]> git.ipfire.org Git - thirdparty/linux.git/blob - security/selinux/hooks.c
projects / thirdparty / linux.git / blob
? search:


595ceb314aeb3ee12a5966792e1cda88b2bdf107
[thirdparty/linux.git] / security / selinux / hooks.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7 * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com>
8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16 * <dgoeddel@trustedcs.com>
17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18 * Paul Moore <paul@paul-moore.com>
19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * Copyright (C) 2016 Mellanox Technologies
22 */
23
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h> /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/sctp.h>
69 #include <net/sctp/structs.h>
70 #include <linux/quota.h>
71 #include <linux/un.h> /* for Unix socket types */
72 #include <net/af_unix.h> /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
75 #include <net/ipv6.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/mutex.h>
81 #include <linux/posix-timers.h>
82 #include <linux/syslog.h>
83 #include <linux/user_namespace.h>
84 #include <linux/export.h>
85 #include <linux/msg.h>
86 #include <linux/shm.h>
87 #include <uapi/linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h> /* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94 #include <linux/io_uring/cmd.h>
95 #include <uapi/linux/lsm.h>
96
97 #include "avc.h"
98 #include "objsec.h"
99 #include "netif.h"
100 #include "netnode.h"
101 #include "netport.h"
102 #include "ibpkey.h"
103 #include "xfrm.h"
104 #include "netlabel.h"
105 #include "audit.h"
106 #include "avc_ss.h"
107
108 #define SELINUX_INODE_INIT_XATTRS 1
109
110 struct selinux_state selinux_state;
111
112 /* SECMARK reference count */
113 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
114
115 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
116 static int selinux_enforcing_boot __initdata;
117
118 static int __init enforcing_setup(char *str)
119 {
120 unsigned long enforcing;
121 if (!kstrtoul(str, 0, &enforcing))
122 selinux_enforcing_boot = enforcing ? 1 : 0;
123 return 1;
124 }
125 __setup("enforcing=", enforcing_setup);
126 #else
127 #define selinux_enforcing_boot 1
128 #endif
129
130 int selinux_enabled_boot __initdata = 1;
131 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
132 static int __init selinux_enabled_setup(char *str)
133 {
134 unsigned long enabled;
135 if (!kstrtoul(str, 0, &enabled))
136 selinux_enabled_boot = enabled ? 1 : 0;
137 return 1;
138 }
139 __setup("selinux=", selinux_enabled_setup);
140 #endif
141
142 static int __init checkreqprot_setup(char *str)
143 {
144 unsigned long checkreqprot;
145
146 if (!kstrtoul(str, 0, &checkreqprot)) {
147 if (checkreqprot)
148 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is no longer supported.\n");
149 }
150 return 1;
151 }
152 __setup("checkreqprot=", checkreqprot_setup);
153
154 /**
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156 *
157 * Description:
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
163 *
164 */
165 static int selinux_secmark_enabled(void)
166 {
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
169 }
170
171 /**
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173 *
174 * Description:
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
179 *
180 */
181 static int selinux_peerlbl_enabled(void)
182 {
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
185 }
186
187 static int selinux_netcache_avc_callback(u32 event)
188 {
189 if (event == AVC_CALLBACK_RESET) {
190 sel_netif_flush();
191 sel_netnode_flush();
192 sel_netport_flush();
193 synchronize_net();
194 }
195 return 0;
196 }
197
198 static int selinux_lsm_notifier_avc_callback(u32 event)
199 {
200 if (event == AVC_CALLBACK_RESET) {
201 sel_ib_pkey_flush();
202 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203 }
204
205 return 0;
206 }
207
208 /*
209 * initialise the security for the init task
210 */
211 static void cred_init_security(void)
212 {
213 struct task_security_struct *tsec;
214
215 /* NOTE: the lsm framework zeros out the buffer on allocation */
216
217 tsec = selinux_cred(unrcu_pointer(current->real_cred));
218 tsec->osid = tsec->sid = tsec->avdcache.sid = SECINITSID_KERNEL;
219 }
220
221 /*
222 * get the security ID of a set of credentials
223 */
224 static inline u32 cred_sid(const struct cred *cred)
225 {
226 const struct task_security_struct *tsec;
227
228 tsec = selinux_cred(cred);
229 return tsec->sid;
230 }
231
232 static void __ad_net_init(struct common_audit_data *ad,
233 struct lsm_network_audit *net,
234 int ifindex, struct sock *sk, u16 family)
235 {
236 ad->type = LSM_AUDIT_DATA_NET;
237 ad->u.net = net;
238 net->netif = ifindex;
239 net->sk = sk;
240 net->family = family;
241 }
242
243 static void ad_net_init_from_sk(struct common_audit_data *ad,
244 struct lsm_network_audit *net,
245 struct sock *sk)
246 {
247 __ad_net_init(ad, net, 0, sk, 0);
248 }
249
250 static void ad_net_init_from_iif(struct common_audit_data *ad,
251 struct lsm_network_audit *net,
252 int ifindex, u16 family)
253 {
254 __ad_net_init(ad, net, ifindex, NULL, family);
255 }
256
257 /*
258 * get the objective security ID of a task
259 */
260 static inline u32 task_sid_obj(const struct task_struct *task)
261 {
262 u32 sid;
263
264 rcu_read_lock();
265 sid = cred_sid(__task_cred(task));
266 rcu_read_unlock();
267 return sid;
268 }
269
270 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
271
272 /*
273 * Try reloading inode security labels that have been marked as invalid. The
274 * @may_sleep parameter indicates when sleeping and thus reloading labels is
275 * allowed; when set to false, returns -ECHILD when the label is
276 * invalid. The @dentry parameter should be set to a dentry of the inode.
