1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * Copyright (C) 2016 Mellanox Technologies 21 * 22 * This program is free software; you can redistribute it and/or modify 23 * it under the terms of the GNU General Public License version 2, 24 * as published by the Free Software Foundation. 25 */ 26 27 #include <linux/init.h> 28 #include <linux/kd.h> 29 #include <linux/kernel.h> 30 #include <linux/tracehook.h> 31 #include <linux/errno.h> 32 #include <linux/sched/signal.h> 33 #include <linux/sched/task.h> 34 #include <linux/lsm_hooks.h> 35 #include <linux/xattr.h> 36 #include <linux/capability.h> 37 #include <linux/unistd.h> 38 #include <linux/mm.h> 39 #include <linux/mman.h> 40 #include <linux/slab.h> 41 #include <linux/pagemap.h> 42 #include <linux/proc_fs.h> 43 #include <linux/swap.h> 44 #include <linux/spinlock.h> 45 #include <linux/syscalls.h> 46 #include <linux/dcache.h> 47 #include <linux/file.h> 48 #include <linux/fdtable.h> 49 #include <linux/namei.h> 50 #include <linux/mount.h> 51 #include <linux/netfilter_ipv4.h> 52 #include <linux/netfilter_ipv6.h> 53 #include <linux/tty.h> 54 #include <net/icmp.h> 55 #include <net/ip.h> /* for local_port_range[] */ 56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 57 #include <net/inet_connection_sock.h> 58 #include <net/net_namespace.h> 59 #include <net/netlabel.h> 60 #include <linux/uaccess.h> 61 #include <asm/ioctls.h> 62 #include <linux/atomic.h> 63 #include <linux/bitops.h> 64 #include <linux/interrupt.h> 65 #include <linux/netdevice.h> /* for network interface checks */ 66 #include <net/netlink.h> 67 #include <linux/tcp.h> 68 #include <linux/udp.h> 69 #include <linux/dccp.h> 70 #include <linux/quota.h> 71 #include <linux/un.h> /* for Unix socket types */ 72 #include <net/af_unix.h> /* for Unix socket types */ 73 #include <linux/parser.h> 74 #include <linux/nfs_mount.h> 75 #include <net/ipv6.h> 76 #include <linux/hugetlb.h> 77 #include <linux/personality.h> 78 #include <linux/audit.h> 79 #include <linux/string.h> 80 #include <linux/selinux.h> 81 #include <linux/mutex.h> 82 #include <linux/posix-timers.h> 83 #include <linux/syslog.h> 84 #include <linux/user_namespace.h> 85 #include <linux/export.h> 86 #include <linux/msg.h> 87 #include <linux/shm.h> 88 89 #include "avc.h" 90 #include "objsec.h" 91 #include "netif.h" 92 #include "netnode.h" 93 #include "netport.h" 94 #include "ibpkey.h" 95 #include "xfrm.h" 96 #include "netlabel.h" 97 #include "audit.h" 98 #include "avc_ss.h" 99 100 /* SECMARK reference count */ 101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 102 103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 104 int selinux_enforcing; 105 106 static int __init enforcing_setup(char *str) 107 { 108 unsigned long enforcing; 109 if (!kstrtoul(str, 0, &enforcing)) 110 selinux_enforcing = enforcing ? 1 : 0; 111 return 1; 112 } 113 __setup("enforcing=", enforcing_setup); 114 #endif 115 116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 118 119 static int __init selinux_enabled_setup(char *str) 120 { 121 unsigned long enabled; 122 if (!kstrtoul(str, 0, &enabled)) 123 selinux_enabled = enabled ? 1 : 0; 124 return 1; 125 } 126 __setup("selinux=", selinux_enabled_setup); 127 #else 128 int selinux_enabled = 1; 129 #endif 130 131 static struct kmem_cache *sel_inode_cache; 132 static struct kmem_cache *file_security_cache; 133 134 /** 135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 136 * 137 * Description: 138 * This function checks the SECMARK reference counter to see if any SECMARK 139 * targets are currently configured, if the reference counter is greater than 140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 141 * enabled, false (0) if SECMARK is disabled. If the always_check_network 142 * policy capability is enabled, SECMARK is always considered enabled. 143 * 144 */ 145 static int selinux_secmark_enabled(void) 146 { 147 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount)); 148 } 149 150 /** 151 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 152 * 153 * Description: 154 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 155 * (1) if any are enabled or false (0) if neither are enabled. If the 156 * always_check_network policy capability is enabled, peer labeling 157 * is always considered enabled. 158 * 159 */ 160 static int selinux_peerlbl_enabled(void) 161 { 162 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled()); 163 } 164 165 static int selinux_netcache_avc_callback(u32 event) 166 { 167 if (event == AVC_CALLBACK_RESET) { 168 sel_netif_flush(); 169 sel_netnode_flush(); 170 sel_netport_flush(); 171 synchronize_net(); 172 } 173 return 0; 174 } 175 176 static int selinux_lsm_notifier_avc_callback(u32 event) 177 { 178 if (event == AVC_CALLBACK_RESET) { 179 sel_ib_pkey_flush(); 180 call_lsm_notifier(LSM_POLICY_CHANGE, NULL); 181 } 182 183 return 0; 184 } 185 186 /* 187 * initialise the security for the init task 188 */ 189 static void cred_init_security(void) 190 { 191 struct cred *cred = (struct cred *) current->real_cred; 192 struct task_security_struct *tsec; 193 194 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 195 if (!tsec) 196 panic("SELinux: Failed to initialize initial task.\n"); 197 198 tsec->osid = tsec->sid = SECINITSID_KERNEL; 199 cred->security = tsec; 200 } 201 202 /* 203 * get the security ID of a set of credentials 204 */ 205 static inline u32 cred_sid(const struct cred *cred) 206 { 207 const struct task_security_struct *tsec; 208 209 tsec = cred->security; 210 return tsec->sid; 211 } 212 213 /* 214 * get the objective security ID of a task 215 */ 216 static inline u32 task_sid(const struct task_struct *task) 217 { 218 u32 sid; 219 220 rcu_read_lock(); 221 sid = cred_sid(__task_cred(task)); 222 rcu_read_unlock(); 223 return sid; 224 } 225 226 /* Allocate and free functions for each kind of security blob. */ 227 228 static int inode_alloc_security(struct inode *inode) 229 { 230 struct inode_security_struct *isec; 231 u32 sid = current_sid(); 232 233 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 234 if (!isec) 235 return -ENOMEM; 236 237 spin_lock_init(&isec->lock); 238 INIT_LIST_HEAD(&isec->list); 239 isec->inode = inode; 240 isec->sid = SECINITSID_UNLABELED; 241 isec->sclass = SECCLASS_FILE; 242 isec->task_sid = sid; 243 isec->initialized = LABEL_INVALID; 244 inode->i_security = isec; 245 246 return 0; 247 } 248 249 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 250 251 /* 252 * Try reloading inode security labels that have been marked as invalid. The 253 * @may_sleep parameter indicates when sleeping and thus reloading labels is 254 * allowed; when set to false, returns -ECHILD when the label is 255 * invalid. The @opt_dentry parameter should be set to a dentry of the inode; 256 * when no dentry is available, set it to NULL instead. 257 */ 258 static int __inode_security_revalidate(struct inode *inode, 259 struct dentry *opt_dentry, 260 bool may_sleep) 261 { 262 struct inode_security_struct *isec = inode->i_security; 263 264 might_sleep_if(may_sleep); 265 266 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) { 267 if (!may_sleep) 268 return -ECHILD; 269 270 /* 271 * Try reloading the inode security label. This will fail if 272 * @opt_dentry is NULL and no dentry for this inode can be 273 * found; in that case, continue using the old label. 274 */ 275 inode_doinit_with_dentry(inode, opt_dentry); 276 } 277 return 0; 278 } 279 280 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 281 { 282 return inode->i_security; 283 } 284 285 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 286 { 287 int error; 288 289 error = __inode_security_revalidate(inode, NULL, !rcu); 290 if (error) 291 return ERR_PTR(error); 292 return inode->i_security; 293 } 294 295 /* 296 * Get the security label of an inode. 297 */ 298 static struct inode_security_struct *inode_security(struct inode *inode) 299 { 300 __inode_security_revalidate(inode, NULL, true); 301 return inode->i_security; 302 } 303 304 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 305 { 306 struct inode *inode = d_backing_inode(dentry); 307 308 return inode->i_security; 309 } 310 311 /* 312 * Get the security label of a dentry's backing inode. 313 */ 314 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 315 { 316 struct inode *inode = d_backing_inode(dentry); 317 318 __inode_security_revalidate(inode, dentry, true); 319 return inode->i_security; 320 } 321 322 static void inode_free_rcu(struct rcu_head *head) 323 { 324 struct inode_security_struct *isec; 325 326 isec = container_of(head, struct inode_security_struct, rcu); 327 kmem_cache_free(sel_inode_cache, isec); 328 } 329 330 static void inode_free_security(struct inode *inode) 331 { 332 struct inode_security_struct *isec = inode->i_security; 333 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 334 335 /* 336 * As not all inode security structures are in a list, we check for 337 * empty list outside of the lock to make sure that we won't waste 338 * time taking a lock doing nothing. 339 * 340 * The list_del_init() function can be safely called more than once. 341 * It should not be possible for this function to be called with 342 * concurrent list_add(), but for better safety against future changes 343 * in the code, we use list_empty_careful() here. 344 */ 345 if (!list_empty_careful(&isec->list)) { 346 spin_lock(&sbsec->isec_lock); 347 list_del_init(&isec->list); 348 spin_unlock(&sbsec->isec_lock); 349 } 350 351 /* 352 * The inode may still be referenced in a path walk and 353 * a call to selinux_inode_permission() can be made 354 * after inode_free_security() is called. Ideally, the VFS 355 * wouldn't do this, but fixing that is a much harder 356 * job. For now, simply free the i_security via RCU, and 357 * leave the current inode->i_security pointer intact. 358 * The inode will be freed after the RCU grace period too. 359 */ 360 call_rcu(&isec->rcu, inode_free_rcu); 361 } 362 363 static int file_alloc_security(struct file *file) 364 { 365 struct file_security_struct *fsec; 366 u32 sid = current_sid(); 367 368 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); 369 if (!fsec) 370 return -ENOMEM; 371 372 fsec->sid = sid; 373 fsec->fown_sid = sid; 374 file->f_security = fsec; 375 376 return 0; 377 } 378 379 static void file_free_security(struct file *file) 380 { 381 struct file_security_struct *fsec = file->f_security; 382 file->f_security = NULL; 383 kmem_cache_free(file_security_cache, fsec); 384 } 385 386 static int superblock_alloc_security(struct super_block *sb) 387 { 388 struct superblock_security_struct *sbsec; 389 390 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 391 if (!sbsec) 392 return -ENOMEM; 393 394 mutex_init(&sbsec->lock); 395 INIT_LIST_HEAD(&sbsec->isec_head); 396 spin_lock_init(&sbsec->isec_lock); 397 sbsec->sb = sb; 398 sbsec->sid = SECINITSID_UNLABELED; 399 sbsec->def_sid = SECINITSID_FILE; 400 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 401 sb->s_security = sbsec; 402 403 return 0; 404 } 405 406 static void superblock_free_security(struct super_block *sb) 407 { 408 struct superblock_security_struct *sbsec = sb->s_security; 409 sb->s_security = NULL; 410 kfree(sbsec); 411 } 412 413 static inline int inode_doinit(struct inode *inode) 414 { 415 return inode_doinit_with_dentry(inode, NULL); 416 } 417 418 enum { 419 Opt_error = -1, 420 Opt_context = 1, 421 Opt_fscontext = 2, 422 Opt_defcontext = 3, 423 Opt_rootcontext = 4, 424 Opt_labelsupport = 5, 425 Opt_nextmntopt = 6, 426 }; 427 428 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1) 429 430 static const match_table_t tokens = { 431 {Opt_context, CONTEXT_STR "%s"}, 432 {Opt_fscontext, FSCONTEXT_STR "%s"}, 433 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 434 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 435 {Opt_labelsupport, LABELSUPP_STR}, 436 {Opt_error, NULL}, 437 }; 438 439 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 440 441 static int may_context_mount_sb_relabel(u32 sid, 442 struct superblock_security_struct *sbsec, 443 const struct cred *cred) 444 { 445 const struct task_security_struct *tsec = cred->security; 446 int rc; 447 448 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 449 FILESYSTEM__RELABELFROM, NULL); 450 if (rc) 451 return rc; 452 453 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 454 FILESYSTEM__RELABELTO, NULL); 455 return rc; 456 } 457 458 static int may_context_mount_inode_relabel(u32 sid, 459 struct superblock_security_struct *sbsec, 460 const struct cred *cred) 461 { 462 const struct task_security_struct *tsec = cred->security; 463 int rc; 464 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 465 FILESYSTEM__RELABELFROM, NULL); 466 if (rc) 467 return rc; 468 469 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 470 FILESYSTEM__ASSOCIATE, NULL); 471 return rc; 472 } 473 474 static int selinux_is_sblabel_mnt(struct super_block *sb) 475 { 476 struct superblock_security_struct *sbsec = sb->s_security; 477 478 return sbsec->behavior == SECURITY_FS_USE_XATTR || 479 sbsec->behavior == SECURITY_FS_USE_TRANS || 480 sbsec->behavior == SECURITY_FS_USE_TASK || 481 sbsec->behavior == SECURITY_FS_USE_NATIVE || 482 /* Special handling. Genfs but also in-core setxattr handler */ 483 !strcmp(sb->s_type->name, "sysfs") || 484 !strcmp(sb->s_type->name, "pstore") || 485 !strcmp(sb->s_type->name, "debugfs") || 486 !strcmp(sb->s_type->name, "tracefs") || 487 !strcmp(sb->s_type->name, "rootfs") || 488 (selinux_policycap_cgroupseclabel && 489 (!strcmp(sb->s_type->name, "cgroup") || 490 !strcmp(sb->s_type->name, "cgroup2"))); 491 } 492 493 static int sb_finish_set_opts(struct super_block *sb) 494 { 495 struct superblock_security_struct *sbsec = sb->s_security; 496 struct dentry *root = sb->s_root; 497 struct inode *root_inode = d_backing_inode(root); 498 int rc = 0; 499 500 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 501 /* Make sure that the xattr handler exists and that no 502 error other than -ENODATA is returned by getxattr on 503 the root directory. -ENODATA is ok, as this may be 504 the first boot of the SELinux kernel before we have 505 assigned xattr values to the filesystem. */ 506 if (!(root_inode->i_opflags & IOP_XATTR)) { 507 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 508 "xattr support\n", sb->s_id, sb->s_type->name); 509 rc = -EOPNOTSUPP; 510 goto out; 511 } 512 513 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 514 if (rc < 0 && rc != -ENODATA) { 515 if (rc == -EOPNOTSUPP) 516 printk(KERN_WARNING "SELinux: (dev %s, type " 517 "%s) has no security xattr handler\n", 518 sb->s_id, sb->s_type->name); 519 else 520 printk(KERN_WARNING "SELinux: (dev %s, type " 521 "%s) getxattr errno %d\n", sb->s_id, 522 sb->s_type->name, -rc); 523 goto out; 524 } 525 } 526 527 sbsec->flags |= SE_SBINITIALIZED; 528 529 /* 530 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 531 * leave the flag untouched because sb_clone_mnt_opts might be handing 532 * us a superblock that needs the flag to be cleared. 533 */ 534 if (selinux_is_sblabel_mnt(sb)) 535 sbsec->flags |= SBLABEL_MNT; 536 else 537 sbsec->flags &= ~SBLABEL_MNT; 538 539 /* Initialize the root inode. */ 540 rc = inode_doinit_with_dentry(root_inode, root); 541 542 /* Initialize any other inodes associated with the superblock, e.g. 543 inodes created prior to initial policy load or inodes created 544 during get_sb by a pseudo filesystem that directly 545 populates itself. */ 546 spin_lock(&sbsec->isec_lock); 547 next_inode: 548 if (!list_empty(&sbsec->isec_head)) { 549 struct inode_security_struct *isec = 550 list_entry(sbsec->isec_head.next, 551 struct inode_security_struct, list); 552 struct inode *inode = isec->inode; 553 list_del_init(&isec->list); 554 spin_unlock(&sbsec->isec_lock); 555 inode = igrab(inode); 556 if (inode) { 557 if (!IS_PRIVATE(inode)) 558 inode_doinit(inode); 559 iput(inode); 560 } 561 spin_lock(&sbsec->isec_lock); 562 goto next_inode; 563 } 564 spin_unlock(&sbsec->isec_lock); 565 out: 566 return rc; 567 } 568 569 /* 570 * This function should allow an FS to ask what it's mount security 571 * options were so it can use those later for submounts, displaying 572 * mount options, or whatever. 573 */ 574 static int selinux_get_mnt_opts(const struct super_block *sb, 575 struct security_mnt_opts *opts) 576 { 577 int rc = 0, i; 578 struct superblock_security_struct *sbsec = sb->s_security; 579 char *context = NULL; 580 u32 len; 581 char tmp; 582 583 security_init_mnt_opts(opts); 584 585 if (!(sbsec->flags & SE_SBINITIALIZED)) 586 return -EINVAL; 587 588 if (!ss_initialized) 589 return -EINVAL; 590 591 /* make sure we always check enough bits to cover the mask */ 592 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS)); 593 594 tmp = sbsec->flags & SE_MNTMASK; 595 /* count the number of mount options for this sb */ 596 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) { 597 if (tmp & 0x01) 598 opts->num_mnt_opts++; 599 tmp >>= 1; 600 } 601 /* Check if the Label support flag is set */ 602 if (sbsec->flags & SBLABEL_MNT) 603 opts->num_mnt_opts++; 604 605 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 606 if (!opts->mnt_opts) { 607 rc = -ENOMEM; 608 goto out_free; 609 } 610 611 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 612 if (!opts->mnt_opts_flags) { 613 rc = -ENOMEM; 614 goto out_free; 615 } 616 617 i = 0; 618 if (sbsec->flags & FSCONTEXT_MNT) { 619 rc = security_sid_to_context(sbsec->sid, &context, &len); 620 if (rc) 621 goto out_free; 622 opts->mnt_opts[i] = context; 623 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 624 } 625 if (sbsec->flags & CONTEXT_MNT) { 626 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 627 if (rc) 628 goto out_free; 629 opts->mnt_opts[i] = context; 630 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 631 } 632 if (sbsec->flags & DEFCONTEXT_MNT) { 633 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 634 if (rc) 635 goto out_free; 636 opts->mnt_opts[i] = context; 637 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 638 } 639 if (sbsec->flags & ROOTCONTEXT_MNT) { 640 struct dentry *root = sbsec->sb->s_root; 641 struct inode_security_struct *isec = backing_inode_security(root); 642 643 rc = security_sid_to_context(isec->sid, &context, &len); 644 if (rc) 645 goto out_free; 646 opts->mnt_opts[i] = context; 647 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 648 } 649 if (sbsec->flags & SBLABEL_MNT) { 650 opts->mnt_opts[i] = NULL; 651 opts->mnt_opts_flags[i++] = SBLABEL_MNT; 652 } 653 654 BUG_ON(i != opts->num_mnt_opts); 655 656 return 0; 657 658 out_free: 659 security_free_mnt_opts(opts); 660 return rc; 661 } 662 663 static int bad_option(struct superblock_security_struct *sbsec, char flag, 664 u32 old_sid, u32 new_sid) 665 { 666 char mnt_flags = sbsec->flags & SE_MNTMASK; 667 668 /* check if the old mount command had the same options */ 669 if (sbsec->flags & SE_SBINITIALIZED) 670 if (!(sbsec->flags & flag) || 671 (old_sid != new_sid)) 672 return 1; 673 674 /* check if we were passed the same options twice, 675 * aka someone passed context=a,context=b 676 */ 677 if (!(sbsec->flags & SE_SBINITIALIZED)) 678 if (mnt_flags & flag) 679 return 1; 680 return 0; 681 } 682 683 /* 684 * Allow filesystems with binary mount data to explicitly set mount point 685 * labeling information. 686 */ 687 static int selinux_set_mnt_opts(struct super_block *sb, 688 struct security_mnt_opts *opts, 689 unsigned long kern_flags, 690 unsigned long *set_kern_flags) 691 { 692 const struct cred *cred = current_cred(); 693 int rc = 0, i; 694 struct superblock_security_struct *sbsec = sb->s_security; 695 const char *name = sb->s_type->name; 696 struct dentry *root = sbsec->sb->s_root; 697 struct inode_security_struct *root_isec; 698 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 699 u32 defcontext_sid = 0; 700 char **mount_options = opts->mnt_opts; 701 int *flags = opts->mnt_opts_flags; 702 int num_opts = opts->num_mnt_opts; 703 704 mutex_lock(&sbsec->lock); 705 706 if (!ss_initialized) { 707 if (!num_opts) { 708 /* Defer initialization until selinux_complete_init, 709 after the initial policy is loaded and the security 710 server is ready to handle calls. */ 711 goto out; 712 } 713 rc = -EINVAL; 714 printk(KERN_WARNING "SELinux: Unable to set superblock options " 715 "before the security server is initialized\n"); 716 goto out; 717 } 718 if (kern_flags && !set_kern_flags) { 719 /* Specifying internal flags without providing a place to 720 * place the results is not allowed */ 721 rc = -EINVAL; 722 goto out; 723 } 724 725 /* 726 * Binary mount data FS will come through this function twice. Once 727 * from an explicit call and once from the generic calls from the vfs. 728 * Since the generic VFS calls will not contain any security mount data 729 * we need to skip the double mount verification. 730 * 731 * This does open a hole in which we will not notice if the first 732 * mount using this sb set explict options and a second mount using 733 * this sb does not set any security options. (The first options 734 * will be used for both mounts) 735 */ 736 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 737 && (num_opts == 0)) 738 goto out; 739 740 root_isec = backing_inode_security_novalidate(root); 741 742 /* 743 * parse the mount options, check if they are valid sids. 744 * also check if someone is trying to mount the same sb more 745 * than once with different security options. 746 */ 747 for (i = 0; i < num_opts; i++) { 748 u32 sid; 749 750 if (flags[i] == SBLABEL_MNT) 751 continue; 752 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 753 if (rc) { 754 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 755 "(%s) failed for (dev %s, type %s) errno=%d\n", 756 mount_options[i], sb->s_id, name, rc); 757 goto out; 758 } 759 switch (flags[i]) { 760 case FSCONTEXT_MNT: 761 fscontext_sid = sid; 762 763 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 764 fscontext_sid)) 765 goto out_double_mount; 766 767 sbsec->flags |= FSCONTEXT_MNT; 768 break; 769 case CONTEXT_MNT: 770 context_sid = sid; 771 772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 773 context_sid)) 774 goto out_double_mount; 775 776 sbsec->flags |= CONTEXT_MNT; 777 break; 778 case ROOTCONTEXT_MNT: 779 rootcontext_sid = sid; 780 781 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 782 rootcontext_sid)) 783 goto out_double_mount; 784 785 sbsec->flags |= ROOTCONTEXT_MNT; 786 787 break; 788 case DEFCONTEXT_MNT: 789 defcontext_sid = sid; 790 791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 792 defcontext_sid)) 793 goto out_double_mount; 794 795 sbsec->flags |= DEFCONTEXT_MNT; 796 797 break; 798 default: 799 rc = -EINVAL; 800 goto out; 801 } 802 } 803 804 if (sbsec->flags & SE_SBINITIALIZED) { 805 /* previously mounted with options, but not on this attempt? */ 806 if ((sbsec->flags & SE_MNTMASK) && !num_opts) 807 goto out_double_mount; 808 rc = 0; 809 goto out; 810 } 811 812 if (strcmp(sb->s_type->name, "proc") == 0) 813 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 814 815 if (!strcmp(sb->s_type->name, "debugfs") || 816 !strcmp(sb->s_type->name, "tracefs") || 817 !strcmp(sb->s_type->name, "sysfs") || 818 !strcmp(sb->s_type->name, "pstore") || 819 !strcmp(sb->s_type->name, "cgroup") || 820 !strcmp(sb->s_type->name, "cgroup2")) 821 sbsec->flags |= SE_SBGENFS; 822 823 if (!sbsec->behavior) { 824 /* 825 * Determine the labeling behavior to use for this 826 * filesystem type. 827 */ 828 rc = security_fs_use(sb); 829 if (rc) { 830 printk(KERN_WARNING 831 "%s: security_fs_use(%s) returned %d\n", 832 __func__, sb->s_type->name, rc); 833 goto out; 834 } 835 } 836 837 /* 838 * If this is a user namespace mount and the filesystem type is not 839 * explicitly whitelisted, then no contexts are allowed on the command 840 * line and security labels must be ignored. 