1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * NSA Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 8 * Chris Vance, <cvance@nai.com> 9 * Wayne Salamon, <wsalamon@nai.com> 10 * James Morris <jmorris@redhat.com> 11 * 12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 14 * Eric Paris <eparis@redhat.com> 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 16 * <dgoeddel@trustedcs.com> 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 18 * Paul Moore <paul@paul-moore.com> 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 20 * Yuichi Nakamura <ynakam@hitachisoft.jp> 21 * Copyright (C) 2016 Mellanox Technologies 22 */ 23 24 #include <linux/init.h> 25 #include <linux/kd.h> 26 #include <linux/kernel.h> 27 #include <linux/kernel_read_file.h> 28 #include <linux/tracehook.h> 29 #include <linux/errno.h> 30 #include <linux/sched/signal.h> 31 #include <linux/sched/task.h> 32 #include <linux/lsm_hooks.h> 33 #include <linux/xattr.h> 34 #include <linux/capability.h> 35 #include <linux/unistd.h> 36 #include <linux/mm.h> 37 #include <linux/mman.h> 38 #include <linux/slab.h> 39 #include <linux/pagemap.h> 40 #include <linux/proc_fs.h> 41 #include <linux/swap.h> 42 #include <linux/spinlock.h> 43 #include <linux/syscalls.h> 44 #include <linux/dcache.h> 45 #include <linux/file.h> 46 #include <linux/fdtable.h> 47 #include <linux/namei.h> 48 #include <linux/mount.h> 49 #include <linux/fs_context.h> 50 #include <linux/fs_parser.h> 51 #include <linux/netfilter_ipv4.h> 52 #include <linux/netfilter_ipv6.h> 53 #include <linux/tty.h> 54 #include <net/icmp.h> 55 #include <net/ip.h> /* for local_port_range[] */ 56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 57 #include <net/inet_connection_sock.h> 58 #include <net/net_namespace.h> 59 #include <net/netlabel.h> 60 #include <linux/uaccess.h> 61 #include <asm/ioctls.h> 62 #include <linux/atomic.h> 63 #include <linux/bitops.h> 64 #include <linux/interrupt.h> 65 #include <linux/netdevice.h> /* for network interface checks */ 66 #include <net/netlink.h> 67 #include <linux/tcp.h> 68 #include <linux/udp.h> 69 #include <linux/dccp.h> 70 #include <linux/sctp.h> 71 #include <net/sctp/structs.h> 72 #include <linux/quota.h> 73 #include <linux/un.h> /* for Unix socket types */ 74 #include <net/af_unix.h> /* for Unix socket types */ 75 #include <linux/parser.h> 76 #include <linux/nfs_mount.h> 77 #include <net/ipv6.h> 78 #include <linux/hugetlb.h> 79 #include <linux/personality.h> 80 #include <linux/audit.h> 81 #include <linux/string.h> 82 #include <linux/mutex.h> 83 #include <linux/posix-timers.h> 84 #include <linux/syslog.h> 85 #include <linux/user_namespace.h> 86 #include <linux/export.h> 87 #include <linux/msg.h> 88 #include <linux/shm.h> 89 #include <linux/bpf.h> 90 #include <linux/kernfs.h> 91 #include <linux/stringhash.h> /* for hashlen_string() */ 92 #include <uapi/linux/mount.h> 93 #include <linux/fsnotify.h> 94 #include <linux/fanotify.h> 95 96 #include "avc.h" 97 #include "objsec.h" 98 #include "netif.h" 99 #include "netnode.h" 100 #include "netport.h" 101 #include "ibpkey.h" 102 #include "xfrm.h" 103 #include "netlabel.h" 104 #include "audit.h" 105 #include "avc_ss.h" 106 107 struct selinux_state selinux_state; 108 109 /* SECMARK reference count */ 110 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 111 112 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 113 static int selinux_enforcing_boot __initdata; 114 115 static int __init enforcing_setup(char *str) 116 { 117 unsigned long enforcing; 118 if (!kstrtoul(str, 0, &enforcing)) 119 selinux_enforcing_boot = enforcing ? 1 : 0; 120 return 1; 121 } 122 __setup("enforcing=", enforcing_setup); 123 #else 124 #define selinux_enforcing_boot 1 125 #endif 126 127 int selinux_enabled_boot __initdata = 1; 128 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 129 static int __init selinux_enabled_setup(char *str) 130 { 131 unsigned long enabled; 132 if (!kstrtoul(str, 0, &enabled)) 133 selinux_enabled_boot = enabled ? 1 : 0; 134 return 1; 135 } 136 __setup("selinux=", selinux_enabled_setup); 137 #endif 138 139 static unsigned int selinux_checkreqprot_boot = 140 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 141 142 static int __init checkreqprot_setup(char *str) 143 { 144 unsigned long checkreqprot; 145 146 if (!kstrtoul(str, 0, &checkreqprot)) { 147 selinux_checkreqprot_boot = checkreqprot ? 1 : 0; 148 if (checkreqprot) 149 pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n"); 150 } 151 return 1; 152 } 153 __setup("checkreqprot=", checkreqprot_setup); 154 155 /** 156 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 157 * 158 * Description: 159 * This function checks the SECMARK reference counter to see if any SECMARK 160 * targets are currently configured, if the reference counter is greater than 161 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 162 * enabled, false (0) if SECMARK is disabled. If the always_check_network 163 * policy capability is enabled, SECMARK is always considered enabled. 164 * 165 */ 166 static int selinux_secmark_enabled(void) 167 { 168 return (selinux_policycap_alwaysnetwork() || 169 atomic_read(&selinux_secmark_refcount)); 170 } 171 172 /** 173 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 174 * 175 * Description: 176 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 177 * (1) if any are enabled or false (0) if neither are enabled. If the 178 * always_check_network policy capability is enabled, peer labeling 179 * is always considered enabled. 180 * 181 */ 182 static int selinux_peerlbl_enabled(void) 183 { 184 return (selinux_policycap_alwaysnetwork() || 185 netlbl_enabled() || selinux_xfrm_enabled()); 186 } 187 188 static int selinux_netcache_avc_callback(u32 event) 189 { 190 if (event == AVC_CALLBACK_RESET) { 191 sel_netif_flush(); 192 sel_netnode_flush(); 193 sel_netport_flush(); 194 synchronize_net(); 195 } 196 return 0; 197 } 198 199 static int selinux_lsm_notifier_avc_callback(u32 event) 200 { 201 if (event == AVC_CALLBACK_RESET) { 202 sel_ib_pkey_flush(); 203 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); 204 } 205 206 return 0; 207 } 208 209 /* 210 * initialise the security for the init task 211 */ 212 static void cred_init_security(void) 213 { 214 struct cred *cred = (struct cred *) current->real_cred; 215 struct task_security_struct *tsec; 216 217 tsec = selinux_cred(cred); 218 tsec->osid = tsec->sid = SECINITSID_KERNEL; 219 } 220 221 /* 222 * get the security ID of a set of credentials 223 */ 224 static inline u32 cred_sid(const struct cred *cred) 225 { 226 const struct task_security_struct *tsec; 227 228 tsec = selinux_cred(cred); 229 return tsec->sid; 230 } 231 232 /* 233 * get the subjective security ID of a task 234 */ 235 static inline u32 task_sid_subj(const struct task_struct *task) 236 { 237 u32 sid; 238 239 rcu_read_lock(); 240 sid = cred_sid(rcu_dereference(task->cred)); 241 rcu_read_unlock(); 242 return sid; 243 } 244 245 /* 246 * get the objective security ID of a task 247 */ 248 static inline u32 task_sid_obj(const struct task_struct *task) 249 { 250 u32 sid; 251 252 rcu_read_lock(); 253 sid = cred_sid(__task_cred(task)); 254 rcu_read_unlock(); 255 return sid; 256 } 257 258 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 259 260 /* 261 * Try reloading inode security labels that have been marked as invalid. The 262 * @may_sleep parameter indicates when sleeping and thus reloading labels is 263 * allowed; when set to false, returns -ECHILD when the label is 264 * invalid. The @dentry parameter should be set to a dentry of the inode. 265 */ 266 static int __inode_security_revalidate(struct inode *inode, 267 struct dentry *dentry, 268 bool may_sleep) 269 { 270 struct inode_security_struct *isec = selinux_inode(inode); 271 272 might_sleep_if(may_sleep); 273 274 if (selinux_initialized(&selinux_state) && 275 isec->initialized != LABEL_INITIALIZED) { 276 if (!may_sleep) 277 return -ECHILD; 278 279 /* 280 * Try reloading the inode security label. This will fail if 281 * @opt_dentry is NULL and no dentry for this inode can be 282 * found; in that case, continue using the old label. 283 */ 284 inode_doinit_with_dentry(inode, dentry); 285 } 286 return 0; 287 } 288 289 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 290 { 291 return selinux_inode(inode); 292 } 293 294 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 295 { 296 int error; 297 298 error = __inode_security_revalidate(inode, NULL, !rcu); 299 if (error) 300 return ERR_PTR(error); 301 return selinux_inode(inode); 302 } 303 304 /* 305 * Get the security label of an inode. 306 */ 307 static struct inode_security_struct *inode_security(struct inode *inode) 308 { 309 __inode_security_revalidate(inode, NULL, true); 310 return selinux_inode(inode); 311 } 312 313 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 314 { 315 struct inode *inode = d_backing_inode(dentry); 316 317 return selinux_inode(inode); 318 } 319 320 /* 321 * Get the security label of a dentry's backing inode. 322 */ 323 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 324 { 325 struct inode *inode = d_backing_inode(dentry); 326 327 __inode_security_revalidate(inode, dentry, true); 328 return selinux_inode(inode); 329 } 330 331 static void inode_free_security(struct inode *inode) 332 { 333 struct inode_security_struct *isec = selinux_inode(inode); 334 struct superblock_security_struct *sbsec; 335 336 if (!isec) 337 return; 338 sbsec = selinux_superblock(inode->i_sb); 339 /* 340 * As not all inode security structures are in a list, we check for 341 * empty list outside of the lock to make sure that we won't waste 342 * time taking a lock doing nothing. 343 * 344 * The list_del_init() function can be safely called more than once. 345 * It should not be possible for this function to be called with 346 * concurrent list_add(), but for better safety against future changes 347 * in the code, we use list_empty_careful() here. 348 */ 349 if (!list_empty_careful(&isec->list)) { 350 spin_lock(&sbsec->isec_lock); 351 list_del_init(&isec->list); 352 spin_unlock(&sbsec->isec_lock); 353 } 354 } 355 356 struct selinux_mnt_opts { 357 const char *fscontext, *context, *rootcontext, *defcontext; 358 }; 359 360 static void selinux_free_mnt_opts(void *mnt_opts) 361 { 362 struct selinux_mnt_opts *opts = mnt_opts; 363 kfree(opts->fscontext); 364 kfree(opts->context); 365 kfree(opts->rootcontext); 366 kfree(opts->defcontext); 367 kfree(opts); 368 } 369 370 enum { 371 Opt_error = -1, 372 Opt_context = 0, 373 Opt_defcontext = 1, 374 Opt_fscontext = 2, 375 Opt_rootcontext = 3, 376 Opt_seclabel = 4, 377 }; 378 379 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} 380 static struct { 381 const char *name; 382 int len; 383 int opt; 384 bool has_arg; 385 } tokens[] = { 386 A(context, true), 387 A(fscontext, true), 388 A(defcontext, true), 389 A(rootcontext, true), 390 A(seclabel, false), 391 }; 392 #undef A 393 394 static int match_opt_prefix(char *s, int l, char **arg) 395 { 396 int i; 397 398 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 399 size_t len = tokens[i].len; 400 if (len > l || memcmp(s, tokens[i].name, len)) 401 continue; 402 if (tokens[i].has_arg) { 403 if (len == l || s[len] != '=') 404 continue; 405 *arg = s + len + 1; 406 } else if (len != l) 407 continue; 408 return tokens[i].opt; 409 } 410 return Opt_error; 411 } 412 413 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 414 415 static int may_context_mount_sb_relabel(u32 sid, 416 struct superblock_security_struct *sbsec, 417 const struct cred *cred) 418 { 419 const struct task_security_struct *tsec = selinux_cred(cred); 420 int rc; 421 422 rc = avc_has_perm(&selinux_state, 423 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 424 FILESYSTEM__RELABELFROM, NULL); 425 if (rc) 426 return rc; 427 428 rc = avc_has_perm(&selinux_state, 429 tsec->sid, sid, SECCLASS_FILESYSTEM, 430 FILESYSTEM__RELABELTO, NULL); 431 return rc; 432 } 433 434 static int may_context_mount_inode_relabel(u32 sid, 435 struct superblock_security_struct *sbsec, 436 const struct cred *cred) 437 { 438 const struct task_security_struct *tsec = selinux_cred(cred); 439 int rc; 440 rc = avc_has_perm(&selinux_state, 441 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 442 FILESYSTEM__RELABELFROM, NULL); 443 if (rc) 444 return rc; 445 446 rc = avc_has_perm(&selinux_state, 447 sid, sbsec->sid, SECCLASS_FILESYSTEM, 448 FILESYSTEM__ASSOCIATE, NULL); 449 return rc; 450 } 451 452 static int selinux_is_genfs_special_handling(struct super_block *sb) 453 { 454 /* Special handling. Genfs but also in-core setxattr handler */ 455 return !strcmp(sb->s_type->name, "sysfs") || 456 !strcmp(sb->s_type->name, "pstore") || 457 !strcmp(sb->s_type->name, "debugfs") || 458 !strcmp(sb->s_type->name, "tracefs") || 459 !strcmp(sb->s_type->name, "rootfs") || 460 (selinux_policycap_cgroupseclabel() && 461 (!strcmp(sb->s_type->name, "cgroup") || 462 !strcmp(sb->s_type->name, "cgroup2"))); 463 } 464 465 static int selinux_is_sblabel_mnt(struct super_block *sb) 466 { 467 struct superblock_security_struct *sbsec = selinux_superblock(sb); 468 469 /* 470 * IMPORTANT: Double-check logic in this function when adding a new 471 * SECURITY_FS_USE_* definition! 472 */ 473 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); 474 475 switch (sbsec->behavior) { 476 case SECURITY_FS_USE_XATTR: 477 case SECURITY_FS_USE_TRANS: 478 case SECURITY_FS_USE_TASK: 479 case SECURITY_FS_USE_NATIVE: 480 return 1; 481 482 case SECURITY_FS_USE_GENFS: 483 return selinux_is_genfs_special_handling(sb); 484 485 /* Never allow relabeling on context mounts */ 486 case SECURITY_FS_USE_MNTPOINT: 487 case SECURITY_FS_USE_NONE: 488 default: 489 return 0; 490 } 491 } 492 493 static int sb_check_xattr_support(struct super_block *sb) 494 { 495 struct superblock_security_struct *sbsec = sb->s_security; 496 struct dentry *root = sb->s_root; 497 struct inode *root_inode = d_backing_inode(root); 498 u32 sid; 499 int rc; 500 501 /* 502 * Make sure that the xattr handler exists and that no 503 * error other than -ENODATA is returned by getxattr on 504 * the root directory. -ENODATA is ok, as this may be 505 * the first boot of the SELinux kernel before we have 506 * assigned xattr values to the filesystem. 507 */ 508 if (!(root_inode->i_opflags & IOP_XATTR)) { 509 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n", 510 sb->s_id, sb->s_type->name); 511 goto fallback; 512 } 513 514 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 515 if (rc < 0 && rc != -ENODATA) { 516 if (rc == -EOPNOTSUPP) { 517 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n", 518 sb->s_id, sb->s_type->name); 519 goto fallback; 520 } else { 521 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n", 522 sb->s_id, sb->s_type->name, -rc); 523 return rc; 524 } 525 } 526 return 0; 527 528 fallback: 529 /* No xattr support - try to fallback to genfs if possible. */ 530 rc = security_genfs_sid(&selinux_state, sb->s_type->name, "/", 531 SECCLASS_DIR, &sid); 532 if (rc) 533 return -EOPNOTSUPP; 534 535 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n", 536 sb->s_id, sb->s_type->name); 537 sbsec->behavior = SECURITY_FS_USE_GENFS; 538 sbsec->sid = sid; 539 return 0; 540 } 541 542 static int sb_finish_set_opts(struct super_block *sb) 543 { 544 struct superblock_security_struct *sbsec = selinux_superblock(sb); 545 struct dentry *root = sb->s_root; 546 struct inode *root_inode = d_backing_inode(root); 547 int rc = 0; 548 549 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 550 rc = sb_check_xattr_support(sb); 551 if (rc) 552 return rc; 553 } 554 555 sbsec->flags |= SE_SBINITIALIZED; 556 557 /* 558 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 559 * leave the flag untouched because sb_clone_mnt_opts might be handing 560 * us a superblock that needs the flag to be cleared. 561 */ 562 if (selinux_is_sblabel_mnt(sb)) 563 sbsec->flags |= SBLABEL_MNT; 564 else 565 sbsec->flags &= ~SBLABEL_MNT; 566 567 /* Initialize the root inode. */ 568 rc = inode_doinit_with_dentry(root_inode, root); 569 570 /* Initialize any other inodes associated with the superblock, e.g. 571 inodes created prior to initial policy load or inodes created 572 during get_sb by a pseudo filesystem that directly 573 populates itself. */ 574 spin_lock(&sbsec->isec_lock); 575 while (!list_empty(&sbsec->isec_head)) { 576 struct inode_security_struct *isec = 577 list_first_entry(&sbsec->isec_head, 578 struct inode_security_struct, list); 579 struct inode *inode = isec->inode; 580 list_del_init(&isec->list); 581 spin_unlock(&sbsec->isec_lock); 582 inode = igrab(inode); 583 if (inode) { 584 if (!IS_PRIVATE(inode)) 585 inode_doinit_with_dentry(inode, NULL); 586 iput(inode); 587 } 588 spin_lock(&sbsec->isec_lock); 589 } 590 spin_unlock(&sbsec->isec_lock); 591 return rc; 592 } 593 594 static int bad_option(struct superblock_security_struct *sbsec, char flag, 595 u32 old_sid, u32 new_sid) 596 { 597 char mnt_flags = sbsec->flags & SE_MNTMASK; 598 599 /* check if the old mount command had the same options */ 600 if (sbsec->flags & SE_SBINITIALIZED) 601 if (!(sbsec->flags & flag) || 602 (old_sid != new_sid)) 603 return 1; 604 605 /* check if we were passed the same options twice, 606 * aka someone passed context=a,context=b 607 */ 608 if (!(sbsec->flags & SE_SBINITIALIZED)) 609 if (mnt_flags & flag) 610 return 1; 611 return 0; 612 } 613 614 static int parse_sid(struct super_block *sb, const char *s, u32 *sid) 615 { 616 int rc = security_context_str_to_sid(&selinux_state, s, 617 sid, GFP_KERNEL); 618 if (rc) 619 pr_warn("SELinux: security_context_str_to_sid" 620 "(%s) failed for (dev %s, type %s) errno=%d\n", 621 s, sb->s_id, sb->s_type->name, rc); 622 return rc; 623 } 624 625 /* 626 * Allow filesystems with binary mount data to explicitly set mount point 627 * labeling information. 628 */ 629 static int selinux_set_mnt_opts(struct super_block *sb, 630 void *mnt_opts, 631 unsigned long kern_flags, 632 unsigned long *set_kern_flags) 633 { 634 const struct cred *cred = current_cred(); 635 struct superblock_security_struct *sbsec = selinux_superblock(sb); 636 struct dentry *root = sb->s_root; 637 struct selinux_mnt_opts *opts = mnt_opts; 638 struct inode_security_struct *root_isec; 639 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 640 u32 defcontext_sid = 0; 641 int rc = 0; 642 643 mutex_lock(&sbsec->lock); 644 645 if (!selinux_initialized(&selinux_state)) { 646 if (!opts) { 647 /* Defer initialization until selinux_complete_init, 648 after the initial policy is loaded and the security 649 server is ready to handle calls. */ 650 goto out; 651 } 652 rc = -EINVAL; 653 pr_warn("SELinux: Unable to set superblock options " 654 "before the security server is initialized\n"); 655 goto out; 656 } 657 if (kern_flags && !set_kern_flags) { 658 /* Specifying internal flags without providing a place to 659 * place the results is not allowed */ 660 rc = -EINVAL; 661 goto out; 662 } 663 664 /* 665 * Binary mount data FS will come through this function twice. Once 666 * from an explicit call and once from the generic calls from the vfs. 667 * Since the generic VFS calls will not contain any security mount data 668 * we need to skip the double mount verification. 669 * 670 * This does open a hole in which we will not notice if the first 671 * mount using this sb set explict options and a second mount using 672 * this sb does not set any security options. (The first options 673 * will be used for both mounts) 674 */ 675 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 676 && !opts) 677 goto out; 678 679 root_isec = backing_inode_security_novalidate(root); 680 681 /* 682 * parse the mount options, check if they are valid sids. 683 * also check if someone is trying to mount the same sb more 684 * than once with different security options. 685 */ 686 if (opts) { 687 if (opts->fscontext) { 688 rc = parse_sid(sb, opts->fscontext, &fscontext_sid); 689 if (rc) 690 goto out; 691 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 692 fscontext_sid)) 693 goto out_double_mount; 694 sbsec->flags |= FSCONTEXT_MNT; 695 } 696 if (opts->context) { 697 rc = parse_sid(sb, opts->context, &context_sid); 698 if (rc) 699 goto out; 700 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 701 context_sid)) 702 goto out_double_mount; 703 sbsec->flags |= CONTEXT_MNT; 704 } 705 if (opts->rootcontext) { 706 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid); 707 if (rc) 708 goto out; 709 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 710 rootcontext_sid)) 711 goto out_double_mount; 712 sbsec->flags |= ROOTCONTEXT_MNT; 713 } 714 if (opts->defcontext) { 715 rc = parse_sid(sb, opts->defcontext, &defcontext_sid); 716 if (rc) 717 goto out; 718 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 719 defcontext_sid)) 720 goto out_double_mount; 721 sbsec->flags |= DEFCONTEXT_MNT; 722 } 723 } 724 725 if (sbsec->flags & SE_SBINITIALIZED) { 726 /* previously mounted with options, but not on this attempt? */ 727 if ((sbsec->flags & SE_MNTMASK) && !opts) 728 goto out_double_mount; 729 rc = 0; 730 goto out; 731 } 732 733 if (strcmp(sb->s_type->name, "proc") == 0) 734 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 735 736 if (!strcmp(sb->s_type->name, "debugfs") || 737 !strcmp(sb->s_type->name, "tracefs") || 738 !strcmp(sb->s_type->name, "binder") || 739 !strcmp(sb->s_type->name, "bpf") || 740 !strcmp(sb->s_type->name, "pstore") || 741 !strcmp(sb->s_type->name, "securityfs")) 742 sbsec->flags |= SE_SBGENFS; 743 744 if (!strcmp(sb->s_type->name, "sysfs") || 745 !strcmp(sb->s_type->name, "cgroup") || 746 !strcmp(sb->s_type->name, "cgroup2")) 747 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR; 748 749 if (!sbsec->behavior) { 750 /* 751 * Determine the labeling behavior to use for this 752 * filesystem type. 753 */ 754 rc = security_fs_use(&selinux_state, sb); 755 if (rc) { 756 pr_warn("%s: security_fs_use(%s) returned %d\n", 757 __func__, sb->s_type->name, rc); 758 goto out; 759 } 760 } 761 762 /* 763 * If this is a user namespace mount and the filesystem type is not 764 * explicitly whitelisted, then no contexts are allowed on the command 765 * line and security labels must be ignored. 766 */ 767 if (sb->s_user_ns != &init_user_ns && 768 strcmp(sb->s_type->name, "tmpfs") && 769 strcmp(sb->s_type->name, "ramfs") && 770 strcmp(sb->s_type->name, "devpts") && 771 strcmp(sb->s_type->name, "overlay")) { 772 if (context_sid || fscontext_sid || rootcontext_sid || 773 defcontext_sid) { 774 rc = -EACCES; 775 goto out; 776 } 777 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 778 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 779 rc = security_transition_sid(&selinux_state, 780 current_sid(), 781 current_sid(), 782 SECCLASS_FILE, NULL, 783 &sbsec->mntpoint_sid); 784 if (rc) 785 goto out; 786 } 787 goto out_set_opts; 788 } 789 790 /* sets the context of the superblock for the fs being mounted. */ 791 if (fscontext_sid) { 792 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 793 if (rc) 794 goto out; 795 796 sbsec->sid = fscontext_sid; 797 } 798 799 /* 800 * Switch to using mount point labeling behavior. 801 * sets the label used on all file below the mountpoint, and will set 802 * the superblock context if not already set. 803 */ 804 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 805 sbsec->behavior = SECURITY_FS_USE_NATIVE; 806 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 807 } 808 809 if (context_sid) { 810 if (!fscontext_sid) { 811 rc = may_context_mount_sb_relabel(context_sid, sbsec, 812 cred); 813 if (rc) 814 goto out; 815 sbsec->sid = context_sid; 816 } else { 817 rc = may_context_mount_inode_relabel(context_sid, sbsec, 818 cred); 819 if (rc) 820 goto out; 821 } 822 if (!rootcontext_sid) 823 rootcontext_sid = context_sid; 824 825 sbsec->mntpoint_sid = context_sid; 826 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 827 } 828 829 if (rootcontext_sid) { 830 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 831 cred); 832 if (rc) 833 goto out; 834 835 root_isec->sid = rootcontext_sid; 836 root_isec->initialized = LABEL_INITIALIZED; 837 } 838 839 if (defcontext_sid) { 840 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 841 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 842 rc = -EINVAL; 843 pr_warn("SELinux: defcontext option is " 844 "invalid for this filesystem type\n"); 845 goto out; 846 } 847 848 if (defcontext_sid != sbsec->def_sid) { 849 rc = may_context_mount_inode_relabel(defcontext_sid, 850 sbsec, cred); 851 if (rc) 852 goto out; 853 } 854 855 sbsec->def_sid = defcontext_sid; 856 } 857 858 out_set_opts: 859 rc = sb_finish_set_opts(sb); 860 out: 861 mutex_unlock(&sbsec->lock); 862 return rc; 863 out_double_mount: 864 rc = -EINVAL; 865 pr_warn("SELinux: mount invalid. Same superblock, different " 866 "security settings for (dev %s, type %s)\n", sb->s_id, 867 sb->s_type->name); 868 goto out; 869 } 870 871 static int selinux_cmp_sb_context(const struct super_block *oldsb, 872 const struct super_block *newsb) 873 { 874 struct superblock_security_struct *old = selinux_superblock(oldsb); 875 struct superblock_security_struct *new = selinux_superblock(newsb); 876 char oldflags = old->flags & SE_MNTMASK; 877 char newflags = new->flags & SE_MNTMASK; 878 879 if (oldflags != newflags) 880 goto mismatch; 881 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 882 goto mismatch; 883 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 884 goto mismatch; 885 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 886 goto mismatch; 887 if (oldflags & ROOTCONTEXT_MNT) { 888 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 889 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 890 if (oldroot->sid != newroot->sid) 891 goto mismatch; 892 } 893 return 0; 894 mismatch: 895 pr_warn("SELinux: mount invalid. Same superblock, " 896 "different security settings for (dev %s, " 897 "type %s)\n", newsb->s_id, newsb->s_type->name); 898 return -EBUSY; 899 } 900 901 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 902 struct super_block *newsb, 903 unsigned long kern_flags, 904 unsigned long *set_kern_flags) 905 { 906 int rc = 0; 907 const struct superblock_security_struct *oldsbsec = 908 selinux_superblock(oldsb); 909 struct superblock_security_struct *newsbsec = selinux_superblock(newsb); 910 911 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 912 int set_context = (oldsbsec->flags & CONTEXT_MNT); 913 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 914 915 /* 916 * if the parent was able to be mounted it clearly had no special lsm 917 * mount options. thus we can safely deal with this superblock later 918 */ 919 if (!selinux_initialized(&selinux_state)) 920 return 0; 921 922 /* 923 * Specifying internal flags without providing a place to 924 * place the results is not allowed. 