1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * 21 * This program is free software; you can redistribute it and/or modify 22 * it under the terms of the GNU General Public License version 2, 23 * as published by the Free Software Foundation. 24 */ 25 26 #include <linux/init.h> 27 #include <linux/kd.h> 28 #include <linux/kernel.h> 29 #include <linux/tracehook.h> 30 #include <linux/errno.h> 31 #include <linux/sched.h> 32 #include <linux/lsm_hooks.h> 33 #include <linux/xattr.h> 34 #include <linux/capability.h> 35 #include <linux/unistd.h> 36 #include <linux/mm.h> 37 #include <linux/mman.h> 38 #include <linux/slab.h> 39 #include <linux/pagemap.h> 40 #include <linux/proc_fs.h> 41 #include <linux/swap.h> 42 #include <linux/spinlock.h> 43 #include <linux/syscalls.h> 44 #include <linux/dcache.h> 45 #include <linux/file.h> 46 #include <linux/fdtable.h> 47 #include <linux/namei.h> 48 #include <linux/mount.h> 49 #include <linux/netfilter_ipv4.h> 50 #include <linux/netfilter_ipv6.h> 51 #include <linux/tty.h> 52 #include <net/icmp.h> 53 #include <net/ip.h> /* for local_port_range[] */ 54 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 55 #include <net/inet_connection_sock.h> 56 #include <net/net_namespace.h> 57 #include <net/netlabel.h> 58 #include <linux/uaccess.h> 59 #include <asm/ioctls.h> 60 #include <linux/atomic.h> 61 #include <linux/bitops.h> 62 #include <linux/interrupt.h> 63 #include <linux/netdevice.h> /* for network interface checks */ 64 #include <net/netlink.h> 65 #include <linux/tcp.h> 66 #include <linux/udp.h> 67 #include <linux/dccp.h> 68 #include <linux/quota.h> 69 #include <linux/un.h> /* for Unix socket types */ 70 #include <net/af_unix.h> /* for Unix socket types */ 71 #include <linux/parser.h> 72 #include <linux/nfs_mount.h> 73 #include <net/ipv6.h> 74 #include <linux/hugetlb.h> 75 #include <linux/personality.h> 76 #include <linux/audit.h> 77 #include <linux/string.h> 78 #include <linux/selinux.h> 79 #include <linux/mutex.h> 80 #include <linux/posix-timers.h> 81 #include <linux/syslog.h> 82 #include <linux/user_namespace.h> 83 #include <linux/export.h> 84 #include <linux/msg.h> 85 #include <linux/shm.h> 86 87 #include "avc.h" 88 #include "objsec.h" 89 #include "netif.h" 90 #include "netnode.h" 91 #include "netport.h" 92 #include "xfrm.h" 93 #include "netlabel.h" 94 #include "audit.h" 95 #include "avc_ss.h" 96 97 /* SECMARK reference count */ 98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 99 100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 101 int selinux_enforcing; 102 103 static int __init enforcing_setup(char *str) 104 { 105 unsigned long enforcing; 106 if (!kstrtoul(str, 0, &enforcing)) 107 selinux_enforcing = enforcing ? 1 : 0; 108 return 1; 109 } 110 __setup("enforcing=", enforcing_setup); 111 #endif 112 113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 115 116 static int __init selinux_enabled_setup(char *str) 117 { 118 unsigned long enabled; 119 if (!kstrtoul(str, 0, &enabled)) 120 selinux_enabled = enabled ? 1 : 0; 121 return 1; 122 } 123 __setup("selinux=", selinux_enabled_setup); 124 #else 125 int selinux_enabled = 1; 126 #endif 127 128 static struct kmem_cache *sel_inode_cache; 129 static struct kmem_cache *file_security_cache; 130 131 /** 132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 133 * 134 * Description: 135 * This function checks the SECMARK reference counter to see if any SECMARK 136 * targets are currently configured, if the reference counter is greater than 137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 138 * enabled, false (0) if SECMARK is disabled. If the always_check_network 139 * policy capability is enabled, SECMARK is always considered enabled. 140 * 141 */ 142 static int selinux_secmark_enabled(void) 143 { 144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount)); 145 } 146 147 /** 148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 149 * 150 * Description: 151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 152 * (1) if any are enabled or false (0) if neither are enabled. If the 153 * always_check_network policy capability is enabled, peer labeling 154 * is always considered enabled. 155 * 156 */ 157 static int selinux_peerlbl_enabled(void) 158 { 159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled()); 160 } 161 162 static int selinux_netcache_avc_callback(u32 event) 163 { 164 if (event == AVC_CALLBACK_RESET) { 165 sel_netif_flush(); 166 sel_netnode_flush(); 167 sel_netport_flush(); 168 synchronize_net(); 169 } 170 return 0; 171 } 172 173 /* 174 * initialise the security for the init task 175 */ 176 static void cred_init_security(void) 177 { 178 struct cred *cred = (struct cred *) current->real_cred; 179 struct task_security_struct *tsec; 180 181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 182 if (!tsec) 183 panic("SELinux: Failed to initialize initial task.\n"); 184 185 tsec->osid = tsec->sid = SECINITSID_KERNEL; 186 cred->security = tsec; 187 } 188 189 /* 190 * get the security ID of a set of credentials 191 */ 192 static inline u32 cred_sid(const struct cred *cred) 193 { 194 const struct task_security_struct *tsec; 195 196 tsec = cred->security; 197 return tsec->sid; 198 } 199 200 /* 201 * get the objective security ID of a task 202 */ 203 static inline u32 task_sid(const struct task_struct *task) 204 { 205 u32 sid; 206 207 rcu_read_lock(); 208 sid = cred_sid(__task_cred(task)); 209 rcu_read_unlock(); 210 return sid; 211 } 212 213 /* 214 * get the subjective security ID of the current task 215 */ 216 static inline u32 current_sid(void) 217 { 218 const struct task_security_struct *tsec = current_security(); 219 220 return tsec->sid; 221 } 222 223 /* Allocate and free functions for each kind of security blob. */ 224 225 static int inode_alloc_security(struct inode *inode) 226 { 227 struct inode_security_struct *isec; 228 u32 sid = current_sid(); 229 230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 231 if (!isec) 232 return -ENOMEM; 233 234 mutex_init(&isec->lock); 235 INIT_LIST_HEAD(&isec->list); 236 isec->inode = inode; 237 isec->sid = SECINITSID_UNLABELED; 238 isec->sclass = SECCLASS_FILE; 239 isec->task_sid = sid; 240 inode->i_security = isec; 241 242 return 0; 243 } 244 245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 246 247 /* 248 * Try reloading inode security labels that have been marked as invalid. The 249 * @may_sleep parameter indicates when sleeping and thus reloading labels is 250 * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is 251 * invalid. The @opt_dentry parameter should be set to a dentry of the inode; 252 * when no dentry is available, set it to NULL instead. 253 */ 254 static int __inode_security_revalidate(struct inode *inode, 255 struct dentry *opt_dentry, 256 bool may_sleep) 257 { 258 struct inode_security_struct *isec = inode->i_security; 259 260 might_sleep_if(may_sleep); 261 262 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) { 263 if (!may_sleep) 264 return -ECHILD; 265 266 /* 267 * Try reloading the inode security label. This will fail if 268 * @opt_dentry is NULL and no dentry for this inode can be 269 * found; in that case, continue using the old label. 270 */ 271 inode_doinit_with_dentry(inode, opt_dentry); 272 } 273 return 0; 274 } 275 276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 277 { 278 return inode->i_security; 279 } 280 281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 282 { 283 int error; 284 285 error = __inode_security_revalidate(inode, NULL, !rcu); 286 if (error) 287 return ERR_PTR(error); 288 return inode->i_security; 289 } 290 291 /* 292 * Get the security label of an inode. 293 */ 294 static struct inode_security_struct *inode_security(struct inode *inode) 295 { 296 __inode_security_revalidate(inode, NULL, true); 297 return inode->i_security; 298 } 299 300 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 301 { 302 struct inode *inode = d_backing_inode(dentry); 303 304 return inode->i_security; 305 } 306 307 /* 308 * Get the security label of a dentry's backing inode. 309 */ 310 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 311 { 312 struct inode *inode = d_backing_inode(dentry); 313 314 __inode_security_revalidate(inode, dentry, true); 315 return inode->i_security; 316 } 317 318 static void inode_free_rcu(struct rcu_head *head) 319 { 320 struct inode_security_struct *isec; 321 322 isec = container_of(head, struct inode_security_struct, rcu); 323 kmem_cache_free(sel_inode_cache, isec); 324 } 325 326 static void inode_free_security(struct inode *inode) 327 { 328 struct inode_security_struct *isec = inode->i_security; 329 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 330 331 /* 332 * As not all inode security structures are in a list, we check for 333 * empty list outside of the lock to make sure that we won't waste 334 * time taking a lock doing nothing. 335 * 336 * The list_del_init() function can be safely called more than once. 337 * It should not be possible for this function to be called with 338 * concurrent list_add(), but for better safety against future changes 339 * in the code, we use list_empty_careful() here. 340 */ 341 if (!list_empty_careful(&isec->list)) { 342 spin_lock(&sbsec->isec_lock); 343 list_del_init(&isec->list); 344 spin_unlock(&sbsec->isec_lock); 345 } 346 347 /* 348 * The inode may still be referenced in a path walk and 349 * a call to selinux_inode_permission() can be made 350 * after inode_free_security() is called. Ideally, the VFS 351 * wouldn't do this, but fixing that is a much harder 352 * job. For now, simply free the i_security via RCU, and 353 * leave the current inode->i_security pointer intact. 354 * The inode will be freed after the RCU grace period too. 355 */ 356 call_rcu(&isec->rcu, inode_free_rcu); 357 } 358 359 static int file_alloc_security(struct file *file) 360 { 361 struct file_security_struct *fsec; 362 u32 sid = current_sid(); 363 364 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); 365 if (!fsec) 366 return -ENOMEM; 367 368 fsec->sid = sid; 369 fsec->fown_sid = sid; 370 file->f_security = fsec; 371 372 return 0; 373 } 374 375 static void file_free_security(struct file *file) 376 { 377 struct file_security_struct *fsec = file->f_security; 378 file->f_security = NULL; 379 kmem_cache_free(file_security_cache, fsec); 380 } 381 382 static int superblock_alloc_security(struct super_block *sb) 383 { 384 struct superblock_security_struct *sbsec; 385 386 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 387 if (!sbsec) 388 return -ENOMEM; 389 390 mutex_init(&sbsec->lock); 391 INIT_LIST_HEAD(&sbsec->isec_head); 392 spin_lock_init(&sbsec->isec_lock); 393 sbsec->sb = sb; 394 sbsec->sid = SECINITSID_UNLABELED; 395 sbsec->def_sid = SECINITSID_FILE; 396 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 397 sb->s_security = sbsec; 398 399 return 0; 400 } 401 402 static void superblock_free_security(struct super_block *sb) 403 { 404 struct superblock_security_struct *sbsec = sb->s_security; 405 sb->s_security = NULL; 406 kfree(sbsec); 407 } 408 409 /* The file system's label must be initialized prior to use. */ 410 411 static const char *labeling_behaviors[7] = { 412 "uses xattr", 413 "uses transition SIDs", 414 "uses task SIDs", 415 "uses genfs_contexts", 416 "not configured for labeling", 417 "uses mountpoint labeling", 418 "uses native labeling", 419 }; 420 421 static inline int inode_doinit(struct inode *inode) 422 { 423 return inode_doinit_with_dentry(inode, NULL); 424 } 425 426 enum { 427 Opt_error = -1, 428 Opt_context = 1, 429 Opt_fscontext = 2, 430 Opt_defcontext = 3, 431 Opt_rootcontext = 4, 432 Opt_labelsupport = 5, 433 Opt_nextmntopt = 6, 434 }; 435 436 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1) 437 438 static const match_table_t tokens = { 439 {Opt_context, CONTEXT_STR "%s"}, 440 {Opt_fscontext, FSCONTEXT_STR "%s"}, 441 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 442 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 443 {Opt_labelsupport, LABELSUPP_STR}, 444 {Opt_error, NULL}, 445 }; 446 447 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 448 449 static int may_context_mount_sb_relabel(u32 sid, 450 struct superblock_security_struct *sbsec, 451 const struct cred *cred) 452 { 453 const struct task_security_struct *tsec = cred->security; 454 int rc; 455 456 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 457 FILESYSTEM__RELABELFROM, NULL); 458 if (rc) 459 return rc; 460 461 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 462 FILESYSTEM__RELABELTO, NULL); 463 return rc; 464 } 465 466 static int may_context_mount_inode_relabel(u32 sid, 467 struct superblock_security_struct *sbsec, 468 const struct cred *cred) 469 { 470 const struct task_security_struct *tsec = cred->security; 471 int rc; 472 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 473 FILESYSTEM__RELABELFROM, NULL); 474 if (rc) 475 return rc; 476 477 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 478 FILESYSTEM__ASSOCIATE, NULL); 479 return rc; 480 } 481 482 static int selinux_is_sblabel_mnt(struct super_block *sb) 483 { 484 struct superblock_security_struct *sbsec = sb->s_security; 485 486 return sbsec->behavior == SECURITY_FS_USE_XATTR || 487 sbsec->behavior == SECURITY_FS_USE_TRANS || 488 sbsec->behavior == SECURITY_FS_USE_TASK || 489 sbsec->behavior == SECURITY_FS_USE_NATIVE || 490 /* Special handling. Genfs but also in-core setxattr handler */ 491 !strcmp(sb->s_type->name, "sysfs") || 492 !strcmp(sb->s_type->name, "pstore") || 493 !strcmp(sb->s_type->name, "debugfs") || 494 !strcmp(sb->s_type->name, "rootfs"); 495 } 496 497 static int sb_finish_set_opts(struct super_block *sb) 498 { 499 struct superblock_security_struct *sbsec = sb->s_security; 500 struct dentry *root = sb->s_root; 501 struct inode *root_inode = d_backing_inode(root); 502 int rc = 0; 503 504 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 505 /* Make sure that the xattr handler exists and that no 506 error other than -ENODATA is returned by getxattr on 507 the root directory. -ENODATA is ok, as this may be 508 the first boot of the SELinux kernel before we have 509 assigned xattr values to the filesystem. */ 510 if (!(root_inode->i_opflags & IOP_XATTR)) { 511 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 512 "xattr support\n", sb->s_id, sb->s_type->name); 513 rc = -EOPNOTSUPP; 514 goto out; 515 } 516 517 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 518 if (rc < 0 && rc != -ENODATA) { 519 if (rc == -EOPNOTSUPP) 520 printk(KERN_WARNING "SELinux: (dev %s, type " 521 "%s) has no security xattr handler\n", 522 sb->s_id, sb->s_type->name); 523 else 524 printk(KERN_WARNING "SELinux: (dev %s, type " 525 "%s) getxattr errno %d\n", sb->s_id, 526 sb->s_type->name, -rc); 527 goto out; 528 } 529 } 530 531 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 532 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", 533 sb->s_id, sb->s_type->name); 534 535 sbsec->flags |= SE_SBINITIALIZED; 536 if (selinux_is_sblabel_mnt(sb)) 537 sbsec->flags |= SBLABEL_MNT; 538 539 /* Initialize the root inode. */ 540 rc = inode_doinit_with_dentry(root_inode, root); 541 542 /* Initialize any other inodes associated with the superblock, e.g. 543 inodes created prior to initial policy load or inodes created 544 during get_sb by a pseudo filesystem that directly 545 populates itself. */ 546 spin_lock(&sbsec->isec_lock); 547 next_inode: 548 if (!list_empty(&sbsec->isec_head)) { 549 struct inode_security_struct *isec = 550 list_entry(sbsec->isec_head.next, 551 struct inode_security_struct, list); 552 struct inode *inode = isec->inode; 553 list_del_init(&isec->list); 554 spin_unlock(&sbsec->isec_lock); 555 inode = igrab(inode); 556 if (inode) { 557 if (!IS_PRIVATE(inode)) 558 inode_doinit(inode); 559 iput(inode); 560 } 561 spin_lock(&sbsec->isec_lock); 562 goto next_inode; 563 } 564 spin_unlock(&sbsec->isec_lock); 565 out: 566 return rc; 567 } 568 569 /* 570 * This function should allow an FS to ask what it's mount security 571 * options were so it can use those later for submounts, displaying 572 * mount options, or whatever. 573 */ 574 static int selinux_get_mnt_opts(const struct super_block *sb, 575 struct security_mnt_opts *opts) 576 { 577 int rc = 0, i; 578 struct superblock_security_struct *sbsec = sb->s_security; 579 char *context = NULL; 580 u32 len; 581 char tmp; 582 583 security_init_mnt_opts(opts); 584 585 if (!(sbsec->flags & SE_SBINITIALIZED)) 586 return -EINVAL; 587 588 if (!ss_initialized) 589 return -EINVAL; 590 591 /* make sure we always check enough bits to cover the mask */ 592 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS)); 593 594 tmp = sbsec->flags & SE_MNTMASK; 595 /* count the number of mount options for this sb */ 596 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) { 597 if (tmp & 0x01) 598 opts->num_mnt_opts++; 599 tmp >>= 1; 600 } 601 /* Check if the Label support flag is set */ 602 if (sbsec->flags & SBLABEL_MNT) 603 opts->num_mnt_opts++; 604 605 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 606 if (!opts->mnt_opts) { 607 rc = -ENOMEM; 608 goto out_free; 609 } 610 611 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 612 if (!opts->mnt_opts_flags) { 613 rc = -ENOMEM; 614 goto out_free; 615 } 616 617 i = 0; 618 if (sbsec->flags & FSCONTEXT_MNT) { 619 rc = security_sid_to_context(sbsec->sid, &context, &len); 620 if (rc) 621 goto out_free; 622 opts->mnt_opts[i] = context; 623 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 624 } 625 if (sbsec->flags & CONTEXT_MNT) { 626 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 627 if (rc) 628 goto out_free; 629 opts->mnt_opts[i] = context; 630 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 631 } 632 if (sbsec->flags & DEFCONTEXT_MNT) { 633 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 634 if (rc) 635 goto out_free; 636 opts->mnt_opts[i] = context; 637 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 638 } 639 if (sbsec->flags & ROOTCONTEXT_MNT) { 640 struct dentry *root = sbsec->sb->s_root; 641 struct inode_security_struct *isec = backing_inode_security(root); 642 643 rc = security_sid_to_context(isec->sid, &context, &len); 644 if (rc) 645 goto out_free; 646 opts->mnt_opts[i] = context; 647 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 648 } 649 if (sbsec->flags & SBLABEL_MNT) { 650 opts->mnt_opts[i] = NULL; 651 opts->mnt_opts_flags[i++] = SBLABEL_MNT; 652 } 653 654 BUG_ON(i != opts->num_mnt_opts); 655 656 return 0; 657 658 out_free: 659 security_free_mnt_opts(opts); 660 return rc; 661 } 662 663 static int bad_option(struct superblock_security_struct *sbsec, char flag, 664 u32 old_sid, u32 new_sid) 665 { 666 char mnt_flags = sbsec->flags & SE_MNTMASK; 667 668 /* check if the old mount command had the same options */ 669 if (sbsec->flags & SE_SBINITIALIZED) 670 if (!(sbsec->flags & flag) || 671 (old_sid != new_sid)) 672 return 1; 673 674 /* check if we were passed the same options twice, 675 * aka someone passed context=a,context=b 676 */ 677 if (!(sbsec->flags & SE_SBINITIALIZED)) 678 if (mnt_flags & flag) 679 return 1; 680 return 0; 681 } 682 683 /* 684 * Allow filesystems with binary mount data to explicitly set mount point 685 * labeling information. 686 */ 687 static int selinux_set_mnt_opts(struct super_block *sb, 688 struct security_mnt_opts *opts, 689 unsigned long kern_flags, 690 unsigned long *set_kern_flags) 691 { 692 const struct cred *cred = current_cred(); 693 int rc = 0, i; 694 struct superblock_security_struct *sbsec = sb->s_security; 695 const char *name = sb->s_type->name; 696 struct dentry *root = sbsec->sb->s_root; 697 struct inode_security_struct *root_isec; 698 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 699 u32 defcontext_sid = 0; 700 char **mount_options = opts->mnt_opts; 701 int *flags = opts->mnt_opts_flags; 702 int num_opts = opts->num_mnt_opts; 703 704 mutex_lock(&sbsec->lock); 705 706 if (!ss_initialized) { 707 if (!num_opts) { 708 /* Defer initialization until selinux_complete_init, 709 after the initial policy is loaded and the security 710 server is ready to handle calls. */ 711 goto out; 712 } 713 rc = -EINVAL; 714 printk(KERN_WARNING "SELinux: Unable to set superblock options " 715 "before the security server is initialized\n"); 716 goto out; 717 } 718 if (kern_flags && !set_kern_flags) { 719 /* Specifying internal flags without providing a place to 720 * place the results is not allowed */ 721 rc = -EINVAL; 722 goto out; 723 } 724 725 /* 726 * Binary mount data FS will come through this function twice. Once 727 * from an explicit call and once from the generic calls from the vfs. 728 * Since the generic VFS calls will not contain any security mount data 729 * we need to skip the double mount verification. 730 * 731 * This does open a hole in which we will not notice if the first 732 * mount using this sb set explict options and a second mount using 733 * this sb does not set any security options. (The first options 734 * will be used for both mounts) 735 */ 736 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 737 && (num_opts == 0)) 738 goto out; 739 740 root_isec = backing_inode_security_novalidate(root); 741 742 /* 743 * parse the mount options, check if they are valid sids. 744 * also check if someone is trying to mount the same sb more 745 * than once with different security options. 746 */ 747 for (i = 0; i < num_opts; i++) { 748 u32 sid; 749 750 if (flags[i] == SBLABEL_MNT) 751 continue; 752 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 753 if (rc) { 754 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 755 "(%s) failed for (dev %s, type %s) errno=%d\n", 756 mount_options[i], sb->s_id, name, rc); 757 goto out; 758 } 759 switch (flags[i]) { 760 case FSCONTEXT_MNT: 761 fscontext_sid = sid; 762 763 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 764 fscontext_sid)) 765 goto out_double_mount; 766 767 sbsec->flags |= FSCONTEXT_MNT; 768 break; 769 case CONTEXT_MNT: 770 context_sid = sid; 771 772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 773 context_sid)) 774 goto out_double_mount; 775 776 sbsec->flags |= CONTEXT_MNT; 777 break; 778 case ROOTCONTEXT_MNT: 779 rootcontext_sid = sid; 780 781 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 782 rootcontext_sid)) 783 goto out_double_mount; 784 785 sbsec->flags |= ROOTCONTEXT_MNT; 786 787 break; 788 case DEFCONTEXT_MNT: 789 defcontext_sid = sid; 790 791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 792 defcontext_sid)) 793 goto out_double_mount; 794 795 sbsec->flags |= DEFCONTEXT_MNT; 796 797 break; 798 default: 799 rc = -EINVAL; 800 goto out; 801 } 802 } 803 804 if (sbsec->flags & SE_SBINITIALIZED) { 805 /* previously mounted with options, but not on this attempt? */ 806 if ((sbsec->flags & SE_MNTMASK) && !num_opts) 807 goto out_double_mount; 808 rc = 0; 809 goto out; 810 } 811 812 if (strcmp(sb->s_type->name, "proc") == 0) 813 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 814 815 if (!strcmp(sb->s_type->name, "debugfs") || 816 !strcmp(sb->s_type->name, "sysfs") || 817 !strcmp(sb->s_type->name, "pstore")) 818 sbsec->flags |= SE_SBGENFS; 819 820 if (!sbsec->behavior) { 821 /* 822 * Determine the labeling behavior to use for this 823 * filesystem type. 824 */ 825 rc = security_fs_use(sb); 826 if (rc) { 827 printk(KERN_WARNING 828 "%s: security_fs_use(%s) returned %d\n", 829 __func__, sb->s_type->name, rc); 830 goto out; 831 } 832 } 833 834 /* 835 * If this is a user namespace mount, no contexts are allowed 836 * on the command line and security labels must be ignored. 