 5954 sid, isec->sid, isec->sclass, perms, &ad); 5955 } 5956 5957 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5958 { 5959 return msg_msg_alloc_security(msg); 5960 } 5961 5962 static void selinux_msg_msg_free_security(struct msg_msg *msg) 5963 { 5964 msg_msg_free_security(msg); 5965 } 5966 5967 /* message queue security operations */ 5968 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 5969 { 5970 struct ipc_security_struct *isec; 5971 struct common_audit_data ad; 5972 u32 sid = current_sid(); 5973 int rc; 5974 5975 rc = ipc_alloc_security(msq, SECCLASS_MSGQ); 5976 if (rc) 5977 return rc; 5978 5979 isec = msq->security; 5980 5981 ad.type = LSM_AUDIT_DATA_IPC; 5982 ad.u.ipc_id = msq->key; 5983 5984 rc = avc_has_perm(&selinux_state, 5985 sid, isec->sid, SECCLASS_MSGQ, 5986 MSGQ__CREATE, &ad); 5987 if (rc) { 5988 ipc_free_security(msq); 5989 return rc; 5990 } 5991 return 0; 5992 } 5993 5994 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq) 5995 { 5996 ipc_free_security(msq); 5997 } 5998 5999 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 6000 { 6001 struct ipc_security_struct *isec; 6002 struct common_audit_data ad; 6003 u32 sid = current_sid(); 6004 6005 isec = msq->security; 6006 6007 ad.type = LSM_AUDIT_DATA_IPC; 6008 ad.u.ipc_id = msq->key; 6009 6010 return avc_has_perm(&selinux_state, 6011 sid, isec->sid, SECCLASS_MSGQ, 6012 MSGQ__ASSOCIATE, &ad); 6013 } 6014 6015 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 6016 { 6017 int err; 6018 int perms; 6019 6020 switch (cmd) { 6021 case IPC_INFO: 6022 case MSG_INFO: 6023 /* No specific object, just general system-wide information. */ 6024 return avc_has_perm(&selinux_state, 6025 current_sid(), SECINITSID_KERNEL, 6026 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6027 case IPC_STAT: 6028 case MSG_STAT: 6029 case MSG_STAT_ANY: 6030 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6031 break; 6032 case IPC_SET: 6033 perms = MSGQ__SETATTR; 6034 break; 6035 case IPC_RMID: 6036 perms = MSGQ__DESTROY; 6037 break; 6038 default: 6039 return 0; 6040 } 6041 6042 err = ipc_has_perm(msq, perms); 6043 return err; 6044 } 6045 6046 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6047 { 6048 struct ipc_security_struct *isec; 6049 struct msg_security_struct *msec; 6050 struct common_audit_data ad; 6051 u32 sid = current_sid(); 6052 int rc; 6053 6054 isec = msq->security; 6055 msec = msg->security; 6056 6057 /* 6058 * First time through, need to assign label to the message 6059 */ 6060 if (msec->sid == SECINITSID_UNLABELED) { 6061 /* 6062 * Compute new sid based on current process and 6063 * message queue this message will be stored in 6064 */ 6065 rc = security_transition_sid(&selinux_state, sid, isec->sid, 6066 SECCLASS_MSG, NULL, &msec->sid); 6067 if (rc) 6068 return rc; 6069 } 6070 6071 ad.type = LSM_AUDIT_DATA_IPC; 6072 ad.u.ipc_id = msq->key; 6073 6074 /* Can this process write to the queue? */ 6075 rc = avc_has_perm(&selinux_state, 6076 sid, isec->sid, SECCLASS_MSGQ, 6077 MSGQ__WRITE, &ad); 6078 if (!rc) 6079 /* Can this process send the message */ 6080 rc = avc_has_perm(&selinux_state, 6081 sid, msec->sid, SECCLASS_MSG, 6082 MSG__SEND, &ad); 6083 if (!rc) 6084 /* Can the message be put in the queue? */ 6085 rc = avc_has_perm(&selinux_state, 6086 msec->sid, isec->sid, SECCLASS_MSGQ, 6087 MSGQ__ENQUEUE, &ad); 6088 6089 return rc; 6090 } 6091 6092 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6093 struct task_struct *target, 6094 long type, int mode) 6095 { 6096 struct ipc_security_struct *isec; 6097 struct msg_security_struct *msec; 6098 struct common_audit_data ad; 6099 u32 sid = task_sid(target); 6100 int rc; 6101 6102 isec = msq->security; 6103 msec = msg->security; 6104 6105 ad.type = LSM_AUDIT_DATA_IPC; 6106 ad.u.ipc_id = msq->key; 6107 6108 rc = avc_has_perm(&selinux_state, 6109 sid, isec->sid, 6110 SECCLASS_MSGQ, MSGQ__READ, &ad); 6111 if (!rc) 6112 rc = avc_has_perm(&selinux_state, 6113 sid, msec->sid, 6114 SECCLASS_MSG, MSG__RECEIVE, &ad); 6115 return rc; 6116 } 6117 6118 /* Shared Memory security operations */ 6119 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6120 { 6121 struct ipc_security_struct *isec; 6122 struct common_audit_data ad; 6123 u32 sid = current_sid(); 6124 int rc; 6125 6126 rc = ipc_alloc_security(shp, SECCLASS_SHM); 6127 if (rc) 6128 return rc; 6129 6130 isec = shp->security; 6131 6132 ad.type = LSM_AUDIT_DATA_IPC; 6133 ad.u.ipc_id = shp->key; 6134 6135 rc = avc_has_perm(&selinux_state, 6136 sid, isec->sid, SECCLASS_SHM, 6137 SHM__CREATE, &ad); 6138 if (rc) { 6139 ipc_free_security(shp); 6140 return rc; 6141 } 6142 return 0; 6143 } 6144 6145 static void selinux_shm_free_security(struct kern_ipc_perm *shp) 6146 { 6147 ipc_free_security(shp); 6148 } 6149 6150 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6151 { 6152 struct ipc_security_struct *isec; 6153 struct common_audit_data ad; 6154 u32 sid = current_sid(); 6155 6156 isec = shp->security; 6157 6158 ad.type = LSM_AUDIT_DATA_IPC; 6159 ad.u.ipc_id = shp->key; 6160 6161 return