841 */ 842 if (sb->s_user_ns != &init_user_ns && 843 strcmp(sb->s_type->name, "tmpfs") && 844 strcmp(sb->s_type->name, "ramfs") && 845 strcmp(sb->s_type->name, "devpts")) { 846 if (context_sid || fscontext_sid || rootcontext_sid || 847 defcontext_sid) { 848 rc = -EACCES; 849 goto out; 850 } 851 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 852 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 853 rc = security_transition_sid(current_sid(), current_sid(), 854 SECCLASS_FILE, NULL, 855 &sbsec->mntpoint_sid); 856 if (rc) 857 goto out; 858 } 859 goto out_set_opts; 860 } 861 862 /* sets the context of the superblock for the fs being mounted. */ 863 if (fscontext_sid) { 864 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 865 if (rc) 866 goto out; 867 868 sbsec->sid = fscontext_sid; 869 } 870 871 /* 872 * Switch to using mount point labeling behavior. 873 * sets the label used on all file below the mountpoint, and will set 874 * the superblock context if not already set. 875 */ 876 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 877 sbsec->behavior = SECURITY_FS_USE_NATIVE; 878 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 879 } 880 881 if (context_sid) { 882 if (!fscontext_sid) { 883 rc = may_context_mount_sb_relabel(context_sid, sbsec, 884 cred); 885 if (rc) 886 goto out; 887 sbsec->sid = context_sid; 888 } else { 889 rc = may_context_mount_inode_relabel(context_sid, sbsec, 890 cred); 891 if (rc) 892 goto out; 893 } 894 if (!rootcontext_sid) 895 rootcontext_sid = context_sid; 896 897 sbsec->mntpoint_sid = context_sid; 898 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 899 } 900 901 if (rootcontext_sid) { 902 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 903 cred); 904 if (rc) 905 goto out; 906 907 root_isec->sid = rootcontext_sid; 908 root_isec->initialized = LABEL_INITIALIZED; 909 } 910 911 if (defcontext_sid) { 912 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 913 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 914 rc = -EINVAL; 915 printk(KERN_WARNING "SELinux: defcontext option is " 916 "invalid for this filesystem type\n"); 917 goto out; 918 } 919 920 if (defcontext_sid != sbsec->def_sid) { 921 rc = may_context_mount_inode_relabel(defcontext_sid, 922 sbsec, cred); 923 if (rc) 924 goto out; 925 } 926 927 sbsec->def_sid = defcontext_sid; 928 } 929 930 out_set_opts: 931 rc = sb_finish_set_opts(sb); 932 out: 933 mutex_unlock(&sbsec->lock); 934 return rc; 935 out_double_mount: 936 rc = -EINVAL; 937 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 938 "security settings for (dev %s, type %s)\n", sb->s_id, name); 939 goto out; 940 } 941 942 static int selinux_cmp_sb_context(const struct super_block *oldsb, 943 const struct super_block *newsb) 944 { 945 struct superblock_security_struct *old = oldsb->s_security; 946 struct superblock_security_struct *new = newsb->s_security; 947 char oldflags = old->flags & SE_MNTMASK; 948 char newflags = new->flags & SE_MNTMASK; 949 950 if (oldflags != newflags) 951 goto mismatch; 952 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 953 goto mismatch; 954 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 955 goto mismatch; 956 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 957 goto mismatch; 958 if (oldflags & ROOTCONTEXT_MNT) { 959 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 960 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 961 if (oldroot->sid != newroot->sid) 962 goto mismatch; 963 } 964 return 0; 965 mismatch: 966 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, " 967 "different security settings for (dev %s, " 968 "type %s)\n", newsb->s_id, newsb->s_type->name); 969 return -EBUSY; 970 } 971 972 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 973 struct super_block *newsb, 974 unsigned long kern_flags, 975 unsigned long *set_kern_flags) 976 { 977 int rc = 0; 978 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 979 struct superblock_security_struct *newsbsec = newsb->s_security; 980 981 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 982 int set_context = (oldsbsec->flags & CONTEXT_MNT); 983 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 984 985 /* 986 * if the parent was able to be mounted it clearly had no special lsm 987 * mount options. thus we can safely deal with this superblock later 988 */ 989 if (!ss_initialized) 990 return 0; 991 992 /* 993 * Specifying internal flags without providing a place to 994 * place the results is not allowed. 995 */ 996 if (kern_flags && !set_kern_flags) 997 return -EINVAL; 998 999 /* how can we clone if the old one wasn't set up?? */ 1000 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 1001 1002 /* if fs is reusing a sb, make sure that the contexts match */ 1003 if (newsbsec->flags & SE_SBINITIALIZED) 1004 return selinux_cmp_sb_context(oldsb, newsb); 1005 1006 mutex_lock(&newsbsec->lock); 1007 1008 newsbsec->flags = oldsbsec->flags; 1009 1010 newsbsec->sid = oldsbsec->sid; 1011 newsbsec->def_sid = oldsbsec->def_sid; 1012 newsbsec->behavior = oldsbsec->behavior; 1013 1014 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 1015 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 1016 rc = security_fs_use(newsb); 1017 if (rc) 1018 goto out; 1019 } 1020 1021 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 1022 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 1023 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 1024 } 1025 1026 if (set_context) { 1027 u32 sid = oldsbsec->mntpoint_sid; 1028 1029 if (!set_fscontext) 1030 newsbsec->sid = sid; 1031 if (!set_rootcontext) { 1032 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1033 newisec->sid = sid; 1034 } 1035 newsbsec->mntpoint_sid = sid; 1036 } 1037 if (set_rootcontext) { 1038 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 1039 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1040 1041 newisec->sid = oldisec->sid; 1042 } 1043 1044 sb_finish_set_opts(newsb); 1045 out: 1046 mutex_unlock(&newsbsec->lock); 1047 return rc; 1048 } 1049 1050 static int selinux_parse_opts_str(char *options, 1051 struct security_mnt_opts *opts) 1052 { 1053 char *p; 1054 char *context = NULL, *defcontext = NULL; 1055 char *fscontext = NULL, *rootcontext = NULL; 1056 int rc, num_mnt_opts = 0; 1057 1058 opts->num_mnt_opts = 0; 1059 1060 /* Standard string-based options. */ 1061 while ((p = strsep(&options, "|")) != NULL) { 1062 int token; 1063 substring_t args[MAX_OPT_ARGS]; 1064 1065 if (!*p) 1066 continue; 1067 1068 token = match_token(p, tokens, args); 1069 1070 switch (token) { 1071 case Opt_context: 1072 if (context || defcontext) { 1073 rc = -EINVAL; 1074 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1075 goto out_err; 1076 } 1077 context = match_strdup(&args[0]); 1078 if (!context) { 1079 rc = -ENOMEM; 1080 goto out_err; 1081 } 1082 break; 1083 1084 case Opt_fscontext: 1085 if (fscontext) { 1086 rc = -EINVAL; 1087 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1088 goto out_err; 1089 } 1090 fscontext = match_strdup(&args[0]); 1091 if (!fscontext) { 1092 rc = -ENOMEM; 1093 goto out_err; 1094 } 1095 break; 1096 1097 case Opt_rootcontext: 1098 if (rootcontext) { 1099 rc = -EINVAL; 1100 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1101 goto out_err; 1102 } 1103 rootcontext = match_strdup(&args[0]); 1104 if (!rootcontext) { 1105 rc = -ENOMEM; 1106 goto out_err; 1107 } 1108 break; 1109 1110 case Opt_defcontext: 1111 if (context || defcontext) { 1112 rc = -EINVAL; 1113 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1114 goto out_err; 1115 } 1116 defcontext = match_strdup(&args[0]); 1117 if (!defcontext) { 1118 rc = -ENOMEM; 1119 goto out_err; 1120 } 1121 break; 1122 case Opt_labelsupport: 1123 break; 1124 default: 1125 rc = -EINVAL; 1126 printk(KERN_WARNING "SELinux: unknown mount option\n"); 1127 goto out_err; 1128 1129 } 1130 } 1131 1132 rc = -ENOMEM; 1133 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL); 1134 if (!opts->mnt_opts) 1135 goto out_err; 1136 1137 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), 1138 GFP_KERNEL); 1139 if (!opts->mnt_opts_flags) 1140 goto out_err; 1141 1142 if (fscontext) { 1143 opts->mnt_opts[num_mnt_opts] = fscontext; 1144 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 1145 } 1146 if (context) { 1147 opts->mnt_opts[num_mnt_opts] = context; 1148 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 1149 } 1150 if (rootcontext) { 1151 opts->mnt_opts[num_mnt_opts] = rootcontext; 1152 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 1153 } 1154 if (defcontext) { 1155 opts->mnt_opts[num_mnt_opts] = defcontext; 1156 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 1157 } 1158 1159 opts->num_mnt_opts = num_mnt_opts; 1160 return 0; 1161 1162 out_err: 1163 security_free_mnt_opts(opts); 1164 kfree(context); 1165 kfree(defcontext); 1166 kfree(fscontext); 1167 kfree(rootcontext); 1168 return rc; 1169 } 1170 /* 1171 * string mount options parsing and call set the sbsec 1172 */ 1173 static int superblock_doinit(struct super_block *sb, void *data) 1174 { 1175 int rc = 0; 1176 char *options = data; 1177 struct security_mnt_opts opts; 1178 1179 security_init_mnt_opts(&opts); 1180 1181 if (!data) 1182 goto out; 1183 1184 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 1185 1186 rc = selinux_parse_opts_str(options, &opts); 1187 if (rc) 1188 goto out_err; 1189 1190 out: 1191 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL); 1192 1193 out_err: 1194 security_free_mnt_opts(&opts); 1195 return rc; 1196 } 1197 1198 static void selinux_write_opts(struct seq_file *m, 1199 struct security_mnt_opts *opts) 1200 { 1201 int i; 1202 char *prefix; 1203 1204 for (i = 0; i < opts->num_mnt_opts; i++) { 1205 char *has_comma; 1206 1207 if (opts->mnt_opts[i]) 1208 has_comma = strchr(opts->mnt_opts[i], ','); 1209 else 1210 has_comma = NULL; 1211 1212 switch (opts->mnt_opts_flags[i]) { 1213 case CONTEXT_MNT: 1214 prefix = CONTEXT_STR; 1215 break; 1216 case FSCONTEXT_MNT: 1217 prefix = FSCONTEXT_STR; 1218 break; 1219 case ROOTCONTEXT_MNT: 1220 prefix = ROOTCONTEXT_STR; 1221 break; 1222 case DEFCONTEXT_MNT: 1223 prefix = DEFCONTEXT_STR; 1224 break; 1225 case SBLABEL_MNT: 1226 seq_putc(m, ','); 1227 seq_puts(m, LABELSUPP_STR); 1228 continue; 1229 default: 1230 BUG(); 1231 return; 1232 }; 1233 /* we need a comma before each option */ 1234 seq_putc(m, ','); 1235 seq_puts(m, prefix); 1236 if (has_comma) 1237 seq_putc(m, '\"'); 1238 seq_escape(m, opts->mnt_opts[i], "\"\n\\"); 1239 if (has_comma) 1240 seq_putc(m, '\"'); 1241 } 1242 } 1243 1244 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1245 { 1246 struct security_mnt_opts opts; 1247 int rc; 1248 1249 rc = selinux_get_mnt_opts(sb, &opts); 1250 if (rc) { 1251 /* before policy load we may get EINVAL, don't show anything */ 1252 if (rc == -EINVAL) 1253 rc = 0; 1254 return rc; 1255 } 1256 1257 selinux_write_opts(m, &opts); 1258 1259 security_free_mnt_opts(&opts); 1260 1261 return rc; 1262 } 1263 1264 static inline u16 inode_mode_to_security_class(umode_t mode) 1265 { 1266 switch (mode & S_IFMT) { 1267 case S_IFSOCK: 1268 return SECCLASS_SOCK_FILE; 1269 case S_IFLNK: 1270 return SECCLASS_LNK_FILE; 1271 case S_IFREG: 1272 return SECCLASS_FILE; 1273 case S_IFBLK: 1274 return SECCLASS_BLK_FILE; 1275 case S_IFDIR: 1276 return SECCLASS_DIR; 1277 case S_IFCHR: 1278 return SECCLASS_CHR_FILE; 1279 case S_IFIFO: 1280 return SECCLASS_FIFO_FILE; 1281 1282 } 1283 1284 return SECCLASS_FILE; 1285 } 1286 1287 static inline int default_protocol_stream(int protocol) 1288 { 1289 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1290 } 1291 1292 static inline int default_protocol_dgram(int protocol) 1293 { 1294 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1295 } 1296 1297 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1298 { 1299 int extsockclass = selinux_policycap_extsockclass; 1300 1301 switch (family) { 1302 case PF_UNIX: 1303 switch (type) { 1304 case SOCK_STREAM: 1305 case SOCK_SEQPACKET: 1306 return SECCLASS_UNIX_STREAM_SOCKET; 1307 case SOCK_DGRAM: 1308 case SOCK_RAW: 1309 return SECCLASS_UNIX_DGRAM_SOCKET; 1310 } 1311 break; 1312 case PF_INET: 1313 case PF_INET6: 1314 switch (type) { 1315 case SOCK_STREAM: 1316 case SOCK_SEQPACKET: 1317 if (default_protocol_stream(protocol)) 1318 return SECCLASS_TCP_SOCKET; 1319 else if (extsockclass && protocol == IPPROTO_SCTP) 1320 return SECCLASS_SCTP_SOCKET; 1321 else 1322 return SECCLASS_RAWIP_SOCKET; 1323 case SOCK_DGRAM: 1324 if (default_protocol_dgram(protocol)) 1325 return SECCLASS_UDP_SOCKET; 1326 else if (extsockclass && (protocol == IPPROTO_ICMP || 1327 protocol == IPPROTO_ICMPV6)) 1328 return SECCLASS_ICMP_SOCKET; 1329 else 1330 return SECCLASS_RAWIP_SOCKET; 1331 case SOCK_DCCP: 1332 return SECCLASS_DCCP_SOCKET; 1333 default: 1334 return SECCLASS_RAWIP_SOCKET; 1335 } 1336 break; 1337 case PF_NETLINK: 1338 switch (protocol) { 1339 case NETLINK_ROUTE: 1340 return SECCLASS_NETLINK_ROUTE_SOCKET; 1341 case NETLINK_SOCK_DIAG: 1342 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1343 case NETLINK_NFLOG: 1344 return SECCLASS_NETLINK_NFLOG_SOCKET; 1345 case NETLINK_XFRM: 1346 return SECCLASS_NETLINK_XFRM_SOCKET; 1347 case NETLINK_SELINUX: 1348 return SECCLASS_NETLINK_SELINUX_SOCKET; 1349 case NETLINK_ISCSI: 1350 return SECCLASS_NETLINK_ISCSI_SOCKET; 1351 case NETLINK_AUDIT: 1352 return SECCLASS_NETLINK_AUDIT_SOCKET; 1353 case NETLINK_FIB_LOOKUP: 1354 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1355 case NETLINK_CONNECTOR: 1356 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1357 case NETLINK_NETFILTER: 1358 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1359 case NETLINK_DNRTMSG: 1360 return SECCLASS_NETLINK_DNRT_SOCKET; 1361 case NETLINK_KOBJECT_UEVENT: 1362 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1363 case NETLINK_GENERIC: 1364 return SECCLASS_NETLINK_GENERIC_SOCKET; 1365 case NETLINK_SCSITRANSPORT: 1366 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1367 case NETLINK_RDMA: 1368 return SECCLASS_NETLINK_RDMA_SOCKET; 1369 case NETLINK_CRYPTO: 1370 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1371 default: 1372 return SECCLASS_NETLINK_SOCKET; 1373 } 1374 case PF_PACKET: 1375 return SECCLASS_PACKET_SOCKET; 1376 case PF_KEY: 1377 return SECCLASS_KEY_SOCKET; 1378 case PF_APPLETALK: 1379 return SECCLASS_APPLETALK_SOCKET; 1380 } 1381 1382 if (extsockclass) { 1383 switch (family) { 1384 case PF_AX25: 1385 return SECCLASS_AX25_SOCKET; 1386 case PF_IPX: 1387 return SECCLASS_IPX_SOCKET; 1388 case PF_NETROM: 1389 return SECCLASS_NETROM_SOCKET; 1390 case PF_ATMPVC: 1391 return SECCLASS_ATMPVC_SOCKET; 1392 case PF_X25: 1393 return SECCLASS_X25_SOCKET; 1394 case PF_ROSE: 1395 return SECCLASS_ROSE_SOCKET; 1396 case PF_DECnet: 1397 return SECCLASS_DECNET_SOCKET; 1398 case PF_ATMSVC: 1399 return SECCLASS_ATMSVC_SOCKET; 1400 case PF_RDS: 1401 return SECCLASS_RDS_SOCKET; 1402 case PF_IRDA: 1403 return SECCLASS_IRDA_SOCKET; 1404 case PF_PPPOX: 1405 return SECCLASS_PPPOX_SOCKET; 1406 case PF_LLC: 1407 return SECCLASS_LLC_SOCKET; 1408 case PF_CAN: 1409 return SECCLASS_CAN_SOCKET; 1410 case PF_TIPC: 1411 return SECCLASS_TIPC_SOCKET; 1412 case PF_BLUETOOTH: 1413 return SECCLASS_BLUETOOTH_SOCKET; 1414 case PF_IUCV: 1415 return SECCLASS_IUCV_SOCKET; 1416 case PF_RXRPC: 1417 return SECCLASS_RXRPC_SOCKET; 1418 case PF_ISDN: 1419 return SECCLASS_ISDN_SOCKET; 1420 case PF_PHONET: 1421 return SECCLASS_PHONET_SOCKET; 1422 case PF_IEEE802154: 1423 return SECCLASS_IEEE802154_SOCKET; 1424 case PF_CAIF: 1425 return SECCLASS_CAIF_SOCKET; 1426 case PF_ALG: 1427 return SECCLASS_ALG_SOCKET; 1428 case PF_NFC: 1429 return SECCLASS_NFC_SOCKET; 1430 case PF_VSOCK: 1431 return SECCLASS_VSOCK_SOCKET; 1432 case PF_KCM: 1433 return SECCLASS_KCM_SOCKET; 1434 case PF_QIPCRTR: 1435 return SECCLASS_QIPCRTR_SOCKET; 1436 case PF_SMC: 1437 return SECCLASS_SMC_SOCKET; 1438 #if PF_MAX > 44 1439 #error New address family defined, please update this function. 1440 #endif 1441 } 1442 } 1443 1444 return SECCLASS_SOCKET; 1445 } 1446 1447 static int selinux_genfs_get_sid(struct dentry *dentry, 1448 u16 tclass, 1449 u16 flags, 1450 u32 *sid) 1451 { 1452 int rc; 1453 struct super_block *sb = dentry->d_sb; 1454 char *buffer, *path; 1455 1456 buffer = (char *)__get_free_page(GFP_KERNEL); 1457 if (!buffer) 1458 return -ENOMEM; 1459 1460 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1461 if (IS_ERR(path)) 1462 rc = PTR_ERR(path); 1463 else { 1464 if (flags & SE_SBPROC) { 1465 /* each process gets a /proc/PID/ entry. Strip off the 1466 * PID part to get a valid selinux labeling. 1467 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1468 while (path[1] >= '0' && path[1] <= '9') { 1469 path[1] = '/'; 1470 path++; 1471 } 1472 } 1473 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid); 1474 } 1475 free_page((unsigned long)buffer); 1476 return rc; 1477 } 1478 1479 /* The inode's security attributes must be initialized before first use. */ 1480 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1481 { 1482 struct superblock_security_struct *sbsec = NULL; 1483 struct inode_security_struct *isec = inode->i_security; 1484 u32 task_sid, sid = 0; 1485 u16 sclass; 1486 struct dentry *dentry; 1487 #define INITCONTEXTLEN 255 1488 char *context = NULL; 1489 unsigned len = 0; 1490 int rc = 0; 1491 1492 if (isec->initialized == LABEL_INITIALIZED) 1493 return 0; 1494 1495 spin_lock(&isec->lock); 1496 if (isec->initialized == LABEL_INITIALIZED) 1497 goto out_unlock; 1498 1499 if (isec->sclass == SECCLASS_FILE) 1500 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1501 1502 sbsec = inode->i_sb->s_security; 1503 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1504 /* Defer initialization until selinux_complete_init, 1505 after the initial policy is loaded and the security 1506 server is ready to handle calls. */ 1507 spin_lock(&sbsec->isec_lock); 1508 if (list_empty(&isec->list)) 1509 list_add(&isec->list, &sbsec->isec_head); 1510 spin_unlock(&sbsec->isec_lock); 1511 goto out_unlock; 1512 } 1513 1514 sclass = isec->sclass; 1515 task_sid = isec->task_sid; 1516 sid = isec->sid; 1517 isec->initialized = LABEL_PENDING; 1518 spin_unlock(&isec->lock); 1519 1520 switch (sbsec->behavior) { 1521 case SECURITY_FS_USE_NATIVE: 1522 break; 1523 case SECURITY_FS_USE_XATTR: 1524 if (!(inode->i_opflags & IOP_XATTR)) { 1525 sid = sbsec->def_sid; 1526 break; 1527 } 1528 /* Need a dentry, since the xattr API requires one. 1529 Life would be simpler if we could just pass the inode. */ 1530 if (opt_dentry) { 1531 /* Called from d_instantiate or d_splice_alias. */ 1532 dentry = dget(opt_dentry); 1533 } else { 1534 /* Called from selinux_complete_init, try to find a dentry. */ 1535 dentry = d_find_alias(inode); 1536 } 1537 if (!dentry) { 1538 /* 1539 * this is can be hit on boot when a file is accessed 1540 * before the policy is loaded. When we load policy we 1541 * may find inodes that have no dentry on the 1542 * sbsec->isec_head list. No reason to complain as these 1543 * will get fixed up the next time we go through 1544 * inode_doinit with a dentry, before these inodes could 1545 * be used again by userspace. 1546 */ 1547 goto out; 1548 } 1549 1550 len = INITCONTEXTLEN; 1551 context = kmalloc(len+1, GFP_NOFS); 1552 if (!context) { 1553 rc = -ENOMEM; 1554 dput(dentry); 1555 goto out; 1556 } 1557 context[len] = '\0'; 1558 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1559 if (rc == -ERANGE) { 1560 kfree(context); 1561 1562 /* Need a larger buffer. Query for the right size. */ 1563 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1564 if (rc < 0) { 1565 dput(dentry); 1566 goto out; 1567 } 1568 len = rc; 1569 context = kmalloc(len+1, GFP_NOFS); 1570 if (!context) { 1571 rc = -ENOMEM; 1572 dput(dentry); 1573 goto out; 1574 } 1575 context[len] = '\0'; 1576 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1577 } 1578 dput(dentry); 1579 if (rc < 0) { 1580 if (rc != -ENODATA) { 1581 printk(KERN_WARNING "SELinux: %s: getxattr returned " 1582 "%d for dev=%s ino=%ld\n", __func__, 1583 -rc, inode->i_sb->s_id, inode->i_ino); 1584 kfree(context); 1585 goto out; 1586 } 1587 /* Map ENODATA to the default file SID */ 1588 sid = sbsec->def_sid; 1589 rc = 0; 1590 } else { 1591 rc = security_context_to_sid_default(context, rc, &sid, 1592 sbsec->def_sid, 1593 GFP_NOFS); 1594 if (rc) { 1595 char *dev = inode->i_sb->s_id; 1596 unsigned long ino = inode->i_ino; 1597 1598 if (rc == -EINVAL) { 1599 if (printk_ratelimit()) 1600 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " 1601 "context=%s. This indicates you may need to relabel the inode or the " 1602 "filesystem in question.\n", ino, dev, context); 1603 } else { 1604 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1605 "returned %d for dev=%s ino=%ld\n", 1606 __func__, context, -rc, dev, ino); 1607 } 1608 kfree(context); 1609 /* Leave with the unlabeled SID */ 1610 rc = 0; 1611 break; 1612 } 1613 } 1614 kfree(context); 1615 break; 1616 case SECURITY_FS_USE_TASK: 1617 sid = task_sid; 1618 break; 1619 case SECURITY_FS_USE_TRANS: 1620 /* Default to the fs SID. */ 1621 sid = sbsec->sid; 1622 1623 /* Try to obtain a transition SID. */ 1624 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid); 1625 if (rc) 1626 goto out; 1627 break; 1628 case SECURITY_FS_USE_MNTPOINT: 1629 sid = sbsec->mntpoint_sid; 1630 break; 1631 default: 1632 /* Default to the fs superblock SID. */ 1633 sid = sbsec->sid; 1634 1635 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { 1636 /* We must have a dentry to determine the label on 1637 * procfs inodes */ 1638 if (opt_dentry) 1639 /* Called from d_instantiate or 1640 * d_splice_alias. */ 1641 dentry = dget(opt_dentry); 1642 else 1643 /* Called from selinux_complete_init, try to 1644 * find a dentry. */ 1645 dentry = d_find_alias(inode); 1646 /* 1647 * This can be hit on boot when a file is accessed 1648 * before the policy is loaded. When we load policy we 1649 * may find inodes that have no dentry on the 1650 * sbsec->isec_head list. No reason to complain as 1651 * these will get fixed up the next time we go through 1652 * inode_doinit() with a dentry, before these inodes 1653 * could be used again by userspace. 1654 */ 1655 if (!dentry) 1656 goto out; 1657 rc = selinux_genfs_get_sid(dentry, sclass, 1658 sbsec->flags, &sid); 1659 dput(dentry); 1660 if (rc) 1661 goto out; 1662 } 1663 break; 1664 } 1665 1666 out: 1667 spin_lock(&isec->lock); 1668 if (isec->initialized == LABEL_PENDING) { 1669 if (!sid || rc) { 1670 isec->initialized = LABEL_INVALID; 1671 goto out_unlock; 1672 } 1673 1674 isec->initialized = LABEL_INITIALIZED; 1675 isec->sid = sid; 1676 } 1677 1678 out_unlock: 1679 spin_unlock(&isec->lock); 1680 return rc; 1681 } 1682 1683 /* Convert a Linux signal to an access vector. */ 1684 static inline u32 signal_to_av(int sig) 1685 { 1686 u32 perm = 0; 1687 1688 switch (sig) { 1689 case SIGCHLD: 1690 /* Commonly granted from child to parent. */ 1691 perm = PROCESS__SIGCHLD; 1692 break; 1693 case SIGKILL: 1694 /* Cannot be caught or ignored */ 1695 perm = PROCESS__SIGKILL; 1696 break; 1697 case SIGSTOP: 1698 /* Cannot be caught or ignored */ 1699 perm = PROCESS__SIGSTOP; 1700 break; 1701 default: 1702 /* All other signals. */ 1703 perm = PROCESS__SIGNAL; 1704 break; 1705 } 1706 1707 return perm; 1708 } 1709 1710 #if CAP_LAST_CAP > 63 1711 #error Fix SELinux to handle capabilities > 63. 