925 */ 926 if (kern_flags && !set_kern_flags) 927 return -EINVAL; 928 929 /* how can we clone if the old one wasn't set up?? */ 930 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 931 932 /* if fs is reusing a sb, make sure that the contexts match */ 933 if (newsbsec->flags & SE_SBINITIALIZED) { 934 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) 935 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 936 return selinux_cmp_sb_context(oldsb, newsb); 937 } 938 939 mutex_lock(&newsbsec->lock); 940 941 newsbsec->flags = oldsbsec->flags; 942 943 newsbsec->sid = oldsbsec->sid; 944 newsbsec->def_sid = oldsbsec->def_sid; 945 newsbsec->behavior = oldsbsec->behavior; 946 947 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 948 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 949 rc = security_fs_use(&selinux_state, newsb); 950 if (rc) 951 goto out; 952 } 953 954 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 955 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 956 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 957 } 958 959 if (set_context) { 960 u32 sid = oldsbsec->mntpoint_sid; 961 962 if (!set_fscontext) 963 newsbsec->sid = sid; 964 if (!set_rootcontext) { 965 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 966 newisec->sid = sid; 967 } 968 newsbsec->mntpoint_sid = sid; 969 } 970 if (set_rootcontext) { 971 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 972 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 973 974 newisec->sid = oldisec->sid; 975 } 976 977 sb_finish_set_opts(newsb); 978 out: 979 mutex_unlock(&newsbsec->lock); 980 return rc; 981 } 982 983 static int selinux_add_opt(int token, const char *s, void **mnt_opts) 984 { 985 struct selinux_mnt_opts *opts = *mnt_opts; 986 987 if (token == Opt_seclabel) /* eaten and completely ignored */ 988 return 0; 989 990 if (!opts) { 991 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL); 992 if (!opts) 993 return -ENOMEM; 994 *mnt_opts = opts; 995 } 996 if (!s) 997 return -ENOMEM; 998 switch (token) { 999 case Opt_context: 1000 if (opts->context || opts->defcontext) 1001 goto Einval; 1002 opts->context = s; 1003 break; 1004 case Opt_fscontext: 1005 if (opts->fscontext) 1006 goto Einval; 1007 opts->fscontext = s; 1008 break; 1009 case Opt_rootcontext: 1010 if (opts->rootcontext) 1011 goto Einval; 1012 opts->rootcontext = s; 1013 break; 1014 case Opt_defcontext: 1015 if (opts->context || opts->defcontext) 1016 goto Einval; 1017 opts->defcontext = s; 1018 break; 1019 } 1020 return 0; 1021 Einval: 1022 pr_warn(SEL_MOUNT_FAIL_MSG); 1023 return -EINVAL; 1024 } 1025 1026 static int selinux_add_mnt_opt(const char *option, const char *val, int len, 1027 void **mnt_opts) 1028 { 1029 int token = Opt_error; 1030 int rc, i; 1031 1032 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 1033 if (strcmp(option, tokens[i].name) == 0) { 1034 token = tokens[i].opt; 1035 break; 1036 } 1037 } 1038 1039 if (token == Opt_error) 1040 return -EINVAL; 1041 1042 if (token != Opt_seclabel) { 1043 val = kmemdup_nul(val, len, GFP_KERNEL); 1044 if (!val) { 1045 rc = -ENOMEM; 1046 goto free_opt; 1047 } 1048 } 1049 rc = selinux_add_opt(token, val, mnt_opts); 1050 if (unlikely(rc)) { 1051 kfree(val); 1052 goto free_opt; 1053 } 1054 return rc; 1055 1056 free_opt: 1057 if (*mnt_opts) { 1058 selinux_free_mnt_opts(*mnt_opts); 1059 *mnt_opts = NULL; 1060 } 1061 return rc; 1062 } 1063 1064 static int show_sid(struct seq_file *m, u32 sid) 1065 { 1066 char *context = NULL; 1067 u32 len; 1068 int rc; 1069 1070 rc = security_sid_to_context(&selinux_state, sid, 1071 &context, &len); 1072 if (!rc) { 1073 bool has_comma = context && strchr(context, ','); 1074 1075 seq_putc(m, '='); 1076 if (has_comma) 1077 seq_putc(m, '\"'); 1078 seq_escape(m, context, "\"\n\\"); 1079 if (has_comma) 1080 seq_putc(m, '\"'); 1081 } 1082 kfree(context); 1083 return rc; 1084 } 1085 1086 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1087 { 1088 struct superblock_security_struct *sbsec = selinux_superblock(sb); 1089 int rc; 1090 1091 if (!(sbsec->flags & SE_SBINITIALIZED)) 1092 return 0; 1093 1094 if (!selinux_initialized(&selinux_state)) 1095 return 0; 1096 1097 if (sbsec->flags & FSCONTEXT_MNT) { 1098 seq_putc(m, ','); 1099 seq_puts(m, FSCONTEXT_STR); 1100 rc = show_sid(m, sbsec->sid); 1101 if (rc) 1102 return rc; 1103 } 1104 if (sbsec->flags & CONTEXT_MNT) { 1105 seq_putc(m, ','); 1106 seq_puts(m, CONTEXT_STR); 1107 rc = show_sid(m, sbsec->mntpoint_sid); 1108 if (rc) 1109 return rc; 1110 } 1111 if (sbsec->flags & DEFCONTEXT_MNT) { 1112 seq_putc(m, ','); 1113 seq_puts(m, DEFCONTEXT_STR); 1114 rc = show_sid(m, sbsec->def_sid); 1115 if (rc) 1116 return rc; 1117 } 1118 if (sbsec->flags & ROOTCONTEXT_MNT) { 1119 struct dentry *root = sb->s_root; 1120 struct inode_security_struct *isec = backing_inode_security(root); 1121 seq_putc(m, ','); 1122 seq_puts(m, ROOTCONTEXT_STR); 1123 rc = show_sid(m, isec->sid); 1124 if (rc) 1125 return rc; 1126 } 1127 if (sbsec->flags & SBLABEL_MNT) { 1128 seq_putc(m, ','); 1129 seq_puts(m, SECLABEL_STR); 1130 } 1131 return 0; 1132 } 1133 1134 static inline u16 inode_mode_to_security_class(umode_t mode) 1135 { 1136 switch (mode & S_IFMT) { 1137 case S_IFSOCK: 1138 return SECCLASS_SOCK_FILE; 1139 case S_IFLNK: 1140 return SECCLASS_LNK_FILE; 1141 case S_IFREG: 1142 return SECCLASS_FILE; 1143 case S_IFBLK: 1144 return SECCLASS_BLK_FILE; 1145 case S_IFDIR: 1146 return SECCLASS_DIR; 1147 case S_IFCHR: 1148 return SECCLASS_CHR_FILE; 1149 case S_IFIFO: 1150 return SECCLASS_FIFO_FILE; 1151 1152 } 1153 1154 return SECCLASS_FILE; 1155 } 1156 1157 static inline int default_protocol_stream(int protocol) 1158 { 1159 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP || 1160 protocol == IPPROTO_MPTCP); 1161 } 1162 1163 static inline int default_protocol_dgram(int protocol) 1164 { 1165 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1166 } 1167 1168 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1169 { 1170 int extsockclass = selinux_policycap_extsockclass(); 1171 1172 switch (family) { 1173 case PF_UNIX: 1174 switch (type) { 1175 case SOCK_STREAM: 1176 case SOCK_SEQPACKET: 1177 return SECCLASS_UNIX_STREAM_SOCKET; 1178 case SOCK_DGRAM: 1179 case SOCK_RAW: 1180 return SECCLASS_UNIX_DGRAM_SOCKET; 1181 } 1182 break; 1183 case PF_INET: 1184 case PF_INET6: 1185 switch (type) { 1186 case SOCK_STREAM: 1187 case SOCK_SEQPACKET: 1188 if (default_protocol_stream(protocol)) 1189 return SECCLASS_TCP_SOCKET; 1190 else if (extsockclass && protocol == IPPROTO_SCTP) 1191 return SECCLASS_SCTP_SOCKET; 1192 else 1193 return SECCLASS_RAWIP_SOCKET; 1194 case SOCK_DGRAM: 1195 if (default_protocol_dgram(protocol)) 1196 return SECCLASS_UDP_SOCKET; 1197 else if (extsockclass && (protocol == IPPROTO_ICMP || 1198 protocol == IPPROTO_ICMPV6)) 1199 return SECCLASS_ICMP_SOCKET; 1200 else 1201 return SECCLASS_RAWIP_SOCKET; 1202 case SOCK_DCCP: 1203 return SECCLASS_DCCP_SOCKET; 1204 default: 1205 return SECCLASS_RAWIP_SOCKET; 1206 } 1207 break; 1208 case PF_NETLINK: 1209 switch (protocol) { 1210 case NETLINK_ROUTE: 1211 return SECCLASS_NETLINK_ROUTE_SOCKET; 1212 case NETLINK_SOCK_DIAG: 1213 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1214 case NETLINK_NFLOG: 1215 return SECCLASS_NETLINK_NFLOG_SOCKET; 1216 case NETLINK_XFRM: 1217 return SECCLASS_NETLINK_XFRM_SOCKET; 1218 case NETLINK_SELINUX: 1219 return SECCLASS_NETLINK_SELINUX_SOCKET; 1220 case NETLINK_ISCSI: 1221 return SECCLASS_NETLINK_ISCSI_SOCKET; 1222 case NETLINK_AUDIT: 1223 return SECCLASS_NETLINK_AUDIT_SOCKET; 1224 case NETLINK_FIB_LOOKUP: 1225 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1226 case NETLINK_CONNECTOR: 1227 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1228 case NETLINK_NETFILTER: 1229 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1230 case NETLINK_DNRTMSG: 1231 return SECCLASS_NETLINK_DNRT_SOCKET; 1232 case NETLINK_KOBJECT_UEVENT: 1233 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1234 case NETLINK_GENERIC: 1235 return SECCLASS_NETLINK_GENERIC_SOCKET; 1236 case NETLINK_SCSITRANSPORT: 1237 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1238 case NETLINK_RDMA: 1239 return SECCLASS_NETLINK_RDMA_SOCKET; 1240 case NETLINK_CRYPTO: 1241 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1242 default: 1243 return SECCLASS_NETLINK_SOCKET; 1244 } 1245 case PF_PACKET: 1246 return SECCLASS_PACKET_SOCKET; 1247 case PF_KEY: 1248 return SECCLASS_KEY_SOCKET; 1249 case PF_APPLETALK: 1250 return SECCLASS_APPLETALK_SOCKET; 1251 } 1252 1253 if (extsockclass) { 1254 switch (family) { 1255 case PF_AX25: 1256 return SECCLASS_AX25_SOCKET; 1257 case PF_IPX: 1258 return SECCLASS_IPX_SOCKET; 1259 case PF_NETROM: 1260 return SECCLASS_NETROM_SOCKET; 1261 case PF_ATMPVC: 1262 return SECCLASS_ATMPVC_SOCKET; 1263 case PF_X25: 1264 return SECCLASS_X25_SOCKET; 1265 case PF_ROSE: 1266 return SECCLASS_ROSE_SOCKET; 1267 case PF_DECnet: 1268 return SECCLASS_DECNET_SOCKET; 1269 case PF_ATMSVC: 1270 return SECCLASS_ATMSVC_SOCKET; 1271 case PF_RDS: 1272 return SECCLASS_RDS_SOCKET; 1273 case PF_IRDA: 1274 return SECCLASS_IRDA_SOCKET; 1275 case PF_PPPOX: 1276 return SECCLASS_PPPOX_SOCKET; 1277 case PF_LLC: 1278 return SECCLASS_LLC_SOCKET; 1279 case PF_CAN: 1280 return SECCLASS_CAN_SOCKET; 1281 case PF_TIPC: 1282 return SECCLASS_TIPC_SOCKET; 1283 case PF_BLUETOOTH: 1284 return SECCLASS_BLUETOOTH_SOCKET; 1285 case PF_IUCV: 1286 return SECCLASS_IUCV_SOCKET; 1287 case PF_RXRPC: 1288 return SECCLASS_RXRPC_SOCKET; 1289 case PF_ISDN: 1290 return SECCLASS_ISDN_SOCKET; 1291 case PF_PHONET: 1292 return SECCLASS_PHONET_SOCKET; 1293 case PF_IEEE802154: 1294 return SECCLASS_IEEE802154_SOCKET; 1295 case PF_CAIF: 1296 return SECCLASS_CAIF_SOCKET; 1297 case PF_ALG: 1298 return SECCLASS_ALG_SOCKET; 1299 case PF_NFC: 1300 return SECCLASS_NFC_SOCKET; 1301 case PF_VSOCK: 1302 return SECCLASS_VSOCK_SOCKET; 1303 case PF_KCM: 1304 return SECCLASS_KCM_SOCKET; 1305 case PF_QIPCRTR: 1306 return SECCLASS_QIPCRTR_SOCKET; 1307 case PF_SMC: 1308 return SECCLASS_SMC_SOCKET; 1309 case PF_XDP: 1310 return SECCLASS_XDP_SOCKET; 1311 case PF_MCTP: 1312 return SECCLASS_MCTP_SOCKET; 1313 #if PF_MAX > 46 1314 #error New address family defined, please update this function. 1315 #endif 1316 } 1317 } 1318 1319 return SECCLASS_SOCKET; 1320 } 1321 1322 static int selinux_genfs_get_sid(struct dentry *dentry, 1323 u16 tclass, 1324 u16 flags, 1325 u32 *sid) 1326 { 1327 int rc; 1328 struct super_block *sb = dentry->d_sb; 1329 char *buffer, *path; 1330 1331 buffer = (char *)__get_free_page(GFP_KERNEL); 1332 if (!buffer) 1333 return -ENOMEM; 1334 1335 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1336 if (IS_ERR(path)) 1337 rc = PTR_ERR(path); 1338 else { 1339 if (flags & SE_SBPROC) { 1340 /* each process gets a /proc/PID/ entry. Strip off the 1341 * PID part to get a valid selinux labeling. 1342 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1343 while (path[1] >= '0' && path[1] <= '9') { 1344 path[1] = '/'; 1345 path++; 1346 } 1347 } 1348 rc = security_genfs_sid(&selinux_state, sb->s_type->name, 1349 path, tclass, sid); 1350 if (rc == -ENOENT) { 1351 /* No match in policy, mark as unlabeled. */ 1352 *sid = SECINITSID_UNLABELED; 1353 rc = 0; 1354 } 1355 } 1356 free_page((unsigned long)buffer); 1357 return rc; 1358 } 1359 1360 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry, 1361 u32 def_sid, u32 *sid) 1362 { 1363 #define INITCONTEXTLEN 255 1364 char *context; 1365 unsigned int len; 1366 int rc; 1367 1368 len = INITCONTEXTLEN; 1369 context = kmalloc(len + 1, GFP_NOFS); 1370 if (!context) 1371 return -ENOMEM; 1372 1373 context[len] = '\0'; 1374 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1375 if (rc == -ERANGE) { 1376 kfree(context); 1377 1378 /* Need a larger buffer. Query for the right size. */ 1379 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1380 if (rc < 0) 1381 return rc; 1382 1383 len = rc; 1384 context = kmalloc(len + 1, GFP_NOFS); 1385 if (!context) 1386 return -ENOMEM; 1387 1388 context[len] = '\0'; 1389 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, 1390 context, len); 1391 } 1392 if (rc < 0) { 1393 kfree(context); 1394 if (rc != -ENODATA) { 1395 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n", 1396 __func__, -rc, inode->i_sb->s_id, inode->i_ino); 1397 return rc; 1398 } 1399 *sid = def_sid; 1400 return 0; 1401 } 1402 1403 rc = security_context_to_sid_default(&selinux_state, context, rc, sid, 1404 def_sid, GFP_NOFS); 1405 if (rc) { 1406 char *dev = inode->i_sb->s_id; 1407 unsigned long ino = inode->i_ino; 1408 1409 if (rc == -EINVAL) { 1410 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n", 1411 ino, dev, context); 1412 } else { 1413 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n", 1414 __func__, context, -rc, dev, ino); 1415 } 1416 } 1417 kfree(context); 1418 return 0; 1419 } 1420 1421 /* The inode's security attributes must be initialized before first use. */ 1422 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1423 { 1424 struct superblock_security_struct *sbsec = NULL; 1425 struct inode_security_struct *isec = selinux_inode(inode); 1426 u32 task_sid, sid = 0; 1427 u16 sclass; 1428 struct dentry *dentry; 1429 int rc = 0; 1430 1431 if (isec->initialized == LABEL_INITIALIZED) 1432 return 0; 1433 1434 spin_lock(&isec->lock); 1435 if (isec->initialized == LABEL_INITIALIZED) 1436 goto out_unlock; 1437 1438 if (isec->sclass == SECCLASS_FILE) 1439 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1440 1441 sbsec = selinux_superblock(inode->i_sb); 1442 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1443 /* Defer initialization until selinux_complete_init, 1444 after the initial policy is loaded and the security 1445 server is ready to handle calls. */ 1446 spin_lock(&sbsec->isec_lock); 1447 if (list_empty(&isec->list)) 1448 list_add(&isec->list, &sbsec->isec_head); 1449 spin_unlock(&sbsec->isec_lock); 1450 goto out_unlock; 1451 } 1452 1453 sclass = isec->sclass; 1454 task_sid = isec->task_sid; 1455 sid = isec->sid; 1456 isec->initialized = LABEL_PENDING; 1457 spin_unlock(&isec->lock); 1458 1459 switch (sbsec->behavior) { 1460 case SECURITY_FS_USE_NATIVE: 1461 break; 1462 case SECURITY_FS_USE_XATTR: 1463 if (!(inode->i_opflags & IOP_XATTR)) { 1464 sid = sbsec->def_sid; 1465 break; 1466 } 1467 /* Need a dentry, since the xattr API requires one. 1468 Life would be simpler if we could just pass the inode. */ 1469 if (opt_dentry) { 1470 /* Called from d_instantiate or d_splice_alias. */ 1471 dentry = dget(opt_dentry); 1472 } else { 1473 /* 1474 * Called from selinux_complete_init, try to find a dentry. 1475 * Some filesystems really want a connected one, so try 1476 * that first. We could split SECURITY_FS_USE_XATTR in 1477 * two, depending upon that... 1478 */ 1479 dentry = d_find_alias(inode); 1480 if (!dentry) 1481 dentry = d_find_any_alias(inode); 1482 } 1483 if (!dentry) { 1484 /* 1485 * this is can be hit on boot when a file is accessed 1486 * before the policy is loaded. When we load policy we 1487 * may find inodes that have no dentry on the 1488 * sbsec->isec_head list. No reason to complain as these 1489 * will get fixed up the next time we go through 1490 * inode_doinit with a dentry, before these inodes could 1491 * be used again by userspace. 1492 */ 1493 goto out_invalid; 1494 } 1495 1496 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid, 1497 &sid); 1498 dput(dentry); 1499 if (rc) 1500 goto out; 1501 break; 1502 case SECURITY_FS_USE_TASK: 1503 sid = task_sid; 1504 break; 1505 case SECURITY_FS_USE_TRANS: 1506 /* Default to the fs SID. */ 1507 sid = sbsec->sid; 1508 1509 /* Try to obtain a transition SID. */ 1510 rc = security_transition_sid(&selinux_state, task_sid, sid, 1511 sclass, NULL, &sid); 1512 if (rc) 1513 goto out; 1514 break; 1515 case SECURITY_FS_USE_MNTPOINT: 1516 sid = sbsec->mntpoint_sid; 1517 break; 1518 default: 1519 /* Default to the fs superblock SID. */ 1520 sid = sbsec->sid; 1521 1522 if ((sbsec->flags & SE_SBGENFS) && 1523 (!S_ISLNK(inode->i_mode) || 1524 selinux_policycap_genfs_seclabel_symlinks())) { 1525 /* We must have a dentry to determine the label on 1526 * procfs inodes */ 1527 if (opt_dentry) { 1528 /* Called from d_instantiate or 1529 * d_splice_alias. */ 1530 dentry = dget(opt_dentry); 1531 } else { 1532 /* Called from selinux_complete_init, try to 1533 * find a dentry. Some filesystems really want 1534 * a connected one, so try that first. 1535 */ 1536 dentry = d_find_alias(inode); 1537 if (!dentry) 1538 dentry = d_find_any_alias(inode); 1539 } 1540 /* 1541 * This can be hit on boot when a file is accessed 1542 * before the policy is loaded. When we load policy we 1543 * may find inodes that have no dentry on the 1544 * sbsec->isec_head list. No reason to complain as 1545 * these will get fixed up the next time we go through 1546 * inode_doinit() with a dentry, before these inodes 1547 * could be used again by userspace. 1548 */ 1549 if (!dentry) 1550 goto out_invalid; 1551 rc = selinux_genfs_get_sid(dentry, sclass, 1552 sbsec->flags, &sid); 1553 if (rc) { 1554 dput(dentry); 1555 goto out; 1556 } 1557 1558 if ((sbsec->flags & SE_SBGENFS_XATTR) && 1559 (inode->i_opflags & IOP_XATTR)) { 1560 rc = inode_doinit_use_xattr(inode, dentry, 1561 sid, &sid); 1562 if (rc) { 1563 dput(dentry); 1564 goto out; 1565 } 1566 } 1567 dput(dentry); 1568 } 1569 break; 1570 } 1571 1572 out: 1573 spin_lock(&isec->lock); 1574 if (isec->initialized == LABEL_PENDING) { 1575 if (rc) { 1576 isec->initialized = LABEL_INVALID; 1577 goto out_unlock; 1578 } 1579 isec->initialized = LABEL_INITIALIZED; 1580 isec->sid = sid; 1581 } 1582 1583 out_unlock: 1584 spin_unlock(&isec->lock); 1585 return rc; 1586 1587 out_invalid: 1588 spin_lock(&isec->lock); 1589 if (isec->initialized == LABEL_PENDING) { 1590 isec->initialized = LABEL_INVALID; 1591 isec->sid = sid; 1592 } 1593 spin_unlock(&isec->lock); 1594 return 0; 1595 } 1596 1597 /* Convert a Linux signal to an access vector. */ 1598 static inline u32 signal_to_av(int sig) 1599 { 1600 u32 perm = 0; 1601 1602 switch (sig) { 1603 case SIGCHLD: 1604 /* Commonly granted from child to parent. */ 1605 perm = PROCESS__SIGCHLD; 1606 break; 1607 case SIGKILL: 1608 /* Cannot be caught or ignored */ 1609 perm = PROCESS__SIGKILL; 1610 break; 1611 case SIGSTOP: 1612 /* Cannot be caught or ignored */ 1613 perm = PROCESS__SIGSTOP; 1614 break; 1615 default: 1616 /* All other signals. */ 1617 perm = PROCESS__SIGNAL; 1618 break; 1619 } 1620 1621 return perm; 1622 } 1623 1624 #if CAP_LAST_CAP > 63 1625 #error Fix SELinux to handle capabilities > 63. 1626 #endif 1627 1628 /* Check whether a task is allowed to use a capability. */ 1629 static int cred_has_capability(const struct cred *cred, 1630 int cap, unsigned int opts, bool initns) 1631 { 1632 struct common_audit_data ad; 1633 struct av_decision avd; 1634 u16 sclass; 1635 u32 sid = cred_sid(cred); 1636 u32 av = CAP_TO_MASK(cap); 1637 int rc; 1638 1639 ad.type = LSM_AUDIT_DATA_CAP; 1640 ad.u.cap = cap; 1641 1642 switch (CAP_TO_INDEX(cap)) { 1643 case 0: 1644 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1645 break; 1646 case 1: 1647 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1648 break; 1649 default: 1650 pr_err("SELinux: out of range capability %d\n", cap); 1651 BUG(); 1652 return -EINVAL; 1653 } 1654 1655 rc = avc_has_perm_noaudit(&selinux_state, 1656 sid, sid, sclass, av, 0, &avd); 1657 if (!(opts & CAP_OPT_NOAUDIT)) { 1658 int rc2 = avc_audit(&selinux_state, 1659 sid, sid, sclass, av, &avd, rc, &ad); 1660 if (rc2) 1661 return rc2; 1662 } 1663 return rc; 1664 } 1665 1666 /* Check whether a task has a particular permission to an inode. 1667 The 'adp' parameter is optional and allows other audit 1668 data to be passed (e.g. the dentry). */ 1669 static int inode_has_perm(const struct cred *cred, 1670 struct inode *inode, 1671 u32 perms, 1672 struct common_audit_data *adp) 1673 { 1674 struct inode_security_struct *isec; 1675 u32 sid; 1676 1677 validate_creds(cred); 1678 1679 if (unlikely(IS_PRIVATE(inode))) 1680 return 0; 1681 1682 sid = cred_sid(cred); 1683 isec = selinux_inode(inode); 1684 1685 return avc_has_perm(&selinux_state, 1686 sid, isec->sid, isec->sclass, perms, adp); 1687 } 1688 1689 /* Same as inode_has_perm, but pass explicit audit data containing 1690 the dentry to help the auditing code to more easily generate the 1691 pathname if needed. */ 1692 static inline int dentry_has_perm(const struct cred *cred, 1693 struct dentry *dentry, 1694 u32 av) 1695 { 1696 struct inode *inode = d_backing_inode(dentry); 1697 struct common_audit_data ad; 1698 1699 ad.type = LSM_AUDIT_DATA_DENTRY; 1700 ad.u.dentry = dentry; 1701 __inode_security_revalidate(inode, dentry, true); 1702 return inode_has_perm(cred, inode, av, &ad); 1703 } 1704 1705 /* Same as inode_has_perm, but pass explicit audit data containing 1706 the path to help the auditing code to more easily generate the 1707 pathname if needed. */ 1708 static inline int path_has_perm(const struct cred *cred, 1709 const struct path *path, 1710 u32 av) 1711 { 1712 struct inode *inode = d_backing_inode(path->dentry); 1713 struct common_audit_data ad; 1714 1715 ad.type = LSM_AUDIT_DATA_PATH; 1716 ad.u.path = *path; 1717 __inode_security_revalidate(inode, path->dentry, true); 1718 return inode_has_perm(cred, inode, av, &ad); 1719 } 1720 1721 /* Same as path_has_perm, but uses the inode from the file struct. */ 1722 static inline int file_path_has_perm(const struct cred *cred, 1723 struct file *file, 1724 u32 av) 1725 { 1726 struct common_audit_data ad; 1727 1728 ad.type = LSM_AUDIT_DATA_FILE; 1729 ad.u.file = file; 1730 return inode_has_perm(cred, file_inode(file), av, &ad); 1731 } 1732 1733 #ifdef CONFIG_BPF_SYSCALL 1734 static int bpf_fd_pass(struct file *file, u32 sid); 1735 #endif 1736 1737 /* Check whether a task can use an open file descriptor to 1738 access an inode in a given way. Check access to the 1739 descriptor itself, and then use dentry_has_perm to 1740 check a particular permission to the file. 1741 Access to the descriptor is implicitly granted if it 1742 has the same SID as the process. If av is zero, then 1743 access to the file is not checked, e.g. for cases 1744 where only the descriptor is affected like seek. */ 1745 static int file_has_perm(const struct cred *cred, 1746 struct file *file, 1747 u32 av) 1748 { 1749 struct file_security_struct *fsec = selinux_file(file); 1750 struct inode *inode = file_inode(file); 1751 struct common_audit_data ad; 1752 u32 sid = cred_sid(cred); 1753 int rc; 1754 1755 ad.type = LSM_AUDIT_DATA_FILE; 1756 ad.u.file = file; 1757 1758 if (sid != fsec->sid) { 1759 rc = avc_has_perm(&selinux_state, 1760 sid, fsec->sid, 1761 SECCLASS_FD, 1762 FD__USE, 1763 &ad); 1764 if (rc) 1765 goto out; 1766 } 1767 1768 #ifdef CONFIG_BPF_SYSCALL 1769 rc = bpf_fd_pass(file, cred_sid(cred)); 1770 if (rc) 1771 return rc; 1772 #endif 1773 1774 /* av is zero if only checking access to the descriptor. */ 1775 rc = 0; 1776 if (av) 1777 rc = inode_has_perm(cred, inode, av, &ad); 1778 1779 out: 1780 return rc; 1781 } 1782 1783 /* 1784 * Determine the label for an inode that might be unioned. 1785 */ 1786 static int 1787 selinux_determine_inode_label(const struct task_security_struct *tsec, 1788 struct inode *dir, 1789 const struct qstr *name, u16 tclass, 1790 u32 *_new_isid) 1791 { 1792 const struct superblock_security_struct *sbsec = 1793 selinux_superblock(dir->i_sb); 1794 1795 if ((sbsec->flags & SE_SBINITIALIZED) && 1796 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1797 *_new_isid = sbsec->mntpoint_sid; 1798 } else if ((sbsec->flags & SBLABEL_MNT) && 1799 tsec->create_sid) { 1800 *_new_isid = tsec->create_sid; 1801 } else { 1802 const struct inode_security_struct *dsec = inode_security(dir); 1803 return security_transition_sid(&selinux_state, tsec->sid, 1804 dsec->sid, tclass, 1805 name, _new_isid); 1806 } 1807 1808 return 0; 1809 } 1810 1811 /* Check whether a task can create a file. */ 1812 static int may_create(struct inode *dir, 1813 struct dentry *dentry, 1814 u16 tclass) 1815 { 1816 const struct task_security_struct *tsec = selinux_cred(current_cred()); 1817 struct inode_security_struct *dsec; 1818 struct superblock_security_struct *sbsec; 1819 u32 sid, newsid; 1820 struct common_audit_data ad; 1821 int rc; 1822 1823 dsec = inode_security(dir); 1824 sbsec = selinux_superblock(dir->i_sb); 1825 1826 sid = tsec->sid; 1827 1828 ad.type = LSM_AUDIT_DATA_DENTRY; 1829 ad.u.dentry = dentry; 1830 1831 rc = avc_has_perm(&selinux_state, 1832 sid, dsec->sid, SECCLASS_DIR, 1833 DIR__ADD_NAME | DIR__SEARCH, 1834 &ad); 1835 if (rc) 1836 return rc; 1837 1838 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass, 1839 &newsid); 1840 if (rc) 1841 return rc; 1842 1843 rc = avc_has_perm(&selinux_state, 1844 sid, newsid, tclass, FILE__CREATE, &ad); 1845 if (rc) 1846 return rc; 1847 1848 return avc_has_perm(&selinux_state, 1849 newsid, sbsec->sid, 1850 SECCLASS_FILESYSTEM, 1851 FILESYSTEM__ASSOCIATE, &ad); 1852 } 1853 1854 #define MAY_LINK 0 1855 #define MAY_UNLINK 1 1856 #define MAY_RMDIR 2 1857 1858 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1859 static int may_link(struct inode *dir, 1860 struct dentry *dentry, 1861 int kind) 1862 1863 { 1864 struct inode_security_struct *dsec, *isec; 1865 struct common_audit_data ad; 1866 u32 sid = current_sid(); 1867 u32 av; 1868 int rc; 1869 1870 dsec = inode_security(dir); 1871 isec = backing_inode_security(dentry); 1872 1873 ad.type = LSM_AUDIT_DATA_DENTRY; 1874 ad.u.dentry = dentry; 1875 1876 av = DIR__SEARCH; 1877 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1878 rc = avc_has_perm(&selinux_state, 1879 sid, dsec->sid, SECCLASS_DIR, av, &ad); 1880 if (rc) 1881 return rc; 1882 1883 switch (kind) { 1884 case MAY_LINK: 1885 av = FILE__LINK; 1886 break; 1887 case MAY_UNLINK: 1888 av = FILE__UNLINK; 1889 break; 1890 case MAY_RMDIR: 1891 av = DIR__RMDIR; 1892 break; 1893 default: 1894 pr_warn("SELinux: %s: unrecognized kind %d\n", 1895 __func__, kind); 1896 return 0; 1897 } 1898 1899 rc = avc_has_perm(&selinux_state, 1900 sid, isec->sid, isec->sclass, av, &ad); 1901 return rc; 1902 } 1903 1904 static inline int may_rename(struct inode *old_dir, 1905 struct dentry *old_dentry, 1906 struct inode *new_dir, 1907 struct dentry *new_dentry) 1908 { 1909 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1910 struct common_audit_data ad; 1911 u32 sid = current_sid(); 1912 u32 av; 1913 int old_is_dir, new_is_dir; 1914 int rc; 1915 1916 old_dsec = inode_security(old_dir); 1917 old_isec = backing_inode_security(old_dentry); 1918 old_is_dir = d_is_dir(old_dentry); 1919 new_dsec = inode_security(new_dir); 1920 1921 ad.type = LSM_AUDIT_DATA_DENTRY; 1922 1923 ad.u.dentry = old_dentry; 1924 rc = avc_has_perm(&selinux_state, 1925 sid, old_dsec->sid, SECCLASS_DIR, 1926 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1927 if (rc) 1928 return rc; 1929 rc = avc_has_perm(&selinux_state, 1930 sid, old_isec->sid, 1931 old_isec->sclass, FILE__RENAME, &ad); 1932 if (rc) 1933 return rc; 1934 if (old_is_dir && new_dir != old_dir) { 1935 rc = avc_has_perm(&selinux_state, 1936 sid, old_isec->sid, 1937 old_isec->sclass, DIR__REPARENT, &ad); 1938 if (rc) 1939 return rc; 1940 } 1941 1942 ad.u.dentry = new_dentry; 1943 av = DIR__ADD_NAME | DIR__SEARCH; 1944 if (d_is_positive(new_dentry)) 1945 av |= DIR__REMOVE_NAME; 1946 rc = avc_has_perm(&selinux_state, 1947 sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1948 if (rc) 1949 return rc; 1950 if (d_is_positive(new_dentry)) { 1951 new_isec = backing_inode_security(new_dentry); 1952 new_is_dir = d_is_dir(new_dentry); 1953 rc = avc_has_perm(&selinux_state, 1954 sid, new_isec->sid, 1955 new_isec->sclass, 1956 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1957 if (rc) 1958 return rc; 1959 } 1960 1961 return 0; 1962 } 1963 1964 /* Check whether a task can perform a filesystem operation. */ 1965 static int superblock_has_perm(const struct cred *cred, 1966 struct super_block *sb, 1967 u32 perms, 1968 struct common_audit_data *ad) 1969 { 1970 struct superblock_security_struct *sbsec; 1971 u32 sid = cred_sid(cred); 1972 1973 sbsec = selinux_superblock(sb); 1974 return avc_has_perm(&selinux_state, 1975 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1976 } 1977 1978 /* Convert a Linux mode and permission mask to an access vector. */ 1979 static inline u32 file_mask_to_av(int mode, int mask) 1980 { 1981 u32 av = 0; 1982 1983 if (!S_ISDIR(mode)) { 1984 if (mask & MAY_EXEC) 1985 av |= FILE__EXECUTE; 1986 if (mask & MAY_READ) 1987 av |= FILE__READ; 1988 1989 if (mask & MAY_APPEND) 1990 av |= FILE__APPEND; 1991 else if (mask & MAY_WRITE) 1992 av |= FILE__WRITE; 1993 1994 } else { 1995 if (mask & MAY_EXEC) 1996 av |= DIR__SEARCH; 1997 if (mask & MAY_WRITE) 1998 av |= DIR__WRITE; 1999 if (mask & MAY_READ) 2000 av |= DIR__READ; 2001 } 2002 2003 return av; 2004 } 2005 2006 /* Convert a Linux file to an access vector. */ 2007 static inline u32 file_to_av(struct file *file) 2008 { 2009 u32 av = 0; 2010 2011 if (file->f_mode & FMODE_READ) 2012 av |= FILE__READ; 2013 if (file->f_mode & FMODE_WRITE) { 2014 if (file->f_flags & O_APPEND) 2015 av |= FILE__APPEND; 2016 else 2017 av |= FILE__WRITE; 2018 } 2019 if (!av) { 2020 /* 2021 * Special file opened with flags 3 for ioctl-only use. 2022 */ 2023 av = FILE__IOCTL; 2024 } 2025 2026 return av; 2027 } 2028 2029 /* 2030 * Convert a file to an access vector and include the correct 2031 * open permission. 