1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * NSA Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 8 * Chris Vance, <cvance@nai.com> 9 * Wayne Salamon, <wsalamon@nai.com> 10 * James Morris <jmorris@redhat.com> 11 * 12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 14 * Eric Paris <eparis@redhat.com> 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 16 * <dgoeddel@trustedcs.com> 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 18 * Paul Moore <paul@paul-moore.com> 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 20 * Yuichi Nakamura <ynakam@hitachisoft.jp> 21 * Copyright (C) 2016 Mellanox Technologies 22 */ 23 24 #include <linux/init.h> 25 #include <linux/kd.h> 26 #include <linux/kernel.h> 27 #include <linux/kernel_read_file.h> 28 #include <linux/tracehook.h> 29 #include <linux/errno.h> 30 #include <linux/sched/signal.h> 31 #include <linux/sched/task.h> 32 #include <linux/lsm_hooks.h> 33 #include <linux/xattr.h> 34 #include <linux/capability.h> 35 #include <linux/unistd.h> 36 #include <linux/mm.h> 37 #include <linux/mman.h> 38 #include <linux/slab.h> 39 #include <linux/pagemap.h> 40 #include <linux/proc_fs.h> 41 #include <linux/swap.h> 42 #include <linux/spinlock.h> 43 #include <linux/syscalls.h> 44 #include <linux/dcache.h> 45 #include <linux/file.h> 46 #include <linux/fdtable.h> 47 #include <linux/namei.h> 48 #include <linux/mount.h> 49 #include <linux/fs_context.h> 50 #include <linux/fs_parser.h> 51 #include <linux/netfilter_ipv4.h> 52 #include <linux/netfilter_ipv6.h> 53 #include <linux/tty.h> 54 #include <net/icmp.h> 55 #include <net/ip.h> /* for local_port_range[] */ 56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 57 #include <net/inet_connection_sock.h> 58 #include <net/net_namespace.h> 59 #include <net/netlabel.h> 60 #include <linux/uaccess.h> 61 #include <asm/ioctls.h> 62 #include <linux/atomic.h> 63 #include <linux/bitops.h> 64 #include <linux/interrupt.h> 65 #include <linux/netdevice.h> /* for network interface checks */ 66 #include <net/netlink.h> 67 #include <linux/tcp.h> 68 #include <linux/udp.h> 69 #include <linux/dccp.h> 70 #include <linux/sctp.h> 71 #include <net/sctp/structs.h> 72 #include <linux/quota.h> 73 #include <linux/un.h> /* for Unix socket types */ 74 #include <net/af_unix.h> /* for Unix socket types */ 75 #include <linux/parser.h> 76 #include <linux/nfs_mount.h> 77 #include <net/ipv6.h> 78 #include <linux/hugetlb.h> 79 #include <linux/personality.h> 80 #include <linux/audit.h> 81 #include <linux/string.h> 82 #include <linux/mutex.h> 83 #include <linux/posix-timers.h> 84 #include <linux/syslog.h> 85 #include <linux/user_namespace.h> 86 #include <linux/export.h> 87 #include <linux/msg.h> 88 #include <linux/shm.h> 89 #include <linux/bpf.h> 90 #include <linux/kernfs.h> 91 #include <linux/stringhash.h> /* for hashlen_string() */ 92 #include <uapi/linux/mount.h> 93 #include <linux/fsnotify.h> 94 #include <linux/fanotify.h> 95 96 #include "avc.h" 97 #include "objsec.h" 98 #include "netif.h" 99 #include "netnode.h" 100 #include "netport.h" 101 #include "ibpkey.h" 102 #include "xfrm.h" 103 #include "netlabel.h" 104 #include "audit.h" 105 #include "avc_ss.h" 106 107 struct selinux_state selinux_state; 108 109 /* SECMARK reference count */ 110 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 111 112 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 113 static int selinux_enforcing_boot __initdata; 114 115 static int __init enforcing_setup(char *str) 116 { 117 unsigned long enforcing; 118 if (!kstrtoul(str, 0, &enforcing)) 119 selinux_enforcing_boot = enforcing ? 1 : 0; 120 return 1; 121 } 122 __setup("enforcing=", enforcing_setup); 123 #else 124 #define selinux_enforcing_boot 1 125 #endif 126 127 int selinux_enabled_boot __initdata = 1; 128 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 129 static int __init selinux_enabled_setup(char *str) 130 { 131 unsigned long enabled; 132 if (!kstrtoul(str, 0, &enabled)) 133 selinux_enabled_boot = enabled ? 1 : 0; 134 return 1; 135 } 136 __setup("selinux=", selinux_enabled_setup); 137 #endif 138 139 static unsigned int selinux_checkreqprot_boot = 140 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 141 142 static int __init checkreqprot_setup(char *str) 143 { 144 unsigned long checkreqprot; 145 146 if (!kstrtoul(str, 0, &checkreqprot)) { 147 selinux_checkreqprot_boot = checkreqprot ? 1 : 0; 148 if (checkreqprot) 149 pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n"); 150 } 151 return 1; 152 } 153 __setup("checkreqprot=", checkreqprot_setup); 154 155 /** 156 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 157 * 158 * Description: 159 * This function checks the SECMARK reference counter to see if any SECMARK 160 * targets are currently configured, if the reference counter is greater than 161 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 162 * enabled, false (0) if SECMARK is disabled. If the always_check_network 163 * policy capability is enabled, SECMARK is always considered enabled. 164 * 165 */ 166 static int selinux_secmark_enabled(void) 167 { 168 return (selinux_policycap_alwaysnetwork() || 169 atomic_read(&selinux_secmark_refcount)); 170 } 171 172 /** 173 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 174 * 175 * Description: 176 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 177 * (1) if any are enabled or false (0) if neither are enabled. If the 178 * always_check_network policy capability is enabled, peer labeling 179 * is always considered enabled. 180 * 181 */ 182 static int selinux_peerlbl_enabled(void) 183 { 184 return (selinux_policycap_alwaysnetwork() || 185 netlbl_enabled() || selinux_xfrm_enabled()); 186 } 187 188 static int selinux_netcache_avc_callback(u32 event) 189 { 190 if (event == AVC_CALLBACK_RESET) { 191 sel_netif_flush(); 192 sel_netnode_flush(); 193 sel_netport_flush(); 194 synchronize_net(); 195 } 196 return 0; 197 } 198 199 static int selinux_lsm_notifier_avc_callback(u32 event) 200 { 201 if (event == AVC_CALLBACK_RESET) { 202 sel_ib_pkey_flush(); 203 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); 204 } 205 206 return 0; 207 } 208 209 /* 210 * initialise the security for the init task 211 */ 212 static void cred_init_security(void) 213 { 214 struct cred *cred = (struct cred *) current->real_cred; 215 struct task_security_struct *tsec; 216 217 tsec = selinux_cred(cred); 218 tsec->osid = tsec->sid = SECINITSID_KERNEL; 219 } 220 221 /* 222 * get the security ID of a set of credentials 223 */ 224 static inline u32 cred_sid(const struct cred *cred) 225 { 226 const struct task_security_struct *tsec; 227 228 tsec = selinux_cred(cred); 229 return tsec->sid; 230 } 231 232 /* 233 * get the subjective security ID of a task 234 */ 235 static inline u32 task_sid_subj(const struct task_struct *task) 236 { 237 u32 sid; 238 239 rcu_read_lock(); 240 sid = cred_sid(rcu_dereference(task->cred)); 241 rcu_read_unlock(); 242 return sid; 243 } 244 245 /* 246 * get the objective security ID of a task 247 */ 248 static inline u32 task_sid_obj(const struct task_struct *task) 249 { 250 u32 sid; 251 252 rcu_read_lock(); 253 sid = cred_sid(__task_cred(task)); 254 rcu_read_unlock(); 255 return sid; 256 } 257 258 /* 259 * get the security ID of a task for use with binder 260 */ 261 static inline u32 task_sid_binder(const struct task_struct *task) 262 { 263 /* 264 * In many case where this function is used we should be using the 265 * task's subjective SID, but we can't reliably access the subjective 266 * creds of a task other than our own so we must use the objective 267 * creds/SID, which are safe to access. The downside is that if a task 268 * is temporarily overriding it's creds it will not be reflected here; 269 * however, it isn't clear that binder would handle that case well 270 * anyway. 271 * 272 * If this ever changes and we can safely reference the subjective 273 * creds/SID of another task, this function will make it easier to 274 * identify the various places where we make use of the task SIDs in 275 * the binder code. It is also likely that we will need to adjust 276 * the main drivers/android binder code as well. 277 */ 278 return task_sid_obj(task); 279 } 280 281 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 282 283 /* 284 * Try reloading inode security labels that have been marked as invalid. The 285 * @may_sleep parameter indicates when sleeping and thus reloading labels is 286 * allowed; when set to false, returns -ECHILD when the label is 287 * invalid. The @dentry parameter should be set to a dentry of the inode. 288 */ 289 static int __inode_security_revalidate(struct inode *inode, 290 struct dentry *dentry, 291 bool may_sleep) 292 { 293 struct inode_security_struct *isec = selinux_inode(inode); 294 295 might_sleep_if(may_sleep); 296 297 if (selinux_initialized(&selinux_state) && 298 isec->initialized != LABEL_INITIALIZED) { 299 if (!may_sleep) 300 return -ECHILD; 301 302 /* 303 * Try reloading the inode security label. This will fail if 304 * @opt_dentry is NULL and no dentry for this inode can be 305 * found; in that case, continue using the old label. 306 */ 307 inode_doinit_with_dentry(inode, dentry); 308 } 309 return 0; 310 } 311 312 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 313 { 314 return selinux_inode(inode); 315 } 316 317 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 318 { 319 int error; 320 321 error = __inode_security_revalidate(inode, NULL, !rcu); 322 if (error) 323 return ERR_PTR(error); 324 return selinux_inode(inode); 325 } 326 327 /* 328 * Get the security label of an inode. 329 */ 330 static struct inode_security_struct *inode_security(struct inode *inode) 331 { 332 __inode_security_revalidate(inode, NULL, true); 333 return selinux_inode(inode); 334 } 335 336 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 337 { 338 struct inode *inode = d_backing_inode(dentry); 339 340 return selinux_inode(inode); 341 } 342 343 /* 344 * Get the security label of a dentry's backing inode. 345 */ 346 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 347 { 348 struct inode *inode = d_backing_inode(dentry); 349 350 __inode_security_revalidate(inode, dentry, true); 351 return selinux_inode(inode); 352 } 353 354 static void inode_free_security(struct inode *inode) 355 { 356 struct inode_security_struct *isec = selinux_inode(inode); 357 struct superblock_security_struct *sbsec; 358 359 if (!isec) 360 return; 361 sbsec = selinux_superblock(inode->i_sb); 362 /* 363 * As not all inode security structures are in a list, we check for 364 * empty list outside of the lock to make sure that we won't waste 365 * time taking a lock doing nothing. 366 * 367 * The list_del_init() function can be safely called more than once. 368 * It should not be possible for this function to be called with 369 * concurrent list_add(), but for better safety against future changes 370 * in the code, we use list_empty_careful() here. 371 */ 372 if (!list_empty_careful(&isec->list)) { 373 spin_lock(&sbsec->isec_lock); 374 list_del_init(&isec->list); 375 spin_unlock(&sbsec->isec_lock); 376 } 377 } 378 379 struct selinux_mnt_opts { 380 const char *fscontext, *context, *rootcontext, *defcontext; 381 }; 382 383 static void selinux_free_mnt_opts(void *mnt_opts) 384 { 385 struct selinux_mnt_opts *opts = mnt_opts; 386 kfree(opts->fscontext); 387 kfree(opts->context); 388 kfree(opts->rootcontext); 389 kfree(opts->defcontext); 390 kfree(opts); 391 } 392 393 enum { 394 Opt_error = -1, 395 Opt_context = 0, 396 Opt_defcontext = 1, 397 Opt_fscontext = 2, 398 Opt_rootcontext = 3, 399 Opt_seclabel = 4, 400 }; 401 402 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} 403 static struct { 404 const char *name; 405 int len; 406 int opt; 407 bool has_arg; 408 } tokens[] = { 409 A(context, true), 410 A(fscontext, true), 411 A(defcontext, true), 412 A(rootcontext, true), 413 A(seclabel, false), 414 }; 415 #undef A 416 417 static int match_opt_prefix(char *s, int l, char **arg) 418 { 419 int i; 420 421 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 422 size_t len = tokens[i].len; 423 if (len > l || memcmp(s, tokens[i].name, len)) 424 continue; 425 if (tokens[i].has_arg) { 426 if (len == l || s[len] != '=') 427 continue; 428 *arg = s + len + 1; 429 } else if (len != l) 430 continue; 431 return tokens[i].opt; 432 } 433 return Opt_error; 434 } 435 436 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 437 438 static int may_context_mount_sb_relabel(u32 sid, 439 struct superblock_security_struct *sbsec, 440 const struct cred *cred) 441 { 442 const struct task_security_struct *tsec = selinux_cred(cred); 443 int rc; 444 445 rc = avc_has_perm(&selinux_state, 446 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 447 FILESYSTEM__RELABELFROM, NULL); 448 if (rc) 449 return rc; 450 451 rc = avc_has_perm(&selinux_state, 452 tsec->sid, sid, SECCLASS_FILESYSTEM, 453 FILESYSTEM__RELABELTO, NULL); 454 return rc; 455 } 456 457 static int may_context_mount_inode_relabel(u32 sid, 458 struct superblock_security_struct *sbsec, 459 const struct cred *cred) 460 { 461 const struct task_security_struct *tsec = selinux_cred(cred); 462 int rc; 463 rc = avc_has_perm(&selinux_state, 464 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 465 FILESYSTEM__RELABELFROM, NULL); 466 if (rc) 467 return rc; 468 469 rc = avc_has_perm(&selinux_state, 470 sid, sbsec->sid, SECCLASS_FILESYSTEM, 471 FILESYSTEM__ASSOCIATE, NULL); 472 return rc; 473 } 474 475 static int selinux_is_genfs_special_handling(struct super_block *sb) 476 { 477 /* Special handling. Genfs but also in-core setxattr handler */ 478 return !strcmp(sb->s_type->name, "sysfs") || 479 !strcmp(sb->s_type->name, "pstore") || 480 !strcmp(sb->s_type->name, "debugfs") || 481 !strcmp(sb->s_type->name, "tracefs") || 482 !strcmp(sb->s_type->name, "rootfs") || 483 (selinux_policycap_cgroupseclabel() && 484 (!strcmp(sb->s_type->name, "cgroup") || 485 !strcmp(sb->s_type->name, "cgroup2"))); 486 } 487 488 static int selinux_is_sblabel_mnt(struct super_block *sb) 489 { 490 struct superblock_security_struct *sbsec = selinux_superblock(sb); 491 492 /* 493 * IMPORTANT: Double-check logic in this function when adding a new 494 * SECURITY_FS_USE_* definition! 495 */ 496 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); 497 498 switch (sbsec->behavior) { 499 case SECURITY_FS_USE_XATTR: 500 case SECURITY_FS_USE_TRANS: 501 case SECURITY_FS_USE_TASK: 502 case SECURITY_FS_USE_NATIVE: 503 return 1; 504 505 case SECURITY_FS_USE_GENFS: 506 return selinux_is_genfs_special_handling(sb); 507 508 /* Never allow relabeling on context mounts */ 509 case SECURITY_FS_USE_MNTPOINT: 510 case SECURITY_FS_USE_NONE: 511 default: 512 return 0; 513 } 514 } 515 516 static int sb_check_xattr_support(struct super_block *sb) 517 { 518 struct superblock_security_struct *sbsec = sb->s_security; 519 struct dentry *root = sb->s_root; 520 struct inode *root_inode = d_backing_inode(root); 521 u32 sid; 522 int rc; 523 524 /* 525 * Make sure that the xattr handler exists and that no 526 * error other than -ENODATA is returned by getxattr on 527 * the root directory. -ENODATA is ok, as this may be 528 * the first boot of the SELinux kernel before we have 529 * assigned xattr values to the filesystem. 530 */ 531 if (!(root_inode->i_opflags & IOP_XATTR)) { 532 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n", 533 sb->s_id, sb->s_type->name); 534 goto fallback; 535 } 536 537 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 538 if (rc < 0 && rc != -ENODATA) { 539 if (rc == -EOPNOTSUPP) { 540 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n", 541 sb->s_id, sb->s_type->name); 542 goto fallback; 543 } else { 544 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n", 545 sb->s_id, sb->s_type->name, -rc); 546 return rc; 547 } 548 } 549 return 0; 550 551 fallback: 552 /* No xattr support - try to fallback to genfs if possible. */ 553 rc = security_genfs_sid(&selinux_state, sb->s_type->name, "/", 554 SECCLASS_DIR, &sid); 555 if (rc) 556 return -EOPNOTSUPP; 557 558 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n", 559 sb->s_id, sb->s_type->name); 560 sbsec->behavior = SECURITY_FS_USE_GENFS; 561 sbsec->sid = sid; 562 return 0; 563 } 564 565 static int sb_finish_set_opts(struct super_block *sb) 566 { 567 struct superblock_security_struct *sbsec = selinux_superblock(sb); 568 struct dentry *root = sb->s_root; 569 struct inode *root_inode = d_backing_inode(root); 570 int rc = 0; 571 572 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 573 rc = sb_check_xattr_support(sb); 574 if (rc) 575 return rc; 576 } 577 578 sbsec->flags |= SE_SBINITIALIZED; 579 580 /* 581 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 582 * leave the flag untouched because sb_clone_mnt_opts might be handing 583 * us a superblock that needs the flag to be cleared. 584 */ 585 if (selinux_is_sblabel_mnt(sb)) 586 sbsec->flags |= SBLABEL_MNT; 587 else 588 sbsec->flags &= ~SBLABEL_MNT; 589 590 /* Initialize the root inode. */ 591 rc = inode_doinit_with_dentry(root_inode, root); 592 593 /* Initialize any other inodes associated with the superblock, e.g. 594 inodes created prior to initial policy load or inodes created 595 during get_sb by a pseudo filesystem that directly 596 populates itself. */ 597 spin_lock(&sbsec->isec_lock); 598 while (!list_empty(&sbsec->isec_head)) { 599 struct inode_security_struct *isec = 600 list_first_entry(&sbsec->isec_head, 601 struct inode_security_struct, list); 602 struct inode *inode = isec->inode; 603 list_del_init(&isec->list); 604 spin_unlock(&sbsec->isec_lock); 605 inode = igrab(inode); 606 if (inode) { 607 if (!IS_PRIVATE(inode)) 608 inode_doinit_with_dentry(inode, NULL); 609 iput(inode); 610 } 611 spin_lock(&sbsec->isec_lock); 612 } 613 spin_unlock(&sbsec->isec_lock); 614 return rc; 615 } 616 617 static int bad_option(struct superblock_security_struct *sbsec, char flag, 618 u32 old_sid, u32 new_sid) 619 { 620 char mnt_flags = sbsec->flags & SE_MNTMASK; 621 622 /* check if the old mount command had the same options */ 623 if (sbsec->flags & SE_SBINITIALIZED) 624 if (!(sbsec->flags & flag) || 625 (old_sid != new_sid)) 626 return 1; 627 628 /* check if we were passed the same options twice, 629 * aka someone passed context=a,context=b 630 */ 631 if (!(sbsec->flags & SE_SBINITIALIZED)) 632 if (mnt_flags & flag) 633 return 1; 634 return 0; 635 } 636 637 static int parse_sid(struct super_block *sb, const char *s, u32 *sid) 638 { 639 int rc = security_context_str_to_sid(&selinux_state, s, 640 sid, GFP_KERNEL); 641 if (rc) 642 pr_warn("SELinux: security_context_str_to_sid" 643 "(%s) failed for (dev %s, type %s) errno=%d\n", 644 s, sb->s_id, sb->s_type->name, rc); 645 return rc; 646 } 647 648 /* 649 * Allow filesystems with binary mount data to explicitly set mount point 650 * labeling information. 651 */ 652 static int selinux_set_mnt_opts(struct super_block *sb, 653 void *mnt_opts, 654 unsigned long kern_flags, 655 unsigned long *set_kern_flags) 656 { 657 const struct cred *cred = current_cred(); 658 struct superblock_security_struct *sbsec = selinux_superblock(sb); 659 struct dentry *root = sb->s_root; 660 struct selinux_mnt_opts *opts = mnt_opts; 661 struct inode_security_struct *root_isec; 662 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 663 u32 defcontext_sid = 0; 664 int rc = 0; 665 666 mutex_lock(&sbsec->lock); 667 668 if (!selinux_initialized(&selinux_state)) { 669 if (!opts) { 670 /* Defer initialization until selinux_complete_init, 671 after the initial policy is loaded and the security 672 server is ready to handle calls. */ 673 goto out; 674 } 675 rc = -EINVAL; 676 pr_warn("SELinux: Unable to set superblock options " 677 "before the security server is initialized\n"); 678 goto out; 679 } 680 if (kern_flags && !set_kern_flags) { 681 /* Specifying internal flags without providing a place to 682 * place the results is not allowed */ 683 rc = -EINVAL; 684 goto out; 685 } 686 687 /* 688 * Binary mount data FS will come through this function twice. Once 689 * from an explicit call and once from the generic calls from the vfs. 690 * Since the generic VFS calls will not contain any security mount data 691 * we need to skip the double mount verification. 692 * 693 * This does open a hole in which we will not notice if the first 694 * mount using this sb set explict options and a second mount using 695 * this sb does not set any security options. (The first options 696 * will be used for both mounts) 697 */ 698 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 699 && !opts) 700 goto out; 701 702 root_isec = backing_inode_security_novalidate(root); 703 704 /* 705 * parse the mount options, check if they are valid sids. 706 * also check if someone is trying to mount the same sb more 707 * than once with different security options. 708 */ 709 if (opts) { 710 if (opts->fscontext) { 711 rc = parse_sid(sb, opts->fscontext, &fscontext_sid); 712 if (rc) 713 goto out; 714 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 715 fscontext_sid)) 716 goto out_double_mount; 717 sbsec->flags |= FSCONTEXT_MNT; 718 } 719 if (opts->context) { 720 rc = parse_sid(sb, opts->context, &context_sid); 721 if (rc) 722 goto out; 723 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 724 context_sid)) 725 goto out_double_mount; 726 sbsec->flags |= CONTEXT_MNT; 727 } 728 if (opts->rootcontext) { 729 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid); 730 if (rc) 731 goto out; 732 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 733 rootcontext_sid)) 734 goto out_double_mount; 735 sbsec->flags |= ROOTCONTEXT_MNT; 736 } 737 if (opts->defcontext) { 738 rc = parse_sid(sb, opts->defcontext, &defcontext_sid); 739 if (rc) 740 goto out; 741 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 742 defcontext_sid)) 743 goto out_double_mount; 744 sbsec->flags |= DEFCONTEXT_MNT; 745 } 746 } 747 748 if (sbsec->flags & SE_SBINITIALIZED) { 749 /* previously mounted with options, but not on this attempt? */ 750 if ((sbsec->flags & SE_MNTMASK) && !opts) 751 goto out_double_mount; 752 rc = 0; 753 goto out; 754 } 755 756 if (strcmp(sb->s_type->name, "proc") == 0) 757 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 758 759 if (!strcmp(sb->s_type->name, "debugfs") || 760 !strcmp(sb->s_type->name, "tracefs") || 761 !strcmp(sb->s_type->name, "binder") || 762 !strcmp(sb->s_type->name, "bpf") || 763 !strcmp(sb->s_type->name, "pstore")) 764 sbsec->flags |= SE_SBGENFS; 765 766 if (!strcmp(sb->s_type->name, "sysfs") || 767 !strcmp(sb->s_type->name, "cgroup") || 768 !strcmp(sb->s_type->name, "cgroup2")) 769 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR; 770 771 if (!sbsec->behavior) { 772 /* 773 * Determine the labeling behavior to use for this 774 * filesystem type. 775 */ 776 rc = security_fs_use(&selinux_state, sb); 777 if (rc) { 778 pr_warn("%s: security_fs_use(%s) returned %d\n", 779 __func__, sb->s_type->name, rc); 780 goto out; 781 } 782 } 783 784 /* 785 * If this is a user namespace mount and the filesystem type is not 786 * explicitly whitelisted, then no contexts are allowed on the command 787 * line and security labels must be ignored. 788 */ 789 if (sb->s_user_ns != &init_user_ns && 790 strcmp(sb->s_type->name, "tmpfs") && 791 strcmp(sb->s_type->name, "ramfs") && 792 strcmp(sb->s_type->name, "devpts") && 793 strcmp(sb->s_type->name, "overlay")) { 794 if (context_sid || fscontext_sid || rootcontext_sid || 795 defcontext_sid) { 796 rc = -EACCES; 797 goto out; 798 } 799 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 800 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 801 rc = security_transition_sid(&selinux_state, 802 current_sid(), 803 current_sid(), 804 SECCLASS_FILE, NULL, 805 &sbsec->mntpoint_sid); 806 if (rc) 807 goto out; 808 } 809 goto out_set_opts; 810 } 811 812 /* sets the context of the superblock for the fs being mounted. */ 813 if (fscontext_sid) { 814 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 815 if (rc) 816 goto out; 817 818 sbsec->sid = fscontext_sid; 819 } 820 821 /* 822 * Switch to using mount point labeling behavior. 823 * sets the label used on all file below the mountpoint, and will set 824 * the superblock context if not already set. 825 */ 826 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 827 sbsec->behavior = SECURITY_FS_USE_NATIVE; 828 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 829 } 830 831 if (context_sid) { 832 if (!fscontext_sid) { 833 rc = may_context_mount_sb_relabel(context_sid, sbsec, 834 cred); 835 if (rc) 836 goto out; 837 sbsec->sid = context_sid; 838 } else { 839 rc = may_context_mount_inode_relabel(context_sid, sbsec, 840 cred); 841 if (rc) 842 goto out; 843 } 844 if (!rootcontext_sid) 845 rootcontext_sid = context_sid; 846 847 sbsec->mntpoint_sid = context_sid; 848 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 849 } 850 851 if (rootcontext_sid) { 852 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 853 cred); 854 if (rc) 855 goto out; 856 857 root_isec->sid = rootcontext_sid; 858 root_isec->initialized = LABEL_INITIALIZED; 859 } 860 861 if (defcontext_sid) { 862 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 863 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 864 rc = -EINVAL; 865 pr_warn("SELinux: defcontext option is " 866 "invalid for this filesystem type\n"); 867 goto out; 868 } 869 870 if (defcontext_sid != sbsec->def_sid) { 871 rc = may_context_mount_inode_relabel(defcontext_sid, 872 sbsec, cred); 873 if (rc) 874 goto out; 875 } 876 877 sbsec->def_sid = defcontext_sid; 878 } 879 880 out_set_opts: 881 rc = sb_finish_set_opts(sb); 882 out: 883 mutex_unlock(&sbsec->lock); 884 return rc; 885 out_double_mount: 886 rc = -EINVAL; 887 pr_warn("SELinux: mount invalid. Same superblock, different " 888 "security settings for (dev %s, type %s)\n", sb->s_id, 889 sb->s_type->name); 890 goto out; 891 } 892 893 static int selinux_cmp_sb_context(const struct super_block *oldsb, 894 const struct super_block *newsb) 895 { 896 struct superblock_security_struct *old = selinux_superblock(oldsb); 897 struct superblock_security_struct *new = selinux_superblock(newsb); 898 char oldflags = old->flags & SE_MNTMASK; 899 char newflags = new->flags & SE_MNTMASK; 900 901 if (oldflags != newflags) 902 goto mismatch; 903 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 904 goto mismatch; 905 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 906 goto mismatch; 907 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 908 goto mismatch; 909 if (oldflags & ROOTCONTEXT_MNT) { 910 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 911 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 912 if (oldroot->sid != newroot->sid) 913 goto mismatch; 914 } 915 return 0; 916 mismatch: 917 pr_warn("SELinux: mount invalid. Same superblock, " 918 "different security settings for (dev %s, " 919 "type %s)\n", newsb->s_id, newsb->s_type->name); 920 return -EBUSY; 921 } 922 923 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 924 struct super_block *newsb, 925 unsigned long kern_flags, 926 unsigned long *set_kern_flags) 927 { 928 int rc = 0; 929 const struct superblock_security_struct *oldsbsec = 930 selinux_superblock(oldsb); 931 struct superblock_security_struct *newsbsec = selinux_superblock(newsb); 932 933 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 934 int set_context = (oldsbsec->flags & CONTEXT_MNT); 935 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 936 937 /* 938 * if the parent was able to be mounted it clearly had no special lsm 939 * mount options. thus we can safely deal with this superblock later 940 */ 941 if (!selinux_initialized(&selinux_state)) 942 return 0; 943 944 /* 945 * Specifying internal flags without providing a place to 946 * place the results is not allowed. 