avc_has_perm(&selinux_state, 6162 sid, isec->sid, SECCLASS_SHM, 6163 SHM__ASSOCIATE, &ad); 6164 } 6165 6166 /* Note, at this point, shp is locked down */ 6167 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6168 { 6169 int perms; 6170 int err; 6171 6172 switch (cmd) { 6173 case IPC_INFO: 6174 case SHM_INFO: 6175 /* No specific object, just general system-wide information. */ 6176 return avc_has_perm(&selinux_state, 6177 current_sid(), SECINITSID_KERNEL, 6178 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6179 case IPC_STAT: 6180 case SHM_STAT: 6181 case SHM_STAT_ANY: 6182 perms = SHM__GETATTR | SHM__ASSOCIATE; 6183 break; 6184 case IPC_SET: 6185 perms = SHM__SETATTR; 6186 break; 6187 case SHM_LOCK: 6188 case SHM_UNLOCK: 6189 perms = SHM__LOCK; 6190 break; 6191 case IPC_RMID: 6192 perms = SHM__DESTROY; 6193 break; 6194 default: 6195 return 0; 6196 } 6197 6198 err = ipc_has_perm(shp, perms); 6199 return err; 6200 } 6201 6202 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6203 char __user *shmaddr, int shmflg) 6204 { 6205 u32 perms; 6206 6207 if (shmflg & SHM_RDONLY) 6208 perms = SHM__READ; 6209 else 6210 perms = SHM__READ | SHM__WRITE; 6211 6212 return ipc_has_perm(shp, perms); 6213 } 6214 6215 /* Semaphore security operations */ 6216 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6217 { 6218 struct ipc_security_struct *isec; 6219 struct common_audit_data ad; 6220 u32 sid = current_sid(); 6221 int rc; 6222 6223 rc = ipc_alloc_security(sma, SECCLASS_SEM); 6224 if (rc) 6225 return rc; 6226 6227 isec = sma->security; 6228 6229 ad.type = LSM_AUDIT_DATA_IPC; 6230 ad.u.ipc_id = sma->key; 6231 6232 rc = avc_has_perm(&selinux_state, 6233 sid, isec->sid, SECCLASS_SEM, 6234 SEM__CREATE, &ad); 6235 if (rc) { 6236 ipc_free_security(sma); 6237 return rc; 6238 } 6239 return 0; 6240 } 6241 6242 static void selinux_sem_free_security(struct kern_ipc_perm *sma) 6243 { 6244 ipc_free_security(sma); 6245 } 6246 6247 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6248 { 6249 struct ipc_security_struct *isec; 6250 struct common_audit_data ad; 6251 u32 sid = current_sid(); 6252 6253 isec = sma->security; 6254 6255 ad.type = LSM_AUDIT_DATA_IPC; 6256 ad.u.ipc_id = sma->key; 6257 6258 return avc_has_perm(&selinux_state, 6259 sid, isec->sid, SECCLASS_SEM, 6260 SEM__ASSOCIATE, &ad); 6261 } 6262 6263 /* Note, at this point, sma is locked down */ 6264 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6265 { 6266 int err; 6267 u32 perms; 6268 6269 switch (cmd) { 6270 case IPC_INFO: 6271 case SEM_INFO: 6272 /* No specific object, just general system-wide information. */ 6273 return avc_has_perm(&selinux_state, 6274 current_sid(), SECINITSID_KERNEL, 6275 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6276 case GETPID: 6277 case GETNCNT: 6278 case GETZCNT: 6279 perms = SEM__GETATTR; 6280 break; 6281 case GETVAL: 6282 case GETALL: 6283 perms = SEM__READ; 6284 break; 6285 case SETVAL: 6286 case SETALL: 6287 perms = SEM__WRITE; 6288 break; 6289 case IPC_RMID: 6290 perms = SEM__DESTROY; 6291 break; 6292 case IPC_SET: 6293 perms = SEM__SETATTR; 6294 break; 6295 case IPC_STAT: 6296 case SEM_STAT: 6297 case SEM_STAT_ANY: 6298 perms = SEM__GETATTR | SEM__ASSOCIATE; 6299 break; 6300 default: 6301 return 0; 6302 } 6303 6304 err = ipc_has_perm(sma, perms); 6305 return err; 6306 } 6307 6308 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6309 struct sembuf *sops, unsigned nsops, int alter) 6310 { 6311 u32 perms; 6312 6313 if (alter) 6314 perms = SEM__READ | SEM__WRITE; 6315 else 6316 perms = SEM__READ; 6317 6318 return ipc_has_perm(sma, perms); 6319 } 6320 6321 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6322 { 6323 u32 av = 0; 6324 6325 av = 0; 6326 if (flag & S_IRUGO) 6327 av |= IPC__UNIX_READ; 6328 if (flag & S_IWUGO) 6329 av |= IPC__UNIX_WRITE; 6330 6331 if (av == 0) 6332 return 0; 6333 6334 return ipc_has_perm(ipcp, av); 6335 } 6336 6337 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 6338 { 6339 struct ipc_security_struct *isec = ipcp->security; 6340 *secid = isec->sid; 6341 } 6342 6343 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6344 { 6345 if (inode) 6346 inode_doinit_with_dentry(inode, dentry); 6347 } 6348 6349 static int selinux_getprocattr(struct task_struct *p, 6350 char *name, char **value) 6351 { 6352 const struct task_security_struct *__tsec; 6353 u32 sid; 6354 int error; 6355 unsigned len; 6356 6357 rcu_read_lock(); 6358 __tsec = __task_cred(p)->security; 6359 6360 if (current != p) { 6361 error = avc_has_perm(&selinux_state, 6362 current_sid(), __tsec->sid, 6363 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6364 if (error) 6365 goto bad; 6366 } 6367 6368 if (!strcmp(name, "current")) 6369 sid = __tsec->sid; 6370 else if (!strcmp(name, "prev")) 6371 sid = __tsec->osid; 6372 else if (!strcmp(name, "exec")) 6373 sid = __tsec->exec_sid; 6374 else if (!strcmp(name, "fscreate")) 6375 sid = __tsec->create_sid; 6376 else if (!strcmp(name, "keycreate")) 6377 sid = __tsec->keycreate_sid; 6378 else if (!strcmp(name, "sockcreate")) 