2032 */ 2033 static inline u32 open_file_to_av(struct file *file) 2034 { 2035 u32 av = file_to_av(file); 2036 struct inode *inode = file_inode(file); 2037 2038 if (selinux_policycap_openperm() && 2039 inode->i_sb->s_magic != SOCKFS_MAGIC) 2040 av |= FILE__OPEN; 2041 2042 return av; 2043 } 2044 2045 /* Hook functions begin here. */ 2046 2047 static int selinux_binder_set_context_mgr(const struct cred *mgr) 2048 { 2049 return avc_has_perm(&selinux_state, 2050 current_sid(), cred_sid(mgr), SECCLASS_BINDER, 2051 BINDER__SET_CONTEXT_MGR, NULL); 2052 } 2053 2054 static int selinux_binder_transaction(const struct cred *from, 2055 const struct cred *to) 2056 { 2057 u32 mysid = current_sid(); 2058 u32 fromsid = cred_sid(from); 2059 u32 tosid = cred_sid(to); 2060 int rc; 2061 2062 if (mysid != fromsid) { 2063 rc = avc_has_perm(&selinux_state, 2064 mysid, fromsid, SECCLASS_BINDER, 2065 BINDER__IMPERSONATE, NULL); 2066 if (rc) 2067 return rc; 2068 } 2069 2070 return avc_has_perm(&selinux_state, fromsid, tosid, 2071 SECCLASS_BINDER, BINDER__CALL, NULL); 2072 } 2073 2074 static int selinux_binder_transfer_binder(const struct cred *from, 2075 const struct cred *to) 2076 { 2077 return avc_has_perm(&selinux_state, 2078 cred_sid(from), cred_sid(to), 2079 SECCLASS_BINDER, BINDER__TRANSFER, 2080 NULL); 2081 } 2082 2083 static int selinux_binder_transfer_file(const struct cred *from, 2084 const struct cred *to, 2085 struct file *file) 2086 { 2087 u32 sid = cred_sid(to); 2088 struct file_security_struct *fsec = selinux_file(file); 2089 struct dentry *dentry = file->f_path.dentry; 2090 struct inode_security_struct *isec; 2091 struct common_audit_data ad; 2092 int rc; 2093 2094 ad.type = LSM_AUDIT_DATA_PATH; 2095 ad.u.path = file->f_path; 2096 2097 if (sid != fsec->sid) { 2098 rc = avc_has_perm(&selinux_state, 2099 sid, fsec->sid, 2100 SECCLASS_FD, 2101 FD__USE, 2102 &ad); 2103 if (rc) 2104 return rc; 2105 } 2106 2107 #ifdef CONFIG_BPF_SYSCALL 2108 rc = bpf_fd_pass(file, sid); 2109 if (rc) 2110 return rc; 2111 #endif 2112 2113 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2114 return 0; 2115 2116 isec = backing_inode_security(dentry); 2117 return avc_has_perm(&selinux_state, 2118 sid, isec->sid, isec->sclass, file_to_av(file), 2119 &ad); 2120 } 2121 2122 static int selinux_ptrace_access_check(struct task_struct *child, 2123 unsigned int mode) 2124 { 2125 u32 sid = current_sid(); 2126 u32 csid = task_sid_obj(child); 2127 2128 if (mode & PTRACE_MODE_READ) 2129 return avc_has_perm(&selinux_state, 2130 sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2131 2132 return avc_has_perm(&selinux_state, 2133 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2134 } 2135 2136 static int selinux_ptrace_traceme(struct task_struct *parent) 2137 { 2138 return avc_has_perm(&selinux_state, 2139 task_sid_obj(parent), task_sid_obj(current), 2140 SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2141 } 2142 2143 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2144 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2145 { 2146 return avc_has_perm(&selinux_state, 2147 current_sid(), task_sid_obj(target), SECCLASS_PROCESS, 2148 PROCESS__GETCAP, NULL); 2149 } 2150 2151 static int selinux_capset(struct cred *new, const struct cred *old, 2152 const kernel_cap_t *effective, 2153 const kernel_cap_t *inheritable, 2154 const kernel_cap_t *permitted) 2155 { 2156 return avc_has_perm(&selinux_state, 2157 cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2158 PROCESS__SETCAP, NULL); 2159 } 2160 2161 /* 2162 * (This comment used to live with the selinux_task_setuid hook, 2163 * which was removed). 2164 * 2165 * Since setuid only affects the current process, and since the SELinux 2166 * controls are not based on the Linux identity attributes, SELinux does not 2167 * need to control this operation. However, SELinux does control the use of 2168 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2169 */ 2170 2171 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2172 int cap, unsigned int opts) 2173 { 2174 return cred_has_capability(cred, cap, opts, ns == &init_user_ns); 2175 } 2176 2177 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2178 { 2179 const struct cred *cred = current_cred(); 2180 int rc = 0; 2181 2182 if (!sb) 2183 return 0; 2184 2185 switch (cmds) { 2186 case Q_SYNC: 2187 case Q_QUOTAON: 2188 case Q_QUOTAOFF: 2189 case Q_SETINFO: 2190 case Q_SETQUOTA: 2191 case Q_XQUOTAOFF: 2192 case Q_XQUOTAON: 2193 case Q_XSETQLIM: 2194 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2195 break; 2196 case Q_GETFMT: 2197 case Q_GETINFO: 2198 case Q_GETQUOTA: 2199 case Q_XGETQUOTA: 2200 case Q_XGETQSTAT: 2201 case Q_XGETQSTATV: 2202 case Q_XGETNEXTQUOTA: 2203 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2204 break; 2205 default: 2206 rc = 0; /* let the kernel handle invalid cmds */ 2207 break; 2208 } 2209 return rc; 2210 } 2211 2212 static int selinux_quota_on(struct dentry *dentry) 2213 { 2214 const struct cred *cred = current_cred(); 2215 2216 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2217 } 2218 2219 static int selinux_syslog(int type) 2220 { 2221 switch (type) { 2222 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2223 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2224 return avc_has_perm(&selinux_state, 2225 current_sid(), SECINITSID_KERNEL, 2226 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2227 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2228 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2229 /* Set level of messages printed to console */ 2230 case SYSLOG_ACTION_CONSOLE_LEVEL: 2231 return avc_has_perm(&selinux_state, 2232 current_sid(), SECINITSID_KERNEL, 2233 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2234 NULL); 2235 } 2236 /* All other syslog types */ 2237 return avc_has_perm(&selinux_state, 2238 current_sid(), SECINITSID_KERNEL, 2239 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2240 } 2241 2242 /* 2243 * Check that a process has enough memory to allocate a new virtual 2244 * mapping. 0 means there is enough memory for the allocation to 2245 * succeed and -ENOMEM implies there is not. 2246 * 2247 * Do not audit the selinux permission check, as this is applied to all 2248 * processes that allocate mappings. 2249 */ 2250 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2251 { 2252 int rc, cap_sys_admin = 0; 2253 2254 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2255 CAP_OPT_NOAUDIT, true); 2256 if (rc == 0) 2257 cap_sys_admin = 1; 2258 2259 return cap_sys_admin; 2260 } 2261 2262 /* binprm security operations */ 2263 2264 static u32 ptrace_parent_sid(void) 2265 { 2266 u32 sid = 0; 2267 struct task_struct *tracer; 2268 2269 rcu_read_lock(); 2270 tracer = ptrace_parent(current); 2271 if (tracer) 2272 sid = task_sid_obj(tracer); 2273 rcu_read_unlock(); 2274 2275 return sid; 2276 } 2277 2278 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2279 const struct task_security_struct *old_tsec, 2280 const struct task_security_struct *new_tsec) 2281 { 2282 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2283 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2284 int rc; 2285 u32 av; 2286 2287 if (!nnp && !nosuid) 2288 return 0; /* neither NNP nor nosuid */ 2289 2290 if (new_tsec->sid == old_tsec->sid) 2291 return 0; /* No change in credentials */ 2292 2293 /* 2294 * If the policy enables the nnp_nosuid_transition policy capability, 2295 * then we permit transitions under NNP or nosuid if the 2296 * policy allows the corresponding permission between 2297 * the old and new contexts. 2298 */ 2299 if (selinux_policycap_nnp_nosuid_transition()) { 2300 av = 0; 2301 if (nnp) 2302 av |= PROCESS2__NNP_TRANSITION; 2303 if (nosuid) 2304 av |= PROCESS2__NOSUID_TRANSITION; 2305 rc = avc_has_perm(&selinux_state, 2306 old_tsec->sid, new_tsec->sid, 2307 SECCLASS_PROCESS2, av, NULL); 2308 if (!rc) 2309 return 0; 2310 } 2311 2312 /* 2313 * We also permit NNP or nosuid transitions to bounded SIDs, 2314 * i.e. SIDs that are guaranteed to only be allowed a subset 2315 * of the permissions of the current SID. 2316 */ 2317 rc = security_bounded_transition(&selinux_state, old_tsec->sid, 2318 new_tsec->sid); 2319 if (!rc) 2320 return 0; 2321 2322 /* 2323 * On failure, preserve the errno values for NNP vs nosuid. 2324 * NNP: Operation not permitted for caller. 2325 * nosuid: Permission denied to file. 2326 */ 2327 if (nnp) 2328 return -EPERM; 2329 return -EACCES; 2330 } 2331 2332 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) 2333 { 2334 const struct task_security_struct *old_tsec; 2335 struct task_security_struct *new_tsec; 2336 struct inode_security_struct *isec; 2337 struct common_audit_data ad; 2338 struct inode *inode = file_inode(bprm->file); 2339 int rc; 2340 2341 /* SELinux context only depends on initial program or script and not 2342 * the script interpreter */ 2343 2344 old_tsec = selinux_cred(current_cred()); 2345 new_tsec = selinux_cred(bprm->cred); 2346 isec = inode_security(inode); 2347 2348 /* Default to the current task SID. */ 2349 new_tsec->sid = old_tsec->sid; 2350 new_tsec->osid = old_tsec->sid; 2351 2352 /* Reset fs, key, and sock SIDs on execve. */ 2353 new_tsec->create_sid = 0; 2354 new_tsec->keycreate_sid = 0; 2355 new_tsec->sockcreate_sid = 0; 2356 2357 if (old_tsec->exec_sid) { 2358 new_tsec->sid = old_tsec->exec_sid; 2359 /* Reset exec SID on execve. */ 2360 new_tsec->exec_sid = 0; 2361 2362 /* Fail on NNP or nosuid if not an allowed transition. */ 2363 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2364 if (rc) 2365 return rc; 2366 } else { 2367 /* Check for a default transition on this program. */ 2368 rc = security_transition_sid(&selinux_state, old_tsec->sid, 2369 isec->sid, SECCLASS_PROCESS, NULL, 2370 &new_tsec->sid); 2371 if (rc) 2372 return rc; 2373 2374 /* 2375 * Fallback to old SID on NNP or nosuid if not an allowed 2376 * transition. 2377 */ 2378 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2379 if (rc) 2380 new_tsec->sid = old_tsec->sid; 2381 } 2382 2383 ad.type = LSM_AUDIT_DATA_FILE; 2384 ad.u.file = bprm->file; 2385 2386 if (new_tsec->sid == old_tsec->sid) { 2387 rc = avc_has_perm(&selinux_state, 2388 old_tsec->sid, isec->sid, 2389 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2390 if (rc) 2391 return rc; 2392 } else { 2393 /* Check permissions for the transition. */ 2394 rc = avc_has_perm(&selinux_state, 2395 old_tsec->sid, new_tsec->sid, 2396 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2397 if (rc) 2398 return rc; 2399 2400 rc = avc_has_perm(&selinux_state, 2401 new_tsec->sid, isec->sid, 2402 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2403 if (rc) 2404 return rc; 2405 2406 /* Check for shared state */ 2407 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2408 rc = avc_has_perm(&selinux_state, 2409 old_tsec->sid, new_tsec->sid, 2410 SECCLASS_PROCESS, PROCESS__SHARE, 2411 NULL); 2412 if (rc) 2413 return -EPERM; 2414 } 2415 2416 /* Make sure that anyone attempting to ptrace over a task that 2417 * changes its SID has the appropriate permit */ 2418 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2419 u32 ptsid = ptrace_parent_sid(); 2420 if (ptsid != 0) { 2421 rc = avc_has_perm(&selinux_state, 2422 ptsid, new_tsec->sid, 2423 SECCLASS_PROCESS, 2424 PROCESS__PTRACE, NULL); 2425 if (rc) 2426 return -EPERM; 2427 } 2428 } 2429 2430 /* Clear any possibly unsafe personality bits on exec: */ 2431 bprm->per_clear |= PER_CLEAR_ON_SETID; 2432 2433 /* Enable secure mode for SIDs transitions unless 2434 the noatsecure permission is granted between 2435 the two SIDs, i.e. ahp returns 0. */ 2436 rc = avc_has_perm(&selinux_state, 2437 old_tsec->sid, new_tsec->sid, 2438 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2439 NULL); 2440 bprm->secureexec |= !!rc; 2441 } 2442 2443 return 0; 2444 } 2445 2446 static int match_file(const void *p, struct file *file, unsigned fd) 2447 { 2448 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2449 } 2450 2451 /* Derived from fs/exec.c:flush_old_files. */ 2452 static inline void flush_unauthorized_files(const struct cred *cred, 2453 struct files_struct *files) 2454 { 2455 struct file *file, *devnull = NULL; 2456 struct tty_struct *tty; 2457 int drop_tty = 0; 2458 unsigned n; 2459 2460 tty = get_current_tty(); 2461 if (tty) { 2462 spin_lock(&tty->files_lock); 2463 if (!list_empty(&tty->tty_files)) { 2464 struct tty_file_private *file_priv; 2465 2466 /* Revalidate access to controlling tty. 2467 Use file_path_has_perm on the tty path directly 2468 rather than using file_has_perm, as this particular 2469 open file may belong to another process and we are 2470 only interested in the inode-based check here. */ 2471 file_priv = list_first_entry(&tty->tty_files, 2472 struct tty_file_private, list); 2473 file = file_priv->file; 2474 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2475 drop_tty = 1; 2476 } 2477 spin_unlock(&tty->files_lock); 2478 tty_kref_put(tty); 2479 } 2480 /* Reset controlling tty. */ 2481 if (drop_tty) 2482 no_tty(); 2483 2484 /* Revalidate access to inherited open files. */ 2485 n = iterate_fd(files, 0, match_file, cred); 2486 if (!n) /* none found? */ 2487 return; 2488 2489 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2490 if (IS_ERR(devnull)) 2491 devnull = NULL; 2492 /* replace all the matching ones with this */ 2493 do { 2494 replace_fd(n - 1, devnull, 0); 2495 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2496 if (devnull) 2497 fput(devnull); 2498 } 2499 2500 /* 2501 * Prepare a process for imminent new credential changes due to exec 2502 */ 2503 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2504 { 2505 struct task_security_struct *new_tsec; 2506 struct rlimit *rlim, *initrlim; 2507 int rc, i; 2508 2509 new_tsec = selinux_cred(bprm->cred); 2510 if (new_tsec->sid == new_tsec->osid) 2511 return; 2512 2513 /* Close files for which the new task SID is not authorized. */ 2514 flush_unauthorized_files(bprm->cred, current->files); 2515 2516 /* Always clear parent death signal on SID transitions. */ 2517 current->pdeath_signal = 0; 2518 2519 /* Check whether the new SID can inherit resource limits from the old 2520 * SID. If not, reset all soft limits to the lower of the current 2521 * task's hard limit and the init task's soft limit. 2522 * 2523 * Note that the setting of hard limits (even to lower them) can be 2524 * controlled by the setrlimit check. The inclusion of the init task's 2525 * soft limit into the computation is to avoid resetting soft limits 2526 * higher than the default soft limit for cases where the default is 2527 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2528 */ 2529 rc = avc_has_perm(&selinux_state, 2530 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2531 PROCESS__RLIMITINH, NULL); 2532 if (rc) { 2533 /* protect against do_prlimit() */ 2534 task_lock(current); 2535 for (i = 0; i < RLIM_NLIMITS; i++) { 2536 rlim = current->signal->rlim + i; 2537 initrlim = init_task.signal->rlim + i; 2538 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2539 } 2540 task_unlock(current); 2541 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2542 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2543 } 2544 } 2545 2546 /* 2547 * Clean up the process immediately after the installation of new credentials 2548 * due to exec 2549 */ 2550 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2551 { 2552 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2553 u32 osid, sid; 2554 int rc; 2555 2556 osid = tsec->osid; 2557 sid = tsec->sid; 2558 2559 if (sid == osid) 2560 return; 2561 2562 /* Check whether the new SID can inherit signal state from the old SID. 2563 * If not, clear itimers to avoid subsequent signal generation and 2564 * flush and unblock signals. 2565 * 2566 * This must occur _after_ the task SID has been updated so that any 2567 * kill done after the flush will be checked against the new SID. 2568 */ 2569 rc = avc_has_perm(&selinux_state, 2570 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2571 if (rc) { 2572 clear_itimer(); 2573 2574 spin_lock_irq(¤t->sighand->siglock); 2575 if (!fatal_signal_pending(current)) { 2576 flush_sigqueue(¤t->pending); 2577 flush_sigqueue(¤t->signal->shared_pending); 2578 flush_signal_handlers(current, 1); 2579 sigemptyset(¤t->blocked); 2580 recalc_sigpending(); 2581 } 2582 spin_unlock_irq(¤t->sighand->siglock); 2583 } 2584 2585 /* Wake up the parent if it is waiting so that it can recheck 2586 * wait permission to the new task SID. */ 2587 read_lock(&tasklist_lock); 2588 __wake_up_parent(current, current->real_parent); 2589 read_unlock(&tasklist_lock); 2590 } 2591 2592 /* superblock security operations */ 2593 2594 static int selinux_sb_alloc_security(struct super_block *sb) 2595 { 2596 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2597 2598 mutex_init(&sbsec->lock); 2599 INIT_LIST_HEAD(&sbsec->isec_head); 2600 spin_lock_init(&sbsec->isec_lock); 2601 sbsec->sid = SECINITSID_UNLABELED; 2602 sbsec->def_sid = SECINITSID_FILE; 2603 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 2604 2605 return 0; 2606 } 2607 2608 static inline int opt_len(const char *s) 2609 { 2610 bool open_quote = false; 2611 int len; 2612 char c; 2613 2614 for (len = 0; (c = s[len]) != '\0'; len++) { 2615 if (c == '"') 2616 open_quote = !open_quote; 2617 if (c == ',' && !open_quote) 2618 break; 2619 } 2620 return len; 2621 } 2622 2623 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) 2624 { 2625 char *from = options; 2626 char *to = options; 2627 bool first = true; 2628 int rc; 2629 2630 while (1) { 2631 int len = opt_len(from); 2632 int token; 2633 char *arg = NULL; 2634 2635 token = match_opt_prefix(from, len, &arg); 2636 2637 if (token != Opt_error) { 2638 char *p, *q; 2639 2640 /* strip quotes */ 2641 if (arg) { 2642 for (p = q = arg; p < from + len; p++) { 2643 char c = *p; 2644 if (c != '"') 2645 *q++ = c; 2646 } 2647 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); 2648 if (!arg) { 2649 rc = -ENOMEM; 2650 goto free_opt; 2651 } 2652 } 2653 rc = selinux_add_opt(token, arg, mnt_opts); 2654 if (unlikely(rc)) { 2655 kfree(arg); 2656 goto free_opt; 2657 } 2658 } else { 2659 if (!first) { // copy with preceding comma 2660 from--; 2661 len++; 2662 } 2663 if (to != from) 2664 memmove(to, from, len); 2665 to += len; 2666 first = false; 2667 } 2668 if (!from[len]) 2669 break; 2670 from += len + 1; 2671 } 2672 *to = '\0'; 2673 return 0; 2674 2675 free_opt: 2676 if (*mnt_opts) { 2677 selinux_free_mnt_opts(*mnt_opts); 2678 *mnt_opts = NULL; 2679 } 2680 return rc; 2681 } 2682 2683 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts) 2684 { 2685 struct selinux_mnt_opts *opts = mnt_opts; 2686 struct superblock_security_struct *sbsec = sb->s_security; 2687 u32 sid; 2688 int rc; 2689 2690 /* 2691 * Superblock not initialized (i.e. no options) - reject if any 2692 * options specified, otherwise accept. 2693 */ 2694 if (!(sbsec->flags & SE_SBINITIALIZED)) 2695 return opts ? 1 : 0; 2696 2697 /* 2698 * Superblock initialized and no options specified - reject if 2699 * superblock has any options set, otherwise accept. 2700 */ 2701 if (!opts) 2702 return (sbsec->flags & SE_MNTMASK) ? 1 : 0; 2703 2704 if (opts->fscontext) { 2705 rc = parse_sid(sb, opts->fscontext, &sid); 2706 if (rc) 2707 return 1; 2708 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2709 return 1; 2710 } 2711 if (opts->context) { 2712 rc = parse_sid(sb, opts->context, &sid); 2713 if (rc) 2714 return 1; 2715 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2716 return 1; 2717 } 2718 if (opts->rootcontext) { 2719 struct inode_security_struct *root_isec; 2720 2721 root_isec = backing_inode_security(sb->s_root); 2722 rc = parse_sid(sb, opts->rootcontext, &sid); 2723 if (rc) 2724 return 1; 2725 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2726 return 1; 2727 } 2728 if (opts->defcontext) { 2729 rc = parse_sid(sb, opts->defcontext, &sid); 2730 if (rc) 2731 return 1; 2732 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2733 return 1; 2734 } 2735 return 0; 2736 } 2737 2738 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) 2739 { 2740 struct selinux_mnt_opts *opts = mnt_opts; 2741 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2742 u32 sid; 2743 int rc; 2744 2745 if (!(sbsec->flags & SE_SBINITIALIZED)) 2746 return 0; 2747 2748 if (!opts) 2749 return 0; 2750 2751 if (opts->fscontext) { 2752 rc = parse_sid(sb, opts->fscontext, &sid); 2753 if (rc) 2754 return rc; 2755 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2756 goto out_bad_option; 2757 } 2758 if (opts->context) { 2759 rc = parse_sid(sb, opts->context, &sid); 2760 if (rc) 2761 return rc; 2762 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2763 goto out_bad_option; 2764 } 2765 if (opts->rootcontext) { 2766 struct inode_security_struct *root_isec; 2767 root_isec = backing_inode_security(sb->s_root); 2768 rc = parse_sid(sb, opts->rootcontext, &sid); 2769 if (rc) 2770 return rc; 2771 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2772 goto out_bad_option; 2773 } 2774 if (opts->defcontext) { 2775 rc = parse_sid(sb, opts->defcontext, &sid); 2776 if (rc) 2777 return rc; 2778 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2779 goto out_bad_option; 2780 } 2781 return 0; 2782 2783 out_bad_option: 2784 pr_warn("SELinux: unable to change security options " 2785 "during remount (dev %s, type=%s)\n", sb->s_id, 2786 sb->s_type->name); 2787 return -EINVAL; 2788 } 2789 2790 static int selinux_sb_kern_mount(struct super_block *sb) 2791 { 2792 const struct cred *cred = current_cred(); 2793 struct common_audit_data ad; 2794 2795 ad.type = LSM_AUDIT_DATA_DENTRY; 2796 ad.u.dentry = sb->s_root; 2797 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2798 } 2799 2800 static int selinux_sb_statfs(struct dentry *dentry) 2801 { 2802 const struct cred *cred = current_cred(); 2803 struct common_audit_data ad; 2804 2805 ad.type = LSM_AUDIT_DATA_DENTRY; 2806 ad.u.dentry = dentry->d_sb->s_root; 2807 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2808 } 2809 2810 static int selinux_mount(const char *dev_name, 2811 const struct path *path, 2812 const char *type, 2813 unsigned long flags, 2814 void *data) 2815 { 2816 const struct cred *cred = current_cred(); 2817 2818 if (flags & MS_REMOUNT) 2819 return superblock_has_perm(cred, path->dentry->d_sb, 2820 FILESYSTEM__REMOUNT, NULL); 2821 else 2822 return path_has_perm(cred, path, FILE__MOUNTON); 2823 } 2824 2825 static int selinux_move_mount(const struct path *from_path, 2826 const struct path *to_path) 2827 { 2828 const struct cred *cred = current_cred(); 2829 2830 return path_has_perm(cred, to_path, FILE__MOUNTON); 2831 } 2832 2833 static int selinux_umount(struct vfsmount *mnt, int flags) 2834 { 2835 const struct cred *cred = current_cred(); 2836 2837 return superblock_has_perm(cred, mnt->mnt_sb, 2838 FILESYSTEM__UNMOUNT, NULL); 2839 } 2840 2841 static int selinux_fs_context_dup(struct fs_context *fc, 2842 struct fs_context *src_fc) 2843 { 2844 const struct selinux_mnt_opts *src = src_fc->security; 2845 struct selinux_mnt_opts *opts; 2846 2847 if (!src) 2848 return 0; 2849 2850 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL); 2851 if (!fc->security) 2852 return -ENOMEM; 2853 2854 opts = fc->security; 2855 2856 if (src->fscontext) { 2857 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL); 2858 if (!opts->fscontext) 2859 return -ENOMEM; 2860 } 2861 if (src->context) { 2862 opts->context = kstrdup(src->context, GFP_KERNEL); 2863 if (!opts->context) 2864 return -ENOMEM; 2865 } 2866 if (src->rootcontext) { 2867 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL); 2868 if (!opts->rootcontext) 2869 return -ENOMEM; 2870 } 2871 if (src->defcontext) { 2872 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL); 2873 if (!opts->defcontext) 2874 return -ENOMEM; 2875 } 2876 return 0; 2877 } 2878 2879 static const struct fs_parameter_spec selinux_fs_parameters[] = { 2880 fsparam_string(CONTEXT_STR, Opt_context), 2881 fsparam_string(DEFCONTEXT_STR, Opt_defcontext), 2882 fsparam_string(FSCONTEXT_STR, Opt_fscontext), 2883 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext), 2884 fsparam_flag (SECLABEL_STR, Opt_seclabel), 2885 {} 2886 }; 2887 2888 static int selinux_fs_context_parse_param(struct fs_context *fc, 2889 struct fs_parameter *param) 2890 { 2891 struct fs_parse_result result; 2892 int opt, rc; 2893 2894 opt = fs_parse(fc, selinux_fs_parameters, param, &result); 2895 if (opt < 0) 2896 return opt; 2897 2898 rc = selinux_add_opt(opt, param->string, &fc->security); 2899 if (!rc) { 2900 param->string = NULL; 2901 rc = 1; 2902 } 2903 return rc; 2904 } 2905 2906 /* inode security operations */ 2907 2908 static int selinux_inode_alloc_security(struct inode *inode) 2909 { 2910 struct inode_security_struct *isec = selinux_inode(inode); 2911 u32 sid = current_sid(); 2912 2913 spin_lock_init(&isec->lock); 2914 INIT_LIST_HEAD(&isec->list); 2915 isec->inode = inode; 2916 isec->sid = SECINITSID_UNLABELED; 2917 isec->sclass = SECCLASS_FILE; 2918 isec->task_sid = sid; 2919 isec->initialized = LABEL_INVALID; 2920 2921 return 0; 2922 } 2923 2924 static void selinux_inode_free_security(struct inode *inode) 2925 { 2926 inode_free_security(inode); 2927 } 2928 2929 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2930 const struct qstr *name, 2931 const char **xattr_name, void **ctx, 2932 u32 *ctxlen) 2933 { 2934 u32 newsid; 2935 int rc; 2936 2937 rc = selinux_determine_inode_label(selinux_cred(current_cred()), 2938 d_inode(dentry->d_parent), name, 2939 inode_mode_to_security_class(mode), 2940 &newsid); 2941 if (rc) 2942 return rc; 2943 2944 if (xattr_name) 2945 *xattr_name = XATTR_NAME_SELINUX; 2946 2947 return security_sid_to_context(&selinux_state, newsid, (char **)ctx, 2948 ctxlen); 2949 } 2950 2951 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2952 struct qstr *name, 2953 const struct cred *old, 2954 struct cred *new) 2955 { 2956 u32 newsid; 2957 int rc; 2958 struct task_security_struct *tsec; 2959 2960 rc = selinux_determine_inode_label(selinux_cred(old), 2961 d_inode(dentry->d_parent), name, 2962 inode_mode_to_security_class(mode), 2963 &newsid); 2964 if (rc) 2965 return rc; 2966 2967 tsec = selinux_cred(new); 2968 tsec->create_sid = newsid; 2969 return 0; 2970 } 2971 2972 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2973 const struct qstr *qstr, 2974 const char **name, 2975 void **value, size_t *len) 2976 { 2977 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2978 struct superblock_security_struct *sbsec; 2979 u32 newsid, clen; 2980 int rc; 2981 char *context; 2982 2983 sbsec = selinux_superblock(dir->i_sb); 2984 2985 newsid = tsec->create_sid; 2986 2987 rc = selinux_determine_inode_label(tsec, dir, qstr, 2988 inode_mode_to_security_class(inode->i_mode), 2989 &newsid); 2990 if (rc) 2991 return rc; 2992 2993 /* Possibly defer initialization to selinux_complete_init. */ 2994 if (sbsec->flags & SE_SBINITIALIZED) { 2995 struct inode_security_struct *isec = selinux_inode(inode); 2996 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2997 isec->sid = newsid; 2998 isec->initialized = LABEL_INITIALIZED; 2999 } 3000 3001 if (!selinux_initialized(&selinux_state) || 3002 !