837 */ 838 if (sb->s_user_ns != &init_user_ns) { 839 if (context_sid || fscontext_sid || rootcontext_sid || 840 defcontext_sid) { 841 rc = -EACCES; 842 goto out; 843 } 844 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 845 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 846 rc = security_transition_sid(current_sid(), current_sid(), 847 SECCLASS_FILE, NULL, 848 &sbsec->mntpoint_sid); 849 if (rc) 850 goto out; 851 } 852 goto out_set_opts; 853 } 854 855 /* sets the context of the superblock for the fs being mounted. */ 856 if (fscontext_sid) { 857 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 858 if (rc) 859 goto out; 860 861 sbsec->sid = fscontext_sid; 862 } 863 864 /* 865 * Switch to using mount point labeling behavior. 866 * sets the label used on all file below the mountpoint, and will set 867 * the superblock context if not already set. 868 */ 869 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 870 sbsec->behavior = SECURITY_FS_USE_NATIVE; 871 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 872 } 873 874 if (context_sid) { 875 if (!fscontext_sid) { 876 rc = may_context_mount_sb_relabel(context_sid, sbsec, 877 cred); 878 if (rc) 879 goto out; 880 sbsec->sid = context_sid; 881 } else { 882 rc = may_context_mount_inode_relabel(context_sid, sbsec, 883 cred); 884 if (rc) 885 goto out; 886 } 887 if (!rootcontext_sid) 888 rootcontext_sid = context_sid; 889 890 sbsec->mntpoint_sid = context_sid; 891 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 892 } 893 894 if (rootcontext_sid) { 895 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 896 cred); 897 if (rc) 898 goto out; 899 900 root_isec->sid = rootcontext_sid; 901 root_isec->initialized = LABEL_INITIALIZED; 902 } 903 904 if (defcontext_sid) { 905 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 906 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 907 rc = -EINVAL; 908 printk(KERN_WARNING "SELinux: defcontext option is " 909 "invalid for this filesystem type\n"); 910 goto out; 911 } 912 913 if (defcontext_sid != sbsec->def_sid) { 914 rc = may_context_mount_inode_relabel(defcontext_sid, 915 sbsec, cred); 916 if (rc) 917 goto out; 918 } 919 920 sbsec->def_sid = defcontext_sid; 921 } 922 923 out_set_opts: 924 rc = sb_finish_set_opts(sb); 925 out: 926 mutex_unlock(&sbsec->lock); 927 return rc; 928 out_double_mount: 929 rc = -EINVAL; 930 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 931 "security settings for (dev %s, type %s)\n", sb->s_id, name); 932 goto out; 933 } 934 935 static int selinux_cmp_sb_context(const struct super_block *oldsb, 936 const struct super_block *newsb) 937 { 938 struct superblock_security_struct *old = oldsb->s_security; 939 struct superblock_security_struct *new = newsb->s_security; 940 char oldflags = old->flags & SE_MNTMASK; 941 char newflags = new->flags & SE_MNTMASK; 942 943 if (oldflags != newflags) 944 goto mismatch; 945 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 946 goto mismatch; 947 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 948 goto mismatch; 949 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 950 goto mismatch; 951 if (oldflags & ROOTCONTEXT_MNT) { 952 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 953 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 954 if (oldroot->sid != newroot->sid) 955 goto mismatch; 956 } 957 return 0; 958 mismatch: 959 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, " 960 "different security settings for (dev %s, " 961 "type %s)\n", newsb->s_id, newsb->s_type->name); 962 return -EBUSY; 963 } 964 965 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 966 struct super_block *newsb) 967 { 968 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 969 struct superblock_security_struct *newsbsec = newsb->s_security; 970 971 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 972 int set_context = (oldsbsec->flags & CONTEXT_MNT); 973 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 974 975 /* 976 * if the parent was able to be mounted it clearly had no special lsm 977 * mount options. thus we can safely deal with this superblock later 978 */ 979 if (!ss_initialized) 980 return 0; 981 982 /* how can we clone if the old one wasn't set up?? */ 983 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 984 985 /* if fs is reusing a sb, make sure that the contexts match */ 986 if (newsbsec->flags & SE_SBINITIALIZED) 987 return selinux_cmp_sb_context(oldsb, newsb); 988 989 mutex_lock(&newsbsec->lock); 990 991 newsbsec->flags = oldsbsec->flags; 992 993 newsbsec->sid = oldsbsec->sid; 994 newsbsec->def_sid = oldsbsec->def_sid; 995 newsbsec->behavior = oldsbsec->behavior; 996 997 if (set_context) { 998 u32 sid = oldsbsec->mntpoint_sid; 999 1000 if (!set_fscontext) 1001 newsbsec->sid = sid; 1002 if (!set_rootcontext) { 1003 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1004 newisec->sid = sid; 1005 } 1006 newsbsec->mntpoint_sid = sid; 1007 } 1008 if (set_rootcontext) { 1009 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 1010 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1011 1012 newisec->sid = oldisec->sid; 1013 } 1014 1015 sb_finish_set_opts(newsb); 1016 mutex_unlock(&newsbsec->lock); 1017 return 0; 1018 } 1019 1020 static int selinux_parse_opts_str(char *options, 1021 struct security_mnt_opts *opts) 1022 { 1023 char *p; 1024 char *context = NULL, *defcontext = NULL; 1025 char *fscontext = NULL, *rootcontext = NULL; 1026 int rc, num_mnt_opts = 0; 1027 1028 opts->num_mnt_opts = 0; 1029 1030 /* Standard string-based options. */ 1031 while ((p = strsep(&options, "|")) != NULL) { 1032 int token; 1033 substring_t args[MAX_OPT_ARGS]; 1034 1035 if (!*p) 1036 continue; 1037 1038 token = match_token(p, tokens, args); 1039 1040 switch (token) { 1041 case Opt_context: 1042 if (context || defcontext) { 1043 rc = -EINVAL; 1044 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1045 goto out_err; 1046 } 1047 context = match_strdup(&args[0]); 1048 if (!context) { 1049 rc = -ENOMEM; 1050 goto out_err; 1051 } 1052 break; 1053 1054 case Opt_fscontext: 1055 if (fscontext) { 1056 rc = -EINVAL; 1057 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1058 goto out_err; 1059 } 1060 fscontext = match_strdup(&args[0]); 1061 if (!fscontext) { 1062 rc = -ENOMEM; 1063 goto out_err; 1064 } 1065 break; 1066 1067 case Opt_rootcontext: 1068 if (rootcontext) { 1069 rc = -EINVAL; 1070 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1071 goto out_err; 1072 } 1073 rootcontext = match_strdup(&args[0]); 1074 if (!rootcontext) { 1075 rc = -ENOMEM; 1076 goto out_err; 1077 } 1078 break; 1079 1080 case Opt_defcontext: 1081 if (context || defcontext) { 1082 rc = -EINVAL; 1083 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1084 goto out_err; 1085 } 1086 defcontext = match_strdup(&args[0]); 1087 if (!defcontext) { 1088 rc = -ENOMEM; 1089 goto out_err; 1090 } 1091 break; 1092 case Opt_labelsupport: 1093 break; 1094 default: 1095 rc = -EINVAL; 1096 printk(KERN_WARNING "SELinux: unknown mount option\n"); 1097 goto out_err; 1098 1099 } 1100 } 1101 1102 rc = -ENOMEM; 1103 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC); 1104 if (!opts->mnt_opts) 1105 goto out_err; 1106 1107 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC); 1108 if (!opts->mnt_opts_flags) { 1109 kfree(opts->mnt_opts); 1110 goto out_err; 1111 } 1112 1113 if (fscontext) { 1114 opts->mnt_opts[num_mnt_opts] = fscontext; 1115 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 1116 } 1117 if (context) { 1118 opts->mnt_opts[num_mnt_opts] = context; 1119 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 1120 } 1121 if (rootcontext) { 1122 opts->mnt_opts[num_mnt_opts] = rootcontext; 1123 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 1124 } 1125 if (defcontext) { 1126 opts->mnt_opts[num_mnt_opts] = defcontext; 1127 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 1128 } 1129 1130 opts->num_mnt_opts = num_mnt_opts; 1131 return 0; 1132 1133 out_err: 1134 kfree(context); 1135 kfree(defcontext); 1136 kfree(fscontext); 1137 kfree(rootcontext); 1138 return rc; 1139 } 1140 /* 1141 * string mount options parsing and call set the sbsec 1142 */ 1143 static int superblock_doinit(struct super_block *sb, void *data) 1144 { 1145 int rc = 0; 1146 char *options = data; 1147 struct security_mnt_opts opts; 1148 1149 security_init_mnt_opts(&opts); 1150 1151 if (!data) 1152 goto out; 1153 1154 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 1155 1156 rc = selinux_parse_opts_str(options, &opts); 1157 if (rc) 1158 goto out_err; 1159 1160 out: 1161 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL); 1162 1163 out_err: 1164 security_free_mnt_opts(&opts); 1165 return rc; 1166 } 1167 1168 static void selinux_write_opts(struct seq_file *m, 1169 struct security_mnt_opts *opts) 1170 { 1171 int i; 1172 char *prefix; 1173 1174 for (i = 0; i < opts->num_mnt_opts; i++) { 1175 char *has_comma; 1176 1177 if (opts->mnt_opts[i]) 1178 has_comma = strchr(opts->mnt_opts[i], ','); 1179 else 1180 has_comma = NULL; 1181 1182 switch (opts->mnt_opts_flags[i]) { 1183 case CONTEXT_MNT: 1184 prefix = CONTEXT_STR; 1185 break; 1186 case FSCONTEXT_MNT: 1187 prefix = FSCONTEXT_STR; 1188 break; 1189 case ROOTCONTEXT_MNT: 1190 prefix = ROOTCONTEXT_STR; 1191 break; 1192 case DEFCONTEXT_MNT: 1193 prefix = DEFCONTEXT_STR; 1194 break; 1195 case SBLABEL_MNT: 1196 seq_putc(m, ','); 1197 seq_puts(m, LABELSUPP_STR); 1198 continue; 1199 default: 1200 BUG(); 1201 return; 1202 }; 1203 /* we need a comma before each option */ 1204 seq_putc(m, ','); 1205 seq_puts(m, prefix); 1206 if (has_comma) 1207 seq_putc(m, '\"'); 1208 seq_escape(m, opts->mnt_opts[i], "\"\n\\"); 1209 if (has_comma) 1210 seq_putc(m, '\"'); 1211 } 1212 } 1213 1214 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1215 { 1216 struct security_mnt_opts opts; 1217 int rc; 1218 1219 rc = selinux_get_mnt_opts(sb, &opts); 1220 if (rc) { 1221 /* before policy load we may get EINVAL, don't show anything */ 1222 if (rc == -EINVAL) 1223 rc = 0; 1224 return rc; 1225 } 1226 1227 selinux_write_opts(m, &opts); 1228 1229 security_free_mnt_opts(&opts); 1230 1231 return rc; 1232 } 1233 1234 static inline u16 inode_mode_to_security_class(umode_t mode) 1235 { 1236 switch (mode & S_IFMT) { 1237 case S_IFSOCK: 1238 return SECCLASS_SOCK_FILE; 1239 case S_IFLNK: 1240 return SECCLASS_LNK_FILE; 1241 case S_IFREG: 1242 return SECCLASS_FILE; 1243 case S_IFBLK: 1244 return SECCLASS_BLK_FILE; 1245 case S_IFDIR: 1246 return SECCLASS_DIR; 1247 case S_IFCHR: 1248 return SECCLASS_CHR_FILE; 1249 case S_IFIFO: 1250 return SECCLASS_FIFO_FILE; 1251 1252 } 1253 1254 return SECCLASS_FILE; 1255 } 1256 1257 static inline int default_protocol_stream(int protocol) 1258 { 1259 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1260 } 1261 1262 static inline int default_protocol_dgram(int protocol) 1263 { 1264 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1265 } 1266 1267 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1268 { 1269 switch (family) { 1270 case PF_UNIX: 1271 switch (type) { 1272 case SOCK_STREAM: 1273 case SOCK_SEQPACKET: 1274 return SECCLASS_UNIX_STREAM_SOCKET; 1275 case SOCK_DGRAM: 1276 return SECCLASS_UNIX_DGRAM_SOCKET; 1277 } 1278 break; 1279 case PF_INET: 1280 case PF_INET6: 1281 switch (type) { 1282 case SOCK_STREAM: 1283 if (default_protocol_stream(protocol)) 1284 return SECCLASS_TCP_SOCKET; 1285 else 1286 return SECCLASS_RAWIP_SOCKET; 1287 case SOCK_DGRAM: 1288 if (default_protocol_dgram(protocol)) 1289 return SECCLASS_UDP_SOCKET; 1290 else 1291 return SECCLASS_RAWIP_SOCKET; 1292 case SOCK_DCCP: 1293 return SECCLASS_DCCP_SOCKET; 1294 default: 1295 return SECCLASS_RAWIP_SOCKET; 1296 } 1297 break; 1298 case PF_NETLINK: 1299 switch (protocol) { 1300 case NETLINK_ROUTE: 1301 return SECCLASS_NETLINK_ROUTE_SOCKET; 1302 case NETLINK_SOCK_DIAG: 1303 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1304 case NETLINK_NFLOG: 1305 return SECCLASS_NETLINK_NFLOG_SOCKET; 1306 case NETLINK_XFRM: 1307 return SECCLASS_NETLINK_XFRM_SOCKET; 1308 case NETLINK_SELINUX: 1309 return SECCLASS_NETLINK_SELINUX_SOCKET; 1310 case NETLINK_ISCSI: 1311 return SECCLASS_NETLINK_ISCSI_SOCKET; 1312 case NETLINK_AUDIT: 1313 return SECCLASS_NETLINK_AUDIT_SOCKET; 1314 case NETLINK_FIB_LOOKUP: 1315 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1316 case NETLINK_CONNECTOR: 1317 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1318 case NETLINK_NETFILTER: 1319 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1320 case NETLINK_DNRTMSG: 1321 return SECCLASS_NETLINK_DNRT_SOCKET; 1322 case NETLINK_KOBJECT_UEVENT: 1323 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1324 case NETLINK_GENERIC: 1325 return SECCLASS_NETLINK_GENERIC_SOCKET; 1326 case NETLINK_SCSITRANSPORT: 1327 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1328 case NETLINK_RDMA: 1329 return SECCLASS_NETLINK_RDMA_SOCKET; 1330 case NETLINK_CRYPTO: 1331 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1332 default: 1333 return SECCLASS_NETLINK_SOCKET; 1334 } 1335 case PF_PACKET: 1336 return SECCLASS_PACKET_SOCKET; 1337 case PF_KEY: 1338 return SECCLASS_KEY_SOCKET; 1339 case PF_APPLETALK: 1340 return SECCLASS_APPLETALK_SOCKET; 1341 } 1342 1343 return SECCLASS_SOCKET; 1344 } 1345 1346 static int selinux_genfs_get_sid(struct dentry *dentry, 1347 u16 tclass, 1348 u16 flags, 1349 u32 *sid) 1350 { 1351 int rc; 1352 struct super_block *sb = dentry->d_sb; 1353 char *buffer, *path; 1354 1355 buffer = (char *)__get_free_page(GFP_KERNEL); 1356 if (!buffer) 1357 return -ENOMEM; 1358 1359 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1360 if (IS_ERR(path)) 1361 rc = PTR_ERR(path); 1362 else { 1363 if (flags & SE_SBPROC) { 1364 /* each process gets a /proc/PID/ entry. Strip off the 1365 * PID part to get a valid selinux labeling. 1366 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1367 while (path[1] >= '0' && path[1] <= '9') { 1368 path[1] = '/'; 1369 path++; 1370 } 1371 } 1372 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid); 1373 } 1374 free_page((unsigned long)buffer); 1375 return rc; 1376 } 1377 1378 /* The inode's security attributes must be initialized before first use. */ 1379 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1380 { 1381 struct superblock_security_struct *sbsec = NULL; 1382 struct inode_security_struct *isec = inode->i_security; 1383 u32 sid; 1384 struct dentry *dentry; 1385 #define INITCONTEXTLEN 255 1386 char *context = NULL; 1387 unsigned len = 0; 1388 int rc = 0; 1389 1390 if (isec->initialized == LABEL_INITIALIZED) 1391 goto out; 1392 1393 mutex_lock(&isec->lock); 1394 if (isec->initialized == LABEL_INITIALIZED) 1395 goto out_unlock; 1396 1397 sbsec = inode->i_sb->s_security; 1398 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1399 /* Defer initialization until selinux_complete_init, 1400 after the initial policy is loaded and the security 1401 server is ready to handle calls. */ 1402 spin_lock(&sbsec->isec_lock); 1403 if (list_empty(&isec->list)) 1404 list_add(&isec->list, &sbsec->isec_head); 1405 spin_unlock(&sbsec->isec_lock); 1406 goto out_unlock; 1407 } 1408 1409 switch (sbsec->behavior) { 1410 case SECURITY_FS_USE_NATIVE: 1411 break; 1412 case SECURITY_FS_USE_XATTR: 1413 if (!(inode->i_opflags & IOP_XATTR)) { 1414 isec->sid = sbsec->def_sid; 1415 break; 1416 } 1417 /* Need a dentry, since the xattr API requires one. 1418 Life would be simpler if we could just pass the inode. */ 1419 if (opt_dentry) { 1420 /* Called from d_instantiate or d_splice_alias. */ 1421 dentry = dget(opt_dentry); 1422 } else { 1423 /* Called from selinux_complete_init, try to find a dentry. */ 1424 dentry = d_find_alias(inode); 1425 } 1426 if (!dentry) { 1427 /* 1428 * this is can be hit on boot when a file is accessed 1429 * before the policy is loaded. When we load policy we 1430 * may find inodes that have no dentry on the 1431 * sbsec->isec_head list. No reason to complain as these 1432 * will get fixed up the next time we go through 1433 * inode_doinit with a dentry, before these inodes could 1434 * be used again by userspace. 1435 */ 1436 goto out_unlock; 1437 } 1438 1439 len = INITCONTEXTLEN; 1440 context = kmalloc(len+1, GFP_NOFS); 1441 if (!context) { 1442 rc = -ENOMEM; 1443 dput(dentry); 1444 goto out_unlock; 1445 } 1446 context[len] = '\0'; 1447 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1448 if (rc == -ERANGE) { 1449 kfree(context); 1450 1451 /* Need a larger buffer. Query for the right size. */ 1452 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1453 if (rc < 0) { 1454 dput(dentry); 1455 goto out_unlock; 1456 } 1457 len = rc; 1458 context = kmalloc(len+1, GFP_NOFS); 1459 if (!context) { 1460 rc = -ENOMEM; 1461 dput(dentry); 1462 goto out_unlock; 1463 } 1464 context[len] = '\0'; 1465 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1466 } 1467 dput(dentry); 1468 if (rc < 0) { 1469 if (rc != -ENODATA) { 1470 printk(KERN_WARNING "SELinux: %s: getxattr returned " 1471 "%d for dev=%s ino=%ld\n", __func__, 1472 -rc, inode->i_sb->s_id, inode->i_ino); 1473 kfree(context); 1474 goto out_unlock; 1475 } 1476 /* Map ENODATA to the default file SID */ 1477 sid = sbsec->def_sid; 1478 rc = 0; 1479 } else { 1480 rc = security_context_to_sid_default(context, rc, &sid, 1481 sbsec->def_sid, 1482 GFP_NOFS); 1483 if (rc) { 1484 char *dev = inode->i_sb->s_id; 1485 unsigned long ino = inode->i_ino; 1486 1487 if (rc == -EINVAL) { 1488 if (printk_ratelimit()) 1489 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " 1490 "context=%s. This indicates you may need to relabel the inode or the " 1491 "filesystem in question.\n", ino, dev, context); 1492 } else { 1493 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1494 "returned %d for dev=%s ino=%ld\n", 1495 __func__, context, -rc, dev, ino); 1496 } 1497 kfree(context); 1498 /* Leave with the unlabeled SID */ 1499 rc = 0; 1500 break; 1501 } 1502 } 1503 kfree(context); 1504 isec->sid = sid; 1505 break; 1506 case SECURITY_FS_USE_TASK: 1507 isec->sid = isec->task_sid; 1508 break; 1509 case SECURITY_FS_USE_TRANS: 1510 /* Default to the fs SID. */ 1511 isec->sid = sbsec->sid; 1512 1513 /* Try to obtain a transition SID. */ 1514 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1515 rc = security_transition_sid(isec->task_sid, sbsec->sid, 1516 isec->sclass, NULL, &sid); 1517 if (rc) 1518 goto out_unlock; 1519 isec->sid = sid; 1520 break; 1521 case SECURITY_FS_USE_MNTPOINT: 1522 isec->sid = sbsec->mntpoint_sid; 1523 break; 1524 default: 1525 /* Default to the fs superblock SID. */ 1526 isec->sid = sbsec->sid; 1527 1528 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { 1529 /* We must have a dentry to determine the label on 1530 * procfs inodes */ 1531 if (opt_dentry) 1532 /* Called from d_instantiate or 1533 * d_splice_alias. */ 1534 dentry = dget(opt_dentry); 1535 else 1536 /* Called from selinux_complete_init, try to 1537 * find a dentry. */ 1538 dentry = d_find_alias(inode); 1539 /* 1540 * This can be hit on boot when a file is accessed 1541 * before the policy is loaded. When we load policy we 1542 * may find inodes that have no dentry on the 1543 * sbsec->isec_head list. No reason to complain as 1544 * these will get fixed up the next time we go through 1545 * inode_doinit() with a dentry, before these inodes 1546 * could be used again by userspace. 1547 */ 1548 if (!dentry) 1549 goto out_unlock; 1550 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1551 rc = selinux_genfs_get_sid(dentry, isec->sclass, 1552 sbsec->flags, &sid); 1553 dput(dentry); 1554 if (rc) 1555 goto out_unlock; 1556 isec->sid = sid; 1557 } 1558 break; 1559 } 1560 1561 isec->initialized = LABEL_INITIALIZED; 1562 1563 out_unlock: 1564 mutex_unlock(&isec->lock); 1565 out: 1566 if (isec->sclass == SECCLASS_FILE) 1567 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1568 return rc; 1569 } 1570 1571 /* Convert a Linux signal to an access vector. */ 1572 static inline u32 signal_to_av(int sig) 1573 { 1574 u32 perm = 0; 1575 1576 switch (sig) { 1577 case SIGCHLD: 1578 /* Commonly granted from child to parent. */ 1579 perm = PROCESS__SIGCHLD; 1580 break; 1581 case SIGKILL: 1582 /* Cannot be caught or ignored */ 1583 perm = PROCESS__SIGKILL; 1584 break; 1585 case SIGSTOP: 1586 /* Cannot be caught or ignored */ 1587 perm = PROCESS__SIGSTOP; 1588 break; 1589 default: 1590 /* All other signals. */ 1591 perm = PROCESS__SIGNAL; 1592 break; 1593 } 1594 1595 return perm; 1596 } 1597 1598 /* 1599 * Check permission between a pair of credentials 1600 * fork check, ptrace check, etc. 1601 */ 1602 static int cred_has_perm(const struct cred *actor, 1603 const struct cred *target, 1604 u32 perms) 1605 { 1606 u32 asid = cred_sid(actor), tsid = cred_sid(target); 1607 1608 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL); 1609 } 1610 1611 /* 1612 * Check permission between a pair of tasks, e.g. signal checks, 1613 * fork check, ptrace check, etc. 1614 * tsk1 is the actor and tsk2 is the target 1615 * - this uses the default subjective creds of tsk1 1616 */ 1617 static int task_has_perm(const struct task_struct *tsk1, 1618 const struct task_struct *tsk2, 1619 u32 perms) 1620 { 1621 const struct task_security_struct *__tsec1, *__tsec2; 1622 u32 sid1, sid2; 1623 1624 rcu_read_lock(); 1625 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid; 1626 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid; 1627 rcu_read_unlock(); 1628 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL); 1629 } 1630 1631 /* 1632 * Check permission between current and another task, e.g. signal checks, 1633 * fork check, ptrace check, etc. 1634 * current is the actor and tsk2 is the target 1635 * - this uses current's subjective creds 1636 */ 1637 static int current_has_perm(const struct task_struct *tsk, 1638 u32 perms) 1639 { 1640 u32 sid, tsid; 1641 1642 sid = current_sid(); 1643 tsid = task_sid(tsk); 1644 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL); 1645 } 1646 1647 #if CAP_LAST_CAP > 63 1648 #error Fix SELinux to handle capabilities > 63. 