1712 #endif 1713 1714 /* Check whether a task is allowed to use a capability. */ 1715 static int cred_has_capability(const struct cred *cred, 1716 int cap, int audit, bool initns) 1717 { 1718 struct common_audit_data ad; 1719 struct av_decision avd; 1720 u16 sclass; 1721 u32 sid = cred_sid(cred); 1722 u32 av = CAP_TO_MASK(cap); 1723 int rc; 1724 1725 ad.type = LSM_AUDIT_DATA_CAP; 1726 ad.u.cap = cap; 1727 1728 switch (CAP_TO_INDEX(cap)) { 1729 case 0: 1730 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1731 break; 1732 case 1: 1733 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1734 break; 1735 default: 1736 printk(KERN_ERR 1737 "SELinux: out of range capability %d\n", cap); 1738 BUG(); 1739 return -EINVAL; 1740 } 1741 1742 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1743 if (audit == SECURITY_CAP_AUDIT) { 1744 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); 1745 if (rc2) 1746 return rc2; 1747 } 1748 return rc; 1749 } 1750 1751 /* Check whether a task has a particular permission to an inode. 1752 The 'adp' parameter is optional and allows other audit 1753 data to be passed (e.g. the dentry). */ 1754 static int inode_has_perm(const struct cred *cred, 1755 struct inode *inode, 1756 u32 perms, 1757 struct common_audit_data *adp) 1758 { 1759 struct inode_security_struct *isec; 1760 u32 sid; 1761 1762 validate_creds(cred); 1763 1764 if (unlikely(IS_PRIVATE(inode))) 1765 return 0; 1766 1767 sid = cred_sid(cred); 1768 isec = inode->i_security; 1769 1770 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1771 } 1772 1773 /* Same as inode_has_perm, but pass explicit audit data containing 1774 the dentry to help the auditing code to more easily generate the 1775 pathname if needed. */ 1776 static inline int dentry_has_perm(const struct cred *cred, 1777 struct dentry *dentry, 1778 u32 av) 1779 { 1780 struct inode *inode = d_backing_inode(dentry); 1781 struct common_audit_data ad; 1782 1783 ad.type = LSM_AUDIT_DATA_DENTRY; 1784 ad.u.dentry = dentry; 1785 __inode_security_revalidate(inode, dentry, true); 1786 return inode_has_perm(cred, inode, av, &ad); 1787 } 1788 1789 /* Same as inode_has_perm, but pass explicit audit data containing 1790 the path to help the auditing code to more easily generate the 1791 pathname if needed. */ 1792 static inline int path_has_perm(const struct cred *cred, 1793 const struct path *path, 1794 u32 av) 1795 { 1796 struct inode *inode = d_backing_inode(path->dentry); 1797 struct common_audit_data ad; 1798 1799 ad.type = LSM_AUDIT_DATA_PATH; 1800 ad.u.path = *path; 1801 __inode_security_revalidate(inode, path->dentry, true); 1802 return inode_has_perm(cred, inode, av, &ad); 1803 } 1804 1805 /* Same as path_has_perm, but uses the inode from the file struct. */ 1806 static inline int file_path_has_perm(const struct cred *cred, 1807 struct file *file, 1808 u32 av) 1809 { 1810 struct common_audit_data ad; 1811 1812 ad.type = LSM_AUDIT_DATA_FILE; 1813 ad.u.file = file; 1814 return inode_has_perm(cred, file_inode(file), av, &ad); 1815 } 1816 1817 /* Check whether a task can use an open file descriptor to 1818 access an inode in a given way. Check access to the 1819 descriptor itself, and then use dentry_has_perm to 1820 check a particular permission to the file. 1821 Access to the descriptor is implicitly granted if it 1822 has the same SID as the process. If av is zero, then 1823 access to the file is not checked, e.g. for cases 1824 where only the descriptor is affected like seek. */ 1825 static int file_has_perm(const struct cred *cred, 1826 struct file *file, 1827 u32 av) 1828 { 1829 struct file_security_struct *fsec = file->f_security; 1830 struct inode *inode = file_inode(file); 1831 struct common_audit_data ad; 1832 u32 sid = cred_sid(cred); 1833 int rc; 1834 1835 ad.type = LSM_AUDIT_DATA_FILE; 1836 ad.u.file = file; 1837 1838 if (sid != fsec->sid) { 1839 rc = avc_has_perm(sid, fsec->sid, 1840 SECCLASS_FD, 1841 FD__USE, 1842 &ad); 1843 if (rc) 1844 goto out; 1845 } 1846 1847 /* av is zero if only checking access to the descriptor. */ 1848 rc = 0; 1849 if (av) 1850 rc = inode_has_perm(cred, inode, av, &ad); 1851 1852 out: 1853 return rc; 1854 } 1855 1856 /* 1857 * Determine the label for an inode that might be unioned. 1858 */ 1859 static int 1860 selinux_determine_inode_label(const struct task_security_struct *tsec, 1861 struct inode *dir, 1862 const struct qstr *name, u16 tclass, 1863 u32 *_new_isid) 1864 { 1865 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1866 1867 if ((sbsec->flags & SE_SBINITIALIZED) && 1868 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1869 *_new_isid = sbsec->mntpoint_sid; 1870 } else if ((sbsec->flags & SBLABEL_MNT) && 1871 tsec->create_sid) { 1872 *_new_isid = tsec->create_sid; 1873 } else { 1874 const struct inode_security_struct *dsec = inode_security(dir); 1875 return security_transition_sid(tsec->sid, dsec->sid, tclass, 1876 name, _new_isid); 1877 } 1878 1879 return 0; 1880 } 1881 1882 /* Check whether a task can create a file. */ 1883 static int may_create(struct inode *dir, 1884 struct dentry *dentry, 1885 u16 tclass) 1886 { 1887 const struct task_security_struct *tsec = current_security(); 1888 struct inode_security_struct *dsec; 1889 struct superblock_security_struct *sbsec; 1890 u32 sid, newsid; 1891 struct common_audit_data ad; 1892 int rc; 1893 1894 dsec = inode_security(dir); 1895 sbsec = dir->i_sb->s_security; 1896 1897 sid = tsec->sid; 1898 1899 ad.type = LSM_AUDIT_DATA_DENTRY; 1900 ad.u.dentry = dentry; 1901 1902 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1903 DIR__ADD_NAME | DIR__SEARCH, 1904 &ad); 1905 if (rc) 1906 return rc; 1907 1908 rc = selinux_determine_inode_label(current_security(), dir, 1909 &dentry->d_name, tclass, &newsid); 1910 if (rc) 1911 return rc; 1912 1913 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1914 if (rc) 1915 return rc; 1916 1917 return avc_has_perm(newsid, sbsec->sid, 1918 SECCLASS_FILESYSTEM, 1919 FILESYSTEM__ASSOCIATE, &ad); 1920 } 1921 1922 #define MAY_LINK 0 1923 #define MAY_UNLINK 1 1924 #define MAY_RMDIR 2 1925 1926 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1927 static int may_link(struct inode *dir, 1928 struct dentry *dentry, 1929 int kind) 1930 1931 { 1932 struct inode_security_struct *dsec, *isec; 1933 struct common_audit_data ad; 1934 u32 sid = current_sid(); 1935 u32 av; 1936 int rc; 1937 1938 dsec = inode_security(dir); 1939 isec = backing_inode_security(dentry); 1940 1941 ad.type = LSM_AUDIT_DATA_DENTRY; 1942 ad.u.dentry = dentry; 1943 1944 av = DIR__SEARCH; 1945 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1946 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1947 if (rc) 1948 return rc; 1949 1950 switch (kind) { 1951 case MAY_LINK: 1952 av = FILE__LINK; 1953 break; 1954 case MAY_UNLINK: 1955 av = FILE__UNLINK; 1956 break; 1957 case MAY_RMDIR: 1958 av = DIR__RMDIR; 1959 break; 1960 default: 1961 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", 1962 __func__, kind); 1963 return 0; 1964 } 1965 1966 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1967 return rc; 1968 } 1969 1970 static inline int may_rename(struct inode *old_dir, 1971 struct dentry *old_dentry, 1972 struct inode *new_dir, 1973 struct dentry *new_dentry) 1974 { 1975 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1976 struct common_audit_data ad; 1977 u32 sid = current_sid(); 1978 u32 av; 1979 int old_is_dir, new_is_dir; 1980 int rc; 1981 1982 old_dsec = inode_security(old_dir); 1983 old_isec = backing_inode_security(old_dentry); 1984 old_is_dir = d_is_dir(old_dentry); 1985 new_dsec = inode_security(new_dir); 1986 1987 ad.type = LSM_AUDIT_DATA_DENTRY; 1988 1989 ad.u.dentry = old_dentry; 1990 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1991 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1992 if (rc) 1993 return rc; 1994 rc = avc_has_perm(sid, old_isec->sid, 1995 old_isec->sclass, FILE__RENAME, &ad); 1996 if (rc) 1997 return rc; 1998 if (old_is_dir && new_dir != old_dir) { 1999 rc = avc_has_perm(sid, old_isec->sid, 2000 old_isec->sclass, DIR__REPARENT, &ad); 2001 if (rc) 2002 return rc; 2003 } 2004 2005 ad.u.dentry = new_dentry; 2006 av = DIR__ADD_NAME | DIR__SEARCH; 2007 if (d_is_positive(new_dentry)) 2008 av |= DIR__REMOVE_NAME; 2009 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 2010 if (rc) 2011 return rc; 2012 if (d_is_positive(new_dentry)) { 2013 new_isec = backing_inode_security(new_dentry); 2014 new_is_dir = d_is_dir(new_dentry); 2015 rc = avc_has_perm(sid, new_isec->sid, 2016 new_isec->sclass, 2017 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 2018 if (rc) 2019 return rc; 2020 } 2021 2022 return 0; 2023 } 2024 2025 /* Check whether a task can perform a filesystem operation. */ 2026 static int superblock_has_perm(const struct cred *cred, 2027 struct super_block *sb, 2028 u32 perms, 2029 struct common_audit_data *ad) 2030 { 2031 struct superblock_security_struct *sbsec; 2032 u32 sid = cred_sid(cred); 2033 2034 sbsec = sb->s_security; 2035 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 2036 } 2037 2038 /* Convert a Linux mode and permission mask to an access vector. */ 2039 static inline u32 file_mask_to_av(int mode, int mask) 2040 { 2041 u32 av = 0; 2042 2043 if (!S_ISDIR(mode)) { 2044 if (mask & MAY_EXEC) 2045 av |= FILE__EXECUTE; 2046 if (mask & MAY_READ) 2047 av |= FILE__READ; 2048 2049 if (mask & MAY_APPEND) 2050 av |= FILE__APPEND; 2051 else if (mask & MAY_WRITE) 2052 av |= FILE__WRITE; 2053 2054 } else { 2055 if (mask & MAY_EXEC) 2056 av |= DIR__SEARCH; 2057 if (mask & MAY_WRITE) 2058 av |= DIR__WRITE; 2059 if (mask & MAY_READ) 2060 av |= DIR__READ; 2061 } 2062 2063 return av; 2064 } 2065 2066 /* Convert a Linux file to an access vector. */ 2067 static inline u32 file_to_av(struct file *file) 2068 { 2069 u32 av = 0; 2070 2071 if (file->f_mode & FMODE_READ) 2072 av |= FILE__READ; 2073 if (file->f_mode & FMODE_WRITE) { 2074 if (file->f_flags & O_APPEND) 2075 av |= FILE__APPEND; 2076 else 2077 av |= FILE__WRITE; 2078 } 2079 if (!av) { 2080 /* 2081 * Special file opened with flags 3 for ioctl-only use. 2082 */ 2083 av = FILE__IOCTL; 2084 } 2085 2086 return av; 2087 } 2088 2089 /* 2090 * Convert a file to an access vector and include the correct open 2091 * open permission. 2092 */ 2093 static inline u32 open_file_to_av(struct file *file) 2094 { 2095 u32 av = file_to_av(file); 2096 struct inode *inode = file_inode(file); 2097 2098 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC) 2099 av |= FILE__OPEN; 2100 2101 return av; 2102 } 2103 2104 /* Hook functions begin here. */ 2105 2106 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2107 { 2108 u32 mysid = current_sid(); 2109 u32 mgrsid = task_sid(mgr); 2110 2111 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, 2112 BINDER__SET_CONTEXT_MGR, NULL); 2113 } 2114 2115 static int selinux_binder_transaction(struct task_struct *from, 2116 struct task_struct *to) 2117 { 2118 u32 mysid = current_sid(); 2119 u32 fromsid = task_sid(from); 2120 u32 tosid = task_sid(to); 2121 int rc; 2122 2123 if (mysid != fromsid) { 2124 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2125 BINDER__IMPERSONATE, NULL); 2126 if (rc) 2127 return rc; 2128 } 2129 2130 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2131 NULL); 2132 } 2133 2134 static int selinux_binder_transfer_binder(struct task_struct *from, 2135 struct task_struct *to) 2136 { 2137 u32 fromsid = task_sid(from); 2138 u32 tosid = task_sid(to); 2139 2140 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2141 NULL); 2142 } 2143 2144 static int selinux_binder_transfer_file(struct task_struct *from, 2145 struct task_struct *to, 2146 struct file *file) 2147 { 2148 u32 sid = task_sid(to); 2149 struct file_security_struct *fsec = file->f_security; 2150 struct dentry *dentry = file->f_path.dentry; 2151 struct inode_security_struct *isec; 2152 struct common_audit_data ad; 2153 int rc; 2154 2155 ad.type = LSM_AUDIT_DATA_PATH; 2156 ad.u.path = file->f_path; 2157 2158 if (sid != fsec->sid) { 2159 rc = avc_has_perm(sid, fsec->sid, 2160 SECCLASS_FD, 2161 FD__USE, 2162 &ad); 2163 if (rc) 2164 return rc; 2165 } 2166 2167 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2168 return 0; 2169 2170 isec = backing_inode_security(dentry); 2171 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2172 &ad); 2173 } 2174 2175 static int selinux_ptrace_access_check(struct task_struct *child, 2176 unsigned int mode) 2177 { 2178 u32 sid = current_sid(); 2179 u32 csid = task_sid(child); 2180 2181 if (mode & PTRACE_MODE_READ) 2182 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2183 2184 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2185 } 2186 2187 static int selinux_ptrace_traceme(struct task_struct *parent) 2188 { 2189 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS, 2190 PROCESS__PTRACE, NULL); 2191 } 2192 2193 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2194 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2195 { 2196 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS, 2197 PROCESS__GETCAP, NULL); 2198 } 2199 2200 static int selinux_capset(struct cred *new, const struct cred *old, 2201 const kernel_cap_t *effective, 2202 const kernel_cap_t *inheritable, 2203 const kernel_cap_t *permitted) 2204 { 2205 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2206 PROCESS__SETCAP, NULL); 2207 } 2208 2209 /* 2210 * (This comment used to live with the selinux_task_setuid hook, 2211 * which was removed). 2212 * 2213 * Since setuid only affects the current process, and since the SELinux 2214 * controls are not based on the Linux identity attributes, SELinux does not 2215 * need to control this operation. However, SELinux does control the use of 2216 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2217 */ 2218 2219 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2220 int cap, int audit) 2221 { 2222 return cred_has_capability(cred, cap, audit, ns == &init_user_ns); 2223 } 2224 2225 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2226 { 2227 const struct cred *cred = current_cred(); 2228 int rc = 0; 2229 2230 if (!sb) 2231 return 0; 2232 2233 switch (cmds) { 2234 case Q_SYNC: 2235 case Q_QUOTAON: 2236 case Q_QUOTAOFF: 2237 case Q_SETINFO: 2238 case Q_SETQUOTA: 2239 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2240 break; 2241 case Q_GETFMT: 2242 case Q_GETINFO: 2243 case Q_GETQUOTA: 2244 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2245 break; 2246 default: 2247 rc = 0; /* let the kernel handle invalid cmds */ 2248 break; 2249 } 2250 return rc; 2251 } 2252 2253 static int selinux_quota_on(struct dentry *dentry) 2254 { 2255 const struct cred *cred = current_cred(); 2256 2257 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2258 } 2259 2260 static int selinux_syslog(int type) 2261 { 2262 switch (type) { 2263 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2264 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2265 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2266 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2267 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2268 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2269 /* Set level of messages printed to console */ 2270 case SYSLOG_ACTION_CONSOLE_LEVEL: 2271 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2272 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2273 NULL); 2274 } 2275 /* All other syslog types */ 2276 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2277 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2278 } 2279 2280 /* 2281 * Check that a process has enough memory to allocate a new virtual 2282 * mapping. 0 means there is enough memory for the allocation to 2283 * succeed and -ENOMEM implies there is not. 2284 * 2285 * Do not audit the selinux permission check, as this is applied to all 2286 * processes that allocate mappings. 2287 */ 2288 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2289 { 2290 int rc, cap_sys_admin = 0; 2291 2292 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2293 SECURITY_CAP_NOAUDIT, true); 2294 if (rc == 0) 2295 cap_sys_admin = 1; 2296 2297 return cap_sys_admin; 2298 } 2299 2300 /* binprm security operations */ 2301 2302 static u32 ptrace_parent_sid(void) 2303 { 2304 u32 sid = 0; 2305 struct task_struct *tracer; 2306 2307 rcu_read_lock(); 2308 tracer = ptrace_parent(current); 2309 if (tracer) 2310 sid = task_sid(tracer); 2311 rcu_read_unlock(); 2312 2313 return sid; 2314 } 2315 2316 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2317 const struct task_security_struct *old_tsec, 2318 const struct task_security_struct *new_tsec) 2319 { 2320 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2321 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2322 int rc; 2323 u32 av; 2324 2325 if (!nnp && !nosuid) 2326 return 0; /* neither NNP nor nosuid */ 2327 2328 if (new_tsec->sid == old_tsec->sid) 2329 return 0; /* No change in credentials */ 2330 2331 /* 2332 * If the policy enables the nnp_nosuid_transition policy capability, 2333 * then we permit transitions under NNP or nosuid if the 2334 * policy allows the corresponding permission between 2335 * the old and new contexts. 2336 */ 2337 if (selinux_policycap_nnp_nosuid_transition) { 2338 av = 0; 2339 if (nnp) 2340 av |= PROCESS2__NNP_TRANSITION; 2341 if (nosuid) 2342 av |= PROCESS2__NOSUID_TRANSITION; 2343 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2344 SECCLASS_PROCESS2, av, NULL); 2345 if (!rc) 2346 return 0; 2347 } 2348 2349 /* 2350 * We also permit NNP or nosuid transitions to bounded SIDs, 2351 * i.e. SIDs that are guaranteed to only be allowed a subset 2352 * of the permissions of the current SID. 2353 */ 2354 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); 2355 if (!rc) 2356 return 0; 2357 2358 /* 2359 * On failure, preserve the errno values for NNP vs nosuid. 2360 * NNP: Operation not permitted for caller. 2361 * nosuid: Permission denied to file. 2362 */ 2363 if (nnp) 2364 return -EPERM; 2365 return -EACCES; 2366 } 2367 2368 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2369 { 2370 const struct task_security_struct *old_tsec; 2371 struct task_security_struct *new_tsec; 2372 struct inode_security_struct *isec; 2373 struct common_audit_data ad; 2374 struct inode *inode = file_inode(bprm->file); 2375 int rc; 2376 2377 /* SELinux context only depends on initial program or script and not 2378 * the script interpreter */ 2379 if (bprm->called_set_creds) 2380 return 0; 2381 2382 old_tsec = current_security(); 2383 new_tsec = bprm->cred->security; 2384 isec = inode_security(inode); 2385 2386 /* Default to the current task SID. */ 2387 new_tsec->sid = old_tsec->sid; 2388 new_tsec->osid = old_tsec->sid; 2389 2390 /* Reset fs, key, and sock SIDs on execve. */ 2391 new_tsec->create_sid = 0; 2392 new_tsec->keycreate_sid = 0; 2393 new_tsec->sockcreate_sid = 0; 2394 2395 if (old_tsec->exec_sid) { 2396 new_tsec->sid = old_tsec->exec_sid; 2397 /* Reset exec SID on execve. */ 2398 new_tsec->exec_sid = 0; 2399 2400 /* Fail on NNP or nosuid if not an allowed transition. */ 2401 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2402 if (rc) 2403 return rc; 2404 } else { 2405 /* Check for a default transition on this program. */ 2406 rc = security_transition_sid(old_tsec->sid, isec->sid, 2407 SECCLASS_PROCESS, NULL, 2408 &new_tsec->sid); 2409 if (rc) 2410 return rc; 2411 2412 /* 2413 * Fallback to old SID on NNP or nosuid if not an allowed 2414 * transition. 2415 */ 2416 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2417 if (rc) 2418 new_tsec->sid = old_tsec->sid; 2419 } 2420 2421 ad.type = LSM_AUDIT_DATA_FILE; 2422 ad.u.file = bprm->file; 2423 2424 if (new_tsec->sid == old_tsec->sid) { 2425 rc = avc_has_perm(old_tsec->sid, isec->sid, 2426 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2427 if (rc) 2428 return rc; 2429 } else { 2430 /* Check permissions for the transition. */ 2431 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2432 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2433 if (rc) 2434 return rc; 2435 2436 rc = avc_has_perm(new_tsec->sid, isec->sid, 2437 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2438 if (rc) 2439 return rc; 2440 2441 /* Check for shared state */ 2442 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2443 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2444 SECCLASS_PROCESS, PROCESS__SHARE, 2445 NULL); 2446 if (rc) 2447 return -EPERM; 2448 } 2449 2450 /* Make sure that anyone attempting to ptrace over a task that 2451 * changes its SID has the appropriate permit */ 2452 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2453 u32 ptsid = ptrace_parent_sid(); 2454 if (ptsid != 0) { 2455 rc = avc_has_perm(ptsid, new_tsec->sid, 2456 SECCLASS_PROCESS, 2457 PROCESS__PTRACE, NULL); 2458 if (rc) 2459 return -EPERM; 2460 } 2461 } 2462 2463 /* Clear any possibly unsafe personality bits on exec: */ 2464 bprm->per_clear |= PER_CLEAR_ON_SETID; 2465 2466 /* Enable secure mode for SIDs transitions unless 2467 the noatsecure permission is granted between 2468 the two SIDs, i.e. ahp returns 0. */ 2469 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2470 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2471 NULL); 2472 bprm->secureexec |= !!rc; 2473 } 2474 2475 return 0; 2476 } 2477 2478 static int match_file(const void *p, struct file *file, unsigned fd) 2479 { 2480 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2481 } 2482 2483 /* Derived from fs/exec.c:flush_old_files. */ 2484 static inline void flush_unauthorized_files(const struct cred *cred, 2485 struct files_struct *files) 2486 { 2487 struct file *file, *devnull = NULL; 2488 struct tty_struct *tty; 2489 int drop_tty = 0; 2490 unsigned n; 2491 2492 tty = get_current_tty(); 2493 if (tty) { 2494 spin_lock(&tty->files_lock); 2495 if (!list_empty(&tty->tty_files)) { 2496 struct tty_file_private *file_priv; 2497 2498 /* Revalidate access to controlling tty. 2499 Use file_path_has_perm on the tty path directly 2500 rather than using file_has_perm, as this particular 2501 open file may belong to another process and we are 2502 only interested in the inode-based check here. */ 2503 file_priv = list_first_entry(&tty->tty_files, 2504 struct tty_file_private, list); 2505 file = file_priv->file; 2506 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2507 drop_tty = 1; 2508 } 2509 spin_unlock(&tty->files_lock); 2510 tty_kref_put(tty); 2511 } 2512 /* Reset controlling tty. */ 2513 if (drop_tty) 2514 no_tty(); 2515 2516 /* Revalidate access to inherited open files. */ 2517 n = iterate_fd(files, 0, match_file, cred); 2518 if (!n) /* none found? */ 2519 return; 2520 2521 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2522 if (IS_ERR(devnull)) 2523 devnull = NULL; 2524 /* replace all the matching ones with this */ 2525 do { 2526 replace_fd(n - 1, devnull, 0); 2527 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2528 if (devnull) 2529 fput(devnull); 2530 } 2531 2532 /* 2533 * Prepare a process for imminent new credential changes due to exec 2534 */ 2535 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2536 { 2537 struct task_security_struct *new_tsec; 2538 struct rlimit *rlim, *initrlim; 2539 int rc, i; 2540 2541 new_tsec = bprm->cred->security; 2542 if (new_tsec->sid == new_tsec->osid) 2543 return; 2544 2545 /* Close files for which the new task SID is not authorized. */ 2546 flush_unauthorized_files(bprm->cred, current->files); 2547 2548 /* Always clear parent death signal on SID transitions. */ 2549 current->pdeath_signal = 0; 2550 2551 /* Check whether the new SID can inherit resource limits from the old 2552 * SID. If not, reset all soft limits to the lower of the current 2553 * task's hard limit and the init task's soft limit. 