947 */ 948 if (kern_flags && !set_kern_flags) 949 return -EINVAL; 950 951 /* how can we clone if the old one wasn't set up?? */ 952 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 953 954 /* if fs is reusing a sb, make sure that the contexts match */ 955 if (newsbsec->flags & SE_SBINITIALIZED) { 956 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) 957 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 958 return selinux_cmp_sb_context(oldsb, newsb); 959 } 960 961 mutex_lock(&newsbsec->lock); 962 963 newsbsec->flags = oldsbsec->flags; 964 965 newsbsec->sid = oldsbsec->sid; 966 newsbsec->def_sid = oldsbsec->def_sid; 967 newsbsec->behavior = oldsbsec->behavior; 968 969 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 970 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 971 rc = security_fs_use(&selinux_state, newsb); 972 if (rc) 973 goto out; 974 } 975 976 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 977 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 978 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 979 } 980 981 if (set_context) { 982 u32 sid = oldsbsec->mntpoint_sid; 983 984 if (!set_fscontext) 985 newsbsec->sid = sid; 986 if (!set_rootcontext) { 987 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 988 newisec->sid = sid; 989 } 990 newsbsec->mntpoint_sid = sid; 991 } 992 if (set_rootcontext) { 993 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 994 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 995 996 newisec->sid = oldisec->sid; 997 } 998 999 sb_finish_set_opts(newsb); 1000 out: 1001 mutex_unlock(&newsbsec->lock); 1002 return rc; 1003 } 1004 1005 static int selinux_add_opt(int token, const char *s, void **mnt_opts) 1006 { 1007 struct selinux_mnt_opts *opts = *mnt_opts; 1008 1009 if (token == Opt_seclabel) /* eaten and completely ignored */ 1010 return 0; 1011 1012 if (!opts) { 1013 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL); 1014 if (!opts) 1015 return -ENOMEM; 1016 *mnt_opts = opts; 1017 } 1018 if (!s) 1019 return -ENOMEM; 1020 switch (token) { 1021 case Opt_context: 1022 if (opts->context || opts->defcontext) 1023 goto Einval; 1024 opts->context = s; 1025 break; 1026 case Opt_fscontext: 1027 if (opts->fscontext) 1028 goto Einval; 1029 opts->fscontext = s; 1030 break; 1031 case Opt_rootcontext: 1032 if (opts->rootcontext) 1033 goto Einval; 1034 opts->rootcontext = s; 1035 break; 1036 case Opt_defcontext: 1037 if (opts->context || opts->defcontext) 1038 goto Einval; 1039 opts->defcontext = s; 1040 break; 1041 } 1042 return 0; 1043 Einval: 1044 pr_warn(SEL_MOUNT_FAIL_MSG); 1045 return -EINVAL; 1046 } 1047 1048 static int selinux_add_mnt_opt(const char *option, const char *val, int len, 1049 void **mnt_opts) 1050 { 1051 int token = Opt_error; 1052 int rc, i; 1053 1054 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 1055 if (strcmp(option, tokens[i].name) == 0) { 1056 token = tokens[i].opt; 1057 break; 1058 } 1059 } 1060 1061 if (token == Opt_error) 1062 return -EINVAL; 1063 1064 if (token != Opt_seclabel) { 1065 val = kmemdup_nul(val, len, GFP_KERNEL); 1066 if (!val) { 1067 rc = -ENOMEM; 1068 goto free_opt; 1069 } 1070 } 1071 rc = selinux_add_opt(token, val, mnt_opts); 1072 if (unlikely(rc)) { 1073 kfree(val); 1074 goto free_opt; 1075 } 1076 return rc; 1077 1078 free_opt: 1079 if (*mnt_opts) { 1080 selinux_free_mnt_opts(*mnt_opts); 1081 *mnt_opts = NULL; 1082 } 1083 return rc; 1084 } 1085 1086 static int show_sid(struct seq_file *m, u32 sid) 1087 { 1088 char *context = NULL; 1089 u32 len; 1090 int rc; 1091 1092 rc = security_sid_to_context(&selinux_state, sid, 1093 &context, &len); 1094 if (!rc) { 1095 bool has_comma = context && strchr(context, ','); 1096 1097 seq_putc(m, '='); 1098 if (has_comma) 1099 seq_putc(m, '\"'); 1100 seq_escape(m, context, "\"\n\\"); 1101 if (has_comma) 1102 seq_putc(m, '\"'); 1103 } 1104 kfree(context); 1105 return rc; 1106 } 1107 1108 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1109 { 1110 struct superblock_security_struct *sbsec = selinux_superblock(sb); 1111 int rc; 1112 1113 if (!(sbsec->flags & SE_SBINITIALIZED)) 1114 return 0; 1115 1116 if (!selinux_initialized(&selinux_state)) 1117 return 0; 1118 1119 if (sbsec->flags & FSCONTEXT_MNT) { 1120 seq_putc(m, ','); 1121 seq_puts(m, FSCONTEXT_STR); 1122 rc = show_sid(m, sbsec->sid); 1123 if (rc) 1124 return rc; 1125 } 1126 if (sbsec->flags & CONTEXT_MNT) { 1127 seq_putc(m, ','); 1128 seq_puts(m, CONTEXT_STR); 1129 rc = show_sid(m, sbsec->mntpoint_sid); 1130 if (rc) 1131 return rc; 1132 } 1133 if (sbsec->flags & DEFCONTEXT_MNT) { 1134 seq_putc(m, ','); 1135 seq_puts(m, DEFCONTEXT_STR); 1136 rc = show_sid(m, sbsec->def_sid); 1137 if (rc) 1138 return rc; 1139 } 1140 if (sbsec->flags & ROOTCONTEXT_MNT) { 1141 struct dentry *root = sb->s_root; 1142 struct inode_security_struct *isec = backing_inode_security(root); 1143 seq_putc(m, ','); 1144 seq_puts(m, ROOTCONTEXT_STR); 1145 rc = show_sid(m, isec->sid); 1146 if (rc) 1147 return rc; 1148 } 1149 if (sbsec->flags & SBLABEL_MNT) { 1150 seq_putc(m, ','); 1151 seq_puts(m, SECLABEL_STR); 1152 } 1153 return 0; 1154 } 1155 1156 static inline u16 inode_mode_to_security_class(umode_t mode) 1157 { 1158 switch (mode & S_IFMT) { 1159 case S_IFSOCK: 1160 return SECCLASS_SOCK_FILE; 1161 case S_IFLNK: 1162 return SECCLASS_LNK_FILE; 1163 case S_IFREG: 1164 return SECCLASS_FILE; 1165 case S_IFBLK: 1166 return SECCLASS_BLK_FILE; 1167 case S_IFDIR: 1168 return SECCLASS_DIR; 1169 case S_IFCHR: 1170 return SECCLASS_CHR_FILE; 1171 case S_IFIFO: 1172 return SECCLASS_FIFO_FILE; 1173 1174 } 1175 1176 return SECCLASS_FILE; 1177 } 1178 1179 static inline int default_protocol_stream(int protocol) 1180 { 1181 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP || 1182 protocol == IPPROTO_MPTCP); 1183 } 1184 1185 static inline int default_protocol_dgram(int protocol) 1186 { 1187 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1188 } 1189 1190 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1191 { 1192 int extsockclass = selinux_policycap_extsockclass(); 1193 1194 switch (family) { 1195 case PF_UNIX: 1196 switch (type) { 1197 case SOCK_STREAM: 1198 case SOCK_SEQPACKET: 1199 return SECCLASS_UNIX_STREAM_SOCKET; 1200 case SOCK_DGRAM: 1201 case SOCK_RAW: 1202 return SECCLASS_UNIX_DGRAM_SOCKET; 1203 } 1204 break; 1205 case PF_INET: 1206 case PF_INET6: 1207 switch (type) { 1208 case SOCK_STREAM: 1209 case SOCK_SEQPACKET: 1210 if (default_protocol_stream(protocol)) 1211 return SECCLASS_TCP_SOCKET; 1212 else if (extsockclass && protocol == IPPROTO_SCTP) 1213 return SECCLASS_SCTP_SOCKET; 1214 else 1215 return SECCLASS_RAWIP_SOCKET; 1216 case SOCK_DGRAM: 1217 if (default_protocol_dgram(protocol)) 1218 return SECCLASS_UDP_SOCKET; 1219 else if (extsockclass && (protocol == IPPROTO_ICMP || 1220 protocol == IPPROTO_ICMPV6)) 1221 return SECCLASS_ICMP_SOCKET; 1222 else 1223 return SECCLASS_RAWIP_SOCKET; 1224 case SOCK_DCCP: 1225 return SECCLASS_DCCP_SOCKET; 1226 default: 1227 return SECCLASS_RAWIP_SOCKET; 1228 } 1229 break; 1230 case PF_NETLINK: 1231 switch (protocol) { 1232 case NETLINK_ROUTE: 1233 return SECCLASS_NETLINK_ROUTE_SOCKET; 1234 case NETLINK_SOCK_DIAG: 1235 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1236 case NETLINK_NFLOG: 1237 return SECCLASS_NETLINK_NFLOG_SOCKET; 1238 case NETLINK_XFRM: 1239 return SECCLASS_NETLINK_XFRM_SOCKET; 1240 case NETLINK_SELINUX: 1241 return SECCLASS_NETLINK_SELINUX_SOCKET; 1242 case NETLINK_ISCSI: 1243 return SECCLASS_NETLINK_ISCSI_SOCKET; 1244 case NETLINK_AUDIT: 1245 return SECCLASS_NETLINK_AUDIT_SOCKET; 1246 case NETLINK_FIB_LOOKUP: 1247 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1248 case NETLINK_CONNECTOR: 1249 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1250 case NETLINK_NETFILTER: 1251 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1252 case NETLINK_DNRTMSG: 1253 return SECCLASS_NETLINK_DNRT_SOCKET; 1254 case NETLINK_KOBJECT_UEVENT: 1255 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1256 case NETLINK_GENERIC: 1257 return SECCLASS_NETLINK_GENERIC_SOCKET; 1258 case NETLINK_SCSITRANSPORT: 1259 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1260 case NETLINK_RDMA: 1261 return SECCLASS_NETLINK_RDMA_SOCKET; 1262 case NETLINK_CRYPTO: 1263 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1264 default: 1265 return SECCLASS_NETLINK_SOCKET; 1266 } 1267 case PF_PACKET: 1268 return SECCLASS_PACKET_SOCKET; 1269 case PF_KEY: 1270 return SECCLASS_KEY_SOCKET; 1271 case PF_APPLETALK: 1272 return SECCLASS_APPLETALK_SOCKET; 1273 } 1274 1275 if (extsockclass) { 1276 switch (family) { 1277 case PF_AX25: 1278 return SECCLASS_AX25_SOCKET; 1279 case PF_IPX: 1280 return SECCLASS_IPX_SOCKET; 1281 case PF_NETROM: 1282 return SECCLASS_NETROM_SOCKET; 1283 case PF_ATMPVC: 1284 return SECCLASS_ATMPVC_SOCKET; 1285 case PF_X25: 1286 return SECCLASS_X25_SOCKET; 1287 case PF_ROSE: 1288 return SECCLASS_ROSE_SOCKET; 1289 case PF_DECnet: 1290 return SECCLASS_DECNET_SOCKET; 1291 case PF_ATMSVC: 1292 return SECCLASS_ATMSVC_SOCKET; 1293 case PF_RDS: 1294 return SECCLASS_RDS_SOCKET; 1295 case PF_IRDA: 1296 return SECCLASS_IRDA_SOCKET; 1297 case PF_PPPOX: 1298 return SECCLASS_PPPOX_SOCKET; 1299 case PF_LLC: 1300 return SECCLASS_LLC_SOCKET; 1301 case PF_CAN: 1302 return SECCLASS_CAN_SOCKET; 1303 case PF_TIPC: 1304 return SECCLASS_TIPC_SOCKET; 1305 case PF_BLUETOOTH: 1306 return SECCLASS_BLUETOOTH_SOCKET; 1307 case PF_IUCV: 1308 return SECCLASS_IUCV_SOCKET; 1309 case PF_RXRPC: 1310 return SECCLASS_RXRPC_SOCKET; 1311 case PF_ISDN: 1312 return SECCLASS_ISDN_SOCKET; 1313 case PF_PHONET: 1314 return SECCLASS_PHONET_SOCKET; 1315 case PF_IEEE802154: 1316 return SECCLASS_IEEE802154_SOCKET; 1317 case PF_CAIF: 1318 return SECCLASS_CAIF_SOCKET; 1319 case PF_ALG: 1320 return SECCLASS_ALG_SOCKET; 1321 case PF_NFC: 1322 return SECCLASS_NFC_SOCKET; 1323 case PF_VSOCK: 1324 return SECCLASS_VSOCK_SOCKET; 1325 case PF_KCM: 1326 return SECCLASS_KCM_SOCKET; 1327 case PF_QIPCRTR: 1328 return SECCLASS_QIPCRTR_SOCKET; 1329 case PF_SMC: 1330 return SECCLASS_SMC_SOCKET; 1331 case PF_XDP: 1332 return SECCLASS_XDP_SOCKET; 1333 case PF_MCTP: 1334 return SECCLASS_MCTP_SOCKET; 1335 #if PF_MAX > 46 1336 #error New address family defined, please update this function. 1337 #endif 1338 } 1339 } 1340 1341 return SECCLASS_SOCKET; 1342 } 1343 1344 static int selinux_genfs_get_sid(struct dentry *dentry, 1345 u16 tclass, 1346 u16 flags, 1347 u32 *sid) 1348 { 1349 int rc; 1350 struct super_block *sb = dentry->d_sb; 1351 char *buffer, *path; 1352 1353 buffer = (char *)__get_free_page(GFP_KERNEL); 1354 if (!buffer) 1355 return -ENOMEM; 1356 1357 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1358 if (IS_ERR(path)) 1359 rc = PTR_ERR(path); 1360 else { 1361 if (flags & SE_SBPROC) { 1362 /* each process gets a /proc/PID/ entry. Strip off the 1363 * PID part to get a valid selinux labeling. 1364 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1365 while (path[1] >= '0' && path[1] <= '9') { 1366 path[1] = '/'; 1367 path++; 1368 } 1369 } 1370 rc = security_genfs_sid(&selinux_state, sb->s_type->name, 1371 path, tclass, sid); 1372 if (rc == -ENOENT) { 1373 /* No match in policy, mark as unlabeled. */ 1374 *sid = SECINITSID_UNLABELED; 1375 rc = 0; 1376 } 1377 } 1378 free_page((unsigned long)buffer); 1379 return rc; 1380 } 1381 1382 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry, 1383 u32 def_sid, u32 *sid) 1384 { 1385 #define INITCONTEXTLEN 255 1386 char *context; 1387 unsigned int len; 1388 int rc; 1389 1390 len = INITCONTEXTLEN; 1391 context = kmalloc(len + 1, GFP_NOFS); 1392 if (!context) 1393 return -ENOMEM; 1394 1395 context[len] = '\0'; 1396 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1397 if (rc == -ERANGE) { 1398 kfree(context); 1399 1400 /* Need a larger buffer. Query for the right size. */ 1401 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1402 if (rc < 0) 1403 return rc; 1404 1405 len = rc; 1406 context = kmalloc(len + 1, GFP_NOFS); 1407 if (!context) 1408 return -ENOMEM; 1409 1410 context[len] = '\0'; 1411 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, 1412 context, len); 1413 } 1414 if (rc < 0) { 1415 kfree(context); 1416 if (rc != -ENODATA) { 1417 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n", 1418 __func__, -rc, inode->i_sb->s_id, inode->i_ino); 1419 return rc; 1420 } 1421 *sid = def_sid; 1422 return 0; 1423 } 1424 1425 rc = security_context_to_sid_default(&selinux_state, context, rc, sid, 1426 def_sid, GFP_NOFS); 1427 if (rc) { 1428 char *dev = inode->i_sb->s_id; 1429 unsigned long ino = inode->i_ino; 1430 1431 if (rc == -EINVAL) { 1432 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n", 1433 ino, dev, context); 1434 } else { 1435 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n", 1436 __func__, context, -rc, dev, ino); 1437 } 1438 } 1439 kfree(context); 1440 return 0; 1441 } 1442 1443 /* The inode's security attributes must be initialized before first use. */ 1444 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1445 { 1446 struct superblock_security_struct *sbsec = NULL; 1447 struct inode_security_struct *isec = selinux_inode(inode); 1448 u32 task_sid, sid = 0; 1449 u16 sclass; 1450 struct dentry *dentry; 1451 int rc = 0; 1452 1453 if (isec->initialized == LABEL_INITIALIZED) 1454 return 0; 1455 1456 spin_lock(&isec->lock); 1457 if (isec->initialized == LABEL_INITIALIZED) 1458 goto out_unlock; 1459 1460 if (isec->sclass == SECCLASS_FILE) 1461 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1462 1463 sbsec = selinux_superblock(inode->i_sb); 1464 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1465 /* Defer initialization until selinux_complete_init, 1466 after the initial policy is loaded and the security 1467 server is ready to handle calls. */ 1468 spin_lock(&sbsec->isec_lock); 1469 if (list_empty(&isec->list)) 1470 list_add(&isec->list, &sbsec->isec_head); 1471 spin_unlock(&sbsec->isec_lock); 1472 goto out_unlock; 1473 } 1474 1475 sclass = isec->sclass; 1476 task_sid = isec->task_sid; 1477 sid = isec->sid; 1478 isec->initialized = LABEL_PENDING; 1479 spin_unlock(&isec->lock); 1480 1481 switch (sbsec->behavior) { 1482 case SECURITY_FS_USE_NATIVE: 1483 break; 1484 case SECURITY_FS_USE_XATTR: 1485 if (!(inode->i_opflags & IOP_XATTR)) { 1486 sid = sbsec->def_sid; 1487 break; 1488 } 1489 /* Need a dentry, since the xattr API requires one. 1490 Life would be simpler if we could just pass the inode. */ 1491 if (opt_dentry) { 1492 /* Called from d_instantiate or d_splice_alias. */ 1493 dentry = dget(opt_dentry); 1494 } else { 1495 /* 1496 * Called from selinux_complete_init, try to find a dentry. 1497 * Some filesystems really want a connected one, so try 1498 * that first. We could split SECURITY_FS_USE_XATTR in 1499 * two, depending upon that... 1500 */ 1501 dentry = d_find_alias(inode); 1502 if (!dentry) 1503 dentry = d_find_any_alias(inode); 1504 } 1505 if (!dentry) { 1506 /* 1507 * this is can be hit on boot when a file is accessed 1508 * before the policy is loaded. When we load policy we 1509 * may find inodes that have no dentry on the 1510 * sbsec->isec_head list. No reason to complain as these 1511 * will get fixed up the next time we go through 1512 * inode_doinit with a dentry, before these inodes could 1513 * be used again by userspace. 1514 */ 1515 goto out_invalid; 1516 } 1517 1518 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid, 1519 &sid); 1520 dput(dentry); 1521 if (rc) 1522 goto out; 1523 break; 1524 case SECURITY_FS_USE_TASK: 1525 sid = task_sid; 1526 break; 1527 case SECURITY_FS_USE_TRANS: 1528 /* Default to the fs SID. */ 1529 sid = sbsec->sid; 1530 1531 /* Try to obtain a transition SID. */ 1532 rc = security_transition_sid(&selinux_state, task_sid, sid, 1533 sclass, NULL, &sid); 1534 if (rc) 1535 goto out; 1536 break; 1537 case SECURITY_FS_USE_MNTPOINT: 1538 sid = sbsec->mntpoint_sid; 1539 break; 1540 default: 1541 /* Default to the fs superblock SID. */ 1542 sid = sbsec->sid; 1543 1544 if ((sbsec->flags & SE_SBGENFS) && 1545 (!S_ISLNK(inode->i_mode) || 1546 selinux_policycap_genfs_seclabel_symlinks())) { 1547 /* We must have a dentry to determine the label on 1548 * procfs inodes */ 1549 if (opt_dentry) { 1550 /* Called from d_instantiate or 1551 * d_splice_alias. */ 1552 dentry = dget(opt_dentry); 1553 } else { 1554 /* Called from selinux_complete_init, try to 1555 * find a dentry. Some filesystems really want 1556 * a connected one, so try that first. 1557 */ 1558 dentry = d_find_alias(inode); 1559 if (!dentry) 1560 dentry = d_find_any_alias(inode); 1561 } 1562 /* 1563 * This can be hit on boot when a file is accessed 1564 * before the policy is loaded. When we load policy we 1565 * may find inodes that have no dentry on the 1566 * sbsec->isec_head list. No reason to complain as 1567 * these will get fixed up the next time we go through 1568 * inode_doinit() with a dentry, before these inodes 1569 * could be used again by userspace. 1570 */ 1571 if (!dentry) 1572 goto out_invalid; 1573 rc = selinux_genfs_get_sid(dentry, sclass, 1574 sbsec->flags, &sid); 1575 if (rc) { 1576 dput(dentry); 1577 goto out; 1578 } 1579 1580 if ((sbsec->flags & SE_SBGENFS_XATTR) && 1581 (inode->i_opflags & IOP_XATTR)) { 1582 rc = inode_doinit_use_xattr(inode, dentry, 1583 sid, &sid); 1584 if (rc) { 1585 dput(dentry); 1586 goto out; 1587 } 1588 } 1589 dput(dentry); 1590 } 1591 break; 1592 } 1593 1594 out: 1595 spin_lock(&isec->lock); 1596 if (isec->initialized == LABEL_PENDING) { 1597 if (rc) { 1598 isec->initialized = LABEL_INVALID; 1599 goto out_unlock; 1600 } 1601 isec->initialized = LABEL_INITIALIZED; 1602 isec->sid = sid; 1603 } 1604 1605 out_unlock: 1606 spin_unlock(&isec->lock); 1607 return rc; 1608 1609 out_invalid: 1610 spin_lock(&isec->lock); 1611 if (isec->initialized == LABEL_PENDING) { 1612 isec->initialized = LABEL_INVALID; 1613 isec->sid = sid; 1614 } 1615 spin_unlock(&isec->lock); 1616 return 0; 1617 } 1618 1619 /* Convert a Linux signal to an access vector. */ 1620 static inline u32 signal_to_av(int sig) 1621 { 1622 u32 perm = 0; 1623 1624 switch (sig) { 1625 case SIGCHLD: 1626 /* Commonly granted from child to parent. */ 1627 perm = PROCESS__SIGCHLD; 1628 break; 1629 case SIGKILL: 1630 /* Cannot be caught or ignored */ 1631 perm = PROCESS__SIGKILL; 1632 break; 1633 case SIGSTOP: 1634 /* Cannot be caught or ignored */ 1635 perm = PROCESS__SIGSTOP; 1636 break; 1637 default: 1638 /* All other signals. */ 1639 perm = PROCESS__SIGNAL; 1640 break; 1641 } 1642 1643 return perm; 1644 } 1645 1646 #if CAP_LAST_CAP > 63 1647 #error Fix SELinux to handle capabilities > 63. 1648 #endif 1649 1650 /* Check whether a task is allowed to use a capability. */ 1651 static int cred_has_capability(const struct cred *cred, 1652 int cap, unsigned int opts, bool initns) 1653 { 1654 struct common_audit_data ad; 1655 struct av_decision avd; 1656 u16 sclass; 1657 u32 sid = cred_sid(cred); 1658 u32 av = CAP_TO_MASK(cap); 1659 int rc; 1660 1661 ad.type = LSM_AUDIT_DATA_CAP; 1662 ad.u.cap = cap; 1663 1664 switch (CAP_TO_INDEX(cap)) { 1665 case 0: 1666 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1667 break; 1668 case 1: 1669 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1670 break; 1671 default: 1672 pr_err("SELinux: out of range capability %d\n", cap); 1673 BUG(); 1674 return -EINVAL; 1675 } 1676 1677 rc = avc_has_perm_noaudit(&selinux_state, 1678 sid, sid, sclass, av, 0, &avd); 1679 if (!(opts & CAP_OPT_NOAUDIT)) { 1680 int rc2 = avc_audit(&selinux_state, 1681 sid, sid, sclass, av, &avd, rc, &ad); 1682 if (rc2) 1683 return rc2; 1684 } 1685 return rc; 1686 } 1687 1688 /* Check whether a task has a particular permission to an inode. 1689 The 'adp' parameter is optional and allows other audit 1690 data to be passed (e.g. the dentry). */ 1691 static int inode_has_perm(const struct cred *cred, 1692 struct inode *inode, 1693 u32 perms, 1694 struct common_audit_data *adp) 1695 { 1696 struct inode_security_struct *isec; 1697 u32 sid; 1698 1699 validate_creds(cred); 1700 1701 if (unlikely(IS_PRIVATE(inode))) 1702 return 0; 1703 1704 sid = cred_sid(cred); 1705 isec = selinux_inode(inode); 1706 1707 return avc_has_perm(&selinux_state, 1708 sid, isec->sid, isec->sclass, perms, adp); 1709 } 1710 1711 /* Same as inode_has_perm, but pass explicit audit data containing 1712 the dentry to help the auditing code to more easily generate the 1713 pathname if needed. */ 1714 static inline int dentry_has_perm(const struct cred *cred, 1715 struct dentry *dentry, 1716 u32 av) 1717 { 1718 struct inode *inode = d_backing_inode(dentry); 1719 struct common_audit_data ad; 1720 1721 ad.type = LSM_AUDIT_DATA_DENTRY; 1722 ad.u.dentry = dentry; 1723 __inode_security_revalidate(inode, dentry, true); 1724 return inode_has_perm(cred, inode, av, &ad); 1725 } 1726 1727 /* Same as inode_has_perm, but pass explicit audit data containing 1728 the path to help the auditing code to more easily generate the 1729 pathname if needed. */ 1730 static inline int path_has_perm(const struct cred *cred, 1731 const struct path *path, 1732 u32 av) 1733 { 1734 struct inode *inode = d_backing_inode(path->dentry); 1735 struct common_audit_data ad; 1736 1737 ad.type = LSM_AUDIT_DATA_PATH; 1738 ad.u.path = *path; 1739 __inode_security_revalidate(inode, path->dentry, true); 1740 return inode_has_perm(cred, inode, av, &ad); 1741 } 1742 1743 /* Same as path_has_perm, but uses the inode from the file struct. */ 1744 static inline int file_path_has_perm(const struct cred *cred, 1745 struct file *file, 1746 u32 av) 1747 { 1748 struct common_audit_data ad; 1749 1750 ad.type = LSM_AUDIT_DATA_FILE; 1751 ad.u.file = file; 1752 return inode_has_perm(cred, file_inode(file), av, &ad); 1753 } 1754 1755 #ifdef CONFIG_BPF_SYSCALL 1756 static int bpf_fd_pass(struct file *file, u32 sid); 1757 #endif 1758 1759 /* Check whether a task can use an open file descriptor to 1760 access an inode in a given way. Check access to the 1761 descriptor itself, and then use dentry_has_perm to 1762 check a particular permission to the file. 1763 Access to the descriptor is implicitly granted if it 1764 has the same SID as the process. If av is zero, then 1765 access to the file is not checked, e.g. for cases 1766 where only the descriptor is affected like seek. */ 1767 static int file_has_perm(const struct cred *cred, 1768 struct file *file, 1769 u32 av) 1770 { 1771 struct file_security_struct *fsec = selinux_file(file); 1772 struct inode *inode = file_inode(file); 1773 struct common_audit_data ad; 1774 u32 sid = cred_sid(cred); 1775 int rc; 1776 1777 ad.type = LSM_AUDIT_DATA_FILE; 1778 ad.u.file = file; 1779 1780 if (sid != fsec->sid) { 1781 rc = avc_has_perm(&selinux_state, 1782 sid, fsec->sid, 1783 SECCLASS_FD, 1784 FD__USE, 1785 &ad); 1786 if (rc) 1787 goto out; 1788 } 1789 1790 #ifdef CONFIG_BPF_SYSCALL 1791 rc = bpf_fd_pass(file, cred_sid(cred)); 1792 if (rc) 1793 return rc; 1794 #endif 1795 1796 /* av is zero if only checking access to the descriptor. */ 1797 rc = 0; 1798 if (av) 1799 rc = inode_has_perm(cred, inode, av, &ad); 1800 1801 out: 1802 return rc; 1803 } 1804 1805 /* 1806 * Determine the label for an inode that might be unioned. 