(sbsec->flags & SBLABEL_MNT)) 3003 return -EOPNOTSUPP; 3004 3005 if (name) 3006 *name = XATTR_SELINUX_SUFFIX; 3007 3008 if (value && len) { 3009 rc = security_sid_to_context_force(&selinux_state, newsid, 3010 &context, &clen); 3011 if (rc) 3012 return rc; 3013 *value = context; 3014 *len = clen; 3015 } 3016 3017 return 0; 3018 } 3019 3020 static int selinux_inode_init_security_anon(struct inode *inode, 3021 const struct qstr *name, 3022 const struct inode *context_inode) 3023 { 3024 const struct task_security_struct *tsec = selinux_cred(current_cred()); 3025 struct common_audit_data ad; 3026 struct inode_security_struct *isec; 3027 int rc; 3028 3029 if (unlikely(!selinux_initialized(&selinux_state))) 3030 return 0; 3031 3032 isec = selinux_inode(inode); 3033 3034 /* 3035 * We only get here once per ephemeral inode. The inode has 3036 * been initialized via inode_alloc_security but is otherwise 3037 * untouched. 3038 */ 3039 3040 if (context_inode) { 3041 struct inode_security_struct *context_isec = 3042 selinux_inode(context_inode); 3043 if (context_isec->initialized != LABEL_INITIALIZED) { 3044 pr_err("SELinux: context_inode is not initialized"); 3045 return -EACCES; 3046 } 3047 3048 isec->sclass = context_isec->sclass; 3049 isec->sid = context_isec->sid; 3050 } else { 3051 isec->sclass = SECCLASS_ANON_INODE; 3052 rc = security_transition_sid( 3053 &selinux_state, tsec->sid, tsec->sid, 3054 isec->sclass, name, &isec->sid); 3055 if (rc) 3056 return rc; 3057 } 3058 3059 isec->initialized = LABEL_INITIALIZED; 3060 /* 3061 * Now that we've initialized security, check whether we're 3062 * allowed to actually create this type of anonymous inode. 3063 */ 3064 3065 ad.type = LSM_AUDIT_DATA_INODE; 3066 ad.u.inode = inode; 3067 3068 return avc_has_perm(&selinux_state, 3069 tsec->sid, 3070 isec->sid, 3071 isec->sclass, 3072 FILE__CREATE, 3073 &ad); 3074 } 3075 3076 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 3077 { 3078 return may_create(dir, dentry, SECCLASS_FILE); 3079 } 3080 3081 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 3082 { 3083 return may_link(dir, old_dentry, MAY_LINK); 3084 } 3085 3086 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 3087 { 3088 return may_link(dir, dentry, MAY_UNLINK); 3089 } 3090 3091 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 3092 { 3093 return may_create(dir, dentry, SECCLASS_LNK_FILE); 3094 } 3095 3096 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 3097 { 3098 return may_create(dir, dentry, SECCLASS_DIR); 3099 } 3100 3101 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 3102 { 3103 return may_link(dir, dentry, MAY_RMDIR); 3104 } 3105 3106 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 3107 { 3108 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 3109 } 3110 3111 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3112 struct inode *new_inode, struct dentry *new_dentry) 3113 { 3114 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3115 } 3116 3117 static int selinux_inode_readlink(struct dentry *dentry) 3118 { 3119 const struct cred *cred = current_cred(); 3120 3121 return dentry_has_perm(cred, dentry, FILE__READ); 3122 } 3123 3124 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3125 bool rcu) 3126 { 3127 const struct cred *cred = current_cred(); 3128 struct common_audit_data ad; 3129 struct inode_security_struct *isec; 3130 u32 sid; 3131 3132 validate_creds(cred); 3133 3134 ad.type = LSM_AUDIT_DATA_DENTRY; 3135 ad.u.dentry = dentry; 3136 sid = cred_sid(cred); 3137 isec = inode_security_rcu(inode, rcu); 3138 if (IS_ERR(isec)) 3139 return PTR_ERR(isec); 3140 3141 return avc_has_perm(&selinux_state, 3142 sid, isec->sid, isec->sclass, FILE__READ, &ad); 3143 } 3144 3145 static noinline int audit_inode_permission(struct inode *inode, 3146 u32 perms, u32 audited, u32 denied, 3147 int result) 3148 { 3149 struct common_audit_data ad; 3150 struct inode_security_struct *isec = selinux_inode(inode); 3151 3152 ad.type = LSM_AUDIT_DATA_INODE; 3153 ad.u.inode = inode; 3154 3155 return slow_avc_audit(&selinux_state, 3156 current_sid(), isec->sid, isec->sclass, perms, 3157 audited, denied, result, &ad); 3158 } 3159 3160 static int selinux_inode_permission(struct inode *inode, int mask) 3161 { 3162 const struct cred *cred = current_cred(); 3163 u32 perms; 3164 bool from_access; 3165 bool no_block = mask & MAY_NOT_BLOCK; 3166 struct inode_security_struct *isec; 3167 u32 sid; 3168 struct av_decision avd; 3169 int rc, rc2; 3170 u32 audited, denied; 3171 3172 from_access = mask & MAY_ACCESS; 3173 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3174 3175 /* No permission to check. Existence test. */ 3176 if (!mask) 3177 return 0; 3178 3179 validate_creds(cred); 3180 3181 if (unlikely(IS_PRIVATE(inode))) 3182 return 0; 3183 3184 perms = file_mask_to_av(inode->i_mode, mask); 3185 3186 sid = cred_sid(cred); 3187 isec = inode_security_rcu(inode, no_block); 3188 if (IS_ERR(isec)) 3189 return PTR_ERR(isec); 3190 3191 rc = avc_has_perm_noaudit(&selinux_state, 3192 sid, isec->sid, isec->sclass, perms, 0, 3193 &avd); 3194 audited = avc_audit_required(perms, &avd, rc, 3195 from_access ? FILE__AUDIT_ACCESS : 0, 3196 &denied); 3197 if (likely(!audited)) 3198 return rc; 3199 3200 rc2 = audit_inode_permission(inode, perms, audited, denied, rc); 3201 if (rc2) 3202 return rc2; 3203 return rc; 3204 } 3205 3206 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3207 { 3208 const struct cred *cred = current_cred(); 3209 struct inode *inode = d_backing_inode(dentry); 3210 unsigned int ia_valid = iattr->ia_valid; 3211 __u32 av = FILE__WRITE; 3212 3213 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3214 if (ia_valid & ATTR_FORCE) { 3215 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3216 ATTR_FORCE); 3217 if (!ia_valid) 3218 return 0; 3219 } 3220 3221 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3222 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3223 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3224 3225 if (selinux_policycap_openperm() && 3226 inode->i_sb->s_magic != SOCKFS_MAGIC && 3227 (ia_valid & ATTR_SIZE) && 3228 !(ia_valid & ATTR_FILE)) 3229 av |= FILE__OPEN; 3230 3231 return dentry_has_perm(cred, dentry, av); 3232 } 3233 3234 static int selinux_inode_getattr(const struct path *path) 3235 { 3236 return path_has_perm(current_cred(), path, FILE__GETATTR); 3237 } 3238 3239 static bool has_cap_mac_admin(bool audit) 3240 { 3241 const struct cred *cred = current_cred(); 3242 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT; 3243 3244 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts)) 3245 return false; 3246 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true)) 3247 return false; 3248 return true; 3249 } 3250 3251 static int selinux_inode_setxattr(struct user_namespace *mnt_userns, 3252 struct dentry *dentry, const char *name, 3253 const void *value, size_t size, int flags) 3254 { 3255 struct inode *inode = d_backing_inode(dentry); 3256 struct inode_security_struct *isec; 3257 struct superblock_security_struct *sbsec; 3258 struct common_audit_data ad; 3259 u32 newsid, sid = current_sid(); 3260 int rc = 0; 3261 3262 if (strcmp(name, XATTR_NAME_SELINUX)) { 3263 rc = cap_inode_setxattr(dentry, name, value, size, flags); 3264 if (rc) 3265 return rc; 3266 3267 /* Not an attribute we recognize, so just check the 3268 ordinary setattr permission. */ 3269 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3270 } 3271 3272 if (!selinux_initialized(&selinux_state)) 3273 return (inode_owner_or_capable(mnt_userns, inode) ? 0 : -EPERM); 3274 3275 sbsec = selinux_superblock(inode->i_sb); 3276 if (!(sbsec->flags & SBLABEL_MNT)) 3277 return -EOPNOTSUPP; 3278 3279 if (!inode_owner_or_capable(mnt_userns, inode)) 3280 return -EPERM; 3281 3282 ad.type = LSM_AUDIT_DATA_DENTRY; 3283 ad.u.dentry = dentry; 3284 3285 isec = backing_inode_security(dentry); 3286 rc = avc_has_perm(&selinux_state, 3287 sid, isec->sid, isec->sclass, 3288 FILE__RELABELFROM, &ad); 3289 if (rc) 3290 return rc; 3291 3292 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3293 GFP_KERNEL); 3294 if (rc == -EINVAL) { 3295 if (!has_cap_mac_admin(true)) { 3296 struct audit_buffer *ab; 3297 size_t audit_size; 3298 3299 /* We strip a nul only if it is at the end, otherwise the 3300 * context contains a nul and we should audit that */ 3301 if (value) { 3302 const char *str = value; 3303 3304 if (str[size - 1] == '\0') 3305 audit_size = size - 1; 3306 else 3307 audit_size = size; 3308 } else { 3309 audit_size = 0; 3310 } 3311 ab = audit_log_start(audit_context(), 3312 GFP_ATOMIC, AUDIT_SELINUX_ERR); 3313 if (!ab) 3314 return rc; 3315 audit_log_format(ab, "op=setxattr invalid_context="); 3316 audit_log_n_untrustedstring(ab, value, audit_size); 3317 audit_log_end(ab); 3318 3319 return rc; 3320 } 3321 rc = security_context_to_sid_force(&selinux_state, value, 3322 size, &newsid); 3323 } 3324 if (rc) 3325 return rc; 3326 3327 rc = avc_has_perm(&selinux_state, 3328 sid, newsid, isec->sclass, 3329 FILE__RELABELTO, &ad); 3330 if (rc) 3331 return rc; 3332 3333 rc = security_validate_transition(&selinux_state, isec->sid, newsid, 3334 sid, isec->sclass); 3335 if (rc) 3336 return rc; 3337 3338 return avc_has_perm(&selinux_state, 3339 newsid, 3340 sbsec->sid, 3341 SECCLASS_FILESYSTEM, 3342 FILESYSTEM__ASSOCIATE, 3343 &ad); 3344 } 3345 3346 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3347 const void *value, size_t size, 3348 int flags) 3349 { 3350 struct inode *inode = d_backing_inode(dentry); 3351 struct inode_security_struct *isec; 3352 u32 newsid; 3353 int rc; 3354 3355 if (strcmp(name, XATTR_NAME_SELINUX)) { 3356 /* Not an attribute we recognize, so nothing to do. */ 3357 return; 3358 } 3359 3360 if (!selinux_initialized(&selinux_state)) { 3361 /* If we haven't even been initialized, then we can't validate 3362 * against a policy, so leave the label as invalid. It may 3363 * resolve to a valid label on the next revalidation try if 3364 * we've since initialized. 3365 */ 3366 return; 3367 } 3368 3369 rc = security_context_to_sid_force(&selinux_state, value, size, 3370 &newsid); 3371 if (rc) { 3372 pr_err("SELinux: unable to map context to SID" 3373 "for (%s, %lu), rc=%d\n", 3374 inode->i_sb->s_id, inode->i_ino, -rc); 3375 return; 3376 } 3377 3378 isec = backing_inode_security(dentry); 3379 spin_lock(&isec->lock); 3380 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3381 isec->sid = newsid; 3382 isec->initialized = LABEL_INITIALIZED; 3383 spin_unlock(&isec->lock); 3384 3385 return; 3386 } 3387 3388 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3389 { 3390 const struct cred *cred = current_cred(); 3391 3392 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3393 } 3394 3395 static int selinux_inode_listxattr(struct dentry *dentry) 3396 { 3397 const struct cred *cred = current_cred(); 3398 3399 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3400 } 3401 3402 static int selinux_inode_removexattr(struct user_namespace *mnt_userns, 3403 struct dentry *dentry, const char *name) 3404 { 3405 if (strcmp(name, XATTR_NAME_SELINUX)) { 3406 int rc = cap_inode_removexattr(mnt_userns, dentry, name); 3407 if (rc) 3408 return rc; 3409 3410 /* Not an attribute we recognize, so just check the 3411 ordinary setattr permission. */ 3412 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3413 } 3414 3415 if (!selinux_initialized(&selinux_state)) 3416 return 0; 3417 3418 /* No one is allowed to remove a SELinux security label. 3419 You can change the label, but all data must be labeled. */ 3420 return -EACCES; 3421 } 3422 3423 static int selinux_path_notify(const struct path *path, u64 mask, 3424 unsigned int obj_type) 3425 { 3426 int ret; 3427 u32 perm; 3428 3429 struct common_audit_data ad; 3430 3431 ad.type = LSM_AUDIT_DATA_PATH; 3432 ad.u.path = *path; 3433 3434 /* 3435 * Set permission needed based on the type of mark being set. 3436 * Performs an additional check for sb watches. 3437 */ 3438 switch (obj_type) { 3439 case FSNOTIFY_OBJ_TYPE_VFSMOUNT: 3440 perm = FILE__WATCH_MOUNT; 3441 break; 3442 case FSNOTIFY_OBJ_TYPE_SB: 3443 perm = FILE__WATCH_SB; 3444 ret = superblock_has_perm(current_cred(), path->dentry->d_sb, 3445 FILESYSTEM__WATCH, &ad); 3446 if (ret) 3447 return ret; 3448 break; 3449 case FSNOTIFY_OBJ_TYPE_INODE: 3450 perm = FILE__WATCH; 3451 break; 3452 default: 3453 return -EINVAL; 3454 } 3455 3456 /* blocking watches require the file:watch_with_perm permission */ 3457 if (mask & (ALL_FSNOTIFY_PERM_EVENTS)) 3458 perm |= FILE__WATCH_WITH_PERM; 3459 3460 /* watches on read-like events need the file:watch_reads permission */ 3461 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE)) 3462 perm |= FILE__WATCH_READS; 3463 3464 return path_has_perm(current_cred(), path, perm); 3465 } 3466 3467 /* 3468 * Copy the inode security context value to the user. 3469 * 3470 * Permission check is handled by selinux_inode_getxattr hook. 3471 */ 3472 static int selinux_inode_getsecurity(struct user_namespace *mnt_userns, 3473 struct inode *inode, const char *name, 3474 void **buffer, bool alloc) 3475 { 3476 u32 size; 3477 int error; 3478 char *context = NULL; 3479 struct inode_security_struct *isec; 3480 3481 /* 3482 * If we're not initialized yet, then we can't validate contexts, so 3483 * just let vfs_getxattr fall back to using the on-disk xattr. 3484 */ 3485 if (!selinux_initialized(&selinux_state) || 3486 strcmp(name, XATTR_SELINUX_SUFFIX)) 3487 return -EOPNOTSUPP; 3488 3489 /* 3490 * If the caller has CAP_MAC_ADMIN, then get the raw context 3491 * value even if it is not defined by current policy; otherwise, 3492 * use the in-core value under current policy. 3493 * Use the non-auditing forms of the permission checks since 3494 * getxattr may be called by unprivileged processes commonly 3495 * and lack of permission just means that we fall back to the 3496 * in-core context value, not a denial. 3497 */ 3498 isec = inode_security(inode); 3499 if (has_cap_mac_admin(false)) 3500 error = security_sid_to_context_force(&selinux_state, 3501 isec->sid, &context, 3502 &size); 3503 else 3504 error = security_sid_to_context(&selinux_state, isec->sid, 3505 &context, &size); 3506 if (error) 3507 return error; 3508 error = size; 3509 if (alloc) { 3510 *buffer = context; 3511 goto out_nofree; 3512 } 3513 kfree(context); 3514 out_nofree: 3515 return error; 3516 } 3517 3518 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3519 const void *value, size_t size, int flags) 3520 { 3521 struct inode_security_struct *isec = inode_security_novalidate(inode); 3522 struct superblock_security_struct *sbsec; 3523 u32 newsid; 3524 int rc; 3525 3526 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3527 return -EOPNOTSUPP; 3528 3529 sbsec = selinux_superblock(inode->i_sb); 3530 if (!(sbsec->flags & SBLABEL_MNT)) 3531 return -EOPNOTSUPP; 3532 3533 if (!value || !size) 3534 return -EACCES; 3535 3536 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3537 GFP_KERNEL); 3538 if (rc) 3539 return rc; 3540 3541 spin_lock(&isec->lock); 3542 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3543 isec->sid = newsid; 3544 isec->initialized = LABEL_INITIALIZED; 3545 spin_unlock(&isec->lock); 3546 return 0; 3547 } 3548 3549 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3550 { 3551 const int len = sizeof(XATTR_NAME_SELINUX); 3552 3553 if (!selinux_initialized(&selinux_state)) 3554 return 0; 3555 3556 if (buffer && len <= buffer_size) 3557 memcpy(buffer, XATTR_NAME_SELINUX, len); 3558 return len; 3559 } 3560 3561 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3562 { 3563 struct inode_security_struct *isec = inode_security_novalidate(inode); 3564 *secid = isec->sid; 3565 } 3566 3567 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3568 { 3569 u32 sid; 3570 struct task_security_struct *tsec; 3571 struct cred *new_creds = *new; 3572 3573 if (new_creds == NULL) { 3574 new_creds = prepare_creds(); 3575 if (!new_creds) 3576 return -ENOMEM; 3577 } 3578 3579 tsec = selinux_cred(new_creds); 3580 /* Get label from overlay inode and set it in create_sid */ 3581 selinux_inode_getsecid(d_inode(src), &sid); 3582 tsec->create_sid = sid; 3583 *new = new_creds; 3584 return 0; 3585 } 3586 3587 static int selinux_inode_copy_up_xattr(const char *name) 3588 { 3589 /* The copy_up hook above sets the initial context on an inode, but we 3590 * don't then want to overwrite it by blindly copying all the lower 3591 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3592 */ 3593 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3594 return 1; /* Discard */ 3595 /* 3596 * Any other attribute apart from SELINUX is not claimed, supported 3597 * by selinux. 3598 */ 3599 return -EOPNOTSUPP; 3600 } 3601 3602 /* kernfs node operations */ 3603 3604 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, 3605 struct kernfs_node *kn) 3606 { 3607 const struct task_security_struct *tsec = selinux_cred(current_cred()); 3608 u32 parent_sid, newsid, clen; 3609 int rc; 3610 char *context; 3611 3612 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0); 3613 if (rc == -ENODATA) 3614 return 0; 3615 else if (rc < 0) 3616 return rc; 3617 3618 clen = (u32)rc; 3619 context = kmalloc(clen, GFP_KERNEL); 3620 if (!context) 3621 return -ENOMEM; 3622 3623 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen); 3624 if (rc < 0) { 3625 kfree(context); 3626 return rc; 3627 } 3628 3629 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid, 3630 GFP_KERNEL); 3631 kfree(context); 3632 if (rc) 3633 return rc; 3634 3635 if (tsec->create_sid) { 3636 newsid = tsec->create_sid; 3637 } else { 3638 u16 secclass = inode_mode_to_security_class(kn->mode); 3639 struct qstr q; 3640 3641 q.name = kn->name; 3642 q.hash_len = hashlen_string(kn_dir, kn->name); 3643 3644 rc = security_transition_sid(&selinux_state, tsec->sid, 3645 parent_sid, secclass, &q, 3646 &newsid); 3647 if (rc) 3648 return rc; 3649 } 3650 3651 rc = security_sid_to_context_force(&selinux_state, newsid, 3652 &context, &clen); 3653 if (rc) 3654 return rc; 3655 3656 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen, 3657 XATTR_CREATE); 3658 kfree(context); 3659 return rc; 3660 } 3661 3662 3663 /* file security operations */ 3664 3665 static int selinux_revalidate_file_permission(struct file *file, int mask) 3666 { 3667 const struct cred *cred = current_cred(); 3668 struct inode *inode = file_inode(file); 3669 3670 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3671 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3672 mask |= MAY_APPEND; 3673 3674 return file_has_perm(cred, file, 3675 file_mask_to_av(inode->i_mode, mask)); 3676 } 3677 3678 static int selinux_file_permission(struct file *file, int mask) 3679 { 3680 struct inode *inode = file_inode(file); 3681 struct file_security_struct *fsec = selinux_file(file); 3682 struct inode_security_struct *isec; 3683 u32 sid = current_sid(); 3684 3685 if (!mask) 3686 /* No permission to check. Existence test. */ 3687 return 0; 3688 3689 isec = inode_security(inode); 3690 if (sid == fsec->sid && fsec->isid == isec->sid && 3691 fsec->pseqno == avc_policy_seqno(&selinux_state)) 3692 /* No change since file_open check. */ 3693 return 0; 3694 3695 return selinux_revalidate_file_permission(file, mask); 3696 } 3697 3698 static int selinux_file_alloc_security(struct file *file) 3699 { 3700 struct file_security_struct *fsec = selinux_file(file); 3701 u32 sid = current_sid(); 3702 3703 fsec->sid = sid; 3704 fsec->fown_sid = sid; 3705 3706 return 0; 3707 } 3708 3709 /* 3710 * Check whether a task has the ioctl permission and cmd 3711 * operation to an inode. 3712 */ 3713 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3714 u32 requested, u16 cmd) 3715 { 3716 struct common_audit_data ad; 3717 struct file_security_struct *fsec = selinux_file(file); 3718 struct inode *inode = file_inode(file); 3719 struct inode_security_struct *isec; 3720 struct lsm_ioctlop_audit ioctl; 3721 u32 ssid = cred_sid(cred); 3722 int rc; 3723 u8 driver = cmd >> 8; 3724 u8 xperm = cmd & 0xff; 3725 3726 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3727 ad.u.op = &ioctl; 3728 ad.u.op->cmd = cmd; 3729 ad.u.op->path = file->f_path; 3730 3731 if (ssid != fsec->sid) { 3732 rc = avc_has_perm(&selinux_state, 3733 ssid, fsec->sid, 3734 SECCLASS_FD, 3735 FD__USE, 3736 &ad); 3737 if (rc) 3738 goto out; 3739 } 3740 3741 if (unlikely(IS_PRIVATE(inode))) 3742 return 0; 3743 3744 isec = inode_security(inode); 3745 rc = avc_has_extended_perms(&selinux_state, 3746 ssid, isec->sid, isec->sclass, 3747 requested, driver, xperm, &ad); 3748 out: 3749 return rc; 3750 } 3751 3752 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3753 unsigned long arg) 3754 { 3755 const struct cred *cred = current_cred(); 3756 int error = 0; 3757 3758 switch (cmd) { 3759 case FIONREAD: 3760 case FIBMAP: 3761 case FIGETBSZ: 3762 case FS_IOC_GETFLAGS: 3763 case FS_IOC_GETVERSION: 3764 error = file_has_perm(cred, file, FILE__GETATTR); 3765 break; 3766 3767 case FS_IOC_SETFLAGS: 3768 case FS_IOC_SETVERSION: 3769 error = file_has_perm(cred, file, FILE__SETATTR); 3770 break; 3771 3772 /* sys_ioctl() checks */ 3773 case FIONBIO: 3774 case FIOASYNC: 3775 error = file_has_perm(cred, file, 0); 3776 break; 3777 3778 case KDSKBENT: 3779 case KDSKBSENT: 3780 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3781 CAP_OPT_NONE, true); 3782 break; 3783 3784 /* default case assumes that the command will go 3785 * to the file's ioctl() function. 3786 */ 3787 default: 3788 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3789 } 3790 return error; 3791 } 3792 3793 static int default_noexec __ro_after_init; 3794 3795 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3796 { 3797 const struct cred *cred = current_cred(); 3798 u32 sid = cred_sid(cred); 3799 int rc = 0; 3800 3801 if (default_noexec && 3802 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3803 (!shared && (prot & PROT_WRITE)))) { 3804 /* 3805 * We are making executable an anonymous mapping or a 3806 * private file mapping that will also be writable. 3807 * This has an additional check. 