2554 * 2555 * Note that the setting of hard limits (even to lower them) can be 2556 * controlled by the setrlimit check. The inclusion of the init task's 2557 * soft limit into the computation is to avoid resetting soft limits 2558 * higher than the default soft limit for cases where the default is 2559 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2560 */ 2561 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2562 PROCESS__RLIMITINH, NULL); 2563 if (rc) { 2564 /* protect against do_prlimit() */ 2565 task_lock(current); 2566 for (i = 0; i < RLIM_NLIMITS; i++) { 2567 rlim = current->signal->rlim + i; 2568 initrlim = init_task.signal->rlim + i; 2569 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2570 } 2571 task_unlock(current); 2572 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2573 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2574 } 2575 } 2576 2577 /* 2578 * Clean up the process immediately after the installation of new credentials 2579 * due to exec 2580 */ 2581 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2582 { 2583 const struct task_security_struct *tsec = current_security(); 2584 struct itimerval itimer; 2585 u32 osid, sid; 2586 int rc, i; 2587 2588 osid = tsec->osid; 2589 sid = tsec->sid; 2590 2591 if (sid == osid) 2592 return; 2593 2594 /* Check whether the new SID can inherit signal state from the old SID. 2595 * If not, clear itimers to avoid subsequent signal generation and 2596 * flush and unblock signals. 2597 * 2598 * This must occur _after_ the task SID has been updated so that any 2599 * kill done after the flush will be checked against the new SID. 2600 */ 2601 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2602 if (rc) { 2603 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2604 memset(&itimer, 0, sizeof itimer); 2605 for (i = 0; i < 3; i++) 2606 do_setitimer(i, &itimer, NULL); 2607 } 2608 spin_lock_irq(¤t->sighand->siglock); 2609 if (!fatal_signal_pending(current)) { 2610 flush_sigqueue(¤t->pending); 2611 flush_sigqueue(¤t->signal->shared_pending); 2612 flush_signal_handlers(current, 1); 2613 sigemptyset(¤t->blocked); 2614 recalc_sigpending(); 2615 } 2616 spin_unlock_irq(¤t->sighand->siglock); 2617 } 2618 2619 /* Wake up the parent if it is waiting so that it can recheck 2620 * wait permission to the new task SID. */ 2621 read_lock(&tasklist_lock); 2622 __wake_up_parent(current, current->real_parent); 2623 read_unlock(&tasklist_lock); 2624 } 2625 2626 /* superblock security operations */ 2627 2628 static int selinux_sb_alloc_security(struct super_block *sb) 2629 { 2630 return superblock_alloc_security(sb); 2631 } 2632 2633 static void selinux_sb_free_security(struct super_block *sb) 2634 { 2635 superblock_free_security(sb); 2636 } 2637 2638 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2639 { 2640 if (plen > olen) 2641 return 0; 2642 2643 return !memcmp(prefix, option, plen); 2644 } 2645 2646 static inline int selinux_option(char *option, int len) 2647 { 2648 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2649 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2650 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2651 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || 2652 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); 2653 } 2654 2655 static inline void take_option(char **to, char *from, int *first, int len) 2656 { 2657 if (!*first) { 2658 **to = ','; 2659 *to += 1; 2660 } else 2661 *first = 0; 2662 memcpy(*to, from, len); 2663 *to += len; 2664 } 2665 2666 static inline void take_selinux_option(char **to, char *from, int *first, 2667 int len) 2668 { 2669 int current_size = 0; 2670 2671 if (!*first) { 2672 **to = '|'; 2673 *to += 1; 2674 } else 2675 *first = 0; 2676 2677 while (current_size < len) { 2678 if (*from != '"') { 2679 **to = *from; 2680 *to += 1; 2681 } 2682 from += 1; 2683 current_size += 1; 2684 } 2685 } 2686 2687 static int selinux_sb_copy_data(char *orig, char *copy) 2688 { 2689 int fnosec, fsec, rc = 0; 2690 char *in_save, *in_curr, *in_end; 2691 char *sec_curr, *nosec_save, *nosec; 2692 int open_quote = 0; 2693 2694 in_curr = orig; 2695 sec_curr = copy; 2696 2697 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2698 if (!nosec) { 2699 rc = -ENOMEM; 2700 goto out; 2701 } 2702 2703 nosec_save = nosec; 2704 fnosec = fsec = 1; 2705 in_save = in_end = orig; 2706 2707 do { 2708 if (*in_end == '"') 2709 open_quote = !open_quote; 2710 if ((*in_end == ',' && open_quote == 0) || 2711 *in_end == '\0') { 2712 int len = in_end - in_curr; 2713 2714 if (selinux_option(in_curr, len)) 2715 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2716 else 2717 take_option(&nosec, in_curr, &fnosec, len); 2718 2719 in_curr = in_end + 1; 2720 } 2721 } while (*in_end++); 2722 2723 strcpy(in_save, nosec_save); 2724 free_page((unsigned long)nosec_save); 2725 out: 2726 return rc; 2727 } 2728 2729 static int selinux_sb_remount(struct super_block *sb, void *data) 2730 { 2731 int rc, i, *flags; 2732 struct security_mnt_opts opts; 2733 char *secdata, **mount_options; 2734 struct superblock_security_struct *sbsec = sb->s_security; 2735 2736 if (!(sbsec->flags & SE_SBINITIALIZED)) 2737 return 0; 2738 2739 if (!data) 2740 return 0; 2741 2742 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 2743 return 0; 2744 2745 security_init_mnt_opts(&opts); 2746 secdata = alloc_secdata(); 2747 if (!secdata) 2748 return -ENOMEM; 2749 rc = selinux_sb_copy_data(data, secdata); 2750 if (rc) 2751 goto out_free_secdata; 2752 2753 rc = selinux_parse_opts_str(secdata, &opts); 2754 if (rc) 2755 goto out_free_secdata; 2756 2757 mount_options = opts.mnt_opts; 2758 flags = opts.mnt_opts_flags; 2759 2760 for (i = 0; i < opts.num_mnt_opts; i++) { 2761 u32 sid; 2762 2763 if (flags[i] == SBLABEL_MNT) 2764 continue; 2765 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 2766 if (rc) { 2767 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 2768 "(%s) failed for (dev %s, type %s) errno=%d\n", 2769 mount_options[i], sb->s_id, sb->s_type->name, rc); 2770 goto out_free_opts; 2771 } 2772 rc = -EINVAL; 2773 switch (flags[i]) { 2774 case FSCONTEXT_MNT: 2775 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2776 goto out_bad_option; 2777 break; 2778 case CONTEXT_MNT: 2779 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2780 goto out_bad_option; 2781 break; 2782 case ROOTCONTEXT_MNT: { 2783 struct inode_security_struct *root_isec; 2784 root_isec = backing_inode_security(sb->s_root); 2785 2786 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2787 goto out_bad_option; 2788 break; 2789 } 2790 case DEFCONTEXT_MNT: 2791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2792 goto out_bad_option; 2793 break; 2794 default: 2795 goto out_free_opts; 2796 } 2797 } 2798 2799 rc = 0; 2800 out_free_opts: 2801 security_free_mnt_opts(&opts); 2802 out_free_secdata: 2803 free_secdata(secdata); 2804 return rc; 2805 out_bad_option: 2806 printk(KERN_WARNING "SELinux: unable to change security options " 2807 "during remount (dev %s, type=%s)\n", sb->s_id, 2808 sb->s_type->name); 2809 goto out_free_opts; 2810 } 2811 2812 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2813 { 2814 const struct cred *cred = current_cred(); 2815 struct common_audit_data ad; 2816 int rc; 2817 2818 rc = superblock_doinit(sb, data); 2819 if (rc) 2820 return rc; 2821 2822 /* Allow all mounts performed by the kernel */ 2823 if (flags & MS_KERNMOUNT) 2824 return 0; 2825 2826 ad.type = LSM_AUDIT_DATA_DENTRY; 2827 ad.u.dentry = sb->s_root; 2828 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2829 } 2830 2831 static int selinux_sb_statfs(struct dentry *dentry) 2832 { 2833 const struct cred *cred = current_cred(); 2834 struct common_audit_data ad; 2835 2836 ad.type = LSM_AUDIT_DATA_DENTRY; 2837 ad.u.dentry = dentry->d_sb->s_root; 2838 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2839 } 2840 2841 static int selinux_mount(const char *dev_name, 2842 const struct path *path, 2843 const char *type, 2844 unsigned long flags, 2845 void *data) 2846 { 2847 const struct cred *cred = current_cred(); 2848 2849 if (flags & MS_REMOUNT) 2850 return superblock_has_perm(cred, path->dentry->d_sb, 2851 FILESYSTEM__REMOUNT, NULL); 2852 else 2853 return path_has_perm(cred, path, FILE__MOUNTON); 2854 } 2855 2856 static int selinux_umount(struct vfsmount *mnt, int flags) 2857 { 2858 const struct cred *cred = current_cred(); 2859 2860 return superblock_has_perm(cred, mnt->mnt_sb, 2861 FILESYSTEM__UNMOUNT, NULL); 2862 } 2863 2864 /* inode security operations */ 2865 2866 static int selinux_inode_alloc_security(struct inode *inode) 2867 { 2868 return inode_alloc_security(inode); 2869 } 2870 2871 static void selinux_inode_free_security(struct inode *inode) 2872 { 2873 inode_free_security(inode); 2874 } 2875 2876 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2877 const struct qstr *name, void **ctx, 2878 u32 *ctxlen) 2879 { 2880 u32 newsid; 2881 int rc; 2882 2883 rc = selinux_determine_inode_label(current_security(), 2884 d_inode(dentry->d_parent), name, 2885 inode_mode_to_security_class(mode), 2886 &newsid); 2887 if (rc) 2888 return rc; 2889 2890 return security_sid_to_context(newsid, (char **)ctx, ctxlen); 2891 } 2892 2893 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2894 struct qstr *name, 2895 const struct cred *old, 2896 struct cred *new) 2897 { 2898 u32 newsid; 2899 int rc; 2900 struct task_security_struct *tsec; 2901 2902 rc = selinux_determine_inode_label(old->security, 2903 d_inode(dentry->d_parent), name, 2904 inode_mode_to_security_class(mode), 2905 &newsid); 2906 if (rc) 2907 return rc; 2908 2909 tsec = new->security; 2910 tsec->create_sid = newsid; 2911 return 0; 2912 } 2913 2914 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2915 const struct qstr *qstr, 2916 const char **name, 2917 void **value, size_t *len) 2918 { 2919 const struct task_security_struct *tsec = current_security(); 2920 struct superblock_security_struct *sbsec; 2921 u32 sid, newsid, clen; 2922 int rc; 2923 char *context; 2924 2925 sbsec = dir->i_sb->s_security; 2926 2927 sid = tsec->sid; 2928 newsid = tsec->create_sid; 2929 2930 rc = selinux_determine_inode_label(current_security(), 2931 dir, qstr, 2932 inode_mode_to_security_class(inode->i_mode), 2933 &newsid); 2934 if (rc) 2935 return rc; 2936 2937 /* Possibly defer initialization to selinux_complete_init. */ 2938 if (sbsec->flags & SE_SBINITIALIZED) { 2939 struct inode_security_struct *isec = inode->i_security; 2940 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2941 isec->sid = newsid; 2942 isec->initialized = LABEL_INITIALIZED; 2943 } 2944 2945 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT)) 2946 return -EOPNOTSUPP; 2947 2948 if (name) 2949 *name = XATTR_SELINUX_SUFFIX; 2950 2951 if (value && len) { 2952 rc = security_sid_to_context_force(newsid, &context, &clen); 2953 if (rc) 2954 return rc; 2955 *value = context; 2956 *len = clen; 2957 } 2958 2959 return 0; 2960 } 2961 2962 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 2963 { 2964 return may_create(dir, dentry, SECCLASS_FILE); 2965 } 2966 2967 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2968 { 2969 return may_link(dir, old_dentry, MAY_LINK); 2970 } 2971 2972 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2973 { 2974 return may_link(dir, dentry, MAY_UNLINK); 2975 } 2976 2977 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2978 { 2979 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2980 } 2981 2982 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 2983 { 2984 return may_create(dir, dentry, SECCLASS_DIR); 2985 } 2986 2987 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2988 { 2989 return may_link(dir, dentry, MAY_RMDIR); 2990 } 2991 2992 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 2993 { 2994 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2995 } 2996 2997 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2998 struct inode *new_inode, struct dentry *new_dentry) 2999 { 3000 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3001 } 3002 3003 static int selinux_inode_readlink(struct dentry *dentry) 3004 { 3005 const struct cred *cred = current_cred(); 3006 3007 return dentry_has_perm(cred, dentry, FILE__READ); 3008 } 3009 3010 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3011 bool rcu) 3012 { 3013 const struct cred *cred = current_cred(); 3014 struct common_audit_data ad; 3015 struct inode_security_struct *isec; 3016 u32 sid; 3017 3018 validate_creds(cred); 3019 3020 ad.type = LSM_AUDIT_DATA_DENTRY; 3021 ad.u.dentry = dentry; 3022 sid = cred_sid(cred); 3023 isec = inode_security_rcu(inode, rcu); 3024 if (IS_ERR(isec)) 3025 return PTR_ERR(isec); 3026 3027 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad, 3028 rcu ? MAY_NOT_BLOCK : 0); 3029 } 3030 3031 static noinline int audit_inode_permission(struct inode *inode, 3032 u32 perms, u32 audited, u32 denied, 3033 int result, 3034 unsigned flags) 3035 { 3036 struct common_audit_data ad; 3037 struct inode_security_struct *isec = inode->i_security; 3038 int rc; 3039 3040 ad.type = LSM_AUDIT_DATA_INODE; 3041 ad.u.inode = inode; 3042 3043 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3044 audited, denied, result, &ad, flags); 3045 if (rc) 3046 return rc; 3047 return 0; 3048 } 3049 3050 static int selinux_inode_permission(struct inode *inode, int mask) 3051 { 3052 const struct cred *cred = current_cred(); 3053 u32 perms; 3054 bool from_access; 3055 unsigned flags = mask & MAY_NOT_BLOCK; 3056 struct inode_security_struct *isec; 3057 u32 sid; 3058 struct av_decision avd; 3059 int rc, rc2; 3060 u32 audited, denied; 3061 3062 from_access = mask & MAY_ACCESS; 3063 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3064 3065 /* No permission to check. Existence test. */ 3066 if (!mask) 3067 return 0; 3068 3069 validate_creds(cred); 3070 3071 if (unlikely(IS_PRIVATE(inode))) 3072 return 0; 3073 3074 perms = file_mask_to_av(inode->i_mode, mask); 3075 3076 sid = cred_sid(cred); 3077 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK); 3078 if (IS_ERR(isec)) 3079 return PTR_ERR(isec); 3080 3081 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); 3082 audited = avc_audit_required(perms, &avd, rc, 3083 from_access ? FILE__AUDIT_ACCESS : 0, 3084 &denied); 3085 if (likely(!audited)) 3086 return rc; 3087 3088 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); 3089 if (rc2) 3090 return rc2; 3091 return rc; 3092 } 3093 3094 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3095 { 3096 const struct cred *cred = current_cred(); 3097 struct inode *inode = d_backing_inode(dentry); 3098 unsigned int ia_valid = iattr->ia_valid; 3099 __u32 av = FILE__WRITE; 3100 3101 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3102 if (ia_valid & ATTR_FORCE) { 3103 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3104 ATTR_FORCE); 3105 if (!ia_valid) 3106 return 0; 3107 } 3108 3109 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3110 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3111 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3112 3113 if (selinux_policycap_openperm && 3114 inode->i_sb->s_magic != SOCKFS_MAGIC && 3115 (ia_valid & ATTR_SIZE) && 3116 !(ia_valid & ATTR_FILE)) 3117 av |= FILE__OPEN; 3118 3119 return dentry_has_perm(cred, dentry, av); 3120 } 3121 3122 static int selinux_inode_getattr(const struct path *path) 3123 { 3124 return path_has_perm(current_cred(), path, FILE__GETATTR); 3125 } 3126 3127 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) 3128 { 3129 const struct cred *cred = current_cred(); 3130 3131 if (!strncmp(name, XATTR_SECURITY_PREFIX, 3132 sizeof XATTR_SECURITY_PREFIX - 1)) { 3133 if (!strcmp(name, XATTR_NAME_CAPS)) { 3134 if (!capable(CAP_SETFCAP)) 3135 return -EPERM; 3136 } else if (!capable(CAP_SYS_ADMIN)) { 3137 /* A different attribute in the security namespace. 3138 Restrict to administrator. */ 3139 return -EPERM; 3140 } 3141 } 3142 3143 /* Not an attribute we recognize, so just check the 3144 ordinary setattr permission. */ 3145 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3146 } 3147 3148 static bool has_cap_mac_admin(bool audit) 3149 { 3150 const struct cred *cred = current_cred(); 3151 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT; 3152 3153 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit)) 3154 return false; 3155 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true)) 3156 return false; 3157 return true; 3158 } 3159 3160 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3161 const void *value, size_t size, int flags) 3162 { 3163 struct inode *inode = d_backing_inode(dentry); 3164 struct inode_security_struct *isec; 3165 struct superblock_security_struct *sbsec; 3166 struct common_audit_data ad; 3167 u32 newsid, sid = current_sid(); 3168 int rc = 0; 3169 3170 if (strcmp(name, XATTR_NAME_SELINUX)) 3171 return selinux_inode_setotherxattr(dentry, name); 3172 3173 sbsec = inode->i_sb->s_security; 3174 if (!(sbsec->flags & SBLABEL_MNT)) 3175 return -EOPNOTSUPP; 3176 3177 if (!inode_owner_or_capable(inode)) 3178 return -EPERM; 3179 3180 ad.type = LSM_AUDIT_DATA_DENTRY; 3181 ad.u.dentry = dentry; 3182 3183 isec = backing_inode_security(dentry); 3184 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3185 FILE__RELABELFROM, &ad); 3186 if (rc) 3187 return rc; 3188 3189 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3190 if (rc == -EINVAL) { 3191 if (!has_cap_mac_admin(true)) { 3192 struct audit_buffer *ab; 3193 size_t audit_size; 3194 const char *str; 3195 3196 /* We strip a nul only if it is at the end, otherwise the 3197 * context contains a nul and we should audit that */ 3198 if (value) { 3199 str = value; 3200 if (str[size - 1] == '\0') 3201 audit_size = size - 1; 3202 else 3203 audit_size = size; 3204 } else { 3205 str = ""; 3206 audit_size = 0; 3207 } 3208 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 3209 audit_log_format(ab, "op=setxattr invalid_context="); 3210 audit_log_n_untrustedstring(ab, value, audit_size); 3211 audit_log_end(ab); 3212 3213 return rc; 3214 } 3215 rc = security_context_to_sid_force(value, size, &newsid); 3216 } 3217 if (rc) 3218 return rc; 3219 3220 rc = avc_has_perm(sid, newsid, isec->sclass, 3221 FILE__RELABELTO, &ad); 3222 if (rc) 3223 return rc; 3224 3225 rc = security_validate_transition(isec->sid, newsid, sid, 3226 isec->sclass); 3227 if (rc) 3228 return rc; 3229 3230 return avc_has_perm(newsid, 3231 sbsec->sid, 3232 SECCLASS_FILESYSTEM, 3233 FILESYSTEM__ASSOCIATE, 3234 &ad); 3235 } 3236 3237 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3238 const void *value, size_t size, 3239 int flags) 3240 { 3241 struct inode *inode = d_backing_inode(dentry); 3242 struct inode_security_struct *isec; 3243 u32 newsid; 3244 int rc; 3245 3246 if (strcmp(name, XATTR_NAME_SELINUX)) { 3247 /* Not an attribute we recognize, so nothing to do. */ 3248 return; 3249 } 3250 3251 rc = security_context_to_sid_force(value, size, &newsid); 3252 if (rc) { 3253 printk(KERN_ERR "SELinux: unable to map context to SID" 3254 "for (%s, %lu), rc=%d\n", 3255 inode->i_sb->s_id, inode->i_ino, -rc); 3256 return; 3257 } 3258 3259 isec = backing_inode_security(dentry); 3260 spin_lock(&isec->lock); 3261 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3262 isec->sid = newsid; 3263 isec->initialized = LABEL_INITIALIZED; 3264 spin_unlock(&isec->lock); 3265 3266 return; 3267 } 3268 3269 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3270 { 3271 const struct cred *cred = current_cred(); 3272 3273 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3274 } 3275 3276 static int selinux_inode_listxattr(struct dentry *dentry) 3277 { 3278 const struct cred *cred = current_cred(); 3279 3280 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3281 } 3282 3283 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3284 { 3285 if (strcmp(name, XATTR_NAME_SELINUX)) 3286 return selinux_inode_setotherxattr(dentry, name); 3287 3288 /* No one is allowed to remove a SELinux security label. 3289 You can change the label, but all data must be labeled. */ 3290 return -EACCES; 3291 } 3292 3293 /* 3294 * Copy the inode security context value to the user. 3295 * 3296 * Permission check is handled by selinux_inode_getxattr hook. 3297 */ 3298 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3299 { 3300 u32 size; 3301 int error; 3302 char *context = NULL; 3303 struct inode_security_struct *isec; 3304 3305 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3306 return -EOPNOTSUPP; 3307 3308 /* 3309 * If the caller has CAP_MAC_ADMIN, then get the raw context 3310 * value even if it is not defined by current policy; otherwise, 3311 * use the in-core value under current policy. 3312 * Use the non-auditing forms of the permission checks since 3313 * getxattr may be called by unprivileged processes commonly 3314 * and lack of permission just means that we fall back to the 3315 * in-core context value, not a denial. 3316 */ 3317 isec = inode_security(inode); 3318 if (has_cap_mac_admin(false)) 3319 error = security_sid_to_context_force(isec->sid, &context, 3320 &size); 3321 else 3322 error = security_sid_to_context(isec->sid, &context, &size); 3323 if (error) 3324 return error; 3325 error = size; 3326 if (alloc) { 3327 *buffer = context; 3328 goto out_nofree; 3329 } 3330 kfree(context); 3331 out_nofree: 3332 return error; 3333 } 3334 3335 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3336 const void *value, size_t size, int flags) 3337 { 3338 struct inode_security_struct *isec = inode_security_novalidate(inode); 3339 u32 newsid; 3340 int rc; 3341 3342 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3343 return -EOPNOTSUPP; 3344 3345 if (!value || !size) 3346 return -EACCES; 3347 3348 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3349 if (rc) 3350 return rc; 3351 3352 spin_lock(&isec->lock); 3353 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3354 isec->sid = newsid; 3355 isec->initialized = LABEL_INITIALIZED; 3356 spin_unlock(&isec->lock); 3357 return 0; 3358 } 3359 3360 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3361 { 3362 const int len = sizeof(XATTR_NAME_SELINUX); 3363 if (buffer && len <= buffer_size) 3364 memcpy(buffer, XATTR_NAME_SELINUX, len); 3365 return len; 3366 } 3367 3368 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3369 { 3370 struct inode_security_struct *isec = inode_security_novalidate(inode); 3371 *secid = isec->sid; 3372 } 3373 3374 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3375 { 3376 u32 sid; 3377 struct task_security_struct *tsec; 3378 struct cred *new_creds = *new; 3379 3380 if (new_creds == NULL) { 3381 new_creds = prepare_creds(); 3382 if (!new_creds) 3383 return -ENOMEM; 3384 } 3385 3386 tsec = new_creds->security; 3387 /* Get label from overlay inode and set it in create_sid */ 3388 selinux_inode_getsecid(d_inode(src), &sid); 3389 tsec->create_sid = sid; 3390 *new = new_creds; 3391 return 0; 3392 } 3393 3394 static int selinux_inode_copy_up_xattr(const char *name) 3395 { 3396 /* The copy_up hook above sets the initial context on an inode, but we 3397 * don't then want to overwrite it by blindly copying all the lower 3398 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3399 */ 3400 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3401 return 1; /* Discard */ 3402 /* 3403 * Any other attribute apart from SELINUX is not claimed, supported 3404 * by selinux. 