6379 sid = __tsec->sockcreate_sid; 6380 else { 6381 error = -EINVAL; 6382 goto bad; 6383 } 6384 rcu_read_unlock(); 6385 6386 if (!sid) 6387 return 0; 6388 6389 error = security_sid_to_context(&selinux_state, sid, value, &len); 6390 if (error) 6391 return error; 6392 return len; 6393 6394 bad: 6395 rcu_read_unlock(); 6396 return error; 6397 } 6398 6399 static int selinux_setprocattr(const char *name, void *value, size_t size) 6400 { 6401 struct task_security_struct *tsec; 6402 struct cred *new; 6403 u32 mysid = current_sid(), sid = 0, ptsid; 6404 int error; 6405 char *str = value; 6406 6407 /* 6408 * Basic control over ability to set these attributes at all. 6409 */ 6410 if (!strcmp(name, "exec")) 6411 error = avc_has_perm(&selinux_state, 6412 mysid, mysid, SECCLASS_PROCESS, 6413 PROCESS__SETEXEC, NULL); 6414 else if (!strcmp(name, "fscreate")) 6415 error = avc_has_perm(&selinux_state, 6416 mysid, mysid, SECCLASS_PROCESS, 6417 PROCESS__SETFSCREATE, NULL); 6418 else if (!strcmp(name, "keycreate")) 6419 error = avc_has_perm(&selinux_state, 6420 mysid, mysid, SECCLASS_PROCESS, 6421 PROCESS__SETKEYCREATE, NULL); 6422 else if (!strcmp(name, "sockcreate")) 6423 error = avc_has_perm(&selinux_state, 6424 mysid, mysid, SECCLASS_PROCESS, 6425 PROCESS__SETSOCKCREATE, NULL); 6426 else if (!strcmp(name, "current")) 6427 error = avc_has_perm(&selinux_state, 6428 mysid, mysid, SECCLASS_PROCESS, 6429 PROCESS__SETCURRENT, NULL); 6430 else 6431 error = -EINVAL; 6432 if (error) 6433 return error; 6434 6435 /* Obtain a SID for the context, if one was specified. */ 6436 if (size && str[0] && str[0] != '\n') { 6437 if (str[size-1] == '\n') { 6438 str[size-1] = 0; 6439 size--; 6440 } 6441 error = security_context_to_sid(&selinux_state, value, size, 6442 &sid, GFP_KERNEL); 6443 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6444 if (!has_cap_mac_admin(true)) { 6445 struct audit_buffer *ab; 6446 size_t audit_size; 6447 6448 /* We strip a nul only if it is at the end, otherwise the 6449 * context contains a nul and we should audit that */ 6450 if (str[size - 1] == '\0') 6451 audit_size = size - 1; 6452 else 6453 audit_size = size; 6454 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 6455 audit_log_format(ab, "op=fscreate invalid_context="); 6456 audit_log_n_untrustedstring(ab, value, audit_size); 6457 audit_log_end(ab); 6458 6459 return error; 6460 } 6461 error = security_context_to_sid_force( 6462 &selinux_state, 6463 value, size, &sid); 6464 } 6465 if (error) 6466 return error; 6467 } 6468 6469 new = prepare_creds(); 6470 if (!new) 6471 return -ENOMEM; 6472 6473 /* Permission checking based on the specified context is 6474 performed during the actual operation (execve, 6475 open/mkdir/...), when we know the full context of the 6476 operation. See selinux_bprm_set_creds for the execve 6477 checks and may_create for the file creation checks. The 6478 operation will then fail if the context is not permitted. */ 6479 tsec = new->security; 6480 if (!strcmp(name, "exec")) { 6481 tsec->exec_sid = sid; 6482 } else if (!strcmp(name, "fscreate")) { 6483 tsec->create_sid = sid; 6484 } else if (!strcmp(name, "keycreate")) { 6485 error = avc_has_perm(&selinux_state, 6486 mysid, sid, SECCLASS_KEY, KEY__CREATE, 6487 NULL); 6488 if (error) 6489 goto abort_change; 6490 tsec->keycreate_sid = sid; 6491 } else if (!strcmp(name, "sockcreate")) { 6492 tsec->sockcreate_sid = sid; 6493 } else if (!strcmp(name, "current")) { 6494 error = -EINVAL; 6495 if (sid == 0) 6496 goto abort_change; 6497 6498 /* Only allow single threaded processes to change context */ 6499 error = -EPERM; 6500 if (!current_is_single_threaded()) { 6501 error = security_bounded_transition(&selinux_state, 6502 tsec->sid, sid); 6503 if (error) 6504 goto abort_change; 6505 } 6506 6507 /* Check permissions for the transition. */ 6508 error = avc_has_perm(&selinux_state, 6509 tsec->sid, sid, SECCLASS_PROCESS, 6510 PROCESS__DYNTRANSITION, NULL); 6511 if (error) 6512 goto abort_change; 6513 6514 /* Check for ptracing, and update the task SID if ok. 6515 Otherwise, leave SID unchanged and fail. */ 6516 ptsid = ptrace_parent_sid(); 6517 if (ptsid != 0) { 6518 error = avc_has_perm(&selinux_state, 6519 ptsid, sid, SECCLASS_PROCESS, 6520 PROCESS__PTRACE, NULL); 6521 if (error) 6522 goto abort_change; 6523 } 6524 6525 tsec->sid = sid; 6526 } else { 6527 error = -EINVAL; 6528 goto abort_change; 6529 } 6530 6531 commit_creds(new); 6532 return size; 6533 6534 abort_change: 6535 abort_creds(new); 6536 return error; 6537 } 6538 6539 static int selinux_ismaclabel(const char *name) 6540 { 6541 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6542 } 6543 6544 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6545 { 6546 return security_sid_to_context(&selinux_state, secid, 6547 secdata, seclen); 6548 } 6549 6550 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6551 { 6552 return security_context_to_sid(&selinux_state, secdata, seclen, 6553 secid, GFP_KERNEL); 6554 } 6555 6556 static void selinux_release_secctx(char *secdata, u32 seclen) 6557 { 6558 kfree(secdata); 6559 } 6560 6561 static void selinux_inode_invalidate_secctx(struct inode *inode) 6562 { 6563 struct inode_security_struct *isec = inode->i_security; 6564 6565 spin_lock(&isec->lock); 6566 isec->initialized = LABEL_INVALID; 6567 spin_unlock(&isec->lock); 6568 } 6569 6570 /* 6571 * called with inode->i_mutex locked 6572 */ 6573 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6574 { 6575 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 6576 } 6577 6578 /* 6579 * called with inode->i_mutex locked 6580 */ 6581 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6582 { 6583 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 6584 } 6585 6586 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6587 { 6588 int len = 0; 6589 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 6590 ctx, true); 6591 if (len < 0) 6592 return len; 6593 *ctxlen = len; 6594 return 0; 6595 } 6596 #ifdef CONFIG_KEYS 6597 6598 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6599 unsigned long flags) 6600 { 6601 const struct task_security_struct *tsec; 6602 struct key_security_struct *ksec; 6603 6604 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6605 if (!ksec) 6606 return -ENOMEM; 6607 6608 tsec = cred->security; 6609 if (tsec->keycreate_sid) 6610 ksec->sid = tsec->keycreate_sid; 6611 else 6612 ksec->sid = tsec->sid; 6613 6614 k->security = ksec; 6615 return 0; 6616 } 6617 6618 static void selinux_key_free(struct key *k) 6619 { 6620 struct key_security_struct *ksec = k->security; 6621 6622 k->security = NULL; 6623 kfree(ksec); 6624 } 6625 6626 static int selinux_key_permission(key_ref_t key_ref, 6627 const struct cred *cred, 6628 unsigned perm) 6629 { 6630 struct key *key; 6631 struct key_security_struct *ksec; 6632 u32 sid; 6633 6634 /* if no specific permissions are requested, we skip the 6635 permission check. No serious, additional covert channels 6636 appear to be created. */ 6637 if (perm == 0) 6638 return 0; 6639 6640 sid = cred_sid(cred); 6641 6642 key = key_ref_to_ptr(key_ref); 6643 ksec = key->security; 6644 6645 return avc_has_perm(&selinux_state, 6646 sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6647 } 6648 6649 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6650 { 6651 struct key_security_struct *ksec = key->security; 6652 char *context = NULL; 6653 unsigned len; 6654 int rc; 6655 6656 rc = security_sid_to_context(&selinux_state, ksec->sid, 6657 &context, &len); 6658 if (!rc) 6659 rc = len; 6660 *_buffer = context; 6661 return rc; 6662 } 6663 #endif 6664 6665 #ifdef CONFIG_SECURITY_INFINIBAND 6666 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6667 { 6668 struct common_audit_data ad; 6669 int err; 6670 u32 sid = 0; 6671 struct ib_security_struct *sec = ib_sec; 6672 struct lsm_ibpkey_audit ibpkey; 6673 6674 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6675 if (err) 6676 return err; 6677 6678 ad.type = LSM_AUDIT_DATA_IBPKEY; 6679 ibpkey.subnet_prefix = subnet_prefix; 6680 ibpkey.pkey = pkey_val; 6681 ad.u.ibpkey = &ibpkey; 6682 return avc_has_perm(&selinux_state, 6683 sec->sid, sid, 6684 SECCLASS_INFINIBAND_PKEY, 6685 INFINIBAND_PKEY__ACCESS, &ad); 6686 } 6687 6688 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6689 u8 port_num) 6690 { 6691 struct common_audit_data ad; 6692 int err; 6693 u32 sid = 0; 6694 struct ib_security_struct *sec = ib_sec; 6695 struct lsm_ibendport_audit ibendport; 6696 6697 err = security_ib_endport_sid(&selinux_state, dev_name, port_num, 6698 &sid); 6699 6700 if (err) 6701 return err; 6702 6703 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6704 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6705 ibendport.port = port_num; 6706 ad.u.ibendport = &ibendport; 6707 return avc_has_perm(&selinux_state, 6708 sec->sid, sid, 6709 SECCLASS_INFINIBAND_ENDPORT, 6710 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6711 } 6712 6713 static int selinux_ib_alloc_security(void **ib_sec) 6714 { 6715 struct ib_security_struct *sec; 6716 6717 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6718 if (!sec) 6719 return -ENOMEM; 6720 sec->sid = current_sid(); 6721 6722 *ib_sec = sec; 6723 return 0; 6724 } 6725 6726 static void selinux_ib_free_security(void *ib_sec) 6727 { 6728 kfree(ib_sec); 6729 } 6730 #endif 6731 6732 #ifdef CONFIG_BPF_SYSCALL 6733 static int selinux_bpf(int cmd, union bpf_attr *attr, 6734 unsigned int size) 6735 { 6736 u32 sid = current_sid(); 6737 int ret; 6738 6739 switch (cmd) { 6740 case BPF_MAP_CREATE: 6741 ret = avc_has_perm(&selinux_state, 6742 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6743 NULL); 6744 break; 6745 case BPF_PROG_LOAD: 6746 ret = avc_has_perm(&selinux_state, 6747 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6748 NULL); 6749 break; 6750 default: 6751 ret = 0; 6752 break; 6753 } 6754 6755 return ret; 6756 } 6757 6758 static u32 bpf_map_fmode_to_av(fmode_t fmode) 6759 { 6760 u32 av = 0; 6761 6762 if (fmode & FMODE_READ) 6763 av |= BPF__MAP_READ; 6764 if (fmode & FMODE_WRITE) 6765 av |= BPF__MAP_WRITE; 6766 return av; 6767 } 6768 6769 /* This function will check the file pass through unix socket or binder to see 6770 * if it is a bpf related object. And apply correspinding checks on the bpf 6771 * object based on the type. The bpf maps and programs, not like other files and 6772 * socket, are using a shared anonymous inode inside the kernel as their inode. 