1649 #endif 1650 1651 /* Check whether a task is allowed to use a capability. */ 1652 static int cred_has_capability(const struct cred *cred, 1653 int cap, int audit, bool initns) 1654 { 1655 struct common_audit_data ad; 1656 struct av_decision avd; 1657 u16 sclass; 1658 u32 sid = cred_sid(cred); 1659 u32 av = CAP_TO_MASK(cap); 1660 int rc; 1661 1662 ad.type = LSM_AUDIT_DATA_CAP; 1663 ad.u.cap = cap; 1664 1665 switch (CAP_TO_INDEX(cap)) { 1666 case 0: 1667 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1668 break; 1669 case 1: 1670 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1671 break; 1672 default: 1673 printk(KERN_ERR 1674 "SELinux: out of range capability %d\n", cap); 1675 BUG(); 1676 return -EINVAL; 1677 } 1678 1679 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1680 if (audit == SECURITY_CAP_AUDIT) { 1681 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); 1682 if (rc2) 1683 return rc2; 1684 } 1685 return rc; 1686 } 1687 1688 /* Check whether a task is allowed to use a system operation. */ 1689 static int task_has_system(struct task_struct *tsk, 1690 u32 perms) 1691 { 1692 u32 sid = task_sid(tsk); 1693 1694 return avc_has_perm(sid, SECINITSID_KERNEL, 1695 SECCLASS_SYSTEM, perms, NULL); 1696 } 1697 1698 /* Check whether a task has a particular permission to an inode. 1699 The 'adp' parameter is optional and allows other audit 1700 data to be passed (e.g. the dentry). */ 1701 static int inode_has_perm(const struct cred *cred, 1702 struct inode *inode, 1703 u32 perms, 1704 struct common_audit_data *adp) 1705 { 1706 struct inode_security_struct *isec; 1707 u32 sid; 1708 1709 validate_creds(cred); 1710 1711 if (unlikely(IS_PRIVATE(inode))) 1712 return 0; 1713 1714 sid = cred_sid(cred); 1715 isec = inode->i_security; 1716 1717 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1718 } 1719 1720 /* Same as inode_has_perm, but pass explicit audit data containing 1721 the dentry to help the auditing code to more easily generate the 1722 pathname if needed. */ 1723 static inline int dentry_has_perm(const struct cred *cred, 1724 struct dentry *dentry, 1725 u32 av) 1726 { 1727 struct inode *inode = d_backing_inode(dentry); 1728 struct common_audit_data ad; 1729 1730 ad.type = LSM_AUDIT_DATA_DENTRY; 1731 ad.u.dentry = dentry; 1732 __inode_security_revalidate(inode, dentry, true); 1733 return inode_has_perm(cred, inode, av, &ad); 1734 } 1735 1736 /* Same as inode_has_perm, but pass explicit audit data containing 1737 the path to help the auditing code to more easily generate the 1738 pathname if needed. */ 1739 static inline int path_has_perm(const struct cred *cred, 1740 const struct path *path, 1741 u32 av) 1742 { 1743 struct inode *inode = d_backing_inode(path->dentry); 1744 struct common_audit_data ad; 1745 1746 ad.type = LSM_AUDIT_DATA_PATH; 1747 ad.u.path = *path; 1748 __inode_security_revalidate(inode, path->dentry, true); 1749 return inode_has_perm(cred, inode, av, &ad); 1750 } 1751 1752 /* Same as path_has_perm, but uses the inode from the file struct. */ 1753 static inline int file_path_has_perm(const struct cred *cred, 1754 struct file *file, 1755 u32 av) 1756 { 1757 struct common_audit_data ad; 1758 1759 ad.type = LSM_AUDIT_DATA_FILE; 1760 ad.u.file = file; 1761 return inode_has_perm(cred, file_inode(file), av, &ad); 1762 } 1763 1764 /* Check whether a task can use an open file descriptor to 1765 access an inode in a given way. Check access to the 1766 descriptor itself, and then use dentry_has_perm to 1767 check a particular permission to the file. 1768 Access to the descriptor is implicitly granted if it 1769 has the same SID as the process. If av is zero, then 1770 access to the file is not checked, e.g. for cases 1771 where only the descriptor is affected like seek. */ 1772 static int file_has_perm(const struct cred *cred, 1773 struct file *file, 1774 u32 av) 1775 { 1776 struct file_security_struct *fsec = file->f_security; 1777 struct inode *inode = file_inode(file); 1778 struct common_audit_data ad; 1779 u32 sid = cred_sid(cred); 1780 int rc; 1781 1782 ad.type = LSM_AUDIT_DATA_FILE; 1783 ad.u.file = file; 1784 1785 if (sid != fsec->sid) { 1786 rc = avc_has_perm(sid, fsec->sid, 1787 SECCLASS_FD, 1788 FD__USE, 1789 &ad); 1790 if (rc) 1791 goto out; 1792 } 1793 1794 /* av is zero if only checking access to the descriptor. */ 1795 rc = 0; 1796 if (av) 1797 rc = inode_has_perm(cred, inode, av, &ad); 1798 1799 out: 1800 return rc; 1801 } 1802 1803 /* 1804 * Determine the label for an inode that might be unioned. 1805 */ 1806 static int 1807 selinux_determine_inode_label(const struct task_security_struct *tsec, 1808 struct inode *dir, 1809 const struct qstr *name, u16 tclass, 1810 u32 *_new_isid) 1811 { 1812 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1813 1814 if ((sbsec->flags & SE_SBINITIALIZED) && 1815 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1816 *_new_isid = sbsec->mntpoint_sid; 1817 } else if ((sbsec->flags & SBLABEL_MNT) && 1818 tsec->create_sid) { 1819 *_new_isid = tsec->create_sid; 1820 } else { 1821 const struct inode_security_struct *dsec = inode_security(dir); 1822 return security_transition_sid(tsec->sid, dsec->sid, tclass, 1823 name, _new_isid); 1824 } 1825 1826 return 0; 1827 } 1828 1829 /* Check whether a task can create a file. */ 1830 static int may_create(struct inode *dir, 1831 struct dentry *dentry, 1832 u16 tclass) 1833 { 1834 const struct task_security_struct *tsec = current_security(); 1835 struct inode_security_struct *dsec; 1836 struct superblock_security_struct *sbsec; 1837 u32 sid, newsid; 1838 struct common_audit_data ad; 1839 int rc; 1840 1841 dsec = inode_security(dir); 1842 sbsec = dir->i_sb->s_security; 1843 1844 sid = tsec->sid; 1845 1846 ad.type = LSM_AUDIT_DATA_DENTRY; 1847 ad.u.dentry = dentry; 1848 1849 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1850 DIR__ADD_NAME | DIR__SEARCH, 1851 &ad); 1852 if (rc) 1853 return rc; 1854 1855 rc = selinux_determine_inode_label(current_security(), dir, 1856 &dentry->d_name, tclass, &newsid); 1857 if (rc) 1858 return rc; 1859 1860 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1861 if (rc) 1862 return rc; 1863 1864 return avc_has_perm(newsid, sbsec->sid, 1865 SECCLASS_FILESYSTEM, 1866 FILESYSTEM__ASSOCIATE, &ad); 1867 } 1868 1869 /* Check whether a task can create a key. */ 1870 static int may_create_key(u32 ksid, 1871 struct task_struct *ctx) 1872 { 1873 u32 sid = task_sid(ctx); 1874 1875 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); 1876 } 1877 1878 #define MAY_LINK 0 1879 #define MAY_UNLINK 1 1880 #define MAY_RMDIR 2 1881 1882 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1883 static int may_link(struct inode *dir, 1884 struct dentry *dentry, 1885 int kind) 1886 1887 { 1888 struct inode_security_struct *dsec, *isec; 1889 struct common_audit_data ad; 1890 u32 sid = current_sid(); 1891 u32 av; 1892 int rc; 1893 1894 dsec = inode_security(dir); 1895 isec = backing_inode_security(dentry); 1896 1897 ad.type = LSM_AUDIT_DATA_DENTRY; 1898 ad.u.dentry = dentry; 1899 1900 av = DIR__SEARCH; 1901 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1902 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1903 if (rc) 1904 return rc; 1905 1906 switch (kind) { 1907 case MAY_LINK: 1908 av = FILE__LINK; 1909 break; 1910 case MAY_UNLINK: 1911 av = FILE__UNLINK; 1912 break; 1913 case MAY_RMDIR: 1914 av = DIR__RMDIR; 1915 break; 1916 default: 1917 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", 1918 __func__, kind); 1919 return 0; 1920 } 1921 1922 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1923 return rc; 1924 } 1925 1926 static inline int may_rename(struct inode *old_dir, 1927 struct dentry *old_dentry, 1928 struct inode *new_dir, 1929 struct dentry *new_dentry) 1930 { 1931 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1932 struct common_audit_data ad; 1933 u32 sid = current_sid(); 1934 u32 av; 1935 int old_is_dir, new_is_dir; 1936 int rc; 1937 1938 old_dsec = inode_security(old_dir); 1939 old_isec = backing_inode_security(old_dentry); 1940 old_is_dir = d_is_dir(old_dentry); 1941 new_dsec = inode_security(new_dir); 1942 1943 ad.type = LSM_AUDIT_DATA_DENTRY; 1944 1945 ad.u.dentry = old_dentry; 1946 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1947 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1948 if (rc) 1949 return rc; 1950 rc = avc_has_perm(sid, old_isec->sid, 1951 old_isec->sclass, FILE__RENAME, &ad); 1952 if (rc) 1953 return rc; 1954 if (old_is_dir && new_dir != old_dir) { 1955 rc = avc_has_perm(sid, old_isec->sid, 1956 old_isec->sclass, DIR__REPARENT, &ad); 1957 if (rc) 1958 return rc; 1959 } 1960 1961 ad.u.dentry = new_dentry; 1962 av = DIR__ADD_NAME | DIR__SEARCH; 1963 if (d_is_positive(new_dentry)) 1964 av |= DIR__REMOVE_NAME; 1965 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1966 if (rc) 1967 return rc; 1968 if (d_is_positive(new_dentry)) { 1969 new_isec = backing_inode_security(new_dentry); 1970 new_is_dir = d_is_dir(new_dentry); 1971 rc = avc_has_perm(sid, new_isec->sid, 1972 new_isec->sclass, 1973 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1974 if (rc) 1975 return rc; 1976 } 1977 1978 return 0; 1979 } 1980 1981 /* Check whether a task can perform a filesystem operation. */ 1982 static int superblock_has_perm(const struct cred *cred, 1983 struct super_block *sb, 1984 u32 perms, 1985 struct common_audit_data *ad) 1986 { 1987 struct superblock_security_struct *sbsec; 1988 u32 sid = cred_sid(cred); 1989 1990 sbsec = sb->s_security; 1991 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1992 } 1993 1994 /* Convert a Linux mode and permission mask to an access vector. */ 1995 static inline u32 file_mask_to_av(int mode, int mask) 1996 { 1997 u32 av = 0; 1998 1999 if (!S_ISDIR(mode)) { 2000 if (mask & MAY_EXEC) 2001 av |= FILE__EXECUTE; 2002 if (mask & MAY_READ) 2003 av |= FILE__READ; 2004 2005 if (mask & MAY_APPEND) 2006 av |= FILE__APPEND; 2007 else if (mask & MAY_WRITE) 2008 av |= FILE__WRITE; 2009 2010 } else { 2011 if (mask & MAY_EXEC) 2012 av |= DIR__SEARCH; 2013 if (mask & MAY_WRITE) 2014 av |= DIR__WRITE; 2015 if (mask & MAY_READ) 2016 av |= DIR__READ; 2017 } 2018 2019 return av; 2020 } 2021 2022 /* Convert a Linux file to an access vector. */ 2023 static inline u32 file_to_av(struct file *file) 2024 { 2025 u32 av = 0; 2026 2027 if (file->f_mode & FMODE_READ) 2028 av |= FILE__READ; 2029 if (file->f_mode & FMODE_WRITE) { 2030 if (file->f_flags & O_APPEND) 2031 av |= FILE__APPEND; 2032 else 2033 av |= FILE__WRITE; 2034 } 2035 if (!av) { 2036 /* 2037 * Special file opened with flags 3 for ioctl-only use. 2038 */ 2039 av = FILE__IOCTL; 2040 } 2041 2042 return av; 2043 } 2044 2045 /* 2046 * Convert a file to an access vector and include the correct open 2047 * open permission. 2048 */ 2049 static inline u32 open_file_to_av(struct file *file) 2050 { 2051 u32 av = file_to_av(file); 2052 2053 if (selinux_policycap_openperm) 2054 av |= FILE__OPEN; 2055 2056 return av; 2057 } 2058 2059 /* Hook functions begin here. */ 2060 2061 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2062 { 2063 u32 mysid = current_sid(); 2064 u32 mgrsid = task_sid(mgr); 2065 2066 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, 2067 BINDER__SET_CONTEXT_MGR, NULL); 2068 } 2069 2070 static int selinux_binder_transaction(struct task_struct *from, 2071 struct task_struct *to) 2072 { 2073 u32 mysid = current_sid(); 2074 u32 fromsid = task_sid(from); 2075 u32 tosid = task_sid(to); 2076 int rc; 2077 2078 if (mysid != fromsid) { 2079 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2080 BINDER__IMPERSONATE, NULL); 2081 if (rc) 2082 return rc; 2083 } 2084 2085 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2086 NULL); 2087 } 2088 2089 static int selinux_binder_transfer_binder(struct task_struct *from, 2090 struct task_struct *to) 2091 { 2092 u32 fromsid = task_sid(from); 2093 u32 tosid = task_sid(to); 2094 2095 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2096 NULL); 2097 } 2098 2099 static int selinux_binder_transfer_file(struct task_struct *from, 2100 struct task_struct *to, 2101 struct file *file) 2102 { 2103 u32 sid = task_sid(to); 2104 struct file_security_struct *fsec = file->f_security; 2105 struct dentry *dentry = file->f_path.dentry; 2106 struct inode_security_struct *isec; 2107 struct common_audit_data ad; 2108 int rc; 2109 2110 ad.type = LSM_AUDIT_DATA_PATH; 2111 ad.u.path = file->f_path; 2112 2113 if (sid != fsec->sid) { 2114 rc = avc_has_perm(sid, fsec->sid, 2115 SECCLASS_FD, 2116 FD__USE, 2117 &ad); 2118 if (rc) 2119 return rc; 2120 } 2121 2122 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2123 return 0; 2124 2125 isec = backing_inode_security(dentry); 2126 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2127 &ad); 2128 } 2129 2130 static int selinux_ptrace_access_check(struct task_struct *child, 2131 unsigned int mode) 2132 { 2133 if (mode & PTRACE_MODE_READ) { 2134 u32 sid = current_sid(); 2135 u32 csid = task_sid(child); 2136 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2137 } 2138 2139 return current_has_perm(child, PROCESS__PTRACE); 2140 } 2141 2142 static int selinux_ptrace_traceme(struct task_struct *parent) 2143 { 2144 return task_has_perm(parent, current, PROCESS__PTRACE); 2145 } 2146 2147 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2148 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2149 { 2150 return current_has_perm(target, PROCESS__GETCAP); 2151 } 2152 2153 static int selinux_capset(struct cred *new, const struct cred *old, 2154 const kernel_cap_t *effective, 2155 const kernel_cap_t *inheritable, 2156 const kernel_cap_t *permitted) 2157 { 2158 return cred_has_perm(old, new, PROCESS__SETCAP); 2159 } 2160 2161 /* 2162 * (This comment used to live with the selinux_task_setuid hook, 2163 * which was removed). 2164 * 2165 * Since setuid only affects the current process, and since the SELinux 2166 * controls are not based on the Linux identity attributes, SELinux does not 2167 * need to control this operation. However, SELinux does control the use of 2168 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2169 */ 2170 2171 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2172 int cap, int audit) 2173 { 2174 return cred_has_capability(cred, cap, audit, ns == &init_user_ns); 2175 } 2176 2177 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2178 { 2179 const struct cred *cred = current_cred(); 2180 int rc = 0; 2181 2182 if (!sb) 2183 return 0; 2184 2185 switch (cmds) { 2186 case Q_SYNC: 2187 case Q_QUOTAON: 2188 case Q_QUOTAOFF: 2189 case Q_SETINFO: 2190 case Q_SETQUOTA: 2191 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2192 break; 2193 case Q_GETFMT: 2194 case Q_GETINFO: 2195 case Q_GETQUOTA: 2196 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2197 break; 2198 default: 2199 rc = 0; /* let the kernel handle invalid cmds */ 2200 break; 2201 } 2202 return rc; 2203 } 2204 2205 static int selinux_quota_on(struct dentry *dentry) 2206 { 2207 const struct cred *cred = current_cred(); 2208 2209 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2210 } 2211 2212 static int selinux_syslog(int type) 2213 { 2214 int rc; 2215 2216 switch (type) { 2217 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2218 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2219 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 2220 break; 2221 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2222 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2223 /* Set level of messages printed to console */ 2224 case SYSLOG_ACTION_CONSOLE_LEVEL: 2225 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 2226 break; 2227 case SYSLOG_ACTION_CLOSE: /* Close log */ 2228 case SYSLOG_ACTION_OPEN: /* Open log */ 2229 case SYSLOG_ACTION_READ: /* Read from log */ 2230 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */ 2231 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */ 2232 default: 2233 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 2234 break; 2235 } 2236 return rc; 2237 } 2238 2239 /* 2240 * Check that a process has enough memory to allocate a new virtual 2241 * mapping. 0 means there is enough memory for the allocation to 2242 * succeed and -ENOMEM implies there is not. 2243 * 2244 * Do not audit the selinux permission check, as this is applied to all 2245 * processes that allocate mappings. 2246 */ 2247 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2248 { 2249 int rc, cap_sys_admin = 0; 2250 2251 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2252 SECURITY_CAP_NOAUDIT, true); 2253 if (rc == 0) 2254 cap_sys_admin = 1; 2255 2256 return cap_sys_admin; 2257 } 2258 2259 /* binprm security operations */ 2260 2261 static u32 ptrace_parent_sid(struct task_struct *task) 2262 { 2263 u32 sid = 0; 2264 struct task_struct *tracer; 2265 2266 rcu_read_lock(); 2267 tracer = ptrace_parent(task); 2268 if (tracer) 2269 sid = task_sid(tracer); 2270 rcu_read_unlock(); 2271 2272 return sid; 2273 } 2274 2275 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2276 const struct task_security_struct *old_tsec, 2277 const struct task_security_struct *new_tsec) 2278 { 2279 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2280 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2281 int rc; 2282 2283 if (!nnp && !nosuid) 2284 return 0; /* neither NNP nor nosuid */ 2285 2286 if (new_tsec->sid == old_tsec->sid) 2287 return 0; /* No change in credentials */ 2288 2289 /* 2290 * The only transitions we permit under NNP or nosuid 2291 * are transitions to bounded SIDs, i.e. SIDs that are 2292 * guaranteed to only be allowed a subset of the permissions 2293 * of the current SID. 2294 */ 2295 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); 2296 if (rc) { 2297 /* 2298 * On failure, preserve the errno values for NNP vs nosuid. 2299 * NNP: Operation not permitted for caller. 2300 * nosuid: Permission denied to file. 2301 */ 2302 if (nnp) 2303 return -EPERM; 2304 else 2305 return -EACCES; 2306 } 2307 return 0; 2308 } 2309 2310 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2311 { 2312 const struct task_security_struct *old_tsec; 2313 struct task_security_struct *new_tsec; 2314 struct inode_security_struct *isec; 2315 struct common_audit_data ad; 2316 struct inode *inode = file_inode(bprm->file); 2317 int rc; 2318 2319 /* SELinux context only depends on initial program or script and not 2320 * the script interpreter */ 2321 if (bprm->cred_prepared) 2322 return 0; 2323 2324 old_tsec = current_security(); 2325 new_tsec = bprm->cred->security; 2326 isec = inode_security(inode); 2327 2328 /* Default to the current task SID. */ 2329 new_tsec->sid = old_tsec->sid; 2330 new_tsec->osid = old_tsec->sid; 2331 2332 /* Reset fs, key, and sock SIDs on execve. */ 2333 new_tsec->create_sid = 0; 2334 new_tsec->keycreate_sid = 0; 2335 new_tsec->sockcreate_sid = 0; 2336 2337 if (old_tsec->exec_sid) { 2338 new_tsec->sid = old_tsec->exec_sid; 2339 /* Reset exec SID on execve. */ 2340 new_tsec->exec_sid = 0; 2341 2342 /* Fail on NNP or nosuid if not an allowed transition. */ 2343 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2344 if (rc) 2345 return rc; 2346 } else { 2347 /* Check for a default transition on this program. */ 2348 rc = security_transition_sid(old_tsec->sid, isec->sid, 2349 SECCLASS_PROCESS, NULL, 2350 &new_tsec->sid); 2351 if (rc) 2352 return rc; 2353 2354 /* 2355 * Fallback to old SID on NNP or nosuid if not an allowed 2356 * transition. 2357 */ 2358 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2359 if (rc) 2360 new_tsec->sid = old_tsec->sid; 2361 } 2362 2363 ad.type = LSM_AUDIT_DATA_FILE; 2364 ad.u.file = bprm->file; 2365 2366 if (new_tsec->sid == old_tsec->sid) { 2367 rc = avc_has_perm(old_tsec->sid, isec->sid, 2368 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2369 if (rc) 2370 return rc; 2371 } else { 2372 /* Check permissions for the transition. */ 2373 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2374 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2375 if (rc) 2376 return rc; 2377 2378 rc = avc_has_perm(new_tsec->sid, isec->sid, 2379 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2380 if (rc) 2381 return rc; 2382 2383 /* Check for shared state */ 2384 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2385 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2386 SECCLASS_PROCESS, PROCESS__SHARE, 2387 NULL); 2388 if (rc) 2389 return -EPERM; 2390 } 2391 2392 /* Make sure that anyone attempting to ptrace over a task that 2393 * changes its SID has the appropriate permit */ 2394 if (bprm->unsafe & 2395 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 2396 u32 ptsid = ptrace_parent_sid(current); 2397 if (ptsid != 0) { 2398 rc = avc_has_perm(ptsid, new_tsec->sid, 2399 SECCLASS_PROCESS, 2400 PROCESS__PTRACE, NULL); 2401 if (rc) 2402 return -EPERM; 2403 } 2404 } 2405 2406 /* Clear any possibly unsafe personality bits on exec: */ 2407 bprm->per_clear |= PER_CLEAR_ON_SETID; 2408 } 2409 2410 return 0; 2411 } 2412 2413 static int selinux_bprm_secureexec(struct linux_binprm *bprm) 2414 { 2415 const struct task_security_struct *tsec = current_security(); 2416 u32 sid, osid; 2417 int atsecure = 0; 2418 2419 sid = tsec->sid; 2420 osid = tsec->osid; 2421 2422 if (osid != sid) { 2423 /* Enable secure mode for SIDs transitions unless 2424 the noatsecure permission is granted between 2425 the two SIDs, i.e. ahp returns 0. */ 2426 atsecure = avc_has_perm(osid, sid, 2427 SECCLASS_PROCESS, 2428 PROCESS__NOATSECURE, NULL); 2429 } 2430 2431 return !!atsecure; 2432 } 2433 2434 static int match_file(const void *p, struct file *file, unsigned fd) 2435 { 2436 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2437 } 2438 2439 /* Derived from fs/exec.c:flush_old_files. */ 2440 static inline void flush_unauthorized_files(const struct cred *cred, 2441 struct files_struct *files) 2442 { 2443 struct file *file, *devnull = NULL; 2444 struct tty_struct *tty; 2445 int drop_tty = 0; 2446 unsigned n; 2447 2448 tty = get_current_tty(); 2449 if (tty) { 2450 spin_lock(&tty->files_lock); 2451 if (!list_empty(&tty->tty_files)) { 2452 struct tty_file_private *file_priv; 2453 2454 /* Revalidate access to controlling tty. 2455 Use file_path_has_perm on the tty path directly 2456 rather than using file_has_perm, as this particular 2457 open file may belong to another process and we are 2458 only interested in the inode-based check here. */ 2459 file_priv = list_first_entry(&tty->tty_files, 2460 struct tty_file_private, list); 2461 file = file_priv->file; 2462 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2463 drop_tty = 1; 2464 } 2465 spin_unlock(&tty->files_lock); 2466 tty_kref_put(tty); 2467 } 2468 /* Reset controlling tty. */ 2469 if (drop_tty) 2470 no_tty(); 2471 2472 /* Revalidate access to inherited open files. */ 2473 n = iterate_fd(files, 0, match_file, cred); 2474 if (!n) /* none found? */ 2475 return; 2476 2477 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2478 if (IS_ERR(devnull)) 2479 devnull = NULL; 2480 /* replace all the matching ones with this */ 2481 do { 2482 replace_fd(n - 1, devnull, 0); 2483 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2484 if (devnull) 2485 fput(devnull); 2486 } 2487 2488 /* 2489 * Prepare a process for imminent new credential changes due to exec 2490 */ 2491 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2492 { 2493 struct task_security_struct *new_tsec; 2494 struct rlimit *rlim, *initrlim; 2495 int rc, i; 2496 2497 new_tsec = bprm->cred->security; 2498 if (new_tsec->sid == new_tsec->osid) 2499 return; 2500 2501 /* Close files for which the new task SID is not authorized. */ 2502 flush_unauthorized_files(bprm->cred, current->files); 2503 2504 /* Always clear parent death signal on SID transitions. */ 2505 current->pdeath_signal = 0; 2506 2507 /* Check whether the new SID can inherit resource limits from the old 2508 * SID. If not, reset all soft limits to the lower of the current 2509 * task's hard limit and the init task's soft limit. 