277 */
278 static int __inode_security_revalidate(struct inode *inode,
279 struct dentry *dentry,
280 bool may_sleep)
281 {
282 if (!selinux_initialized())
283 return 0;
284
285 if (may_sleep)
286 might_sleep();
287 else
288 return -ECHILD;
289
290 /*
291 * Check to ensure that an inode's SELinux state is valid and try
292 * reloading the inode security label if necessary. This will fail if
293 * @dentry is NULL and no dentry for this inode can be found; in that
294 * case, continue using the old label.
295 */
296 inode_doinit_with_dentry(inode, dentry);
297 return 0;
298 }
299
300 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
301 {
302 return selinux_inode(inode);
303 }
304
305 static inline struct inode_security_struct *inode_security_rcu(struct inode *inode,
306 bool rcu)
307 {
308 int rc;
309 struct inode_security_struct *isec = selinux_inode(inode);
310
311 /* check below is racy, but revalidate will recheck with lock held */
312 if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))
313 return isec;
314 rc = __inode_security_revalidate(inode, NULL, !rcu);
315 if (rc)
316 return ERR_PTR(rc);
317 return isec;
318 }
319
320 /*
321 * Get the security label of an inode.
322 */
323 static inline struct inode_security_struct *inode_security(struct inode *inode)
324 {
325 struct inode_security_struct *isec = selinux_inode(inode);
326
327 /* check below is racy, but revalidate will recheck with lock held */
328 if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))
329 return isec;
330 __inode_security_revalidate(inode, NULL, true);
331 return isec;
332 }
333
334 static inline struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
335 {
336 return selinux_inode(d_backing_inode(dentry));
337 }
338
339 /*
340 * Get the security label of a dentry's backing inode.
341 */
342 static inline struct inode_security_struct *backing_inode_security(struct dentry *dentry)
343 {
344 struct inode *inode = d_backing_inode(dentry);
345 struct inode_security_struct *isec = selinux_inode(inode);
346
347 /* check below is racy, but revalidate will recheck with lock held */
348 if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))
349 return isec;
350 __inode_security_revalidate(inode, dentry, true);
351 return isec;
352 }
353
354 static void inode_free_security(struct inode *inode)
355 {
356 struct inode_security_struct *isec = selinux_inode(inode);
357 struct superblock_security_struct *sbsec;
358
359 if (!isec)
360 return;
361 sbsec = selinux_superblock(inode->i_sb);
362 /*
363 * As not all inode security structures are in a list, we check for
364 * empty list outside of the lock to make sure that we won't waste
365 * time taking a lock doing nothing.
366 *
367 * The list_del_init() function can be safely called more than once.
368 * It should not be possible for this function to be called with
369 * concurrent list_add(), but for better safety against future changes
370 * in the code, we use list_empty_careful() here.