1807 */ 1808 static int 1809 selinux_determine_inode_label(const struct task_security_struct *tsec, 1810 struct inode *dir, 1811 const struct qstr *name, u16 tclass, 1812 u32 *_new_isid) 1813 { 1814 const struct superblock_security_struct *sbsec = 1815 selinux_superblock(dir->i_sb); 1816 1817 if ((sbsec->flags & SE_SBINITIALIZED) && 1818 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1819 *_new_isid = sbsec->mntpoint_sid; 1820 } else if ((sbsec->flags & SBLABEL_MNT) && 1821 tsec->create_sid) { 1822 *_new_isid = tsec->create_sid; 1823 } else { 1824 const struct inode_security_struct *dsec = inode_security(dir); 1825 return security_transition_sid(&selinux_state, tsec->sid, 1826 dsec->sid, tclass, 1827 name, _new_isid); 1828 } 1829 1830 return 0; 1831 } 1832 1833 /* Check whether a task can create a file. */ 1834 static int may_create(struct inode *dir, 1835 struct dentry *dentry, 1836 u16 tclass) 1837 { 1838 const struct task_security_struct *tsec = selinux_cred(current_cred()); 1839 struct inode_security_struct *dsec; 1840 struct superblock_security_struct *sbsec; 1841 u32 sid, newsid; 1842 struct common_audit_data ad; 1843 int rc; 1844 1845 dsec = inode_security(dir); 1846 sbsec = selinux_superblock(dir->i_sb); 1847 1848 sid = tsec->sid; 1849 1850 ad.type = LSM_AUDIT_DATA_DENTRY; 1851 ad.u.dentry = dentry; 1852 1853 rc = avc_has_perm(&selinux_state, 1854 sid, dsec->sid, SECCLASS_DIR, 1855 DIR__ADD_NAME | DIR__SEARCH, 1856 &ad); 1857 if (rc) 1858 return rc; 1859 1860 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass, 1861 &newsid); 1862 if (rc) 1863 return rc; 1864 1865 rc = avc_has_perm(&selinux_state, 1866 sid, newsid, tclass, FILE__CREATE, &ad); 1867 if (rc) 1868 return rc; 1869 1870 return avc_has_perm(&selinux_state, 1871 newsid, sbsec->sid, 1872 SECCLASS_FILESYSTEM, 1873 FILESYSTEM__ASSOCIATE, &ad); 1874 } 1875 1876 #define MAY_LINK 0 1877 #define MAY_UNLINK 1 1878 #define MAY_RMDIR 2 1879 1880 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1881 static int may_link(struct inode *dir, 1882 struct dentry *dentry, 1883 int kind) 1884 1885 { 1886 struct inode_security_struct *dsec, *isec; 1887 struct common_audit_data ad; 1888 u32 sid = current_sid(); 1889 u32 av; 1890 int rc; 1891 1892 dsec = inode_security(dir); 1893 isec = backing_inode_security(dentry); 1894 1895 ad.type = LSM_AUDIT_DATA_DENTRY; 1896 ad.u.dentry = dentry; 1897 1898 av = DIR__SEARCH; 1899 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1900 rc = avc_has_perm(&selinux_state, 1901 sid, dsec->sid, SECCLASS_DIR, av, &ad); 1902 if (rc) 1903 return rc; 1904 1905 switch (kind) { 1906 case MAY_LINK: 1907 av = FILE__LINK; 1908 break; 1909 case MAY_UNLINK: 1910 av = FILE__UNLINK; 1911 break; 1912 case MAY_RMDIR: 1913 av = DIR__RMDIR; 1914 break; 1915 default: 1916 pr_warn("SELinux: %s: unrecognized kind %d\n", 1917 __func__, kind); 1918 return 0; 1919 } 1920 1921 rc = avc_has_perm(&selinux_state, 1922 sid, isec->sid, isec->sclass, av, &ad); 1923 return rc; 1924 } 1925 1926 static inline int may_rename(struct inode *old_dir, 1927 struct dentry *old_dentry, 1928 struct inode *new_dir, 1929 struct dentry *new_dentry) 1930 { 1931 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1932 struct common_audit_data ad; 1933 u32 sid = current_sid(); 1934 u32 av; 1935 int old_is_dir, new_is_dir; 1936 int rc; 1937 1938 old_dsec = inode_security(old_dir); 1939 old_isec = backing_inode_security(old_dentry); 1940 old_is_dir = d_is_dir(old_dentry); 1941 new_dsec = inode_security(new_dir); 1942 1943 ad.type = LSM_AUDIT_DATA_DENTRY; 1944 1945 ad.u.dentry = old_dentry; 1946 rc = avc_has_perm(&selinux_state, 1947 sid, old_dsec->sid, SECCLASS_DIR, 1948 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1949 if (rc) 1950 return rc; 1951 rc = avc_has_perm(&selinux_state, 1952 sid, old_isec->sid, 1953 old_isec->sclass, FILE__RENAME, &ad); 1954 if (rc) 1955 return rc; 1956 if (old_is_dir && new_dir != old_dir) { 1957 rc = avc_has_perm(&selinux_state, 1958 sid, old_isec->sid, 1959 old_isec->sclass, DIR__REPARENT, &ad); 1960 if (rc) 1961 return rc; 1962 } 1963 1964 ad.u.dentry = new_dentry; 1965 av = DIR__ADD_NAME | DIR__SEARCH; 1966 if (d_is_positive(new_dentry)) 1967 av |= DIR__REMOVE_NAME; 1968 rc = avc_has_perm(&selinux_state, 1969 sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1970 if (rc) 1971 return rc; 1972 if (d_is_positive(new_dentry)) { 1973 new_isec = backing_inode_security(new_dentry); 1974 new_is_dir = d_is_dir(new_dentry); 1975 rc = avc_has_perm(&selinux_state, 1976 sid, new_isec->sid, 1977 new_isec->sclass, 1978 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1979 if (rc) 1980 return rc; 1981 } 1982 1983 return 0; 1984 } 1985 1986 /* Check whether a task can perform a filesystem operation. */ 1987 static int superblock_has_perm(const struct cred *cred, 1988 struct super_block *sb, 1989 u32 perms, 1990 struct common_audit_data *ad) 1991 { 1992 struct superblock_security_struct *sbsec; 1993 u32 sid = cred_sid(cred); 1994 1995 sbsec = selinux_superblock(sb); 1996 return avc_has_perm(&selinux_state, 1997 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1998 } 1999 2000 /* Convert a Linux mode and permission mask to an access vector. */ 2001 static inline u32 file_mask_to_av(int mode, int mask) 2002 { 2003 u32 av = 0; 2004 2005 if (!S_ISDIR(mode)) { 2006 if (mask & MAY_EXEC) 2007 av |= FILE__EXECUTE; 2008 if (mask & MAY_READ) 2009 av |= FILE__READ; 2010 2011 if (mask & MAY_APPEND) 2012 av |= FILE__APPEND; 2013 else if (mask & MAY_WRITE) 2014 av |= FILE__WRITE; 2015 2016 } else { 2017 if (mask & MAY_EXEC) 2018 av |= DIR__SEARCH; 2019 if (mask & MAY_WRITE) 2020 av |= DIR__WRITE; 2021 if (mask & MAY_READ) 2022 av |= DIR__READ; 2023 } 2024 2025 return av; 2026 } 2027 2028 /* Convert a Linux file to an access vector. */ 2029 static inline u32 file_to_av(struct file *file) 2030 { 2031 u32 av = 0; 2032 2033 if (file->f_mode & FMODE_READ) 2034 av |= FILE__READ; 2035 if (file->f_mode & FMODE_WRITE) { 2036 if (file->f_flags & O_APPEND) 2037 av |= FILE__APPEND; 2038 else 2039 av |= FILE__WRITE; 2040 } 2041 if (!av) { 2042 /* 2043 * Special file opened with flags 3 for ioctl-only use. 2044 */ 2045 av = FILE__IOCTL; 2046 } 2047 2048 return av; 2049 } 2050 2051 /* 2052 * Convert a file to an access vector and include the correct 2053 * open permission. 2054 */ 2055 static inline u32 open_file_to_av(struct file *file) 2056 { 2057 u32 av = file_to_av(file); 2058 struct inode *inode = file_inode(file); 2059 2060 if (selinux_policycap_openperm() && 2061 inode->i_sb->s_magic != SOCKFS_MAGIC) 2062 av |= FILE__OPEN; 2063 2064 return av; 2065 } 2066 2067 /* Hook functions begin here. */ 2068 2069 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2070 { 2071 return avc_has_perm(&selinux_state, 2072 current_sid(), task_sid_binder(mgr), SECCLASS_BINDER, 2073 BINDER__SET_CONTEXT_MGR, NULL); 2074 } 2075 2076 static int selinux_binder_transaction(struct task_struct *from, 2077 struct task_struct *to) 2078 { 2079 u32 mysid = current_sid(); 2080 u32 fromsid = task_sid_binder(from); 2081 int rc; 2082 2083 if (mysid != fromsid) { 2084 rc = avc_has_perm(&selinux_state, 2085 mysid, fromsid, SECCLASS_BINDER, 2086 BINDER__IMPERSONATE, NULL); 2087 if (rc) 2088 return rc; 2089 } 2090 2091 return avc_has_perm(&selinux_state, fromsid, task_sid_binder(to), 2092 SECCLASS_BINDER, BINDER__CALL, NULL); 2093 } 2094 2095 static int selinux_binder_transfer_binder(struct task_struct *from, 2096 struct task_struct *to) 2097 { 2098 return avc_has_perm(&selinux_state, 2099 task_sid_binder(from), task_sid_binder(to), 2100 SECCLASS_BINDER, BINDER__TRANSFER, 2101 NULL); 2102 } 2103 2104 static int selinux_binder_transfer_file(struct task_struct *from, 2105 struct task_struct *to, 2106 struct file *file) 2107 { 2108 u32 sid = task_sid_binder(to); 2109 struct file_security_struct *fsec = selinux_file(file); 2110 struct dentry *dentry = file->f_path.dentry; 2111 struct inode_security_struct *isec; 2112 struct common_audit_data ad; 2113 int rc; 2114 2115 ad.type = LSM_AUDIT_DATA_PATH; 2116 ad.u.path = file->f_path; 2117 2118 if (sid != fsec->sid) { 2119 rc = avc_has_perm(&selinux_state, 2120 sid, fsec->sid, 2121 SECCLASS_FD, 2122 FD__USE, 2123 &ad); 2124 if (rc) 2125 return rc; 2126 } 2127 2128 #ifdef CONFIG_BPF_SYSCALL 2129 rc = bpf_fd_pass(file, sid); 2130 if (rc) 2131 return rc; 2132 #endif 2133 2134 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2135 return 0; 2136 2137 isec = backing_inode_security(dentry); 2138 return avc_has_perm(&selinux_state, 2139 sid, isec->sid, isec->sclass, file_to_av(file), 2140 &ad); 2141 } 2142 2143 static int selinux_ptrace_access_check(struct task_struct *child, 2144 unsigned int mode) 2145 { 2146 u32 sid = current_sid(); 2147 u32 csid = task_sid_obj(child); 2148 2149 if (mode & PTRACE_MODE_READ) 2150 return avc_has_perm(&selinux_state, 2151 sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2152 2153 return avc_has_perm(&selinux_state, 2154 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2155 } 2156 2157 static int selinux_ptrace_traceme(struct task_struct *parent) 2158 { 2159 return avc_has_perm(&selinux_state, 2160 task_sid_subj(parent), task_sid_obj(current), 2161 SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2162 } 2163 2164 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2165 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2166 { 2167 return avc_has_perm(&selinux_state, 2168 current_sid(), task_sid_obj(target), SECCLASS_PROCESS, 2169 PROCESS__GETCAP, NULL); 2170 } 2171 2172 static int selinux_capset(struct cred *new, const struct cred *old, 2173 const kernel_cap_t *effective, 2174 const kernel_cap_t *inheritable, 2175 const kernel_cap_t *permitted) 2176 { 2177 return avc_has_perm(&selinux_state, 2178 cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2179 PROCESS__SETCAP, NULL); 2180 } 2181 2182 /* 2183 * (This comment used to live with the selinux_task_setuid hook, 2184 * which was removed). 2185 * 2186 * Since setuid only affects the current process, and since the SELinux 2187 * controls are not based on the Linux identity attributes, SELinux does not 2188 * need to control this operation. However, SELinux does control the use of 2189 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2190 */ 2191 2192 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2193 int cap, unsigned int opts) 2194 { 2195 return cred_has_capability(cred, cap, opts, ns == &init_user_ns); 2196 } 2197 2198 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2199 { 2200 const struct cred *cred = current_cred(); 2201 int rc = 0; 2202 2203 if (!sb) 2204 return 0; 2205 2206 switch (cmds) { 2207 case Q_SYNC: 2208 case Q_QUOTAON: 2209 case Q_QUOTAOFF: 2210 case Q_SETINFO: 2211 case Q_SETQUOTA: 2212 case Q_XQUOTAOFF: 2213 case Q_XQUOTAON: 2214 case Q_XSETQLIM: 2215 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2216 break; 2217 case Q_GETFMT: 2218 case Q_GETINFO: 2219 case Q_GETQUOTA: 2220 case Q_XGETQUOTA: 2221 case Q_XGETQSTAT: 2222 case Q_XGETQSTATV: 2223 case Q_XGETNEXTQUOTA: 2224 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2225 break; 2226 default: 2227 rc = 0; /* let the kernel handle invalid cmds */ 2228 break; 2229 } 2230 return rc; 2231 } 2232 2233 static int selinux_quota_on(struct dentry *dentry) 2234 { 2235 const struct cred *cred = current_cred(); 2236 2237 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2238 } 2239 2240 static int selinux_syslog(int type) 2241 { 2242 switch (type) { 2243 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2244 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2245 return avc_has_perm(&selinux_state, 2246 current_sid(), SECINITSID_KERNEL, 2247 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2248 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2249 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2250 /* Set level of messages printed to console */ 2251 case SYSLOG_ACTION_CONSOLE_LEVEL: 2252 return avc_has_perm(&selinux_state, 2253 current_sid(), SECINITSID_KERNEL, 2254 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2255 NULL); 2256 } 2257 /* All other syslog types */ 2258 return avc_has_perm(&selinux_state, 2259 current_sid(), SECINITSID_KERNEL, 2260 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2261 } 2262 2263 /* 2264 * Check that a process has enough memory to allocate a new virtual 2265 * mapping. 0 means there is enough memory for the allocation to 2266 * succeed and -ENOMEM implies there is not. 2267 * 2268 * Do not audit the selinux permission check, as this is applied to all 2269 * processes that allocate mappings. 2270 */ 2271 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2272 { 2273 int rc, cap_sys_admin = 0; 2274 2275 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2276 CAP_OPT_NOAUDIT, true); 2277 if (rc == 0) 2278 cap_sys_admin = 1; 2279 2280 return cap_sys_admin; 2281 } 2282 2283 /* binprm security operations */ 2284 2285 static u32 ptrace_parent_sid(void) 2286 { 2287 u32 sid = 0; 2288 struct task_struct *tracer; 2289 2290 rcu_read_lock(); 2291 tracer = ptrace_parent(current); 2292 if (tracer) 2293 sid = task_sid_obj(tracer); 2294 rcu_read_unlock(); 2295 2296 return sid; 2297 } 2298 2299 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2300 const struct task_security_struct *old_tsec, 2301 const struct task_security_struct *new_tsec) 2302 { 2303 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2304 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2305 int rc; 2306 u32 av; 2307 2308 if (!nnp && !nosuid) 2309 return 0; /* neither NNP nor nosuid */ 2310 2311 if (new_tsec->sid == old_tsec->sid) 2312 return 0; /* No change in credentials */ 2313 2314 /* 2315 * If the policy enables the nnp_nosuid_transition policy capability, 2316 * then we permit transitions under NNP or nosuid if the 2317 * policy allows the corresponding permission between 2318 * the old and new contexts. 2319 */ 2320 if (selinux_policycap_nnp_nosuid_transition()) { 2321 av = 0; 2322 if (nnp) 2323 av |= PROCESS2__NNP_TRANSITION; 2324 if (nosuid) 2325 av |= PROCESS2__NOSUID_TRANSITION; 2326 rc = avc_has_perm(&selinux_state, 2327 old_tsec->sid, new_tsec->sid, 2328 SECCLASS_PROCESS2, av, NULL); 2329 if (!rc) 2330 return 0; 2331 } 2332 2333 /* 2334 * We also permit NNP or nosuid transitions to bounded SIDs, 2335 * i.e. SIDs that are guaranteed to only be allowed a subset 2336 * of the permissions of the current SID. 2337 */ 2338 rc = security_bounded_transition(&selinux_state, old_tsec->sid, 2339 new_tsec->sid); 2340 if (!rc) 2341 return 0; 2342 2343 /* 2344 * On failure, preserve the errno values for NNP vs nosuid. 2345 * NNP: Operation not permitted for caller. 2346 * nosuid: Permission denied to file. 2347 */ 2348 if (nnp) 2349 return -EPERM; 2350 return -EACCES; 2351 } 2352 2353 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) 2354 { 2355 const struct task_security_struct *old_tsec; 2356 struct task_security_struct *new_tsec; 2357 struct inode_security_struct *isec; 2358 struct common_audit_data ad; 2359 struct inode *inode = file_inode(bprm->file); 2360 int rc; 2361 2362 /* SELinux context only depends on initial program or script and not 2363 * the script interpreter */ 2364 2365 old_tsec = selinux_cred(current_cred()); 2366 new_tsec = selinux_cred(bprm->cred); 2367 isec = inode_security(inode); 2368 2369 /* Default to the current task SID. */ 2370 new_tsec->sid = old_tsec->sid; 2371 new_tsec->osid = old_tsec->sid; 2372 2373 /* Reset fs, key, and sock SIDs on execve. */ 2374 new_tsec->create_sid = 0; 2375 new_tsec->keycreate_sid = 0; 2376 new_tsec->sockcreate_sid = 0; 2377 2378 if (old_tsec->exec_sid) { 2379 new_tsec->sid = old_tsec->exec_sid; 2380 /* Reset exec SID on execve. */ 2381 new_tsec->exec_sid = 0; 2382 2383 /* Fail on NNP or nosuid if not an allowed transition. */ 2384 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2385 if (rc) 2386 return rc; 2387 } else { 2388 /* Check for a default transition on this program. */ 2389 rc = security_transition_sid(&selinux_state, old_tsec->sid, 2390 isec->sid, SECCLASS_PROCESS, NULL, 2391 &new_tsec->sid); 2392 if (rc) 2393 return rc; 2394 2395 /* 2396 * Fallback to old SID on NNP or nosuid if not an allowed 2397 * transition. 2398 */ 2399 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2400 if (rc) 2401 new_tsec->sid = old_tsec->sid; 2402 } 2403 2404 ad.type = LSM_AUDIT_DATA_FILE; 2405 ad.u.file = bprm->file; 2406 2407 if (new_tsec->sid == old_tsec->sid) { 2408 rc = avc_has_perm(&selinux_state, 2409 old_tsec->sid, isec->sid, 2410 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2411 if (rc) 2412 return rc; 2413 } else { 2414 /* Check permissions for the transition. */ 2415 rc = avc_has_perm(&selinux_state, 2416 old_tsec->sid, new_tsec->sid, 2417 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2418 if (rc) 2419 return rc; 2420 2421 rc = avc_has_perm(&selinux_state, 2422 new_tsec->sid, isec->sid, 2423 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2424 if (rc) 2425 return rc; 2426 2427 /* Check for shared state */ 2428 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2429 rc = avc_has_perm(&selinux_state, 2430 old_tsec->sid, new_tsec->sid, 2431 SECCLASS_PROCESS, PROCESS__SHARE, 2432 NULL); 2433 if (rc) 2434 return -EPERM; 2435 } 2436 2437 /* Make sure that anyone attempting to ptrace over a task that 2438 * changes its SID has the appropriate permit */ 2439 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2440 u32 ptsid = ptrace_parent_sid(); 2441 if (ptsid != 0) { 2442 rc = avc_has_perm(&selinux_state, 2443 ptsid, new_tsec->sid, 2444 SECCLASS_PROCESS, 2445 PROCESS__PTRACE, NULL); 2446 if (rc) 2447 return -EPERM; 2448 } 2449 } 2450 2451 /* Clear any possibly unsafe personality bits on exec: */ 2452 bprm->per_clear |= PER_CLEAR_ON_SETID; 2453 2454 /* Enable secure mode for SIDs transitions unless 2455 the noatsecure permission is granted between 2456 the two SIDs, i.e. ahp returns 0. */ 2457 rc = avc_has_perm(&selinux_state, 2458 old_tsec->sid, new_tsec->sid, 2459 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2460 NULL); 2461 bprm->secureexec |= !!rc; 2462 } 2463 2464 return 0; 2465 } 2466 2467 static int match_file(const void *p, struct file *file, unsigned fd) 2468 { 2469 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2470 } 2471 2472 /* Derived from fs/exec.c:flush_old_files. */ 2473 static inline void flush_unauthorized_files(const struct cred *cred, 2474 struct files_struct *files) 2475 { 2476 struct file *file, *devnull = NULL; 2477 struct tty_struct *tty; 2478 int drop_tty = 0; 2479 unsigned n; 2480 2481 tty = get_current_tty(); 2482 if (tty) { 2483 spin_lock(&tty->files_lock); 2484 if (!list_empty(&tty->tty_files)) { 2485 struct tty_file_private *file_priv; 2486 2487 /* Revalidate access to controlling tty. 2488 Use file_path_has_perm on the tty path directly 2489 rather than using file_has_perm, as this particular 2490 open file may belong to another process and we are 2491 only interested in the inode-based check here. */ 2492 file_priv = list_first_entry(&tty->tty_files, 2493 struct tty_file_private, list); 2494 file = file_priv->file; 2495 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2496 drop_tty = 1; 2497 } 2498 spin_unlock(&tty->files_lock); 2499 tty_kref_put(tty); 2500 } 2501 /* Reset controlling tty. */ 2502 if (drop_tty) 2503 no_tty(); 2504 2505 /* Revalidate access to inherited open files. */ 2506 n = iterate_fd(files, 0, match_file, cred); 2507 if (!n) /* none found? */ 2508 return; 2509 2510 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2511 if (IS_ERR(devnull)) 2512 devnull = NULL; 2513 /* replace all the matching ones with this */ 2514 do { 2515 replace_fd(n - 1, devnull, 0); 2516 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2517 if (devnull) 2518 fput(devnull); 2519 } 2520 2521 /* 2522 * Prepare a process for imminent new credential changes due to exec 2523 */ 2524 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2525 { 2526 struct task_security_struct *new_tsec; 2527 struct rlimit *rlim, *initrlim; 2528 int rc, i; 2529 2530 new_tsec = selinux_cred(bprm->cred); 2531 if (new_tsec->sid == new_tsec->osid) 2532 return; 2533 2534 /* Close files for which the new task SID is not authorized. */ 2535 flush_unauthorized_files(bprm->cred, current->files); 2536 2537 /* Always clear parent death signal on SID transitions. */ 2538 current->pdeath_signal = 0; 2539 2540 /* Check whether the new SID can inherit resource limits from the old 2541 * SID. If not, reset all soft limits to the lower of the current 2542 * task's hard limit and the init task's soft limit. 2543 * 2544 * Note that the setting of hard limits (even to lower them) can be 2545 * controlled by the setrlimit check. The inclusion of the init task's 2546 * soft limit into the computation is to avoid resetting soft limits 2547 * higher than the default soft limit for cases where the default is 2548 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2549 */ 2550 rc = avc_has_perm(&selinux_state, 2551 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2552 PROCESS__RLIMITINH, NULL); 2553 if (rc) { 2554 /* protect against do_prlimit() */ 2555 task_lock(current); 2556 for (i = 0; i < RLIM_NLIMITS; i++) { 2557 rlim = current->signal->rlim + i; 2558 initrlim = init_task.signal->rlim + i; 2559 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2560 } 2561 task_unlock(current); 2562 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2563 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2564 } 2565 } 2566 2567 /* 2568 * Clean up the process immediately after the installation of new credentials 2569 * due to exec 2570 */ 2571 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2572 { 2573 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2574 u32 osid, sid; 2575 int rc; 2576 2577 osid = tsec->osid; 2578 sid = tsec->sid; 2579 2580 if (sid == osid) 2581 return; 2582 2583 /* Check whether the new SID can inherit signal state from the old SID. 2584 * If not, clear itimers to avoid subsequent signal generation and 2585 * flush and unblock signals. 2586 * 2587 * This must occur _after_ the task SID has been updated so that any 2588 * kill done after the flush will be checked against the new SID. 2589 */ 2590 rc = avc_has_perm(&selinux_state, 2591 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2592 if (rc) { 2593 clear_itimer(); 2594 2595 spin_lock_irq(¤t->sighand->siglock); 2596 if (!fatal_signal_pending(current)) { 2597 flush_sigqueue(¤t->pending); 2598 flush_sigqueue(¤t->signal->shared_pending); 2599 flush_signal_handlers(current, 1); 2600 sigemptyset(¤t->blocked); 2601 recalc_sigpending(); 2602 } 2603 spin_unlock_irq(¤t->sighand->siglock); 2604 } 2605 2606 /* Wake up the parent if it is waiting so that it can recheck 2607 * wait permission to the new task SID. */ 2608 read_lock(&tasklist_lock); 2609 __wake_up_parent(current, current->real_parent); 2610 read_unlock(&tasklist_lock); 2611 } 2612 2613 /* superblock security operations */ 2614 2615 static int selinux_sb_alloc_security(struct super_block *sb) 2616 { 2617 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2618 2619 mutex_init(&sbsec->lock); 2620 INIT_LIST_HEAD(&sbsec->isec_head); 2621 spin_lock_init(&sbsec->isec_lock); 2622 sbsec->sid = SECINITSID_UNLABELED; 2623 sbsec->def_sid = SECINITSID_FILE; 2624 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 2625 2626 return 0; 2627 } 2628 2629 static inline int opt_len(const char *s) 2630 { 2631 bool open_quote = false; 2632 int len; 2633 char c; 2634 2635 for (len = 0; (c = s[len]) != '\0'; len++) { 2636 if (c == '"') 2637 open_quote = !open_quote; 2638 if (c == ',' && !open_quote) 2639 break; 2640 } 2641 return len; 2642 } 2643 2644 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) 2645 { 2646 char *from = options; 2647 char *to = options; 2648 bool first = true; 2649 int rc; 2650 2651 while (1) { 2652 int len = opt_len(from); 2653 int token; 2654 char *arg = NULL; 2655 2656 token = match_opt_prefix(from, len, &arg); 2657 2658 if (token != Opt_error) { 2659 char *p, *q; 2660 2661 /* strip quotes */ 2662 if (arg) { 2663 for (p = q = arg; p < from + len; p++) { 2664 char c = *p; 2665 if (c != '"') 2666 *q++ = c; 2667 } 2668 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); 2669 if (!arg) { 2670 rc = -ENOMEM; 2671 goto free_opt; 2672 } 2673 } 2674 rc = selinux_add_opt(token, arg, mnt_opts); 2675 if (unlikely(rc)) { 2676 kfree(arg); 2677 goto free_opt; 2678 } 2679 } else { 2680 if (!first) { // copy with preceding comma 2681 from--; 2682 len++; 2683 } 2684 if (to != from) 2685 memmove(to, from, len); 2686 to += len; 2687 first = false; 2688 } 2689 if (!from[len]) 2690 break; 2691 from += len + 1; 2692 } 2693 *to = '\0'; 2694 return 0; 2695 2696 free_opt: 2697 if (*mnt_opts) { 2698 selinux_free_mnt_opts(*mnt_opts); 2699 *mnt_opts = NULL; 2700 } 2701 return rc; 2702 } 2703 2704 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts) 2705 { 2706 struct selinux_mnt_opts *opts = mnt_opts; 2707 struct superblock_security_struct *sbsec = sb->s_security; 2708 u32 sid; 2709 int rc; 2710 2711 /* 2712 * Superblock not initialized (i.e. no options) - reject if any 2713 * options specified, otherwise accept. 2714 */ 2715 if (!(sbsec->flags & SE_SBINITIALIZED)) 2716 return opts ? 1 : 0; 2717 2718 /* 2719 * Superblock initialized and no options specified - reject if 2720 * superblock has any options set, otherwise accept. 2721 */ 2722 if (!opts) 2723 return (sbsec->flags & SE_MNTMASK) ? 1 : 0; 2724 2725 if (opts->fscontext) { 2726 rc = parse_sid(sb, opts->fscontext, &sid); 2727 if (rc) 2728 return 1; 2729 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2730 return 1; 2731 } 2732 if (opts->context) { 2733 rc = parse_sid(sb, opts->context, &sid); 2734 if (rc) 2735 return 1; 2736 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2737 return 1; 2738 } 2739 if (opts->rootcontext) { 2740 struct inode_security_struct *root_isec; 2741 2742 root_isec = backing_inode_security(sb->s_root); 2743 rc = parse_sid(sb, opts->rootcontext, &sid); 2744 if (rc) 2745 return 1; 2746 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2747 return 1; 2748 } 2749 if (opts->defcontext) { 2750 rc = parse_sid(sb, opts->defcontext, &sid); 2751 if (rc) 2752 return 1; 2753 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2754 return 1; 2755 } 2756 return 0; 2757 } 2758 2759 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) 2760 { 2761 struct selinux_mnt_opts *opts = mnt_opts; 2762 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2763 u32 sid; 2764 int rc; 2765 2766 if (!