2510 * 2511 * Note that the setting of hard limits (even to lower them) can be 2512 * controlled by the setrlimit check. The inclusion of the init task's 2513 * soft limit into the computation is to avoid resetting soft limits 2514 * higher than the default soft limit for cases where the default is 2515 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2516 */ 2517 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2518 PROCESS__RLIMITINH, NULL); 2519 if (rc) { 2520 /* protect against do_prlimit() */ 2521 task_lock(current); 2522 for (i = 0; i < RLIM_NLIMITS; i++) { 2523 rlim = current->signal->rlim + i; 2524 initrlim = init_task.signal->rlim + i; 2525 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2526 } 2527 task_unlock(current); 2528 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2529 } 2530 } 2531 2532 /* 2533 * Clean up the process immediately after the installation of new credentials 2534 * due to exec 2535 */ 2536 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2537 { 2538 const struct task_security_struct *tsec = current_security(); 2539 struct itimerval itimer; 2540 u32 osid, sid; 2541 int rc, i; 2542 2543 osid = tsec->osid; 2544 sid = tsec->sid; 2545 2546 if (sid == osid) 2547 return; 2548 2549 /* Check whether the new SID can inherit signal state from the old SID. 2550 * If not, clear itimers to avoid subsequent signal generation and 2551 * flush and unblock signals. 2552 * 2553 * This must occur _after_ the task SID has been updated so that any 2554 * kill done after the flush will be checked against the new SID. 2555 */ 2556 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2557 if (rc) { 2558 memset(&itimer, 0, sizeof itimer); 2559 for (i = 0; i < 3; i++) 2560 do_setitimer(i, &itimer, NULL); 2561 spin_lock_irq(¤t->sighand->siglock); 2562 if (!fatal_signal_pending(current)) { 2563 flush_sigqueue(¤t->pending); 2564 flush_sigqueue(¤t->signal->shared_pending); 2565 flush_signal_handlers(current, 1); 2566 sigemptyset(¤t->blocked); 2567 recalc_sigpending(); 2568 } 2569 spin_unlock_irq(¤t->sighand->siglock); 2570 } 2571 2572 /* Wake up the parent if it is waiting so that it can recheck 2573 * wait permission to the new task SID. */ 2574 read_lock(&tasklist_lock); 2575 __wake_up_parent(current, current->real_parent); 2576 read_unlock(&tasklist_lock); 2577 } 2578 2579 /* superblock security operations */ 2580 2581 static int selinux_sb_alloc_security(struct super_block *sb) 2582 { 2583 return superblock_alloc_security(sb); 2584 } 2585 2586 static void selinux_sb_free_security(struct super_block *sb) 2587 { 2588 superblock_free_security(sb); 2589 } 2590 2591 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2592 { 2593 if (plen > olen) 2594 return 0; 2595 2596 return !memcmp(prefix, option, plen); 2597 } 2598 2599 static inline int selinux_option(char *option, int len) 2600 { 2601 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2602 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2603 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2604 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || 2605 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); 2606 } 2607 2608 static inline void take_option(char **to, char *from, int *first, int len) 2609 { 2610 if (!*first) { 2611 **to = ','; 2612 *to += 1; 2613 } else 2614 *first = 0; 2615 memcpy(*to, from, len); 2616 *to += len; 2617 } 2618 2619 static inline void take_selinux_option(char **to, char *from, int *first, 2620 int len) 2621 { 2622 int current_size = 0; 2623 2624 if (!*first) { 2625 **to = '|'; 2626 *to += 1; 2627 } else 2628 *first = 0; 2629 2630 while (current_size < len) { 2631 if (*from != '"') { 2632 **to = *from; 2633 *to += 1; 2634 } 2635 from += 1; 2636 current_size += 1; 2637 } 2638 } 2639 2640 static int selinux_sb_copy_data(char *orig, char *copy) 2641 { 2642 int fnosec, fsec, rc = 0; 2643 char *in_save, *in_curr, *in_end; 2644 char *sec_curr, *nosec_save, *nosec; 2645 int open_quote = 0; 2646 2647 in_curr = orig; 2648 sec_curr = copy; 2649 2650 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2651 if (!nosec) { 2652 rc = -ENOMEM; 2653 goto out; 2654 } 2655 2656 nosec_save = nosec; 2657 fnosec = fsec = 1; 2658 in_save = in_end = orig; 2659 2660 do { 2661 if (*in_end == '"') 2662 open_quote = !open_quote; 2663 if ((*in_end == ',' && open_quote == 0) || 2664 *in_end == '\0') { 2665 int len = in_end - in_curr; 2666 2667 if (selinux_option(in_curr, len)) 2668 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2669 else 2670 take_option(&nosec, in_curr, &fnosec, len); 2671 2672 in_curr = in_end + 1; 2673 } 2674 } while (*in_end++); 2675 2676 strcpy(in_save, nosec_save); 2677 free_page((unsigned long)nosec_save); 2678 out: 2679 return rc; 2680 } 2681 2682 static int selinux_sb_remount(struct super_block *sb, void *data) 2683 { 2684 int rc, i, *flags; 2685 struct security_mnt_opts opts; 2686 char *secdata, **mount_options; 2687 struct superblock_security_struct *sbsec = sb->s_security; 2688 2689 if (!(sbsec->flags & SE_SBINITIALIZED)) 2690 return 0; 2691 2692 if (!data) 2693 return 0; 2694 2695 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 2696 return 0; 2697 2698 security_init_mnt_opts(&opts); 2699 secdata = alloc_secdata(); 2700 if (!secdata) 2701 return -ENOMEM; 2702 rc = selinux_sb_copy_data(data, secdata); 2703 if (rc) 2704 goto out_free_secdata; 2705 2706 rc = selinux_parse_opts_str(secdata, &opts); 2707 if (rc) 2708 goto out_free_secdata; 2709 2710 mount_options = opts.mnt_opts; 2711 flags = opts.mnt_opts_flags; 2712 2713 for (i = 0; i < opts.num_mnt_opts; i++) { 2714 u32 sid; 2715 2716 if (flags[i] == SBLABEL_MNT) 2717 continue; 2718 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 2719 if (rc) { 2720 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 2721 "(%s) failed for (dev %s, type %s) errno=%d\n", 2722 mount_options[i], sb->s_id, sb->s_type->name, rc); 2723 goto out_free_opts; 2724 } 2725 rc = -EINVAL; 2726 switch (flags[i]) { 2727 case FSCONTEXT_MNT: 2728 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2729 goto out_bad_option; 2730 break; 2731 case CONTEXT_MNT: 2732 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2733 goto out_bad_option; 2734 break; 2735 case ROOTCONTEXT_MNT: { 2736 struct inode_security_struct *root_isec; 2737 root_isec = backing_inode_security(sb->s_root); 2738 2739 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2740 goto out_bad_option; 2741 break; 2742 } 2743 case DEFCONTEXT_MNT: 2744 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2745 goto out_bad_option; 2746 break; 2747 default: 2748 goto out_free_opts; 2749 } 2750 } 2751 2752 rc = 0; 2753 out_free_opts: 2754 security_free_mnt_opts(&opts); 2755 out_free_secdata: 2756 free_secdata(secdata); 2757 return rc; 2758 out_bad_option: 2759 printk(KERN_WARNING "SELinux: unable to change security options " 2760 "during remount (dev %s, type=%s)\n", sb->s_id, 2761 sb->s_type->name); 2762 goto out_free_opts; 2763 } 2764 2765 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2766 { 2767 const struct cred *cred = current_cred(); 2768 struct common_audit_data ad; 2769 int rc; 2770 2771 rc = superblock_doinit(sb, data); 2772 if (rc) 2773 return rc; 2774 2775 /* Allow all mounts performed by the kernel */ 2776 if (flags & MS_KERNMOUNT) 2777 return 0; 2778 2779 ad.type = LSM_AUDIT_DATA_DENTRY; 2780 ad.u.dentry = sb->s_root; 2781 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2782 } 2783 2784 static int selinux_sb_statfs(struct dentry *dentry) 2785 { 2786 const struct cred *cred = current_cred(); 2787 struct common_audit_data ad; 2788 2789 ad.type = LSM_AUDIT_DATA_DENTRY; 2790 ad.u.dentry = dentry->d_sb->s_root; 2791 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2792 } 2793 2794 static int selinux_mount(const char *dev_name, 2795 const struct path *path, 2796 const char *type, 2797 unsigned long flags, 2798 void *data) 2799 { 2800 const struct cred *cred = current_cred(); 2801 2802 if (flags & MS_REMOUNT) 2803 return superblock_has_perm(cred, path->dentry->d_sb, 2804 FILESYSTEM__REMOUNT, NULL); 2805 else 2806 return path_has_perm(cred, path, FILE__MOUNTON); 2807 } 2808 2809 static int selinux_umount(struct vfsmount *mnt, int flags) 2810 { 2811 const struct cred *cred = current_cred(); 2812 2813 return superblock_has_perm(cred, mnt->mnt_sb, 2814 FILESYSTEM__UNMOUNT, NULL); 2815 } 2816 2817 /* inode security operations */ 2818 2819 static int selinux_inode_alloc_security(struct inode *inode) 2820 { 2821 return inode_alloc_security(inode); 2822 } 2823 2824 static void selinux_inode_free_security(struct inode *inode) 2825 { 2826 inode_free_security(inode); 2827 } 2828 2829 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2830 const struct qstr *name, void **ctx, 2831 u32 *ctxlen) 2832 { 2833 u32 newsid; 2834 int rc; 2835 2836 rc = selinux_determine_inode_label(current_security(), 2837 d_inode(dentry->d_parent), name, 2838 inode_mode_to_security_class(mode), 2839 &newsid); 2840 if (rc) 2841 return rc; 2842 2843 return security_sid_to_context(newsid, (char **)ctx, ctxlen); 2844 } 2845 2846 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2847 struct qstr *name, 2848 const struct cred *old, 2849 struct cred *new) 2850 { 2851 u32 newsid; 2852 int rc; 2853 struct task_security_struct *tsec; 2854 2855 rc = selinux_determine_inode_label(old->security, 2856 d_inode(dentry->d_parent), name, 2857 inode_mode_to_security_class(mode), 2858 &newsid); 2859 if (rc) 2860 return rc; 2861 2862 tsec = new->security; 2863 tsec->create_sid = newsid; 2864 return 0; 2865 } 2866 2867 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2868 const struct qstr *qstr, 2869 const char **name, 2870 void **value, size_t *len) 2871 { 2872 const struct task_security_struct *tsec = current_security(); 2873 struct superblock_security_struct *sbsec; 2874 u32 sid, newsid, clen; 2875 int rc; 2876 char *context; 2877 2878 sbsec = dir->i_sb->s_security; 2879 2880 sid = tsec->sid; 2881 newsid = tsec->create_sid; 2882 2883 rc = selinux_determine_inode_label(current_security(), 2884 dir, qstr, 2885 inode_mode_to_security_class(inode->i_mode), 2886 &newsid); 2887 if (rc) 2888 return rc; 2889 2890 /* Possibly defer initialization to selinux_complete_init. */ 2891 if (sbsec->flags & SE_SBINITIALIZED) { 2892 struct inode_security_struct *isec = inode->i_security; 2893 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2894 isec->sid = newsid; 2895 isec->initialized = LABEL_INITIALIZED; 2896 } 2897 2898 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT)) 2899 return -EOPNOTSUPP; 2900 2901 if (name) 2902 *name = XATTR_SELINUX_SUFFIX; 2903 2904 if (value && len) { 2905 rc = security_sid_to_context_force(newsid, &context, &clen); 2906 if (rc) 2907 return rc; 2908 *value = context; 2909 *len = clen; 2910 } 2911 2912 return 0; 2913 } 2914 2915 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 2916 { 2917 return may_create(dir, dentry, SECCLASS_FILE); 2918 } 2919 2920 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2921 { 2922 return may_link(dir, old_dentry, MAY_LINK); 2923 } 2924 2925 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2926 { 2927 return may_link(dir, dentry, MAY_UNLINK); 2928 } 2929 2930 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2931 { 2932 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2933 } 2934 2935 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 2936 { 2937 return may_create(dir, dentry, SECCLASS_DIR); 2938 } 2939 2940 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2941 { 2942 return may_link(dir, dentry, MAY_RMDIR); 2943 } 2944 2945 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 2946 { 2947 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2948 } 2949 2950 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2951 struct inode *new_inode, struct dentry *new_dentry) 2952 { 2953 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2954 } 2955 2956 static int selinux_inode_readlink(struct dentry *dentry) 2957 { 2958 const struct cred *cred = current_cred(); 2959 2960 return dentry_has_perm(cred, dentry, FILE__READ); 2961 } 2962 2963 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 2964 bool rcu) 2965 { 2966 const struct cred *cred = current_cred(); 2967 struct common_audit_data ad; 2968 struct inode_security_struct *isec; 2969 u32 sid; 2970 2971 validate_creds(cred); 2972 2973 ad.type = LSM_AUDIT_DATA_DENTRY; 2974 ad.u.dentry = dentry; 2975 sid = cred_sid(cred); 2976 isec = inode_security_rcu(inode, rcu); 2977 if (IS_ERR(isec)) 2978 return PTR_ERR(isec); 2979 2980 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad, 2981 rcu ? MAY_NOT_BLOCK : 0); 2982 } 2983 2984 static noinline int audit_inode_permission(struct inode *inode, 2985 u32 perms, u32 audited, u32 denied, 2986 int result, 2987 unsigned flags) 2988 { 2989 struct common_audit_data ad; 2990 struct inode_security_struct *isec = inode->i_security; 2991 int rc; 2992 2993 ad.type = LSM_AUDIT_DATA_INODE; 2994 ad.u.inode = inode; 2995 2996 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 2997 audited, denied, result, &ad, flags); 2998 if (rc) 2999 return rc; 3000 return 0; 3001 } 3002 3003 static int selinux_inode_permission(struct inode *inode, int mask) 3004 { 3005 const struct cred *cred = current_cred(); 3006 u32 perms; 3007 bool from_access; 3008 unsigned flags = mask & MAY_NOT_BLOCK; 3009 struct inode_security_struct *isec; 3010 u32 sid; 3011 struct av_decision avd; 3012 int rc, rc2; 3013 u32 audited, denied; 3014 3015 from_access = mask & MAY_ACCESS; 3016 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3017 3018 /* No permission to check. Existence test. */ 3019 if (!mask) 3020 return 0; 3021 3022 validate_creds(cred); 3023 3024 if (unlikely(IS_PRIVATE(inode))) 3025 return 0; 3026 3027 perms = file_mask_to_av(inode->i_mode, mask); 3028 3029 sid = cred_sid(cred); 3030 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK); 3031 if (IS_ERR(isec)) 3032 return PTR_ERR(isec); 3033 3034 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); 3035 audited = avc_audit_required(perms, &avd, rc, 3036 from_access ? FILE__AUDIT_ACCESS : 0, 3037 &denied); 3038 if (likely(!audited)) 3039 return rc; 3040 3041 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); 3042 if (rc2) 3043 return rc2; 3044 return rc; 3045 } 3046 3047 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3048 { 3049 const struct cred *cred = current_cred(); 3050 unsigned int ia_valid = iattr->ia_valid; 3051 __u32 av = FILE__WRITE; 3052 3053 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3054 if (ia_valid & ATTR_FORCE) { 3055 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3056 ATTR_FORCE); 3057 if (!ia_valid) 3058 return 0; 3059 } 3060 3061 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3062 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3063 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3064 3065 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE) 3066 && !(ia_valid & ATTR_FILE)) 3067 av |= FILE__OPEN; 3068 3069 return dentry_has_perm(cred, dentry, av); 3070 } 3071 3072 static int selinux_inode_getattr(const struct path *path) 3073 { 3074 return path_has_perm(current_cred(), path, FILE__GETATTR); 3075 } 3076 3077 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) 3078 { 3079 const struct cred *cred = current_cred(); 3080 3081 if (!strncmp(name, XATTR_SECURITY_PREFIX, 3082 sizeof XATTR_SECURITY_PREFIX - 1)) { 3083 if (!strcmp(name, XATTR_NAME_CAPS)) { 3084 if (!capable(CAP_SETFCAP)) 3085 return -EPERM; 3086 } else if (!capable(CAP_SYS_ADMIN)) { 3087 /* A different attribute in the security namespace. 3088 Restrict to administrator. */ 3089 return -EPERM; 3090 } 3091 } 3092 3093 /* Not an attribute we recognize, so just check the 3094 ordinary setattr permission. */ 3095 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3096 } 3097 3098 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3099 const void *value, size_t size, int flags) 3100 { 3101 struct inode *inode = d_backing_inode(dentry); 3102 struct inode_security_struct *isec; 3103 struct superblock_security_struct *sbsec; 3104 struct common_audit_data ad; 3105 u32 newsid, sid = current_sid(); 3106 int rc = 0; 3107 3108 if (strcmp(name, XATTR_NAME_SELINUX)) 3109 return selinux_inode_setotherxattr(dentry, name); 3110 3111 sbsec = inode->i_sb->s_security; 3112 if (!(sbsec->flags & SBLABEL_MNT)) 3113 return -EOPNOTSUPP; 3114 3115 if (!inode_owner_or_capable(inode)) 3116 return -EPERM; 3117 3118 ad.type = LSM_AUDIT_DATA_DENTRY; 3119 ad.u.dentry = dentry; 3120 3121 isec = backing_inode_security(dentry); 3122 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3123 FILE__RELABELFROM, &ad); 3124 if (rc) 3125 return rc; 3126 3127 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3128 if (rc == -EINVAL) { 3129 if (!capable(CAP_MAC_ADMIN)) { 3130 struct audit_buffer *ab; 3131 size_t audit_size; 3132 const char *str; 3133 3134 /* We strip a nul only if it is at the end, otherwise the 3135 * context contains a nul and we should audit that */ 3136 if (value) { 3137 str = value; 3138 if (str[size - 1] == '\0') 3139 audit_size = size - 1; 3140 else 3141 audit_size = size; 3142 } else { 3143 str = ""; 3144 audit_size = 0; 3145 } 3146 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 3147 audit_log_format(ab, "op=setxattr invalid_context="); 3148 audit_log_n_untrustedstring(ab, value, audit_size); 3149 audit_log_end(ab); 3150 3151 return rc; 3152 } 3153 rc = security_context_to_sid_force(value, size, &newsid); 3154 } 3155 if (rc) 3156 return rc; 3157 3158 rc = avc_has_perm(sid, newsid, isec->sclass, 3159 FILE__RELABELTO, &ad); 3160 if (rc) 3161 return rc; 3162 3163 rc = security_validate_transition(isec->sid, newsid, sid, 3164 isec->sclass); 3165 if (rc) 3166 return rc; 3167 3168 return avc_has_perm(newsid, 3169 sbsec->sid, 3170 SECCLASS_FILESYSTEM, 3171 FILESYSTEM__ASSOCIATE, 3172 &ad); 3173 } 3174 3175 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3176 const void *value, size_t size, 3177 int flags) 3178 { 3179 struct inode *inode = d_backing_inode(dentry); 3180 struct inode_security_struct *isec; 3181 u32 newsid; 3182 int rc; 3183 3184 if (strcmp(name, XATTR_NAME_SELINUX)) { 3185 /* Not an attribute we recognize, so nothing to do. */ 3186 return; 3187 } 3188 3189 rc = security_context_to_sid_force(value, size, &newsid); 3190 if (rc) { 3191 printk(KERN_ERR "SELinux: unable to map context to SID" 3192 "for (%s, %lu), rc=%d\n", 3193 inode->i_sb->s_id, inode->i_ino, -rc); 3194 return; 3195 } 3196 3197 isec = backing_inode_security(dentry); 3198 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3199 isec->sid = newsid; 3200 isec->initialized = LABEL_INITIALIZED; 3201 3202 return; 3203 } 3204 3205 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3206 { 3207 const struct cred *cred = current_cred(); 3208 3209 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3210 } 3211 3212 static int selinux_inode_listxattr(struct dentry *dentry) 3213 { 3214 const struct cred *cred = current_cred(); 3215 3216 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3217 } 3218 3219 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3220 { 3221 if (strcmp(name, XATTR_NAME_SELINUX)) 3222 return selinux_inode_setotherxattr(dentry, name); 3223 3224 /* No one is allowed to remove a SELinux security label. 3225 You can change the label, but all data must be labeled. */ 3226 return -EACCES; 3227 } 3228 3229 /* 3230 * Copy the inode security context value to the user. 3231 * 3232 * Permission check is handled by selinux_inode_getxattr hook. 3233 */ 3234 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3235 { 3236 u32 size; 3237 int error; 3238 char *context = NULL; 3239 struct inode_security_struct *isec; 3240 3241 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3242 return -EOPNOTSUPP; 3243 3244 /* 3245 * If the caller has CAP_MAC_ADMIN, then get the raw context 3246 * value even if it is not defined by current policy; otherwise, 3247 * use the in-core value under current policy. 3248 * Use the non-auditing forms of the permission checks since 3249 * getxattr may be called by unprivileged processes commonly 3250 * and lack of permission just means that we fall back to the 3251 * in-core context value, not a denial. 