3808 */ 3809 rc = avc_has_perm(&selinux_state, 3810 sid, sid, SECCLASS_PROCESS, 3811 PROCESS__EXECMEM, NULL); 3812 if (rc) 3813 goto error; 3814 } 3815 3816 if (file) { 3817 /* read access is always possible with a mapping */ 3818 u32 av = FILE__READ; 3819 3820 /* write access only matters if the mapping is shared */ 3821 if (shared && (prot & PROT_WRITE)) 3822 av |= FILE__WRITE; 3823 3824 if (prot & PROT_EXEC) 3825 av |= FILE__EXECUTE; 3826 3827 return file_has_perm(cred, file, av); 3828 } 3829 3830 error: 3831 return rc; 3832 } 3833 3834 static int selinux_mmap_addr(unsigned long addr) 3835 { 3836 int rc = 0; 3837 3838 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3839 u32 sid = current_sid(); 3840 rc = avc_has_perm(&selinux_state, 3841 sid, sid, SECCLASS_MEMPROTECT, 3842 MEMPROTECT__MMAP_ZERO, NULL); 3843 } 3844 3845 return rc; 3846 } 3847 3848 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3849 unsigned long prot, unsigned long flags) 3850 { 3851 struct common_audit_data ad; 3852 int rc; 3853 3854 if (file) { 3855 ad.type = LSM_AUDIT_DATA_FILE; 3856 ad.u.file = file; 3857 rc = inode_has_perm(current_cred(), file_inode(file), 3858 FILE__MAP, &ad); 3859 if (rc) 3860 return rc; 3861 } 3862 3863 if (checkreqprot_get(&selinux_state)) 3864 prot = reqprot; 3865 3866 return file_map_prot_check(file, prot, 3867 (flags & MAP_TYPE) == MAP_SHARED); 3868 } 3869 3870 static int selinux_file_mprotect(struct vm_area_struct *vma, 3871 unsigned long reqprot, 3872 unsigned long prot) 3873 { 3874 const struct cred *cred = current_cred(); 3875 u32 sid = cred_sid(cred); 3876 3877 if (checkreqprot_get(&selinux_state)) 3878 prot = reqprot; 3879 3880 if (default_noexec && 3881 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3882 int rc = 0; 3883 if (vma->vm_start >= vma->vm_mm->start_brk && 3884 vma->vm_end <= vma->vm_mm->brk) { 3885 rc = avc_has_perm(&selinux_state, 3886 sid, sid, SECCLASS_PROCESS, 3887 PROCESS__EXECHEAP, NULL); 3888 } else if (!vma->vm_file && 3889 ((vma->vm_start <= vma->vm_mm->start_stack && 3890 vma->vm_end >= vma->vm_mm->start_stack) || 3891 vma_is_stack_for_current(vma))) { 3892 rc = avc_has_perm(&selinux_state, 3893 sid, sid, SECCLASS_PROCESS, 3894 PROCESS__EXECSTACK, NULL); 3895 } else if (vma->vm_file && vma->anon_vma) { 3896 /* 3897 * We are making executable a file mapping that has 3898 * had some COW done. Since pages might have been 3899 * written, check ability to execute the possibly 3900 * modified content. This typically should only 3901 * occur for text relocations. 3902 */ 3903 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3904 } 3905 if (rc) 3906 return rc; 3907 } 3908 3909 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3910 } 3911 3912 static int selinux_file_lock(struct file *file, unsigned int cmd) 3913 { 3914 const struct cred *cred = current_cred(); 3915 3916 return file_has_perm(cred, file, FILE__LOCK); 3917 } 3918 3919 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3920 unsigned long arg) 3921 { 3922 const struct cred *cred = current_cred(); 3923 int err = 0; 3924 3925 switch (cmd) { 3926 case F_SETFL: 3927 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3928 err = file_has_perm(cred, file, FILE__WRITE); 3929 break; 3930 } 3931 fallthrough; 3932 case F_SETOWN: 3933 case F_SETSIG: 3934 case F_GETFL: 3935 case F_GETOWN: 3936 case F_GETSIG: 3937 case F_GETOWNER_UIDS: 3938 /* Just check FD__USE permission */ 3939 err = file_has_perm(cred, file, 0); 3940 break; 3941 case F_GETLK: 3942 case F_SETLK: 3943 case F_SETLKW: 3944 case F_OFD_GETLK: 3945 case F_OFD_SETLK: 3946 case F_OFD_SETLKW: 3947 #if BITS_PER_LONG == 32 3948 case F_GETLK64: 3949 case F_SETLK64: 3950 case F_SETLKW64: 3951 #endif 3952 err = file_has_perm(cred, file, FILE__LOCK); 3953 break; 3954 } 3955 3956 return err; 3957 } 3958 3959 static void selinux_file_set_fowner(struct file *file) 3960 { 3961 struct file_security_struct *fsec; 3962 3963 fsec = selinux_file(file); 3964 fsec->fown_sid = current_sid(); 3965 } 3966 3967 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3968 struct fown_struct *fown, int signum) 3969 { 3970 struct file *file; 3971 u32 sid = task_sid_obj(tsk); 3972 u32 perm; 3973 struct file_security_struct *fsec; 3974 3975 /* struct fown_struct is never outside the context of a struct file */ 3976 file = container_of(fown, struct file, f_owner); 3977 3978 fsec = selinux_file(file); 3979 3980 if (!signum) 3981 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3982 else 3983 perm = signal_to_av(signum); 3984 3985 return avc_has_perm(&selinux_state, 3986 fsec->fown_sid, sid, 3987 SECCLASS_PROCESS, perm, NULL); 3988 } 3989 3990 static int selinux_file_receive(struct file *file) 3991 { 3992 const struct cred *cred = current_cred(); 3993 3994 return file_has_perm(cred, file, file_to_av(file)); 3995 } 3996 3997 static int selinux_file_open(struct file *file) 3998 { 3999 struct file_security_struct *fsec; 4000 struct inode_security_struct *isec; 4001 4002 fsec = selinux_file(file); 4003 isec = inode_security(file_inode(file)); 4004 /* 4005 * Save inode label and policy sequence number 4006 * at open-time so that selinux_file_permission 4007 * can determine whether revalidation is necessary. 4008 * Task label is already saved in the file security 4009 * struct as its SID. 4010 */ 4011 fsec->isid = isec->sid; 4012 fsec->pseqno = avc_policy_seqno(&selinux_state); 4013 /* 4014 * Since the inode label or policy seqno may have changed 4015 * between the selinux_inode_permission check and the saving 4016 * of state above, recheck that access is still permitted. 4017 * Otherwise, access might never be revalidated against the 4018 * new inode label or new policy. 4019 * This check is not redundant - do not remove. 4020 */ 4021 return file_path_has_perm(file->f_cred, file, open_file_to_av(file)); 4022 } 4023 4024 /* task security operations */ 4025 4026 static int selinux_task_alloc(struct task_struct *task, 4027 unsigned long clone_flags) 4028 { 4029 u32 sid = current_sid(); 4030 4031 return avc_has_perm(&selinux_state, 4032 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 4033 } 4034 4035 /* 4036 * prepare a new set of credentials for modification 4037 */ 4038 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 4039 gfp_t gfp) 4040 { 4041 const struct task_security_struct *old_tsec = selinux_cred(old); 4042 struct task_security_struct *tsec = selinux_cred(new); 4043 4044 *tsec = *old_tsec; 4045 return 0; 4046 } 4047 4048 /* 4049 * transfer the SELinux data to a blank set of creds 4050 */ 4051 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 4052 { 4053 const struct task_security_struct *old_tsec = selinux_cred(old); 4054 struct task_security_struct *tsec = selinux_cred(new); 4055 4056 *tsec = *old_tsec; 4057 } 4058 4059 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 4060 { 4061 *secid = cred_sid(c); 4062 } 4063 4064 /* 4065 * set the security data for a kernel service 4066 * - all the creation contexts are set to unlabelled 4067 */ 4068 static int selinux_kernel_act_as(struct cred *new, u32 secid) 4069 { 4070 struct task_security_struct *tsec = selinux_cred(new); 4071 u32 sid = current_sid(); 4072 int ret; 4073 4074 ret = avc_has_perm(&selinux_state, 4075 sid, secid, 4076 SECCLASS_KERNEL_SERVICE, 4077 KERNEL_SERVICE__USE_AS_OVERRIDE, 4078 NULL); 4079 if (ret == 0) { 4080 tsec->sid = secid; 4081 tsec->create_sid = 0; 4082 tsec->keycreate_sid = 0; 4083 tsec->sockcreate_sid = 0; 4084 } 4085 return ret; 4086 } 4087 4088 /* 4089 * set the file creation context in a security record to the same as the 4090 * objective context of the specified inode 4091 */ 4092 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 4093 { 4094 struct inode_security_struct *isec = inode_security(inode); 4095 struct task_security_struct *tsec = selinux_cred(new); 4096 u32 sid = current_sid(); 4097 int ret; 4098 4099 ret = avc_has_perm(&selinux_state, 4100 sid, isec->sid, 4101 SECCLASS_KERNEL_SERVICE, 4102 KERNEL_SERVICE__CREATE_FILES_AS, 4103 NULL); 4104 4105 if (ret == 0) 4106 tsec->create_sid = isec->sid; 4107 return ret; 4108 } 4109 4110 static int selinux_kernel_module_request(char *kmod_name) 4111 { 4112 struct common_audit_data ad; 4113 4114 ad.type = LSM_AUDIT_DATA_KMOD; 4115 ad.u.kmod_name = kmod_name; 4116 4117 return avc_has_perm(&selinux_state, 4118 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4119 SYSTEM__MODULE_REQUEST, &ad); 4120 } 4121 4122 static int selinux_kernel_module_from_file(struct file *file) 4123 { 4124 struct common_audit_data ad; 4125 struct inode_security_struct *isec; 4126 struct file_security_struct *fsec; 4127 u32 sid = current_sid(); 4128 int rc; 4129 4130 /* init_module */ 4131 if (file == NULL) 4132 return avc_has_perm(&selinux_state, 4133 sid, sid, SECCLASS_SYSTEM, 4134 SYSTEM__MODULE_LOAD, NULL); 4135 4136 /* finit_module */ 4137 4138 ad.type = LSM_AUDIT_DATA_FILE; 4139 ad.u.file = file; 4140 4141 fsec = selinux_file(file); 4142 if (sid != fsec->sid) { 4143 rc = avc_has_perm(&selinux_state, 4144 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4145 if (rc) 4146 return rc; 4147 } 4148 4149 isec = inode_security(file_inode(file)); 4150 return avc_has_perm(&selinux_state, 4151 sid, isec->sid, SECCLASS_SYSTEM, 4152 SYSTEM__MODULE_LOAD, &ad); 4153 } 4154 4155 static int selinux_kernel_read_file(struct file *file, 4156 enum kernel_read_file_id id, 4157 bool contents) 4158 { 4159 int rc = 0; 4160 4161 switch (id) { 4162 case READING_MODULE: 4163 rc = selinux_kernel_module_from_file(contents ? file : NULL); 4164 break; 4165 default: 4166 break; 4167 } 4168 4169 return rc; 4170 } 4171 4172 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents) 4173 { 4174 int rc = 0; 4175 4176 switch (id) { 4177 case LOADING_MODULE: 4178 rc = selinux_kernel_module_from_file(NULL); 4179 break; 4180 default: 4181 break; 4182 } 4183 4184 return rc; 4185 } 4186 4187 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4188 { 4189 return avc_has_perm(&selinux_state, 4190 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4191 PROCESS__SETPGID, NULL); 4192 } 4193 4194 static int selinux_task_getpgid(struct task_struct *p) 4195 { 4196 return avc_has_perm(&selinux_state, 4197 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4198 PROCESS__GETPGID, NULL); 4199 } 4200 4201 static int selinux_task_getsid(struct task_struct *p) 4202 { 4203 return avc_has_perm(&selinux_state, 4204 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4205 PROCESS__GETSESSION, NULL); 4206 } 4207 4208 static void selinux_task_getsecid_subj(struct task_struct *p, u32 *secid) 4209 { 4210 *secid = task_sid_subj(p); 4211 } 4212 4213 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid) 4214 { 4215 *secid = task_sid_obj(p); 4216 } 4217 4218 static int selinux_task_setnice(struct task_struct *p, int nice) 4219 { 4220 return avc_has_perm(&selinux_state, 4221 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4222 PROCESS__SETSCHED, NULL); 4223 } 4224 4225 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4226 { 4227 return avc_has_perm(&selinux_state, 4228 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4229 PROCESS__SETSCHED, NULL); 4230 } 4231 4232 static int selinux_task_getioprio(struct task_struct *p) 4233 { 4234 return avc_has_perm(&selinux_state, 4235 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4236 PROCESS__GETSCHED, NULL); 4237 } 4238 4239 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4240 unsigned int flags) 4241 { 4242 u32 av = 0; 4243 4244 if (!flags) 4245 return 0; 4246 if (flags & LSM_PRLIMIT_WRITE) 4247 av |= PROCESS__SETRLIMIT; 4248 if (flags & LSM_PRLIMIT_READ) 4249 av |= PROCESS__GETRLIMIT; 4250 return avc_has_perm(&selinux_state, 4251 cred_sid(cred), cred_sid(tcred), 4252 SECCLASS_PROCESS, av, NULL); 4253 } 4254 4255 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4256 struct rlimit *new_rlim) 4257 { 4258 struct rlimit *old_rlim = p->signal->rlim + resource; 4259 4260 /* Control the ability to change the hard limit (whether 4261 lowering or raising it), so that the hard limit can 4262 later be used as a safe reset point for the soft limit 4263 upon context transitions. See selinux_bprm_committing_creds. */ 4264 if (old_rlim->rlim_max != new_rlim->rlim_max) 4265 return avc_has_perm(&selinux_state, 4266 current_sid(), task_sid_obj(p), 4267 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4268 4269 return 0; 4270 } 4271 4272 static int selinux_task_setscheduler(struct task_struct *p) 4273 { 4274 return avc_has_perm(&selinux_state, 4275 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4276 PROCESS__SETSCHED, NULL); 4277 } 4278 4279 static int selinux_task_getscheduler(struct task_struct *p) 4280 { 4281 return avc_has_perm(&selinux_state, 4282 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4283 PROCESS__GETSCHED, NULL); 4284 } 4285 4286 static int selinux_task_movememory(struct task_struct *p) 4287 { 4288 return avc_has_perm(&selinux_state, 4289 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4290 PROCESS__SETSCHED, NULL); 4291 } 4292 4293 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, 4294 int sig, const struct cred *cred) 4295 { 4296 u32 secid; 4297 u32 perm; 4298 4299 if (!sig) 4300 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4301 else 4302 perm = signal_to_av(sig); 4303 if (!cred) 4304 secid = current_sid(); 4305 else 4306 secid = cred_sid(cred); 4307 return avc_has_perm(&selinux_state, 4308 secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL); 4309 } 4310 4311 static void selinux_task_to_inode(struct task_struct *p, 4312 struct inode *inode) 4313 { 4314 struct inode_security_struct *isec = selinux_inode(inode); 4315 u32 sid = task_sid_obj(p); 4316 4317 spin_lock(&isec->lock); 4318 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4319 isec->sid = sid; 4320 isec->initialized = LABEL_INITIALIZED; 4321 spin_unlock(&isec->lock); 4322 } 4323 4324 /* Returns error only if unable to parse addresses */ 4325 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4326 struct common_audit_data *ad, u8 *proto) 4327 { 4328 int offset, ihlen, ret = -EINVAL; 4329 struct iphdr _iph, *ih; 4330 4331 offset = skb_network_offset(skb); 4332 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4333 if (ih == NULL) 4334 goto out; 4335 4336 ihlen = ih->ihl * 4; 4337 if (ihlen < sizeof(_iph)) 4338 goto out; 4339 4340 ad->u.net->v4info.saddr = ih->saddr; 4341 ad->u.net->v4info.daddr = ih->daddr; 4342 ret = 0; 4343 4344 if (proto) 4345 *proto = ih->protocol; 4346 4347 switch (ih->protocol) { 4348 case IPPROTO_TCP: { 4349 struct tcphdr _tcph, *th; 4350 4351 if (ntohs(ih->frag_off) & IP_OFFSET) 4352 break; 4353 4354 offset += ihlen; 4355 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4356 if (th == NULL) 4357 break; 4358 4359 ad->u.net->sport = th->source; 4360 ad->u.net->dport = th->dest; 4361 break; 4362 } 4363 4364 case IPPROTO_UDP: { 4365 struct udphdr _udph, *uh; 4366 4367 if (ntohs(ih->frag_off) & IP_OFFSET) 4368 break; 4369 4370 offset += ihlen; 4371 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4372 if (uh == NULL) 4373 break; 4374 4375 ad->u.net->sport = uh->source; 4376 ad->u.net->dport = uh->dest; 4377 break; 4378 } 4379 4380 case IPPROTO_DCCP: { 4381 struct dccp_hdr _dccph, *dh; 4382 4383 if (ntohs(ih->frag_off) & IP_OFFSET) 4384 break; 4385 4386 offset += ihlen; 4387 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4388 if (dh == NULL) 4389 break; 4390 4391 ad->u.net->sport = dh->dccph_sport; 4392 ad->u.net->dport = dh->dccph_dport; 4393 break; 4394 } 4395 4396 #if IS_ENABLED(CONFIG_IP_SCTP) 4397 case IPPROTO_SCTP: { 4398 struct sctphdr _sctph, *sh; 4399 4400 if (ntohs(ih->frag_off) & IP_OFFSET) 4401 break; 4402 4403 offset += ihlen; 4404 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4405 if (sh == NULL) 4406 break; 4407 4408 ad->u.net->sport = sh->source; 4409 ad->u.net->dport = sh->dest; 4410 break; 4411 } 4412 #endif 4413 default: 4414 break; 4415 } 4416 out: 4417 return ret; 4418 } 4419 4420 #if IS_ENABLED(CONFIG_IPV6) 4421 4422 /* Returns error only if unable to parse addresses */ 4423 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4424 struct common_audit_data *ad, u8 *proto) 4425 { 4426 u8 nexthdr; 4427 int ret = -EINVAL, offset; 4428 struct ipv6hdr _ipv6h, *ip6; 4429 __be16 frag_off; 4430 4431 offset = skb_network_offset(skb); 4432 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4433 if (ip6 == NULL) 4434 goto out; 4435 4436 ad->u.net->v6info.saddr = ip6->saddr; 4437 ad->u.net->v6info.daddr = ip6->daddr; 4438 ret = 0; 4439 4440 nexthdr = ip6->nexthdr; 4441 offset += sizeof(_ipv6h); 4442 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4443 if (offset < 0) 4444 goto out; 4445 4446 if (proto) 4447 *proto = nexthdr; 4448 4449 switch (nexthdr) { 4450 case IPPROTO_TCP: { 4451 struct tcphdr _tcph, *th; 4452 4453 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4454 if (th == NULL) 4455 break; 4456 4457 ad->u.net->sport = th->source; 4458 ad->u.net->dport = th->dest; 4459 break; 4460 } 4461 4462 case IPPROTO_UDP: { 4463 struct udphdr _udph, *uh; 4464 4465 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4466 if (uh == NULL) 4467 break; 4468 4469 ad->u.net->sport = uh->source; 4470 ad->u.net->dport = uh->dest; 4471 break; 4472 } 4473 4474 case IPPROTO_DCCP: { 4475 struct dccp_hdr _dccph, *dh; 4476 4477 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4478 if (dh == NULL) 4479 break; 4480 4481 ad->u.net->sport = dh->dccph_sport; 4482 ad->u.net->dport = dh->dccph_dport; 4483 break; 4484 } 4485 4486 #if IS_ENABLED(CONFIG_IP_SCTP) 4487 case IPPROTO_SCTP: { 4488 struct sctphdr _sctph, *sh; 4489 4490 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4491 if (sh == NULL) 4492 break; 4493 4494 ad->u.net->sport = sh->source; 4495 ad->u.net->dport = sh->dest; 4496 break; 4497 } 4498 #endif 4499 /* includes fragments */ 4500 default: 4501 break; 4502 } 4503 out: 4504 return ret; 4505 } 4506 4507 #endif /* IPV6 */ 4508 4509 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4510 char **_addrp, int src, u8 *proto) 4511 { 4512 char *addrp; 4513 int ret; 4514 4515 switch (ad->u.net->family) { 4516 case PF_INET: 4517 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4518 if (ret) 4519 goto parse_error; 4520 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4521 &ad->u.net->v4info.daddr); 4522 goto okay; 4523 4524 #if IS_ENABLED(CONFIG_IPV6) 4525 case PF_INET6: 4526 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4527 if (ret) 4528 goto parse_error; 4529 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4530 &ad->u.net->v6info.daddr); 4531 goto okay; 4532 #endif /* IPV6 */ 4533 default: 4534 addrp = NULL; 4535 goto okay; 4536 } 4537 4538 parse_error: 4539 pr_warn( 4540 "SELinux: failure in selinux_parse_skb()," 4541 " unable to parse packet\n"); 4542 return ret; 4543 4544 okay: 4545 if (_addrp) 4546 *_addrp = addrp; 4547 return 0; 4548 } 4549 4550 /** 4551 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4552 * @skb: the packet 4553 * @family: protocol family 4554 * @sid: the packet's peer label SID 4555 * 4556 * Description: 4557 * Check the various different forms of network peer labeling and determine 4558 * the peer label/SID for the packet; most of the magic actually occurs in 4559 * the security server function security_net_peersid_cmp(). The function 4560 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4561 * or -EACCES if @sid is invalid due to inconsistencies with the different 4562 * peer labels. 4563 * 4564 */ 4565 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4566 { 4567 int err; 4568 u32 xfrm_sid; 4569 u32 nlbl_sid; 4570 u32 nlbl_type; 4571 4572 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4573 if (unlikely(err)) 4574 return -EACCES; 4575 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4576 if (unlikely(err)) 4577 return -EACCES; 4578 4579 err = security_net_peersid_resolve(&selinux_state, nlbl_sid, 4580 nlbl_type, xfrm_sid, sid); 4581 if (unlikely(err)) { 4582 pr_warn( 4583 "SELinux: failure in selinux_skb_peerlbl_sid()," 4584 " unable to determine packet's peer label\n"); 4585 return -EACCES; 4586 } 4587 4588 return 0; 4589 } 4590 4591 /** 4592 * selinux_conn_sid - Determine the child socket label for a connection 4593 * @sk_sid: the parent socket's SID 4594 * @skb_sid: the packet's SID 4595 * @conn_sid: the resulting connection SID 4596 * 4597 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4598 * combined with the MLS information from @skb_sid in order to create 4599 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy 4600 * of @sk_sid. Returns zero on success, negative values on failure. 4601 * 4602 */ 4603 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4604 { 4605 int err = 0; 4606 4607 if (skb_sid != SECSID_NULL) 4608 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid, 4609 conn_sid); 4610 else 4611 *conn_sid = sk_sid; 4612 4613 return err; 4614 } 4615 4616 /* socket security operations */ 4617 4618 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4619 u16 secclass, u32 *socksid) 4620 { 4621 if (tsec->sockcreate_sid > SECSID_NULL) { 4622 *socksid = tsec->sockcreate_sid; 4623 return 0; 4624 } 4625 4626 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid, 4627 secclass, NULL, socksid); 4628 } 4629 4630 static int sock_has_perm(struct sock *sk, u32 perms) 4631 { 4632 struct sk_security_struct *sksec = sk->sk_security; 4633 struct common_audit_data ad; 4634 struct lsm_network_audit net = {0,}; 4635 4636 if (sksec->sid == SECINITSID_KERNEL) 4637 return 0; 4638 4639 ad.type = LSM_AUDIT_DATA_NET; 4640 ad.u.net = &net; 4641 ad.u.net->sk = sk; 4642 4643 return avc_has_perm(&selinux_state, 4644 current_sid(), sksec->sid, sksec->sclass, perms, 4645 &ad); 4646 } 4647 4648 static int selinux_socket_create(int family, int type, 4649 int protocol, int kern) 4650 { 4651 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4652 u32 newsid; 4653 u16 secclass; 4654 int rc; 4655 4656 if (kern) 4657 return 0; 4658 4659 secclass = socket_type_to_security_class(family, type, protocol); 4660 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4661 if (rc) 4662 return rc; 4663 4664 return avc_has_perm(&selinux_state, 4665 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4666 } 4667 4668 static int selinux_socket_post_create(struct socket *sock, int family, 4669 int type, int protocol, int kern) 4670 { 4671 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4672 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4673 struct sk_security_struct *sksec; 4674 u16 sclass = socket_type_to_security_class(family, type, protocol); 4675 u32 sid = SECINITSID_KERNEL; 4676 int err = 0; 4677 4678 if (!kern) { 4679 err = socket_sockcreate_sid(tsec, sclass, &sid); 4680 if (err) 4681 return err; 4682 } 4683 4684 isec->sclass = sclass; 4685 isec->sid = sid; 4686 isec->initialized = LABEL_INITIALIZED; 4687 4688 if (sock->sk) { 4689 sksec = sock->sk->sk_security; 4690 sksec->sclass = sclass; 4691 sksec->sid = sid; 4692 /* Allows detection of the first association on this socket */ 4693 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4694 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4695 4696 err = selinux_netlbl_socket_post_create(sock->sk, family); 4697 } 4698 4699 return err; 4700 } 4701 4702 static int selinux_socket_socketpair(struct socket *socka, 4703 struct socket *sockb) 4704 { 4705 struct sk_security_struct *sksec_a = socka->sk->sk_security; 4706 struct sk_security_struct *sksec_b = sockb->sk->sk_security; 4707 4708 sksec_a->peer_sid = sksec_b->sid; 4709 sksec_b->peer_sid = sksec_a->sid; 4710 4711 return 0; 4712 } 4713 4714 /* Range of port numbers used to automatically bind. 4715 Need to determine whether we should perform a name_bind 4716 permission check between the socket and the port number. */ 4717 4718 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4719 { 4720 struct sock *sk = sock->sk; 4721 struct sk_security_struct *sksec = sk->sk_security; 4722 u16 family; 4723 int err; 4724 4725 err = sock_has_perm(sk, SOCKET__BIND); 4726 if (err) 4727 goto out; 4728 4729 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4730 family = sk->sk_family; 4731 if (family == PF_INET || family == PF_INET6) { 4732 char *addrp; 4733 struct common_audit_data ad; 4734 struct lsm_network_audit net = {0,}; 4735 struct sockaddr_in *addr4 = NULL; 4736 struct sockaddr_in6 *addr6 = NULL; 4737 u16 family_sa; 4738 unsigned short snum; 4739 u32 sid, node_perm; 4740 4741 /* 4742 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4743 * that validates multiple binding addresses. Because of this 4744 * need to check address->sa_family as it is possible to have 4745 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4746 */ 4747 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4748 return -EINVAL; 4749 family_sa = address->sa_family; 4750 switch (family_sa) { 4751 case AF_UNSPEC: 4752 case AF_INET: 4753 if (addrlen < sizeof(struct sockaddr_in)) 4754 return -EINVAL; 4755 addr4 = (struct sockaddr_in *)address; 4756 if (family_sa == AF_UNSPEC) { 4757 /* see __inet_bind(), we only want to allow 4758 * AF_UNSPEC if the address is INADDR_ANY 4759 */ 4760 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4761 goto err_af; 4762 family_sa = AF_INET; 4763 } 4764 snum = ntohs(addr4->sin_port); 4765 addrp = (char *)&addr4->sin_addr.s_addr; 4766 break; 4767 case AF_INET6: 4768 if (addrlen < SIN6_LEN_RFC2133) 4769 return -EINVAL; 4770 addr6 = (struct sockaddr_in6 *)address; 4771 snum = ntohs(addr6->sin6_port); 4772 addrp = (char *)&addr6->sin6_addr.s6_addr; 4773 break; 4774 default: 4775 goto err_af; 4776 } 4777 4778 ad.type = LSM_AUDIT_DATA_NET; 4779 ad.u.net = &net; 4780 ad.u.net->sport = htons(snum); 4781 ad.u.net->family = family_sa; 4782 4783 if (snum) { 4784 int low, high; 4785 4786 inet_get_local_port_range(sock_net(sk), &low, &high); 4787 4788 if (inet_port_requires_bind_service(sock_net(sk), snum) || 4789 snum < low || snum > high) { 4790 err = sel_netport_sid(sk->sk_protocol, 4791 snum, &sid); 4792 if (err) 4793 goto out; 4794 err = avc_has_perm(&selinux_state, 4795 sksec->sid, sid, 4796 sksec->sclass, 4797 SOCKET__NAME_BIND, &ad); 4798 if (err) 4799 goto out; 4800 } 4801 } 4802 4803 switch (sksec->sclass) { 4804 case SECCLASS_TCP_SOCKET: 4805 node_perm = TCP_SOCKET__NODE_BIND; 4806 break; 4807 4808 case SECCLASS_UDP_SOCKET: 4809 node_perm = UDP_SOCKET__NODE_BIND; 4810 break; 4811 4812 case SECCLASS_DCCP_SOCKET: 4813 node_perm = DCCP_SOCKET__NODE_BIND; 4814 break; 4815 4816 case SECCLASS_SCTP_SOCKET: 4817 node_perm = SCTP_SOCKET__NODE_BIND; 4818 break; 4819 4820 default: 4821 node_perm = RAWIP_SOCKET__NODE_BIND; 4822 break; 4823 } 4824 4825 err = sel_netnode_sid(addrp, family_sa, &sid); 4826 if (err) 4827 goto out; 4828 4829 if (family_sa == AF_INET) 4830 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4831 else 4832 ad.u.net->v6info.saddr = addr6->sin6_addr; 4833 4834 err = avc_has_perm(&selinux_state, 4835 sksec->sid, sid, 4836 sksec->sclass, node_perm, &ad); 4837 if (err) 4838 goto out; 4839 } 4840 out: 4841 return err; 4842 err_af: 4843 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4844 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4845 return -EINVAL; 4846 return -EAFNOSUPPORT; 4847 } 4848 4849 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 4850 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst 4851 */ 4852 static int selinux_socket_connect_helper(struct socket *sock, 4853 struct sockaddr *address, int addrlen) 4854 { 4855 struct sock *sk = sock->sk; 4856 struct sk_security_struct *sksec = sk->sk_security; 4857 int err; 4858 4859 err = sock_has_perm(sk, SOCKET__CONNECT); 4860 if (err) 4861 return err; 4862 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4863 return -EINVAL; 4864 4865 /* connect(AF_UNSPEC) has special handling, as it is a documented 4866 * way to disconnect the socket 4867 */ 4868 if (address->sa_family == AF_UNSPEC) 4869 return 0; 4870 4871 /* 4872 * If a TCP, DCCP or SCTP socket, check name_connect permission 4873 * for the port. 4874 */ 4875 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4876 sksec->sclass == SECCLASS_DCCP_SOCKET || 4877 sksec->sclass == SECCLASS_SCTP_SOCKET) { 4878 struct common_audit_data ad; 4879 struct lsm_network_audit net = {0,}; 4880 struct sockaddr_in *addr4 = NULL; 4881 struct sockaddr_in6 *addr6 = NULL; 4882 unsigned short snum; 4883 u32 sid, perm; 4884 4885 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 4886 * that validates multiple connect addresses. Because of this 4887 * need to check address->sa_family as it is possible to have 4888 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4889 */ 4890 switch (address->sa_family) { 4891 case AF_INET: 4892 addr4 = (struct sockaddr_in *)address; 4893 if (addrlen < sizeof(struct sockaddr_in)) 4894 return -EINVAL; 4895 snum = ntohs(addr4->sin_port); 4896 break; 4897 case AF_INET6: 4898 addr6 = (struct sockaddr_in6 *)address; 4899 if (addrlen < SIN6_LEN_RFC2133) 4900 return -EINVAL; 4901 snum = ntohs(addr6->sin6_port); 4902 break; 4903 default: 4904 /* Note that SCTP services expect -EINVAL, whereas 4905 * others expect -EAFNOSUPPORT. 