(sbsec->flags & SE_SBINITIALIZED)) 2767 return 0; 2768 2769 if (!opts) 2770 return 0; 2771 2772 if (opts->fscontext) { 2773 rc = parse_sid(sb, opts->fscontext, &sid); 2774 if (rc) 2775 return rc; 2776 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2777 goto out_bad_option; 2778 } 2779 if (opts->context) { 2780 rc = parse_sid(sb, opts->context, &sid); 2781 if (rc) 2782 return rc; 2783 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2784 goto out_bad_option; 2785 } 2786 if (opts->rootcontext) { 2787 struct inode_security_struct *root_isec; 2788 root_isec = backing_inode_security(sb->s_root); 2789 rc = parse_sid(sb, opts->rootcontext, &sid); 2790 if (rc) 2791 return rc; 2792 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2793 goto out_bad_option; 2794 } 2795 if (opts->defcontext) { 2796 rc = parse_sid(sb, opts->defcontext, &sid); 2797 if (rc) 2798 return rc; 2799 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2800 goto out_bad_option; 2801 } 2802 return 0; 2803 2804 out_bad_option: 2805 pr_warn("SELinux: unable to change security options " 2806 "during remount (dev %s, type=%s)\n", sb->s_id, 2807 sb->s_type->name); 2808 return -EINVAL; 2809 } 2810 2811 static int selinux_sb_kern_mount(struct super_block *sb) 2812 { 2813 const struct cred *cred = current_cred(); 2814 struct common_audit_data ad; 2815 2816 ad.type = LSM_AUDIT_DATA_DENTRY; 2817 ad.u.dentry = sb->s_root; 2818 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2819 } 2820 2821 static int selinux_sb_statfs(struct dentry *dentry) 2822 { 2823 const struct cred *cred = current_cred(); 2824 struct common_audit_data ad; 2825 2826 ad.type = LSM_AUDIT_DATA_DENTRY; 2827 ad.u.dentry = dentry->d_sb->s_root; 2828 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2829 } 2830 2831 static int selinux_mount(const char *dev_name, 2832 const struct path *path, 2833 const char *type, 2834 unsigned long flags, 2835 void *data) 2836 { 2837 const struct cred *cred = current_cred(); 2838 2839 if (flags & MS_REMOUNT) 2840 return superblock_has_perm(cred, path->dentry->d_sb, 2841 FILESYSTEM__REMOUNT, NULL); 2842 else 2843 return path_has_perm(cred, path, FILE__MOUNTON); 2844 } 2845 2846 static int selinux_move_mount(const struct path *from_path, 2847 const struct path *to_path) 2848 { 2849 const struct cred *cred = current_cred(); 2850 2851 return path_has_perm(cred, to_path, FILE__MOUNTON); 2852 } 2853 2854 static int selinux_umount(struct vfsmount *mnt, int flags) 2855 { 2856 const struct cred *cred = current_cred(); 2857 2858 return superblock_has_perm(cred, mnt->mnt_sb, 2859 FILESYSTEM__UNMOUNT, NULL); 2860 } 2861 2862 static int selinux_fs_context_dup(struct fs_context *fc, 2863 struct fs_context *src_fc) 2864 { 2865 const struct selinux_mnt_opts *src = src_fc->security; 2866 struct selinux_mnt_opts *opts; 2867 2868 if (!src) 2869 return 0; 2870 2871 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL); 2872 if (!fc->security) 2873 return -ENOMEM; 2874 2875 opts = fc->security; 2876 2877 if (src->fscontext) { 2878 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL); 2879 if (!opts->fscontext) 2880 return -ENOMEM; 2881 } 2882 if (src->context) { 2883 opts->context = kstrdup(src->context, GFP_KERNEL); 2884 if (!opts->context) 2885 return -ENOMEM; 2886 } 2887 if (src->rootcontext) { 2888 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL); 2889 if (!opts->rootcontext) 2890 return -ENOMEM; 2891 } 2892 if (src->defcontext) { 2893 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL); 2894 if (!opts->defcontext) 2895 return -ENOMEM; 2896 } 2897 return 0; 2898 } 2899 2900 static const struct fs_parameter_spec selinux_fs_parameters[] = { 2901 fsparam_string(CONTEXT_STR, Opt_context), 2902 fsparam_string(DEFCONTEXT_STR, Opt_defcontext), 2903 fsparam_string(FSCONTEXT_STR, Opt_fscontext), 2904 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext), 2905 fsparam_flag (SECLABEL_STR, Opt_seclabel), 2906 {} 2907 }; 2908 2909 static int selinux_fs_context_parse_param(struct fs_context *fc, 2910 struct fs_parameter *param) 2911 { 2912 struct fs_parse_result result; 2913 int opt, rc; 2914 2915 opt = fs_parse(fc, selinux_fs_parameters, param, &result); 2916 if (opt < 0) 2917 return opt; 2918 2919 rc = selinux_add_opt(opt, param->string, &fc->security); 2920 if (!rc) { 2921 param->string = NULL; 2922 rc = 1; 2923 } 2924 return rc; 2925 } 2926 2927 /* inode security operations */ 2928 2929 static int selinux_inode_alloc_security(struct inode *inode) 2930 { 2931 struct inode_security_struct *isec = selinux_inode(inode); 2932 u32 sid = current_sid(); 2933 2934 spin_lock_init(&isec->lock); 2935 INIT_LIST_HEAD(&isec->list); 2936 isec->inode = inode; 2937 isec->sid = SECINITSID_UNLABELED; 2938 isec->sclass = SECCLASS_FILE; 2939 isec->task_sid = sid; 2940 isec->initialized = LABEL_INVALID; 2941 2942 return 0; 2943 } 2944 2945 static void selinux_inode_free_security(struct inode *inode) 2946 { 2947 inode_free_security(inode); 2948 } 2949 2950 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2951 const struct qstr *name, void **ctx, 2952 u32 *ctxlen) 2953 { 2954 u32 newsid; 2955 int rc; 2956 2957 rc = selinux_determine_inode_label(selinux_cred(current_cred()), 2958 d_inode(dentry->d_parent), name, 2959 inode_mode_to_security_class(mode), 2960 &newsid); 2961 if (rc) 2962 return rc; 2963 2964 return security_sid_to_context(&selinux_state, newsid, (char **)ctx, 2965 ctxlen); 2966 } 2967 2968 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2969 struct qstr *name, 2970 const struct cred *old, 2971 struct cred *new) 2972 { 2973 u32 newsid; 2974 int rc; 2975 struct task_security_struct *tsec; 2976 2977 rc = selinux_determine_inode_label(selinux_cred(old), 2978 d_inode(dentry->d_parent), name, 2979 inode_mode_to_security_class(mode), 2980 &newsid); 2981 if (rc) 2982 return rc; 2983 2984 tsec = selinux_cred(new); 2985 tsec->create_sid = newsid; 2986 return 0; 2987 } 2988 2989 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2990 const struct qstr *qstr, 2991 const char **name, 2992 void **value, size_t *len) 2993 { 2994 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2995 struct superblock_security_struct *sbsec; 2996 u32 newsid, clen; 2997 int rc; 2998 char *context; 2999 3000 sbsec = selinux_superblock(dir->i_sb); 3001 3002 newsid = tsec->create_sid; 3003 3004 rc = selinux_determine_inode_label(tsec, dir, qstr, 3005 inode_mode_to_security_class(inode->i_mode), 3006 &newsid); 3007 if (rc) 3008 return rc; 3009 3010 /* Possibly defer initialization to selinux_complete_init. */ 3011 if (sbsec->flags & SE_SBINITIALIZED) { 3012 struct inode_security_struct *isec = selinux_inode(inode); 3013 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3014 isec->sid = newsid; 3015 isec->initialized = LABEL_INITIALIZED; 3016 } 3017 3018 if (!selinux_initialized(&selinux_state) || 3019 !(sbsec->flags & SBLABEL_MNT)) 3020 return -EOPNOTSUPP; 3021 3022 if (name) 3023 *name = XATTR_SELINUX_SUFFIX; 3024 3025 if (value && len) { 3026 rc = security_sid_to_context_force(&selinux_state, newsid, 3027 &context, &clen); 3028 if (rc) 3029 return rc; 3030 *value = context; 3031 *len = clen; 3032 } 3033 3034 return 0; 3035 } 3036 3037 static int selinux_inode_init_security_anon(struct inode *inode, 3038 const struct qstr *name, 3039 const struct inode *context_inode) 3040 { 3041 const struct task_security_struct *tsec = selinux_cred(current_cred()); 3042 struct common_audit_data ad; 3043 struct inode_security_struct *isec; 3044 int rc; 3045 3046 if (unlikely(!selinux_initialized(&selinux_state))) 3047 return 0; 3048 3049 isec = selinux_inode(inode); 3050 3051 /* 3052 * We only get here once per ephemeral inode. The inode has 3053 * been initialized via inode_alloc_security but is otherwise 3054 * untouched. 3055 */ 3056 3057 if (context_inode) { 3058 struct inode_security_struct *context_isec = 3059 selinux_inode(context_inode); 3060 if (context_isec->initialized != LABEL_INITIALIZED) { 3061 pr_err("SELinux: context_inode is not initialized"); 3062 return -EACCES; 3063 } 3064 3065 isec->sclass = context_isec->sclass; 3066 isec->sid = context_isec->sid; 3067 } else { 3068 isec->sclass = SECCLASS_ANON_INODE; 3069 rc = security_transition_sid( 3070 &selinux_state, tsec->sid, tsec->sid, 3071 isec->sclass, name, &isec->sid); 3072 if (rc) 3073 return rc; 3074 } 3075 3076 isec->initialized = LABEL_INITIALIZED; 3077 /* 3078 * Now that we've initialized security, check whether we're 3079 * allowed to actually create this type of anonymous inode. 3080 */ 3081 3082 ad.type = LSM_AUDIT_DATA_INODE; 3083 ad.u.inode = inode; 3084 3085 return avc_has_perm(&selinux_state, 3086 tsec->sid, 3087 isec->sid, 3088 isec->sclass, 3089 FILE__CREATE, 3090 &ad); 3091 } 3092 3093 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 3094 { 3095 return may_create(dir, dentry, SECCLASS_FILE); 3096 } 3097 3098 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 3099 { 3100 return may_link(dir, old_dentry, MAY_LINK); 3101 } 3102 3103 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 3104 { 3105 return may_link(dir, dentry, MAY_UNLINK); 3106 } 3107 3108 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 3109 { 3110 return may_create(dir, dentry, SECCLASS_LNK_FILE); 3111 } 3112 3113 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 3114 { 3115 return may_create(dir, dentry, SECCLASS_DIR); 3116 } 3117 3118 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 3119 { 3120 return may_link(dir, dentry, MAY_RMDIR); 3121 } 3122 3123 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 3124 { 3125 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 3126 } 3127 3128 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3129 struct inode *new_inode, struct dentry *new_dentry) 3130 { 3131 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3132 } 3133 3134 static int selinux_inode_readlink(struct dentry *dentry) 3135 { 3136 const struct cred *cred = current_cred(); 3137 3138 return dentry_has_perm(cred, dentry, FILE__READ); 3139 } 3140 3141 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3142 bool rcu) 3143 { 3144 const struct cred *cred = current_cred(); 3145 struct common_audit_data ad; 3146 struct inode_security_struct *isec; 3147 u32 sid; 3148 3149 validate_creds(cred); 3150 3151 ad.type = LSM_AUDIT_DATA_DENTRY; 3152 ad.u.dentry = dentry; 3153 sid = cred_sid(cred); 3154 isec = inode_security_rcu(inode, rcu); 3155 if (IS_ERR(isec)) 3156 return PTR_ERR(isec); 3157 3158 return avc_has_perm(&selinux_state, 3159 sid, isec->sid, isec->sclass, FILE__READ, &ad); 3160 } 3161 3162 static noinline int audit_inode_permission(struct inode *inode, 3163 u32 perms, u32 audited, u32 denied, 3164 int result) 3165 { 3166 struct common_audit_data ad; 3167 struct inode_security_struct *isec = selinux_inode(inode); 3168 3169 ad.type = LSM_AUDIT_DATA_INODE; 3170 ad.u.inode = inode; 3171 3172 return slow_avc_audit(&selinux_state, 3173 current_sid(), isec->sid, isec->sclass, perms, 3174 audited, denied, result, &ad); 3175 } 3176 3177 static int selinux_inode_permission(struct inode *inode, int mask) 3178 { 3179 const struct cred *cred = current_cred(); 3180 u32 perms; 3181 bool from_access; 3182 bool no_block = mask & MAY_NOT_BLOCK; 3183 struct inode_security_struct *isec; 3184 u32 sid; 3185 struct av_decision avd; 3186 int rc, rc2; 3187 u32 audited, denied; 3188 3189 from_access = mask & MAY_ACCESS; 3190 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3191 3192 /* No permission to check. Existence test. */ 3193 if (!mask) 3194 return 0; 3195 3196 validate_creds(cred); 3197 3198 if (unlikely(IS_PRIVATE(inode))) 3199 return 0; 3200 3201 perms = file_mask_to_av(inode->i_mode, mask); 3202 3203 sid = cred_sid(cred); 3204 isec = inode_security_rcu(inode, no_block); 3205 if (IS_ERR(isec)) 3206 return PTR_ERR(isec); 3207 3208 rc = avc_has_perm_noaudit(&selinux_state, 3209 sid, isec->sid, isec->sclass, perms, 0, 3210 &avd); 3211 audited = avc_audit_required(perms, &avd, rc, 3212 from_access ? FILE__AUDIT_ACCESS : 0, 3213 &denied); 3214 if (likely(!audited)) 3215 return rc; 3216 3217 rc2 = audit_inode_permission(inode, perms, audited, denied, rc); 3218 if (rc2) 3219 return rc2; 3220 return rc; 3221 } 3222 3223 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3224 { 3225 const struct cred *cred = current_cred(); 3226 struct inode *inode = d_backing_inode(dentry); 3227 unsigned int ia_valid = iattr->ia_valid; 3228 __u32 av = FILE__WRITE; 3229 3230 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3231 if (ia_valid & ATTR_FORCE) { 3232 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3233 ATTR_FORCE); 3234 if (!ia_valid) 3235 return 0; 3236 } 3237 3238 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3239 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3240 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3241 3242 if (selinux_policycap_openperm() && 3243 inode->i_sb->s_magic != SOCKFS_MAGIC && 3244 (ia_valid & ATTR_SIZE) && 3245 !(ia_valid & ATTR_FILE)) 3246 av |= FILE__OPEN; 3247 3248 return dentry_has_perm(cred, dentry, av); 3249 } 3250 3251 static int selinux_inode_getattr(const struct path *path) 3252 { 3253 return path_has_perm(current_cred(), path, FILE__GETATTR); 3254 } 3255 3256 static bool has_cap_mac_admin(bool audit) 3257 { 3258 const struct cred *cred = current_cred(); 3259 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT; 3260 3261 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts)) 3262 return false; 3263 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true)) 3264 return false; 3265 return true; 3266 } 3267 3268 static int selinux_inode_setxattr(struct user_namespace *mnt_userns, 3269 struct dentry *dentry, const char *name, 3270 const void *value, size_t size, int flags) 3271 { 3272 struct inode *inode = d_backing_inode(dentry); 3273 struct inode_security_struct *isec; 3274 struct superblock_security_struct *sbsec; 3275 struct common_audit_data ad; 3276 u32 newsid, sid = current_sid(); 3277 int rc = 0; 3278 3279 if (strcmp(name, XATTR_NAME_SELINUX)) { 3280 rc = cap_inode_setxattr(dentry, name, value, size, flags); 3281 if (rc) 3282 return rc; 3283 3284 /* Not an attribute we recognize, so just check the 3285 ordinary setattr permission. */ 3286 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3287 } 3288 3289 if (!selinux_initialized(&selinux_state)) 3290 return (inode_owner_or_capable(mnt_userns, inode) ? 0 : -EPERM); 3291 3292 sbsec = selinux_superblock(inode->i_sb); 3293 if (!(sbsec->flags & SBLABEL_MNT)) 3294 return -EOPNOTSUPP; 3295 3296 if (!inode_owner_or_capable(mnt_userns, inode)) 3297 return -EPERM; 3298 3299 ad.type = LSM_AUDIT_DATA_DENTRY; 3300 ad.u.dentry = dentry; 3301 3302 isec = backing_inode_security(dentry); 3303 rc = avc_has_perm(&selinux_state, 3304 sid, isec->sid, isec->sclass, 3305 FILE__RELABELFROM, &ad); 3306 if (rc) 3307 return rc; 3308 3309 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3310 GFP_KERNEL); 3311 if (rc == -EINVAL) { 3312 if (!has_cap_mac_admin(true)) { 3313 struct audit_buffer *ab; 3314 size_t audit_size; 3315 3316 /* We strip a nul only if it is at the end, otherwise the 3317 * context contains a nul and we should audit that */ 3318 if (value) { 3319 const char *str = value; 3320 3321 if (str[size - 1] == '\0') 3322 audit_size = size - 1; 3323 else 3324 audit_size = size; 3325 } else { 3326 audit_size = 0; 3327 } 3328 ab = audit_log_start(audit_context(), 3329 GFP_ATOMIC, AUDIT_SELINUX_ERR); 3330 audit_log_format(ab, "op=setxattr invalid_context="); 3331 audit_log_n_untrustedstring(ab, value, audit_size); 3332 audit_log_end(ab); 3333 3334 return rc; 3335 } 3336 rc = security_context_to_sid_force(&selinux_state, value, 3337 size, &newsid); 3338 } 3339 if (rc) 3340 return rc; 3341 3342 rc = avc_has_perm(&selinux_state, 3343 sid, newsid, isec->sclass, 3344 FILE__RELABELTO, &ad); 3345 if (rc) 3346 return rc; 3347 3348 rc = security_validate_transition(&selinux_state, isec->sid, newsid, 3349 sid, isec->sclass); 3350 if (rc) 3351 return rc; 3352 3353 return avc_has_perm(&selinux_state, 3354 newsid, 3355 sbsec->sid, 3356 SECCLASS_FILESYSTEM, 3357 FILESYSTEM__ASSOCIATE, 3358 &ad); 3359 } 3360 3361 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3362 const void *value, size_t size, 3363 int flags) 3364 { 3365 struct inode *inode = d_backing_inode(dentry); 3366 struct inode_security_struct *isec; 3367 u32 newsid; 3368 int rc; 3369 3370 if (strcmp(name, XATTR_NAME_SELINUX)) { 3371 /* Not an attribute we recognize, so nothing to do. */ 3372 return; 3373 } 3374 3375 if (!selinux_initialized(&selinux_state)) { 3376 /* If we haven't even been initialized, then we can't validate 3377 * against a policy, so leave the label as invalid. It may 3378 * resolve to a valid label on the next revalidation try if 3379 * we've since initialized. 3380 */ 3381 return; 3382 } 3383 3384 rc = security_context_to_sid_force(&selinux_state, value, size, 3385 &newsid); 3386 if (rc) { 3387 pr_err("SELinux: unable to map context to SID" 3388 "for (%s, %lu), rc=%d\n", 3389 inode->i_sb->s_id, inode->i_ino, -rc); 3390 return; 3391 } 3392 3393 isec = backing_inode_security(dentry); 3394 spin_lock(&isec->lock); 3395 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3396 isec->sid = newsid; 3397 isec->initialized = LABEL_INITIALIZED; 3398 spin_unlock(&isec->lock); 3399 3400 return; 3401 } 3402 3403 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3404 { 3405 const struct cred *cred = current_cred(); 3406 3407 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3408 } 3409 3410 static int selinux_inode_listxattr(struct dentry *dentry) 3411 { 3412 const struct cred *cred = current_cred(); 3413 3414 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3415 } 3416 3417 static int selinux_inode_removexattr(struct user_namespace *mnt_userns, 3418 struct dentry *dentry, const char *name) 3419 { 3420 if (strcmp(name, XATTR_NAME_SELINUX)) { 3421 int rc = cap_inode_removexattr(mnt_userns, dentry, name); 3422 if (rc) 3423 return rc; 3424 3425 /* Not an attribute we recognize, so just check the 3426 ordinary setattr permission. */ 3427 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3428 } 3429 3430 if (!selinux_initialized(&selinux_state)) 3431 return 0; 3432 3433 /* No one is allowed to remove a SELinux security label. 3434 You can change the label, but all data must be labeled. */ 3435 return -EACCES; 3436 } 3437 3438 static int selinux_path_notify(const struct path *path, u64 mask, 3439 unsigned int obj_type) 3440 { 3441 int ret; 3442 u32 perm; 3443 3444 struct common_audit_data ad; 3445 3446 ad.type = LSM_AUDIT_DATA_PATH; 3447 ad.u.path = *path; 3448 3449 /* 3450 * Set permission needed based on the type of mark being set. 3451 * Performs an additional check for sb watches. 3452 */ 3453 switch (obj_type) { 3454 case FSNOTIFY_OBJ_TYPE_VFSMOUNT: 3455 perm = FILE__WATCH_MOUNT; 3456 break; 3457 case FSNOTIFY_OBJ_TYPE_SB: 3458 perm = FILE__WATCH_SB; 3459 ret = superblock_has_perm(current_cred(), path->dentry->d_sb, 3460 FILESYSTEM__WATCH, &ad); 3461 if (ret) 3462 return ret; 3463 break; 3464 case FSNOTIFY_OBJ_TYPE_INODE: 3465 perm = FILE__WATCH; 3466 break; 3467 default: 3468 return -EINVAL; 3469 } 3470 3471 /* blocking watches require the file:watch_with_perm permission */ 3472 if (mask & (ALL_FSNOTIFY_PERM_EVENTS)) 3473 perm |= FILE__WATCH_WITH_PERM; 3474 3475 /* watches on read-like events need the file:watch_reads permission */ 3476 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE)) 3477 perm |= FILE__WATCH_READS; 3478 3479 return path_has_perm(current_cred(), path, perm); 3480 } 3481 3482 /* 3483 * Copy the inode security context value to the user. 3484 * 3485 * Permission check is handled by selinux_inode_getxattr hook. 3486 */ 3487 static int selinux_inode_getsecurity(struct user_namespace *mnt_userns, 3488 struct inode *inode, const char *name, 3489 void **buffer, bool alloc) 3490 { 3491 u32 size; 3492 int error; 3493 char *context = NULL; 3494 struct inode_security_struct *isec; 3495 3496 /* 3497 * If we're not initialized yet, then we can't validate contexts, so 3498 * just let vfs_getxattr fall back to using the on-disk xattr. 3499 */ 3500 if (!selinux_initialized(&selinux_state) || 3501 strcmp(name, XATTR_SELINUX_SUFFIX)) 3502 return -EOPNOTSUPP; 3503 3504 /* 3505 * If the caller has CAP_MAC_ADMIN, then get the raw context 3506 * value even if it is not defined by current policy; otherwise, 3507 * use the in-core value under current policy. 3508 * Use the non-auditing forms of the permission checks since 3509 * getxattr may be called by unprivileged processes commonly 3510 * and lack of permission just means that we fall back to the 3511 * in-core context value, not a denial. 3512 */ 3513 isec = inode_security(inode); 3514 if (has_cap_mac_admin(false)) 3515 error = security_sid_to_context_force(&selinux_state, 3516 isec->sid, &context, 3517 &size); 3518 else 3519 error = security_sid_to_context(&selinux_state, isec->sid, 3520 &context, &size); 3521 if (error) 3522 return error; 3523 error = size; 3524 if (alloc) { 3525 *buffer = context; 3526 goto out_nofree; 3527 } 3528 kfree(context); 3529 out_nofree: 3530 return error; 3531 } 3532 3533 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3534 const void *value, size_t size, int flags) 3535 { 3536 struct inode_security_struct *isec = inode_security_novalidate(inode); 3537 struct superblock_security_struct *sbsec; 3538 u32 newsid; 3539 int rc; 3540 3541 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3542 return -EOPNOTSUPP; 3543 3544 sbsec = selinux_superblock(inode->i_sb); 3545 if (!(sbsec->flags & SBLABEL_MNT)) 3546 return -EOPNOTSUPP; 3547 3548 if (!value || !size) 3549 return -EACCES; 3550 3551 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3552 GFP_KERNEL); 3553 if (rc) 3554 return rc; 3555 3556 spin_lock(&isec->lock); 3557 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3558 isec->sid = newsid; 3559 isec->initialized = LABEL_INITIALIZED; 3560 spin_unlock(&isec->lock); 3561 return 0; 3562 } 3563 3564 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3565 { 3566 const int len = sizeof(XATTR_NAME_SELINUX); 3567 3568 if (!selinux_initialized(&selinux_state)) 3569 return 0; 3570 3571 if (buffer && len <= buffer_size) 3572 memcpy(buffer, XATTR_NAME_SELINUX, len); 3573 return len; 3574 } 3575 3576 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3577 { 3578 struct inode_security_struct *isec = inode_security_novalidate(inode); 3579 *secid = isec->sid; 3580 } 3581 3582 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3583 { 3584 u32 sid; 3585 struct task_security_struct *tsec; 3586 struct cred *new_creds = *new; 3587 3588 if (new_creds == NULL) { 3589 new_creds = prepare_creds(); 3590 if (!new_creds) 3591 return -ENOMEM; 3592 } 3593 3594 tsec = selinux_cred(new_creds); 3595 /* Get label from overlay inode and set it in create_sid */ 3596 selinux_inode_getsecid(d_inode(src), &sid); 3597 tsec->create_sid = sid; 3598 *new = new_creds; 3599 return 0; 3600 } 3601 3602 static int selinux_inode_copy_up_xattr(const char *name) 3603 { 3604 /* The copy_up hook above sets the initial context on an inode, but we 3605 * don't then want to overwrite it by blindly copying all the lower 3606 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3607 */ 3608 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3609 return 1; /* Discard */ 3610 /* 3611 * Any other attribute apart from SELINUX is not claimed, supported 3612 * by selinux. 3613 */ 3614 return -EOPNOTSUPP; 3615 } 3616 3617 /* kernfs node operations */ 3618 3619 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, 3620 struct kernfs_node *kn) 3621 { 3622 const struct task_security_struct *tsec = selinux_cred(current_cred()); 3623 u32 parent_sid, newsid, clen; 3624 int rc; 3625 char *context; 3626 3627 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0); 3628 if (rc == -ENODATA) 3629 return 0; 3630 else if (rc < 0) 3631 return rc; 3632 3633 clen = (u32)rc; 3634 context = kmalloc(clen, GFP_KERNEL); 3635 if (!context) 3636 return -ENOMEM; 3637 3638 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen); 3639 if (rc < 0) { 3640 kfree(context); 3641 return rc; 3642 } 3643 3644 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid, 3645 GFP_KERNEL); 3646 kfree(context); 3647 if (rc) 3648 return rc; 3649 3650 if (tsec->create_sid) { 3651 newsid = tsec->create_sid; 3652 } else { 3653 u16 secclass = inode_mode_to_security_class(kn->mode); 3654 struct qstr q; 3655 3656 q.name = kn->name; 3657 q.hash_len = hashlen_string(kn_dir, kn->name); 3658 3659 rc = security_transition_sid(&selinux_state, tsec->sid, 3660 parent_sid, secclass, &q, 3661 &newsid); 3662 if (rc) 3663 return rc; 3664 } 3665 3666 rc = security_sid_to_context_force(&selinux_state, newsid, 3667 &context, &clen); 3668 if (rc) 3669 return rc; 3670 3671 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen, 3672 XATTR_CREATE); 3673 kfree(context); 3674 return rc; 3675 } 3676 3677 3678 /* file security operations */ 3679 3680 static int selinux_revalidate_file_permission(struct file *file, int mask) 3681 { 3682 const struct cred *cred = current_cred(); 3683 struct inode *inode = file_inode(file); 3684 3685 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3686 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3687 mask |= MAY_APPEND; 3688 3689 return file_has_perm(cred, file, 3690 file_mask_to_av(inode->i_mode, mask)); 3691 } 3692 3693 static int selinux_file_permission(struct file *file, int mask) 3694 { 3695 struct inode *inode = file_inode(file); 3696 struct file_security_struct *fsec = selinux_file(file); 3697 struct inode_security_struct *isec; 3698 u32 sid = current_sid(); 3699 3700 if (!mask) 3701 /* No permission to check. Existence test. */ 3702 return 0; 3703 3704 isec = inode_security(inode); 3705 if (sid == fsec->sid && fsec->isid == isec->sid && 3706 fsec->pseqno == avc_policy_seqno(&selinux_state)) 3707 /* No change since file_open check. */ 3708 return 0; 3709 3710 return selinux_revalidate_file_permission(file, mask); 3711 } 3712 3713 static int selinux_file_alloc_security(struct file *file) 3714 { 3715 struct file_security_struct *fsec = selinux_file(file); 3716 u32 sid = current_sid(); 3717 3718 fsec->sid = sid; 3719 fsec->fown_sid = sid; 3720 3721 return 0; 3722 } 3723 3724 /* 3725 * Check whether a task has the ioctl permission and cmd 3726 * operation to an inode. 3727 */ 3728 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3729 u32 requested, u16 cmd) 3730 { 3731 struct common_audit_data ad; 3732 struct file_security_struct *fsec = selinux_file(file); 3733 struct inode *inode = file_inode(file); 3734 struct inode_security_struct *isec; 3735 struct lsm_ioctlop_audit ioctl; 3736 u32 ssid = cred_sid(cred); 3737 int rc; 3738 u8 driver = cmd >> 8; 3739 u8 xperm = cmd & 0xff; 3740 3741 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3742 ad.u.op = &ioctl; 3743 ad.u.op->cmd = cmd; 3744 ad.u.op->path = file->f_path; 3745 3746 if (ssid != fsec->sid) { 3747 rc = avc_has_perm(&selinux_state, 3748 ssid, fsec->sid, 3749 SECCLASS_FD, 3750 FD__USE, 3751 &ad); 3752 if (rc) 3753 goto out; 3754 } 3755 3756 if (unlikely(IS_PRIVATE(inode))) 3757 return 0; 3758 3759 isec = inode_security(inode); 3760 rc = avc_has_extended_perms(&selinux_state, 3761 ssid, isec->sid, isec->sclass, 3762 requested, driver, xperm, &ad); 3763 out: 3764 return rc; 3765 } 3766 3767 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3768 unsigned long arg) 3769 { 3770 const struct cred *cred = current_cred(); 3771 int error = 0; 3772 3773 switch (cmd) { 3774 case FIONREAD: 3775 case FIBMAP: 3776 case FIGETBSZ: 3777 case FS_IOC_GETFLAGS: 3778 case FS_IOC_GETVERSION: 3779 error = file_has_perm(cred, file, FILE__GETATTR); 3780 break; 3781 3782 case FS_IOC_SETFLAGS: 3783 case FS_IOC_SETVERSION: 3784 error = file_has_perm(cred, file, FILE__SETATTR); 3785 break; 3786 3787 /* sys_ioctl() checks */ 3788 case FIONBIO: 3789 case FIOASYNC: 3790 error = file_has_perm(cred, file, 0); 3791 break; 3792 3793 case KDSKBENT: 3794 case KDSKBSENT: 3795 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3796 CAP_OPT_NONE, true); 3797 break; 3798 3799 /* default case assumes that the command will go 3800 * to the file's ioctl() function. 3801 */ 3802 default: 3803 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3804 } 3805 return error; 3806 } 3807 3808 static int default_noexec __ro_after_init; 3809 3810 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3811 { 3812 const struct cred *cred = current_cred(); 3813 u32 sid = cred_sid(cred); 3814 int rc = 0; 3815 3816 if (default_noexec && 3817 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3818 (!shared && (prot & PROT_WRITE)))) { 3819 /* 3820 * We are making executable an anonymous mapping or a 3821 * private file mapping that will also be writable. 3822 * This has an additional check. 3823 */ 3824 rc = avc_has_perm(&selinux_state, 3825 sid, sid, SECCLASS_PROCESS, 3826 PROCESS__EXECMEM, NULL); 3827 if (rc) 3828 goto error; 3829 } 3830 3831 if (file) { 3832 /* read access is always possible with a mapping */ 3833 u32 av = FILE__READ; 3834 3835 /* write access only matters if the mapping is shared */ 3836 if (shared && (prot & PROT_WRITE)) 3837 av |= FILE__WRITE; 3838 3839 if (prot & PROT_EXEC) 3840 av |= FILE__EXECUTE; 3841 3842 return file_has_perm(cred, file, av); 3843 } 3844 3845 error: 3846 return rc; 3847 } 3848 3849 static int selinux_mmap_addr(unsigned long addr) 3850 { 3851 int rc = 0; 3852 3853 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3854 u32 sid = current_sid(); 3855 rc = avc_has_perm(&selinux_state, 3856 sid, sid, SECCLASS_MEMPROTECT, 3857 MEMPROTECT__MMAP_ZERO, NULL); 3858 } 3859 3860 return rc; 3861 } 3862 3863 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3864 unsigned long prot, unsigned long flags) 3865 { 3866 struct common_audit_data ad; 3867 int rc; 3868 3869 if (file) { 3870 ad.type = LSM_AUDIT_DATA_FILE; 3871 ad.u.file = file; 3872 rc = inode_has_perm(current_cred(), file_inode(file), 3873 FILE__MAP, &ad); 3874 if (rc) 3875 return rc; 3876 } 3877 3878 if (checkreqprot_get(&selinux_state)) 3879 prot = reqprot; 3880 3881 return file_map_prot_check(file, prot, 3882 (flags & MAP_TYPE) == MAP_SHARED); 3883 } 3884 3885 static int selinux_file_mprotect(struct vm_area_struct *vma, 3886 unsigned long reqprot, 3887 unsigned long prot) 3888 { 3889 const struct cred *cred = current_cred(); 3890 u32 sid = cred_sid(cred); 3891 3892 if (checkreqprot_get(&selinux_state)) 3893 prot = reqprot; 3894 3895 if (default_noexec && 3896 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3897 int rc = 0; 3898 if (vma->vm_start >= vma->vm_mm->start_brk && 3899 vma->vm_end <= vma->vm_mm->brk) { 3900 rc = avc_has_perm(&selinux_state, 3901 sid, sid, SECCLASS_PROCESS, 3902 PROCESS__EXECHEAP, NULL); 3903 } else if (!vma->vm_file && 3904 ((vma->vm_start <= vma->vm_mm->start_stack && 3905 vma->vm_end >= vma->vm_mm->start_stack) || 3906 vma_is_stack_for_current(vma))) { 3907 rc = avc_has_perm(&selinux_state, 3908 sid, sid, SECCLASS_PROCESS, 3909 PROCESS__EXECSTACK, NULL); 3910 } else if (vma->vm_file && vma->anon_vma) { 3911 /* 3912 * We are making executable a file mapping that has 3913 * had some COW done. Since pages might have been 3914 * written, check ability to execute the possibly 3915 * modified content. This typically should only 3916 * occur for text relocations. 