3252 */ 3253 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN, 3254 SECURITY_CAP_NOAUDIT); 3255 if (!error) 3256 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN, 3257 SECURITY_CAP_NOAUDIT, true); 3258 isec = inode_security(inode); 3259 if (!error) 3260 error = security_sid_to_context_force(isec->sid, &context, 3261 &size); 3262 else 3263 error = security_sid_to_context(isec->sid, &context, &size); 3264 if (error) 3265 return error; 3266 error = size; 3267 if (alloc) { 3268 *buffer = context; 3269 goto out_nofree; 3270 } 3271 kfree(context); 3272 out_nofree: 3273 return error; 3274 } 3275 3276 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3277 const void *value, size_t size, int flags) 3278 { 3279 struct inode_security_struct *isec = inode_security_novalidate(inode); 3280 u32 newsid; 3281 int rc; 3282 3283 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3284 return -EOPNOTSUPP; 3285 3286 if (!value || !size) 3287 return -EACCES; 3288 3289 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3290 if (rc) 3291 return rc; 3292 3293 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3294 isec->sid = newsid; 3295 isec->initialized = LABEL_INITIALIZED; 3296 return 0; 3297 } 3298 3299 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3300 { 3301 const int len = sizeof(XATTR_NAME_SELINUX); 3302 if (buffer && len <= buffer_size) 3303 memcpy(buffer, XATTR_NAME_SELINUX, len); 3304 return len; 3305 } 3306 3307 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3308 { 3309 struct inode_security_struct *isec = inode_security_novalidate(inode); 3310 *secid = isec->sid; 3311 } 3312 3313 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3314 { 3315 u32 sid; 3316 struct task_security_struct *tsec; 3317 struct cred *new_creds = *new; 3318 3319 if (new_creds == NULL) { 3320 new_creds = prepare_creds(); 3321 if (!new_creds) 3322 return -ENOMEM; 3323 } 3324 3325 tsec = new_creds->security; 3326 /* Get label from overlay inode and set it in create_sid */ 3327 selinux_inode_getsecid(d_inode(src), &sid); 3328 tsec->create_sid = sid; 3329 *new = new_creds; 3330 return 0; 3331 } 3332 3333 static int selinux_inode_copy_up_xattr(const char *name) 3334 { 3335 /* The copy_up hook above sets the initial context on an inode, but we 3336 * don't then want to overwrite it by blindly copying all the lower 3337 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3338 */ 3339 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3340 return 1; /* Discard */ 3341 /* 3342 * Any other attribute apart from SELINUX is not claimed, supported 3343 * by selinux. 3344 */ 3345 return -EOPNOTSUPP; 3346 } 3347 3348 /* file security operations */ 3349 3350 static int selinux_revalidate_file_permission(struct file *file, int mask) 3351 { 3352 const struct cred *cred = current_cred(); 3353 struct inode *inode = file_inode(file); 3354 3355 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3356 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3357 mask |= MAY_APPEND; 3358 3359 return file_has_perm(cred, file, 3360 file_mask_to_av(inode->i_mode, mask)); 3361 } 3362 3363 static int selinux_file_permission(struct file *file, int mask) 3364 { 3365 struct inode *inode = file_inode(file); 3366 struct file_security_struct *fsec = file->f_security; 3367 struct inode_security_struct *isec; 3368 u32 sid = current_sid(); 3369 3370 if (!mask) 3371 /* No permission to check. Existence test. */ 3372 return 0; 3373 3374 isec = inode_security(inode); 3375 if (sid == fsec->sid && fsec->isid == isec->sid && 3376 fsec->pseqno == avc_policy_seqno()) 3377 /* No change since file_open check. */ 3378 return 0; 3379 3380 return selinux_revalidate_file_permission(file, mask); 3381 } 3382 3383 static int selinux_file_alloc_security(struct file *file) 3384 { 3385 return file_alloc_security(file); 3386 } 3387 3388 static void selinux_file_free_security(struct file *file) 3389 { 3390 file_free_security(file); 3391 } 3392 3393 /* 3394 * Check whether a task has the ioctl permission and cmd 3395 * operation to an inode. 3396 */ 3397 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3398 u32 requested, u16 cmd) 3399 { 3400 struct common_audit_data ad; 3401 struct file_security_struct *fsec = file->f_security; 3402 struct inode *inode = file_inode(file); 3403 struct inode_security_struct *isec; 3404 struct lsm_ioctlop_audit ioctl; 3405 u32 ssid = cred_sid(cred); 3406 int rc; 3407 u8 driver = cmd >> 8; 3408 u8 xperm = cmd & 0xff; 3409 3410 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3411 ad.u.op = &ioctl; 3412 ad.u.op->cmd = cmd; 3413 ad.u.op->path = file->f_path; 3414 3415 if (ssid != fsec->sid) { 3416 rc = avc_has_perm(ssid, fsec->sid, 3417 SECCLASS_FD, 3418 FD__USE, 3419 &ad); 3420 if (rc) 3421 goto out; 3422 } 3423 3424 if (unlikely(IS_PRIVATE(inode))) 3425 return 0; 3426 3427 isec = inode_security(inode); 3428 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, 3429 requested, driver, xperm, &ad); 3430 out: 3431 return rc; 3432 } 3433 3434 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3435 unsigned long arg) 3436 { 3437 const struct cred *cred = current_cred(); 3438 int error = 0; 3439 3440 switch (cmd) { 3441 case FIONREAD: 3442 /* fall through */ 3443 case FIBMAP: 3444 /* fall through */ 3445 case FIGETBSZ: 3446 /* fall through */ 3447 case FS_IOC_GETFLAGS: 3448 /* fall through */ 3449 case FS_IOC_GETVERSION: 3450 error = file_has_perm(cred, file, FILE__GETATTR); 3451 break; 3452 3453 case FS_IOC_SETFLAGS: 3454 /* fall through */ 3455 case FS_IOC_SETVERSION: 3456 error = file_has_perm(cred, file, FILE__SETATTR); 3457 break; 3458 3459 /* sys_ioctl() checks */ 3460 case FIONBIO: 3461 /* fall through */ 3462 case FIOASYNC: 3463 error = file_has_perm(cred, file, 0); 3464 break; 3465 3466 case KDSKBENT: 3467 case KDSKBSENT: 3468 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3469 SECURITY_CAP_AUDIT, true); 3470 break; 3471 3472 /* default case assumes that the command will go 3473 * to the file's ioctl() function. 3474 */ 3475 default: 3476 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3477 } 3478 return error; 3479 } 3480 3481 static int default_noexec; 3482 3483 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3484 { 3485 const struct cred *cred = current_cred(); 3486 int rc = 0; 3487 3488 if (default_noexec && 3489 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3490 (!shared && (prot & PROT_WRITE)))) { 3491 /* 3492 * We are making executable an anonymous mapping or a 3493 * private file mapping that will also be writable. 3494 * This has an additional check. 3495 */ 3496 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM); 3497 if (rc) 3498 goto error; 3499 } 3500 3501 if (file) { 3502 /* read access is always possible with a mapping */ 3503 u32 av = FILE__READ; 3504 3505 /* write access only matters if the mapping is shared */ 3506 if (shared && (prot & PROT_WRITE)) 3507 av |= FILE__WRITE; 3508 3509 if (prot & PROT_EXEC) 3510 av |= FILE__EXECUTE; 3511 3512 return file_has_perm(cred, file, av); 3513 } 3514 3515 error: 3516 return rc; 3517 } 3518 3519 static int selinux_mmap_addr(unsigned long addr) 3520 { 3521 int rc = 0; 3522 3523 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3524 u32 sid = current_sid(); 3525 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3526 MEMPROTECT__MMAP_ZERO, NULL); 3527 } 3528 3529 return rc; 3530 } 3531 3532 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3533 unsigned long prot, unsigned long flags) 3534 { 3535 if (selinux_checkreqprot) 3536 prot = reqprot; 3537 3538 return file_map_prot_check(file, prot, 3539 (flags & MAP_TYPE) == MAP_SHARED); 3540 } 3541 3542 static int selinux_file_mprotect(struct vm_area_struct *vma, 3543 unsigned long reqprot, 3544 unsigned long prot) 3545 { 3546 const struct cred *cred = current_cred(); 3547 3548 if (selinux_checkreqprot) 3549 prot = reqprot; 3550 3551 if (default_noexec && 3552 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3553 int rc = 0; 3554 if (vma->vm_start >= vma->vm_mm->start_brk && 3555 vma->vm_end <= vma->vm_mm->brk) { 3556 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP); 3557 } else if (!vma->vm_file && 3558 ((vma->vm_start <= vma->vm_mm->start_stack && 3559 vma->vm_end >= vma->vm_mm->start_stack) || 3560 vma_is_stack_for_current(vma))) { 3561 rc = current_has_perm(current, PROCESS__EXECSTACK); 3562 } else if (vma->vm_file && vma->anon_vma) { 3563 /* 3564 * We are making executable a file mapping that has 3565 * had some COW done. Since pages might have been 3566 * written, check ability to execute the possibly 3567 * modified content. This typically should only 3568 * occur for text relocations. 3569 */ 3570 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3571 } 3572 if (rc) 3573 return rc; 3574 } 3575 3576 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3577 } 3578 3579 static int selinux_file_lock(struct file *file, unsigned int cmd) 3580 { 3581 const struct cred *cred = current_cred(); 3582 3583 return file_has_perm(cred, file, FILE__LOCK); 3584 } 3585 3586 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3587 unsigned long arg) 3588 { 3589 const struct cred *cred = current_cred(); 3590 int err = 0; 3591 3592 switch (cmd) { 3593 case F_SETFL: 3594 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3595 err = file_has_perm(cred, file, FILE__WRITE); 3596 break; 3597 } 3598 /* fall through */ 3599 case F_SETOWN: 3600 case F_SETSIG: 3601 case F_GETFL: 3602 case F_GETOWN: 3603 case F_GETSIG: 3604 case F_GETOWNER_UIDS: 3605 /* Just check FD__USE permission */ 3606 err = file_has_perm(cred, file, 0); 3607 break; 3608 case F_GETLK: 3609 case F_SETLK: 3610 case F_SETLKW: 3611 case F_OFD_GETLK: 3612 case F_OFD_SETLK: 3613 case F_OFD_SETLKW: 3614 #if BITS_PER_LONG == 32 3615 case F_GETLK64: 3616 case F_SETLK64: 3617 case F_SETLKW64: 3618 #endif 3619 err = file_has_perm(cred, file, FILE__LOCK); 3620 break; 3621 } 3622 3623 return err; 3624 } 3625 3626 static void selinux_file_set_fowner(struct file *file) 3627 { 3628 struct file_security_struct *fsec; 3629 3630 fsec = file->f_security; 3631 fsec->fown_sid = current_sid(); 3632 } 3633 3634 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3635 struct fown_struct *fown, int signum) 3636 { 3637 struct file *file; 3638 u32 sid = task_sid(tsk); 3639 u32 perm; 3640 struct file_security_struct *fsec; 3641 3642 /* struct fown_struct is never outside the context of a struct file */ 3643 file = container_of(fown, struct file, f_owner); 3644 3645 fsec = file->f_security; 3646 3647 if (!signum) 3648 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3649 else 3650 perm = signal_to_av(signum); 3651 3652 return avc_has_perm(fsec->fown_sid, sid, 3653 SECCLASS_PROCESS, perm, NULL); 3654 } 3655 3656 static int selinux_file_receive(struct file *file) 3657 { 3658 const struct cred *cred = current_cred(); 3659 3660 return file_has_perm(cred, file, file_to_av(file)); 3661 } 3662 3663 static int selinux_file_open(struct file *file, const struct cred *cred) 3664 { 3665 struct file_security_struct *fsec; 3666 struct inode_security_struct *isec; 3667 3668 fsec = file->f_security; 3669 isec = inode_security(file_inode(file)); 3670 /* 3671 * Save inode label and policy sequence number 3672 * at open-time so that selinux_file_permission 3673 * can determine whether revalidation is necessary. 3674 * Task label is already saved in the file security 3675 * struct as its SID. 3676 */ 3677 fsec->isid = isec->sid; 3678 fsec->pseqno = avc_policy_seqno(); 3679 /* 3680 * Since the inode label or policy seqno may have changed 3681 * between the selinux_inode_permission check and the saving 3682 * of state above, recheck that access is still permitted. 3683 * Otherwise, access might never be revalidated against the 3684 * new inode label or new policy. 3685 * This check is not redundant - do not remove. 3686 */ 3687 return file_path_has_perm(cred, file, open_file_to_av(file)); 3688 } 3689 3690 /* task security operations */ 3691 3692 static int selinux_task_create(unsigned long clone_flags) 3693 { 3694 return current_has_perm(current, PROCESS__FORK); 3695 } 3696 3697 /* 3698 * allocate the SELinux part of blank credentials 3699 */ 3700 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3701 { 3702 struct task_security_struct *tsec; 3703 3704 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3705 if (!tsec) 3706 return -ENOMEM; 3707 3708 cred->security = tsec; 3709 return 0; 3710 } 3711 3712 /* 3713 * detach and free the LSM part of a set of credentials 3714 */ 3715 static void selinux_cred_free(struct cred *cred) 3716 { 3717 struct task_security_struct *tsec = cred->security; 3718 3719 /* 3720 * cred->security == NULL if security_cred_alloc_blank() or 3721 * security_prepare_creds() returned an error. 3722 */ 3723 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); 3724 cred->security = (void *) 0x7UL; 3725 kfree(tsec); 3726 } 3727 3728 /* 3729 * prepare a new set of credentials for modification 3730 */ 3731 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3732 gfp_t gfp) 3733 { 3734 const struct task_security_struct *old_tsec; 3735 struct task_security_struct *tsec; 3736 3737 old_tsec = old->security; 3738 3739 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3740 if (!tsec) 3741 return -ENOMEM; 3742 3743 new->security = tsec; 3744 return 0; 3745 } 3746 3747 /* 3748 * transfer the SELinux data to a blank set of creds 3749 */ 3750 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3751 { 3752 const struct task_security_struct *old_tsec = old->security; 3753 struct task_security_struct *tsec = new->security; 3754 3755 *tsec = *old_tsec; 3756 } 3757 3758 /* 3759 * set the security data for a kernel service 3760 * - all the creation contexts are set to unlabelled 3761 */ 3762 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3763 { 3764 struct task_security_struct *tsec = new->security; 3765 u32 sid = current_sid(); 3766 int ret; 3767 3768 ret = avc_has_perm(sid, secid, 3769 SECCLASS_KERNEL_SERVICE, 3770 KERNEL_SERVICE__USE_AS_OVERRIDE, 3771 NULL); 3772 if (ret == 0) { 3773 tsec->sid = secid; 3774 tsec->create_sid = 0; 3775 tsec->keycreate_sid = 0; 3776 tsec->sockcreate_sid = 0; 3777 } 3778 return ret; 3779 } 3780 3781 /* 3782 * set the file creation context in a security record to the same as the 3783 * objective context of the specified inode 3784 */ 3785 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3786 { 3787 struct inode_security_struct *isec = inode_security(inode); 3788 struct task_security_struct *tsec = new->security; 3789 u32 sid = current_sid(); 3790 int ret; 3791 3792 ret = avc_has_perm(sid, isec->sid, 3793 SECCLASS_KERNEL_SERVICE, 3794 KERNEL_SERVICE__CREATE_FILES_AS, 3795 NULL); 3796 3797 if (ret == 0) 3798 tsec->create_sid = isec->sid; 3799 return ret; 3800 } 3801 3802 static int selinux_kernel_module_request(char *kmod_name) 3803 { 3804 u32 sid; 3805 struct common_audit_data ad; 3806 3807 sid = task_sid(current); 3808 3809 ad.type = LSM_AUDIT_DATA_KMOD; 3810 ad.u.kmod_name = kmod_name; 3811 3812 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM, 3813 SYSTEM__MODULE_REQUEST, &ad); 3814 } 3815 3816 static int selinux_kernel_module_from_file(struct file *file) 3817 { 3818 struct common_audit_data ad; 3819 struct inode_security_struct *isec; 3820 struct file_security_struct *fsec; 3821 u32 sid = current_sid(); 3822 int rc; 3823 3824 /* init_module */ 3825 if (file == NULL) 3826 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, 3827 SYSTEM__MODULE_LOAD, NULL); 3828 3829 /* finit_module */ 3830 3831 ad.type = LSM_AUDIT_DATA_FILE; 3832 ad.u.file = file; 3833 3834 fsec = file->f_security; 3835 if (sid != fsec->sid) { 3836 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 3837 if (rc) 3838 return rc; 3839 } 3840 3841 isec = inode_security(file_inode(file)); 3842 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, 3843 SYSTEM__MODULE_LOAD, &ad); 3844 } 3845 3846 static int selinux_kernel_read_file(struct file *file, 3847 enum kernel_read_file_id id) 3848 { 3849 int rc = 0; 3850 3851 switch (id) { 3852 case READING_MODULE: 3853 rc = selinux_kernel_module_from_file(file); 3854 break; 3855 default: 3856 break; 3857 } 3858 3859 return rc; 3860 } 3861 3862 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3863 { 3864 return current_has_perm(p, PROCESS__SETPGID); 3865 } 3866 3867 static int selinux_task_getpgid(struct task_struct *p) 3868 { 3869 return current_has_perm(p, PROCESS__GETPGID); 3870 } 3871 3872 static int selinux_task_getsid(struct task_struct *p) 3873 { 3874 return current_has_perm(p, PROCESS__GETSESSION); 3875 } 3876 3877 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3878 { 3879 *secid = task_sid(p); 3880 } 3881 3882 static int selinux_task_setnice(struct task_struct *p, int nice) 3883 { 3884 return current_has_perm(p, PROCESS__SETSCHED); 3885 } 3886 3887 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3888 { 3889 return current_has_perm(p, PROCESS__SETSCHED); 3890 } 3891 3892 static int selinux_task_getioprio(struct task_struct *p) 3893 { 3894 return current_has_perm(p, PROCESS__GETSCHED); 3895 } 3896 3897 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 3898 struct rlimit *new_rlim) 3899 { 3900 struct rlimit *old_rlim = p->signal->rlim + resource; 3901 3902 /* Control the ability to change the hard limit (whether 3903 lowering or raising it), so that the hard limit can 3904 later be used as a safe reset point for the soft limit 3905 upon context transitions. See selinux_bprm_committing_creds. */ 3906 if (old_rlim->rlim_max != new_rlim->rlim_max) 3907 return current_has_perm(p, PROCESS__SETRLIMIT); 3908 3909 return 0; 3910 } 3911 3912 static int selinux_task_setscheduler(struct task_struct *p) 3913 { 3914 return current_has_perm(p, PROCESS__SETSCHED); 3915 } 3916 3917 static int selinux_task_getscheduler(struct task_struct *p) 3918 { 3919 return current_has_perm(p, PROCESS__GETSCHED); 3920 } 3921 3922 static int selinux_task_movememory(struct task_struct *p) 3923 { 3924 return current_has_perm(p, PROCESS__SETSCHED); 3925 } 3926 3927 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 3928 int sig, u32 secid) 3929 { 3930 u32 perm; 3931 int rc; 3932 3933 if (!sig) 3934 perm = PROCESS__SIGNULL; /* null signal; existence test */ 3935 else 3936 perm = signal_to_av(sig); 3937 if (secid) 3938 rc = avc_has_perm(secid, task_sid(p), 3939 SECCLASS_PROCESS, perm, NULL); 3940 else 3941 rc = current_has_perm(p, perm); 3942 return rc; 3943 } 3944 3945 static int selinux_task_wait(struct task_struct *p) 3946 { 3947 return task_has_perm(p, current, PROCESS__SIGCHLD); 3948 } 3949 3950 static void selinux_task_to_inode(struct task_struct *p, 3951 struct inode *inode) 3952 { 3953 struct inode_security_struct *isec = inode->i_security; 3954 u32 sid = task_sid(p); 3955 3956 isec->sid = sid; 3957 isec->initialized = LABEL_INITIALIZED; 3958 } 3959 3960 /* Returns error only if unable to parse addresses */ 3961 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 3962 struct common_audit_data *ad, u8 *proto) 3963 { 3964 int offset, ihlen, ret = -EINVAL; 3965 struct iphdr _iph, *ih; 3966 3967 offset = skb_network_offset(skb); 3968 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 3969 if (ih == NULL) 3970 goto out; 3971 3972 ihlen = ih->ihl * 4; 3973 if (ihlen < sizeof(_iph)) 3974 goto out; 3975 3976 ad->u.net->v4info.saddr = ih->saddr; 3977 ad->u.net->v4info.daddr = ih->daddr; 3978 ret = 0; 3979 3980 if (proto) 3981 *proto = ih->protocol; 3982 3983 switch (ih->protocol) { 3984 case IPPROTO_TCP: { 3985 struct tcphdr _tcph, *th; 3986 3987 if (ntohs(ih->frag_off) & IP_OFFSET) 3988 break; 3989 3990 offset += ihlen; 3991 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3992 if (th == NULL) 3993 break; 3994 3995 ad->u.net->sport = th->source; 3996 ad->u.net->dport = th->dest; 3997 break; 3998 } 3999 4000 case IPPROTO_UDP: { 4001 struct udphdr _udph, *uh; 4002 4003 if (ntohs(ih->frag_off) & IP_OFFSET) 4004 break; 4005 4006 offset += ihlen; 4007 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4008 if (uh == NULL) 4009 break; 4010 4011 ad->u.net->sport = uh->source; 4012 ad->u.net->dport = uh->dest; 4013 break; 4014 } 4015 4016 case IPPROTO_DCCP: { 4017 struct dccp_hdr _dccph, *dh; 4018 4019 if (ntohs(ih->frag_off) & IP_OFFSET) 4020 break; 4021 4022 offset += ihlen; 4023 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4024 if (dh == NULL) 4025 break; 4026 4027 ad->u.net->sport = dh->dccph_sport; 4028 ad->u.net->dport = dh->dccph_dport; 4029 break; 4030 } 4031 4032 default: 4033 break; 4034 } 4035 out: 4036 return ret; 4037 } 4038 4039 #if IS_ENABLED(CONFIG_IPV6) 4040 4041 /* Returns error only if unable to parse addresses */ 4042 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4043 struct common_audit_data *ad, u8 *proto) 4044 { 4045 u8 nexthdr; 4046 int ret = -EINVAL, offset; 4047 struct ipv6hdr _ipv6h, *ip6; 4048 __be16 frag_off; 4049 4050 offset = skb_network_offset(skb); 4051 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4052 if (ip6 == NULL) 4053 goto out; 4054 4055 ad->u.net->v6info.saddr = ip6->saddr; 4056 ad->u.net->v6info.daddr = ip6->daddr; 4057 ret = 0; 4058 4059 nexthdr = ip6->nexthdr; 4060 offset += sizeof(_ipv6h); 4061 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4062 if (offset < 0) 4063 goto out; 4064 4065 if (proto) 4066 *proto = nexthdr; 4067 4068 switch (nexthdr) { 4069 case IPPROTO_TCP: { 4070 struct tcphdr _tcph, *th; 4071 4072 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4073 if (th == NULL) 4074 break; 4075 4076 ad->u.net->sport = th->source; 4077 ad->u.net->dport = th->dest; 4078 break; 4079 } 4080 4081 case IPPROTO_UDP: { 4082 struct udphdr _udph, *uh; 4083 4084 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4085 if (uh == NULL) 4086 break; 4087 4088 ad->u.net->sport = uh->source; 4089 ad->u.net->dport = uh->dest; 4090 break; 4091 } 4092 4093 case IPPROTO_DCCP: { 4094 struct dccp_hdr _dccph, *dh; 4095 4096 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4097 if (dh == NULL) 4098 break; 4099 4100 ad->u.net->sport = dh->dccph_sport; 4101 ad->u.net->dport = dh->dccph_dport; 4102 break; 4103 } 4104 4105 /* includes fragments */ 4106 default: 4107 break; 4108 } 4109 out: 4110 return ret; 4111 } 4112 4113 #endif /* IPV6 */ 4114 4115 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4116 char **_addrp, int src, u8 *proto) 4117 { 4118 char *addrp; 4119 int ret; 4120 4121 switch (ad->u.net->family) { 4122 case PF_INET: 4123 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4124 if (ret) 4125 goto parse_error; 4126 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4127 &ad->u.net->v4info.daddr); 4128 goto okay; 4129 4130 #if IS_ENABLED(CONFIG_IPV6) 4131 case PF_INET6: 4132 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4133 if (ret) 4134 goto parse_error; 4135 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4136 &ad->u.net->v6info.daddr); 4137 goto okay; 4138 #endif /* IPV6 */ 4139 default: 4140 addrp = NULL; 4141 goto okay; 4142 } 4143 4144 parse_error: 4145 printk(KERN_WARNING 4146 "SELinux: failure in selinux_parse_skb()," 4147 " unable to parse packet\n"); 4148 return ret; 4149 4150 okay: 4151 if (_addrp) 4152 *_addrp = addrp; 4153 return 0; 4154 } 4155 4156 /** 4157 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4158 * @skb: the packet 4159 * @family: protocol family 4160 * @sid: the packet's peer label SID 4161 * 4162 * Description: 4163 * Check the various different forms of network peer labeling and determine 4164 * the peer label/SID for the packet; most of the magic actually occurs in 4165 * the security server function security_net_peersid_cmp(). The function 4166 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4167 * or -EACCES if @sid is invalid due to inconsistencies with the different 4168 * peer labels. 