6773 * So checking that inode cannot identify if the process have privilege to 6774 * access the bpf object and that's why we have to add this additional check in 6775 * selinux_file_receive and selinux_binder_transfer_files. 6776 */ 6777 static int bpf_fd_pass(struct file *file, u32 sid) 6778 { 6779 struct bpf_security_struct *bpfsec; 6780 struct bpf_prog *prog; 6781 struct bpf_map *map; 6782 int ret; 6783 6784 if (file->f_op == &bpf_map_fops) { 6785 map = file->private_data; 6786 bpfsec = map->security; 6787 ret = avc_has_perm(&selinux_state, 6788 sid, bpfsec->sid, SECCLASS_BPF, 6789 bpf_map_fmode_to_av(file->f_mode), NULL); 6790 if (ret) 6791 return ret; 6792 } else if (file->f_op == &bpf_prog_fops) { 6793 prog = file->private_data; 6794 bpfsec = prog->aux->security; 6795 ret = avc_has_perm(&selinux_state, 6796 sid, bpfsec->sid, SECCLASS_BPF, 6797 BPF__PROG_RUN, NULL); 6798 if (ret) 6799 return ret; 6800 } 6801 return 0; 6802 } 6803 6804 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 6805 { 6806 u32 sid = current_sid(); 6807 struct bpf_security_struct *bpfsec; 6808 6809 bpfsec = map->security; 6810 return avc_has_perm(&selinux_state, 6811 sid, bpfsec->sid, SECCLASS_BPF, 6812 bpf_map_fmode_to_av(fmode), NULL); 6813 } 6814 6815 static int selinux_bpf_prog(struct bpf_prog *prog) 6816 { 6817 u32 sid = current_sid(); 6818 struct bpf_security_struct *bpfsec; 6819 6820 bpfsec = prog->aux->security; 6821 return avc_has_perm(&selinux_state, 6822 sid, bpfsec->sid, SECCLASS_BPF, 6823 BPF__PROG_RUN, NULL); 6824 } 6825 6826 static int selinux_bpf_map_alloc(struct bpf_map *map) 6827 { 6828 struct bpf_security_struct *bpfsec; 6829 6830 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6831 if (!bpfsec) 6832 return -ENOMEM; 6833 6834 bpfsec->sid = current_sid(); 6835 map->security = bpfsec; 6836 6837 return 0; 6838 } 6839 6840 static void selinux_bpf_map_free(struct bpf_map *map) 6841 { 6842 struct bpf_security_struct *bpfsec = map->security; 6843 6844 map->security = NULL; 6845 kfree(bpfsec); 6846 } 6847 6848 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux) 6849 { 6850 struct bpf_security_struct *bpfsec; 6851 6852 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6853 if (!bpfsec) 6854 return -ENOMEM; 6855 6856 bpfsec->sid = current_sid(); 6857 aux->security = bpfsec; 6858 6859 return 0; 6860 } 6861 6862 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) 6863 { 6864 struct bpf_security_struct *bpfsec = aux->security; 6865 6866 aux->security = NULL; 6867 kfree(bpfsec); 6868 } 6869 #endif 6870 6871 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 6872 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6873 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6874 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6875 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6876 6877 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 6878 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 6879 LSM_HOOK_INIT(capget, selinux_capget), 6880 LSM_HOOK_INIT(capset, selinux_capset), 6881 LSM_HOOK_INIT(capable, selinux_capable), 6882 LSM_HOOK_INIT(quotactl, selinux_quotactl), 6883 LSM_HOOK_INIT(quota_on, selinux_quota_on), 6884 LSM_HOOK_INIT(syslog, selinux_syslog), 6885 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6886 6887 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6888 6889 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6890 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6891 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6892 6893 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6894 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6895 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data), 6896 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6897 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6898 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6899 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 6900 LSM_HOOK_INIT(sb_mount, selinux_mount), 6901 LSM_HOOK_INIT(sb_umount, selinux_umount), 6902 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 6903 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 6904 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), 6905 6906 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 6907 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 6908 6909 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 6910 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 6911 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 6912 LSM_HOOK_INIT(inode_create, selinux_inode_create), 6913 LSM_HOOK_INIT(inode_link, selinux_inode_link), 6914 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 