3917 */ 3918 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3919 } 3920 if (rc) 3921 return rc; 3922 } 3923 3924 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3925 } 3926 3927 static int selinux_file_lock(struct file *file, unsigned int cmd) 3928 { 3929 const struct cred *cred = current_cred(); 3930 3931 return file_has_perm(cred, file, FILE__LOCK); 3932 } 3933 3934 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3935 unsigned long arg) 3936 { 3937 const struct cred *cred = current_cred(); 3938 int err = 0; 3939 3940 switch (cmd) { 3941 case F_SETFL: 3942 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3943 err = file_has_perm(cred, file, FILE__WRITE); 3944 break; 3945 } 3946 fallthrough; 3947 case F_SETOWN: 3948 case F_SETSIG: 3949 case F_GETFL: 3950 case F_GETOWN: 3951 case F_GETSIG: 3952 case F_GETOWNER_UIDS: 3953 /* Just check FD__USE permission */ 3954 err = file_has_perm(cred, file, 0); 3955 break; 3956 case F_GETLK: 3957 case F_SETLK: 3958 case F_SETLKW: 3959 case F_OFD_GETLK: 3960 case F_OFD_SETLK: 3961 case F_OFD_SETLKW: 3962 #if BITS_PER_LONG == 32 3963 case F_GETLK64: 3964 case F_SETLK64: 3965 case F_SETLKW64: 3966 #endif 3967 err = file_has_perm(cred, file, FILE__LOCK); 3968 break; 3969 } 3970 3971 return err; 3972 } 3973 3974 static void selinux_file_set_fowner(struct file *file) 3975 { 3976 struct file_security_struct *fsec; 3977 3978 fsec = selinux_file(file); 3979 fsec->fown_sid = current_sid(); 3980 } 3981 3982 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3983 struct fown_struct *fown, int signum) 3984 { 3985 struct file *file; 3986 u32 sid = task_sid_obj(tsk); 3987 u32 perm; 3988 struct file_security_struct *fsec; 3989 3990 /* struct fown_struct is never outside the context of a struct file */ 3991 file = container_of(fown, struct file, f_owner); 3992 3993 fsec = selinux_file(file); 3994 3995 if (!signum) 3996 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3997 else 3998 perm = signal_to_av(signum); 3999 4000 return avc_has_perm(&selinux_state, 4001 fsec->fown_sid, sid, 4002 SECCLASS_PROCESS, perm, NULL); 4003 } 4004 4005 static int selinux_file_receive(struct file *file) 4006 { 4007 const struct cred *cred = current_cred(); 4008 4009 return file_has_perm(cred, file, file_to_av(file)); 4010 } 4011 4012 static int selinux_file_open(struct file *file) 4013 { 4014 struct file_security_struct *fsec; 4015 struct inode_security_struct *isec; 4016 4017 fsec = selinux_file(file); 4018 isec = inode_security(file_inode(file)); 4019 /* 4020 * Save inode label and policy sequence number 4021 * at open-time so that selinux_file_permission 4022 * can determine whether revalidation is necessary. 4023 * Task label is already saved in the file security 4024 * struct as its SID. 4025 */ 4026 fsec->isid = isec->sid; 4027 fsec->pseqno = avc_policy_seqno(&selinux_state); 4028 /* 4029 * Since the inode label or policy seqno may have changed 4030 * between the selinux_inode_permission check and the saving 4031 * of state above, recheck that access is still permitted. 4032 * Otherwise, access might never be revalidated against the 4033 * new inode label or new policy. 4034 * This check is not redundant - do not remove. 4035 */ 4036 return file_path_has_perm(file->f_cred, file, open_file_to_av(file)); 4037 } 4038 4039 /* task security operations */ 4040 4041 static int selinux_task_alloc(struct task_struct *task, 4042 unsigned long clone_flags) 4043 { 4044 u32 sid = current_sid(); 4045 4046 return avc_has_perm(&selinux_state, 4047 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 4048 } 4049 4050 /* 4051 * prepare a new set of credentials for modification 4052 */ 4053 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 4054 gfp_t gfp) 4055 { 4056 const struct task_security_struct *old_tsec = selinux_cred(old); 4057 struct task_security_struct *tsec = selinux_cred(new); 4058 4059 *tsec = *old_tsec; 4060 return 0; 4061 } 4062 4063 /* 4064 * transfer the SELinux data to a blank set of creds 4065 */ 4066 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 4067 { 4068 const struct task_security_struct *old_tsec = selinux_cred(old); 4069 struct task_security_struct *tsec = selinux_cred(new); 4070 4071 *tsec = *old_tsec; 4072 } 4073 4074 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 4075 { 4076 *secid = cred_sid(c); 4077 } 4078 4079 /* 4080 * set the security data for a kernel service 4081 * - all the creation contexts are set to unlabelled 4082 */ 4083 static int selinux_kernel_act_as(struct cred *new, u32 secid) 4084 { 4085 struct task_security_struct *tsec = selinux_cred(new); 4086 u32 sid = current_sid(); 4087 int ret; 4088 4089 ret = avc_has_perm(&selinux_state, 4090 sid, secid, 4091 SECCLASS_KERNEL_SERVICE, 4092 KERNEL_SERVICE__USE_AS_OVERRIDE, 4093 NULL); 4094 if (ret == 0) { 4095 tsec->sid = secid; 4096 tsec->create_sid = 0; 4097 tsec->keycreate_sid = 0; 4098 tsec->sockcreate_sid = 0; 4099 } 4100 return ret; 4101 } 4102 4103 /* 4104 * set the file creation context in a security record to the same as the 4105 * objective context of the specified inode 4106 */ 4107 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 4108 { 4109 struct inode_security_struct *isec = inode_security(inode); 4110 struct task_security_struct *tsec = selinux_cred(new); 4111 u32 sid = current_sid(); 4112 int ret; 4113 4114 ret = avc_has_perm(&selinux_state, 4115 sid, isec->sid, 4116 SECCLASS_KERNEL_SERVICE, 4117 KERNEL_SERVICE__CREATE_FILES_AS, 4118 NULL); 4119 4120 if (ret == 0) 4121 tsec->create_sid = isec->sid; 4122 return ret; 4123 } 4124 4125 static int selinux_kernel_module_request(char *kmod_name) 4126 { 4127 struct common_audit_data ad; 4128 4129 ad.type = LSM_AUDIT_DATA_KMOD; 4130 ad.u.kmod_name = kmod_name; 4131 4132 return avc_has_perm(&selinux_state, 4133 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4134 SYSTEM__MODULE_REQUEST, &ad); 4135 } 4136 4137 static int selinux_kernel_module_from_file(struct file *file) 4138 { 4139 struct common_audit_data ad; 4140 struct inode_security_struct *isec; 4141 struct file_security_struct *fsec; 4142 u32 sid = current_sid(); 4143 int rc; 4144 4145 /* init_module */ 4146 if (file == NULL) 4147 return avc_has_perm(&selinux_state, 4148 sid, sid, SECCLASS_SYSTEM, 4149 SYSTEM__MODULE_LOAD, NULL); 4150 4151 /* finit_module */ 4152 4153 ad.type = LSM_AUDIT_DATA_FILE; 4154 ad.u.file = file; 4155 4156 fsec = selinux_file(file); 4157 if (sid != fsec->sid) { 4158 rc = avc_has_perm(&selinux_state, 4159 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4160 if (rc) 4161 return rc; 4162 } 4163 4164 isec = inode_security(file_inode(file)); 4165 return avc_has_perm(&selinux_state, 4166 sid, isec->sid, SECCLASS_SYSTEM, 4167 SYSTEM__MODULE_LOAD, &ad); 4168 } 4169 4170 static int selinux_kernel_read_file(struct file *file, 4171 enum kernel_read_file_id id, 4172 bool contents) 4173 { 4174 int rc = 0; 4175 4176 switch (id) { 4177 case READING_MODULE: 4178 rc = selinux_kernel_module_from_file(contents ? file : NULL); 4179 break; 4180 default: 4181 break; 4182 } 4183 4184 return rc; 4185 } 4186 4187 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents) 4188 { 4189 int rc = 0; 4190 4191 switch (id) { 4192 case LOADING_MODULE: 4193 rc = selinux_kernel_module_from_file(NULL); 4194 break; 4195 default: 4196 break; 4197 } 4198 4199 return rc; 4200 } 4201 4202 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4203 { 4204 return avc_has_perm(&selinux_state, 4205 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4206 PROCESS__SETPGID, NULL); 4207 } 4208 4209 static int selinux_task_getpgid(struct task_struct *p) 4210 { 4211 return avc_has_perm(&selinux_state, 4212 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4213 PROCESS__GETPGID, NULL); 4214 } 4215 4216 static int selinux_task_getsid(struct task_struct *p) 4217 { 4218 return avc_has_perm(&selinux_state, 4219 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4220 PROCESS__GETSESSION, NULL); 4221 } 4222 4223 static void selinux_task_getsecid_subj(struct task_struct *p, u32 *secid) 4224 { 4225 *secid = task_sid_subj(p); 4226 } 4227 4228 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid) 4229 { 4230 *secid = task_sid_obj(p); 4231 } 4232 4233 static int selinux_task_setnice(struct task_struct *p, int nice) 4234 { 4235 return avc_has_perm(&selinux_state, 4236 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4237 PROCESS__SETSCHED, NULL); 4238 } 4239 4240 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4241 { 4242 return avc_has_perm(&selinux_state, 4243 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4244 PROCESS__SETSCHED, NULL); 4245 } 4246 4247 static int selinux_task_getioprio(struct task_struct *p) 4248 { 4249 return avc_has_perm(&selinux_state, 4250 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4251 PROCESS__GETSCHED, NULL); 4252 } 4253 4254 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4255 unsigned int flags) 4256 { 4257 u32 av = 0; 4258 4259 if (!flags) 4260 return 0; 4261 if (flags & LSM_PRLIMIT_WRITE) 4262 av |= PROCESS__SETRLIMIT; 4263 if (flags & LSM_PRLIMIT_READ) 4264 av |= PROCESS__GETRLIMIT; 4265 return avc_has_perm(&selinux_state, 4266 cred_sid(cred), cred_sid(tcred), 4267 SECCLASS_PROCESS, av, NULL); 4268 } 4269 4270 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4271 struct rlimit *new_rlim) 4272 { 4273 struct rlimit *old_rlim = p->signal->rlim + resource; 4274 4275 /* Control the ability to change the hard limit (whether 4276 lowering or raising it), so that the hard limit can 4277 later be used as a safe reset point for the soft limit 4278 upon context transitions. See selinux_bprm_committing_creds. */ 4279 if (old_rlim->rlim_max != new_rlim->rlim_max) 4280 return avc_has_perm(&selinux_state, 4281 current_sid(), task_sid_obj(p), 4282 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4283 4284 return 0; 4285 } 4286 4287 static int selinux_task_setscheduler(struct task_struct *p) 4288 { 4289 return avc_has_perm(&selinux_state, 4290 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4291 PROCESS__SETSCHED, NULL); 4292 } 4293 4294 static int selinux_task_getscheduler(struct task_struct *p) 4295 { 4296 return avc_has_perm(&selinux_state, 4297 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4298 PROCESS__GETSCHED, NULL); 4299 } 4300 4301 static int selinux_task_movememory(struct task_struct *p) 4302 { 4303 return avc_has_perm(&selinux_state, 4304 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4305 PROCESS__SETSCHED, NULL); 4306 } 4307 4308 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, 4309 int sig, const struct cred *cred) 4310 { 4311 u32 secid; 4312 u32 perm; 4313 4314 if (!sig) 4315 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4316 else 4317 perm = signal_to_av(sig); 4318 if (!cred) 4319 secid = current_sid(); 4320 else 4321 secid = cred_sid(cred); 4322 return avc_has_perm(&selinux_state, 4323 secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL); 4324 } 4325 4326 static void selinux_task_to_inode(struct task_struct *p, 4327 struct inode *inode) 4328 { 4329 struct inode_security_struct *isec = selinux_inode(inode); 4330 u32 sid = task_sid_obj(p); 4331 4332 spin_lock(&isec->lock); 4333 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4334 isec->sid = sid; 4335 isec->initialized = LABEL_INITIALIZED; 4336 spin_unlock(&isec->lock); 4337 } 4338 4339 /* Returns error only if unable to parse addresses */ 4340 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4341 struct common_audit_data *ad, u8 *proto) 4342 { 4343 int offset, ihlen, ret = -EINVAL; 4344 struct iphdr _iph, *ih; 4345 4346 offset = skb_network_offset(skb); 4347 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4348 if (ih == NULL) 4349 goto out; 4350 4351 ihlen = ih->ihl * 4; 4352 if (ihlen < sizeof(_iph)) 4353 goto out; 4354 4355 ad->u.net->v4info.saddr = ih->saddr; 4356 ad->u.net->v4info.daddr = ih->daddr; 4357 ret = 0; 4358 4359 if (proto) 4360 *proto = ih->protocol; 4361 4362 switch (ih->protocol) { 4363 case IPPROTO_TCP: { 4364 struct tcphdr _tcph, *th; 4365 4366 if (ntohs(ih->frag_off) & IP_OFFSET) 4367 break; 4368 4369 offset += ihlen; 4370 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4371 if (th == NULL) 4372 break; 4373 4374 ad->u.net->sport = th->source; 4375 ad->u.net->dport = th->dest; 4376 break; 4377 } 4378 4379 case IPPROTO_UDP: { 4380 struct udphdr _udph, *uh; 4381 4382 if (ntohs(ih->frag_off) & IP_OFFSET) 4383 break; 4384 4385 offset += ihlen; 4386 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4387 if (uh == NULL) 4388 break; 4389 4390 ad->u.net->sport = uh->source; 4391 ad->u.net->dport = uh->dest; 4392 break; 4393 } 4394 4395 case IPPROTO_DCCP: { 4396 struct dccp_hdr _dccph, *dh; 4397 4398 if (ntohs(ih->frag_off) & IP_OFFSET) 4399 break; 4400 4401 offset += ihlen; 4402 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4403 if (dh == NULL) 4404 break; 4405 4406 ad->u.net->sport = dh->dccph_sport; 4407 ad->u.net->dport = dh->dccph_dport; 4408 break; 4409 } 4410 4411 #if IS_ENABLED(CONFIG_IP_SCTP) 4412 case IPPROTO_SCTP: { 4413 struct sctphdr _sctph, *sh; 4414 4415 if (ntohs(ih->frag_off) & IP_OFFSET) 4416 break; 4417 4418 offset += ihlen; 4419 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4420 if (sh == NULL) 4421 break; 4422 4423 ad->u.net->sport = sh->source; 4424 ad->u.net->dport = sh->dest; 4425 break; 4426 } 4427 #endif 4428 default: 4429 break; 4430 } 4431 out: 4432 return ret; 4433 } 4434 4435 #if IS_ENABLED(CONFIG_IPV6) 4436 4437 /* Returns error only if unable to parse addresses */ 4438 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4439 struct common_audit_data *ad, u8 *proto) 4440 { 4441 u8 nexthdr; 4442 int ret = -EINVAL, offset; 4443 struct ipv6hdr _ipv6h, *ip6; 4444 __be16 frag_off; 4445 4446 offset = skb_network_offset(skb); 4447 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4448 if (ip6 == NULL) 4449 goto out; 4450 4451 ad->u.net->v6info.saddr = ip6->saddr; 4452 ad->u.net->v6info.daddr = ip6->daddr; 4453 ret = 0; 4454 4455 nexthdr = ip6->nexthdr; 4456 offset += sizeof(_ipv6h); 4457 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4458 if (offset < 0) 4459 goto out; 4460 4461 if (proto) 4462 *proto = nexthdr; 4463 4464 switch (nexthdr) { 4465 case IPPROTO_TCP: { 4466 struct tcphdr _tcph, *th; 4467 4468 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4469 if (th == NULL) 4470 break; 4471 4472 ad->u.net->sport = th->source; 4473 ad->u.net->dport = th->dest; 4474 break; 4475 } 4476 4477 case IPPROTO_UDP: { 4478 struct udphdr _udph, *uh; 4479 4480 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4481 if (uh == NULL) 4482 break; 4483 4484 ad->u.net->sport = uh->source; 4485 ad->u.net->dport = uh->dest; 4486 break; 4487 } 4488 4489 case IPPROTO_DCCP: { 4490 struct dccp_hdr _dccph, *dh; 4491 4492 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4493 if (dh == NULL) 4494 break; 4495 4496 ad->u.net->sport = dh->dccph_sport; 4497 ad->u.net->dport = dh->dccph_dport; 4498 break; 4499 } 4500 4501 #if IS_ENABLED(CONFIG_IP_SCTP) 4502 case IPPROTO_SCTP: { 4503 struct sctphdr _sctph, *sh; 4504 4505 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4506 if (sh == NULL) 4507 break; 4508 4509 ad->u.net->sport = sh->source; 4510 ad->u.net->dport = sh->dest; 4511 break; 4512 } 4513 #endif 4514 /* includes fragments */ 4515 default: 4516 break; 4517 } 4518 out: 4519 return ret; 4520 } 4521 4522 #endif /* IPV6 */ 4523 4524 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4525 char **_addrp, int src, u8 *proto) 4526 { 4527 char *addrp; 4528 int ret; 4529 4530 switch (ad->u.net->family) { 4531 case PF_INET: 4532 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4533 if (ret) 4534 goto parse_error; 4535 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4536 &ad->u.net->v4info.daddr); 4537 goto okay; 4538 4539 #if IS_ENABLED(CONFIG_IPV6) 4540 case PF_INET6: 4541 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4542 if (ret) 4543 goto parse_error; 4544 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4545 &ad->u.net->v6info.daddr); 4546 goto okay; 4547 #endif /* IPV6 */ 4548 default: 4549 addrp = NULL; 4550 goto okay; 4551 } 4552 4553 parse_error: 4554 pr_warn( 4555 "SELinux: failure in selinux_parse_skb()," 4556 " unable to parse packet\n"); 4557 return ret; 4558 4559 okay: 4560 if (_addrp) 4561 *_addrp = addrp; 4562 return 0; 4563 } 4564 4565 /** 4566 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4567 * @skb: the packet 4568 * @family: protocol family 4569 * @sid: the packet's peer label SID 4570 * 4571 * Description: 4572 * Check the various different forms of network peer labeling and determine 4573 * the peer label/SID for the packet; most of the magic actually occurs in 4574 * the security server function security_net_peersid_cmp(). The function 4575 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4576 * or -EACCES if @sid is invalid due to inconsistencies with the different 4577 * peer labels. 4578 * 4579 */ 4580 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4581 { 4582 int err; 4583 u32 xfrm_sid; 4584 u32 nlbl_sid; 4585 u32 nlbl_type; 4586 4587 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4588 if (unlikely(err)) 4589 return -EACCES; 4590 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4591 if (unlikely(err)) 4592 return -EACCES; 4593 4594 err = security_net_peersid_resolve(&selinux_state, nlbl_sid, 4595 nlbl_type, xfrm_sid, sid); 4596 if (unlikely(err)) { 4597 pr_warn( 4598 "SELinux: failure in selinux_skb_peerlbl_sid()," 4599 " unable to determine packet's peer label\n"); 4600 return -EACCES; 4601 } 4602 4603 return 0; 4604 } 4605 4606 /** 4607 * selinux_conn_sid - Determine the child socket label for a connection 4608 * @sk_sid: the parent socket's SID 4609 * @skb_sid: the packet's SID 4610 * @conn_sid: the resulting connection SID 4611 * 4612 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4613 * combined with the MLS information from @skb_sid in order to create 4614 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy 4615 * of @sk_sid. Returns zero on success, negative values on failure. 4616 * 4617 */ 4618 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4619 { 4620 int err = 0; 4621 4622 if (skb_sid != SECSID_NULL) 4623 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid, 4624 conn_sid); 4625 else 4626 *conn_sid = sk_sid; 4627 4628 return err; 4629 } 4630 4631 /* socket security operations */ 4632 4633 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4634 u16 secclass, u32 *socksid) 4635 { 4636 if (tsec->sockcreate_sid > SECSID_NULL) { 4637 *socksid = tsec->sockcreate_sid; 4638 return 0; 4639 } 4640 4641 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid, 4642 secclass, NULL, socksid); 4643 } 4644 4645 static int sock_has_perm(struct sock *sk, u32 perms) 4646 { 4647 struct sk_security_struct *sksec = sk->sk_security; 4648 struct common_audit_data ad; 4649 struct lsm_network_audit net = {0,}; 4650 4651 if (sksec->sid == SECINITSID_KERNEL) 4652 return 0; 4653 4654 ad.type = LSM_AUDIT_DATA_NET; 4655 ad.u.net = &net; 4656 ad.u.net->sk = sk; 4657 4658 return avc_has_perm(&selinux_state, 4659 current_sid(), sksec->sid, sksec->sclass, perms, 4660 &ad); 4661 } 4662 4663 static int selinux_socket_create(int family, int type, 4664 int protocol, int kern) 4665 { 4666 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4667 u32 newsid; 4668 u16 secclass; 4669 int rc; 4670 4671 if (kern) 4672 return 0; 4673 4674 secclass = socket_type_to_security_class(family, type, protocol); 4675 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4676 if (rc) 4677 return rc; 4678 4679 return avc_has_perm(&selinux_state, 4680 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4681 } 4682 4683 static int selinux_socket_post_create(struct socket *sock, int family, 4684 int type, int protocol, int kern) 4685 { 4686 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4687 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4688 struct sk_security_struct *sksec; 4689 u16 sclass = socket_type_to_security_class(family, type, protocol); 4690 u32 sid = SECINITSID_KERNEL; 4691 int err = 0; 4692 4693 if (!kern) { 4694 err = socket_sockcreate_sid(tsec, sclass, &sid); 4695 if (err) 4696 return err; 4697 } 4698 4699 isec->sclass = sclass; 4700 isec->sid = sid; 4701 isec->initialized = LABEL_INITIALIZED; 4702 4703 if (sock->sk) { 4704 sksec = sock->sk->sk_security; 4705 sksec->sclass = sclass; 4706 sksec->sid = sid; 4707 /* Allows detection of the first association on this socket */ 4708 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4709 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4710 4711 err = selinux_netlbl_socket_post_create(sock->sk, family); 4712 } 4713 4714 return err; 4715 } 4716 4717 static int selinux_socket_socketpair(struct socket *socka, 4718 struct socket *sockb) 4719 { 4720 struct sk_security_struct *sksec_a = socka->sk->sk_security; 4721 struct sk_security_struct *sksec_b = sockb->sk->sk_security; 4722 4723 sksec_a->peer_sid = sksec_b->sid; 4724 sksec_b->peer_sid = sksec_a->sid; 4725 4726 return 0; 4727 } 4728 4729 /* Range of port numbers used to automatically bind. 4730 Need to determine whether we should perform a name_bind 4731 permission check between the socket and the port number. */ 4732 4733 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4734 { 4735 struct sock *sk = sock->sk; 4736 struct sk_security_struct *sksec = sk->sk_security; 4737 u16 family; 4738 int err; 4739 4740 err = sock_has_perm(sk, SOCKET__BIND); 4741 if (err) 4742 goto out; 4743 4744 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4745 family = sk->sk_family; 4746 if (family == PF_INET || family == PF_INET6) { 4747 char *addrp; 4748 struct common_audit_data ad; 4749 struct lsm_network_audit net = {0,}; 4750 struct sockaddr_in *addr4 = NULL; 4751 struct sockaddr_in6 *addr6 = NULL; 4752 u16 family_sa; 4753 unsigned short snum; 4754 u32 sid, node_perm; 4755 4756 /* 4757 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4758 * that validates multiple binding addresses. Because of this 4759 * need to check address->sa_family as it is possible to have 4760 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4761 */ 4762 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4763 return -EINVAL; 4764 family_sa = address->sa_family; 4765 switch (family_sa) { 4766 case AF_UNSPEC: 4767 case AF_INET: 4768 if (addrlen < sizeof(struct sockaddr_in)) 4769 return -EINVAL; 4770 addr4 = (struct sockaddr_in *)address; 4771 if (family_sa == AF_UNSPEC) { 4772 /* see __inet_bind(), we only want to allow 4773 * AF_UNSPEC if the address is INADDR_ANY 4774 */ 4775 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4776 goto err_af; 4777 family_sa = AF_INET; 4778 } 4779 snum = ntohs(addr4->sin_port); 4780 addrp = (char *)&addr4->sin_addr.s_addr; 4781 break; 4782 case AF_INET6: 4783 if (addrlen < SIN6_LEN_RFC2133) 4784 return -EINVAL; 4785 addr6 = (struct sockaddr_in6 *)address; 4786 snum = ntohs(addr6->sin6_port); 4787 addrp = (char *)&addr6->sin6_addr.s6_addr; 4788 break; 4789 default: 4790 goto err_af; 4791 } 4792 4793 ad.type = LSM_AUDIT_DATA_NET; 4794 ad.u.net = &net; 4795 ad.u.net->sport = htons(snum); 4796 ad.u.net->family = family_sa; 4797 4798 if (snum) { 4799 int low, high; 4800 4801 inet_get_local_port_range(sock_net(sk), &low, &high); 4802 4803 if (inet_port_requires_bind_service(sock_net(sk), snum) || 4804 snum < low || snum > high) { 4805 err = sel_netport_sid(sk->sk_protocol, 4806 snum, &sid); 4807 if (err) 4808 goto out; 4809 err = avc_has_perm(&selinux_state, 4810 sksec->sid, sid, 4811 sksec->sclass, 4812 SOCKET__NAME_BIND, &ad); 4813 if (err) 4814 goto out; 4815 } 4816 } 4817 4818 switch (sksec->sclass) { 4819 case SECCLASS_TCP_SOCKET: 4820 node_perm = TCP_SOCKET__NODE_BIND; 4821 break; 4822 4823 case SECCLASS_UDP_SOCKET: 4824 node_perm = UDP_SOCKET__NODE_BIND; 4825 break; 4826 4827 case SECCLASS_DCCP_SOCKET: 4828 node_perm = DCCP_SOCKET__NODE_BIND; 4829 break; 4830 4831 case SECCLASS_SCTP_SOCKET: 4832 node_perm = SCTP_SOCKET__NODE_BIND; 4833 break; 4834 4835 default: 4836 node_perm = RAWIP_SOCKET__NODE_BIND; 4837 break; 4838 } 4839 4840 err = sel_netnode_sid(addrp, family_sa, &sid); 4841 if (err) 4842 goto out; 4843 4844 if (family_sa == AF_INET) 4845 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4846 else 4847 ad.u.net->v6info.saddr = addr6->sin6_addr; 4848 4849 err = avc_has_perm(&selinux_state, 4850 sksec->sid, sid, 4851 sksec->sclass, node_perm, &ad); 4852 if (err) 4853 goto out; 4854 } 4855 out: 4856 return err; 4857 err_af: 4858 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4859 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4860 return -EINVAL; 4861 return -EAFNOSUPPORT; 4862 } 4863 4864 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 4865 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst 4866 */ 4867 static int selinux_socket_connect_helper(struct socket *sock, 4868 struct sockaddr *address, int addrlen) 4869 { 4870 struct sock *sk = sock->sk; 4871 struct sk_security_struct *sksec = sk->sk_security; 4872 int err; 4873 4874 err = sock_has_perm(sk, SOCKET__CONNECT); 4875 if (err) 4876 return err; 4877 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4878 return -EINVAL; 4879 4880 /* connect(AF_UNSPEC) has special handling, as it is a documented 4881 * way to disconnect the socket 4882 */ 4883 if (address->sa_family == AF_UNSPEC) 4884 return 0; 4885 4886 /* 4887 * If a TCP, DCCP or SCTP socket, check name_connect permission 4888 * for the port. 4889 */ 4890 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4891 sksec->sclass == SECCLASS_DCCP_SOCKET || 4892 sksec->sclass == SECCLASS_SCTP_SOCKET) { 4893 struct common_audit_data ad; 4894 struct lsm_network_audit net = {0,}; 4895 struct sockaddr_in *addr4 = NULL; 4896 struct sockaddr_in6 *addr6 = NULL; 4897 unsigned short snum; 4898 u32 sid, perm; 4899 4900 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 4901 * that validates multiple connect addresses. Because of this 4902 * need to check address->sa_family as it is possible to have 4903 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4904 */ 4905 switch (address->sa_family) { 4906 case AF_INET: 4907 addr4 = (struct sockaddr_in *)address; 4908 if (addrlen < sizeof(struct sockaddr_in)) 4909 return -EINVAL; 4910 snum = ntohs(addr4->sin_port); 4911 break; 4912 case AF_INET6: 4913 addr6 = (struct sockaddr_in6 *)address; 4914 if (addrlen < SIN6_LEN_RFC2133) 4915 return -EINVAL; 4916 snum = ntohs(addr6->sin6_port); 4917 break; 4918 default: 4919 /* Note that SCTP services expect -EINVAL, whereas 4920 * others expect -EAFNOSUPPORT. 