4169 * 4170 */ 4171 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4172 { 4173 int err; 4174 u32 xfrm_sid; 4175 u32 nlbl_sid; 4176 u32 nlbl_type; 4177 4178 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4179 if (unlikely(err)) 4180 return -EACCES; 4181 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4182 if (unlikely(err)) 4183 return -EACCES; 4184 4185 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 4186 if (unlikely(err)) { 4187 printk(KERN_WARNING 4188 "SELinux: failure in selinux_skb_peerlbl_sid()," 4189 " unable to determine packet's peer label\n"); 4190 return -EACCES; 4191 } 4192 4193 return 0; 4194 } 4195 4196 /** 4197 * selinux_conn_sid - Determine the child socket label for a connection 4198 * @sk_sid: the parent socket's SID 4199 * @skb_sid: the packet's SID 4200 * @conn_sid: the resulting connection SID 4201 * 4202 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4203 * combined with the MLS information from @skb_sid in order to create 4204 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy 4205 * of @sk_sid. Returns zero on success, negative values on failure. 4206 * 4207 */ 4208 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4209 { 4210 int err = 0; 4211 4212 if (skb_sid != SECSID_NULL) 4213 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid); 4214 else 4215 *conn_sid = sk_sid; 4216 4217 return err; 4218 } 4219 4220 /* socket security operations */ 4221 4222 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4223 u16 secclass, u32 *socksid) 4224 { 4225 if (tsec->sockcreate_sid > SECSID_NULL) { 4226 *socksid = tsec->sockcreate_sid; 4227 return 0; 4228 } 4229 4230 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, 4231 socksid); 4232 } 4233 4234 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms) 4235 { 4236 struct sk_security_struct *sksec = sk->sk_security; 4237 struct common_audit_data ad; 4238 struct lsm_network_audit net = {0,}; 4239 u32 tsid = task_sid(task); 4240 4241 if (sksec->sid == SECINITSID_KERNEL) 4242 return 0; 4243 4244 ad.type = LSM_AUDIT_DATA_NET; 4245 ad.u.net = &net; 4246 ad.u.net->sk = sk; 4247 4248 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad); 4249 } 4250 4251 static int selinux_socket_create(int family, int type, 4252 int protocol, int kern) 4253 { 4254 const struct task_security_struct *tsec = current_security(); 4255 u32 newsid; 4256 u16 secclass; 4257 int rc; 4258 4259 if (kern) 4260 return 0; 4261 4262 secclass = socket_type_to_security_class(family, type, protocol); 4263 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4264 if (rc) 4265 return rc; 4266 4267 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4268 } 4269 4270 static int selinux_socket_post_create(struct socket *sock, int family, 4271 int type, int protocol, int kern) 4272 { 4273 const struct task_security_struct *tsec = current_security(); 4274 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4275 struct sk_security_struct *sksec; 4276 int err = 0; 4277 4278 isec->sclass = socket_type_to_security_class(family, type, protocol); 4279 4280 if (kern) 4281 isec->sid = SECINITSID_KERNEL; 4282 else { 4283 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid)); 4284 if (err) 4285 return err; 4286 } 4287 4288 isec->initialized = LABEL_INITIALIZED; 4289 4290 if (sock->sk) { 4291 sksec = sock->sk->sk_security; 4292 sksec->sid = isec->sid; 4293 sksec->sclass = isec->sclass; 4294 err = selinux_netlbl_socket_post_create(sock->sk, family); 4295 } 4296 4297 return err; 4298 } 4299 4300 /* Range of port numbers used to automatically bind. 4301 Need to determine whether we should perform a name_bind 4302 permission check between the socket and the port number. */ 4303 4304 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4305 { 4306 struct sock *sk = sock->sk; 4307 u16 family; 4308 int err; 4309 4310 err = sock_has_perm(current, sk, SOCKET__BIND); 4311 if (err) 4312 goto out; 4313 4314 /* 4315 * If PF_INET or PF_INET6, check name_bind permission for the port. 4316 * Multiple address binding for SCTP is not supported yet: we just 4317 * check the first address now. 4318 */ 4319 family = sk->sk_family; 4320 if (family == PF_INET || family == PF_INET6) { 4321 char *addrp; 4322 struct sk_security_struct *sksec = sk->sk_security; 4323 struct common_audit_data ad; 4324 struct lsm_network_audit net = {0,}; 4325 struct sockaddr_in *addr4 = NULL; 4326 struct sockaddr_in6 *addr6 = NULL; 4327 unsigned short snum; 4328 u32 sid, node_perm; 4329 4330 if (family == PF_INET) { 4331 addr4 = (struct sockaddr_in *)address; 4332 snum = ntohs(addr4->sin_port); 4333 addrp = (char *)&addr4->sin_addr.s_addr; 4334 } else { 4335 addr6 = (struct sockaddr_in6 *)address; 4336 snum = ntohs(addr6->sin6_port); 4337 addrp = (char *)&addr6->sin6_addr.s6_addr; 4338 } 4339 4340 if (snum) { 4341 int low, high; 4342 4343 inet_get_local_port_range(sock_net(sk), &low, &high); 4344 4345 if (snum < max(PROT_SOCK, low) || snum > high) { 4346 err = sel_netport_sid(sk->sk_protocol, 4347 snum, &sid); 4348 if (err) 4349 goto out; 4350 ad.type = LSM_AUDIT_DATA_NET; 4351 ad.u.net = &net; 4352 ad.u.net->sport = htons(snum); 4353 ad.u.net->family = family; 4354 err = avc_has_perm(sksec->sid, sid, 4355 sksec->sclass, 4356 SOCKET__NAME_BIND, &ad); 4357 if (err) 4358 goto out; 4359 } 4360 } 4361 4362 switch (sksec->sclass) { 4363 case SECCLASS_TCP_SOCKET: 4364 node_perm = TCP_SOCKET__NODE_BIND; 4365 break; 4366 4367 case SECCLASS_UDP_SOCKET: 4368 node_perm = UDP_SOCKET__NODE_BIND; 4369 break; 4370 4371 case SECCLASS_DCCP_SOCKET: 4372 node_perm = DCCP_SOCKET__NODE_BIND; 4373 break; 4374 4375 default: 4376 node_perm = RAWIP_SOCKET__NODE_BIND; 4377 break; 4378 } 4379 4380 err = sel_netnode_sid(addrp, family, &sid); 4381 if (err) 4382 goto out; 4383 4384 ad.type = LSM_AUDIT_DATA_NET; 4385 ad.u.net = &net; 4386 ad.u.net->sport = htons(snum); 4387 ad.u.net->family = family; 4388 4389 if (family == PF_INET) 4390 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4391 else 4392 ad.u.net->v6info.saddr = addr6->sin6_addr; 4393 4394 err = avc_has_perm(sksec->sid, sid, 4395 sksec->sclass, node_perm, &ad); 4396 if (err) 4397 goto out; 4398 } 4399 out: 4400 return err; 4401 } 4402 4403 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 4404 { 4405 struct sock *sk = sock->sk; 4406 struct sk_security_struct *sksec = sk->sk_security; 4407 int err; 4408 4409 err = sock_has_perm(current, sk, SOCKET__CONNECT); 4410 if (err) 4411 return err; 4412 4413 /* 4414 * If a TCP or DCCP socket, check name_connect permission for the port. 4415 */ 4416 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4417 sksec->sclass == SECCLASS_DCCP_SOCKET) { 4418 struct common_audit_data ad; 4419 struct lsm_network_audit net = {0,}; 4420 struct sockaddr_in *addr4 = NULL; 4421 struct sockaddr_in6 *addr6 = NULL; 4422 unsigned short snum; 4423 u32 sid, perm; 4424 4425 if (sk->sk_family == PF_INET) { 4426 addr4 = (struct sockaddr_in *)address; 4427 if (addrlen < sizeof(struct sockaddr_in)) 4428 return -EINVAL; 4429 snum = ntohs(addr4->sin_port); 4430 } else { 4431 addr6 = (struct sockaddr_in6 *)address; 4432 if (addrlen < SIN6_LEN_RFC2133) 4433 return -EINVAL; 4434 snum = ntohs(addr6->sin6_port); 4435 } 4436 4437 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4438 if (err) 4439 goto out; 4440 4441 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? 4442 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 4443 4444 ad.type = LSM_AUDIT_DATA_NET; 4445 ad.u.net = &net; 4446 ad.u.net->dport = htons(snum); 4447 ad.u.net->family = sk->sk_family; 4448 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 4449 if (err) 4450 goto out; 4451 } 4452 4453 err = selinux_netlbl_socket_connect(sk, address); 4454 4455 out: 4456 return err; 4457 } 4458 4459 static int selinux_socket_listen(struct socket *sock, int backlog) 4460 { 4461 return sock_has_perm(current, sock->sk, SOCKET__LISTEN); 4462 } 4463 4464 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4465 { 4466 int err; 4467 struct inode_security_struct *isec; 4468 struct inode_security_struct *newisec; 4469 4470 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT); 4471 if (err) 4472 return err; 4473 4474 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4475 4476 isec = inode_security_novalidate(SOCK_INODE(sock)); 4477 newisec->sclass = isec->sclass; 4478 newisec->sid = isec->sid; 4479 newisec->initialized = LABEL_INITIALIZED; 4480 4481 return 0; 4482 } 4483 4484 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4485 int size) 4486 { 4487 return sock_has_perm(current, sock->sk, SOCKET__WRITE); 4488 } 4489 4490 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4491 int size, int flags) 4492 { 4493 return sock_has_perm(current, sock->sk, SOCKET__READ); 4494 } 4495 4496 static int selinux_socket_getsockname(struct socket *sock) 4497 { 4498 return sock_has_perm(current, sock->sk, SOCKET__GETATTR); 4499 } 4500 4501 static int selinux_socket_getpeername(struct socket *sock) 4502 { 4503 return sock_has_perm(current, sock->sk, SOCKET__GETATTR); 4504 } 4505 4506 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4507 { 4508 int err; 4509 4510 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT); 4511 if (err) 4512 return err; 4513 4514 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4515 } 4516 4517 static int selinux_socket_getsockopt(struct socket *sock, int level, 4518 int optname) 4519 { 4520 return sock_has_perm(current, sock->sk, SOCKET__GETOPT); 4521 } 4522 4523 static int selinux_socket_shutdown(struct socket *sock, int how) 4524 { 4525 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN); 4526 } 4527 4528 static int selinux_socket_unix_stream_connect(struct sock *sock, 4529 struct sock *other, 4530 struct sock *newsk) 4531 { 4532 struct sk_security_struct *sksec_sock = sock->sk_security; 4533 struct sk_security_struct *sksec_other = other->sk_security; 4534 struct sk_security_struct *sksec_new = newsk->sk_security; 4535 struct common_audit_data ad; 4536 struct lsm_network_audit net = {0,}; 4537 int err; 4538 4539 ad.type = LSM_AUDIT_DATA_NET; 4540 ad.u.net = &net; 4541 ad.u.net->sk = other; 4542 4543 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4544 sksec_other->sclass, 4545 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4546 if (err) 4547 return err; 4548 4549 /* server child socket */ 4550 sksec_new->peer_sid = sksec_sock->sid; 4551 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, 4552 &sksec_new->sid); 4553 if (err) 4554 return err; 4555 4556 /* connecting socket */ 4557 sksec_sock->peer_sid = sksec_new->sid; 4558 4559 return 0; 4560 } 4561 4562 static int selinux_socket_unix_may_send(struct socket *sock, 4563 struct socket *other) 4564 { 4565 struct sk_security_struct *ssec = sock->sk->sk_security; 4566 struct sk_security_struct *osec = other->sk->sk_security; 4567 struct common_audit_data ad; 4568 struct lsm_network_audit net = {0,}; 4569 4570 ad.type = LSM_AUDIT_DATA_NET; 4571 ad.u.net = &net; 4572 ad.u.net->sk = other->sk; 4573 4574 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4575 &ad); 4576 } 4577 4578 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4579 char *addrp, u16 family, u32 peer_sid, 4580 struct common_audit_data *ad) 4581 { 4582 int err; 4583 u32 if_sid; 4584 u32 node_sid; 4585 4586 err = sel_netif_sid(ns, ifindex, &if_sid); 4587 if (err) 4588 return err; 4589 err = avc_has_perm(peer_sid, if_sid, 4590 SECCLASS_NETIF, NETIF__INGRESS, ad); 4591 if (err) 4592 return err; 4593 4594 err = sel_netnode_sid(addrp, family, &node_sid); 4595 if (err) 4596 return err; 4597 return avc_has_perm(peer_sid, node_sid, 4598 SECCLASS_NODE, NODE__RECVFROM, ad); 4599 } 4600 4601 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4602 u16 family) 4603 { 4604 int err = 0; 4605 struct sk_security_struct *sksec = sk->sk_security; 4606 u32 sk_sid = sksec->sid; 4607 struct common_audit_data ad; 4608 struct lsm_network_audit net = {0,}; 4609 char *addrp; 4610 4611 ad.type = LSM_AUDIT_DATA_NET; 4612 ad.u.net = &net; 4613 ad.u.net->netif = skb->skb_iif; 4614 ad.u.net->family = family; 4615 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4616 if (err) 4617 return err; 4618 4619 if (selinux_secmark_enabled()) { 4620 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4621 PACKET__RECV, &ad); 4622 if (err) 4623 return err; 4624 } 4625 4626 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4627 if (err) 4628 return err; 4629 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4630 4631 return err; 4632 } 4633 4634 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4635 { 4636 int err; 4637 struct sk_security_struct *sksec = sk->sk_security; 4638 u16 family = sk->sk_family; 4639 u32 sk_sid = sksec->sid; 4640 struct common_audit_data ad; 4641 struct lsm_network_audit net = {0,}; 4642 char *addrp; 4643 u8 secmark_active; 4644 u8 peerlbl_active; 4645 4646 if (family != PF_INET && family != PF_INET6) 4647 return 0; 4648 4649 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 4650 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4651 family = PF_INET; 4652 4653 /* If any sort of compatibility mode is enabled then handoff processing 4654 * to the selinux_sock_rcv_skb_compat() function to deal with the 4655 * special handling. We do this in an attempt to keep this function 4656 * as fast and as clean as possible. */ 4657 if (!selinux_policycap_netpeer) 4658 return selinux_sock_rcv_skb_compat(sk, skb, family); 4659 4660 secmark_active = selinux_secmark_enabled(); 4661 peerlbl_active = selinux_peerlbl_enabled(); 4662 if (!secmark_active && !peerlbl_active) 4663 return 0; 4664 4665 ad.type = LSM_AUDIT_DATA_NET; 4666 ad.u.net = &net; 4667 ad.u.net->netif = skb->skb_iif; 4668 ad.u.net->family = family; 4669 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4670 if (err) 4671 return err; 4672 4673 if (peerlbl_active) { 4674 u32 peer_sid; 4675 4676 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4677 if (err) 4678 return err; 4679 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 4680 addrp, family, peer_sid, &ad); 4681 if (err) { 4682 selinux_netlbl_err(skb, family, err, 0); 4683 return err; 4684 } 4685 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 4686 PEER__RECV, &ad); 4687 if (err) { 4688 selinux_netlbl_err(skb, family, err, 0); 4689 return err; 4690 } 4691 } 4692 4693 if (secmark_active) { 4694 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4695 PACKET__RECV, &ad); 4696 if (err) 4697 return err; 4698 } 4699 4700 return err; 4701 } 4702 4703 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4704 int __user *optlen, unsigned len) 4705 { 4706 int err = 0; 4707 char *scontext; 4708 u32 scontext_len; 4709 struct sk_security_struct *sksec = sock->sk->sk_security; 4710 u32 peer_sid = SECSID_NULL; 4711 4712 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4713 sksec->sclass == SECCLASS_TCP_SOCKET) 4714 peer_sid = sksec->peer_sid; 4715 if (peer_sid == SECSID_NULL) 4716 return -ENOPROTOOPT; 4717 4718 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 4719 if (err) 4720 return err; 4721 4722 if (scontext_len > len) { 4723 err = -ERANGE; 4724 goto out_len; 4725 } 4726 4727 if (copy_to_user(optval, scontext, scontext_len)) 4728 err = -EFAULT; 4729 4730 out_len: 4731 if (put_user(scontext_len, optlen)) 4732 err = -EFAULT; 4733 kfree(scontext); 4734 return err; 4735 } 4736 4737 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4738 { 4739 u32 peer_secid = SECSID_NULL; 4740 u16 family; 4741 struct inode_security_struct *isec; 4742 4743 if (skb && skb->protocol == htons(ETH_P_IP)) 4744 family = PF_INET; 4745 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 4746 family = PF_INET6; 4747 else if (sock) 4748 family = sock->sk->sk_family; 4749 else 4750 goto out; 4751 4752 if (sock && family == PF_UNIX) { 4753 isec = inode_security_novalidate(SOCK_INODE(sock)); 4754 peer_secid = isec->sid; 4755 } else if (skb) 4756 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4757 4758 out: 4759 *secid = peer_secid; 4760 if (peer_secid == SECSID_NULL) 4761 return -EINVAL; 4762 return 0; 4763 } 4764 4765 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4766 { 4767 struct sk_security_struct *sksec; 4768 4769 sksec = kzalloc(sizeof(*sksec), priority); 4770 if (!sksec) 4771 return -ENOMEM; 4772 4773 sksec->peer_sid = SECINITSID_UNLABELED; 4774 sksec->sid = SECINITSID_UNLABELED; 4775 sksec->sclass = SECCLASS_SOCKET; 4776 selinux_netlbl_sk_security_reset(sksec); 4777 sk->sk_security = sksec; 4778 4779 return 0; 4780 } 4781 4782 static void selinux_sk_free_security(struct sock *sk) 4783 { 4784 struct sk_security_struct *sksec = sk->sk_security; 4785 4786 sk->sk_security = NULL; 4787 selinux_netlbl_sk_security_free(sksec); 4788 kfree(sksec); 4789 } 4790 4791 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4792 { 4793 struct sk_security_struct *sksec = sk->sk_security; 4794 struct sk_security_struct *newsksec = newsk->sk_security; 4795 4796 newsksec->sid = sksec->sid; 4797 newsksec->peer_sid = sksec->peer_sid; 4798 newsksec->sclass = sksec->sclass; 4799 4800 selinux_netlbl_sk_security_reset(newsksec); 4801 } 4802 4803 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4804 { 4805 if (!sk) 4806 *secid = SECINITSID_ANY_SOCKET; 4807 else { 4808 struct sk_security_struct *sksec = sk->sk_security; 4809 4810 *secid = sksec->sid; 4811 } 4812 } 4813 4814 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 4815 { 4816 struct inode_security_struct *isec = 4817 inode_security_novalidate(SOCK_INODE(parent)); 4818 struct sk_security_struct *sksec = sk->sk_security; 4819 4820 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 4821 sk->sk_family == PF_UNIX) 4822 isec->sid = sksec->sid; 4823 sksec->sclass = isec->sclass; 4824 } 4825 4826 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4827 struct request_sock *req) 4828 { 4829 struct sk_security_struct *sksec = sk->sk_security; 4830 int err; 4831 u16 family = req->rsk_ops->family; 4832 u32 connsid; 4833 u32 peersid; 4834 4835 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 4836 if (err) 4837 return err; 4838 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 4839 if (err) 4840 return err; 4841 req->secid = connsid; 4842 req->peer_secid = peersid; 4843 4844 return selinux_netlbl_inet_conn_request(req, family); 4845 } 4846 4847 static void selinux_inet_csk_clone(struct sock *newsk, 4848 const struct request_sock *req) 4849 { 4850 struct sk_security_struct *newsksec = newsk->sk_security; 4851 4852 newsksec->sid = req->secid; 4853 newsksec->peer_sid = req->peer_secid; 4854 /* NOTE: Ideally, we should also get the isec->sid for the 4855 new socket in sync, but we don't have the isec available yet. 4856 So we will wait until sock_graft to do it, by which 4857 time it will have been created and available. */ 4858 4859 /* We don't need to take any sort of lock here as we are the only 4860 * thread with access to newsksec */ 4861 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 4862 } 4863 4864 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 4865 { 4866 u16 family = sk->sk_family; 4867 struct sk_security_struct *sksec = sk->sk_security; 4868 4869 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4870 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4871 family = PF_INET; 4872 4873 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 4874 } 4875 4876 static int selinux_secmark_relabel_packet(u32 sid) 4877 { 4878 const struct task_security_struct *__tsec; 4879 u32 tsid; 4880 4881 __tsec = current_security(); 4882 tsid = __tsec->sid; 4883 4884 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); 4885 } 4886 4887 static void selinux_secmark_refcount_inc(void) 4888 { 4889 atomic_inc(&selinux_secmark_refcount); 4890 } 4891 4892 static void selinux_secmark_refcount_dec(void) 4893 { 4894 atomic_dec(&selinux_secmark_refcount); 4895 } 4896 4897 static void selinux_req_classify_flow(const struct request_sock *req, 4898 struct flowi *fl) 4899 { 4900 fl->flowi_secid = req->secid; 4901 } 4902 4903 static int selinux_tun_dev_alloc_security(void **security) 4904 { 4905 struct tun_security_struct *tunsec; 4906 4907 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 4908 if (!tunsec) 4909 return -ENOMEM; 4910 tunsec->sid = current_sid(); 4911 4912 *security = tunsec; 4913 return 0; 4914 } 4915 4916 static void selinux_tun_dev_free_security(void *security) 4917 { 4918 kfree(security); 4919 } 4920 4921 static int selinux_tun_dev_create(void) 4922 { 4923 u32 sid = current_sid(); 4924 4925 /* we aren't taking into account the "sockcreate" SID since the socket 4926 * that is being created here is not a socket in the traditional sense, 4927 * instead it is a private sock, accessible only to the kernel, and 4928 * representing a wide range of network traffic spanning multiple 4929 * connections unlike traditional sockets - check the TUN driver to 4930 * get a better understanding of why this socket is special */ 4931 4932 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 4933 NULL); 4934 } 4935 4936 static int selinux_tun_dev_attach_queue(void *security) 4937 { 4938 struct tun_security_struct *tunsec = security; 4939 4940 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 4941 TUN_SOCKET__ATTACH_QUEUE, NULL); 4942 } 4943 4944 static int selinux_tun_dev_attach(struct sock *sk, void *security) 4945 { 4946 struct tun_security_struct *tunsec = security; 4947 struct sk_security_struct *sksec = sk->sk_security; 4948 4949 /* we don't currently perform any NetLabel based labeling here and it 4950 * isn't clear that we would want to do so anyway; while we could apply 4951 * labeling without the support of the TUN user the resulting labeled 4952 * traffic from the other end of the connection would almost certainly 4953 * cause confusion to the TUN user that had no idea network labeling 4954 * protocols were being used */ 4955 4956 sksec->sid = tunsec->sid; 4957 sksec->sclass = SECCLASS_TUN_SOCKET; 4958 4959 return 0; 4960 } 4961 4962 static int selinux_tun_dev_open(void *security) 4963 { 4964 struct tun_security_struct *tunsec = security; 4965 u32 sid = current_sid(); 4966 int err; 4967 4968 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 4969 TUN_SOCKET__RELABELFROM, NULL); 4970 if (err) 4971 return err; 4972 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 4973 