6915 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 6916 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 6917 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 6918 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 6919 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 6920 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 6921 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 6922 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 6923 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 6924 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 6925 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 6926 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 6927 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 6928 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 6929 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 6930 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 6931 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 6932 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 6933 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 6934 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 6935 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 6936 6937 LSM_HOOK_INIT(file_permission, selinux_file_permission), 6938 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 6939 LSM_HOOK_INIT(file_free_security, selinux_file_free_security), 6940 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 6941 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 6942 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 6943 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 6944 LSM_HOOK_INIT(file_lock, selinux_file_lock), 6945 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 6946 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 6947 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 6948 LSM_HOOK_INIT(file_receive, selinux_file_receive), 6949 6950 LSM_HOOK_INIT(file_open, selinux_file_open), 6951 6952 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 6953 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), 6954 LSM_HOOK_INIT(cred_free, selinux_cred_free), 6955 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6956 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6957 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 6958 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6959 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6960 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6961 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 6962 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 6963 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 6964 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 6965 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), 6966 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 6967 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 6968 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 6969 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 6970 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 6971 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 6972 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 6973 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 6974 LSM_HOOK_INIT(task_kill, selinux_task_kill), 6975 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 6976 6977 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 6978 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 6979 6980 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 6981 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security), 6982 6983 LSM_HOOK_INIT(msg_queue_alloc_security, 6984 selinux_msg_queue_alloc_security), 6985 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security), 6986 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 6987 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 6988 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 6989 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 6990 6991 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 6992 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security), 6993 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 6994 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 6995 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 6996 6997 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 6998 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security), 6999 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 7000 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 7001 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 7002 7003 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 7004 7005 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 7006 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 7007 7008 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 7009 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 7010 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 