4921 */ 4922 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4923 return -EINVAL; 4924 else 4925 return -EAFNOSUPPORT; 4926 } 4927 4928 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4929 if (err) 4930 return err; 4931 4932 switch (sksec->sclass) { 4933 case SECCLASS_TCP_SOCKET: 4934 perm = TCP_SOCKET__NAME_CONNECT; 4935 break; 4936 case SECCLASS_DCCP_SOCKET: 4937 perm = DCCP_SOCKET__NAME_CONNECT; 4938 break; 4939 case SECCLASS_SCTP_SOCKET: 4940 perm = SCTP_SOCKET__NAME_CONNECT; 4941 break; 4942 } 4943 4944 ad.type = LSM_AUDIT_DATA_NET; 4945 ad.u.net = &net; 4946 ad.u.net->dport = htons(snum); 4947 ad.u.net->family = address->sa_family; 4948 err = avc_has_perm(&selinux_state, 4949 sksec->sid, sid, sksec->sclass, perm, &ad); 4950 if (err) 4951 return err; 4952 } 4953 4954 return 0; 4955 } 4956 4957 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 4958 static int selinux_socket_connect(struct socket *sock, 4959 struct sockaddr *address, int addrlen) 4960 { 4961 int err; 4962 struct sock *sk = sock->sk; 4963 4964 err = selinux_socket_connect_helper(sock, address, addrlen); 4965 if (err) 4966 return err; 4967 4968 return selinux_netlbl_socket_connect(sk, address); 4969 } 4970 4971 static int selinux_socket_listen(struct socket *sock, int backlog) 4972 { 4973 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4974 } 4975 4976 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4977 { 4978 int err; 4979 struct inode_security_struct *isec; 4980 struct inode_security_struct *newisec; 4981 u16 sclass; 4982 u32 sid; 4983 4984 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4985 if (err) 4986 return err; 4987 4988 isec = inode_security_novalidate(SOCK_INODE(sock)); 4989 spin_lock(&isec->lock); 4990 sclass = isec->sclass; 4991 sid = isec->sid; 4992 spin_unlock(&isec->lock); 4993 4994 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4995 newisec->sclass = sclass; 4996 newisec->sid = sid; 4997 newisec->initialized = LABEL_INITIALIZED; 4998 4999 return 0; 5000 } 5001 5002 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 5003 int size) 5004 { 5005 return sock_has_perm(sock->sk, SOCKET__WRITE); 5006 } 5007 5008 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 5009 int size, int flags) 5010 { 5011 return sock_has_perm(sock->sk, SOCKET__READ); 5012 } 5013 5014 static int selinux_socket_getsockname(struct socket *sock) 5015 { 5016 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5017 } 5018 5019 static int selinux_socket_getpeername(struct socket *sock) 5020 { 5021 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5022 } 5023 5024 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 5025 { 5026 int err; 5027 5028 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 5029 if (err) 5030 return err; 5031 5032 return selinux_netlbl_socket_setsockopt(sock, level, optname); 5033 } 5034 5035 static int selinux_socket_getsockopt(struct socket *sock, int level, 5036 int optname) 5037 { 5038 return sock_has_perm(sock->sk, SOCKET__GETOPT); 5039 } 5040 5041 static int selinux_socket_shutdown(struct socket *sock, int how) 5042 { 5043 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 5044 } 5045 5046 static int selinux_socket_unix_stream_connect(struct sock *sock, 5047 struct sock *other, 5048 struct sock *newsk) 5049 { 5050 struct sk_security_struct *sksec_sock = sock->sk_security; 5051 struct sk_security_struct *sksec_other = other->sk_security; 5052 struct sk_security_struct *sksec_new = newsk->sk_security; 5053 struct common_audit_data ad; 5054 struct lsm_network_audit net = {0,}; 5055 int err; 5056 5057 ad.type = LSM_AUDIT_DATA_NET; 5058 ad.u.net = &net; 5059 ad.u.net->sk = other; 5060 5061 err = avc_has_perm(&selinux_state, 5062 sksec_sock->sid, sksec_other->sid, 5063 sksec_other->sclass, 5064 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 5065 if (err) 5066 return err; 5067 5068 /* server child socket */ 5069 sksec_new->peer_sid = sksec_sock->sid; 5070 err = security_sid_mls_copy(&selinux_state, sksec_other->sid, 5071 sksec_sock->sid, &sksec_new->sid); 5072 if (err) 5073 return err; 5074 5075 /* connecting socket */ 5076 sksec_sock->peer_sid = sksec_new->sid; 5077 5078 return 0; 5079 } 5080 5081 static int selinux_socket_unix_may_send(struct socket *sock, 5082 struct socket *other) 5083 { 5084 struct sk_security_struct *ssec = sock->sk->sk_security; 5085 struct sk_security_struct *osec = other->sk->sk_security; 5086 struct common_audit_data ad; 5087 struct lsm_network_audit net = {0,}; 5088 5089 ad.type = LSM_AUDIT_DATA_NET; 5090 ad.u.net = &net; 5091 ad.u.net->sk = other->sk; 5092 5093 return avc_has_perm(&selinux_state, 5094 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 5095 &ad); 5096 } 5097 5098 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 5099 char *addrp, u16 family, u32 peer_sid, 5100 struct common_audit_data *ad) 5101 { 5102 int err; 5103 u32 if_sid; 5104 u32 node_sid; 5105 5106 err = sel_netif_sid(ns, ifindex, &if_sid); 5107 if (err) 5108 return err; 5109 err = avc_has_perm(&selinux_state, 5110 peer_sid, if_sid, 5111 SECCLASS_NETIF, NETIF__INGRESS, ad); 5112 if (err) 5113 return err; 5114 5115 err = sel_netnode_sid(addrp, family, &node_sid); 5116 if (err) 5117 return err; 5118 return avc_has_perm(&selinux_state, 5119 peer_sid, node_sid, 5120 SECCLASS_NODE, NODE__RECVFROM, ad); 5121 } 5122 5123 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 5124 u16 family) 5125 { 5126 int err = 0; 5127 struct sk_security_struct *sksec = sk->sk_security; 5128 u32 sk_sid = sksec->sid; 5129 struct common_audit_data ad; 5130 struct lsm_network_audit net = {0,}; 5131 char *addrp; 5132 5133 ad.type = LSM_AUDIT_DATA_NET; 5134 ad.u.net = &net; 5135 ad.u.net->netif = skb->skb_iif; 5136 ad.u.net->family = family; 5137 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5138 if (err) 5139 return err; 5140 5141 if (selinux_secmark_enabled()) { 5142 err = avc_has_perm(&selinux_state, 5143 sk_sid, skb->secmark, SECCLASS_PACKET, 5144 PACKET__RECV, &ad); 5145 if (err) 5146 return err; 5147 } 5148 5149 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 5150 if (err) 5151 return err; 5152 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 5153 5154 return err; 5155 } 5156 5157 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 5158 { 5159 int err; 5160 struct sk_security_struct *sksec = sk->sk_security; 5161 u16 family = sk->sk_family; 5162 u32 sk_sid = sksec->sid; 5163 struct common_audit_data ad; 5164 struct lsm_network_audit net = {0,}; 5165 char *addrp; 5166 u8 secmark_active; 5167 u8 peerlbl_active; 5168 5169 if (family != PF_INET && family != PF_INET6) 5170 return 0; 5171 5172 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5173 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5174 family = PF_INET; 5175 5176 /* If any sort of compatibility mode is enabled then handoff processing 5177 * to the selinux_sock_rcv_skb_compat() function to deal with the 5178 * special handling. We do this in an attempt to keep this function 5179 * as fast and as clean as possible. */ 5180 if (!selinux_policycap_netpeer()) 5181 return selinux_sock_rcv_skb_compat(sk, skb, family); 5182 5183 secmark_active = selinux_secmark_enabled(); 5184 peerlbl_active = selinux_peerlbl_enabled(); 5185 if (!secmark_active && !peerlbl_active) 5186 return 0; 5187 5188 ad.type = LSM_AUDIT_DATA_NET; 5189 ad.u.net = &net; 5190 ad.u.net->netif = skb->skb_iif; 5191 ad.u.net->family = family; 5192 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5193 if (err) 5194 return err; 5195 5196 if (peerlbl_active) { 5197 u32 peer_sid; 5198 5199 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5200 if (err) 5201 return err; 5202 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5203 addrp, family, peer_sid, &ad); 5204 if (err) { 5205 selinux_netlbl_err(skb, family, err, 0); 5206 return err; 5207 } 5208 err = avc_has_perm(&selinux_state, 5209 sk_sid, peer_sid, SECCLASS_PEER, 5210 PEER__RECV, &ad); 5211 if (err) { 5212 selinux_netlbl_err(skb, family, err, 0); 5213 return err; 5214 } 5215 } 5216 5217 if (secmark_active) { 5218 err = avc_has_perm(&selinux_state, 5219 sk_sid, skb->secmark, SECCLASS_PACKET, 5220 PACKET__RECV, &ad); 5221 if (err) 5222 return err; 5223 } 5224 5225 return err; 5226 } 5227 5228 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 5229 int __user *optlen, unsigned len) 5230 { 5231 int err = 0; 5232 char *scontext; 5233 u32 scontext_len; 5234 struct sk_security_struct *sksec = sock->sk->sk_security; 5235 u32 peer_sid = SECSID_NULL; 5236 5237 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5238 sksec->sclass == SECCLASS_TCP_SOCKET || 5239 sksec->sclass == SECCLASS_SCTP_SOCKET) 5240 peer_sid = sksec->peer_sid; 5241 if (peer_sid == SECSID_NULL) 5242 return -ENOPROTOOPT; 5243 5244 err = security_sid_to_context(&selinux_state, peer_sid, &scontext, 5245 &scontext_len); 5246 if (err) 5247 return err; 5248 5249 if (scontext_len > len) { 5250 err = -ERANGE; 5251 goto out_len; 5252 } 5253 5254 if (copy_to_user(optval, scontext, scontext_len)) 5255 err = -EFAULT; 5256 5257 out_len: 5258 if (put_user(scontext_len, optlen)) 5259 err = -EFAULT; 5260 kfree(scontext); 5261 return err; 5262 } 5263 5264 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 5265 { 5266 u32 peer_secid = SECSID_NULL; 5267 u16 family; 5268 struct inode_security_struct *isec; 5269 5270 if (skb && skb->protocol == htons(ETH_P_IP)) 5271 family = PF_INET; 5272 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5273 family = PF_INET6; 5274 else if (sock) 5275 family = sock->sk->sk_family; 5276 else 5277 goto out; 5278 5279 if (sock && family == PF_UNIX) { 5280 isec = inode_security_novalidate(SOCK_INODE(sock)); 5281 peer_secid = isec->sid; 5282 } else if (skb) 5283 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5284 5285 out: 5286 *secid = peer_secid; 5287 if (peer_secid == SECSID_NULL) 5288 return -EINVAL; 5289 return 0; 5290 } 5291 5292 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5293 { 5294 struct sk_security_struct *sksec; 5295 5296 sksec = kzalloc(sizeof(*sksec), priority); 5297 if (!sksec) 5298 return -ENOMEM; 5299 5300 sksec->peer_sid = SECINITSID_UNLABELED; 5301 sksec->sid = SECINITSID_UNLABELED; 5302 sksec->sclass = SECCLASS_SOCKET; 5303 selinux_netlbl_sk_security_reset(sksec); 5304 sk->sk_security = sksec; 5305 5306 return 0; 5307 } 5308 5309 static void selinux_sk_free_security(struct sock *sk) 5310 { 5311 struct sk_security_struct *sksec = sk->sk_security; 5312 5313 sk->sk_security = NULL; 5314 selinux_netlbl_sk_security_free(sksec); 5315 kfree(sksec); 5316 } 5317 5318 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5319 { 5320 struct sk_security_struct *sksec = sk->sk_security; 5321 struct sk_security_struct *newsksec = newsk->sk_security; 5322 5323 newsksec->sid = sksec->sid; 5324 newsksec->peer_sid = sksec->peer_sid; 5325 newsksec->sclass = sksec->sclass; 5326 5327 selinux_netlbl_sk_security_reset(newsksec); 5328 } 5329 5330 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 5331 { 5332 if (!sk) 5333 *secid = SECINITSID_ANY_SOCKET; 5334 else { 5335 struct sk_security_struct *sksec = sk->sk_security; 5336 5337 *secid = sksec->sid; 5338 } 5339 } 5340 5341 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5342 { 5343 struct inode_security_struct *isec = 5344 inode_security_novalidate(SOCK_INODE(parent)); 5345 struct sk_security_struct *sksec = sk->sk_security; 5346 5347 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5348 sk->sk_family == PF_UNIX) 5349 isec->sid = sksec->sid; 5350 sksec->sclass = isec->sclass; 5351 } 5352 5353 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming 5354 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association 5355 * already present). 5356 */ 5357 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep, 5358 struct sk_buff *skb) 5359 { 5360 struct sk_security_struct *sksec = ep->base.sk->sk_security; 5361 struct common_audit_data ad; 5362 struct lsm_network_audit net = {0,}; 5363 u8 peerlbl_active; 5364 u32 peer_sid = SECINITSID_UNLABELED; 5365 u32 conn_sid; 5366 int err = 0; 5367 5368 if (!selinux_policycap_extsockclass()) 5369 return 0; 5370 5371 peerlbl_active = selinux_peerlbl_enabled(); 5372 5373 if (peerlbl_active) { 5374 /* This will return peer_sid = SECSID_NULL if there are 5375 * no peer labels, see security_net_peersid_resolve(). 5376 */ 5377 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family, 5378 &peer_sid); 5379 if (err) 5380 return err; 5381 5382 if (peer_sid == SECSID_NULL) 5383 peer_sid = SECINITSID_UNLABELED; 5384 } 5385 5386 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5387 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5388 5389 /* Here as first association on socket. As the peer SID 5390 * was allowed by peer recv (and the netif/node checks), 5391 * then it is approved by policy and used as the primary 5392 * peer SID for getpeercon(3). 5393 */ 5394 sksec->peer_sid = peer_sid; 5395 } else if (sksec->peer_sid != peer_sid) { 5396 /* Other association peer SIDs are checked to enforce 5397 * consistency among the peer SIDs. 5398 */ 5399 ad.type = LSM_AUDIT_DATA_NET; 5400 ad.u.net = &net; 5401 ad.u.net->sk = ep->base.sk; 5402 err = avc_has_perm(&selinux_state, 5403 sksec->peer_sid, peer_sid, sksec->sclass, 5404 SCTP_SOCKET__ASSOCIATION, &ad); 5405 if (err) 5406 return err; 5407 } 5408 5409 /* Compute the MLS component for the connection and store 5410 * the information in ep. This will be used by SCTP TCP type 5411 * sockets and peeled off connections as they cause a new 5412 * socket to be generated. selinux_sctp_sk_clone() will then 5413 * plug this into the new socket. 5414 */ 5415 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid); 5416 if (err) 5417 return err; 5418 5419 ep->secid = conn_sid; 5420 ep->peer_secid = peer_sid; 5421 5422 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5423 return selinux_netlbl_sctp_assoc_request(ep, skb); 5424 } 5425 5426 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5427 * based on their @optname. 5428 */ 5429 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5430 struct sockaddr *address, 5431 int addrlen) 5432 { 5433 int len, err = 0, walk_size = 0; 5434 void *addr_buf; 5435 struct sockaddr *addr; 5436 struct socket *sock; 5437 5438 if (!selinux_policycap_extsockclass()) 5439 return 0; 5440 5441 /* Process one or more addresses that may be IPv4 or IPv6 */ 5442 sock = sk->sk_socket; 5443 addr_buf = address; 5444 5445 while (walk_size < addrlen) { 5446 if (walk_size + sizeof(sa_family_t) > addrlen) 5447 return -EINVAL; 5448 5449 addr = addr_buf; 5450 switch (addr->sa_family) { 5451 case AF_UNSPEC: 5452 case AF_INET: 5453 len = sizeof(struct sockaddr_in); 5454 break; 5455 case AF_INET6: 5456 len = sizeof(struct sockaddr_in6); 5457 break; 5458 default: 5459 return -EINVAL; 5460 } 5461 5462 if (walk_size + len > addrlen) 5463 return -EINVAL; 5464 5465 err = -EINVAL; 5466 switch (optname) { 5467 /* Bind checks */ 5468 case SCTP_PRIMARY_ADDR: 5469 case SCTP_SET_PEER_PRIMARY_ADDR: 5470 case SCTP_SOCKOPT_BINDX_ADD: 5471 err = selinux_socket_bind(sock, addr, len); 5472 break; 5473 /* Connect checks */ 5474 case SCTP_SOCKOPT_CONNECTX: 5475 case SCTP_PARAM_SET_PRIMARY: 5476 case SCTP_PARAM_ADD_IP: 5477 case SCTP_SENDMSG_CONNECT: 5478 err = selinux_socket_connect_helper(sock, addr, len); 5479 if (err) 5480 return err; 5481 5482 /* As selinux_sctp_bind_connect() is called by the 5483 * SCTP protocol layer, the socket is already locked, 5484 * therefore selinux_netlbl_socket_connect_locked() 5485 * is called here. The situations handled are: 5486 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5487 * whenever a new IP address is added or when a new 5488 * primary address is selected. 5489 * Note that an SCTP connect(2) call happens before 5490 * the SCTP protocol layer and is handled via 5491 * selinux_socket_connect(). 5492 */ 5493 err = selinux_netlbl_socket_connect_locked(sk, addr); 5494 break; 5495 } 5496 5497 if (err) 5498 return err; 5499 5500 addr_buf += len; 5501 walk_size += len; 5502 } 5503 5504 return 0; 5505 } 5506 5507 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5508 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, 5509 struct sock *newsk) 5510 { 5511 struct sk_security_struct *sksec = sk->sk_security; 5512 struct sk_security_struct *newsksec = newsk->sk_security; 5513 5514 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5515 * the non-sctp clone version. 5516 */ 5517 if (!selinux_policycap_extsockclass()) 5518 return selinux_sk_clone_security(sk, newsk); 5519 5520 newsksec->sid = ep->secid; 5521 newsksec->peer_sid = ep->peer_secid; 5522 newsksec->sclass = sksec->sclass; 5523 selinux_netlbl_sctp_sk_clone(sk, newsk); 5524 } 5525 5526 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 5527 struct request_sock *req) 5528 { 5529 struct sk_security_struct *sksec = sk->sk_security; 5530 int err; 5531 u16 family = req->rsk_ops->family; 5532 u32 connsid; 5533 u32 peersid; 5534 5535 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5536 if (err) 5537 return err; 5538 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5539 if (err) 5540 return err; 5541 req->secid = connsid; 5542 req->peer_secid = peersid; 5543 5544 return selinux_netlbl_inet_conn_request(req, family); 5545 } 5546 5547 static void selinux_inet_csk_clone(struct sock *newsk, 5548 const struct request_sock *req) 5549 { 5550 struct sk_security_struct *newsksec = newsk->sk_security; 5551 5552 newsksec->sid = req->secid; 5553 newsksec->peer_sid = req->peer_secid; 5554 /* NOTE: Ideally, we should also get the isec->sid for the 5555 new socket in sync, but we don't have the isec available yet. 5556 So we will wait until sock_graft to do it, by which 5557 time it will have been created and available. */ 5558 5559 /* We don't need to take any sort of lock here as we are the only 5560 * thread with access to newsksec */ 5561 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5562 } 5563 5564 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5565 { 5566 u16 family = sk->sk_family; 5567 struct sk_security_struct *sksec = sk->sk_security; 5568 5569 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5570 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5571 family = PF_INET; 5572 5573 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5574 } 5575 5576 static int selinux_secmark_relabel_packet(u32 sid) 5577 { 5578 const struct task_security_struct *__tsec; 5579 u32 tsid; 5580 5581 __tsec = selinux_cred(current_cred()); 5582 tsid = __tsec->sid; 5583 5584 return avc_has_perm(&selinux_state, 5585 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, 5586 NULL); 5587 } 5588 5589 static void selinux_secmark_refcount_inc(void) 5590 { 5591 atomic_inc(&selinux_secmark_refcount); 5592 } 5593 5594 static void selinux_secmark_refcount_dec(void) 5595 { 5596 atomic_dec(&selinux_secmark_refcount); 5597 } 5598 5599 static void selinux_req_classify_flow(const struct request_sock *req, 5600 struct flowi_common *flic) 5601 { 5602 flic->flowic_secid = req->secid; 5603 } 5604 5605 static int selinux_tun_dev_alloc_security(void **security) 5606 { 5607 struct tun_security_struct *tunsec; 5608 5609 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5610 if (!tunsec) 5611 return -ENOMEM; 5612 tunsec->sid = current_sid(); 5613 5614 *security = tunsec; 5615 return 0; 5616 } 5617 5618 static void selinux_tun_dev_free_security(void *security) 5619 { 5620 kfree(security); 5621 } 5622 5623 static int selinux_tun_dev_create(void) 5624 { 5625 u32 sid = current_sid(); 5626 5627 /* we aren't taking into account the "sockcreate" SID since the socket 5628 * that is being created here is not a socket in the traditional sense, 5629 * instead it is a private sock, accessible only to the kernel, and 5630 * representing a wide range of network traffic spanning multiple 5631 * connections unlike traditional sockets - check the TUN driver to 5632 * get a better understanding of why this socket is special */ 5633 5634 return avc_has_perm(&selinux_state, 5635 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5636 NULL); 5637 } 5638 5639 static int selinux_tun_dev_attach_queue(void *security) 5640 { 5641 struct tun_security_struct *tunsec = security; 5642 5643 return avc_has_perm(&selinux_state, 5644 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5645 TUN_SOCKET__ATTACH_QUEUE, NULL); 5646 } 5647 5648 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5649 { 5650 struct tun_security_struct *tunsec = security; 5651 struct sk_security_struct *sksec = sk->sk_security; 5652 5653 /* we don't currently perform any NetLabel based labeling here and it 5654 * isn't clear that we would want to do so anyway; while we could apply 5655 * labeling without the support of the TUN user the resulting labeled 5656 * traffic from the other end of the connection would almost certainly 5657 * cause confusion to the TUN user that had no idea network labeling 5658 * protocols were being used */ 5659 5660 sksec->sid = tunsec->sid; 5661 sksec->sclass = SECCLASS_TUN_SOCKET; 5662 5663 return 0; 5664 } 5665 5666 static int selinux_tun_dev_open(void *security) 5667 { 5668 struct tun_security_struct *tunsec = security; 5669 u32 sid = current_sid(); 5670 int err; 5671 5672 err = avc_has_perm(&selinux_state, 5673 sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5674 TUN_SOCKET__RELABELFROM, NULL); 5675 if (err) 5676 return err; 5677 err = avc_has_perm(&selinux_state, 5678 sid, sid, SECCLASS_TUN_SOCKET, 5679 TUN_SOCKET__RELABELTO, NULL); 5680 if (err) 5681 return err; 5682 tunsec->sid = sid; 5683 5684 return 0; 5685 } 5686 5687 #ifdef CONFIG_NETFILTER 5688 5689 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5690 const struct net_device *indev, 5691 u16 family) 5692 { 5693 int err; 5694 char *addrp; 5695 u32 peer_sid; 5696 struct common_audit_data ad; 5697 struct lsm_network_audit net = {0,}; 5698 u8 secmark_active; 5699 u8 netlbl_active; 5700 u8 peerlbl_active; 5701 5702 if (!selinux_policycap_netpeer()) 5703 return NF_ACCEPT; 5704 5705 secmark_active = selinux_secmark_enabled(); 5706 netlbl_active = netlbl_enabled(); 5707 peerlbl_active = selinux_peerlbl_enabled(); 5708 if (!secmark_active && !peerlbl_active) 5709 return NF_ACCEPT; 5710 5711 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5712 return NF_DROP; 5713 5714 ad.type = LSM_AUDIT_DATA_NET; 5715 ad.u.net = &net; 5716 ad.u.net->netif = indev->ifindex; 5717 ad.u.net->family = family; 5718 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5719 return NF_DROP; 5720 5721 if (peerlbl_active) { 5722 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5723 addrp, family, peer_sid, &ad); 5724 if (err) { 5725 selinux_netlbl_err(skb, family, err, 1); 5726 return NF_DROP; 5727 } 5728 } 5729 5730 if (secmark_active) 5731 if (avc_has_perm(&selinux_state, 5732 peer_sid, skb->secmark, 5733 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5734 return NF_DROP; 5735 5736 if (netlbl_active) 5737 /* we do this in the FORWARD path and not the POST_ROUTING 5738 * path because we want to make sure we apply the necessary 5739 * labeling before IPsec is applied so we can leverage AH 5740 * protection */ 5741 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5742 return NF_DROP; 5743 5744 return NF_ACCEPT; 5745 } 5746 5747 static unsigned int selinux_ipv4_forward(void *priv, 5748 struct sk_buff *skb, 5749 const struct nf_hook_state *state) 5750 { 5751 return selinux_ip_forward(skb, state->in, PF_INET); 5752 } 5753 5754 #if IS_ENABLED(CONFIG_IPV6) 5755 static unsigned int selinux_ipv6_forward(void *priv, 5756 struct sk_buff *skb, 5757 const struct nf_hook_state *state) 5758 { 5759 return selinux_ip_forward(skb, state->in, PF_INET6); 5760 } 5761 #endif /* IPV6 */ 5762 5763 static unsigned int selinux_ip_output(struct sk_buff *skb, 5764 u16 family) 5765 { 5766 struct sock *sk; 5767 u32 sid; 5768 5769 if (!netlbl_enabled()) 5770 return NF_ACCEPT; 5771 5772 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5773 * because we want to make sure we apply the necessary labeling 5774 * before IPsec is applied so we can leverage AH protection */ 5775 sk = skb->sk; 5776 if (sk) { 5777 struct sk_security_struct *sksec; 5778 5779 if (sk_listener(sk)) 5780 /* if the socket is the listening state then this 5781 * packet is a SYN-ACK packet which means it needs to 5782 * be labeled based on the connection/request_sock and 5783 * not the parent socket. unfortunately, we can't 5784 * lookup the request_sock yet as it isn't queued on 5785 * the parent socket until after the SYN-ACK is sent. 5786 * the "solution" is to simply pass the packet as-is 5787 * as any IP option based labeling should be copied 5788 * from the initial connection request (in the IP 5789 * layer). it is far from ideal, but until we get a 5790 * security label in the packet itself this is the 5791 * best we can do. */ 5792 return NF_ACCEPT; 5793 5794 /* standard practice, label using the parent socket */ 5795 sksec = sk->sk_security; 5796 sid = sksec->sid; 5797 } else 5798 sid = SECINITSID_KERNEL; 5799 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5800 return NF_DROP; 5801 5802 return NF_ACCEPT; 5803 } 5804 5805 static unsigned int selinux_ipv4_output(void *priv, 5806 struct sk_buff *skb, 5807 const struct nf_hook_state *state) 5808 { 5809 return selinux_ip_output(skb, PF_INET); 5810 } 5811 5812 #if IS_ENABLED(CONFIG_IPV6) 5813 static unsigned int selinux_ipv6_output(void *priv, 5814 struct sk_buff *skb, 5815 const struct nf_hook_state *state) 5816 { 5817 return selinux_ip_output(skb, PF_INET6); 5818 } 5819 #endif /* IPV6 */ 5820 5821 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5822 int ifindex, 5823 u16 family) 5824 { 5825 struct sock *sk = skb_to_full_sk(skb); 5826 struct sk_security_struct *sksec; 5827 struct common_audit_data ad; 5828 struct lsm_network_audit net = {0,}; 5829 char *addrp; 5830 u8 proto; 5831 5832 if (sk == NULL) 5833 return NF_ACCEPT; 5834 sksec = sk->sk_security; 5835 5836 ad.type = LSM_AUDIT_DATA_NET; 5837 ad.u.net = &net; 5838 ad.u.net->netif = ifindex; 5839 ad.u.net->family = family; 5840 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5841 return NF_DROP; 5842 5843 if (selinux_secmark_enabled()) 5844 if (avc_has_perm(&selinux_state, 5845 sksec->sid, skb->secmark, 5846 SECCLASS_PACKET, PACKET__SEND, &ad)) 5847 return NF_DROP_ERR(-ECONNREFUSED); 5848 5849 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5850 return NF_DROP_ERR(-ECONNREFUSED); 5851 5852 return NF_ACCEPT; 5853 } 5854 5855 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5856 const struct net_device *outdev, 5857 u16 family) 5858 { 5859 u32 secmark_perm; 5860 u32 peer_sid; 5861 int ifindex = outdev->ifindex; 5862 struct sock *sk; 5863 struct common_audit_data ad; 5864 struct lsm_network_audit net = {0,}; 5865 char *addrp; 5866 u8 secmark_active; 5867 u8 peerlbl_active; 5868 5869 /* If any sort of compatibility mode is enabled then handoff processing 5870 * to the selinux_ip_postroute_compat() function to deal with the 5871 * special handling. We do this in an attempt to keep this function 5872 * as fast and as clean as possible. */ 5873 if (!selinux_policycap_netpeer()) 5874 return selinux_ip_postroute_compat(skb, ifindex, family); 5875 5876 secmark_active = selinux_secmark_enabled(); 5877 peerlbl_active = selinux_peerlbl_enabled(); 5878 if (!secmark_active && !peerlbl_active) 5879 return NF_ACCEPT; 5880 5881 sk = skb_to_full_sk(skb); 5882 5883 #ifdef CONFIG_XFRM 5884 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5885 * packet transformation so allow the packet to pass without any checks 5886 * since we'll have another chance to perform access control checks 5887 * when the packet is on it's final way out. 5888 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5889 * is NULL, in this case go ahead and apply access control. 