3405 */ 3406 return -EOPNOTSUPP; 3407 } 3408 3409 /* file security operations */ 3410 3411 static int selinux_revalidate_file_permission(struct file *file, int mask) 3412 { 3413 const struct cred *cred = current_cred(); 3414 struct inode *inode = file_inode(file); 3415 3416 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3417 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3418 mask |= MAY_APPEND; 3419 3420 return file_has_perm(cred, file, 3421 file_mask_to_av(inode->i_mode, mask)); 3422 } 3423 3424 static int selinux_file_permission(struct file *file, int mask) 3425 { 3426 struct inode *inode = file_inode(file); 3427 struct file_security_struct *fsec = file->f_security; 3428 struct inode_security_struct *isec; 3429 u32 sid = current_sid(); 3430 3431 if (!mask) 3432 /* No permission to check. Existence test. */ 3433 return 0; 3434 3435 isec = inode_security(inode); 3436 if (sid == fsec->sid && fsec->isid == isec->sid && 3437 fsec->pseqno == avc_policy_seqno()) 3438 /* No change since file_open check. */ 3439 return 0; 3440 3441 return selinux_revalidate_file_permission(file, mask); 3442 } 3443 3444 static int selinux_file_alloc_security(struct file *file) 3445 { 3446 return file_alloc_security(file); 3447 } 3448 3449 static void selinux_file_free_security(struct file *file) 3450 { 3451 file_free_security(file); 3452 } 3453 3454 /* 3455 * Check whether a task has the ioctl permission and cmd 3456 * operation to an inode. 3457 */ 3458 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3459 u32 requested, u16 cmd) 3460 { 3461 struct common_audit_data ad; 3462 struct file_security_struct *fsec = file->f_security; 3463 struct inode *inode = file_inode(file); 3464 struct inode_security_struct *isec; 3465 struct lsm_ioctlop_audit ioctl; 3466 u32 ssid = cred_sid(cred); 3467 int rc; 3468 u8 driver = cmd >> 8; 3469 u8 xperm = cmd & 0xff; 3470 3471 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3472 ad.u.op = &ioctl; 3473 ad.u.op->cmd = cmd; 3474 ad.u.op->path = file->f_path; 3475 3476 if (ssid != fsec->sid) { 3477 rc = avc_has_perm(ssid, fsec->sid, 3478 SECCLASS_FD, 3479 FD__USE, 3480 &ad); 3481 if (rc) 3482 goto out; 3483 } 3484 3485 if (unlikely(IS_PRIVATE(inode))) 3486 return 0; 3487 3488 isec = inode_security(inode); 3489 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, 3490 requested, driver, xperm, &ad); 3491 out: 3492 return rc; 3493 } 3494 3495 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3496 unsigned long arg) 3497 { 3498 const struct cred *cred = current_cred(); 3499 int error = 0; 3500 3501 switch (cmd) { 3502 case FIONREAD: 3503 /* fall through */ 3504 case FIBMAP: 3505 /* fall through */ 3506 case FIGETBSZ: 3507 /* fall through */ 3508 case FS_IOC_GETFLAGS: 3509 /* fall through */ 3510 case FS_IOC_GETVERSION: 3511 error = file_has_perm(cred, file, FILE__GETATTR); 3512 break; 3513 3514 case FS_IOC_SETFLAGS: 3515 /* fall through */ 3516 case FS_IOC_SETVERSION: 3517 error = file_has_perm(cred, file, FILE__SETATTR); 3518 break; 3519 3520 /* sys_ioctl() checks */ 3521 case FIONBIO: 3522 /* fall through */ 3523 case FIOASYNC: 3524 error = file_has_perm(cred, file, 0); 3525 break; 3526 3527 case KDSKBENT: 3528 case KDSKBSENT: 3529 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3530 SECURITY_CAP_AUDIT, true); 3531 break; 3532 3533 /* default case assumes that the command will go 3534 * to the file's ioctl() function. 3535 */ 3536 default: 3537 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3538 } 3539 return error; 3540 } 3541 3542 static int default_noexec; 3543 3544 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3545 { 3546 const struct cred *cred = current_cred(); 3547 u32 sid = cred_sid(cred); 3548 int rc = 0; 3549 3550 if (default_noexec && 3551 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3552 (!shared && (prot & PROT_WRITE)))) { 3553 /* 3554 * We are making executable an anonymous mapping or a 3555 * private file mapping that will also be writable. 3556 * This has an additional check. 3557 */ 3558 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3559 PROCESS__EXECMEM, NULL); 3560 if (rc) 3561 goto error; 3562 } 3563 3564 if (file) { 3565 /* read access is always possible with a mapping */ 3566 u32 av = FILE__READ; 3567 3568 /* write access only matters if the mapping is shared */ 3569 if (shared && (prot & PROT_WRITE)) 3570 av |= FILE__WRITE; 3571 3572 if (prot & PROT_EXEC) 3573 av |= FILE__EXECUTE; 3574 3575 return file_has_perm(cred, file, av); 3576 } 3577 3578 error: 3579 return rc; 3580 } 3581 3582 static int selinux_mmap_addr(unsigned long addr) 3583 { 3584 int rc = 0; 3585 3586 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3587 u32 sid = current_sid(); 3588 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3589 MEMPROTECT__MMAP_ZERO, NULL); 3590 } 3591 3592 return rc; 3593 } 3594 3595 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3596 unsigned long prot, unsigned long flags) 3597 { 3598 struct common_audit_data ad; 3599 int rc; 3600 3601 if (file) { 3602 ad.type = LSM_AUDIT_DATA_FILE; 3603 ad.u.file = file; 3604 rc = inode_has_perm(current_cred(), file_inode(file), 3605 FILE__MAP, &ad); 3606 if (rc) 3607 return rc; 3608 } 3609 3610 if (selinux_checkreqprot) 3611 prot = reqprot; 3612 3613 return file_map_prot_check(file, prot, 3614 (flags & MAP_TYPE) == MAP_SHARED); 3615 } 3616 3617 static int selinux_file_mprotect(struct vm_area_struct *vma, 3618 unsigned long reqprot, 3619 unsigned long prot) 3620 { 3621 const struct cred *cred = current_cred(); 3622 u32 sid = cred_sid(cred); 3623 3624 if (selinux_checkreqprot) 3625 prot = reqprot; 3626 3627 if (default_noexec && 3628 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3629 int rc = 0; 3630 if (vma->vm_start >= vma->vm_mm->start_brk && 3631 vma->vm_end <= vma->vm_mm->brk) { 3632 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3633 PROCESS__EXECHEAP, NULL); 3634 } else if (!vma->vm_file && 3635 ((vma->vm_start <= vma->vm_mm->start_stack && 3636 vma->vm_end >= vma->vm_mm->start_stack) || 3637 vma_is_stack_for_current(vma))) { 3638 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3639 PROCESS__EXECSTACK, NULL); 3640 } else if (vma->vm_file && vma->anon_vma) { 3641 /* 3642 * We are making executable a file mapping that has 3643 * had some COW done. Since pages might have been 3644 * written, check ability to execute the possibly 3645 * modified content. This typically should only 3646 * occur for text relocations. 3647 */ 3648 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3649 } 3650 if (rc) 3651 return rc; 3652 } 3653 3654 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3655 } 3656 3657 static int selinux_file_lock(struct file *file, unsigned int cmd) 3658 { 3659 const struct cred *cred = current_cred(); 3660 3661 return file_has_perm(cred, file, FILE__LOCK); 3662 } 3663 3664 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3665 unsigned long arg) 3666 { 3667 const struct cred *cred = current_cred(); 3668 int err = 0; 3669 3670 switch (cmd) { 3671 case F_SETFL: 3672 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3673 err = file_has_perm(cred, file, FILE__WRITE); 3674 break; 3675 } 3676 /* fall through */ 3677 case F_SETOWN: 3678 case F_SETSIG: 3679 case F_GETFL: 3680 case F_GETOWN: 3681 case F_GETSIG: 3682 case F_GETOWNER_UIDS: 3683 /* Just check FD__USE permission */ 3684 err = file_has_perm(cred, file, 0); 3685 break; 3686 case F_GETLK: 3687 case F_SETLK: 3688 case F_SETLKW: 3689 case F_OFD_GETLK: 3690 case F_OFD_SETLK: 3691 case F_OFD_SETLKW: 3692 #if BITS_PER_LONG == 32 3693 case F_GETLK64: 3694 case F_SETLK64: 3695 case F_SETLKW64: 3696 #endif 3697 err = file_has_perm(cred, file, FILE__LOCK); 3698 break; 3699 } 3700 3701 return err; 3702 } 3703 3704 static void selinux_file_set_fowner(struct file *file) 3705 { 3706 struct file_security_struct *fsec; 3707 3708 fsec = file->f_security; 3709 fsec->fown_sid = current_sid(); 3710 } 3711 3712 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3713 struct fown_struct *fown, int signum) 3714 { 3715 struct file *file; 3716 u32 sid = task_sid(tsk); 3717 u32 perm; 3718 struct file_security_struct *fsec; 3719 3720 /* struct fown_struct is never outside the context of a struct file */ 3721 file = container_of(fown, struct file, f_owner); 3722 3723 fsec = file->f_security; 3724 3725 if (!signum) 3726 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3727 else 3728 perm = signal_to_av(signum); 3729 3730 return avc_has_perm(fsec->fown_sid, sid, 3731 SECCLASS_PROCESS, perm, NULL); 3732 } 3733 3734 static int selinux_file_receive(struct file *file) 3735 { 3736 const struct cred *cred = current_cred(); 3737 3738 return file_has_perm(cred, file, file_to_av(file)); 3739 } 3740 3741 static int selinux_file_open(struct file *file, const struct cred *cred) 3742 { 3743 struct file_security_struct *fsec; 3744 struct inode_security_struct *isec; 3745 3746 fsec = file->f_security; 3747 isec = inode_security(file_inode(file)); 3748 /* 3749 * Save inode label and policy sequence number 3750 * at open-time so that selinux_file_permission 3751 * can determine whether revalidation is necessary. 3752 * Task label is already saved in the file security 3753 * struct as its SID. 3754 */ 3755 fsec->isid = isec->sid; 3756 fsec->pseqno = avc_policy_seqno(); 3757 /* 3758 * Since the inode label or policy seqno may have changed 3759 * between the selinux_inode_permission check and the saving 3760 * of state above, recheck that access is still permitted. 3761 * Otherwise, access might never be revalidated against the 3762 * new inode label or new policy. 3763 * This check is not redundant - do not remove. 3764 */ 3765 return file_path_has_perm(cred, file, open_file_to_av(file)); 3766 } 3767 3768 /* task security operations */ 3769 3770 static int selinux_task_alloc(struct task_struct *task, 3771 unsigned long clone_flags) 3772 { 3773 u32 sid = current_sid(); 3774 3775 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3776 } 3777 3778 /* 3779 * allocate the SELinux part of blank credentials 3780 */ 3781 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3782 { 3783 struct task_security_struct *tsec; 3784 3785 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3786 if (!tsec) 3787 return -ENOMEM; 3788 3789 cred->security = tsec; 3790 return 0; 3791 } 3792 3793 /* 3794 * detach and free the LSM part of a set of credentials 3795 */ 3796 static void selinux_cred_free(struct cred *cred) 3797 { 3798 struct task_security_struct *tsec = cred->security; 3799 3800 /* 3801 * cred->security == NULL if security_cred_alloc_blank() or 3802 * security_prepare_creds() returned an error. 3803 */ 3804 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); 3805 cred->security = (void *) 0x7UL; 3806 kfree(tsec); 3807 } 3808 3809 /* 3810 * prepare a new set of credentials for modification 3811 */ 3812 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3813 gfp_t gfp) 3814 { 3815 const struct task_security_struct *old_tsec; 3816 struct task_security_struct *tsec; 3817 3818 old_tsec = old->security; 3819 3820 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3821 if (!tsec) 3822 return -ENOMEM; 3823 3824 new->security = tsec; 3825 return 0; 3826 } 3827 3828 /* 3829 * transfer the SELinux data to a blank set of creds 3830 */ 3831 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3832 { 3833 const struct task_security_struct *old_tsec = old->security; 3834 struct task_security_struct *tsec = new->security; 3835 3836 *tsec = *old_tsec; 3837 } 3838 3839 /* 3840 * set the security data for a kernel service 3841 * - all the creation contexts are set to unlabelled 3842 */ 3843 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3844 { 3845 struct task_security_struct *tsec = new->security; 3846 u32 sid = current_sid(); 3847 int ret; 3848 3849 ret = avc_has_perm(sid, secid, 3850 SECCLASS_KERNEL_SERVICE, 3851 KERNEL_SERVICE__USE_AS_OVERRIDE, 3852 NULL); 3853 if (ret == 0) { 3854 tsec->sid = secid; 3855 tsec->create_sid = 0; 3856 tsec->keycreate_sid = 0; 3857 tsec->sockcreate_sid = 0; 3858 } 3859 return ret; 3860 } 3861 3862 /* 3863 * set the file creation context in a security record to the same as the 3864 * objective context of the specified inode 3865 */ 3866 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3867 { 3868 struct inode_security_struct *isec = inode_security(inode); 3869 struct task_security_struct *tsec = new->security; 3870 u32 sid = current_sid(); 3871 int ret; 3872 3873 ret = avc_has_perm(sid, isec->sid, 3874 SECCLASS_KERNEL_SERVICE, 3875 KERNEL_SERVICE__CREATE_FILES_AS, 3876 NULL); 3877 3878 if (ret == 0) 3879 tsec->create_sid = isec->sid; 3880 return ret; 3881 } 3882 3883 static int selinux_kernel_module_request(char *kmod_name) 3884 { 3885 struct common_audit_data ad; 3886 3887 ad.type = LSM_AUDIT_DATA_KMOD; 3888 ad.u.kmod_name = kmod_name; 3889 3890 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 3891 SYSTEM__MODULE_REQUEST, &ad); 3892 } 3893 3894 static int selinux_kernel_module_from_file(struct file *file) 3895 { 3896 struct common_audit_data ad; 3897 struct inode_security_struct *isec; 3898 struct file_security_struct *fsec; 3899 u32 sid = current_sid(); 3900 int rc; 3901 3902 /* init_module */ 3903 if (file == NULL) 3904 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, 3905 SYSTEM__MODULE_LOAD, NULL); 3906 3907 /* finit_module */ 3908 3909 ad.type = LSM_AUDIT_DATA_FILE; 3910 ad.u.file = file; 3911 3912 fsec = file->f_security; 3913 if (sid != fsec->sid) { 3914 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 3915 if (rc) 3916 return rc; 3917 } 3918 3919 isec = inode_security(file_inode(file)); 3920 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, 3921 SYSTEM__MODULE_LOAD, &ad); 3922 } 3923 3924 static int selinux_kernel_read_file(struct file *file, 3925 enum kernel_read_file_id id) 3926 { 3927 int rc = 0; 3928 3929 switch (id) { 3930 case READING_MODULE: 3931 rc = selinux_kernel_module_from_file(file); 3932 break; 3933 default: 3934 break; 3935 } 3936 3937 return rc; 3938 } 3939 3940 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3941 { 3942 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3943 PROCESS__SETPGID, NULL); 3944 } 3945 3946 static int selinux_task_getpgid(struct task_struct *p) 3947 { 3948 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3949 PROCESS__GETPGID, NULL); 3950 } 3951 3952 static int selinux_task_getsid(struct task_struct *p) 3953 { 3954 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3955 PROCESS__GETSESSION, NULL); 3956 } 3957 3958 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3959 { 3960 *secid = task_sid(p); 3961 } 3962 3963 static int selinux_task_setnice(struct task_struct *p, int nice) 3964 { 3965 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3966 PROCESS__SETSCHED, NULL); 3967 } 3968 3969 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3970 { 3971 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3972 PROCESS__SETSCHED, NULL); 3973 } 3974 3975 static int selinux_task_getioprio(struct task_struct *p) 3976 { 3977 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 3978 PROCESS__GETSCHED, NULL); 3979 } 3980 3981 int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 3982 unsigned int flags) 3983 { 3984 u32 av = 0; 3985 3986 if (!flags) 3987 return 0; 3988 if (flags & LSM_PRLIMIT_WRITE) 3989 av |= PROCESS__SETRLIMIT; 3990 if (flags & LSM_PRLIMIT_READ) 3991 av |= PROCESS__GETRLIMIT; 3992 return avc_has_perm(cred_sid(cred), cred_sid(tcred), 3993 SECCLASS_PROCESS, av, NULL); 3994 } 3995 3996 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 3997 struct rlimit *new_rlim) 3998 { 3999 struct rlimit *old_rlim = p->signal->rlim + resource; 4000 4001 /* Control the ability to change the hard limit (whether 4002 lowering or raising it), so that the hard limit can 4003 later be used as a safe reset point for the soft limit 4004 upon context transitions. See selinux_bprm_committing_creds. */ 4005 if (old_rlim->rlim_max != new_rlim->rlim_max) 4006 return avc_has_perm(current_sid(), task_sid(p), 4007 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4008 4009 return 0; 4010 } 4011 4012 static int selinux_task_setscheduler(struct task_struct *p) 4013 { 4014 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4015 PROCESS__SETSCHED, NULL); 4016 } 4017 4018 static int selinux_task_getscheduler(struct task_struct *p) 4019 { 4020 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4021 PROCESS__GETSCHED, NULL); 4022 } 4023 4024 static int selinux_task_movememory(struct task_struct *p) 4025 { 4026 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4027 PROCESS__SETSCHED, NULL); 4028 } 4029 4030 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 4031 int sig, u32 secid) 4032 { 4033 u32 perm; 4034 4035 if (!sig) 4036 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4037 else 4038 perm = signal_to_av(sig); 4039 if (!secid) 4040 secid = current_sid(); 4041 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4042 } 4043 4044 static void selinux_task_to_inode(struct task_struct *p, 4045 struct inode *inode) 4046 { 4047 struct inode_security_struct *isec = inode->i_security; 4048 u32 sid = task_sid(p); 4049 4050 spin_lock(&isec->lock); 4051 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4052 isec->sid = sid; 4053 isec->initialized = LABEL_INITIALIZED; 4054 spin_unlock(&isec->lock); 4055 } 4056 4057 /* Returns error only if unable to parse addresses */ 4058 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4059 struct common_audit_data *ad, u8 *proto) 4060 { 4061 int offset, ihlen, ret = -EINVAL; 4062 struct iphdr _iph, *ih; 4063 4064 offset = skb_network_offset(skb); 4065 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4066 if (ih == NULL) 4067 goto out; 4068 4069 ihlen = ih->ihl * 4; 4070 if (ihlen < sizeof(_iph)) 4071 goto out; 4072 4073 ad->u.net->v4info.saddr = ih->saddr; 4074 ad->u.net->v4info.daddr = ih->daddr; 4075 ret = 0; 4076 4077 if (proto) 4078 *proto = ih->protocol; 4079 4080 switch (ih->protocol) { 4081 case IPPROTO_TCP: { 4082 struct tcphdr _tcph, *th; 4083 4084 if (ntohs(ih->frag_off) & IP_OFFSET) 4085 break; 4086 4087 offset += ihlen; 4088 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4089 if (th == NULL) 4090 break; 4091 4092 ad->u.net->sport = th->source; 4093 ad->u.net->dport = th->dest; 4094 break; 4095 } 4096 4097 case IPPROTO_UDP: { 4098 struct udphdr _udph, *uh; 4099 4100 if (ntohs(ih->frag_off) & IP_OFFSET) 4101 break; 4102 4103 offset += ihlen; 4104 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4105 if (uh == NULL) 4106 break; 4107 4108 ad->u.net->sport = uh->source; 4109 ad->u.net->dport = uh->dest; 4110 break; 4111 } 4112 4113 case IPPROTO_DCCP: { 4114 struct dccp_hdr _dccph, *dh; 4115 4116 if (ntohs(ih->frag_off) & IP_OFFSET) 4117 break; 4118 4119 offset += ihlen; 4120 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4121 if (dh == NULL) 4122 break; 4123 4124 ad->u.net->sport = dh->dccph_sport; 4125 ad->u.net->dport = dh->dccph_dport; 4126 break; 4127 } 4128 4129 default: 4130 break; 4131 } 4132 out: 4133 return ret; 4134 } 4135 4136 #if IS_ENABLED(CONFIG_IPV6) 4137 4138 /* Returns error only if unable to parse addresses */ 4139 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4140 struct common_audit_data *ad, u8 *proto) 4141 { 4142 u8 nexthdr; 4143 int ret = -EINVAL, offset; 4144 struct ipv6hdr _ipv6h, *ip6; 4145 __be16 frag_off; 4146 4147 offset = skb_network_offset(skb); 4148 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4149 if (ip6 == NULL) 4150 goto out; 4151 4152 ad->u.net->v6info.saddr = ip6->saddr; 4153 ad->u.net->v6info.daddr = ip6->daddr; 4154 ret = 0; 4155 4156 nexthdr = ip6->nexthdr; 4157 offset += sizeof(_ipv6h); 4158 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4159 if (offset < 0) 4160 goto out; 4161 4162 if (proto) 4163 *proto = nexthdr; 4164 4165 switch (nexthdr) { 4166 case IPPROTO_TCP: { 4167 struct tcphdr _tcph, *th; 4168 4169 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4170 if (th == NULL) 4171 break; 4172 4173 ad->u.net->sport = th->source; 4174 ad->u.net->dport = th->dest; 4175 break; 4176 } 4177 4178 case IPPROTO_UDP: { 4179 struct udphdr _udph, *uh; 4180 4181 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4182 if (uh == NULL) 4183 break; 4184 4185 ad->u.net->sport = uh->source; 4186 ad->u.net->dport = uh->dest; 4187 break; 4188 } 4189 4190 case IPPROTO_DCCP: { 4191 struct dccp_hdr _dccph, *dh; 4192 4193 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4194 if (dh == NULL) 4195 break; 4196 4197 ad->u.net->sport = dh->dccph_sport; 4198 ad->u.net->dport = dh->dccph_dport; 4199 break; 4200 } 4201 4202 /* includes fragments */ 4203 default: 4204 break; 4205 } 4206 out: 4207 return ret; 4208 } 4209 4210 #endif /* IPV6 */ 4211 4212 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4213 char **_addrp, int src, u8 *proto) 4214 { 4215 char *addrp; 4216 int ret; 4217 4218 switch (ad->u.net->family) { 4219 case PF_INET: 4220 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4221 if (ret) 4222 goto parse_error; 4223 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4224 &ad->u.net->v4info.daddr); 4225 goto okay; 4226 4227 #if IS_ENABLED(CONFIG_IPV6) 4228 case PF_INET6: 4229 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4230 if (ret) 4231 goto parse_error; 4232 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4233 &ad->u.net->v6info.daddr); 4234 goto okay; 4235 #endif /* IPV6 */ 4236 default: 4237 addrp = NULL; 4238 goto okay; 4239 } 4240 4241 parse_error: 4242 printk(KERN_WARNING 4243 "SELinux: failure in selinux_parse_skb()," 4244 " unable to parse packet\n"); 4245 return ret; 4246 4247 okay: 4248 if (_addrp) 4249 *_addrp = addrp; 4250 return 0; 4251 } 4252 4253 /** 4254 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4255 * @skb: the packet 4256 * @family: protocol family 4257 * @sid: the packet's peer label SID 4258 * 4259 * Description: 4260 * Check the various different forms of network peer labeling and determine 4261 * the peer label/SID for the packet; most of the magic actually occurs in 4262 * the security server function security_net_peersid_cmp(). The function 4263 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4264 * or -EACCES if @sid is invalid due to inconsistencies with the different 4265 * peer labels. 