4906 */ 4907 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4908 return -EINVAL; 4909 else 4910 return -EAFNOSUPPORT; 4911 } 4912 4913 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4914 if (err) 4915 return err; 4916 4917 switch (sksec->sclass) { 4918 case SECCLASS_TCP_SOCKET: 4919 perm = TCP_SOCKET__NAME_CONNECT; 4920 break; 4921 case SECCLASS_DCCP_SOCKET: 4922 perm = DCCP_SOCKET__NAME_CONNECT; 4923 break; 4924 case SECCLASS_SCTP_SOCKET: 4925 perm = SCTP_SOCKET__NAME_CONNECT; 4926 break; 4927 } 4928 4929 ad.type = LSM_AUDIT_DATA_NET; 4930 ad.u.net = &net; 4931 ad.u.net->dport = htons(snum); 4932 ad.u.net->family = address->sa_family; 4933 err = avc_has_perm(&selinux_state, 4934 sksec->sid, sid, sksec->sclass, perm, &ad); 4935 if (err) 4936 return err; 4937 } 4938 4939 return 0; 4940 } 4941 4942 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 4943 static int selinux_socket_connect(struct socket *sock, 4944 struct sockaddr *address, int addrlen) 4945 { 4946 int err; 4947 struct sock *sk = sock->sk; 4948 4949 err = selinux_socket_connect_helper(sock, address, addrlen); 4950 if (err) 4951 return err; 4952 4953 return selinux_netlbl_socket_connect(sk, address); 4954 } 4955 4956 static int selinux_socket_listen(struct socket *sock, int backlog) 4957 { 4958 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4959 } 4960 4961 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4962 { 4963 int err; 4964 struct inode_security_struct *isec; 4965 struct inode_security_struct *newisec; 4966 u16 sclass; 4967 u32 sid; 4968 4969 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4970 if (err) 4971 return err; 4972 4973 isec = inode_security_novalidate(SOCK_INODE(sock)); 4974 spin_lock(&isec->lock); 4975 sclass = isec->sclass; 4976 sid = isec->sid; 4977 spin_unlock(&isec->lock); 4978 4979 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4980 newisec->sclass = sclass; 4981 newisec->sid = sid; 4982 newisec->initialized = LABEL_INITIALIZED; 4983 4984 return 0; 4985 } 4986 4987 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4988 int size) 4989 { 4990 return sock_has_perm(sock->sk, SOCKET__WRITE); 4991 } 4992 4993 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4994 int size, int flags) 4995 { 4996 return sock_has_perm(sock->sk, SOCKET__READ); 4997 } 4998 4999 static int selinux_socket_getsockname(struct socket *sock) 5000 { 5001 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5002 } 5003 5004 static int selinux_socket_getpeername(struct socket *sock) 5005 { 5006 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5007 } 5008 5009 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 5010 { 5011 int err; 5012 5013 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 5014 if (err) 5015 return err; 5016 5017 return selinux_netlbl_socket_setsockopt(sock, level, optname); 5018 } 5019 5020 static int selinux_socket_getsockopt(struct socket *sock, int level, 5021 int optname) 5022 { 5023 return sock_has_perm(sock->sk, SOCKET__GETOPT); 5024 } 5025 5026 static int selinux_socket_shutdown(struct socket *sock, int how) 5027 { 5028 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 5029 } 5030 5031 static int selinux_socket_unix_stream_connect(struct sock *sock, 5032 struct sock *other, 5033 struct sock *newsk) 5034 { 5035 struct sk_security_struct *sksec_sock = sock->sk_security; 5036 struct sk_security_struct *sksec_other = other->sk_security; 5037 struct sk_security_struct *sksec_new = newsk->sk_security; 5038 struct common_audit_data ad; 5039 struct lsm_network_audit net = {0,}; 5040 int err; 5041 5042 ad.type = LSM_AUDIT_DATA_NET; 5043 ad.u.net = &net; 5044 ad.u.net->sk = other; 5045 5046 err = avc_has_perm(&selinux_state, 5047 sksec_sock->sid, sksec_other->sid, 5048 sksec_other->sclass, 5049 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 5050 if (err) 5051 return err; 5052 5053 /* server child socket */ 5054 sksec_new->peer_sid = sksec_sock->sid; 5055 err = security_sid_mls_copy(&selinux_state, sksec_other->sid, 5056 sksec_sock->sid, &sksec_new->sid); 5057 if (err) 5058 return err; 5059 5060 /* connecting socket */ 5061 sksec_sock->peer_sid = sksec_new->sid; 5062 5063 return 0; 5064 } 5065 5066 static int selinux_socket_unix_may_send(struct socket *sock, 5067 struct socket *other) 5068 { 5069 struct sk_security_struct *ssec = sock->sk->sk_security; 5070 struct sk_security_struct *osec = other->sk->sk_security; 5071 struct common_audit_data ad; 5072 struct lsm_network_audit net = {0,}; 5073 5074 ad.type = LSM_AUDIT_DATA_NET; 5075 ad.u.net = &net; 5076 ad.u.net->sk = other->sk; 5077 5078 return avc_has_perm(&selinux_state, 5079 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 5080 &ad); 5081 } 5082 5083 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 5084 char *addrp, u16 family, u32 peer_sid, 5085 struct common_audit_data *ad) 5086 { 5087 int err; 5088 u32 if_sid; 5089 u32 node_sid; 5090 5091 err = sel_netif_sid(ns, ifindex, &if_sid); 5092 if (err) 5093 return err; 5094 err = avc_has_perm(&selinux_state, 5095 peer_sid, if_sid, 5096 SECCLASS_NETIF, NETIF__INGRESS, ad); 5097 if (err) 5098 return err; 5099 5100 err = sel_netnode_sid(addrp, family, &node_sid); 5101 if (err) 5102 return err; 5103 return avc_has_perm(&selinux_state, 5104 peer_sid, node_sid, 5105 SECCLASS_NODE, NODE__RECVFROM, ad); 5106 } 5107 5108 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 5109 u16 family) 5110 { 5111 int err = 0; 5112 struct sk_security_struct *sksec = sk->sk_security; 5113 u32 sk_sid = sksec->sid; 5114 struct common_audit_data ad; 5115 struct lsm_network_audit net = {0,}; 5116 char *addrp; 5117 5118 ad.type = LSM_AUDIT_DATA_NET; 5119 ad.u.net = &net; 5120 ad.u.net->netif = skb->skb_iif; 5121 ad.u.net->family = family; 5122 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5123 if (err) 5124 return err; 5125 5126 if (selinux_secmark_enabled()) { 5127 err = avc_has_perm(&selinux_state, 5128 sk_sid, skb->secmark, SECCLASS_PACKET, 5129 PACKET__RECV, &ad); 5130 if (err) 5131 return err; 5132 } 5133 5134 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 5135 if (err) 5136 return err; 5137 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 5138 5139 return err; 5140 } 5141 5142 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 5143 { 5144 int err; 5145 struct sk_security_struct *sksec = sk->sk_security; 5146 u16 family = sk->sk_family; 5147 u32 sk_sid = sksec->sid; 5148 struct common_audit_data ad; 5149 struct lsm_network_audit net = {0,}; 5150 char *addrp; 5151 u8 secmark_active; 5152 u8 peerlbl_active; 5153 5154 if (family != PF_INET && family != PF_INET6) 5155 return 0; 5156 5157 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5158 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5159 family = PF_INET; 5160 5161 /* If any sort of compatibility mode is enabled then handoff processing 5162 * to the selinux_sock_rcv_skb_compat() function to deal with the 5163 * special handling. We do this in an attempt to keep this function 5164 * as fast and as clean as possible. */ 5165 if (!selinux_policycap_netpeer()) 5166 return selinux_sock_rcv_skb_compat(sk, skb, family); 5167 5168 secmark_active = selinux_secmark_enabled(); 5169 peerlbl_active = selinux_peerlbl_enabled(); 5170 if (!secmark_active && !peerlbl_active) 5171 return 0; 5172 5173 ad.type = LSM_AUDIT_DATA_NET; 5174 ad.u.net = &net; 5175 ad.u.net->netif = skb->skb_iif; 5176 ad.u.net->family = family; 5177 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5178 if (err) 5179 return err; 5180 5181 if (peerlbl_active) { 5182 u32 peer_sid; 5183 5184 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5185 if (err) 5186 return err; 5187 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5188 addrp, family, peer_sid, &ad); 5189 if (err) { 5190 selinux_netlbl_err(skb, family, err, 0); 5191 return err; 5192 } 5193 err = avc_has_perm(&selinux_state, 5194 sk_sid, peer_sid, SECCLASS_PEER, 5195 PEER__RECV, &ad); 5196 if (err) { 5197 selinux_netlbl_err(skb, family, err, 0); 5198 return err; 5199 } 5200 } 5201 5202 if (secmark_active) { 5203 err = avc_has_perm(&selinux_state, 5204 sk_sid, skb->secmark, SECCLASS_PACKET, 5205 PACKET__RECV, &ad); 5206 if (err) 5207 return err; 5208 } 5209 5210 return err; 5211 } 5212 5213 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 5214 int __user *optlen, unsigned len) 5215 { 5216 int err = 0; 5217 char *scontext; 5218 u32 scontext_len; 5219 struct sk_security_struct *sksec = sock->sk->sk_security; 5220 u32 peer_sid = SECSID_NULL; 5221 5222 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5223 sksec->sclass == SECCLASS_TCP_SOCKET || 5224 sksec->sclass == SECCLASS_SCTP_SOCKET) 5225 peer_sid = sksec->peer_sid; 5226 if (peer_sid == SECSID_NULL) 5227 return -ENOPROTOOPT; 5228 5229 err = security_sid_to_context(&selinux_state, peer_sid, &scontext, 5230 &scontext_len); 5231 if (err) 5232 return err; 5233 5234 if (scontext_len > len) { 5235 err = -ERANGE; 5236 goto out_len; 5237 } 5238 5239 if (copy_to_user(optval, scontext, scontext_len)) 5240 err = -EFAULT; 5241 5242 out_len: 5243 if (put_user(scontext_len, optlen)) 5244 err = -EFAULT; 5245 kfree(scontext); 5246 return err; 5247 } 5248 5249 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 5250 { 5251 u32 peer_secid = SECSID_NULL; 5252 u16 family; 5253 struct inode_security_struct *isec; 5254 5255 if (skb && skb->protocol == htons(ETH_P_IP)) 5256 family = PF_INET; 5257 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5258 family = PF_INET6; 5259 else if (sock) 5260 family = sock->sk->sk_family; 5261 else 5262 goto out; 5263 5264 if (sock && family == PF_UNIX) { 5265 isec = inode_security_novalidate(SOCK_INODE(sock)); 5266 peer_secid = isec->sid; 5267 } else if (skb) 5268 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5269 5270 out: 5271 *secid = peer_secid; 5272 if (peer_secid == SECSID_NULL) 5273 return -EINVAL; 5274 return 0; 5275 } 5276 5277 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5278 { 5279 struct sk_security_struct *sksec; 5280 5281 sksec = kzalloc(sizeof(*sksec), priority); 5282 if (!sksec) 5283 return -ENOMEM; 5284 5285 sksec->peer_sid = SECINITSID_UNLABELED; 5286 sksec->sid = SECINITSID_UNLABELED; 5287 sksec->sclass = SECCLASS_SOCKET; 5288 selinux_netlbl_sk_security_reset(sksec); 5289 sk->sk_security = sksec; 5290 5291 return 0; 5292 } 5293 5294 static void selinux_sk_free_security(struct sock *sk) 5295 { 5296 struct sk_security_struct *sksec = sk->sk_security; 5297 5298 sk->sk_security = NULL; 5299 selinux_netlbl_sk_security_free(sksec); 5300 kfree(sksec); 5301 } 5302 5303 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5304 { 5305 struct sk_security_struct *sksec = sk->sk_security; 5306 struct sk_security_struct *newsksec = newsk->sk_security; 5307 5308 newsksec->sid = sksec->sid; 5309 newsksec->peer_sid = sksec->peer_sid; 5310 newsksec->sclass = sksec->sclass; 5311 5312 selinux_netlbl_sk_security_reset(newsksec); 5313 } 5314 5315 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 5316 { 5317 if (!sk) 5318 *secid = SECINITSID_ANY_SOCKET; 5319 else { 5320 struct sk_security_struct *sksec = sk->sk_security; 5321 5322 *secid = sksec->sid; 5323 } 5324 } 5325 5326 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5327 { 5328 struct inode_security_struct *isec = 5329 inode_security_novalidate(SOCK_INODE(parent)); 5330 struct sk_security_struct *sksec = sk->sk_security; 5331 5332 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5333 sk->sk_family == PF_UNIX) 5334 isec->sid = sksec->sid; 5335 sksec->sclass = isec->sclass; 5336 } 5337 5338 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming 5339 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association 5340 * already present). 5341 */ 5342 static int selinux_sctp_assoc_request(struct sctp_association *asoc, 5343 struct sk_buff *skb) 5344 { 5345 struct sk_security_struct *sksec = asoc->base.sk->sk_security; 5346 struct common_audit_data ad; 5347 struct lsm_network_audit net = {0,}; 5348 u8 peerlbl_active; 5349 u32 peer_sid = SECINITSID_UNLABELED; 5350 u32 conn_sid; 5351 int err = 0; 5352 5353 if (!selinux_policycap_extsockclass()) 5354 return 0; 5355 5356 peerlbl_active = selinux_peerlbl_enabled(); 5357 5358 if (peerlbl_active) { 5359 /* This will return peer_sid = SECSID_NULL if there are 5360 * no peer labels, see security_net_peersid_resolve(). 5361 */ 5362 err = selinux_skb_peerlbl_sid(skb, asoc->base.sk->sk_family, 5363 &peer_sid); 5364 if (err) 5365 return err; 5366 5367 if (peer_sid == SECSID_NULL) 5368 peer_sid = SECINITSID_UNLABELED; 5369 } 5370 5371 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5372 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5373 5374 /* Here as first association on socket. As the peer SID 5375 * was allowed by peer recv (and the netif/node checks), 5376 * then it is approved by policy and used as the primary 5377 * peer SID for getpeercon(3). 5378 */ 5379 sksec->peer_sid = peer_sid; 5380 } else if (sksec->peer_sid != peer_sid) { 5381 /* Other association peer SIDs are checked to enforce 5382 * consistency among the peer SIDs. 5383 */ 5384 ad.type = LSM_AUDIT_DATA_NET; 5385 ad.u.net = &net; 5386 ad.u.net->sk = asoc->base.sk; 5387 err = avc_has_perm(&selinux_state, 5388 sksec->peer_sid, peer_sid, sksec->sclass, 5389 SCTP_SOCKET__ASSOCIATION, &ad); 5390 if (err) 5391 return err; 5392 } 5393 5394 /* Compute the MLS component for the connection and store 5395 * the information in asoc. This will be used by SCTP TCP type 5396 * sockets and peeled off connections as they cause a new 5397 * socket to be generated. selinux_sctp_sk_clone() will then 5398 * plug this into the new socket. 5399 */ 5400 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid); 5401 if (err) 5402 return err; 5403 5404 asoc->secid = conn_sid; 5405 asoc->peer_secid = peer_sid; 5406 5407 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5408 return selinux_netlbl_sctp_assoc_request(asoc, skb); 5409 } 5410 5411 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5412 * based on their @optname. 5413 */ 5414 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5415 struct sockaddr *address, 5416 int addrlen) 5417 { 5418 int len, err = 0, walk_size = 0; 5419 void *addr_buf; 5420 struct sockaddr *addr; 5421 struct socket *sock; 5422 5423 if (!selinux_policycap_extsockclass()) 5424 return 0; 5425 5426 /* Process one or more addresses that may be IPv4 or IPv6 */ 5427 sock = sk->sk_socket; 5428 addr_buf = address; 5429 5430 while (walk_size < addrlen) { 5431 if (walk_size + sizeof(sa_family_t) > addrlen) 5432 return -EINVAL; 5433 5434 addr = addr_buf; 5435 switch (addr->sa_family) { 5436 case AF_UNSPEC: 5437 case AF_INET: 5438 len = sizeof(struct sockaddr_in); 5439 break; 5440 case AF_INET6: 5441 len = sizeof(struct sockaddr_in6); 5442 break; 5443 default: 5444 return -EINVAL; 5445 } 5446 5447 if (walk_size + len > addrlen) 5448 return -EINVAL; 5449 5450 err = -EINVAL; 5451 switch (optname) { 5452 /* Bind checks */ 5453 case SCTP_PRIMARY_ADDR: 5454 case SCTP_SET_PEER_PRIMARY_ADDR: 5455 case SCTP_SOCKOPT_BINDX_ADD: 5456 err = selinux_socket_bind(sock, addr, len); 5457 break; 5458 /* Connect checks */ 5459 case SCTP_SOCKOPT_CONNECTX: 5460 case SCTP_PARAM_SET_PRIMARY: 5461 case SCTP_PARAM_ADD_IP: 5462 case SCTP_SENDMSG_CONNECT: 5463 err = selinux_socket_connect_helper(sock, addr, len); 5464 if (err) 5465 return err; 5466 5467 /* As selinux_sctp_bind_connect() is called by the 5468 * SCTP protocol layer, the socket is already locked, 5469 * therefore selinux_netlbl_socket_connect_locked() 5470 * is called here. The situations handled are: 5471 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5472 * whenever a new IP address is added or when a new 5473 * primary address is selected. 5474 * Note that an SCTP connect(2) call happens before 5475 * the SCTP protocol layer and is handled via 5476 * selinux_socket_connect(). 5477 */ 5478 err = selinux_netlbl_socket_connect_locked(sk, addr); 5479 break; 5480 } 5481 5482 if (err) 5483 return err; 5484 5485 addr_buf += len; 5486 walk_size += len; 5487 } 5488 5489 return 0; 5490 } 5491 5492 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5493 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, 5494 struct sock *newsk) 5495 { 5496 struct sk_security_struct *sksec = sk->sk_security; 5497 struct sk_security_struct *newsksec = newsk->sk_security; 5498 5499 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5500 * the non-sctp clone version. 5501 */ 5502 if (!selinux_policycap_extsockclass()) 5503 return selinux_sk_clone_security(sk, newsk); 5504 5505 newsksec->sid = asoc->secid; 5506 newsksec->peer_sid = asoc->peer_secid; 5507 newsksec->sclass = sksec->sclass; 5508 selinux_netlbl_sctp_sk_clone(sk, newsk); 5509 } 5510 5511 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 5512 struct request_sock *req) 5513 { 5514 struct sk_security_struct *sksec = sk->sk_security; 5515 int err; 5516 u16 family = req->rsk_ops->family; 5517 u32 connsid; 5518 u32 peersid; 5519 5520 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5521 if (err) 5522 return err; 5523 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5524 if (err) 5525 return err; 5526 req->secid = connsid; 5527 req->peer_secid = peersid; 5528 5529 return selinux_netlbl_inet_conn_request(req, family); 5530 } 5531 5532 static void selinux_inet_csk_clone(struct sock *newsk, 5533 const struct request_sock *req) 5534 { 5535 struct sk_security_struct *newsksec = newsk->sk_security; 5536 5537 newsksec->sid = req->secid; 5538 newsksec->peer_sid = req->peer_secid; 5539 /* NOTE: Ideally, we should also get the isec->sid for the 5540 new socket in sync, but we don't have the isec available yet. 5541 So we will wait until sock_graft to do it, by which 5542 time it will have been created and available. */ 5543 5544 /* We don't need to take any sort of lock here as we are the only 5545 * thread with access to newsksec */ 5546 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5547 } 5548 5549 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5550 { 5551 u16 family = sk->sk_family; 5552 struct sk_security_struct *sksec = sk->sk_security; 5553 5554 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5555 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5556 family = PF_INET; 5557 5558 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5559 } 5560 5561 static int selinux_secmark_relabel_packet(u32 sid) 5562 { 5563 const struct task_security_struct *__tsec; 5564 u32 tsid; 5565 5566 __tsec = selinux_cred(current_cred()); 5567 tsid = __tsec->sid; 5568 5569 return avc_has_perm(&selinux_state, 5570 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, 5571 NULL); 5572 } 5573 5574 static void selinux_secmark_refcount_inc(void) 5575 { 5576 atomic_inc(&selinux_secmark_refcount); 5577 } 5578 5579 static void selinux_secmark_refcount_dec(void) 5580 { 5581 atomic_dec(&selinux_secmark_refcount); 5582 } 5583 5584 static void selinux_req_classify_flow(const struct request_sock *req, 5585 struct flowi_common *flic) 5586 { 5587 flic->flowic_secid = req->secid; 5588 } 5589 5590 static int selinux_tun_dev_alloc_security(void **security) 5591 { 5592 struct tun_security_struct *tunsec; 5593 5594 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5595 if (!tunsec) 5596 return -ENOMEM; 5597 tunsec->sid = current_sid(); 5598 5599 *security = tunsec; 5600 return 0; 5601 } 5602 5603 static void selinux_tun_dev_free_security(void *security) 5604 { 5605 kfree(security); 5606 } 5607 5608 static int selinux_tun_dev_create(void) 5609 { 5610 u32 sid = current_sid(); 5611 5612 /* we aren't taking into account the "sockcreate" SID since the socket 5613 * that is being created here is not a socket in the traditional sense, 5614 * instead it is a private sock, accessible only to the kernel, and 5615 * representing a wide range of network traffic spanning multiple 5616 * connections unlike traditional sockets - check the TUN driver to 5617 * get a better understanding of why this socket is special */ 5618 5619 return avc_has_perm(&selinux_state, 5620 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5621 NULL); 5622 } 5623 5624 static int selinux_tun_dev_attach_queue(void *security) 5625 { 5626 struct tun_security_struct *tunsec = security; 5627 5628 return avc_has_perm(&selinux_state, 5629 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5630 TUN_SOCKET__ATTACH_QUEUE, NULL); 5631 } 5632 5633 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5634 { 5635 struct tun_security_struct *tunsec = security; 5636 struct sk_security_struct *sksec = sk->sk_security; 5637 5638 /* we don't currently perform any NetLabel based labeling here and it 5639 * isn't clear that we would want to do so anyway; while we could apply 5640 * labeling without the support of the TUN user the resulting labeled 5641 * traffic from the other end of the connection would almost certainly 5642 * cause confusion to the TUN user that had no idea network labeling 5643 * protocols were being used */ 5644 5645 sksec->sid = tunsec->sid; 5646 sksec->sclass = SECCLASS_TUN_SOCKET; 5647 5648 return 0; 5649 } 5650 5651 static int selinux_tun_dev_open(void *security) 5652 { 5653 struct tun_security_struct *tunsec = security; 5654 u32 sid = current_sid(); 5655 int err; 5656 5657 err = avc_has_perm(&selinux_state, 5658 sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5659 TUN_SOCKET__RELABELFROM, NULL); 5660 if (err) 5661 return err; 5662 err = avc_has_perm(&selinux_state, 5663 sid, sid, SECCLASS_TUN_SOCKET, 5664 TUN_SOCKET__RELABELTO, NULL); 5665 if (err) 5666 return err; 5667 tunsec->sid = sid; 5668 5669 return 0; 5670 } 5671 5672 #ifdef CONFIG_NETFILTER 5673 5674 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb, 5675 const struct nf_hook_state *state) 5676 { 5677 int ifindex; 5678 u16 family; 5679 char *addrp; 5680 u32 peer_sid; 5681 struct common_audit_data ad; 5682 struct lsm_network_audit net = {0,}; 5683 int secmark_active, peerlbl_active; 5684 5685 if (!selinux_policycap_netpeer()) 5686 return NF_ACCEPT; 5687 5688 secmark_active = selinux_secmark_enabled(); 5689 peerlbl_active = selinux_peerlbl_enabled(); 5690 if (!secmark_active && !peerlbl_active) 5691 return NF_ACCEPT; 5692 5693 family = state->pf; 5694 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5695 return NF_DROP; 5696 5697 ifindex = state->in->ifindex; 5698 ad.type = LSM_AUDIT_DATA_NET; 5699 ad.u.net = &net; 5700 ad.u.net->netif = ifindex; 5701 ad.u.net->family = family; 5702 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5703 return NF_DROP; 5704 5705 if (peerlbl_active) { 5706 int err; 5707 5708 err = selinux_inet_sys_rcv_skb(state->net, ifindex, 5709 addrp, family, peer_sid, &ad); 5710 if (err) { 5711 selinux_netlbl_err(skb, family, err, 1); 5712 return NF_DROP; 5713 } 5714 } 5715 5716 if (secmark_active) 5717 if (avc_has_perm(&selinux_state, 5718 peer_sid, skb->secmark, 5719 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5720 return NF_DROP; 5721 5722 if (netlbl_enabled()) 5723 /* we do this in the FORWARD path and not the POST_ROUTING 5724 * path because we want to make sure we apply the necessary 5725 * labeling before IPsec is applied so we can leverage AH 5726 * protection */ 5727 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5728 return NF_DROP; 5729 5730 return NF_ACCEPT; 5731 } 5732 5733 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb, 5734 const struct nf_hook_state *state) 5735 { 5736 struct sock *sk; 5737 u32 sid; 5738 5739 if (!netlbl_enabled()) 5740 return NF_ACCEPT; 5741 5742 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5743 * because we want to make sure we apply the necessary labeling 5744 * before IPsec is applied so we can leverage AH protection */ 5745 sk = skb->sk; 5746 if (sk) { 5747 struct sk_security_struct *sksec; 5748 5749 if (sk_listener(sk)) 5750 /* if the socket is the listening state then this 5751 * packet is a SYN-ACK packet which means it needs to 5752 * be labeled based on the connection/request_sock and 5753 * not the parent socket. unfortunately, we can't 5754 * lookup the request_sock yet as it isn't queued on 5755 * the parent socket until after the SYN-ACK is sent. 5756 * the "solution" is to simply pass the packet as-is 5757 * as any IP option based labeling should be copied 5758 * from the initial connection request (in the IP 5759 * layer). it is far from ideal, but until we get a 5760 * security label in the packet itself this is the 5761 * best we can do. */ 5762 return NF_ACCEPT; 5763 5764 /* standard practice, label using the parent socket */ 5765 sksec = sk->sk_security; 5766 sid = sksec->sid; 5767 } else 5768 sid = SECINITSID_KERNEL; 5769 if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0) 5770 return NF_DROP; 5771 5772 return NF_ACCEPT; 5773 } 5774 5775 5776 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5777 const struct nf_hook_state *state) 5778 { 5779 struct sock *sk; 5780 struct sk_security_struct *sksec; 5781 struct common_audit_data ad; 5782 struct lsm_network_audit net = {0,}; 5783 u8 proto; 5784 5785 sk = skb_to_full_sk(skb); 5786 if (sk == NULL) 5787 return NF_ACCEPT; 5788 sksec = sk->sk_security; 5789 5790 ad.type = LSM_AUDIT_DATA_NET; 5791 ad.u.net = &net; 5792 ad.u.net->netif = state->out->ifindex; 5793 ad.u.net->family = state->pf; 5794 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto)) 5795 return NF_DROP; 5796 5797 if (selinux_secmark_enabled()) 5798 if (avc_has_perm(&selinux_state, 5799 sksec->sid, skb->secmark, 5800 SECCLASS_PACKET, PACKET__SEND, &ad)) 5801 return NF_DROP_ERR(-ECONNREFUSED); 5802 5803 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5804 return NF_DROP_ERR(-ECONNREFUSED); 5805 5806 return NF_ACCEPT; 5807 } 5808 5809 static unsigned int selinux_ip_postroute(void *priv, 5810 struct sk_buff *skb, 5811 const struct nf_hook_state *state) 5812 { 5813 u16 family; 5814 u32 secmark_perm; 5815 u32 peer_sid; 5816 int ifindex; 5817 struct sock *sk; 5818 struct common_audit_data ad; 5819 struct lsm_network_audit net = {0,}; 5820 char *addrp; 5821 int secmark_active, peerlbl_active; 5822 5823 /* If any sort of compatibility mode is enabled then handoff processing 5824 * to the selinux_ip_postroute_compat() function to deal with the 5825 * special handling. We do this in an attempt to keep this function 5826 * as fast and as clean as possible. */ 5827 if (!selinux_policycap_netpeer()) 5828 return selinux_ip_postroute_compat(skb, state); 5829 5830 secmark_active = selinux_secmark_enabled(); 5831 peerlbl_active = selinux_peerlbl_enabled(); 5832 if (!secmark_active && !peerlbl_active) 5833 return NF_ACCEPT; 5834 5835 sk = skb_to_full_sk(skb); 5836 5837 #ifdef CONFIG_XFRM 5838 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5839 * packet transformation so allow the packet to pass without any checks 5840 * since we'll have another chance to perform access control checks 5841 * when the packet is on it's final way out. 5842 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5843 * is NULL, in this case go ahead and apply access control. 