5890 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5891 * TCP listening state we cannot wait until the XFRM processing 5892 * is done as we will miss out on the SA label if we do; 5893 * unfortunately, this means more work, but it is only once per 5894 * connection. */ 5895 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5896 !(sk && sk_listener(sk))) 5897 return NF_ACCEPT; 5898 #endif 5899 5900 if (sk == NULL) { 5901 /* Without an associated socket the packet is either coming 5902 * from the kernel or it is being forwarded; check the packet 5903 * to determine which and if the packet is being forwarded 5904 * query the packet directly to determine the security label. */ 5905 if (skb->skb_iif) { 5906 secmark_perm = PACKET__FORWARD_OUT; 5907 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5908 return NF_DROP; 5909 } else { 5910 secmark_perm = PACKET__SEND; 5911 peer_sid = SECINITSID_KERNEL; 5912 } 5913 } else if (sk_listener(sk)) { 5914 /* Locally generated packet but the associated socket is in the 5915 * listening state which means this is a SYN-ACK packet. In 5916 * this particular case the correct security label is assigned 5917 * to the connection/request_sock but unfortunately we can't 5918 * query the request_sock as it isn't queued on the parent 5919 * socket until after the SYN-ACK packet is sent; the only 5920 * viable choice is to regenerate the label like we do in 5921 * selinux_inet_conn_request(). See also selinux_ip_output() 5922 * for similar problems. */ 5923 u32 skb_sid; 5924 struct sk_security_struct *sksec; 5925 5926 sksec = sk->sk_security; 5927 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5928 return NF_DROP; 5929 /* At this point, if the returned skb peerlbl is SECSID_NULL 5930 * and the packet has been through at least one XFRM 5931 * transformation then we must be dealing with the "final" 5932 * form of labeled IPsec packet; since we've already applied 5933 * all of our access controls on this packet we can safely 5934 * pass the packet. */ 5935 if (skb_sid == SECSID_NULL) { 5936 switch (family) { 5937 case PF_INET: 5938 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5939 return NF_ACCEPT; 5940 break; 5941 case PF_INET6: 5942 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5943 return NF_ACCEPT; 5944 break; 5945 default: 5946 return NF_DROP_ERR(-ECONNREFUSED); 5947 } 5948 } 5949 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5950 return NF_DROP; 5951 secmark_perm = PACKET__SEND; 5952 } else { 5953 /* Locally generated packet, fetch the security label from the 5954 * associated socket. */ 5955 struct sk_security_struct *sksec = sk->sk_security; 5956 peer_sid = sksec->sid; 5957 secmark_perm = PACKET__SEND; 5958 } 5959 5960 ad.type = LSM_AUDIT_DATA_NET; 5961 ad.u.net = &net; 5962 ad.u.net->netif = ifindex; 5963 ad.u.net->family = family; 5964 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5965 return NF_DROP; 5966 5967 if (secmark_active) 5968 if (avc_has_perm(&selinux_state, 5969 peer_sid, skb->secmark, 5970 SECCLASS_PACKET, secmark_perm, &ad)) 5971 return NF_DROP_ERR(-ECONNREFUSED); 5972 5973 if (peerlbl_active) { 5974 u32 if_sid; 5975 u32 node_sid; 5976 5977 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5978 return NF_DROP; 5979 if (avc_has_perm(&selinux_state, 5980 peer_sid, if_sid, 5981 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5982 return NF_DROP_ERR(-ECONNREFUSED); 5983 5984 if (sel_netnode_sid(addrp, family, &node_sid)) 5985 return NF_DROP; 5986 if (avc_has_perm(&selinux_state, 5987 peer_sid, node_sid, 5988 SECCLASS_NODE, NODE__SENDTO, &ad)) 5989 return NF_DROP_ERR(-ECONNREFUSED); 5990 } 5991 5992 return NF_ACCEPT; 5993 } 5994 5995 static unsigned int selinux_ipv4_postroute(void *priv, 5996 struct sk_buff *skb, 5997 const struct nf_hook_state *state) 5998 { 5999 return selinux_ip_postroute(skb, state->out, PF_INET); 6000 } 6001 6002 #if IS_ENABLED(CONFIG_IPV6) 6003 static unsigned int selinux_ipv6_postroute(void *priv, 6004 struct sk_buff *skb, 6005 const struct nf_hook_state *state) 6006 { 6007 return selinux_ip_postroute(skb, state->out, PF_INET6); 6008 } 6009 #endif /* IPV6 */ 6010 6011 #endif /* CONFIG_NETFILTER */ 6012 6013 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 6014 { 6015 int rc = 0; 6016 unsigned int msg_len; 6017 unsigned int data_len = skb->len; 6018 unsigned char *data = skb->data; 6019 struct nlmsghdr *nlh; 6020 struct sk_security_struct *sksec = sk->sk_security; 6021 u16 sclass = sksec->sclass; 6022 u32 perm; 6023 6024 while (data_len >= nlmsg_total_size(0)) { 6025 nlh = (struct nlmsghdr *)data; 6026 6027 /* NOTE: the nlmsg_len field isn't reliably set by some netlink 6028 * users which means we can't reject skb's with bogus 6029 * length fields; our solution is to follow what 6030 * netlink_rcv_skb() does and simply skip processing at 6031 * messages with length fields that are clearly junk 6032 */ 6033 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len) 6034 return 0; 6035 6036 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm); 6037 if (rc == 0) { 6038 rc = sock_has_perm(sk, perm); 6039 if (rc) 6040 return rc; 6041 } else if (rc == -EINVAL) { 6042 /* -EINVAL is a missing msg/perm mapping */ 6043 pr_warn_ratelimited("SELinux: unrecognized netlink" 6044 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 6045 " pid=%d comm=%s\n", 6046 sk->sk_protocol, nlh->nlmsg_type, 6047 secclass_map[sclass - 1].name, 6048 task_pid_nr(current), current->comm); 6049 if (enforcing_enabled(&selinux_state) && 6050 !security_get_allow_unknown(&selinux_state)) 6051 return rc; 6052 rc = 0; 6053 } else if (rc == -ENOENT) { 6054 /* -ENOENT is a missing socket/class mapping, ignore */ 6055 rc = 0; 6056 } else { 6057 return rc; 6058 } 6059 6060 /* move to the next message after applying netlink padding */ 6061 msg_len = NLMSG_ALIGN(nlh->nlmsg_len); 6062 if (msg_len >= data_len) 6063 return 0; 6064 data_len -= msg_len; 6065 data += msg_len; 6066 } 6067 6068 return rc; 6069 } 6070 6071 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass) 6072 { 6073 isec->sclass = sclass; 6074 isec->sid = current_sid(); 6075 } 6076 6077 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 6078 u32 perms) 6079 { 6080 struct ipc_security_struct *isec; 6081 struct common_audit_data ad; 6082 u32 sid = current_sid(); 6083 6084 isec = selinux_ipc(ipc_perms); 6085 6086 ad.type = LSM_AUDIT_DATA_IPC; 6087 ad.u.ipc_id = ipc_perms->key; 6088 6089 return avc_has_perm(&selinux_state, 6090 sid, isec->sid, isec->sclass, perms, &ad); 6091 } 6092 6093 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 6094 { 6095 struct msg_security_struct *msec; 6096 6097 msec = selinux_msg_msg(msg); 6098 msec->sid = SECINITSID_UNLABELED; 6099 6100 return 0; 6101 } 6102 6103 /* message queue security operations */ 6104 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 6105 { 6106 struct ipc_security_struct *isec; 6107 struct common_audit_data ad; 6108 u32 sid = current_sid(); 6109 int rc; 6110 6111 isec = selinux_ipc(msq); 6112 ipc_init_security(isec, SECCLASS_MSGQ); 6113 6114 ad.type = LSM_AUDIT_DATA_IPC; 6115 ad.u.ipc_id = msq->key; 6116 6117 rc = avc_has_perm(&selinux_state, 6118 sid, isec->sid, SECCLASS_MSGQ, 6119 MSGQ__CREATE, &ad); 6120 return rc; 6121 } 6122 6123 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 6124 { 6125 struct ipc_security_struct *isec; 6126 struct common_audit_data ad; 6127 u32 sid = current_sid(); 6128 6129 isec = selinux_ipc(msq); 6130 6131 ad.type = LSM_AUDIT_DATA_IPC; 6132 ad.u.ipc_id = msq->key; 6133 6134 return avc_has_perm(&selinux_state, 6135 sid, isec->sid, SECCLASS_MSGQ, 6136 MSGQ__ASSOCIATE, &ad); 6137 } 6138 6139 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 6140 { 6141 int err; 6142 int perms; 6143 6144 switch (cmd) { 6145 case IPC_INFO: 6146 case MSG_INFO: 6147 /* No specific object, just general system-wide information. */ 6148 return avc_has_perm(&selinux_state, 6149 current_sid(), SECINITSID_KERNEL, 6150 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6151 case IPC_STAT: 6152 case MSG_STAT: 6153 case MSG_STAT_ANY: 6154 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6155 break; 6156 case IPC_SET: 6157 perms = MSGQ__SETATTR; 6158 break; 6159 case IPC_RMID: 6160 perms = MSGQ__DESTROY; 6161 break; 6162 default: 6163 return 0; 6164 } 6165 6166 err = ipc_has_perm(msq, perms); 6167 return err; 6168 } 6169 6170 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6171 { 6172 struct ipc_security_struct *isec; 6173 struct msg_security_struct *msec; 6174 struct common_audit_data ad; 6175 u32 sid = current_sid(); 6176 int rc; 6177 6178 isec = selinux_ipc(msq); 6179 msec = selinux_msg_msg(msg); 6180 6181 /* 6182 * First time through, need to assign label to the message 6183 */ 6184 if (msec->sid == SECINITSID_UNLABELED) { 6185 /* 6186 * Compute new sid based on current process and 6187 * message queue this message will be stored in 6188 */ 6189 rc = security_transition_sid(&selinux_state, sid, isec->sid, 6190 SECCLASS_MSG, NULL, &msec->sid); 6191 if (rc) 6192 return rc; 6193 } 6194 6195 ad.type = LSM_AUDIT_DATA_IPC; 6196 ad.u.ipc_id = msq->key; 6197 6198 /* Can this process write to the queue? */ 6199 rc = avc_has_perm(&selinux_state, 6200 sid, isec->sid, SECCLASS_MSGQ, 6201 MSGQ__WRITE, &ad); 6202 if (!rc) 6203 /* Can this process send the message */ 6204 rc = avc_has_perm(&selinux_state, 6205 sid, msec->sid, SECCLASS_MSG, 6206 MSG__SEND, &ad); 6207 if (!rc) 6208 /* Can the message be put in the queue? */ 6209 rc = avc_has_perm(&selinux_state, 6210 msec->sid, isec->sid, SECCLASS_MSGQ, 6211 MSGQ__ENQUEUE, &ad); 6212 6213 return rc; 6214 } 6215 6216 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6217 struct task_struct *target, 6218 long type, int mode) 6219 { 6220 struct ipc_security_struct *isec; 6221 struct msg_security_struct *msec; 6222 struct common_audit_data ad; 6223 u32 sid = task_sid_subj(target); 6224 int rc; 6225 6226 isec = selinux_ipc(msq); 6227 msec = selinux_msg_msg(msg); 6228 6229 ad.type = LSM_AUDIT_DATA_IPC; 6230 ad.u.ipc_id = msq->key; 6231 6232 rc = avc_has_perm(&selinux_state, 6233 sid, isec->sid, 6234 SECCLASS_MSGQ, MSGQ__READ, &ad); 6235 if (!rc) 6236 rc = avc_has_perm(&selinux_state, 6237 sid, msec->sid, 6238 SECCLASS_MSG, MSG__RECEIVE, &ad); 6239 return rc; 6240 } 6241 6242 /* Shared Memory security operations */ 6243 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6244 { 6245 struct ipc_security_struct *isec; 6246 struct common_audit_data ad; 6247 u32 sid = current_sid(); 6248 int rc; 6249 6250 isec = selinux_ipc(shp); 6251 ipc_init_security(isec, SECCLASS_SHM); 6252 6253 ad.type = LSM_AUDIT_DATA_IPC; 6254 ad.u.ipc_id = shp->key; 6255 6256 rc = avc_has_perm(&selinux_state, 6257 sid, isec->sid, SECCLASS_SHM, 6258 SHM__CREATE, &ad); 6259 return rc; 6260 } 6261 6262 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6263 { 6264 struct ipc_security_struct *isec; 6265 struct common_audit_data ad; 6266 u32 sid = current_sid(); 6267 6268 isec = selinux_ipc(shp); 6269 6270 ad.type = LSM_AUDIT_DATA_IPC; 6271 ad.u.ipc_id = shp->key; 6272 6273 return avc_has_perm(&selinux_state, 6274 sid, isec->sid, SECCLASS_SHM, 6275 SHM__ASSOCIATE, &ad); 6276 } 6277 6278 /* Note, at this point, shp is locked down */ 6279 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6280 { 6281 int perms; 6282 int err; 6283 6284 switch (cmd) { 6285 case IPC_INFO: 6286 case SHM_INFO: 6287 /* No specific object, just general system-wide information. */ 6288 return avc_has_perm(&selinux_state, 6289 current_sid(), SECINITSID_KERNEL, 6290 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6291 case IPC_STAT: 6292 case SHM_STAT: 6293 case SHM_STAT_ANY: 6294 perms = SHM__GETATTR | SHM__ASSOCIATE; 6295 break; 6296 case IPC_SET: 6297 perms = SHM__SETATTR; 6298 break; 6299 case SHM_LOCK: 6300 case SHM_UNLOCK: 6301 perms = SHM__LOCK; 6302 break; 6303 case IPC_RMID: 6304 perms = SHM__DESTROY; 6305 break; 6306 default: 6307 return 0; 6308 } 6309 6310 err = ipc_has_perm(shp, perms); 6311 return err; 6312 } 6313 6314 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6315 char __user *shmaddr, int shmflg) 6316 { 6317 u32 perms; 6318 6319 if (shmflg & SHM_RDONLY) 6320 perms = SHM__READ; 6321 else 6322 perms = SHM__READ | SHM__WRITE; 6323 6324 return ipc_has_perm(shp, perms); 6325 } 6326 6327 /* Semaphore security operations */ 6328 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6329 { 6330 struct ipc_security_struct *isec; 6331 struct common_audit_data ad; 6332 u32 sid = current_sid(); 6333 int rc; 6334 6335 isec = selinux_ipc(sma); 6336 ipc_init_security(isec, SECCLASS_SEM); 6337 6338 ad.type = LSM_AUDIT_DATA_IPC; 6339 ad.u.ipc_id = sma->key; 6340 6341 rc = avc_has_perm(&selinux_state, 6342 sid, isec->sid, SECCLASS_SEM, 6343 SEM__CREATE, &ad); 6344 return rc; 6345 } 6346 6347 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6348 { 6349 struct ipc_security_struct *isec; 6350 struct common_audit_data ad; 6351 u32 sid = current_sid(); 6352 6353 isec = selinux_ipc(sma); 6354 6355 ad.type = LSM_AUDIT_DATA_IPC; 6356 ad.u.ipc_id = sma->key; 6357 6358 return avc_has_perm(&selinux_state, 6359 sid, isec->sid, SECCLASS_SEM, 6360 SEM__ASSOCIATE, &ad); 6361 } 6362 6363 /* Note, at this point, sma is locked down */ 6364 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6365 { 6366 int err; 6367 u32 perms; 6368 6369 switch (cmd) { 6370 case IPC_INFO: 6371 case SEM_INFO: 6372 /* No specific object, just general system-wide information. */ 6373 return avc_has_perm(&selinux_state, 6374 current_sid(), SECINITSID_KERNEL, 6375 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6376 case GETPID: 6377 case GETNCNT: 6378 case GETZCNT: 6379 perms = SEM__GETATTR; 6380 break; 6381 case GETVAL: 6382 case GETALL: 6383 perms = SEM__READ; 6384 break; 6385 case SETVAL: 6386 case SETALL: 6387 perms = SEM__WRITE; 6388 break; 6389 case IPC_RMID: 6390 perms = SEM__DESTROY; 6391 break; 6392 case IPC_SET: 6393 perms = SEM__SETATTR; 6394 break; 6395 case IPC_STAT: 6396 case SEM_STAT: 6397 case SEM_STAT_ANY: 6398 perms = SEM__GETATTR | SEM__ASSOCIATE; 6399 break; 6400 default: 6401 return 0; 6402 } 6403 6404 err = ipc_has_perm(sma, perms); 6405 return err; 6406 } 6407 6408 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6409 struct sembuf *sops, unsigned nsops, int alter) 6410 { 6411 u32 perms; 6412 6413 if (alter) 6414 perms = SEM__READ | SEM__WRITE; 6415 else 6416 perms = SEM__READ; 6417 6418 return ipc_has_perm(sma, perms); 6419 } 6420 6421 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6422 { 6423 u32 av = 0; 6424 6425 av = 0; 6426 if (flag & S_IRUGO) 6427 av |= IPC__UNIX_READ; 6428 if (flag & S_IWUGO) 6429 av |= IPC__UNIX_WRITE; 6430 6431 if (av == 0) 6432 return 0; 6433 6434 return ipc_has_perm(ipcp, av); 6435 } 6436 6437 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 6438 { 6439 struct ipc_security_struct *isec = selinux_ipc(ipcp); 6440 *secid = isec->sid; 6441 } 6442 6443 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6444 { 6445 if (inode) 6446 inode_doinit_with_dentry(inode, dentry); 6447 } 6448 6449 static int selinux_getprocattr(struct task_struct *p, 6450 char *name, char **value) 6451 { 6452 const struct task_security_struct *__tsec; 6453 u32 sid; 6454 int error; 6455 unsigned len; 6456 6457 rcu_read_lock(); 6458 __tsec = selinux_cred(__task_cred(p)); 6459 6460 if (current != p) { 6461 error = avc_has_perm(&selinux_state, 6462 current_sid(), __tsec->sid, 6463 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6464 if (error) 6465 goto bad; 6466 } 6467 6468 if (!strcmp(name, "current")) 6469 sid = __tsec->sid; 6470 else if (!strcmp(name, "prev")) 6471 sid = __tsec->osid; 6472 else if (!strcmp(name, "exec")) 6473 sid = __tsec->exec_sid; 6474 else if (!strcmp(name, "fscreate")) 6475 sid = __tsec->create_sid; 6476 else if (!strcmp(name, "keycreate")) 6477 sid = __tsec->keycreate_sid; 6478 else if (!strcmp(name, "sockcreate")) 6479 sid = __tsec->sockcreate_sid; 6480 else { 6481 error = -EINVAL; 6482 goto bad; 6483 } 6484 rcu_read_unlock(); 6485 6486 if (!sid) 6487 return 0; 6488 6489 error = security_sid_to_context(&selinux_state, sid, value, &len); 6490 if (error) 6491 return error; 6492 return len; 6493 6494 bad: 6495 rcu_read_unlock(); 6496 return error; 6497 } 6498 6499 static int selinux_setprocattr(const char *name, void *value, size_t size) 6500 { 6501 struct task_security_struct *tsec; 6502 struct cred *new; 6503 u32 mysid = current_sid(), sid = 0, ptsid; 6504 int error; 6505 char *str = value; 6506 6507 /* 6508 * Basic control over ability to set these attributes at all. 6509 */ 6510 if (!strcmp(name, "exec")) 6511 error = avc_has_perm(&selinux_state, 6512 mysid, mysid, SECCLASS_PROCESS, 6513 PROCESS__SETEXEC, NULL); 6514 else if (!strcmp(name, "fscreate")) 6515 error = avc_has_perm(&selinux_state, 6516 mysid, mysid, SECCLASS_PROCESS, 6517 PROCESS__SETFSCREATE, NULL); 6518 else if (!strcmp(name, "keycreate")) 6519 error = avc_has_perm(&selinux_state, 6520 mysid, mysid, SECCLASS_PROCESS, 6521 PROCESS__SETKEYCREATE, NULL); 6522 else if (!strcmp(name, "sockcreate")) 6523 error = avc_has_perm(&selinux_state, 6524 mysid, mysid, SECCLASS_PROCESS, 6525 PROCESS__SETSOCKCREATE, NULL); 6526 else if (!strcmp(name, "current")) 6527 error = avc_has_perm(&selinux_state, 6528 mysid, mysid, SECCLASS_PROCESS, 6529 PROCESS__SETCURRENT, NULL); 6530 else 6531 error = -EINVAL; 6532 if (error) 6533 return error; 6534 6535 /* Obtain a SID for the context, if one was specified. */ 6536 if (size && str[0] && str[0] != '\n') { 6537 if (str[size-1] == '\n') { 6538 str[size-1] = 0; 6539 size--; 6540 } 6541 error = security_context_to_sid(&selinux_state, value, size, 6542 &sid, GFP_KERNEL); 6543 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6544 if (!has_cap_mac_admin(true)) { 6545 struct audit_buffer *ab; 6546 size_t audit_size; 6547 6548 /* We strip a nul only if it is at the end, otherwise the 6549 * context contains a nul and we should audit that */ 6550 if (str[size - 1] == '\0') 6551 audit_size = size - 1; 6552 else 6553 audit_size = size; 6554 ab = audit_log_start(audit_context(), 6555 GFP_ATOMIC, 6556 AUDIT_SELINUX_ERR); 6557 audit_log_format(ab, "op=fscreate invalid_context="); 6558 audit_log_n_untrustedstring(ab, value, audit_size); 6559 audit_log_end(ab); 6560 6561 return error; 6562 } 6563 error = security_context_to_sid_force( 6564 &selinux_state, 6565 value, size, &sid); 6566 } 6567 if (error) 6568 return error; 6569 } 6570 6571 new = prepare_creds(); 6572 if (!new) 6573 return -ENOMEM; 6574 6575 /* Permission checking based on the specified context is 6576 performed during the actual operation (execve, 6577 open/mkdir/...), when we know the full context of the 6578 operation. See selinux_bprm_creds_for_exec for the execve 6579 checks and may_create for the file creation checks. The 6580 operation will then fail if the context is not permitted. */ 6581 tsec = selinux_cred(new); 6582 if (!strcmp(name, "exec")) { 6583 tsec->exec_sid = sid; 6584 } else if (!strcmp(name, "fscreate")) { 6585 tsec->create_sid = sid; 6586 } else if (!strcmp(name, "keycreate")) { 6587 if (sid) { 6588 error = avc_has_perm(&selinux_state, mysid, sid, 6589 SECCLASS_KEY, KEY__CREATE, NULL); 6590 if (error) 6591 goto abort_change; 6592 } 6593 tsec->keycreate_sid = sid; 6594 } else if (!strcmp(name, "sockcreate")) { 6595 tsec->sockcreate_sid = sid; 6596 } else if (!strcmp(name, "current")) { 6597 error = -EINVAL; 6598 if (sid == 0) 6599 goto abort_change; 6600 6601 /* Only allow single threaded processes to change context */ 6602 error = -EPERM; 6603 if (!current_is_single_threaded()) { 6604 error = security_bounded_transition(&selinux_state, 6605 tsec->sid, sid); 6606 if (error) 6607 goto abort_change; 6608 } 6609 6610 /* Check permissions for the transition. */ 6611 error = avc_has_perm(&selinux_state, 6612 tsec->sid, sid, SECCLASS_PROCESS, 6613 PROCESS__DYNTRANSITION, NULL); 6614 if (error) 6615 goto abort_change; 6616 6617 /* Check for ptracing, and update the task SID if ok. 6618 Otherwise, leave SID unchanged and fail. */ 6619 ptsid = ptrace_parent_sid(); 6620 if (ptsid != 0) { 6621 error = avc_has_perm(&selinux_state, 6622 ptsid, sid, SECCLASS_PROCESS, 6623 PROCESS__PTRACE, NULL); 6624 if (error) 6625 goto abort_change; 6626 } 6627 6628 tsec->sid = sid; 6629 } else { 6630 error = -EINVAL; 6631 goto abort_change; 6632 } 6633 6634 commit_creds(new); 6635 return size; 6636 6637 abort_change: 6638 abort_creds(new); 6639 return error; 6640 } 6641 6642 static int selinux_ismaclabel(const char *name) 6643 { 6644 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6645 } 6646 6647 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6648 { 6649 return security_sid_to_context(&selinux_state, secid, 6650 secdata, seclen); 6651 } 6652 6653 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6654 { 6655 return security_context_to_sid(&selinux_state, secdata, seclen, 6656 secid, GFP_KERNEL); 6657 } 6658 6659 static void selinux_release_secctx(char *secdata, u32 seclen) 6660 { 6661 kfree(secdata); 6662 } 6663 6664 static void selinux_inode_invalidate_secctx(struct inode *inode) 6665 { 6666 struct inode_security_struct *isec = selinux_inode(inode); 6667 6668 spin_lock(&isec->lock); 6669 isec->initialized = LABEL_INVALID; 6670 spin_unlock(&isec->lock); 6671 } 6672 6673 /* 6674 * called with inode->i_mutex locked 6675 */ 6676 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6677 { 6678 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, 6679 ctx, ctxlen, 0); 6680 /* Do not return error when suppressing label (SBLABEL_MNT not set). */ 6681 return rc == -EOPNOTSUPP ? 0 : rc; 6682 } 6683 6684 /* 6685 * called with inode->i_mutex locked 6686 */ 6687 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6688 { 6689 return __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_SELINUX, 6690 ctx, ctxlen, 0); 6691 } 6692 6693 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6694 { 6695 int len = 0; 6696 len = selinux_inode_getsecurity(&init_user_ns, inode, 6697 XATTR_SELINUX_SUFFIX, ctx, true); 6698 if (len < 0) 6699 return len; 6700 *ctxlen = len; 6701 return 0; 6702 } 6703 #ifdef CONFIG_KEYS 6704 6705 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6706 unsigned long flags) 6707 { 6708 const struct task_security_struct *tsec; 6709 struct key_security_struct *ksec; 6710 6711 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6712 if (!ksec) 6713 return -ENOMEM; 6714 6715 tsec = selinux_cred(cred); 6716 if (tsec->keycreate_sid) 6717 ksec->sid = tsec->keycreate_sid; 6718 else 6719 ksec->sid = tsec->sid; 6720 6721 k->security = ksec; 6722 return 0; 6723 } 6724 6725 static void selinux_key_free(struct key *k) 6726 { 6727 struct key_security_struct *ksec = k->security; 6728 6729 k->security = NULL; 6730 kfree(ksec); 6731 } 6732 6733 static int selinux_key_permission(key_ref_t key_ref, 6734 const struct cred *cred, 6735 enum key_need_perm need_perm) 6736 { 6737 struct key *key; 6738 struct key_security_struct *ksec; 6739 u32 perm, sid; 6740 6741 switch (need_perm) { 6742 case KEY_NEED_VIEW: 6743 perm = KEY__VIEW; 6744 break; 6745 case KEY_NEED_READ: 6746 perm = KEY__READ; 6747 break; 6748 case KEY_NEED_WRITE: 6749 perm = KEY__WRITE; 6750 break; 6751 case KEY_NEED_SEARCH: 6752 perm = KEY__SEARCH; 6753 break; 6754 case KEY_NEED_LINK: 6755 perm = KEY__LINK; 6756 break; 6757 case KEY_NEED_SETATTR: 6758 perm = KEY__SETATTR; 6759 break; 6760 case KEY_NEED_UNLINK: 6761 case KEY_SYSADMIN_OVERRIDE: 6762 case KEY_AUTHTOKEN_OVERRIDE: 6763 case KEY_DEFER_PERM_CHECK: 6764 return 0; 6765 default: 6766 WARN_ON(1); 6767 return -EPERM; 6768 6769 } 6770 6771 sid = cred_sid(cred); 6772 key = key_ref_to_ptr(key_ref); 6773 ksec = key->security; 6774 6775 return avc_has_perm(&selinux_state, 6776 sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6777 } 6778 6779 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6780 { 6781 struct key_security_struct *ksec = key->security; 6782 char *context = NULL; 6783 unsigned len; 6784 int rc; 6785 6786 rc = security_sid_to_context(&selinux_state, ksec->sid, 6787 &context, &len); 6788 if (!rc) 6789 rc = len; 6790 *_buffer = context; 6791 return rc; 6792 } 6793 6794 #ifdef CONFIG_KEY_NOTIFICATIONS 6795 static int selinux_watch_key(struct key *key) 6796 { 6797 struct key_security_struct *ksec = key->security; 6798 u32 sid = current_sid(); 6799 6800 return avc_has_perm(&selinux_state, 6801 sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL); 6802 } 6803 #endif 6804 #endif 6805 6806 #ifdef CONFIG_SECURITY_INFINIBAND 6807 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6808 { 6809 struct common_audit_data ad; 6810 int err; 6811 u32 sid = 0; 6812 struct ib_security_struct *sec = ib_sec; 6813 struct lsm_ibpkey_audit ibpkey; 6814 6815 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6816 if (err) 6817 return err; 6818 6819 ad.type = LSM_AUDIT_DATA_IBPKEY; 6820 ibpkey.subnet_prefix = subnet_prefix; 6821 ibpkey.pkey = pkey_val; 6822 ad.u.ibpkey = &ibpkey; 6823 return avc_has_perm(&selinux_state, 6824 sec->sid, sid, 6825 SECCLASS_INFINIBAND_PKEY, 6826 INFINIBAND_PKEY__ACCESS, &ad); 6827 } 6828 6829 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6830 u8 port_num) 6831 { 6832 struct common_audit_data ad; 6833 int err; 6834 u32 sid = 0; 6835 struct ib_security_struct *sec = ib_sec; 6836 struct lsm_ibendport_audit ibendport; 6837 6838 err = security_ib_endport_sid(&selinux_state, dev_name, port_num, 6839 &sid); 6840 6841 if (err) 6842 return err; 6843 6844 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6845 ibendport.dev_name = dev_name; 6846 ibendport.port = port_num; 6847 ad.u.ibendport = &ibendport; 6848 return avc_has_perm(&selinux_state, 6849 sec->sid, sid, 6850 SECCLASS_INFINIBAND_ENDPORT, 6851 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6852 } 6853 6854 static int selinux_ib_alloc_security(void **ib_sec) 6855 { 6856 struct ib_security_struct *sec; 6857 6858 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6859 if (!sec) 6860 return -ENOMEM; 6861 sec->sid = current_sid(); 6862 6863 *ib_sec = sec; 6864 return 0; 6865 } 6866 6867 static void selinux_ib_free_security(void *ib_sec) 6868 { 6869 kfree(ib_sec); 6870 } 6871 #endif 6872 6873 #ifdef CONFIG_BPF_SYSCALL 6874 static int selinux_bpf(int cmd, union bpf_attr *attr, 6875 unsigned int size) 6876 { 6877 u32 sid = current_sid(); 6878 int ret; 6879 6880 switch (cmd) { 6881 case BPF_MAP_CREATE: 6882 ret = avc_has_perm(&selinux_state, 6883 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6884 NULL); 6885 break; 6886 case BPF_PROG_LOAD: 6887 ret = avc_has_perm(&selinux_state, 6888 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6889 NULL); 6890 break; 6891 default: 6892 ret = 0; 6893 break; 6894 } 6895 6896 return ret; 6897 } 6898 6899 static u32 bpf_map_fmode_to_av(fmode_t fmode) 6900 { 6901 u32 av = 0; 6902 6903 if (fmode & FMODE_READ) 6904 av |= BPF__MAP_READ; 6905 if (fmode & FMODE_WRITE) 6906 av |= BPF__MAP_WRITE; 6907 return av; 6908 } 6909 6910 /* This function will check the file pass through unix socket or binder to see 6911 * if it is a bpf related object. And apply correspinding checks on the bpf 6912 * object based on the type. The bpf maps and programs, not like other files and 6913 * socket, are using a shared anonymous inode inside the kernel as their inode. 