7011 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 7012 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 7013 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 7014 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 7015 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 7016 7017 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 7018 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 7019 7020 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7021 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7022 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7023 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7024 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7025 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7026 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7027 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7028 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7029 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7030 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7031 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7032 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7033 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7034 LSM_HOOK_INIT(socket_getpeersec_stream, 7035 selinux_socket_getpeersec_stream), 7036 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7037 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7038 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7039 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7040 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7041 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7042 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7043 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7044 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7045 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7046 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7047 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7048 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7049 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7050 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7051 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7052 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7053 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 7054 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7055 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7056 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7057 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7058 #ifdef CONFIG_SECURITY_INFINIBAND 7059 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7060 LSM_HOOK_INIT(ib_endport_manage_subnet, 7061 selinux_ib_endport_manage_subnet), 7062 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7063 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 7064 #endif 7065 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7066 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7067 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7068 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7069 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7070 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7071 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7072 selinux_xfrm_state_alloc_acquire), 7073 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7074 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7075 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7076 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7077 selinux_xfrm_state_pol_flow_match), 7078 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7079 #endif 7080 7081 #ifdef CONFIG_KEYS 7082 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7083 LSM_HOOK_INIT(key_free, selinux_key_free), 7084 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7085 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7086 #endif 7087 7088 #ifdef CONFIG_AUDIT 7089 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7090 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7091 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7092 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7093 #endif 7094 7095 #ifdef CONFIG_BPF_SYSCALL 7096 LSM_HOOK_INIT(bpf, selinux_bpf), 7097 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7098 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7099 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), 7100 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), 7101 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free), 7102 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free), 7103 #endif 7104 }; 7105 7106 static __init int selinux_init(void) 7107 { 7108 if (!security_module_enable("selinux")) { 7109 selinux_enabled = 0; 7110 return 0; 7111 } 7112 7113 if (!selinux_enabled) { 7114 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 7115 return 0; 7116 } 7117 7118 printk(KERN_INFO "SELinux: Initializing.