5844 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5845 * TCP listening state we cannot wait until the XFRM processing 5846 * is done as we will miss out on the SA label if we do; 5847 * unfortunately, this means more work, but it is only once per 5848 * connection. */ 5849 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5850 !(sk && sk_listener(sk))) 5851 return NF_ACCEPT; 5852 #endif 5853 5854 family = state->pf; 5855 if (sk == NULL) { 5856 /* Without an associated socket the packet is either coming 5857 * from the kernel or it is being forwarded; check the packet 5858 * to determine which and if the packet is being forwarded 5859 * query the packet directly to determine the security label. */ 5860 if (skb->skb_iif) { 5861 secmark_perm = PACKET__FORWARD_OUT; 5862 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5863 return NF_DROP; 5864 } else { 5865 secmark_perm = PACKET__SEND; 5866 peer_sid = SECINITSID_KERNEL; 5867 } 5868 } else if (sk_listener(sk)) { 5869 /* Locally generated packet but the associated socket is in the 5870 * listening state which means this is a SYN-ACK packet. In 5871 * this particular case the correct security label is assigned 5872 * to the connection/request_sock but unfortunately we can't 5873 * query the request_sock as it isn't queued on the parent 5874 * socket until after the SYN-ACK packet is sent; the only 5875 * viable choice is to regenerate the label like we do in 5876 * selinux_inet_conn_request(). See also selinux_ip_output() 5877 * for similar problems. */ 5878 u32 skb_sid; 5879 struct sk_security_struct *sksec; 5880 5881 sksec = sk->sk_security; 5882 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5883 return NF_DROP; 5884 /* At this point, if the returned skb peerlbl is SECSID_NULL 5885 * and the packet has been through at least one XFRM 5886 * transformation then we must be dealing with the "final" 5887 * form of labeled IPsec packet; since we've already applied 5888 * all of our access controls on this packet we can safely 5889 * pass the packet. */ 5890 if (skb_sid == SECSID_NULL) { 5891 switch (family) { 5892 case PF_INET: 5893 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5894 return NF_ACCEPT; 5895 break; 5896 case PF_INET6: 5897 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5898 return NF_ACCEPT; 5899 break; 5900 default: 5901 return NF_DROP_ERR(-ECONNREFUSED); 5902 } 5903 } 5904 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5905 return NF_DROP; 5906 secmark_perm = PACKET__SEND; 5907 } else { 5908 /* Locally generated packet, fetch the security label from the 5909 * associated socket. */ 5910 struct sk_security_struct *sksec = sk->sk_security; 5911 peer_sid = sksec->sid; 5912 secmark_perm = PACKET__SEND; 5913 } 5914 5915 ifindex = state->out->ifindex; 5916 ad.type = LSM_AUDIT_DATA_NET; 5917 ad.u.net = &net; 5918 ad.u.net->netif = ifindex; 5919 ad.u.net->family = family; 5920 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5921 return NF_DROP; 5922 5923 if (secmark_active) 5924 if (avc_has_perm(&selinux_state, 5925 peer_sid, skb->secmark, 5926 SECCLASS_PACKET, secmark_perm, &ad)) 5927 return NF_DROP_ERR(-ECONNREFUSED); 5928 5929 if (peerlbl_active) { 5930 u32 if_sid; 5931 u32 node_sid; 5932 5933 if (sel_netif_sid(state->net, ifindex, &if_sid)) 5934 return NF_DROP; 5935 if (avc_has_perm(&selinux_state, 5936 peer_sid, if_sid, 5937 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5938 return NF_DROP_ERR(-ECONNREFUSED); 5939 5940 if (sel_netnode_sid(addrp, family, &node_sid)) 5941 return NF_DROP; 5942 if (avc_has_perm(&selinux_state, 5943 peer_sid, node_sid, 5944 SECCLASS_NODE, NODE__SENDTO, &ad)) 5945 return NF_DROP_ERR(-ECONNREFUSED); 5946 } 5947 5948 return NF_ACCEPT; 5949 } 5950 #endif /* CONFIG_NETFILTER */ 5951 5952 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5953 { 5954 int rc = 0; 5955 unsigned int msg_len; 5956 unsigned int data_len = skb->len; 5957 unsigned char *data = skb->data; 5958 struct nlmsghdr *nlh; 5959 struct sk_security_struct *sksec = sk->sk_security; 5960 u16 sclass = sksec->sclass; 5961 u32 perm; 5962 5963 while (data_len >= nlmsg_total_size(0)) { 5964 nlh = (struct nlmsghdr *)data; 5965 5966 /* NOTE: the nlmsg_len field isn't reliably set by some netlink 5967 * users which means we can't reject skb's with bogus 5968 * length fields; our solution is to follow what 5969 * netlink_rcv_skb() does and simply skip processing at 5970 * messages with length fields that are clearly junk 5971 */ 5972 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len) 5973 return 0; 5974 5975 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm); 5976 if (rc == 0) { 5977 rc = sock_has_perm(sk, perm); 5978 if (rc) 5979 return rc; 5980 } else if (rc == -EINVAL) { 5981 /* -EINVAL is a missing msg/perm mapping */ 5982 pr_warn_ratelimited("SELinux: unrecognized netlink" 5983 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 5984 " pid=%d comm=%s\n", 5985 sk->sk_protocol, nlh->nlmsg_type, 5986 secclass_map[sclass - 1].name, 5987 task_pid_nr(current), current->comm); 5988 if (enforcing_enabled(&selinux_state) && 5989 !security_get_allow_unknown(&selinux_state)) 5990 return rc; 5991 rc = 0; 5992 } else if (rc == -ENOENT) { 5993 /* -ENOENT is a missing socket/class mapping, ignore */ 5994 rc = 0; 5995 } else { 5996 return rc; 5997 } 5998 5999 /* move to the next message after applying netlink padding */ 6000 msg_len = NLMSG_ALIGN(nlh->nlmsg_len); 6001 if (msg_len >= data_len) 6002 return 0; 6003 data_len -= msg_len; 6004 data += msg_len; 6005 } 6006 6007 return rc; 6008 } 6009 6010 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass) 6011 { 6012 isec->sclass = sclass; 6013 isec->sid = current_sid(); 6014 } 6015 6016 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 6017 u32 perms) 6018 { 6019 struct ipc_security_struct *isec; 6020 struct common_audit_data ad; 6021 u32 sid = current_sid(); 6022 6023 isec = selinux_ipc(ipc_perms); 6024 6025 ad.type = LSM_AUDIT_DATA_IPC; 6026 ad.u.ipc_id = ipc_perms->key; 6027 6028 return avc_has_perm(&selinux_state, 6029 sid, isec->sid, isec->sclass, perms, &ad); 6030 } 6031 6032 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 6033 { 6034 struct msg_security_struct *msec; 6035 6036 msec = selinux_msg_msg(msg); 6037 msec->sid = SECINITSID_UNLABELED; 6038 6039 return 0; 6040 } 6041 6042 /* message queue security operations */ 6043 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 6044 { 6045 struct ipc_security_struct *isec; 6046 struct common_audit_data ad; 6047 u32 sid = current_sid(); 6048 int rc; 6049 6050 isec = selinux_ipc(msq); 6051 ipc_init_security(isec, SECCLASS_MSGQ); 6052 6053 ad.type = LSM_AUDIT_DATA_IPC; 6054 ad.u.ipc_id = msq->key; 6055 6056 rc = avc_has_perm(&selinux_state, 6057 sid, isec->sid, SECCLASS_MSGQ, 6058 MSGQ__CREATE, &ad); 6059 return rc; 6060 } 6061 6062 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 6063 { 6064 struct ipc_security_struct *isec; 6065 struct common_audit_data ad; 6066 u32 sid = current_sid(); 6067 6068 isec = selinux_ipc(msq); 6069 6070 ad.type = LSM_AUDIT_DATA_IPC; 6071 ad.u.ipc_id = msq->key; 6072 6073 return avc_has_perm(&selinux_state, 6074 sid, isec->sid, SECCLASS_MSGQ, 6075 MSGQ__ASSOCIATE, &ad); 6076 } 6077 6078 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 6079 { 6080 int err; 6081 int perms; 6082 6083 switch (cmd) { 6084 case IPC_INFO: 6085 case MSG_INFO: 6086 /* No specific object, just general system-wide information. */ 6087 return avc_has_perm(&selinux_state, 6088 current_sid(), SECINITSID_KERNEL, 6089 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6090 case IPC_STAT: 6091 case MSG_STAT: 6092 case MSG_STAT_ANY: 6093 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6094 break; 6095 case IPC_SET: 6096 perms = MSGQ__SETATTR; 6097 break; 6098 case IPC_RMID: 6099 perms = MSGQ__DESTROY; 6100 break; 6101 default: 6102 return 0; 6103 } 6104 6105 err = ipc_has_perm(msq, perms); 6106 return err; 6107 } 6108 6109 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6110 { 6111 struct ipc_security_struct *isec; 6112 struct msg_security_struct *msec; 6113 struct common_audit_data ad; 6114 u32 sid = current_sid(); 6115 int rc; 6116 6117 isec = selinux_ipc(msq); 6118 msec = selinux_msg_msg(msg); 6119 6120 /* 6121 * First time through, need to assign label to the message 6122 */ 6123 if (msec->sid == SECINITSID_UNLABELED) { 6124 /* 6125 * Compute new sid based on current process and 6126 * message queue this message will be stored in 6127 */ 6128 rc = security_transition_sid(&selinux_state, sid, isec->sid, 6129 SECCLASS_MSG, NULL, &msec->sid); 6130 if (rc) 6131 return rc; 6132 } 6133 6134 ad.type = LSM_AUDIT_DATA_IPC; 6135 ad.u.ipc_id = msq->key; 6136 6137 /* Can this process write to the queue? */ 6138 rc = avc_has_perm(&selinux_state, 6139 sid, isec->sid, SECCLASS_MSGQ, 6140 MSGQ__WRITE, &ad); 6141 if (!rc) 6142 /* Can this process send the message */ 6143 rc = avc_has_perm(&selinux_state, 6144 sid, msec->sid, SECCLASS_MSG, 6145 MSG__SEND, &ad); 6146 if (!rc) 6147 /* Can the message be put in the queue? */ 6148 rc = avc_has_perm(&selinux_state, 6149 msec->sid, isec->sid, SECCLASS_MSGQ, 6150 MSGQ__ENQUEUE, &ad); 6151 6152 return rc; 6153 } 6154 6155 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6156 struct task_struct *target, 6157 long type, int mode) 6158 { 6159 struct ipc_security_struct *isec; 6160 struct msg_security_struct *msec; 6161 struct common_audit_data ad; 6162 u32 sid = task_sid_obj(target); 6163 int rc; 6164 6165 isec = selinux_ipc(msq); 6166 msec = selinux_msg_msg(msg); 6167 6168 ad.type = LSM_AUDIT_DATA_IPC; 6169 ad.u.ipc_id = msq->key; 6170 6171 rc = avc_has_perm(&selinux_state, 6172 sid, isec->sid, 6173 SECCLASS_MSGQ, MSGQ__READ, &ad); 6174 if (!rc) 6175 rc = avc_has_perm(&selinux_state, 6176 sid, msec->sid, 6177 SECCLASS_MSG, MSG__RECEIVE, &ad); 6178 return rc; 6179 } 6180 6181 /* Shared Memory security operations */ 6182 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6183 { 6184 struct ipc_security_struct *isec; 6185 struct common_audit_data ad; 6186 u32 sid = current_sid(); 6187 int rc; 6188 6189 isec = selinux_ipc(shp); 6190 ipc_init_security(isec, SECCLASS_SHM); 6191 6192 ad.type = LSM_AUDIT_DATA_IPC; 6193 ad.u.ipc_id = shp->key; 6194 6195 rc = avc_has_perm(&selinux_state, 6196 sid, isec->sid, SECCLASS_SHM, 6197 SHM__CREATE, &ad); 6198 return rc; 6199 } 6200 6201 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6202 { 6203 struct ipc_security_struct *isec; 6204 struct common_audit_data ad; 6205 u32 sid = current_sid(); 6206 6207 isec = selinux_ipc(shp); 6208 6209 ad.type = LSM_AUDIT_DATA_IPC; 6210 ad.u.ipc_id = shp->key; 6211 6212 return avc_has_perm(&selinux_state, 6213 sid, isec->sid, SECCLASS_SHM, 6214 SHM__ASSOCIATE, &ad); 6215 } 6216 6217 /* Note, at this point, shp is locked down */ 6218 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6219 { 6220 int perms; 6221 int err; 6222 6223 switch (cmd) { 6224 case IPC_INFO: 6225 case SHM_INFO: 6226 /* No specific object, just general system-wide information. */ 6227 return avc_has_perm(&selinux_state, 6228 current_sid(), SECINITSID_KERNEL, 6229 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6230 case IPC_STAT: 6231 case SHM_STAT: 6232 case SHM_STAT_ANY: 6233 perms = SHM__GETATTR | SHM__ASSOCIATE; 6234 break; 6235 case IPC_SET: 6236 perms = SHM__SETATTR; 6237 break; 6238 case SHM_LOCK: 6239 case SHM_UNLOCK: 6240 perms = SHM__LOCK; 6241 break; 6242 case IPC_RMID: 6243 perms = SHM__DESTROY; 6244 break; 6245 default: 6246 return 0; 6247 } 6248 6249 err = ipc_has_perm(shp, perms); 6250 return err; 6251 } 6252 6253 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6254 char __user *shmaddr, int shmflg) 6255 { 6256 u32 perms; 6257 6258 if (shmflg & SHM_RDONLY) 6259 perms = SHM__READ; 6260 else 6261 perms = SHM__READ | SHM__WRITE; 6262 6263 return ipc_has_perm(shp, perms); 6264 } 6265 6266 /* Semaphore security operations */ 6267 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6268 { 6269 struct ipc_security_struct *isec; 6270 struct common_audit_data ad; 6271 u32 sid = current_sid(); 6272 int rc; 6273 6274 isec = selinux_ipc(sma); 6275 ipc_init_security(isec, SECCLASS_SEM); 6276 6277 ad.type = LSM_AUDIT_DATA_IPC; 6278 ad.u.ipc_id = sma->key; 6279 6280 rc = avc_has_perm(&selinux_state, 6281 sid, isec->sid, SECCLASS_SEM, 6282 SEM__CREATE, &ad); 6283 return rc; 6284 } 6285 6286 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6287 { 6288 struct ipc_security_struct *isec; 6289 struct common_audit_data ad; 6290 u32 sid = current_sid(); 6291 6292 isec = selinux_ipc(sma); 6293 6294 ad.type = LSM_AUDIT_DATA_IPC; 6295 ad.u.ipc_id = sma->key; 6296 6297 return avc_has_perm(&selinux_state, 6298 sid, isec->sid, SECCLASS_SEM, 6299 SEM__ASSOCIATE, &ad); 6300 } 6301 6302 /* Note, at this point, sma is locked down */ 6303 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6304 { 6305 int err; 6306 u32 perms; 6307 6308 switch (cmd) { 6309 case IPC_INFO: 6310 case SEM_INFO: 6311 /* No specific object, just general system-wide information. */ 6312 return avc_has_perm(&selinux_state, 6313 current_sid(), SECINITSID_KERNEL, 6314 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6315 case GETPID: 6316 case GETNCNT: 6317 case GETZCNT: 6318 perms = SEM__GETATTR; 6319 break; 6320 case GETVAL: 6321 case GETALL: 6322 perms = SEM__READ; 6323 break; 6324 case SETVAL: 6325 case SETALL: 6326 perms = SEM__WRITE; 6327 break; 6328 case IPC_RMID: 6329 perms = SEM__DESTROY; 6330 break; 6331 case IPC_SET: 6332 perms = SEM__SETATTR; 6333 break; 6334 case IPC_STAT: 6335 case SEM_STAT: 6336 case SEM_STAT_ANY: 6337 perms = SEM__GETATTR | SEM__ASSOCIATE; 6338 break; 6339 default: 6340 return 0; 6341 } 6342 6343 err = ipc_has_perm(sma, perms); 6344 return err; 6345 } 6346 6347 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6348 struct sembuf *sops, unsigned nsops, int alter) 6349 { 6350 u32 perms; 6351 6352 if (alter) 6353 perms = SEM__READ | SEM__WRITE; 6354 else 6355 perms = SEM__READ; 6356 6357 return ipc_has_perm(sma, perms); 6358 } 6359 6360 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6361 { 6362 u32 av = 0; 6363 6364 av = 0; 6365 if (flag & S_IRUGO) 6366 av |= IPC__UNIX_READ; 6367 if (flag & S_IWUGO) 6368 av |= IPC__UNIX_WRITE; 6369 6370 if (av == 0) 6371 return 0; 6372 6373 return ipc_has_perm(ipcp, av); 6374 } 6375 6376 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 6377 { 6378 struct ipc_security_struct *isec = selinux_ipc(ipcp); 6379 *secid = isec->sid; 6380 } 6381 6382 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6383 { 6384 if (inode) 6385 inode_doinit_with_dentry(inode, dentry); 6386 } 6387 6388 static int selinux_getprocattr(struct task_struct *p, 6389 char *name, char **value) 6390 { 6391 const struct task_security_struct *__tsec; 6392 u32 sid; 6393 int error; 6394 unsigned len; 6395 6396 rcu_read_lock(); 6397 __tsec = selinux_cred(__task_cred(p)); 6398 6399 if (current != p) { 6400 error = avc_has_perm(&selinux_state, 6401 current_sid(), __tsec->sid, 6402 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6403 if (error) 6404 goto bad; 6405 } 6406 6407 if (!strcmp(name, "current")) 6408 sid = __tsec->sid; 6409 else if (!strcmp(name, "prev")) 6410 sid = __tsec->osid; 6411 else if (!strcmp(name, "exec")) 6412 sid = __tsec->exec_sid; 6413 else if (!strcmp(name, "fscreate")) 6414 sid = __tsec->create_sid; 6415 else if (!strcmp(name, "keycreate")) 6416 sid = __tsec->keycreate_sid; 6417 else if (!strcmp(name, "sockcreate")) 6418 sid = __tsec->sockcreate_sid; 6419 else { 6420 error = -EINVAL; 6421 goto bad; 6422 } 6423 rcu_read_unlock(); 6424 6425 if (!sid) 6426 return 0; 6427 6428 error = security_sid_to_context(&selinux_state, sid, value, &len); 6429 if (error) 6430 return error; 6431 return len; 6432 6433 bad: 6434 rcu_read_unlock(); 6435 return error; 6436 } 6437 6438 static int selinux_setprocattr(const char *name, void *value, size_t size) 6439 { 6440 struct task_security_struct *tsec; 6441 struct cred *new; 6442 u32 mysid = current_sid(), sid = 0, ptsid; 6443 int error; 6444 char *str = value; 6445 6446 /* 6447 * Basic control over ability to set these attributes at all. 6448 */ 6449 if (!strcmp(name, "exec")) 6450 error = avc_has_perm(&selinux_state, 6451 mysid, mysid, SECCLASS_PROCESS, 6452 PROCESS__SETEXEC, NULL); 6453 else if (!strcmp(name, "fscreate")) 6454 error = avc_has_perm(&selinux_state, 6455 mysid, mysid, SECCLASS_PROCESS, 6456 PROCESS__SETFSCREATE, NULL); 6457 else if (!strcmp(name, "keycreate")) 6458 error = avc_has_perm(&selinux_state, 6459 mysid, mysid, SECCLASS_PROCESS, 6460 PROCESS__SETKEYCREATE, NULL); 6461 else if (!strcmp(name, "sockcreate")) 6462 error = avc_has_perm(&selinux_state, 6463 mysid, mysid, SECCLASS_PROCESS, 6464 PROCESS__SETSOCKCREATE, NULL); 6465 else if (!strcmp(name, "current")) 6466 error = avc_has_perm(&selinux_state, 6467 mysid, mysid, SECCLASS_PROCESS, 6468 PROCESS__SETCURRENT, NULL); 6469 else 6470 error = -EINVAL; 6471 if (error) 6472 return error; 6473 6474 /* Obtain a SID for the context, if one was specified. */ 6475 if (size && str[0] && str[0] != '\n') { 6476 if (str[size-1] == '\n') { 6477 str[size-1] = 0; 6478 size--; 6479 } 6480 error = security_context_to_sid(&selinux_state, value, size, 6481 &sid, GFP_KERNEL); 6482 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6483 if (!has_cap_mac_admin(true)) { 6484 struct audit_buffer *ab; 6485 size_t audit_size; 6486 6487 /* We strip a nul only if it is at the end, otherwise the 6488 * context contains a nul and we should audit that */ 6489 if (str[size - 1] == '\0') 6490 audit_size = size - 1; 6491 else 6492 audit_size = size; 6493 ab = audit_log_start(audit_context(), 6494 GFP_ATOMIC, 6495 AUDIT_SELINUX_ERR); 6496 if (!ab) 6497 return error; 6498 audit_log_format(ab, "op=fscreate invalid_context="); 6499 audit_log_n_untrustedstring(ab, value, audit_size); 6500 audit_log_end(ab); 6501 6502 return error; 6503 } 6504 error = security_context_to_sid_force( 6505 &selinux_state, 6506 value, size, &sid); 6507 } 6508 if (error) 6509 return error; 6510 } 6511 6512 new = prepare_creds(); 6513 if (!new) 6514 return -ENOMEM; 6515 6516 /* Permission checking based on the specified context is 6517 performed during the actual operation (execve, 6518 open/mkdir/...), when we know the full context of the 6519 operation. See selinux_bprm_creds_for_exec for the execve 6520 checks and may_create for the file creation checks. The 6521 operation will then fail if the context is not permitted. */ 6522 tsec = selinux_cred(new); 6523 if (!strcmp(name, "exec")) { 6524 tsec->exec_sid = sid; 6525 } else if (!strcmp(name, "fscreate")) { 6526 tsec->create_sid = sid; 6527 } else if (!strcmp(name, "keycreate")) { 6528 if (sid) { 6529 error = avc_has_perm(&selinux_state, mysid, sid, 6530 SECCLASS_KEY, KEY__CREATE, NULL); 6531 if (error) 6532 goto abort_change; 6533 } 6534 tsec->keycreate_sid = sid; 6535 } else if (!strcmp(name, "sockcreate")) { 6536 tsec->sockcreate_sid = sid; 6537 } else if (!strcmp(name, "current")) { 6538 error = -EINVAL; 6539 if (sid == 0) 6540 goto abort_change; 6541 6542 /* Only allow single threaded processes to change context */ 6543 error = -EPERM; 6544 if (!current_is_single_threaded()) { 6545 error = security_bounded_transition(&selinux_state, 6546 tsec->sid, sid); 6547 if (error) 6548 goto abort_change; 6549 } 6550 6551 /* Check permissions for the transition. */ 6552 error = avc_has_perm(&selinux_state, 6553 tsec->sid, sid, SECCLASS_PROCESS, 6554 PROCESS__DYNTRANSITION, NULL); 6555 if (error) 6556 goto abort_change; 6557 6558 /* Check for ptracing, and update the task SID if ok. 6559 Otherwise, leave SID unchanged and fail. */ 6560 ptsid = ptrace_parent_sid(); 6561 if (ptsid != 0) { 6562 error = avc_has_perm(&selinux_state, 6563 ptsid, sid, SECCLASS_PROCESS, 6564 PROCESS__PTRACE, NULL); 6565 if (error) 6566 goto abort_change; 6567 } 6568 6569 tsec->sid = sid; 6570 } else { 6571 error = -EINVAL; 6572 goto abort_change; 6573 } 6574 6575 commit_creds(new); 6576 return size; 6577 6578 abort_change: 6579 abort_creds(new); 6580 return error; 6581 } 6582 6583 static int selinux_ismaclabel(const char *name) 6584 { 6585 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6586 } 6587 6588 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6589 { 6590 return security_sid_to_context(&selinux_state, secid, 6591 secdata, seclen); 6592 } 6593 6594 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6595 { 6596 return security_context_to_sid(&selinux_state, secdata, seclen, 6597 secid, GFP_KERNEL); 6598 } 6599 6600 static void selinux_release_secctx(char *secdata, u32 seclen) 6601 { 6602 kfree(secdata); 6603 } 6604 6605 static void selinux_inode_invalidate_secctx(struct inode *inode) 6606 { 6607 struct inode_security_struct *isec = selinux_inode(inode); 6608 6609 spin_lock(&isec->lock); 6610 isec->initialized = LABEL_INVALID; 6611 spin_unlock(&isec->lock); 6612 } 6613 6614 /* 6615 * called with inode->i_mutex locked 6616 */ 6617 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6618 { 6619 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, 6620 ctx, ctxlen, 0); 6621 /* Do not return error when suppressing label (SBLABEL_MNT not set). */ 6622 return rc == -EOPNOTSUPP ? 0 : rc; 6623 } 6624 6625 /* 6626 * called with inode->i_mutex locked 6627 */ 6628 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6629 { 6630 return __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_SELINUX, 6631 ctx, ctxlen, 0); 6632 } 6633 6634 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6635 { 6636 int len = 0; 6637 len = selinux_inode_getsecurity(&init_user_ns, inode, 6638 XATTR_SELINUX_SUFFIX, ctx, true); 6639 if (len < 0) 6640 return len; 6641 *ctxlen = len; 6642 return 0; 6643 } 6644 #ifdef CONFIG_KEYS 6645 6646 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6647 unsigned long flags) 6648 { 6649 const struct task_security_struct *tsec; 6650 struct key_security_struct *ksec; 6651 6652 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6653 if (!ksec) 6654 return -ENOMEM; 6655 6656 tsec = selinux_cred(cred); 6657 if (tsec->keycreate_sid) 6658 ksec->sid = tsec->keycreate_sid; 6659 else 6660 ksec->sid = tsec->sid; 6661 6662 k->security = ksec; 6663 return 0; 6664 } 6665 6666 static void selinux_key_free(struct key *k) 6667 { 6668 struct key_security_struct *ksec = k->security; 6669 6670 k->security = NULL; 6671 kfree(ksec); 6672 } 6673 6674 static int selinux_key_permission(key_ref_t key_ref, 6675 const struct cred *cred, 6676 enum key_need_perm need_perm) 6677 { 6678 struct key *key; 6679 struct key_security_struct *ksec; 6680 u32 perm, sid; 6681 6682 switch (need_perm) { 6683 case KEY_NEED_VIEW: 6684 perm = KEY__VIEW; 6685 break; 6686 case KEY_NEED_READ: 6687 perm = KEY__READ; 6688 break; 6689 case KEY_NEED_WRITE: 6690 perm = KEY__WRITE; 6691 break; 6692 case KEY_NEED_SEARCH: 6693 perm = KEY__SEARCH; 6694 break; 6695 case KEY_NEED_LINK: 6696 perm = KEY__LINK; 6697 break; 6698 case KEY_NEED_SETATTR: 6699 perm = KEY__SETATTR; 6700 break; 6701 case KEY_NEED_UNLINK: 6702 case KEY_SYSADMIN_OVERRIDE: 6703 case KEY_AUTHTOKEN_OVERRIDE: 6704 case KEY_DEFER_PERM_CHECK: 6705 return 0; 6706 default: 6707 WARN_ON(1); 6708 return -EPERM; 6709 6710 } 6711 6712 sid = cred_sid(cred); 6713 key = key_ref_to_ptr(key_ref); 6714 ksec = key->security; 6715 6716 return avc_has_perm(&selinux_state, 6717 sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6718 } 6719 6720 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6721 { 6722 struct key_security_struct *ksec = key->security; 6723 char *context = NULL; 6724 unsigned len; 6725 int rc; 6726 6727 rc = security_sid_to_context(&selinux_state, ksec->sid, 6728 &context, &len); 6729 if (!rc) 6730 rc = len; 6731 *_buffer = context; 6732 return rc; 6733 } 6734 6735 #ifdef CONFIG_KEY_NOTIFICATIONS 6736 static int selinux_watch_key(struct key *key) 6737 { 6738 struct key_security_struct *ksec = key->security; 6739 u32 sid = current_sid(); 6740 6741 return avc_has_perm(&selinux_state, 6742 sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL); 6743 } 6744 #endif 6745 #endif 6746 6747 #ifdef CONFIG_SECURITY_INFINIBAND 6748 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6749 { 6750 struct common_audit_data ad; 6751 int err; 6752 u32 sid = 0; 6753 struct ib_security_struct *sec = ib_sec; 6754 struct lsm_ibpkey_audit ibpkey; 6755 6756 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6757 if (err) 6758 return err; 6759 6760 ad.type = LSM_AUDIT_DATA_IBPKEY; 6761 ibpkey.subnet_prefix = subnet_prefix; 6762 ibpkey.pkey = pkey_val; 6763 ad.u.ibpkey = &ibpkey; 6764 return avc_has_perm(&selinux_state, 6765 sec->sid, sid, 6766 SECCLASS_INFINIBAND_PKEY, 6767 INFINIBAND_PKEY__ACCESS, &ad); 6768 } 6769 6770 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6771 u8 port_num) 6772 { 6773 struct common_audit_data ad; 6774 int err; 6775 u32 sid = 0; 6776 struct ib_security_struct *sec = ib_sec; 6777 struct lsm_ibendport_audit ibendport; 6778 6779 err = security_ib_endport_sid(&selinux_state, dev_name, port_num, 6780 &sid); 6781 6782 if (err) 6783 return err; 6784 6785 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6786 ibendport.dev_name = dev_name; 6787 ibendport.port = port_num; 6788 ad.u.ibendport = &ibendport; 6789 return avc_has_perm(&selinux_state, 6790 sec->sid, sid, 6791 SECCLASS_INFINIBAND_ENDPORT, 6792 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6793 } 6794 6795 static int selinux_ib_alloc_security(void **ib_sec) 6796 { 6797 struct ib_security_struct *sec; 6798 6799 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6800 if (!sec) 6801 return -ENOMEM; 6802 sec->sid = current_sid(); 6803 6804 *ib_sec = sec; 6805 return 0; 6806 } 6807 6808 static void selinux_ib_free_security(void *ib_sec) 6809 { 6810 kfree(ib_sec); 6811 } 6812 #endif 6813 6814 #ifdef CONFIG_BPF_SYSCALL 6815 static int selinux_bpf(int cmd, union bpf_attr *attr, 6816 unsigned int size) 6817 { 6818 u32 sid = current_sid(); 6819 int ret; 6820 6821 switch (cmd) { 6822 case BPF_MAP_CREATE: 6823 ret = avc_has_perm(&selinux_state, 6824 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6825 NULL); 6826 break; 6827 case BPF_PROG_LOAD: 6828 ret = avc_has_perm(&selinux_state, 6829 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6830 NULL); 6831 break; 6832 default: 6833 ret = 0; 6834 break; 6835 } 6836 6837 return ret; 6838 } 6839 6840 static u32 bpf_map_fmode_to_av(fmode_t fmode) 6841 { 6842 u32 av = 0; 6843 6844 if (fmode & FMODE_READ) 6845 av |= BPF__MAP_READ; 6846 if (fmode & FMODE_WRITE) 6847 av |= BPF__MAP_WRITE; 6848 return av; 6849 } 6850 6851 /* This function will check the file pass through unix socket or binder to see 6852 * if it is a bpf related object. And apply correspinding checks on the bpf 6853 * object based on the type. The bpf maps and programs, not like other files and 6854 * socket, are using a shared anonymous inode inside the kernel as their inode. 