6914 * So checking that inode cannot identify if the process have privilege to 6915 * access the bpf object and that's why we have to add this additional check in 6916 * selinux_file_receive and selinux_binder_transfer_files. 6917 */ 6918 static int bpf_fd_pass(struct file *file, u32 sid) 6919 { 6920 struct bpf_security_struct *bpfsec; 6921 struct bpf_prog *prog; 6922 struct bpf_map *map; 6923 int ret; 6924 6925 if (file->f_op == &bpf_map_fops) { 6926 map = file->private_data; 6927 bpfsec = map->security; 6928 ret = avc_has_perm(&selinux_state, 6929 sid, bpfsec->sid, SECCLASS_BPF, 6930 bpf_map_fmode_to_av(file->f_mode), NULL); 6931 if (ret) 6932 return ret; 6933 } else if (file->f_op == &bpf_prog_fops) { 6934 prog = file->private_data; 6935 bpfsec = prog->aux->security; 6936 ret = avc_has_perm(&selinux_state, 6937 sid, bpfsec->sid, SECCLASS_BPF, 6938 BPF__PROG_RUN, NULL); 6939 if (ret) 6940 return ret; 6941 } 6942 return 0; 6943 } 6944 6945 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 6946 { 6947 u32 sid = current_sid(); 6948 struct bpf_security_struct *bpfsec; 6949 6950 bpfsec = map->security; 6951 return avc_has_perm(&selinux_state, 6952 sid, bpfsec->sid, SECCLASS_BPF, 6953 bpf_map_fmode_to_av(fmode), NULL); 6954 } 6955 6956 static int selinux_bpf_prog(struct bpf_prog *prog) 6957 { 6958 u32 sid = current_sid(); 6959 struct bpf_security_struct *bpfsec; 6960 6961 bpfsec = prog->aux->security; 6962 return avc_has_perm(&selinux_state, 6963 sid, bpfsec->sid, SECCLASS_BPF, 6964 BPF__PROG_RUN, NULL); 6965 } 6966 6967 static int selinux_bpf_map_alloc(struct bpf_map *map) 6968 { 6969 struct bpf_security_struct *bpfsec; 6970 6971 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6972 if (!bpfsec) 6973 return -ENOMEM; 6974 6975 bpfsec->sid = current_sid(); 6976 map->security = bpfsec; 6977 6978 return 0; 6979 } 6980 6981 static void selinux_bpf_map_free(struct bpf_map *map) 6982 { 6983 struct bpf_security_struct *bpfsec = map->security; 6984 6985 map->security = NULL; 6986 kfree(bpfsec); 6987 } 6988 6989 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux) 6990 { 6991 struct bpf_security_struct *bpfsec; 6992 6993 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6994 if (!bpfsec) 6995 return -ENOMEM; 6996 6997 bpfsec->sid = current_sid(); 6998 aux->security = bpfsec; 6999 7000 return 0; 7001 } 7002 7003 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) 7004 { 7005 struct bpf_security_struct *bpfsec = aux->security; 7006 7007 aux->security = NULL; 7008 kfree(bpfsec); 7009 } 7010 #endif 7011 7012 static int selinux_lockdown(enum lockdown_reason what) 7013 { 7014 struct common_audit_data ad; 7015 u32 sid = current_sid(); 7016 int invalid_reason = (what <= LOCKDOWN_NONE) || 7017 (what == LOCKDOWN_INTEGRITY_MAX) || 7018 (what >= LOCKDOWN_CONFIDENTIALITY_MAX); 7019 7020 if (WARN(invalid_reason, "Invalid lockdown reason")) { 7021 audit_log(audit_context(), 7022 GFP_ATOMIC, AUDIT_SELINUX_ERR, 7023 "lockdown_reason=invalid"); 7024 return -EINVAL; 7025 } 7026 7027 ad.type = LSM_AUDIT_DATA_LOCKDOWN; 7028 ad.u.reason = what; 7029 7030 if (what <= LOCKDOWN_INTEGRITY_MAX) 7031 return avc_has_perm(&selinux_state, 7032 sid, sid, SECCLASS_LOCKDOWN, 7033 LOCKDOWN__INTEGRITY, &ad); 7034 else 7035 return avc_has_perm(&selinux_state, 7036 sid, sid, SECCLASS_LOCKDOWN, 7037 LOCKDOWN__CONFIDENTIALITY, &ad); 7038 } 7039 7040 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { 7041 .lbs_cred = sizeof(struct task_security_struct), 7042 .lbs_file = sizeof(struct file_security_struct), 7043 .lbs_inode = sizeof(struct inode_security_struct), 7044 .lbs_ipc = sizeof(struct ipc_security_struct), 7045 .lbs_msg_msg = sizeof(struct msg_security_struct), 7046 .lbs_superblock = sizeof(struct superblock_security_struct), 7047 }; 7048 7049 #ifdef CONFIG_PERF_EVENTS 7050 static int selinux_perf_event_open(struct perf_event_attr *attr, int type) 7051 { 7052 u32 requested, sid = current_sid(); 7053 7054 if (type == PERF_SECURITY_OPEN) 7055 requested = PERF_EVENT__OPEN; 7056 else if (type == PERF_SECURITY_CPU) 7057 requested = PERF_EVENT__CPU; 7058 else if (type == PERF_SECURITY_KERNEL) 7059 requested = PERF_EVENT__KERNEL; 7060 else if (type == PERF_SECURITY_TRACEPOINT) 7061 requested = PERF_EVENT__TRACEPOINT; 7062 else 7063 return -EINVAL; 7064 7065 return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT, 7066 requested, NULL); 7067 } 7068 7069 static int selinux_perf_event_alloc(struct perf_event *event) 7070 { 7071 struct perf_event_security_struct *perfsec; 7072 7073 perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL); 7074 if (!perfsec) 7075 return -ENOMEM; 7076 7077 perfsec->sid = current_sid(); 7078 event->security = perfsec; 7079 7080 return 0; 7081 } 7082 7083 static void selinux_perf_event_free(struct perf_event *event) 7084 { 7085 struct perf_event_security_struct *perfsec = event->security; 7086 7087 event->security = NULL; 7088 kfree(perfsec); 7089 } 7090 7091 static int selinux_perf_event_read(struct perf_event *event) 7092 { 7093 struct perf_event_security_struct *perfsec = event->security; 7094 u32 sid = current_sid(); 7095 7096 return avc_has_perm(&selinux_state, sid, perfsec->sid, 7097 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL); 7098 } 7099 7100 static int selinux_perf_event_write(struct perf_event *event) 7101 { 7102 struct perf_event_security_struct *perfsec = event->security; 7103 u32 sid = current_sid(); 7104 7105 return avc_has_perm(&selinux_state, sid, perfsec->sid, 7106 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL); 7107 } 7108 #endif 7109 7110 /* 7111 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: 7112 * 1. any hooks that don't belong to (2.) or (3.) below, 7113 * 2. hooks that both access structures allocated by other hooks, and allocate 7114 * structures that can be later accessed by other hooks (mostly "cloning" 7115 * hooks), 7116 * 3. hooks that only allocate structures that can be later accessed by other 7117 * hooks ("allocating" hooks). 7118 * 7119 * Please follow block comment delimiters in the list to keep this order. 7120 * 7121 * This ordering is needed for SELinux runtime disable to work at least somewhat 7122 * safely. Breaking the ordering rules above might lead to NULL pointer derefs 7123 * when disabling SELinux at runtime. 7124 */ 7125 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 7126 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 7127 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 7128 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 7129 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 7130 7131 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 7132 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 7133 LSM_HOOK_INIT(capget, selinux_capget), 7134 LSM_HOOK_INIT(capset, selinux_capset), 7135 LSM_HOOK_INIT(capable, selinux_capable), 7136 LSM_HOOK_INIT(quotactl, selinux_quotactl), 7137 LSM_HOOK_INIT(quota_on, selinux_quota_on), 7138 LSM_HOOK_INIT(syslog, selinux_syslog), 7139 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 7140 7141 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 7142 7143 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec), 7144 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 7145 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 7146 7147 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), 7148 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat), 7149 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 7150 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 7151 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 7152 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 7153 LSM_HOOK_INIT(sb_mount, selinux_mount), 7154 LSM_HOOK_INIT(sb_umount, selinux_umount), 7155 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 7156 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 7157 7158 LSM_HOOK_INIT(move_mount, selinux_move_mount), 7159 7160 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 7161 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 7162 7163 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 7164 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 7165 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon), 7166 LSM_HOOK_INIT(inode_create, selinux_inode_create), 7167 LSM_HOOK_INIT(inode_link, selinux_inode_link), 7168 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 7169 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 7170 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 7171 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 7172 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 7173 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 7174 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 7175 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 7176 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 7177 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 7178 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 7179 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 7180 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 7181 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 7182 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 7183 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 7184 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 7185 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 7186 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 7187 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 7188 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 7189 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 7190 LSM_HOOK_INIT(path_notify, selinux_path_notify), 7191 7192 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security), 7193 7194 LSM_HOOK_INIT(file_permission, selinux_file_permission), 7195 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 7196 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 7197 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 7198 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 7199 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 7200 LSM_HOOK_INIT(file_lock, selinux_file_lock), 7201 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 7202 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 7203 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 7204 LSM_HOOK_INIT(file_receive, selinux_file_receive), 7205 7206 LSM_HOOK_INIT(file_open, selinux_file_open), 7207 7208 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 7209 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 7210 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 7211 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 7212 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 7213 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 7214 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 7215 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 7216 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 7217 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 7218 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 7219 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 7220 LSM_HOOK_INIT(task_getsecid_subj, selinux_task_getsecid_subj), 7221 LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj), 7222 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 7223 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 7224 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 7225 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 7226 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 7227 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 7228 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 7229 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 7230 LSM_HOOK_INIT(task_kill, selinux_task_kill), 7231 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 7232 7233 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 7234 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 7235 7236 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 7237 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 7238 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 7239 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 7240 7241 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 7242 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 7243 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 7244 7245 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 7246 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 7247 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 7248 7249 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 7250 7251 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 7252 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 7253 7254 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 7255 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 7256 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 7257 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 7258 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 7259 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 7260 7261 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 7262 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 7263 7264 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7265 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7266 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), 7267 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7268 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7269 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7270 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7271 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7272 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7273 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7274 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7275 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7276 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7277 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7278 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7279 LSM_HOOK_INIT(socket_getpeersec_stream, 7280 selinux_socket_getpeersec_stream), 7281 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7282 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7283 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7284 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7285 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7286 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7287 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7288 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7289 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7290 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7291 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7292 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7293 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7294 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7295 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7296 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 7297 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7298 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7299 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7300 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7301 #ifdef CONFIG_SECURITY_INFINIBAND 7302 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7303 LSM_HOOK_INIT(ib_endport_manage_subnet, 7304 selinux_ib_endport_manage_subnet), 7305 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 7306 #endif 7307 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7308 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7309 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7310 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7311 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7312 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7313 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7314 selinux_xfrm_state_pol_flow_match), 7315 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7316 #endif 7317 7318 #ifdef CONFIG_KEYS 7319 LSM_HOOK_INIT(key_free, selinux_key_free), 7320 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7321 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7322 #ifdef CONFIG_KEY_NOTIFICATIONS 7323 LSM_HOOK_INIT(watch_key, selinux_watch_key), 7324 #endif 7325 #endif 7326 7327 #ifdef CONFIG_AUDIT 7328 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7329 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7330 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7331 #endif 7332 7333 #ifdef CONFIG_BPF_SYSCALL 7334 LSM_HOOK_INIT(bpf, selinux_bpf), 7335 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7336 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7337 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free), 7338 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free), 7339 #endif 7340 7341 #ifdef CONFIG_PERF_EVENTS 7342 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open), 7343 LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free), 7344 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read), 7345 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write), 7346 #endif 7347 7348 LSM_HOOK_INIT(locked_down, selinux_lockdown), 7349 7350 /* 7351 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE 7352 */ 7353 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 7354 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 7355 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 7356 LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt), 7357 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7358 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7359 #endif 7360 7361 /* 7362 * PUT "ALLOCATING" HOOKS HERE 7363 */ 7364 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 7365 LSM_HOOK_INIT(msg_queue_alloc_security, 7366 selinux_msg_queue_alloc_security), 7367 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 7368 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 7369 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 7370 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 7371 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 7372 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 7373 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7374 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7375 #ifdef CONFIG_SECURITY_INFINIBAND 7376 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7377 #endif 7378 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7379 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7380 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7381 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7382 selinux_xfrm_state_alloc_acquire), 7383 #endif 7384 #ifdef CONFIG_KEYS 7385 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7386 #endif 7387 #ifdef CONFIG_AUDIT 7388 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7389 #endif 7390 #ifdef CONFIG_BPF_SYSCALL 7391 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), 7392 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), 7393 #endif 7394 #ifdef CONFIG_PERF_EVENTS 7395 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), 7396 #endif 7397 }; 7398 7399 static __init int selinux_init(void) 7400 { 7401 pr_info("SELinux: Initializing.\n"); 7402 7403 memset(&selinux_state, 0, sizeof(selinux_state)); 7404 enforcing_set(&selinux_state, selinux_enforcing_boot); 7405 checkreqprot_set(&selinux_state, selinux_checkreqprot_boot); 7406 selinux_avc_init(&selinux_state.avc); 7407 mutex_init(&selinux_state.status_lock); 7408 mutex_init(&selinux_state.policy_mutex); 7409 7410 /* Set the security state for the initial task. */ 7411 cred_init_security(); 7412 7413 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7414 7415 avc_init(); 7416 7417 avtab_cache_init(); 7418 7419 ebitmap_cache_init(); 7420 7421 hashtab_cache_init(); 7422 7423 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 7424 7425 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7426 panic("SELinux: Unable to register AVC netcache callback\n"); 7427 7428 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7429 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7430 7431 if (selinux_enforcing_boot) 7432 pr_debug("SELinux: Starting in enforcing mode\n"); 7433 else 7434 pr_debug("SELinux: Starting in permissive mode\n"); 7435 7436 fs_validate_description("selinux", selinux_fs_parameters); 7437 7438 return 0; 7439 } 7440 7441 static void delayed_superblock_init(struct super_block *sb, void *unused) 7442 { 7443 selinux_set_mnt_opts(sb, NULL, 0, NULL); 7444 } 7445 7446 void selinux_complete_init(void) 7447 { 7448 pr_debug("SELinux: Completing initialization.\n"); 7449 7450 /* Set up any superblocks initialized prior to the policy load. */ 7451 pr_debug("SELinux: Setting up existing superblocks.\n"); 7452 iterate_supers(delayed_superblock_init, NULL); 7453 } 7454 7455 /* SELinux requires early initialization in order to label 7456 all processes and objects when they are created. */ 7457 DEFINE_LSM(selinux) = { 7458 .name = "selinux", 7459 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 7460 .enabled = &selinux_enabled_boot, 7461 .blobs = &selinux_blob_sizes, 7462 .init = selinux_init, 7463 }; 7464 7465 #if defined(CONFIG_NETFILTER) 7466 7467 static const struct nf_hook_ops selinux_nf_ops[] = { 7468 { 7469 .hook = selinux_ipv4_postroute, 7470 .pf = NFPROTO_IPV4, 7471 .hooknum = NF_INET_POST_ROUTING, 7472 .priority = NF_IP_PRI_SELINUX_LAST, 7473 }, 7474 { 7475 .hook = selinux_ipv4_forward, 7476 .pf = NFPROTO_IPV4, 7477 .hooknum = NF_INET_FORWARD, 7478 .priority = NF_IP_PRI_SELINUX_FIRST, 7479 }, 7480 { 7481 .hook = selinux_ipv4_output, 7482 .pf = NFPROTO_IPV4, 7483 .hooknum = NF_INET_LOCAL_OUT, 7484 .priority = NF_IP_PRI_SELINUX_FIRST, 7485 }, 7486 #if IS_ENABLED(CONFIG_IPV6) 7487 { 7488 .hook = selinux_ipv6_postroute, 7489 .pf = NFPROTO_IPV6, 7490 .hooknum = NF_INET_POST_ROUTING, 7491 .priority = NF_IP6_PRI_SELINUX_LAST, 7492 }, 7493 { 7494 .hook = selinux_ipv6_forward, 7495 .pf = NFPROTO_IPV6, 7496 .hooknum = NF_INET_FORWARD, 7497 .priority = NF_IP6_PRI_SELINUX_FIRST, 7498 }, 7499 { 7500 .hook = selinux_ipv6_output, 7501 .pf = NFPROTO_IPV6, 7502 .hooknum = NF_INET_LOCAL_OUT, 7503 .priority = NF_IP6_PRI_SELINUX_FIRST, 7504 }, 7505 #endif /* IPV6 */ 7506 }; 7507 7508 static int __net_init selinux_nf_register(struct net *net) 7509 { 7510 return nf_register_net_hooks(net, selinux_nf_ops, 7511 ARRAY_SIZE(selinux_nf_ops)); 7512 } 7513 7514 static void __net_exit selinux_nf_unregister(struct net *net) 7515 { 7516 nf_unregister_net_hooks(net, selinux_nf_ops, 7517 ARRAY_SIZE(selinux_nf_ops)); 7518 } 7519 7520 static struct pernet_operations selinux_net_ops = { 7521 .init = selinux_nf_register, 7522 .exit = selinux_nf_unregister, 7523 }; 7524 7525 static int __init selinux_nf_ip_init(void) 7526 { 7527 int err; 7528 7529 if (!selinux_enabled_boot) 7530 return 0; 7531 7532 pr_debug("SELinux: Registering netfilter hooks\n"); 7533 7534 err = register_pernet_subsys(&selinux_net_ops); 7535 if (err) 7536 panic("SELinux: register_pernet_subsys: error %d\n", err); 7537 7538 return 0; 7539 } 7540 __initcall(selinux_nf_ip_init); 7541 7542 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7543 static void selinux_nf_ip_exit(void) 7544 { 7545 pr_debug("SELinux: Unregistering netfilter hooks\n"); 7546 7547 unregister_pernet_subsys(&selinux_net_ops); 7548 } 7549 #endif 7550 7551 #else /* CONFIG_NETFILTER */ 7552 7553 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7554 #define selinux_nf_ip_exit() 7555 #endif 7556 7557 #endif /* CONFIG_NETFILTER */ 7558 7559 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7560 int selinux_disable(struct selinux_state *state) 7561 { 7562 if (selinux_initialized(state)) { 7563 /* Not permitted after initial policy load. */ 7564 return -EINVAL; 7565 } 7566 7567 if (selinux_disabled(state)) { 7568 /* Only do this once. */ 7569 return -EINVAL; 7570 } 7571 7572 selinux_mark_disabled(state); 7573 7574 pr_info("SELinux: Disabled at runtime.\n"); 7575 7576 /* 7577 * Unregister netfilter hooks. 7578 * Must be done before security_delete_hooks() to avoid breaking 7579 * runtime disable. 7580 */ 7581 selinux_nf_ip_exit(); 7582 7583 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7584 7585 /* Try to destroy the avc node cache */ 7586 avc_disable(); 7587 7588 /* Unregister selinuxfs. */ 7589 exit_sel_fs(); 7590 7591 return 0; 7592 } 7593 #endif 7594