4266 * 4267 */ 4268 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4269 { 4270 int err; 4271 u32 xfrm_sid; 4272 u32 nlbl_sid; 4273 u32 nlbl_type; 4274 4275 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4276 if (unlikely(err)) 4277 return -EACCES; 4278 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4279 if (unlikely(err)) 4280 return -EACCES; 4281 4282 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 4283 if (unlikely(err)) { 4284 printk(KERN_WARNING 4285 "SELinux: failure in selinux_skb_peerlbl_sid()," 4286 " unable to determine packet's peer label\n"); 4287 return -EACCES; 4288 } 4289 4290 return 0; 4291 } 4292 4293 /** 4294 * selinux_conn_sid - Determine the child socket label for a connection 4295 * @sk_sid: the parent socket's SID 4296 * @skb_sid: the packet's SID 4297 * @conn_sid: the resulting connection SID 4298 * 4299 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4300 * combined with the MLS information from @skb_sid in order to create 4301 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy 4302 * of @sk_sid. Returns zero on success, negative values on failure. 4303 * 4304 */ 4305 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4306 { 4307 int err = 0; 4308 4309 if (skb_sid != SECSID_NULL) 4310 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid); 4311 else 4312 *conn_sid = sk_sid; 4313 4314 return err; 4315 } 4316 4317 /* socket security operations */ 4318 4319 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4320 u16 secclass, u32 *socksid) 4321 { 4322 if (tsec->sockcreate_sid > SECSID_NULL) { 4323 *socksid = tsec->sockcreate_sid; 4324 return 0; 4325 } 4326 4327 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, 4328 socksid); 4329 } 4330 4331 static int sock_has_perm(struct sock *sk, u32 perms) 4332 { 4333 struct sk_security_struct *sksec = sk->sk_security; 4334 struct common_audit_data ad; 4335 struct lsm_network_audit net = {0,}; 4336 4337 if (sksec->sid == SECINITSID_KERNEL) 4338 return 0; 4339 4340 ad.type = LSM_AUDIT_DATA_NET; 4341 ad.u.net = &net; 4342 ad.u.net->sk = sk; 4343 4344 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4345 &ad); 4346 } 4347 4348 static int selinux_socket_create(int family, int type, 4349 int protocol, int kern) 4350 { 4351 const struct task_security_struct *tsec = current_security(); 4352 u32 newsid; 4353 u16 secclass; 4354 int rc; 4355 4356 if (kern) 4357 return 0; 4358 4359 secclass = socket_type_to_security_class(family, type, protocol); 4360 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4361 if (rc) 4362 return rc; 4363 4364 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4365 } 4366 4367 static int selinux_socket_post_create(struct socket *sock, int family, 4368 int type, int protocol, int kern) 4369 { 4370 const struct task_security_struct *tsec = current_security(); 4371 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4372 struct sk_security_struct *sksec; 4373 u16 sclass = socket_type_to_security_class(family, type, protocol); 4374 u32 sid = SECINITSID_KERNEL; 4375 int err = 0; 4376 4377 if (!kern) { 4378 err = socket_sockcreate_sid(tsec, sclass, &sid); 4379 if (err) 4380 return err; 4381 } 4382 4383 isec->sclass = sclass; 4384 isec->sid = sid; 4385 isec->initialized = LABEL_INITIALIZED; 4386 4387 if (sock->sk) { 4388 sksec = sock->sk->sk_security; 4389 sksec->sclass = sclass; 4390 sksec->sid = sid; 4391 err = selinux_netlbl_socket_post_create(sock->sk, family); 4392 } 4393 4394 return err; 4395 } 4396 4397 /* Range of port numbers used to automatically bind. 4398 Need to determine whether we should perform a name_bind 4399 permission check between the socket and the port number. */ 4400 4401 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4402 { 4403 struct sock *sk = sock->sk; 4404 u16 family; 4405 int err; 4406 4407 err = sock_has_perm(sk, SOCKET__BIND); 4408 if (err) 4409 goto out; 4410 4411 /* 4412 * If PF_INET or PF_INET6, check name_bind permission for the port. 4413 * Multiple address binding for SCTP is not supported yet: we just 4414 * check the first address now. 4415 */ 4416 family = sk->sk_family; 4417 if (family == PF_INET || family == PF_INET6) { 4418 char *addrp; 4419 struct sk_security_struct *sksec = sk->sk_security; 4420 struct common_audit_data ad; 4421 struct lsm_network_audit net = {0,}; 4422 struct sockaddr_in *addr4 = NULL; 4423 struct sockaddr_in6 *addr6 = NULL; 4424 unsigned short snum; 4425 u32 sid, node_perm; 4426 4427 if (family == PF_INET) { 4428 if (addrlen < sizeof(struct sockaddr_in)) { 4429 err = -EINVAL; 4430 goto out; 4431 } 4432 addr4 = (struct sockaddr_in *)address; 4433 snum = ntohs(addr4->sin_port); 4434 addrp = (char *)&addr4->sin_addr.s_addr; 4435 } else { 4436 if (addrlen < SIN6_LEN_RFC2133) { 4437 err = -EINVAL; 4438 goto out; 4439 } 4440 addr6 = (struct sockaddr_in6 *)address; 4441 snum = ntohs(addr6->sin6_port); 4442 addrp = (char *)&addr6->sin6_addr.s6_addr; 4443 } 4444 4445 if (snum) { 4446 int low, high; 4447 4448 inet_get_local_port_range(sock_net(sk), &low, &high); 4449 4450 if (snum < max(inet_prot_sock(sock_net(sk)), low) || 4451 snum > high) { 4452 err = sel_netport_sid(sk->sk_protocol, 4453 snum, &sid); 4454 if (err) 4455 goto out; 4456 ad.type = LSM_AUDIT_DATA_NET; 4457 ad.u.net = &net; 4458 ad.u.net->sport = htons(snum); 4459 ad.u.net->family = family; 4460 err = avc_has_perm(sksec->sid, sid, 4461 sksec->sclass, 4462 SOCKET__NAME_BIND, &ad); 4463 if (err) 4464 goto out; 4465 } 4466 } 4467 4468 switch (sksec->sclass) { 4469 case SECCLASS_TCP_SOCKET: 4470 node_perm = TCP_SOCKET__NODE_BIND; 4471 break; 4472 4473 case SECCLASS_UDP_SOCKET: 4474 node_perm = UDP_SOCKET__NODE_BIND; 4475 break; 4476 4477 case SECCLASS_DCCP_SOCKET: 4478 node_perm = DCCP_SOCKET__NODE_BIND; 4479 break; 4480 4481 default: 4482 node_perm = RAWIP_SOCKET__NODE_BIND; 4483 break; 4484 } 4485 4486 err = sel_netnode_sid(addrp, family, &sid); 4487 if (err) 4488 goto out; 4489 4490 ad.type = LSM_AUDIT_DATA_NET; 4491 ad.u.net = &net; 4492 ad.u.net->sport = htons(snum); 4493 ad.u.net->family = family; 4494 4495 if (family == PF_INET) 4496 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4497 else 4498 ad.u.net->v6info.saddr = addr6->sin6_addr; 4499 4500 err = avc_has_perm(sksec->sid, sid, 4501 sksec->sclass, node_perm, &ad); 4502 if (err) 4503 goto out; 4504 } 4505 out: 4506 return err; 4507 } 4508 4509 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 4510 { 4511 struct sock *sk = sock->sk; 4512 struct sk_security_struct *sksec = sk->sk_security; 4513 int err; 4514 4515 err = sock_has_perm(sk, SOCKET__CONNECT); 4516 if (err) 4517 return err; 4518 4519 /* 4520 * If a TCP or DCCP socket, check name_connect permission for the port. 4521 */ 4522 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4523 sksec->sclass == SECCLASS_DCCP_SOCKET) { 4524 struct common_audit_data ad; 4525 struct lsm_network_audit net = {0,}; 4526 struct sockaddr_in *addr4 = NULL; 4527 struct sockaddr_in6 *addr6 = NULL; 4528 unsigned short snum; 4529 u32 sid, perm; 4530 4531 if (sk->sk_family == PF_INET) { 4532 addr4 = (struct sockaddr_in *)address; 4533 if (addrlen < sizeof(struct sockaddr_in)) 4534 return -EINVAL; 4535 snum = ntohs(addr4->sin_port); 4536 } else { 4537 addr6 = (struct sockaddr_in6 *)address; 4538 if (addrlen < SIN6_LEN_RFC2133) 4539 return -EINVAL; 4540 snum = ntohs(addr6->sin6_port); 4541 } 4542 4543 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4544 if (err) 4545 goto out; 4546 4547 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? 4548 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 4549 4550 ad.type = LSM_AUDIT_DATA_NET; 4551 ad.u.net = &net; 4552 ad.u.net->dport = htons(snum); 4553 ad.u.net->family = sk->sk_family; 4554 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 4555 if (err) 4556 goto out; 4557 } 4558 4559 err = selinux_netlbl_socket_connect(sk, address); 4560 4561 out: 4562 return err; 4563 } 4564 4565 static int selinux_socket_listen(struct socket *sock, int backlog) 4566 { 4567 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4568 } 4569 4570 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4571 { 4572 int err; 4573 struct inode_security_struct *isec; 4574 struct inode_security_struct *newisec; 4575 u16 sclass; 4576 u32 sid; 4577 4578 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4579 if (err) 4580 return err; 4581 4582 isec = inode_security_novalidate(SOCK_INODE(sock)); 4583 spin_lock(&isec->lock); 4584 sclass = isec->sclass; 4585 sid = isec->sid; 4586 spin_unlock(&isec->lock); 4587 4588 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4589 newisec->sclass = sclass; 4590 newisec->sid = sid; 4591 newisec->initialized = LABEL_INITIALIZED; 4592 4593 return 0; 4594 } 4595 4596 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4597 int size) 4598 { 4599 return sock_has_perm(sock->sk, SOCKET__WRITE); 4600 } 4601 4602 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4603 int size, int flags) 4604 { 4605 return sock_has_perm(sock->sk, SOCKET__READ); 4606 } 4607 4608 static int selinux_socket_getsockname(struct socket *sock) 4609 { 4610 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4611 } 4612 4613 static int selinux_socket_getpeername(struct socket *sock) 4614 { 4615 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4616 } 4617 4618 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4619 { 4620 int err; 4621 4622 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 4623 if (err) 4624 return err; 4625 4626 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4627 } 4628 4629 static int selinux_socket_getsockopt(struct socket *sock, int level, 4630 int optname) 4631 { 4632 return sock_has_perm(sock->sk, SOCKET__GETOPT); 4633 } 4634 4635 static int selinux_socket_shutdown(struct socket *sock, int how) 4636 { 4637 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 4638 } 4639 4640 static int selinux_socket_unix_stream_connect(struct sock *sock, 4641 struct sock *other, 4642 struct sock *newsk) 4643 { 4644 struct sk_security_struct *sksec_sock = sock->sk_security; 4645 struct sk_security_struct *sksec_other = other->sk_security; 4646 struct sk_security_struct *sksec_new = newsk->sk_security; 4647 struct common_audit_data ad; 4648 struct lsm_network_audit net = {0,}; 4649 int err; 4650 4651 ad.type = LSM_AUDIT_DATA_NET; 4652 ad.u.net = &net; 4653 ad.u.net->sk = other; 4654 4655 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4656 sksec_other->sclass, 4657 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4658 if (err) 4659 return err; 4660 4661 /* server child socket */ 4662 sksec_new->peer_sid = sksec_sock->sid; 4663 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, 4664 &sksec_new->sid); 4665 if (err) 4666 return err; 4667 4668 /* connecting socket */ 4669 sksec_sock->peer_sid = sksec_new->sid; 4670 4671 return 0; 4672 } 4673 4674 static int selinux_socket_unix_may_send(struct socket *sock, 4675 struct socket *other) 4676 { 4677 struct sk_security_struct *ssec = sock->sk->sk_security; 4678 struct sk_security_struct *osec = other->sk->sk_security; 4679 struct common_audit_data ad; 4680 struct lsm_network_audit net = {0,}; 4681 4682 ad.type = LSM_AUDIT_DATA_NET; 4683 ad.u.net = &net; 4684 ad.u.net->sk = other->sk; 4685 4686 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4687 &ad); 4688 } 4689 4690 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4691 char *addrp, u16 family, u32 peer_sid, 4692 struct common_audit_data *ad) 4693 { 4694 int err; 4695 u32 if_sid; 4696 u32 node_sid; 4697 4698 err = sel_netif_sid(ns, ifindex, &if_sid); 4699 if (err) 4700 return err; 4701 err = avc_has_perm(peer_sid, if_sid, 4702 SECCLASS_NETIF, NETIF__INGRESS, ad); 4703 if (err) 4704 return err; 4705 4706 err = sel_netnode_sid(addrp, family, &node_sid); 4707 if (err) 4708 return err; 4709 return avc_has_perm(peer_sid, node_sid, 4710 SECCLASS_NODE, NODE__RECVFROM, ad); 4711 } 4712 4713 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4714 u16 family) 4715 { 4716 int err = 0; 4717 struct sk_security_struct *sksec = sk->sk_security; 4718 u32 sk_sid = sksec->sid; 4719 struct common_audit_data ad; 4720 struct lsm_network_audit net = {0,}; 4721 char *addrp; 4722 4723 ad.type = LSM_AUDIT_DATA_NET; 4724 ad.u.net = &net; 4725 ad.u.net->netif = skb->skb_iif; 4726 ad.u.net->family = family; 4727 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4728 if (err) 4729 return err; 4730 4731 if (selinux_secmark_enabled()) { 4732 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4733 PACKET__RECV, &ad); 4734 if (err) 4735 return err; 4736 } 4737 4738 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4739 if (err) 4740 return err; 4741 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4742 4743 return err; 4744 } 4745 4746 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4747 { 4748 int err; 4749 struct sk_security_struct *sksec = sk->sk_security; 4750 u16 family = sk->sk_family; 4751 u32 sk_sid = sksec->sid; 4752 struct common_audit_data ad; 4753 struct lsm_network_audit net = {0,}; 4754 char *addrp; 4755 u8 secmark_active; 4756 u8 peerlbl_active; 4757 4758 if (family != PF_INET && family != PF_INET6) 4759 return 0; 4760 4761 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 4762 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4763 family = PF_INET; 4764 4765 /* If any sort of compatibility mode is enabled then handoff processing 4766 * to the selinux_sock_rcv_skb_compat() function to deal with the 4767 * special handling. We do this in an attempt to keep this function 4768 * as fast and as clean as possible. */ 4769 if (!selinux_policycap_netpeer) 4770 return selinux_sock_rcv_skb_compat(sk, skb, family); 4771 4772 secmark_active = selinux_secmark_enabled(); 4773 peerlbl_active = selinux_peerlbl_enabled(); 4774 if (!secmark_active && !peerlbl_active) 4775 return 0; 4776 4777 ad.type = LSM_AUDIT_DATA_NET; 4778 ad.u.net = &net; 4779 ad.u.net->netif = skb->skb_iif; 4780 ad.u.net->family = family; 4781 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4782 if (err) 4783 return err; 4784 4785 if (peerlbl_active) { 4786 u32 peer_sid; 4787 4788 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4789 if (err) 4790 return err; 4791 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 4792 addrp, family, peer_sid, &ad); 4793 if (err) { 4794 selinux_netlbl_err(skb, family, err, 0); 4795 return err; 4796 } 4797 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 4798 PEER__RECV, &ad); 4799 if (err) { 4800 selinux_netlbl_err(skb, family, err, 0); 4801 return err; 4802 } 4803 } 4804 4805 if (secmark_active) { 4806 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4807 PACKET__RECV, &ad); 4808 if (err) 4809 return err; 4810 } 4811 4812 return err; 4813 } 4814 4815 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4816 int __user *optlen, unsigned len) 4817 { 4818 int err = 0; 4819 char *scontext; 4820 u32 scontext_len; 4821 struct sk_security_struct *sksec = sock->sk->sk_security; 4822 u32 peer_sid = SECSID_NULL; 4823 4824 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4825 sksec->sclass == SECCLASS_TCP_SOCKET) 4826 peer_sid = sksec->peer_sid; 4827 if (peer_sid == SECSID_NULL) 4828 return -ENOPROTOOPT; 4829 4830 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 4831 if (err) 4832 return err; 4833 4834 if (scontext_len > len) { 4835 err = -ERANGE; 4836 goto out_len; 4837 } 4838 4839 if (copy_to_user(optval, scontext, scontext_len)) 4840 err = -EFAULT; 4841 4842 out_len: 4843 if (put_user(scontext_len, optlen)) 4844 err = -EFAULT; 4845 kfree(scontext); 4846 return err; 4847 } 4848 4849 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4850 { 4851 u32 peer_secid = SECSID_NULL; 4852 u16 family; 4853 struct inode_security_struct *isec; 4854 4855 if (skb && skb->protocol == htons(ETH_P_IP)) 4856 family = PF_INET; 4857 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 4858 family = PF_INET6; 4859 else if (sock) 4860 family = sock->sk->sk_family; 4861 else 4862 goto out; 4863 4864 if (sock && family == PF_UNIX) { 4865 isec = inode_security_novalidate(SOCK_INODE(sock)); 4866 peer_secid = isec->sid; 4867 } else if (skb) 4868 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4869 4870 out: 4871 *secid = peer_secid; 4872 if (peer_secid == SECSID_NULL) 4873 return -EINVAL; 4874 return 0; 4875 } 4876 4877 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4878 { 4879 struct sk_security_struct *sksec; 4880 4881 sksec = kzalloc(sizeof(*sksec), priority); 4882 if (!sksec) 4883 return -ENOMEM; 4884 4885 sksec->peer_sid = SECINITSID_UNLABELED; 4886 sksec->sid = SECINITSID_UNLABELED; 4887 sksec->sclass = SECCLASS_SOCKET; 4888 selinux_netlbl_sk_security_reset(sksec); 4889 sk->sk_security = sksec; 4890 4891 return 0; 4892 } 4893 4894 static void selinux_sk_free_security(struct sock *sk) 4895 { 4896 struct sk_security_struct *sksec = sk->sk_security; 4897 4898 sk->sk_security = NULL; 4899 selinux_netlbl_sk_security_free(sksec); 4900 kfree(sksec); 4901 } 4902 4903 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4904 { 4905 struct sk_security_struct *sksec = sk->sk_security; 4906 struct sk_security_struct *newsksec = newsk->sk_security; 4907 4908 newsksec->sid = sksec->sid; 4909 newsksec->peer_sid = sksec->peer_sid; 4910 newsksec->sclass = sksec->sclass; 4911 4912 selinux_netlbl_sk_security_reset(newsksec); 4913 } 4914 4915 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4916 { 4917 if (!sk) 4918 *secid = SECINITSID_ANY_SOCKET; 4919 else { 4920 struct sk_security_struct *sksec = sk->sk_security; 4921 4922 *secid = sksec->sid; 4923 } 4924 } 4925 4926 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 4927 { 4928 struct inode_security_struct *isec = 4929 inode_security_novalidate(SOCK_INODE(parent)); 4930 struct sk_security_struct *sksec = sk->sk_security; 4931 4932 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 4933 sk->sk_family == PF_UNIX) 4934 isec->sid = sksec->sid; 4935 sksec->sclass = isec->sclass; 4936 } 4937 4938 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4939 struct request_sock *req) 4940 { 4941 struct sk_security_struct *sksec = sk->sk_security; 4942 int err; 4943 u16 family = req->rsk_ops->family; 4944 u32 connsid; 4945 u32 peersid; 4946 4947 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 4948 if (err) 4949 return err; 4950 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 4951 if (err) 4952 return err; 4953 req->secid = connsid; 4954 req->peer_secid = peersid; 4955 4956 return selinux_netlbl_inet_conn_request(req, family); 4957 } 4958 4959 static void selinux_inet_csk_clone(struct sock *newsk, 4960 const struct request_sock *req) 4961 { 4962 struct sk_security_struct *newsksec = newsk->sk_security; 4963 4964 newsksec->sid = req->secid; 4965 newsksec->peer_sid = req->peer_secid; 4966 /* NOTE: Ideally, we should also get the isec->sid for the 4967 new socket in sync, but we don't have the isec available yet. 4968 So we will wait until sock_graft to do it, by which 4969 time it will have been created and available. */ 4970 4971 /* We don't need to take any sort of lock here as we are the only 4972 * thread with access to newsksec */ 4973 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 4974 } 4975 4976 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 4977 { 4978 u16 family = sk->sk_family; 4979 struct sk_security_struct *sksec = sk->sk_security; 4980 4981 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4982 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4983 family = PF_INET; 4984 4985 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 4986 } 4987 4988 static int selinux_secmark_relabel_packet(u32 sid) 4989 { 4990 const struct task_security_struct *__tsec; 4991 u32 tsid; 4992 4993 __tsec = current_security(); 4994 tsid = __tsec->sid; 4995 4996 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); 4997 } 4998 4999 static void selinux_secmark_refcount_inc(void) 5000 { 5001 atomic_inc(&selinux_secmark_refcount); 5002 } 5003 5004 static void selinux_secmark_refcount_dec(void) 5005 { 5006 atomic_dec(&selinux_secmark_refcount); 5007 } 5008 5009 static void selinux_req_classify_flow(const struct request_sock *req, 5010 struct flowi *fl) 5011 { 5012 fl->flowi_secid = req->secid; 5013 } 5014 5015 static int selinux_tun_dev_alloc_security(void **security) 5016 { 5017 struct tun_security_struct *tunsec; 5018 5019 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5020 if (!tunsec) 5021 return -ENOMEM; 5022 tunsec->sid = current_sid(); 5023 5024 *security = tunsec; 5025 return 0; 5026 } 5027 5028 static void selinux_tun_dev_free_security(void *security) 5029 { 5030 kfree(security); 5031 } 5032 5033 static int selinux_tun_dev_create(void) 5034 { 5035 u32 sid = current_sid(); 5036 5037 /* we aren't taking into account the "sockcreate" SID since the socket 5038 * that is being created here is not a socket in the traditional sense, 5039 * instead it is a private sock, accessible only to the kernel, and 5040 * representing a wide range of network traffic spanning multiple 5041 * connections unlike traditional sockets - check the TUN driver to 5042 * get a better understanding of why this socket is special */ 5043 5044 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5045 NULL); 5046 } 5047 5048 static int selinux_tun_dev_attach_queue(void *security) 5049 { 5050 struct tun_security_struct *tunsec = security; 5051 5052 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5053 TUN_SOCKET__ATTACH_QUEUE, NULL); 5054 } 5055 5056 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5057 { 5058 struct tun_security_struct *tunsec = security; 5059 struct sk_security_struct *sksec = sk->sk_security; 5060 5061 /* we don't currently perform any NetLabel based labeling here and it 5062 * isn't clear that we would want to do so anyway; while we could apply 5063 * labeling without the support of the TUN user the resulting labeled 5064 * traffic from the other end of the connection would almost certainly 5065 * cause confusion to the TUN user that had no idea network labeling 5066 * protocols were being used */ 5067 5068 sksec->sid = tunsec->sid; 5069 sksec->sclass = SECCLASS_TUN_SOCKET; 5070 5071 return 0; 5072 } 5073 5074 static int selinux_tun_dev_open(void *security) 5075 { 5076 struct tun_security_struct *tunsec = security; 5077 u32 sid = current_sid(); 5078 int err; 5079 5080 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5081 TUN_SOCKET__RELABELFROM, NULL); 5082 if (err) 5083 return err; 5084 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 5085 TUN_SOCKET__RELABELTO, NULL); 5086 if (err) 5087 return err; 5088 tunsec->sid = sid; 5089 5090 return 0; 5091 } 5092 5093 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 5094 { 5095 int err = 0; 5096 u32 perm; 5097 struct nlmsghdr *nlh; 5098 struct sk_security_struct *sksec = sk->sk_security; 5099 5100 if (skb->len < NLMSG_HDRLEN) { 5101 err = -EINVAL; 5102 goto out; 5103 } 5104 nlh = nlmsg_hdr(skb); 5105 5106 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 5107 if (err) { 5108 if (err == -EINVAL) { 5109 pr_warn_ratelimited("SELinux: unrecognized netlink" 5110 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 5111 " pig=%d comm=%s\n", 5112 sk->sk_protocol, nlh->nlmsg_type, 5113 secclass_map[sksec->sclass - 1].name, 5114 task_pid_nr(current), current->comm); 5115 if (!selinux_enforcing || security_get_allow_unknown()) 5116 err = 0; 5117 } 5118 5119 /* Ignore */ 5120 if (err == -ENOENT) 5121 err = 0; 5122 goto out; 5123 } 5124 5125 err = sock_has_perm(sk, perm); 5126 out: 5127 return err; 5128 } 5129 5130 #ifdef CONFIG_NETFILTER 5131 5132 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5133 const struct net_device *indev, 5134 u16 family) 5135 { 5136 int err; 