TUN_SOCKET__RELABELTO, NULL); 4974 if (err) 4975 return err; 4976 tunsec->sid = sid; 4977 4978 return 0; 4979 } 4980 4981 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 4982 { 4983 int err = 0; 4984 u32 perm; 4985 struct nlmsghdr *nlh; 4986 struct sk_security_struct *sksec = sk->sk_security; 4987 4988 if (skb->len < NLMSG_HDRLEN) { 4989 err = -EINVAL; 4990 goto out; 4991 } 4992 nlh = nlmsg_hdr(skb); 4993 4994 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 4995 if (err) { 4996 if (err == -EINVAL) { 4997 pr_warn_ratelimited("SELinux: unrecognized netlink" 4998 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 4999 " pig=%d comm=%s\n", 5000 sk->sk_protocol, nlh->nlmsg_type, 5001 secclass_map[sksec->sclass - 1].name, 5002 task_pid_nr(current), current->comm); 5003 if (!selinux_enforcing || security_get_allow_unknown()) 5004 err = 0; 5005 } 5006 5007 /* Ignore */ 5008 if (err == -ENOENT) 5009 err = 0; 5010 goto out; 5011 } 5012 5013 err = sock_has_perm(current, sk, perm); 5014 out: 5015 return err; 5016 } 5017 5018 #ifdef CONFIG_NETFILTER 5019 5020 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5021 const struct net_device *indev, 5022 u16 family) 5023 { 5024 int err; 5025 char *addrp; 5026 u32 peer_sid; 5027 struct common_audit_data ad; 5028 struct lsm_network_audit net = {0,}; 5029 u8 secmark_active; 5030 u8 netlbl_active; 5031 u8 peerlbl_active; 5032 5033 if (!selinux_policycap_netpeer) 5034 return NF_ACCEPT; 5035 5036 secmark_active = selinux_secmark_enabled(); 5037 netlbl_active = netlbl_enabled(); 5038 peerlbl_active = selinux_peerlbl_enabled(); 5039 if (!secmark_active && !peerlbl_active) 5040 return NF_ACCEPT; 5041 5042 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5043 return NF_DROP; 5044 5045 ad.type = LSM_AUDIT_DATA_NET; 5046 ad.u.net = &net; 5047 ad.u.net->netif = indev->ifindex; 5048 ad.u.net->family = family; 5049 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5050 return NF_DROP; 5051 5052 if (peerlbl_active) { 5053 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5054 addrp, family, peer_sid, &ad); 5055 if (err) { 5056 selinux_netlbl_err(skb, family, err, 1); 5057 return NF_DROP; 5058 } 5059 } 5060 5061 if (secmark_active) 5062 if (avc_has_perm(peer_sid, skb->secmark, 5063 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5064 return NF_DROP; 5065 5066 if (netlbl_active) 5067 /* we do this in the FORWARD path and not the POST_ROUTING 5068 * path because we want to make sure we apply the necessary 5069 * labeling before IPsec is applied so we can leverage AH 5070 * protection */ 5071 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5072 return NF_DROP; 5073 5074 return NF_ACCEPT; 5075 } 5076 5077 static unsigned int selinux_ipv4_forward(void *priv, 5078 struct sk_buff *skb, 5079 const struct nf_hook_state *state) 5080 { 5081 return selinux_ip_forward(skb, state->in, PF_INET); 5082 } 5083 5084 #if IS_ENABLED(CONFIG_IPV6) 5085 static unsigned int selinux_ipv6_forward(void *priv, 5086 struct sk_buff *skb, 5087 const struct nf_hook_state *state) 5088 { 5089 return selinux_ip_forward(skb, state->in, PF_INET6); 5090 } 5091 #endif /* IPV6 */ 5092 5093 static unsigned int selinux_ip_output(struct sk_buff *skb, 5094 u16 family) 5095 { 5096 struct sock *sk; 5097 u32 sid; 5098 5099 if (!netlbl_enabled()) 5100 return NF_ACCEPT; 5101 5102 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5103 * because we want to make sure we apply the necessary labeling 5104 * before IPsec is applied so we can leverage AH protection */ 5105 sk = skb->sk; 5106 if (sk) { 5107 struct sk_security_struct *sksec; 5108 5109 if (sk_listener(sk)) 5110 /* if the socket is the listening state then this 5111 * packet is a SYN-ACK packet which means it needs to 5112 * be labeled based on the connection/request_sock and 5113 * not the parent socket. unfortunately, we can't 5114 * lookup the request_sock yet as it isn't queued on 5115 * the parent socket until after the SYN-ACK is sent. 5116 * the "solution" is to simply pass the packet as-is 5117 * as any IP option based labeling should be copied 5118 * from the initial connection request (in the IP 5119 * layer). it is far from ideal, but until we get a 5120 * security label in the packet itself this is the 5121 * best we can do. */ 5122 return NF_ACCEPT; 5123 5124 /* standard practice, label using the parent socket */ 5125 sksec = sk->sk_security; 5126 sid = sksec->sid; 5127 } else 5128 sid = SECINITSID_KERNEL; 5129 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5130 return NF_DROP; 5131 5132 return NF_ACCEPT; 5133 } 5134 5135 static unsigned int selinux_ipv4_output(void *priv, 5136 struct sk_buff *skb, 5137 const struct nf_hook_state *state) 5138 { 5139 return selinux_ip_output(skb, PF_INET); 5140 } 5141 5142 #if IS_ENABLED(CONFIG_IPV6) 5143 static unsigned int selinux_ipv6_output(void *priv, 5144 struct sk_buff *skb, 5145 const struct nf_hook_state *state) 5146 { 5147 return selinux_ip_output(skb, PF_INET6); 5148 } 5149 #endif /* IPV6 */ 5150 5151 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5152 int ifindex, 5153 u16 family) 5154 { 5155 struct sock *sk = skb_to_full_sk(skb); 5156 struct sk_security_struct *sksec; 5157 struct common_audit_data ad; 5158 struct lsm_network_audit net = {0,}; 5159 char *addrp; 5160 u8 proto; 5161 5162 if (sk == NULL) 5163 return NF_ACCEPT; 5164 sksec = sk->sk_security; 5165 5166 ad.type = LSM_AUDIT_DATA_NET; 5167 ad.u.net = &net; 5168 ad.u.net->netif = ifindex; 5169 ad.u.net->family = family; 5170 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5171 return NF_DROP; 5172 5173 if (selinux_secmark_enabled()) 5174 if (avc_has_perm(sksec->sid, skb->secmark, 5175 SECCLASS_PACKET, PACKET__SEND, &ad)) 5176 return NF_DROP_ERR(-ECONNREFUSED); 5177 5178 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5179 return NF_DROP_ERR(-ECONNREFUSED); 5180 5181 return NF_ACCEPT; 5182 } 5183 5184 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5185 const struct net_device *outdev, 5186 u16 family) 5187 { 5188 u32 secmark_perm; 5189 u32 peer_sid; 5190 int ifindex = outdev->ifindex; 5191 struct sock *sk; 5192 struct common_audit_data ad; 5193 struct lsm_network_audit net = {0,}; 5194 char *addrp; 5195 u8 secmark_active; 5196 u8 peerlbl_active; 5197 5198 /* If any sort of compatibility mode is enabled then handoff processing 5199 * to the selinux_ip_postroute_compat() function to deal with the 5200 * special handling. We do this in an attempt to keep this function 5201 * as fast and as clean as possible. */ 5202 if (!selinux_policycap_netpeer) 5203 return selinux_ip_postroute_compat(skb, ifindex, family); 5204 5205 secmark_active = selinux_secmark_enabled(); 5206 peerlbl_active = selinux_peerlbl_enabled(); 5207 if (!secmark_active && !peerlbl_active) 5208 return NF_ACCEPT; 5209 5210 sk = skb_to_full_sk(skb); 5211 5212 #ifdef CONFIG_XFRM 5213 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5214 * packet transformation so allow the packet to pass without any checks 5215 * since we'll have another chance to perform access control checks 5216 * when the packet is on it's final way out. 5217 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5218 * is NULL, in this case go ahead and apply access control. 5219 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5220 * TCP listening state we cannot wait until the XFRM processing 5221 * is done as we will miss out on the SA label if we do; 5222 * unfortunately, this means more work, but it is only once per 5223 * connection. */ 5224 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5225 !(sk && sk_listener(sk))) 5226 return NF_ACCEPT; 5227 #endif 5228 5229 if (sk == NULL) { 5230 /* Without an associated socket the packet is either coming 5231 * from the kernel or it is being forwarded; check the packet 5232 * to determine which and if the packet is being forwarded 5233 * query the packet directly to determine the security label. */ 5234 if (skb->skb_iif) { 5235 secmark_perm = PACKET__FORWARD_OUT; 5236 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5237 return NF_DROP; 5238 } else { 5239 secmark_perm = PACKET__SEND; 5240 peer_sid = SECINITSID_KERNEL; 5241 } 5242 } else if (sk_listener(sk)) { 5243 /* Locally generated packet but the associated socket is in the 5244 * listening state which means this is a SYN-ACK packet. In 5245 * this particular case the correct security label is assigned 5246 * to the connection/request_sock but unfortunately we can't 5247 * query the request_sock as it isn't queued on the parent 5248 * socket until after the SYN-ACK packet is sent; the only 5249 * viable choice is to regenerate the label like we do in 5250 * selinux_inet_conn_request(). See also selinux_ip_output() 5251 * for similar problems. */ 5252 u32 skb_sid; 5253 struct sk_security_struct *sksec; 5254 5255 sksec = sk->sk_security; 5256 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5257 return NF_DROP; 5258 /* At this point, if the returned skb peerlbl is SECSID_NULL 5259 * and the packet has been through at least one XFRM 5260 * transformation then we must be dealing with the "final" 5261 * form of labeled IPsec packet; since we've already applied 5262 * all of our access controls on this packet we can safely 5263 * pass the packet. */ 5264 if (skb_sid == SECSID_NULL) { 5265 switch (family) { 5266 case PF_INET: 5267 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5268 return NF_ACCEPT; 5269 break; 5270 case PF_INET6: 5271 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5272 return NF_ACCEPT; 5273 break; 5274 default: 5275 return NF_DROP_ERR(-ECONNREFUSED); 5276 } 5277 } 5278 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5279 return NF_DROP; 5280 secmark_perm = PACKET__SEND; 5281 } else { 5282 /* Locally generated packet, fetch the security label from the 5283 * associated socket. */ 5284 struct sk_security_struct *sksec = sk->sk_security; 5285 peer_sid = sksec->sid; 5286 secmark_perm = PACKET__SEND; 5287 } 5288 5289 ad.type = LSM_AUDIT_DATA_NET; 5290 ad.u.net = &net; 5291 ad.u.net->netif = ifindex; 5292 ad.u.net->family = family; 5293 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5294 return NF_DROP; 5295 5296 if (secmark_active) 5297 if (avc_has_perm(peer_sid, skb->secmark, 5298 SECCLASS_PACKET, secmark_perm, &ad)) 5299 return NF_DROP_ERR(-ECONNREFUSED); 5300 5301 if (peerlbl_active) { 5302 u32 if_sid; 5303 u32 node_sid; 5304 5305 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5306 return NF_DROP; 5307 if (avc_has_perm(peer_sid, if_sid, 5308 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5309 return NF_DROP_ERR(-ECONNREFUSED); 5310 5311 if (sel_netnode_sid(addrp, family, &node_sid)) 5312 return NF_DROP; 5313 if (avc_has_perm(peer_sid, node_sid, 5314 SECCLASS_NODE, NODE__SENDTO, &ad)) 5315 return NF_DROP_ERR(-ECONNREFUSED); 5316 } 5317 5318 return NF_ACCEPT; 5319 } 5320 5321 static unsigned int selinux_ipv4_postroute(void *priv, 5322 struct sk_buff *skb, 5323 const struct nf_hook_state *state) 5324 { 5325 return selinux_ip_postroute(skb, state->out, PF_INET); 5326 } 5327 5328 #if IS_ENABLED(CONFIG_IPV6) 5329 static unsigned int selinux_ipv6_postroute(void *priv, 5330 struct sk_buff *skb, 5331 const struct nf_hook_state *state) 5332 { 5333 return selinux_ip_postroute(skb, state->out, PF_INET6); 5334 } 5335 #endif /* IPV6 */ 5336 5337 #endif /* CONFIG_NETFILTER */ 5338 5339 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5340 { 5341 return selinux_nlmsg_perm(sk, skb); 5342 } 5343 5344 static int ipc_alloc_security(struct task_struct *task, 5345 struct kern_ipc_perm *perm, 5346 u16 sclass) 5347 { 5348 struct ipc_security_struct *isec; 5349 u32 sid; 5350 5351 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 5352 if (!isec) 5353 return -ENOMEM; 5354 5355 sid = task_sid(task); 5356 isec->sclass = sclass; 5357 isec->sid = sid; 5358 perm->security = isec; 5359 5360 return 0; 5361 } 5362 5363 static void ipc_free_security(struct kern_ipc_perm *perm) 5364 { 5365 struct ipc_security_struct *isec = perm->security; 5366 perm->security = NULL; 5367 kfree(isec); 5368 } 5369 5370 static int msg_msg_alloc_security(struct msg_msg *msg) 5371 { 5372 struct msg_security_struct *msec; 5373 5374 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 5375 if (!msec) 5376 return -ENOMEM; 5377 5378 msec->sid = SECINITSID_UNLABELED; 5379 msg->security = msec; 5380 5381 return 0; 5382 } 5383 5384 static void msg_msg_free_security(struct msg_msg *msg) 5385 { 5386 struct msg_security_struct *msec = msg->security; 5387 5388 msg->security = NULL; 5389 kfree(msec); 5390 } 5391 5392 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5393 u32 perms) 5394 { 5395 struct ipc_security_struct *isec; 5396 struct common_audit_data ad; 5397 u32 sid = current_sid(); 5398 5399 isec = ipc_perms->security; 5400 5401 ad.type = LSM_AUDIT_DATA_IPC; 5402 ad.u.ipc_id = ipc_perms->key; 5403 5404 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 5405 } 5406 5407 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5408 { 5409 return msg_msg_alloc_security(msg); 5410 } 5411 5412 static void selinux_msg_msg_free_security(struct msg_msg *msg) 5413 { 5414 msg_msg_free_security(msg); 5415 } 5416 5417 /* message queue security operations */ 5418 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 5419 { 5420 struct ipc_security_struct *isec; 5421 struct common_audit_data ad; 5422 u32 sid = current_sid(); 5423 int rc; 5424 5425 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); 5426 if (rc) 5427 return rc; 5428 5429 isec = msq->q_perm.security; 5430 5431 ad.type = LSM_AUDIT_DATA_IPC; 5432 ad.u.ipc_id = msq->q_perm.key; 5433 5434 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5435 MSGQ__CREATE, &ad); 5436 if (rc) { 5437 ipc_free_security(&msq->q_perm); 5438 return rc; 5439 } 5440 return 0; 5441 } 5442 5443 static void selinux_msg_queue_free_security(struct msg_queue *msq) 5444 { 5445 ipc_free_security(&msq->q_perm); 5446 } 5447 5448 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 5449 { 5450 struct ipc_security_struct *isec; 5451 struct common_audit_data ad; 5452 u32 sid = current_sid(); 5453 5454 isec = msq->q_perm.security; 5455 5456 ad.type = LSM_AUDIT_DATA_IPC; 5457 ad.u.ipc_id = msq->q_perm.key; 5458 5459 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5460 MSGQ__ASSOCIATE, &ad); 5461 } 5462 5463 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 5464 { 5465 int err; 5466 int perms; 5467 5468 switch (cmd) { 5469 case IPC_INFO: 5470 case MSG_INFO: 5471 /* No specific object, just general system-wide information. */ 5472 return task_has_system(current, SYSTEM__IPC_INFO); 5473 case IPC_STAT: 5474 case MSG_STAT: 5475 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 5476 break; 5477 case IPC_SET: 5478 perms = MSGQ__SETATTR; 5479 break; 5480 case IPC_RMID: 5481 perms = MSGQ__DESTROY; 5482 break; 5483 default: 5484 return 0; 5485 } 5486 5487 err = ipc_has_perm(&msq->q_perm, perms); 5488 return err; 5489 } 5490 5491 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 5492 { 5493 struct ipc_security_struct *isec; 5494 struct msg_security_struct *msec; 5495 struct common_audit_data ad; 5496 u32 sid = current_sid(); 5497 int rc; 5498 5499 isec = msq->q_perm.security; 5500 msec = msg->security; 5501 5502 /* 5503 * First time through, need to assign label to the message 5504 */ 5505 if (msec->sid == SECINITSID_UNLABELED) { 5506 /* 5507 * Compute new sid based on current process and 5508 * message queue this message will be stored in 5509 */ 5510 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, 5511 NULL, &msec->sid); 5512 if (rc) 5513 return rc; 5514 } 5515 5516 ad.type = LSM_AUDIT_DATA_IPC; 5517 ad.u.ipc_id = msq->q_perm.key; 5518 5519 /* Can this process write to the queue? */ 5520 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5521 MSGQ__WRITE, &ad); 5522 if (!rc) 5523 /* Can this process send the message */ 5524 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 5525 MSG__SEND, &ad); 5526 if (!rc) 5527 /* Can the message be put in the queue? */ 5528 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 5529 MSGQ__ENQUEUE, &ad); 5530 5531 return rc; 5532 } 5533 5534 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 5535 struct task_struct *target, 5536 long type, int mode) 5537 { 5538 struct ipc_security_struct *isec; 5539 struct msg_security_struct *msec; 5540 struct common_audit_data ad; 5541 u32 sid = task_sid(target); 5542 int rc; 5543 5544 isec = msq->q_perm.security; 5545 msec = msg->security; 5546 5547 ad.type = LSM_AUDIT_DATA_IPC; 5548 ad.u.ipc_id = msq->q_perm.key; 5549 5550 rc = avc_has_perm(sid, isec->sid, 5551 SECCLASS_MSGQ, MSGQ__READ, &ad); 5552 if (!rc) 5553 rc = avc_has_perm(sid, msec->sid, 5554 SECCLASS_MSG, MSG__RECEIVE, &ad); 5555 return rc; 5556 } 5557 5558 /* Shared Memory security operations */ 5559 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 5560 { 5561 struct ipc_security_struct *isec; 5562 struct common_audit_data ad; 5563 u32 sid = current_sid(); 5564 int rc; 5565 5566 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); 5567 if (rc) 5568 return rc; 5569 5570 isec = shp->shm_perm.security; 5571 5572 ad.type = LSM_AUDIT_DATA_IPC; 5573 ad.u.ipc_id = shp->shm_perm.key; 5574 5575 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5576 SHM__CREATE, &ad); 5577 if (rc) { 5578 ipc_free_security(&shp->shm_perm); 5579 return rc; 5580 } 5581 return 0; 5582 } 5583 5584 static void selinux_shm_free_security(struct shmid_kernel *shp) 5585 { 5586 ipc_free_security(&shp->shm_perm); 5587 } 5588 5589 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 5590 { 5591 struct ipc_security_struct *isec; 5592 struct common_audit_data ad; 5593 u32 sid = current_sid(); 5594 5595 isec = shp->shm_perm.security; 5596 5597 ad.type = LSM_AUDIT_DATA_IPC; 5598 ad.u.ipc_id = shp->shm_perm.key; 5599 5600 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5601 SHM__ASSOCIATE, &ad); 5602 } 5603 5604 /* Note, at this point, shp is locked down */ 5605 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 5606 { 5607 int perms; 5608 int err; 5609 5610 switch (cmd) { 5611 case IPC_INFO: 5612 case SHM_INFO: 5613 /* No specific object, just general system-wide information. */ 5614 return task_has_system(current, SYSTEM__IPC_INFO); 5615 case IPC_STAT: 5616 case SHM_STAT: 5617 perms = SHM__GETATTR | SHM__ASSOCIATE; 5618 break; 5619 case IPC_SET: 5620 perms = SHM__SETATTR; 5621 break; 5622 case SHM_LOCK: 5623 case SHM_UNLOCK: 5624 perms = SHM__LOCK; 5625 break; 5626 case IPC_RMID: 5627 perms = SHM__DESTROY; 5628 break; 5629 default: 5630 return 0; 5631 } 5632 5633 err = ipc_has_perm(&shp->shm_perm, perms); 5634 return err; 5635 } 5636 5637 static int selinux_shm_shmat(struct shmid_kernel *shp, 5638 char __user *shmaddr, int shmflg) 5639 { 5640 u32 perms; 5641 5642 if (shmflg & SHM_RDONLY) 5643 perms = SHM__READ; 5644 else 5645 perms = SHM__READ | SHM__WRITE; 5646 5647 return ipc_has_perm(&shp->shm_perm, perms); 5648 } 5649 5650 /* Semaphore security operations */ 5651 static int selinux_sem_alloc_security(struct sem_array *sma) 5652 { 5653 struct ipc_security_struct *isec; 5654 struct common_audit_data ad; 5655 u32 sid = current_sid(); 5656 int rc; 5657 5658 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); 5659 if (rc) 5660 return rc; 5661 5662 isec = sma->sem_perm.security; 5663 5664 ad.type = LSM_AUDIT_DATA_IPC; 5665 ad.u.ipc_id = sma->sem_perm.key; 5666 5667 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5668 SEM__CREATE, &ad); 5669 if (rc) { 5670 ipc_free_security(&sma->sem_perm); 5671 return rc; 5672 } 5673 return 0; 5674 } 5675 5676 static void selinux_sem_free_security(struct sem_array *sma) 5677 { 5678 ipc_free_security(&sma->sem_perm); 5679 } 5680 5681 static int selinux_sem_associate(struct sem_array *sma, int semflg) 5682 { 5683 struct ipc_security_struct *isec; 5684 struct common_audit_data ad; 5685 u32 sid = current_sid(); 5686 5687 isec = sma->sem_perm.security; 5688 5689 ad.type = LSM_AUDIT_DATA_IPC; 5690 ad.u.ipc_id = sma->sem_perm.key; 5691 5692 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5693 SEM__ASSOCIATE, &ad); 5694 } 5695 5696 /* Note, at this point, sma is locked down */ 5697 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 5698 { 5699 int err; 5700 u32 perms; 5701 5702 switch (cmd) { 5703 case IPC_INFO: 5704 case SEM_INFO: 5705 /* No specific object, just general system-wide information. */ 5706 return task_has_system(current, SYSTEM__IPC_INFO); 5707 case GETPID: 5708 case GETNCNT: 5709 case GETZCNT: 5710 perms = SEM__GETATTR; 5711 break; 5712 case GETVAL: 5713 case GETALL: 5714 perms = SEM__READ; 5715 break; 5716 case SETVAL: 5717 case SETALL: 5718 perms = SEM__WRITE; 5719 break; 5720 case IPC_RMID: 5721 perms = SEM__DESTROY; 5722 break; 5723 case IPC_SET: 5724 perms = SEM__SETATTR; 5725 break; 5726 case IPC_STAT: 5727 case SEM_STAT: 5728 perms = SEM__GETATTR | SEM__ASSOCIATE; 5729 break; 5730 default: 5731 return 0; 5732 } 5733 5734 err = ipc_has_perm(&sma->sem_perm, perms); 5735 return err; 5736 } 5737 5738 static int selinux_sem_semop(struct sem_array *sma, 5739 struct sembuf *sops, unsigned nsops, int alter) 5740 { 5741 u32 perms; 5742 5743 if (alter) 5744 perms = SEM__READ | SEM__WRITE; 5745 else 5746 perms = SEM__READ; 5747 5748 return ipc_has_perm(&sma->sem_perm, perms); 5749 } 5750 5751 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 5752 { 5753 u32 av = 0; 5754 5755 av = 0; 5756 if (flag & S_IRUGO) 5757 av |= IPC__UNIX_READ; 5758 if (flag & S_IWUGO) 5759 av |= IPC__UNIX_WRITE; 5760 5761 if (av == 0) 5762 return 0; 5763 5764 return ipc_has_perm(ipcp, av); 5765 } 5766 5767 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 5768 { 5769 struct ipc_security_struct *isec = ipcp->security; 5770 *secid = isec->sid; 5771 } 5772 5773 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 5774 { 5775 if (inode) 5776 inode_doinit_with_dentry(inode, dentry); 5777 } 5778 5779 static int selinux_getprocattr(struct task_struct *p, 5780 char *name, char **value) 5781 { 5782 const struct task_security_struct *__tsec; 5783 u32 sid; 5784 int error; 5785 unsigned len; 5786 5787 if (current != p) { 5788 error = current_has_perm(p, PROCESS__GETATTR); 5789 if (error) 5790 return error; 5791 } 5792 5793 rcu_read_lock(); 5794 __tsec = __task_cred(p)->security; 5795 5796 if (!strcmp(name, "current")) 5797 sid = __tsec->sid; 5798 else if (!strcmp(name, "prev")) 5799 sid = __tsec->osid; 5800 else if (!strcmp(name, "exec")) 5801 sid = __tsec->exec_sid; 5802 else if (!strcmp(name, "fscreate")) 5803 sid = __tsec->create_sid; 5804 else if (!strcmp(name, "keycreate")) 5805 sid = __tsec->keycreate_sid; 5806 else if (!strcmp(name, "sockcreate")) 5807 sid = __tsec->sockcreate_sid; 5808 else 5809 goto invalid; 5810 rcu_read_unlock(); 5811 5812 if (!sid) 5813 return 0; 5814 5815 error = security_sid_to_context(sid, value, &len); 5816 if (error) 5817 return error; 5818 return len; 5819 5820 invalid: 5821 rcu_read_unlock(); 5822 return -EINVAL; 5823 } 5824 5825 static int selinux_setprocattr(struct task_struct *p, 5826 char *name, void *value, size_t size) 5827 { 5828 struct task_security_struct *tsec; 5829 struct cred *new; 5830 u32 sid = 0, ptsid; 5831 int error; 5832 char *str = value; 5833 5834 if (current != p) { 5835 /* SELinux only allows a process to change its own 5836 security attributes. */ 5837 return -EACCES; 5838 } 5839 5840 /* 5841 * Basic control over ability to set these attributes at all. 5842 * current == p, but we'll pass them separately in case the 5843 * above restriction is ever removed. 