\n"); 7119 7120 memset(&selinux_state, 0, sizeof(selinux_state)); 7121 enforcing_set(&selinux_state, selinux_enforcing_boot); 7122 selinux_state.checkreqprot = selinux_checkreqprot_boot; 7123 selinux_ss_init(&selinux_state.ss); 7124 selinux_avc_init(&selinux_state.avc); 7125 7126 /* Set the security state for the initial task. */ 7127 cred_init_security(); 7128 7129 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7130 7131 sel_inode_cache = kmem_cache_create("selinux_inode_security", 7132 sizeof(struct inode_security_struct), 7133 0, SLAB_PANIC, NULL); 7134 file_security_cache = kmem_cache_create("selinux_file_security", 7135 sizeof(struct file_security_struct), 7136 0, SLAB_PANIC, NULL); 7137 avc_init(); 7138 7139 avtab_cache_init(); 7140 7141 ebitmap_cache_init(); 7142 7143 hashtab_cache_init(); 7144 7145 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 7146 7147 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7148 panic("SELinux: Unable to register AVC netcache callback\n"); 7149 7150 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7151 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7152 7153 if (selinux_enforcing_boot) 7154 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 7155 else 7156 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 7157 7158 return 0; 7159 } 7160 7161 static void delayed_superblock_init(struct super_block *sb, void *unused) 7162 { 7163 superblock_doinit(sb, NULL); 7164 } 7165 7166 void selinux_complete_init(void) 7167 { 7168 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 7169 7170 /* Set up any superblocks initialized prior to the policy load. */ 7171 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 7172 iterate_supers(delayed_superblock_init, NULL); 7173 } 7174 7175 /* SELinux requires early initialization in order to label 7176 all processes and objects when they are created. */ 7177 security_initcall(selinux_init); 7178 7179 #if defined(CONFIG_NETFILTER) 7180 7181 static const struct nf_hook_ops selinux_nf_ops[] = { 7182 { 7183 .hook = selinux_ipv4_postroute, 7184 .pf = NFPROTO_IPV4, 7185 .hooknum = NF_INET_POST_ROUTING, 7186 .priority = NF_IP_PRI_SELINUX_LAST, 7187 }, 7188 { 7189 .hook = selinux_ipv4_forward, 7190 .pf = NFPROTO_IPV4, 7191 .hooknum = NF_INET_FORWARD, 7192 .priority = NF_IP_PRI_SELINUX_FIRST, 7193 }, 7194 { 7195 .hook = selinux_ipv4_output, 7196 .pf = NFPROTO_IPV4, 7197 .hooknum = NF_INET_LOCAL_OUT, 7198 .priority = NF_IP_PRI_SELINUX_FIRST, 7199 }, 7200 #if IS_ENABLED(CONFIG_IPV6) 7201 { 7202 .hook = selinux_ipv6_postroute, 7203 .pf = NFPROTO_IPV6, 7204 .hooknum = NF_INET_POST_ROUTING, 7205 .priority = NF_IP6_PRI_SELINUX_LAST, 7206 }, 7207 { 7208 .hook = selinux_ipv6_forward, 7209 .pf = NFPROTO_IPV6, 7210 .hooknum = NF_INET_FORWARD, 7211 .priority = NF_IP6_PRI_SELINUX_FIRST, 7212 }, 7213 { 7214 .hook = selinux_ipv6_output, 7215 .pf = NFPROTO_IPV6, 7216 .hooknum = NF_INET_LOCAL_OUT, 7217 .priority = NF_IP6_PRI_SELINUX_FIRST, 7218 }, 7219 #endif /* IPV6 */ 7220 }; 7221 7222 static int __net_init selinux_nf_register(struct net *net) 7223 { 7224 return nf_register_net_hooks(net, selinux_nf_ops, 7225 ARRAY_SIZE(selinux_nf_ops)); 7226 } 7227 7228 static void __net_exit selinux_nf_unregister(struct net *net) 7229 { 7230 nf_unregister_net_hooks(net, selinux_nf_ops, 7231 ARRAY_SIZE(selinux_nf_ops)); 7232 } 7233 7234 static struct pernet_operations selinux_net_ops = { 7235 .init = selinux_nf_register, 7236 .exit = selinux_nf_unregister, 7237 }; 7238 7239 static int __init selinux_nf_ip_init(void) 7240 { 7241 int err; 7242 7243 if (!selinux_enabled) 7244 return 0; 7245 7246 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 7247 7248 err = register_pernet_subsys(&selinux_net_ops); 7249 if (err) 7250 panic("SELinux: register_pernet_subsys: error %d\n", err); 7251 7252 return 0; 7253 } 7254 __initcall(selinux_nf_ip_init); 7255 7256 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7257 static void selinux_nf_ip_exit(void) 7258 { 7259 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 7260 7261 unregister_pernet_subsys(&selinux_net_ops); 7262 } 7263 #endif 7264 7265 #else /* CONFIG_NETFILTER */ 7266 7267 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7268 #define selinux_nf_ip_exit() 7269 #endif 7270 7271 #endif /* CONFIG_NETFILTER */ 7272 7273 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7274 int selinux_disable(struct selinux_state *state) 7275 { 7276 if (state->initialized) { 7277 /* Not permitted after initial policy load. */ 7278 return -EINVAL; 7279 } 7280 7281 if (state->disabled) { 7282 /* Only do this once. */ 7283 return -EINVAL; 7284 } 7285 7286 state->disabled = 1; 7287 7288 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 7289 7290 selinux_enabled = 0; 7291 7292 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7293 7294 /* Try to destroy the avc node cache */ 7295 avc_disable(); 7296 7297 /* Unregister netfilter hooks. */ 7298 selinux_nf_ip_exit(); 7299 7300 /* Unregister selinuxfs. */ 7301 exit_sel_fs(); 7302 7303 return 0; 7304 } 7305 #endif 7306