5137 char *addrp; 5138 u32 peer_sid; 5139 struct common_audit_data ad; 5140 struct lsm_network_audit net = {0,}; 5141 u8 secmark_active; 5142 u8 netlbl_active; 5143 u8 peerlbl_active; 5144 5145 if (!selinux_policycap_netpeer) 5146 return NF_ACCEPT; 5147 5148 secmark_active = selinux_secmark_enabled(); 5149 netlbl_active = netlbl_enabled(); 5150 peerlbl_active = selinux_peerlbl_enabled(); 5151 if (!secmark_active && !peerlbl_active) 5152 return NF_ACCEPT; 5153 5154 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5155 return NF_DROP; 5156 5157 ad.type = LSM_AUDIT_DATA_NET; 5158 ad.u.net = &net; 5159 ad.u.net->netif = indev->ifindex; 5160 ad.u.net->family = family; 5161 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5162 return NF_DROP; 5163 5164 if (peerlbl_active) { 5165 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5166 addrp, family, peer_sid, &ad); 5167 if (err) { 5168 selinux_netlbl_err(skb, family, err, 1); 5169 return NF_DROP; 5170 } 5171 } 5172 5173 if (secmark_active) 5174 if (avc_has_perm(peer_sid, skb->secmark, 5175 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5176 return NF_DROP; 5177 5178 if (netlbl_active) 5179 /* we do this in the FORWARD path and not the POST_ROUTING 5180 * path because we want to make sure we apply the necessary 5181 * labeling before IPsec is applied so we can leverage AH 5182 * protection */ 5183 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5184 return NF_DROP; 5185 5186 return NF_ACCEPT; 5187 } 5188 5189 static unsigned int selinux_ipv4_forward(void *priv, 5190 struct sk_buff *skb, 5191 const struct nf_hook_state *state) 5192 { 5193 return selinux_ip_forward(skb, state->in, PF_INET); 5194 } 5195 5196 #if IS_ENABLED(CONFIG_IPV6) 5197 static unsigned int selinux_ipv6_forward(void *priv, 5198 struct sk_buff *skb, 5199 const struct nf_hook_state *state) 5200 { 5201 return selinux_ip_forward(skb, state->in, PF_INET6); 5202 } 5203 #endif /* IPV6 */ 5204 5205 static unsigned int selinux_ip_output(struct sk_buff *skb, 5206 u16 family) 5207 { 5208 struct sock *sk; 5209 u32 sid; 5210 5211 if (!netlbl_enabled()) 5212 return NF_ACCEPT; 5213 5214 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5215 * because we want to make sure we apply the necessary labeling 5216 * before IPsec is applied so we can leverage AH protection */ 5217 sk = skb->sk; 5218 if (sk) { 5219 struct sk_security_struct *sksec; 5220 5221 if (sk_listener(sk)) 5222 /* if the socket is the listening state then this 5223 * packet is a SYN-ACK packet which means it needs to 5224 * be labeled based on the connection/request_sock and 5225 * not the parent socket. unfortunately, we can't 5226 * lookup the request_sock yet as it isn't queued on 5227 * the parent socket until after the SYN-ACK is sent. 5228 * the "solution" is to simply pass the packet as-is 5229 * as any IP option based labeling should be copied 5230 * from the initial connection request (in the IP 5231 * layer). it is far from ideal, but until we get a 5232 * security label in the packet itself this is the 5233 * best we can do. */ 5234 return NF_ACCEPT; 5235 5236 /* standard practice, label using the parent socket */ 5237 sksec = sk->sk_security; 5238 sid = sksec->sid; 5239 } else 5240 sid = SECINITSID_KERNEL; 5241 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5242 return NF_DROP; 5243 5244 return NF_ACCEPT; 5245 } 5246 5247 static unsigned int selinux_ipv4_output(void *priv, 5248 struct sk_buff *skb, 5249 const struct nf_hook_state *state) 5250 { 5251 return selinux_ip_output(skb, PF_INET); 5252 } 5253 5254 #if IS_ENABLED(CONFIG_IPV6) 5255 static unsigned int selinux_ipv6_output(void *priv, 5256 struct sk_buff *skb, 5257 const struct nf_hook_state *state) 5258 { 5259 return selinux_ip_output(skb, PF_INET6); 5260 } 5261 #endif /* IPV6 */ 5262 5263 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5264 int ifindex, 5265 u16 family) 5266 { 5267 struct sock *sk = skb_to_full_sk(skb); 5268 struct sk_security_struct *sksec; 5269 struct common_audit_data ad; 5270 struct lsm_network_audit net = {0,}; 5271 char *addrp; 5272 u8 proto; 5273 5274 if (sk == NULL) 5275 return NF_ACCEPT; 5276 sksec = sk->sk_security; 5277 5278 ad.type = LSM_AUDIT_DATA_NET; 5279 ad.u.net = &net; 5280 ad.u.net->netif = ifindex; 5281 ad.u.net->family = family; 5282 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5283 return NF_DROP; 5284 5285 if (selinux_secmark_enabled()) 5286 if (avc_has_perm(sksec->sid, skb->secmark, 5287 SECCLASS_PACKET, PACKET__SEND, &ad)) 5288 return NF_DROP_ERR(-ECONNREFUSED); 5289 5290 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5291 return NF_DROP_ERR(-ECONNREFUSED); 5292 5293 return NF_ACCEPT; 5294 } 5295 5296 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5297 const struct net_device *outdev, 5298 u16 family) 5299 { 5300 u32 secmark_perm; 5301 u32 peer_sid; 5302 int ifindex = outdev->ifindex; 5303 struct sock *sk; 5304 struct common_audit_data ad; 5305 struct lsm_network_audit net = {0,}; 5306 char *addrp; 5307 u8 secmark_active; 5308 u8 peerlbl_active; 5309 5310 /* If any sort of compatibility mode is enabled then handoff processing 5311 * to the selinux_ip_postroute_compat() function to deal with the 5312 * special handling. We do this in an attempt to keep this function 5313 * as fast and as clean as possible. */ 5314 if (!selinux_policycap_netpeer) 5315 return selinux_ip_postroute_compat(skb, ifindex, family); 5316 5317 secmark_active = selinux_secmark_enabled(); 5318 peerlbl_active = selinux_peerlbl_enabled(); 5319 if (!secmark_active && !peerlbl_active) 5320 return NF_ACCEPT; 5321 5322 sk = skb_to_full_sk(skb); 5323 5324 #ifdef CONFIG_XFRM 5325 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5326 * packet transformation so allow the packet to pass without any checks 5327 * since we'll have another chance to perform access control checks 5328 * when the packet is on it's final way out. 5329 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5330 * is NULL, in this case go ahead and apply access control. 5331 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5332 * TCP listening state we cannot wait until the XFRM processing 5333 * is done as we will miss out on the SA label if we do; 5334 * unfortunately, this means more work, but it is only once per 5335 * connection. */ 5336 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5337 !(sk && sk_listener(sk))) 5338 return NF_ACCEPT; 5339 #endif 5340 5341 if (sk == NULL) { 5342 /* Without an associated socket the packet is either coming 5343 * from the kernel or it is being forwarded; check the packet 5344 * to determine which and if the packet is being forwarded 5345 * query the packet directly to determine the security label. */ 5346 if (skb->skb_iif) { 5347 secmark_perm = PACKET__FORWARD_OUT; 5348 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5349 return NF_DROP; 5350 } else { 5351 secmark_perm = PACKET__SEND; 5352 peer_sid = SECINITSID_KERNEL; 5353 } 5354 } else if (sk_listener(sk)) { 5355 /* Locally generated packet but the associated socket is in the 5356 * listening state which means this is a SYN-ACK packet. In 5357 * this particular case the correct security label is assigned 5358 * to the connection/request_sock but unfortunately we can't 5359 * query the request_sock as it isn't queued on the parent 5360 * socket until after the SYN-ACK packet is sent; the only 5361 * viable choice is to regenerate the label like we do in 5362 * selinux_inet_conn_request(). See also selinux_ip_output() 5363 * for similar problems. */ 5364 u32 skb_sid; 5365 struct sk_security_struct *sksec; 5366 5367 sksec = sk->sk_security; 5368 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5369 return NF_DROP; 5370 /* At this point, if the returned skb peerlbl is SECSID_NULL 5371 * and the packet has been through at least one XFRM 5372 * transformation then we must be dealing with the "final" 5373 * form of labeled IPsec packet; since we've already applied 5374 * all of our access controls on this packet we can safely 5375 * pass the packet. */ 5376 if (skb_sid == SECSID_NULL) { 5377 switch (family) { 5378 case PF_INET: 5379 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5380 return NF_ACCEPT; 5381 break; 5382 case PF_INET6: 5383 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5384 return NF_ACCEPT; 5385 break; 5386 default: 5387 return NF_DROP_ERR(-ECONNREFUSED); 5388 } 5389 } 5390 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5391 return NF_DROP; 5392 secmark_perm = PACKET__SEND; 5393 } else { 5394 /* Locally generated packet, fetch the security label from the 5395 * associated socket. */ 5396 struct sk_security_struct *sksec = sk->sk_security; 5397 peer_sid = sksec->sid; 5398 secmark_perm = PACKET__SEND; 5399 } 5400 5401 ad.type = LSM_AUDIT_DATA_NET; 5402 ad.u.net = &net; 5403 ad.u.net->netif = ifindex; 5404 ad.u.net->family = family; 5405 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5406 return NF_DROP; 5407 5408 if (secmark_active) 5409 if (avc_has_perm(peer_sid, skb->secmark, 5410 SECCLASS_PACKET, secmark_perm, &ad)) 5411 return NF_DROP_ERR(-ECONNREFUSED); 5412 5413 if (peerlbl_active) { 5414 u32 if_sid; 5415 u32 node_sid; 5416 5417 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5418 return NF_DROP; 5419 if (avc_has_perm(peer_sid, if_sid, 5420 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5421 return NF_DROP_ERR(-ECONNREFUSED); 5422 5423 if (sel_netnode_sid(addrp, family, &node_sid)) 5424 return NF_DROP; 5425 if (avc_has_perm(peer_sid, node_sid, 5426 SECCLASS_NODE, NODE__SENDTO, &ad)) 5427 return NF_DROP_ERR(-ECONNREFUSED); 5428 } 5429 5430 return NF_ACCEPT; 5431 } 5432 5433 static unsigned int selinux_ipv4_postroute(void *priv, 5434 struct sk_buff *skb, 5435 const struct nf_hook_state *state) 5436 { 5437 return selinux_ip_postroute(skb, state->out, PF_INET); 5438 } 5439 5440 #if IS_ENABLED(CONFIG_IPV6) 5441 static unsigned int selinux_ipv6_postroute(void *priv, 5442 struct sk_buff *skb, 5443 const struct nf_hook_state *state) 5444 { 5445 return selinux_ip_postroute(skb, state->out, PF_INET6); 5446 } 5447 #endif /* IPV6 */ 5448 5449 #endif /* CONFIG_NETFILTER */ 5450 5451 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5452 { 5453 return selinux_nlmsg_perm(sk, skb); 5454 } 5455 5456 static int ipc_alloc_security(struct kern_ipc_perm *perm, 5457 u16 sclass) 5458 { 5459 struct ipc_security_struct *isec; 5460 5461 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 5462 if (!isec) 5463 return -ENOMEM; 5464 5465 isec->sclass = sclass; 5466 isec->sid = current_sid(); 5467 perm->security = isec; 5468 5469 return 0; 5470 } 5471 5472 static void ipc_free_security(struct kern_ipc_perm *perm) 5473 { 5474 struct ipc_security_struct *isec = perm->security; 5475 perm->security = NULL; 5476 kfree(isec); 5477 } 5478 5479 static int msg_msg_alloc_security(struct msg_msg *msg) 5480 { 5481 struct msg_security_struct *msec; 5482 5483 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 5484 if (!msec) 5485 return -ENOMEM; 5486 5487 msec->sid = SECINITSID_UNLABELED; 5488 msg->security = msec; 5489 5490 return 0; 5491 } 5492 5493 static void msg_msg_free_security(struct msg_msg *msg) 5494 { 5495 struct msg_security_struct *msec = msg->security; 5496 5497 msg->security = NULL; 5498 kfree(msec); 5499 } 5500 5501 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5502 u32 perms) 5503 { 5504 struct ipc_security_struct *isec; 5505 struct common_audit_data ad; 5506 u32 sid = current_sid(); 5507 5508 isec = ipc_perms->security; 5509 5510 ad.type = LSM_AUDIT_DATA_IPC; 5511 ad.u.ipc_id = ipc_perms->key; 5512 5513 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 5514 } 5515 5516 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5517 { 5518 return msg_msg_alloc_security(msg); 5519 } 5520 5521 static void selinux_msg_msg_free_security(struct msg_msg *msg) 5522 { 5523 msg_msg_free_security(msg); 5524 } 5525 5526 /* message queue security operations */ 5527 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 5528 { 5529 struct ipc_security_struct *isec; 5530 struct common_audit_data ad; 5531 u32 sid = current_sid(); 5532 int rc; 5533 5534 rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ); 5535 if (rc) 5536 return rc; 5537 5538 isec = msq->q_perm.security; 5539 5540 ad.type = LSM_AUDIT_DATA_IPC; 5541 ad.u.ipc_id = msq->q_perm.key; 5542 5543 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5544 MSGQ__CREATE, &ad); 5545 if (rc) { 5546 ipc_free_security(&msq->q_perm); 5547 return rc; 5548 } 5549 return 0; 5550 } 5551 5552 static void selinux_msg_queue_free_security(struct msg_queue *msq) 5553 { 5554 ipc_free_security(&msq->q_perm); 5555 } 5556 5557 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 5558 { 5559 struct ipc_security_struct *isec; 5560 struct common_audit_data ad; 5561 u32 sid = current_sid(); 5562 5563 isec = msq->q_perm.security; 5564 5565 ad.type = LSM_AUDIT_DATA_IPC; 5566 ad.u.ipc_id = msq->q_perm.key; 5567 5568 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5569 MSGQ__ASSOCIATE, &ad); 5570 } 5571 5572 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 5573 { 5574 int err; 5575 int perms; 5576 5577 switch (cmd) { 5578 case IPC_INFO: 5579 case MSG_INFO: 5580 /* No specific object, just general system-wide information. */ 5581 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 5582 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5583 case IPC_STAT: 5584 case MSG_STAT: 5585 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 5586 break; 5587 case IPC_SET: 5588 perms = MSGQ__SETATTR; 5589 break; 5590 case IPC_RMID: 5591 perms = MSGQ__DESTROY; 5592 break; 5593 default: 5594 return 0; 5595 } 5596 5597 err = ipc_has_perm(&msq->q_perm, perms); 5598 return err; 5599 } 5600 5601 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 5602 { 5603 struct ipc_security_struct *isec; 5604 struct msg_security_struct *msec; 5605 struct common_audit_data ad; 5606 u32 sid = current_sid(); 5607 int rc; 5608 5609 isec = msq->q_perm.security; 5610 msec = msg->security; 5611 5612 /* 5613 * First time through, need to assign label to the message 5614 */ 5615 if (msec->sid == SECINITSID_UNLABELED) { 5616 /* 5617 * Compute new sid based on current process and 5618 * message queue this message will be stored in 5619 */ 5620 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, 5621 NULL, &msec->sid); 5622 if (rc) 5623 return rc; 5624 } 5625 5626 ad.type = LSM_AUDIT_DATA_IPC; 5627 ad.u.ipc_id = msq->q_perm.key; 5628 5629 /* Can this process write to the queue? */ 5630 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5631 MSGQ__WRITE, &ad); 5632 if (!rc) 5633 /* Can this process send the message */ 5634 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 5635 MSG__SEND, &ad); 5636 if (!rc) 5637 /* Can the message be put in the queue? */ 5638 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 5639 MSGQ__ENQUEUE, &ad); 5640 5641 return rc; 5642 } 5643 5644 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 5645 struct task_struct *target, 5646 long type, int mode) 5647 { 5648 struct ipc_security_struct *isec; 5649 struct msg_security_struct *msec; 5650 struct common_audit_data ad; 5651 u32 sid = task_sid(target); 5652 int rc; 5653 5654 isec = msq->q_perm.security; 5655 msec = msg->security; 5656 5657 ad.type = LSM_AUDIT_DATA_IPC; 5658 ad.u.ipc_id = msq->q_perm.key; 5659 5660 rc = avc_has_perm(sid, isec->sid, 5661 SECCLASS_MSGQ, MSGQ__READ, &ad); 5662 if (!rc) 5663 rc = avc_has_perm(sid, msec->sid, 5664 SECCLASS_MSG, MSG__RECEIVE, &ad); 5665 return rc; 5666 } 5667 5668 /* Shared Memory security operations */ 5669 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 5670 { 5671 struct ipc_security_struct *isec; 5672 struct common_audit_data ad; 5673 u32 sid = current_sid(); 5674 int rc; 5675 5676 rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM); 5677 if (rc) 5678 return rc; 5679 5680 isec = shp->shm_perm.security; 5681 5682 ad.type = LSM_AUDIT_DATA_IPC; 5683 ad.u.ipc_id = shp->shm_perm.key; 5684 5685 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5686 SHM__CREATE, &ad); 5687 if (rc) { 5688 ipc_free_security(&shp->shm_perm); 5689 return rc; 5690 } 5691 return 0; 5692 } 5693 5694 static void selinux_shm_free_security(struct shmid_kernel *shp) 5695 { 5696 ipc_free_security(&shp->shm_perm); 5697 } 5698 5699 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 5700 { 5701 struct ipc_security_struct *isec; 5702 struct common_audit_data ad; 5703 u32 sid = current_sid(); 5704 5705 isec = shp->shm_perm.security; 5706 5707 ad.type = LSM_AUDIT_DATA_IPC; 5708 ad.u.ipc_id = shp->shm_perm.key; 5709 5710 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5711 SHM__ASSOCIATE, &ad); 5712 } 5713 5714 /* Note, at this point, shp is locked down */ 5715 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 5716 { 5717 int perms; 5718 int err; 5719 5720 switch (cmd) { 5721 case IPC_INFO: 5722 case SHM_INFO: 5723 /* No specific object, just general system-wide information. */ 5724 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 5725 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5726 case IPC_STAT: 5727 case SHM_STAT: 5728 perms = SHM__GETATTR | SHM__ASSOCIATE; 5729 break; 5730 case IPC_SET: 5731 perms = SHM__SETATTR; 5732 break; 5733 case SHM_LOCK: 5734 case SHM_UNLOCK: 5735 perms = SHM__LOCK; 5736 break; 5737 case IPC_RMID: 5738 perms = SHM__DESTROY; 5739 break; 5740 default: 5741 return 0; 5742 } 5743 5744 err = ipc_has_perm(&shp->shm_perm, perms); 5745 return err; 5746 } 5747 5748 static int selinux_shm_shmat(struct shmid_kernel *shp, 5749 char __user *shmaddr, int shmflg) 5750 { 5751 u32 perms; 5752 5753 if (shmflg & SHM_RDONLY) 5754 perms = SHM__READ; 5755 else 5756 perms = SHM__READ | SHM__WRITE; 5757 5758 return ipc_has_perm(&shp->shm_perm, perms); 5759 } 5760 5761 /* Semaphore security operations */ 5762 static int selinux_sem_alloc_security(struct sem_array *sma) 5763 { 5764 struct ipc_security_struct *isec; 5765 struct common_audit_data ad; 5766 u32 sid = current_sid(); 5767 int rc; 5768 5769 rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM); 5770 if (rc) 5771 return rc; 5772 5773 isec = sma->sem_perm.security; 5774 5775 ad.type = LSM_AUDIT_DATA_IPC; 5776 ad.u.ipc_id = sma->sem_perm.key; 5777 5778 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5779 SEM__CREATE, &ad); 5780 if (rc) { 5781 ipc_free_security(&sma->sem_perm); 5782 return rc; 5783 } 5784 return 0; 5785 } 5786 5787 static void selinux_sem_free_security(struct sem_array *sma) 5788 { 5789 ipc_free_security(&sma->sem_perm); 5790 } 5791 5792 static int selinux_sem_associate(struct sem_array *sma, int semflg) 5793 { 5794 struct ipc_security_struct *isec; 5795 struct common_audit_data ad; 5796 u32 sid = current_sid(); 5797 5798 isec = sma->sem_perm.security; 5799 5800 ad.type = LSM_AUDIT_DATA_IPC; 5801 ad.u.ipc_id = sma->sem_perm.key; 5802 5803 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5804 SEM__ASSOCIATE, &ad); 5805 } 5806 5807 /* Note, at this point, sma is locked down */ 5808 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 5809 { 5810 int err; 5811 u32 perms; 5812 5813 switch (cmd) { 5814 case IPC_INFO: 5815 case SEM_INFO: 5816 /* No specific object, just general system-wide information. */ 5817 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 5818 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5819 case GETPID: 5820 case GETNCNT: 5821 case GETZCNT: 5822 perms = SEM__GETATTR; 5823 break; 5824 case GETVAL: 5825 case GETALL: 5826 perms = SEM__READ; 5827 break; 5828 case SETVAL: 5829 case SETALL: 5830 perms = SEM__WRITE; 5831 break; 5832 case IPC_RMID: 5833 perms = SEM__DESTROY; 5834 break; 5835 case IPC_SET: 5836 perms = SEM__SETATTR; 5837 break; 5838 case IPC_STAT: 5839 case SEM_STAT: 5840 perms = SEM__GETATTR | SEM__ASSOCIATE; 5841 break; 5842 default: 5843 return 0; 5844 } 5845 5846 err = ipc_has_perm(&sma->sem_perm, perms); 5847 return err; 5848 } 5849 5850 static int selinux_sem_semop(struct sem_array *sma, 5851 struct sembuf *sops, unsigned nsops, int alter) 5852 { 5853 u32 perms; 5854 5855 if (alter) 5856 perms = SEM__READ | SEM__WRITE; 5857 else 5858 perms = SEM__READ; 5859 5860 return ipc_has_perm(&sma->sem_perm, perms); 5861 } 5862 5863 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 5864 { 5865 u32 av = 0; 5866 5867 av = 0; 5868 if (flag & S_IRUGO) 5869 av |= IPC__UNIX_READ; 5870 if (flag & S_IWUGO) 5871 av |= IPC__UNIX_WRITE; 5872 5873 if (av == 0) 5874 return 0; 5875 5876 return ipc_has_perm(ipcp, av); 5877 } 5878 5879 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 5880 { 5881 struct ipc_security_struct *isec = ipcp->security; 5882 *secid = isec->sid; 5883 } 5884 5885 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 5886 { 5887 if (inode) 5888 inode_doinit_with_dentry(inode, dentry); 5889 } 5890 5891 static int selinux_getprocattr(struct task_struct *p, 5892 char *name, char **value) 5893 { 5894 const struct task_security_struct *__tsec; 5895 u32 sid; 5896 int error; 5897 unsigned len; 5898 5899 rcu_read_lock(); 5900 __tsec = __task_cred(p)->security; 5901 5902 if (current != p) { 5903 error = avc_has_perm(current_sid(), __tsec->sid, 5904 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 5905 if (error) 5906 goto bad; 5907 } 5908 5909 if (!strcmp(name, "current")) 5910 sid = __tsec->sid; 5911 else if (!strcmp(name, "prev")) 5912 sid = __tsec->osid; 5913 else if (!strcmp(name, "exec")) 5914 sid = __tsec->exec_sid; 5915 else if (!strcmp(name, "fscreate")) 5916 sid = __tsec->create_sid; 5917 else if (!strcmp(name, "keycreate")) 5918 sid = __tsec->keycreate_sid; 5919 else if (!strcmp(name, "sockcreate")) 5920 sid = __tsec->sockcreate_sid; 5921 else { 5922 error = -EINVAL; 5923 goto bad; 5924 } 5925 rcu_read_unlock(); 5926 5927 if (!sid) 5928 return 0; 5929 5930 error = security_sid_to_context(sid, value, &len); 5931 if (error) 5932 return error; 5933 return len; 5934 5935 bad: 5936 rcu_read_unlock(); 5937 return error; 5938 } 5939 5940 static int selinux_setprocattr(const char *name, void *value, size_t size) 5941 { 5942 struct task_security_struct *tsec; 5943 struct cred *new; 5944 u32 mysid = current_sid(), sid = 0, ptsid; 5945 int error; 5946 char *str = value; 5947 5948 /* 5949 * Basic control over ability to set these attributes at all. 5950 */ 5951 if (!strcmp(name, "exec")) 5952 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5953 PROCESS__SETEXEC, NULL); 5954 else if (!strcmp(name, "fscreate")) 5955 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5956 PROCESS__SETFSCREATE, NULL); 5957 else if (!strcmp(name, "keycreate")) 5958 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5959 PROCESS__SETKEYCREATE, NULL); 5960 else if (!strcmp(name, "sockcreate")) 5961 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5962 PROCESS__SETSOCKCREATE, NULL); 5963 else if (!strcmp(name, "current")) 5964 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 5965 PROCESS__SETCURRENT, NULL); 5966 else 5967 error = -EINVAL; 5968 if (error) 5969 return error; 5970 5971 /* Obtain a SID for the context, if one was specified. */ 5972 if (size && str[0] && str[0] != '\n') { 5973 if (str[size-1] == '\n') { 5974 str[size-1] = 0; 5975 size--; 5976 } 5977 error = security_context_to_sid(value, size, &sid, GFP_KERNEL); 5978 if (error == -EINVAL && !strcmp(name, "fscreate")) { 5979 if (!has_cap_mac_admin(true)) { 5980 struct