5844 */ 5845 if (!strcmp(name, "exec")) 5846 error = current_has_perm(p, PROCESS__SETEXEC); 5847 else if (!strcmp(name, "fscreate")) 5848 error = current_has_perm(p, PROCESS__SETFSCREATE); 5849 else if (!strcmp(name, "keycreate")) 5850 error = current_has_perm(p, PROCESS__SETKEYCREATE); 5851 else if (!strcmp(name, "sockcreate")) 5852 error = current_has_perm(p, PROCESS__SETSOCKCREATE); 5853 else if (!strcmp(name, "current")) 5854 error = current_has_perm(p, PROCESS__SETCURRENT); 5855 else 5856 error = -EINVAL; 5857 if (error) 5858 return error; 5859 5860 /* Obtain a SID for the context, if one was specified. */ 5861 if (size && str[1] && str[1] != '\n') { 5862 if (str[size-1] == '\n') { 5863 str[size-1] = 0; 5864 size--; 5865 } 5866 error = security_context_to_sid(value, size, &sid, GFP_KERNEL); 5867 if (error == -EINVAL && !strcmp(name, "fscreate")) { 5868 if (!capable(CAP_MAC_ADMIN)) { 5869 struct audit_buffer *ab; 5870 size_t audit_size; 5871 5872 /* We strip a nul only if it is at the end, otherwise the 5873 * context contains a nul and we should audit that */ 5874 if (str[size - 1] == '\0') 5875 audit_size = size - 1; 5876 else 5877 audit_size = size; 5878 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 5879 audit_log_format(ab, "op=fscreate invalid_context="); 5880 audit_log_n_untrustedstring(ab, value, audit_size); 5881 audit_log_end(ab); 5882 5883 return error; 5884 } 5885 error = security_context_to_sid_force(value, size, 5886 &sid); 5887 } 5888 if (error) 5889 return error; 5890 } 5891 5892 new = prepare_creds(); 5893 if (!new) 5894 return -ENOMEM; 5895 5896 /* Permission checking based on the specified context is 5897 performed during the actual operation (execve, 5898 open/mkdir/...), when we know the full context of the 5899 operation. See selinux_bprm_set_creds for the execve 5900 checks and may_create for the file creation checks. The 5901 operation will then fail if the context is not permitted. */ 5902 tsec = new->security; 5903 if (!strcmp(name, "exec")) { 5904 tsec->exec_sid = sid; 5905 } else if (!strcmp(name, "fscreate")) { 5906 tsec->create_sid = sid; 5907 } else if (!strcmp(name, "keycreate")) { 5908 error = may_create_key(sid, p); 5909 if (error) 5910 goto abort_change; 5911 tsec->keycreate_sid = sid; 5912 } else if (!strcmp(name, "sockcreate")) { 5913 tsec->sockcreate_sid = sid; 5914 } else if (!strcmp(name, "current")) { 5915 error = -EINVAL; 5916 if (sid == 0) 5917 goto abort_change; 5918 5919 /* Only allow single threaded processes to change context */ 5920 error = -EPERM; 5921 if (!current_is_single_threaded()) { 5922 error = security_bounded_transition(tsec->sid, sid); 5923 if (error) 5924 goto abort_change; 5925 } 5926 5927 /* Check permissions for the transition. */ 5928 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 5929 PROCESS__DYNTRANSITION, NULL); 5930 if (error) 5931 goto abort_change; 5932 5933 /* Check for ptracing, and update the task SID if ok. 5934 Otherwise, leave SID unchanged and fail. */ 5935 ptsid = ptrace_parent_sid(p); 5936 if (ptsid != 0) { 5937 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 5938 PROCESS__PTRACE, NULL); 5939 if (error) 5940 goto abort_change; 5941 } 5942 5943 tsec->sid = sid; 5944 } else { 5945 error = -EINVAL; 5946 goto abort_change; 5947 } 5948 5949 commit_creds(new); 5950 return size; 5951 5952 abort_change: 5953 abort_creds(new); 5954 return error; 5955 } 5956 5957 static int selinux_ismaclabel(const char *name) 5958 { 5959 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 5960 } 5961 5962 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 5963 { 5964 return security_sid_to_context(secid, secdata, seclen); 5965 } 5966 5967 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 5968 { 5969 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL); 5970 } 5971 5972 static void selinux_release_secctx(char *secdata, u32 seclen) 5973 { 5974 kfree(secdata); 5975 } 5976 5977 static void selinux_inode_invalidate_secctx(struct inode *inode) 5978 { 5979 struct inode_security_struct *isec = inode->i_security; 5980 5981 mutex_lock(&isec->lock); 5982 isec->initialized = LABEL_INVALID; 5983 mutex_unlock(&isec->lock); 5984 } 5985 5986 /* 5987 * called with inode->i_mutex locked 5988 */ 5989 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 5990 { 5991 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 5992 } 5993 5994 /* 5995 * called with inode->i_mutex locked 5996 */ 5997 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 5998 { 5999 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 6000 } 6001 6002 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6003 { 6004 int len = 0; 6005 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 6006 ctx, true); 6007 if (len < 0) 6008 return len; 6009 *ctxlen = len; 6010 return 0; 6011 } 6012 #ifdef CONFIG_KEYS 6013 6014 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6015 unsigned long flags) 6016 { 6017 const struct task_security_struct *tsec; 6018 struct key_security_struct *ksec; 6019 6020 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6021 if (!ksec) 6022 return -ENOMEM; 6023 6024 tsec = cred->security; 6025 if (tsec->keycreate_sid) 6026 ksec->sid = tsec->keycreate_sid; 6027 else 6028 ksec->sid = tsec->sid; 6029 6030 k->security = ksec; 6031 return 0; 6032 } 6033 6034 static void selinux_key_free(struct key *k) 6035 { 6036 struct key_security_struct *ksec = k->security; 6037 6038 k->security = NULL; 6039 kfree(ksec); 6040 } 6041 6042 static int selinux_key_permission(key_ref_t key_ref, 6043 const struct cred *cred, 6044 unsigned perm) 6045 { 6046 struct key *key; 6047 struct key_security_struct *ksec; 6048 u32 sid; 6049 6050 /* if no specific permissions are requested, we skip the 6051 permission check. No serious, additional covert channels 6052 appear to be created. */ 6053 if (perm == 0) 6054 return 0; 6055 6056 sid = cred_sid(cred); 6057 6058 key = key_ref_to_ptr(key_ref); 6059 ksec = key->security; 6060 6061 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6062 } 6063 6064 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6065 { 6066 struct key_security_struct *ksec = key->security; 6067 char *context = NULL; 6068 unsigned len; 6069 int rc; 6070 6071 rc = security_sid_to_context(ksec->sid, &context, &len); 6072 if (!rc) 6073 rc = len; 6074 *_buffer = context; 6075 return rc; 6076 } 6077 6078 #endif 6079 6080 static struct security_hook_list selinux_hooks[] = { 6081 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6082 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6083 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6084 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6085 6086 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 6087 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 6088 LSM_HOOK_INIT(capget, selinux_capget), 6089 LSM_HOOK_INIT(capset, selinux_capset), 6090 LSM_HOOK_INIT(capable, selinux_capable), 6091 LSM_HOOK_INIT(quotactl, selinux_quotactl), 6092 LSM_HOOK_INIT(quota_on, selinux_quota_on), 6093 LSM_HOOK_INIT(syslog, selinux_syslog), 6094 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6095 6096 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6097 6098 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6099 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6100 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6101 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec), 6102 6103 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6104 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6105 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data), 6106 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6107 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6108 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6109 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 6110 LSM_HOOK_INIT(sb_mount, selinux_mount), 6111 LSM_HOOK_INIT(sb_umount, selinux_umount), 6112 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 6113 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 6114 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), 6115 6116 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 6117 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 6118 6119 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 6120 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 6121 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 6122 LSM_HOOK_INIT(inode_create, selinux_inode_create), 6123 LSM_HOOK_INIT(inode_link, selinux_inode_link), 6124 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 6125 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 6126 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 6127 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 6128 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 6129 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 6130 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 6131 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 6132 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 6133 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 6134 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 6135 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 6136 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 6137 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 6138 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 6139 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 6140 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 6141 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 6142 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 6143 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 6144 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 6145 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 6146 6147 LSM_HOOK_INIT(file_permission, selinux_file_permission), 6148 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 6149 LSM_HOOK_INIT(file_free_security, selinux_file_free_security), 6150 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 6151 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 6152 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 6153 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 6154 LSM_HOOK_INIT(file_lock, selinux_file_lock), 6155 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 6156 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 6157 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 6158 LSM_HOOK_INIT(file_receive, selinux_file_receive), 6159 6160 LSM_HOOK_INIT(file_open, selinux_file_open), 6161 6162 LSM_HOOK_INIT(task_create, selinux_task_create), 6163 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), 6164 LSM_HOOK_INIT(cred_free, selinux_cred_free), 6165 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6166 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6167 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6168 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6169 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6170 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 6171 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 6172 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 6173 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 6174 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), 6175 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 6176 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 6177 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 6178 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 6179 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 6180 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 6181 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 6182 LSM_HOOK_INIT(task_kill, selinux_task_kill), 6183 LSM_HOOK_INIT(task_wait, selinux_task_wait), 6184 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 6185 6186 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 6187 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 6188 6189 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 6190 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security), 6191 6192 LSM_HOOK_INIT(msg_queue_alloc_security, 6193 selinux_msg_queue_alloc_security), 6194 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security), 6195 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 6196 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 6197 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 6198 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 6199 6200 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 6201 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security), 6202 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 6203 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 6204 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 6205 6206 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 6207 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security), 6208 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 6209 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 6210 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 6211 6212 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 6213 6214 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 6215 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 6216 6217 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 6218 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 6219 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 6220 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 6221 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 6222 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 6223 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 6224 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 6225 6226 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 6227 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 6228 6229 LSM_HOOK_INIT(socket_create, selinux_socket_create), 6230 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 6231 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 6232 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 6233 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 6234 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 6235 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 6236 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 6237 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 6238 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 6239 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 6240 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 6241 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 6242 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 6243 LSM_HOOK_INIT(socket_getpeersec_stream, 6244 selinux_socket_getpeersec_stream), 6245 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 6246 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 6247 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 6248 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 6249 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 6250 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 6251 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 6252 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 6253 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 6254 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 6255 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 6256 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 6257 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 6258 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 6259 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 6260 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 6261 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 6262 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 6263 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 6264 6265 #ifdef CONFIG_SECURITY_NETWORK_XFRM 6266 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 6267 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 6268 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 6269 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 6270 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 6271 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 6272 selinux_xfrm_state_alloc_acquire), 6273 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 6274 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 6275 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 6276 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 6277 selinux_xfrm_state_pol_flow_match), 6278 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 6279 #endif 6280 6281 #ifdef CONFIG_KEYS 6282 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 6283 LSM_HOOK_INIT(key_free, selinux_key_free), 6284 LSM_HOOK_INIT(key_permission, selinux_key_permission), 6285 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 6286 #endif 6287 6288 #ifdef CONFIG_AUDIT 6289 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 6290 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 6291 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 6292 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 6293 #endif 6294 }; 6295 6296 static __init int selinux_init(void) 6297 { 6298 if (!security_module_enable("selinux")) { 6299 selinux_enabled = 0; 6300 return 0; 6301 } 6302 6303 if (!selinux_enabled) { 6304 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 6305 return 0; 6306 } 6307 6308 printk(KERN_INFO "SELinux: Initializing.\n"); 6309 6310 /* Set the security state for the initial task. */ 6311 cred_init_security(); 6312 6313 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 6314 6315 sel_inode_cache = kmem_cache_create("selinux_inode_security", 6316 sizeof(struct inode_security_struct), 6317 0, SLAB_PANIC, NULL); 6318 file_security_cache = kmem_cache_create("selinux_file_security", 6319 sizeof(struct file_security_struct), 6320 0, SLAB_PANIC, NULL); 6321 avc_init(); 6322 6323 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 6324 6325 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 6326 panic("SELinux: Unable to register AVC netcache callback\n"); 6327 6328 if (selinux_enforcing) 6329 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 6330 else 6331 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 6332 6333 return 0; 6334 } 6335 6336 static void delayed_superblock_init(struct super_block *sb, void *unused) 6337 { 6338 superblock_doinit(sb, NULL); 6339 } 6340 6341 void selinux_complete_init(void) 6342 { 6343 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 6344 6345 /* Set up any superblocks initialized prior to the policy load. */ 6346 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 6347 iterate_supers(delayed_superblock_init, NULL); 6348 } 6349 6350 /* SELinux requires early initialization in order to label 6351 all processes and objects when they are created. */ 6352 security_initcall(selinux_init); 6353 6354 #if defined(CONFIG_NETFILTER) 6355 6356 static struct nf_hook_ops selinux_nf_ops[] = { 6357 { 6358 .hook = selinux_ipv4_postroute, 6359 .pf = NFPROTO_IPV4, 6360 .hooknum = NF_INET_POST_ROUTING, 6361 .priority = NF_IP_PRI_SELINUX_LAST, 6362 }, 6363 { 6364 .hook = selinux_ipv4_forward, 6365 .pf = NFPROTO_IPV4, 6366 .hooknum = NF_INET_FORWARD, 6367 .priority = NF_IP_PRI_SELINUX_FIRST, 6368 }, 6369 { 6370 .hook = selinux_ipv4_output, 6371 .pf = NFPROTO_IPV4, 6372 .hooknum = NF_INET_LOCAL_OUT, 6373 .priority = NF_IP_PRI_SELINUX_FIRST, 6374 }, 6375 #if IS_ENABLED(CONFIG_IPV6) 6376 { 6377 .hook = selinux_ipv6_postroute, 6378 .pf = NFPROTO_IPV6, 6379 .hooknum = NF_INET_POST_ROUTING, 6380 .priority = NF_IP6_PRI_SELINUX_LAST, 6381 }, 6382 { 6383 .hook = selinux_ipv6_forward, 6384 .pf = NFPROTO_IPV6, 6385 .hooknum = NF_INET_FORWARD, 6386 .priority = NF_IP6_PRI_SELINUX_FIRST, 6387 }, 6388 { 6389 .hook = selinux_ipv6_output, 6390 .pf = NFPROTO_IPV6, 6391 .hooknum = NF_INET_LOCAL_OUT, 6392 .priority = NF_IP6_PRI_SELINUX_FIRST, 6393 }, 6394 #endif /* IPV6 */ 6395 }; 6396 6397 static int __init selinux_nf_ip_init(void) 6398 { 6399 int err; 6400 6401 if (!selinux_enabled) 6402 return 0; 6403 6404 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 6405 6406 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops)); 6407 if (err) 6408 panic("SELinux: nf_register_hooks: error %d\n", err); 6409 6410 return 0; 6411 } 6412 6413 __initcall(selinux_nf_ip_init); 6414 6415 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6416 static void selinux_nf_ip_exit(void) 6417 { 6418 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 6419 6420 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops)); 6421 } 6422 #endif 6423 6424 #else /* CONFIG_NETFILTER */ 6425 6426 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6427 #define selinux_nf_ip_exit() 6428 #endif 6429 6430 #endif /* CONFIG_NETFILTER */ 6431 6432 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6433 static int selinux_disabled; 6434 6435 int selinux_disable(void) 6436 { 6437 if (ss_initialized) { 6438 /* Not permitted after initial policy load. */ 6439 return -EINVAL; 6440 } 6441 6442 if (selinux_disabled) { 6443 /* Only do this once. */ 6444 return -EINVAL; 6445 } 6446 6447 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 6448 6449 selinux_disabled = 1; 6450 selinux_enabled = 0; 6451 6452 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 6453 6454 /* Try to destroy the avc node cache */ 6455 avc_disable(); 6456 6457 /* Unregister netfilter hooks. */ 6458 selinux_nf_ip_exit(); 6459 6460 /* Unregister selinuxfs. */ 6461 exit_sel_fs(); 6462 6463 return 0; 6464 } 6465 #endif 6466