6855 * So checking that inode cannot identify if the process have privilege to 6856 * access the bpf object and that's why we have to add this additional check in 6857 * selinux_file_receive and selinux_binder_transfer_files. 6858 */ 6859 static int bpf_fd_pass(struct file *file, u32 sid) 6860 { 6861 struct bpf_security_struct *bpfsec; 6862 struct bpf_prog *prog; 6863 struct bpf_map *map; 6864 int ret; 6865 6866 if (file->f_op == &bpf_map_fops) { 6867 map = file->private_data; 6868 bpfsec = map->security; 6869 ret = avc_has_perm(&selinux_state, 6870 sid, bpfsec->sid, SECCLASS_BPF, 6871 bpf_map_fmode_to_av(file->f_mode), NULL); 6872 if (ret) 6873 return ret; 6874 } else if (file->f_op == &bpf_prog_fops) { 6875 prog = file->private_data; 6876 bpfsec = prog->aux->security; 6877 ret = avc_has_perm(&selinux_state, 6878 sid, bpfsec->sid, SECCLASS_BPF, 6879 BPF__PROG_RUN, NULL); 6880 if (ret) 6881 return ret; 6882 } 6883 return 0; 6884 } 6885 6886 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 6887 { 6888 u32 sid = current_sid(); 6889 struct bpf_security_struct *bpfsec; 6890 6891 bpfsec = map->security; 6892 return avc_has_perm(&selinux_state, 6893 sid, bpfsec->sid, SECCLASS_BPF, 6894 bpf_map_fmode_to_av(fmode), NULL); 6895 } 6896 6897 static int selinux_bpf_prog(struct bpf_prog *prog) 6898 { 6899 u32 sid = current_sid(); 6900 struct bpf_security_struct *bpfsec; 6901 6902 bpfsec = prog->aux->security; 6903 return avc_has_perm(&selinux_state, 6904 sid, bpfsec->sid, SECCLASS_BPF, 6905 BPF__PROG_RUN, NULL); 6906 } 6907 6908 static int selinux_bpf_map_alloc(struct bpf_map *map) 6909 { 6910 struct bpf_security_struct *bpfsec; 6911 6912 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6913 if (!bpfsec) 6914 return -ENOMEM; 6915 6916 bpfsec->sid = current_sid(); 6917 map->security = bpfsec; 6918 6919 return 0; 6920 } 6921 6922 static void selinux_bpf_map_free(struct bpf_map *map) 6923 { 6924 struct bpf_security_struct *bpfsec = map->security; 6925 6926 map->security = NULL; 6927 kfree(bpfsec); 6928 } 6929 6930 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux) 6931 { 6932 struct bpf_security_struct *bpfsec; 6933 6934 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6935 if (!bpfsec) 6936 return -ENOMEM; 6937 6938 bpfsec->sid = current_sid(); 6939 aux->security = bpfsec; 6940 6941 return 0; 6942 } 6943 6944 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) 6945 { 6946 struct bpf_security_struct *bpfsec = aux->security; 6947 6948 aux->security = NULL; 6949 kfree(bpfsec); 6950 } 6951 #endif 6952 6953 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { 6954 .lbs_cred = sizeof(struct task_security_struct), 6955 .lbs_file = sizeof(struct file_security_struct), 6956 .lbs_inode = sizeof(struct inode_security_struct), 6957 .lbs_ipc = sizeof(struct ipc_security_struct), 6958 .lbs_msg_msg = sizeof(struct msg_security_struct), 6959 .lbs_superblock = sizeof(struct superblock_security_struct), 6960 }; 6961 6962 #ifdef CONFIG_PERF_EVENTS 6963 static int selinux_perf_event_open(struct perf_event_attr *attr, int type) 6964 { 6965 u32 requested, sid = current_sid(); 6966 6967 if (type == PERF_SECURITY_OPEN) 6968 requested = PERF_EVENT__OPEN; 6969 else if (type == PERF_SECURITY_CPU) 6970 requested = PERF_EVENT__CPU; 6971 else if (type == PERF_SECURITY_KERNEL) 6972 requested = PERF_EVENT__KERNEL; 6973 else if (type == PERF_SECURITY_TRACEPOINT) 6974 requested = PERF_EVENT__TRACEPOINT; 6975 else 6976 return -EINVAL; 6977 6978 return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT, 6979 requested, NULL); 6980 } 6981 6982 static int selinux_perf_event_alloc(struct perf_event *event) 6983 { 6984 struct perf_event_security_struct *perfsec; 6985 6986 perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL); 6987 if (!perfsec) 6988 return -ENOMEM; 6989 6990 perfsec->sid = current_sid(); 6991 event->security = perfsec; 6992 6993 return 0; 6994 } 6995 6996 static void selinux_perf_event_free(struct perf_event *event) 6997 { 6998 struct perf_event_security_struct *perfsec = event->security; 6999 7000 event->security = NULL; 7001 kfree(perfsec); 7002 } 7003 7004 static int selinux_perf_event_read(struct perf_event *event) 7005 { 7006 struct perf_event_security_struct *perfsec = event->security; 7007 u32 sid = current_sid(); 7008 7009 return avc_has_perm(&selinux_state, sid, perfsec->sid, 7010 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL); 7011 } 7012 7013 static int selinux_perf_event_write(struct perf_event *event) 7014 { 7015 struct perf_event_security_struct *perfsec = event->security; 7016 u32 sid = current_sid(); 7017 7018 return avc_has_perm(&selinux_state, sid, perfsec->sid, 7019 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL); 7020 } 7021 #endif 7022 7023 #ifdef CONFIG_IO_URING 7024 /** 7025 * selinux_uring_override_creds - check the requested cred override 7026 * @new: the target creds 7027 * 7028 * Check to see if the current task is allowed to override it's credentials 7029 * to service an io_uring operation. 7030 */ 7031 static int selinux_uring_override_creds(const struct cred *new) 7032 { 7033 return avc_has_perm(&selinux_state, current_sid(), cred_sid(new), 7034 SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL); 7035 } 7036 7037 /** 7038 * selinux_uring_sqpoll - check if a io_uring polling thread can be created 7039 * 7040 * Check to see if the current task is allowed to create a new io_uring 7041 * kernel polling thread. 7042 */ 7043 static int selinux_uring_sqpoll(void) 7044 { 7045 int sid = current_sid(); 7046 7047 return avc_has_perm(&selinux_state, sid, sid, 7048 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL); 7049 } 7050 #endif /* CONFIG_IO_URING */ 7051 7052 /* 7053 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: 7054 * 1. any hooks that don't belong to (2.) or (3.) below, 7055 * 2. hooks that both access structures allocated by other hooks, and allocate 7056 * structures that can be later accessed by other hooks (mostly "cloning" 7057 * hooks), 7058 * 3. hooks that only allocate structures that can be later accessed by other 7059 * hooks ("allocating" hooks). 7060 * 7061 * Please follow block comment delimiters in the list to keep this order. 7062 * 7063 * This ordering is needed for SELinux runtime disable to work at least somewhat 7064 * safely. Breaking the ordering rules above might lead to NULL pointer derefs 7065 * when disabling SELinux at runtime. 7066 */ 7067 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 7068 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 7069 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 7070 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 7071 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 7072 7073 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 7074 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 7075 LSM_HOOK_INIT(capget, selinux_capget), 7076 LSM_HOOK_INIT(capset, selinux_capset), 7077 LSM_HOOK_INIT(capable, selinux_capable), 7078 LSM_HOOK_INIT(quotactl, selinux_quotactl), 7079 LSM_HOOK_INIT(quota_on, selinux_quota_on), 7080 LSM_HOOK_INIT(syslog, selinux_syslog), 7081 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 7082 7083 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 7084 7085 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec), 7086 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 7087 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 7088 7089 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), 7090 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat), 7091 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 7092 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 7093 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 7094 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 7095 LSM_HOOK_INIT(sb_mount, selinux_mount), 7096 LSM_HOOK_INIT(sb_umount, selinux_umount), 7097 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 7098 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 7099 7100 LSM_HOOK_INIT(move_mount, selinux_move_mount), 7101 7102 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 7103 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 7104 7105 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 7106 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 7107 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon), 7108 LSM_HOOK_INIT(inode_create, selinux_inode_create), 7109 LSM_HOOK_INIT(inode_link, selinux_inode_link), 7110 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 7111 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 7112 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 7113 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 7114 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 7115 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 7116 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 7117 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 7118 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 7119 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 7120 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 7121 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 7122 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 7123 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 7124 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 7125 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 7126 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 7127 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 7128 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 7129 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 7130 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 7131 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 7132 LSM_HOOK_INIT(path_notify, selinux_path_notify), 7133 7134 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security), 7135 7136 LSM_HOOK_INIT(file_permission, selinux_file_permission), 7137 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 7138 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 7139 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 7140 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 7141 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 7142 LSM_HOOK_INIT(file_lock, selinux_file_lock), 7143 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 7144 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 7145 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 7146 LSM_HOOK_INIT(file_receive, selinux_file_receive), 7147 7148 LSM_HOOK_INIT(file_open, selinux_file_open), 7149 7150 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 7151 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 7152 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 7153 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 7154 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 7155 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 7156 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 7157 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 7158 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 7159 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 7160 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 7161 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 7162 LSM_HOOK_INIT(task_getsecid_subj, selinux_task_getsecid_subj), 7163 LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj), 7164 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 7165 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 7166 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 7167 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 7168 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 7169 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 7170 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 7171 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 7172 LSM_HOOK_INIT(task_kill, selinux_task_kill), 7173 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 7174 7175 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 7176 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 7177 7178 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 7179 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 7180 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 7181 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 7182 7183 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 7184 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 7185 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 7186 7187 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 7188 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 7189 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 7190 7191 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 7192 7193 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 7194 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 7195 7196 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 7197 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 7198 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 7199 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 7200 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 7201 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 7202 7203 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 7204 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 7205 7206 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7207 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7208 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), 7209 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7210 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7211 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7212 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7213 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7214 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7215 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7216 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7217 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7218 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7219 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7220 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7221 LSM_HOOK_INIT(socket_getpeersec_stream, 7222 selinux_socket_getpeersec_stream), 7223 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7224 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7225 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7226 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7227 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7228 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7229 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7230 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7231 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7232 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7233 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7234 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7235 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7236 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7237 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7238 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 7239 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7240 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7241 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7242 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7243 #ifdef CONFIG_SECURITY_INFINIBAND 7244 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7245 LSM_HOOK_INIT(ib_endport_manage_subnet, 7246 selinux_ib_endport_manage_subnet), 7247 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 7248 #endif 7249 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7250 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7251 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7252 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7253 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7254 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7255 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7256 selinux_xfrm_state_pol_flow_match), 7257 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7258 #endif 7259 7260 #ifdef CONFIG_KEYS 7261 LSM_HOOK_INIT(key_free, selinux_key_free), 7262 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7263 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7264 #ifdef CONFIG_KEY_NOTIFICATIONS 7265 LSM_HOOK_INIT(watch_key, selinux_watch_key), 7266 #endif 7267 #endif 7268 7269 #ifdef CONFIG_AUDIT 7270 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7271 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7272 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7273 #endif 7274 7275 #ifdef CONFIG_BPF_SYSCALL 7276 LSM_HOOK_INIT(bpf, selinux_bpf), 7277 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7278 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7279 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free), 7280 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free), 7281 #endif 7282 7283 #ifdef CONFIG_PERF_EVENTS 7284 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open), 7285 LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free), 7286 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read), 7287 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write), 7288 #endif 7289 7290 #ifdef CONFIG_IO_URING 7291 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), 7292 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), 7293 #endif 7294 7295 /* 7296 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE 7297 */ 7298 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 7299 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 7300 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 7301 LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt), 7302 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7303 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7304 #endif 7305 7306 /* 7307 * PUT "ALLOCATING" HOOKS HERE 7308 */ 7309 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 7310 LSM_HOOK_INIT(msg_queue_alloc_security, 7311 selinux_msg_queue_alloc_security), 7312 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 7313 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 7314 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 7315 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 7316 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 7317 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 7318 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7319 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7320 #ifdef CONFIG_SECURITY_INFINIBAND 7321 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7322 #endif 7323 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7324 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7325 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7326 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7327 selinux_xfrm_state_alloc_acquire), 7328 #endif 7329 #ifdef CONFIG_KEYS 7330 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7331 #endif 7332 #ifdef CONFIG_AUDIT 7333 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7334 #endif 7335 #ifdef CONFIG_BPF_SYSCALL 7336 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), 7337 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), 7338 #endif 7339 #ifdef CONFIG_PERF_EVENTS 7340 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), 7341 #endif 7342 }; 7343 7344 static __init int selinux_init(void) 7345 { 7346 pr_info("SELinux: Initializing.\n"); 7347 7348 memset(&selinux_state, 0, sizeof(selinux_state)); 7349 enforcing_set(&selinux_state, selinux_enforcing_boot); 7350 checkreqprot_set(&selinux_state, selinux_checkreqprot_boot); 7351 selinux_avc_init(&selinux_state.avc); 7352 mutex_init(&selinux_state.status_lock); 7353 mutex_init(&selinux_state.policy_mutex); 7354 7355 /* Set the security state for the initial task. */ 7356 cred_init_security(); 7357 7358 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7359 7360 avc_init(); 7361 7362 avtab_cache_init(); 7363 7364 ebitmap_cache_init(); 7365 7366 hashtab_cache_init(); 7367 7368 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 7369 7370 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7371 panic("SELinux: Unable to register AVC netcache callback\n"); 7372 7373 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7374 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7375 7376 if (selinux_enforcing_boot) 7377 pr_debug("SELinux: Starting in enforcing mode\n"); 7378 else 7379 pr_debug("SELinux: Starting in permissive mode\n"); 7380 7381 fs_validate_description("selinux", selinux_fs_parameters); 7382 7383 return 0; 7384 } 7385 7386 static void delayed_superblock_init(struct super_block *sb, void *unused) 7387 { 7388 selinux_set_mnt_opts(sb, NULL, 0, NULL); 7389 } 7390 7391 void selinux_complete_init(void) 7392 { 7393 pr_debug("SELinux: Completing initialization.\n"); 7394 7395 /* Set up any superblocks initialized prior to the policy load. */ 7396 pr_debug("SELinux: Setting up existing superblocks.\n"); 7397 iterate_supers(delayed_superblock_init, NULL); 7398 } 7399 7400 /* SELinux requires early initialization in order to label 7401 all processes and objects when they are created. */ 7402 DEFINE_LSM(selinux) = { 7403 .name = "selinux", 7404 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 7405 .enabled = &selinux_enabled_boot, 7406 .blobs = &selinux_blob_sizes, 7407 .init = selinux_init, 7408 }; 7409 7410 #if defined(CONFIG_NETFILTER) 7411 7412 static const struct nf_hook_ops selinux_nf_ops[] = { 7413 { 7414 .hook = selinux_ip_postroute, 7415 .pf = NFPROTO_IPV4, 7416 .hooknum = NF_INET_POST_ROUTING, 7417 .priority = NF_IP_PRI_SELINUX_LAST, 7418 }, 7419 { 7420 .hook = selinux_ip_forward, 7421 .pf = NFPROTO_IPV4, 7422 .hooknum = NF_INET_FORWARD, 7423 .priority = NF_IP_PRI_SELINUX_FIRST, 7424 }, 7425 { 7426 .hook = selinux_ip_output, 7427 .pf = NFPROTO_IPV4, 7428 .hooknum = NF_INET_LOCAL_OUT, 7429 .priority = NF_IP_PRI_SELINUX_FIRST, 7430 }, 7431 #if IS_ENABLED(CONFIG_IPV6) 7432 { 7433 .hook = selinux_ip_postroute, 7434 .pf = NFPROTO_IPV6, 7435 .hooknum = NF_INET_POST_ROUTING, 7436 .priority = NF_IP6_PRI_SELINUX_LAST, 7437 }, 7438 { 7439 .hook = selinux_ip_forward, 7440 .pf = NFPROTO_IPV6, 7441 .hooknum = NF_INET_FORWARD, 7442 .priority = NF_IP6_PRI_SELINUX_FIRST, 7443 }, 7444 { 7445 .hook = selinux_ip_output, 7446 .pf = NFPROTO_IPV6, 7447 .hooknum = NF_INET_LOCAL_OUT, 7448 .priority = NF_IP6_PRI_SELINUX_FIRST, 7449 }, 7450 #endif /* IPV6 */ 7451 }; 7452 7453 static int __net_init selinux_nf_register(struct net *net) 7454 { 7455 return nf_register_net_hooks(net, selinux_nf_ops, 7456 ARRAY_SIZE(selinux_nf_ops)); 7457 } 7458 7459 static void __net_exit selinux_nf_unregister(struct net *net) 7460 { 7461 nf_unregister_net_hooks(net, selinux_nf_ops, 7462 ARRAY_SIZE(selinux_nf_ops)); 7463 } 7464 7465 static struct pernet_operations selinux_net_ops = { 7466 .init = selinux_nf_register, 7467 .exit = selinux_nf_unregister, 7468 }; 7469 7470 static int __init selinux_nf_ip_init(void) 7471 { 7472 int err; 7473 7474 if (!selinux_enabled_boot) 7475 return 0; 7476 7477 pr_debug("SELinux: Registering netfilter hooks\n"); 7478 7479 err = register_pernet_subsys(&selinux_net_ops); 7480 if (err) 7481 panic("SELinux: register_pernet_subsys: error %d\n", err); 7482 7483 return 0; 7484 } 7485 __initcall(selinux_nf_ip_init); 7486 7487 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7488 static void selinux_nf_ip_exit(void) 7489 { 7490 pr_debug("SELinux: Unregistering netfilter hooks\n"); 7491 7492 unregister_pernet_subsys(&selinux_net_ops); 7493 } 7494 #endif 7495 7496 #else /* CONFIG_NETFILTER */ 7497 7498 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7499 #define selinux_nf_ip_exit() 7500 #endif 7501 7502 #endif /* CONFIG_NETFILTER */ 7503 7504 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7505 int selinux_disable(struct selinux_state *state) 7506 { 7507 if (selinux_initialized(state)) { 7508 /* Not permitted after initial policy load. */ 7509 return -EINVAL; 7510 } 7511 7512 if (selinux_disabled(state)) { 7513 /* Only do this once. */ 7514 return -EINVAL; 7515 } 7516 7517 selinux_mark_disabled(state); 7518 7519 pr_info("SELinux: Disabled at runtime.\n"); 7520 7521 /* 7522 * Unregister netfilter hooks. 7523 * Must be done before security_delete_hooks() to avoid breaking 7524 * runtime disable. 7525 */ 7526 selinux_nf_ip_exit(); 7527 7528 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7529 7530 /* Try to destroy the avc node cache */ 7531 avc_disable(); 7532 7533 /* Unregister selinuxfs. */ 7534 exit_sel_fs(); 7535 7536 return 0; 7537 } 7538 #endif 7539