audit_buffer *ab; 5981 size_t audit_size; 5982 5983 /* We strip a nul only if it is at the end, otherwise the 5984 * context contains a nul and we should audit that */ 5985 if (str[size - 1] == '\0') 5986 audit_size = size - 1; 5987 else 5988 audit_size = size; 5989 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 5990 audit_log_format(ab, "op=fscreate invalid_context="); 5991 audit_log_n_untrustedstring(ab, value, audit_size); 5992 audit_log_end(ab); 5993 5994 return error; 5995 } 5996 error = security_context_to_sid_force(value, size, 5997 &sid); 5998 } 5999 if (error) 6000 return error; 6001 } 6002 6003 new = prepare_creds(); 6004 if (!new) 6005 return -ENOMEM; 6006 6007 /* Permission checking based on the specified context is 6008 performed during the actual operation (execve, 6009 open/mkdir/...), when we know the full context of the 6010 operation. See selinux_bprm_set_creds for the execve 6011 checks and may_create for the file creation checks. The 6012 operation will then fail if the context is not permitted. */ 6013 tsec = new->security; 6014 if (!strcmp(name, "exec")) { 6015 tsec->exec_sid = sid; 6016 } else if (!strcmp(name, "fscreate")) { 6017 tsec->create_sid = sid; 6018 } else if (!strcmp(name, "keycreate")) { 6019 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE, 6020 NULL); 6021 if (error) 6022 goto abort_change; 6023 tsec->keycreate_sid = sid; 6024 } else if (!strcmp(name, "sockcreate")) { 6025 tsec->sockcreate_sid = sid; 6026 } else if (!strcmp(name, "current")) { 6027 error = -EINVAL; 6028 if (sid == 0) 6029 goto abort_change; 6030 6031 /* Only allow single threaded processes to change context */ 6032 error = -EPERM; 6033 if (!current_is_single_threaded()) { 6034 error = security_bounded_transition(tsec->sid, sid); 6035 if (error) 6036 goto abort_change; 6037 } 6038 6039 /* Check permissions for the transition. */ 6040 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 6041 PROCESS__DYNTRANSITION, NULL); 6042 if (error) 6043 goto abort_change; 6044 6045 /* Check for ptracing, and update the task SID if ok. 6046 Otherwise, leave SID unchanged and fail. */ 6047 ptsid = ptrace_parent_sid(); 6048 if (ptsid != 0) { 6049 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 6050 PROCESS__PTRACE, NULL); 6051 if (error) 6052 goto abort_change; 6053 } 6054 6055 tsec->sid = sid; 6056 } else { 6057 error = -EINVAL; 6058 goto abort_change; 6059 } 6060 6061 commit_creds(new); 6062 return size; 6063 6064 abort_change: 6065 abort_creds(new); 6066 return error; 6067 } 6068 6069 static int selinux_ismaclabel(const char *name) 6070 { 6071 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6072 } 6073 6074 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6075 { 6076 return security_sid_to_context(secid, secdata, seclen); 6077 } 6078 6079 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6080 { 6081 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL); 6082 } 6083 6084 static void selinux_release_secctx(char *secdata, u32 seclen) 6085 { 6086 kfree(secdata); 6087 } 6088 6089 static void selinux_inode_invalidate_secctx(struct inode *inode) 6090 { 6091 struct inode_security_struct *isec = inode->i_security; 6092 6093 spin_lock(&isec->lock); 6094 isec->initialized = LABEL_INVALID; 6095 spin_unlock(&isec->lock); 6096 } 6097 6098 /* 6099 * called with inode->i_mutex locked 6100 */ 6101 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6102 { 6103 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 6104 } 6105 6106 /* 6107 * called with inode->i_mutex locked 6108 */ 6109 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6110 { 6111 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 6112 } 6113 6114 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6115 { 6116 int len = 0; 6117 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 6118 ctx, true); 6119 if (len < 0) 6120 return len; 6121 *ctxlen = len; 6122 return 0; 6123 } 6124 #ifdef CONFIG_KEYS 6125 6126 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6127 unsigned long flags) 6128 { 6129 const struct task_security_struct *tsec; 6130 struct key_security_struct *ksec; 6131 6132 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6133 if (!ksec) 6134 return -ENOMEM; 6135 6136 tsec = cred->security; 6137 if (tsec->keycreate_sid) 6138 ksec->sid = tsec->keycreate_sid; 6139 else 6140 ksec->sid = tsec->sid; 6141 6142 k->security = ksec; 6143 return 0; 6144 } 6145 6146 static void selinux_key_free(struct key *k) 6147 { 6148 struct key_security_struct *ksec = k->security; 6149 6150 k->security = NULL; 6151 kfree(ksec); 6152 } 6153 6154 static int selinux_key_permission(key_ref_t key_ref, 6155 const struct cred *cred, 6156 unsigned perm) 6157 { 6158 struct key *key; 6159 struct key_security_struct *ksec; 6160 u32 sid; 6161 6162 /* if no specific permissions are requested, we skip the 6163 permission check. No serious, additional covert channels 6164 appear to be created. */ 6165 if (perm == 0) 6166 return 0; 6167 6168 sid = cred_sid(cred); 6169 6170 key = key_ref_to_ptr(key_ref); 6171 ksec = key->security; 6172 6173 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6174 } 6175 6176 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6177 { 6178 struct key_security_struct *ksec = key->security; 6179 char *context = NULL; 6180 unsigned len; 6181 int rc; 6182 6183 rc = security_sid_to_context(ksec->sid, &context, &len); 6184 if (!rc) 6185 rc = len; 6186 *_buffer = context; 6187 return rc; 6188 } 6189 #endif 6190 6191 #ifdef CONFIG_SECURITY_INFINIBAND 6192 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6193 { 6194 struct common_audit_data ad; 6195 int err; 6196 u32 sid = 0; 6197 struct ib_security_struct *sec = ib_sec; 6198 struct lsm_ibpkey_audit ibpkey; 6199 6200 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6201 if (err) 6202 return err; 6203 6204 ad.type = LSM_AUDIT_DATA_IBPKEY; 6205 ibpkey.subnet_prefix = subnet_prefix; 6206 ibpkey.pkey = pkey_val; 6207 ad.u.ibpkey = &ibpkey; 6208 return avc_has_perm(sec->sid, sid, 6209 SECCLASS_INFINIBAND_PKEY, 6210 INFINIBAND_PKEY__ACCESS, &ad); 6211 } 6212 6213 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6214 u8 port_num) 6215 { 6216 struct common_audit_data ad; 6217 int err; 6218 u32 sid = 0; 6219 struct ib_security_struct *sec = ib_sec; 6220 struct lsm_ibendport_audit ibendport; 6221 6222 err = security_ib_endport_sid(dev_name, port_num, &sid); 6223 6224 if (err) 6225 return err; 6226 6227 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6228 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6229 ibendport.port = port_num; 6230 ad.u.ibendport = &ibendport; 6231 return avc_has_perm(sec->sid, sid, 6232 SECCLASS_INFINIBAND_ENDPORT, 6233 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6234 } 6235 6236 static int selinux_ib_alloc_security(void **ib_sec) 6237 { 6238 struct ib_security_struct *sec; 6239 6240 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6241 if (!sec) 6242 return -ENOMEM; 6243 sec->sid = current_sid(); 6244 6245 *ib_sec = sec; 6246 return 0; 6247 } 6248 6249 static void selinux_ib_free_security(void *ib_sec) 6250 { 6251 kfree(ib_sec); 6252 } 6253 #endif 6254 6255 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 6256 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6257 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6258 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6259 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6260 6261 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 6262 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 6263 LSM_HOOK_INIT(capget, selinux_capget), 6264 LSM_HOOK_INIT(capset, selinux_capset), 6265 LSM_HOOK_INIT(capable, selinux_capable), 6266 LSM_HOOK_INIT(quotactl, selinux_quotactl), 6267 LSM_HOOK_INIT(quota_on, selinux_quota_on), 6268 LSM_HOOK_INIT(syslog, selinux_syslog), 6269 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6270 6271 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6272 6273 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6274 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6275 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6276 6277 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6278 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6279 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data), 6280 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6281 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6282 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6283 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 6284 LSM_HOOK_INIT(sb_mount, selinux_mount), 6285 LSM_HOOK_INIT(sb_umount, selinux_umount), 6286 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 6287 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 6288 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), 6289 6290 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 6291 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 6292 6293 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 6294 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 6295 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 6296 LSM_HOOK_INIT(inode_create, selinux_inode_create), 6297 LSM_HOOK_INIT(inode_link, selinux_inode_link), 6298 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 6299 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 6300 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 6301 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 6302 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 6303 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 6304 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 6305 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 6306 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 6307 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 6308 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 6309 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 6310 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 6311 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 6312 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 6313 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 6314 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 6315 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 6316 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 6317 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 6318 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 6319 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 6320 6321 LSM_HOOK_INIT(file_permission, selinux_file_permission), 6322 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 6323 LSM_HOOK_INIT(file_free_security, selinux_file_free_security), 6324 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 6325 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 6326 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 6327 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 6328 LSM_HOOK_INIT(file_lock, selinux_file_lock), 6329 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 6330 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 6331 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 6332 LSM_HOOK_INIT(file_receive, selinux_file_receive), 6333 6334 LSM_HOOK_INIT(file_open, selinux_file_open), 6335 6336 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 6337 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), 6338 LSM_HOOK_INIT(cred_free, selinux_cred_free), 6339 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6340 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6341 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6342 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6343 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6344 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 6345 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 6346 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 6347 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 6348 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), 6349 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 6350 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 6351 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 6352 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 6353 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 6354 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 6355 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 6356 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 6357 LSM_HOOK_INIT(task_kill, selinux_task_kill), 6358 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 6359 6360 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 6361 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 6362 6363 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 6364 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security), 6365 6366 LSM_HOOK_INIT(msg_queue_alloc_security, 6367 selinux_msg_queue_alloc_security), 6368 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security), 6369 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 6370 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 6371 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 6372 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 6373 6374 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 6375 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security), 6376 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 6377 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 6378 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 6379 6380 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 6381 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security), 6382 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 6383 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 6384 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 6385 6386 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 6387 6388 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 6389 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 6390 6391 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 6392 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 6393 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 6394 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 6395 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 6396 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 6397 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 6398 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 6399 6400 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 6401 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 6402 6403 LSM_HOOK_INIT(socket_create, selinux_socket_create), 6404 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 6405 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 6406 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 6407 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 6408 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 6409 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 6410 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 6411 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 6412 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 6413 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 6414 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 6415 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 6416 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 6417 LSM_HOOK_INIT(socket_getpeersec_stream, 6418 selinux_socket_getpeersec_stream), 6419 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 6420 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 6421 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 6422 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 6423 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 6424 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 6425 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 6426 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 6427 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 6428 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 6429 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 6430 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 6431 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 6432 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 6433 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 6434 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 6435 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 6436 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 6437 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 6438 #ifdef CONFIG_SECURITY_INFINIBAND 6439 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 6440 LSM_HOOK_INIT(ib_endport_manage_subnet, 6441 selinux_ib_endport_manage_subnet), 6442 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 6443 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 6444 #endif 6445 #ifdef CONFIG_SECURITY_NETWORK_XFRM 6446 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 6447 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 6448 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 6449 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 6450 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 6451 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 6452 selinux_xfrm_state_alloc_acquire), 6453 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 6454 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 6455 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 6456 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 6457 selinux_xfrm_state_pol_flow_match), 6458 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 6459 #endif 6460 6461 #ifdef CONFIG_KEYS 6462 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 6463 LSM_HOOK_INIT(key_free, selinux_key_free), 6464 LSM_HOOK_INIT(key_permission, selinux_key_permission), 6465 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 6466 #endif 6467 6468 #ifdef CONFIG_AUDIT 6469 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 6470 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 6471 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 6472 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 6473 #endif 6474 }; 6475 6476 static __init int selinux_init(void) 6477 { 6478 if (!security_module_enable("selinux")) { 6479 selinux_enabled = 0; 6480 return 0; 6481 } 6482 6483 if (!selinux_enabled) { 6484 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 6485 return 0; 6486 } 6487 6488 printk(KERN_INFO "SELinux: Initializing.\n"); 6489 6490 /* Set the security state for the initial task. */ 6491 cred_init_security(); 6492 6493 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 6494 6495 sel_inode_cache = kmem_cache_create("selinux_inode_security", 6496 sizeof(struct inode_security_struct), 6497 0, SLAB_PANIC, NULL); 6498 file_security_cache = kmem_cache_create("selinux_file_security", 6499 sizeof(struct file_security_struct), 6500 0, SLAB_PANIC, NULL); 6501 avc_init(); 6502 6503 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 6504 6505 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 6506 panic("SELinux: Unable to register AVC netcache callback\n"); 6507 6508 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 6509 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 6510 6511 if (selinux_enforcing) 6512 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 6513 else 6514 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 6515 6516 return 0; 6517 } 6518 6519 static void delayed_superblock_init(struct super_block *sb, void *unused) 6520 { 6521 superblock_doinit(sb, NULL); 6522 } 6523 6524 void selinux_complete_init(void) 6525 { 6526 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 6527 6528 /* Set up any superblocks initialized prior to the policy load. */ 6529 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 6530 iterate_supers(delayed_superblock_init, NULL); 6531 } 6532 6533 /* SELinux requires early initialization in order to label 6534 all processes and objects when they are created. */ 6535 security_initcall(selinux_init); 6536 6537 #if defined(CONFIG_NETFILTER) 6538 6539 static const struct nf_hook_ops selinux_nf_ops[] = { 6540 { 6541 .hook = selinux_ipv4_postroute, 6542 .pf = NFPROTO_IPV4, 6543 .hooknum = NF_INET_POST_ROUTING, 6544 .priority = NF_IP_PRI_SELINUX_LAST, 6545 }, 6546 { 6547 .hook = selinux_ipv4_forward, 6548 .pf = NFPROTO_IPV4, 6549 .hooknum = NF_INET_FORWARD, 6550 .priority = NF_IP_PRI_SELINUX_FIRST, 6551 }, 6552 { 6553 .hook = selinux_ipv4_output, 6554 .pf = NFPROTO_IPV4, 6555 .hooknum = NF_INET_LOCAL_OUT, 6556 .priority = NF_IP_PRI_SELINUX_FIRST, 6557 }, 6558 #if IS_ENABLED(CONFIG_IPV6) 6559 { 6560 .hook = selinux_ipv6_postroute, 6561 .pf = NFPROTO_IPV6, 6562 .hooknum = NF_INET_POST_ROUTING, 6563 .priority = NF_IP6_PRI_SELINUX_LAST, 6564 }, 6565 { 6566 .hook = selinux_ipv6_forward, 6567 .pf = NFPROTO_IPV6, 6568 .hooknum = NF_INET_FORWARD, 6569 .priority = NF_IP6_PRI_SELINUX_FIRST, 6570 }, 6571 { 6572 .hook = selinux_ipv6_output, 6573 .pf = NFPROTO_IPV6, 6574 .hooknum = NF_INET_LOCAL_OUT, 6575 .priority = NF_IP6_PRI_SELINUX_FIRST, 6576 }, 6577 #endif /* IPV6 */ 6578 }; 6579 6580 static int __net_init selinux_nf_register(struct net *net) 6581 { 6582 return nf_register_net_hooks(net, selinux_nf_ops, 6583 ARRAY_SIZE(selinux_nf_ops)); 6584 } 6585 6586 static void __net_exit selinux_nf_unregister(struct net *net) 6587 { 6588 nf_unregister_net_hooks(net, selinux_nf_ops, 6589 ARRAY_SIZE(selinux_nf_ops)); 6590 } 6591 6592 static struct pernet_operations selinux_net_ops = { 6593 .init = selinux_nf_register, 6594 .exit = selinux_nf_unregister, 6595 }; 6596 6597 static int __init selinux_nf_ip_init(void) 6598 { 6599 int err; 6600 6601 if (!selinux_enabled) 6602 return 0; 6603 6604 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 6605 6606 err = register_pernet_subsys(&selinux_net_ops); 6607 if (err) 6608 panic("SELinux: register_pernet_subsys: error %d\n", err); 6609 6610 return 0; 6611 } 6612 __initcall(selinux_nf_ip_init); 6613 6614 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6615 static void selinux_nf_ip_exit(void) 6616 { 6617 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 6618 6619 unregister_pernet_subsys(&selinux_net_ops); 6620 } 6621 #endif 6622 6623 #else /* CONFIG_NETFILTER */ 6624 6625 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6626 #define selinux_nf_ip_exit() 6627 #endif 6628 6629 #endif /* CONFIG_NETFILTER */ 6630 6631 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6632 static int selinux_disabled; 6633 6634 int selinux_disable(void) 6635 { 6636 if (ss_initialized) { 6637 /* Not permitted after initial policy load. */ 6638 return -EINVAL; 6639 } 6640 6641 if (selinux_disabled) { 6642 /* Only do this once. */ 6643 return -EINVAL; 6644 } 6645 6646 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 6647 6648 selinux_disabled = 1; 6649 selinux_enabled = 0; 6650 6651 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 6652 6653 /* Try to destroy the avc node cache */ 6654 avc_disable(); 6655 6656 /* Unregister netfilter hooks. */ 6657 selinux_nf_ip_exit(); 6658 6659 /* Unregister selinuxfs. */ 6660 exit_sel_fs(); 6661 6662 return 0; 6663 } 6664 #endif 6665