371 */
372 if (!list_empty_careful(&isec->list)) {
373 spin_lock(&sbsec->isec_lock);
374 list_del_init(&isec->list);
375 spin_unlock(&sbsec->isec_lock);
376 }
377 }
378
379 struct selinux_mnt_opts {
380 u32 fscontext_sid;
381 u32 context_sid;
382 u32 rootcontext_sid;
383 u32 defcontext_sid;
384 };
385
386 static void selinux_free_mnt_opts(void *mnt_opts)
387 {
388 kfree(mnt_opts);
389 }
390
391 enum {
392 Opt_error = -1,
393 Opt_context = 0,
394 Opt_defcontext = 1,
395 Opt_fscontext = 2,
396 Opt_rootcontext = 3,
397 Opt_seclabel = 4,
398 };
399
400 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
401 static const struct {
402 const char *name;
403 int len;
404 int opt;
405 bool has_arg;
406 } tokens[] = {
407 A(context, true),
408 A(fscontext, true),
409 A(defcontext, true),
410 A(rootcontext, true),
411 A(seclabel, false),
412 };
413 #undef A
414
415 static int match_opt_prefix(char *s, int l, char **arg)
416 {
417 unsigned int i;
418
419 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
420 size_t len = tokens[i].len;
421 if (len > l || memcmp(s, tokens[i].name, len))
422 continue;
423 if (tokens[i].has_arg) {
424 if (len == l || s[len] != '=')
425 continue;
426 *arg = s + len + 1;
427 } else if (len != l)
428 continue;
429 return tokens[i].opt;
430 }
431 return Opt_error;
432 }
433
434 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
435
436 static int may_context_mount_sb_relabel(u32 sid,
437 struct superblock_security_struct *sbsec,
438 const struct cred *cred)
439 {
440 const struct task_security_struct *tsec = selinux_cred(cred);
441 int rc;
442
443 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
444 FILESYSTEM__RELABELFROM, NULL);
445 if (rc)
446 return rc;
447
448 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
449 FILESYSTEM__RELABELTO, NULL);
450 return rc;
451 }
452
453 static int may_context_mount_inode_relabel(u32 sid,
454 struct superblock_security_struct *sbsec,
455 const struct cred *cred)
456 {
457 const struct task_security_struct *tsec = selinux_cred(cred);
458 int rc;
459 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
460 FILESYSTEM__RELABELFROM, NULL);
461 if (rc)
462 return rc;
463
464 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
465 FILESYSTEM__ASSOCIATE, NULL);
466 return rc;
467 }
468
469 static int selinux_is_genfs_special_handling(struct super_block *sb)
470 {
471 /* Special handling. Genfs but also in-core setxattr handler */
472 return !strcmp(sb->s_type->name, "sysfs") ||
473 !strcmp(sb->s_type->name, "pstore") ||
474 !strcmp(sb->s_type->name, "debugfs") ||
475 !strcmp(sb->s_type->name, "tracefs") ||
476 !strcmp(sb->s_type->name, "rootfs") ||
477 (selinux_policycap_cgroupseclabel() &&
478 (!strcmp(sb->s_type->name, "cgroup") ||
479 !strcmp(sb->s_type->name, "cgroup2")));
480 }
481
482 static int selinux_is_sblabel_mnt(struct super_block *sb)
483 {
484 struct superblock_security_struct *sbsec = selinux_superblock(sb);
485
486 /*
487 * IMPORTANT: Double-check logic in this function when adding a new
488 * SECURITY_FS_USE_* definition!
489 */
490 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
491
492 switch (sbsec->behavior) {
493 case SECURITY_FS_USE_XATTR:
494 case SECURITY_FS_USE_TRANS:
495 case SECURITY_FS_USE_TASK:
496 case SECURITY_FS_USE_NATIVE:
497 return 1;
498
499 case SECURITY_FS_USE_GENFS:
500 return selinux_is_genfs_special_handling(sb);
501
502 /* Never allow relabeling on context mounts */
503 case SECURITY_FS_USE_MNTPOINT:
504 case SECURITY_FS_USE_NONE:
505 default:
506 return 0;
507 }
508 }
509
510 static int sb_check_xattr_support(struct super_block *sb)
511 {
512 struct superblock_security_struct *sbsec = selinux_superblock(sb);
513 struct dentry *root = sb->s_root;
514 struct inode *root_inode = d_backing_inode(root);
515 u32 sid;
516 int rc;
517
518 /*
519 * Make sure that the xattr handler exists and that no
520 * error other than -ENODATA is returned by getxattr on
521 * the root directory. -ENODATA is ok, as this may be
522 * the first boot of the SELinux kernel before we have
523 * assigned xattr values to the filesystem.
524 */
525 if (!(root_inode->i_opflags & IOP_XATTR)) {
526 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
527 sb->s_id, sb->s_type->name);
528 goto fallback;
529 }
530
531 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
532 if (rc < 0 && rc != -ENODATA) {
533 if (rc == -EOPNOTSUPP) {
534 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
535 sb->s_id, sb->s_type->name);
536 goto fallback;
537 } else {
538 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
539 sb->s_id, sb->s_type->name, -rc);
540 return rc;
541 }
542 }
543 return 0;
544
545 fallback:
546 /* No xattr support - try to fallback to genfs if possible. */
547 rc = security_genfs_sid(sb->s_type->name, "/",
548 SECCLASS_DIR, &sid);
549 if (rc)
550 return -EOPNOTSUPP;
551
552 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
553 sb->s_id, sb->s_type->name);
554 sbsec->behavior = SECURITY_FS_USE_GENFS;
555 sbsec->sid = sid;
556 return 0;
557 }
558
559 static int sb_finish_set_opts(struct super_block *sb)
560 {
561 struct superblock_security_struct *sbsec = selinux_superblock(sb);
562 struct dentry *root = sb->s_root;
563 struct inode *root_inode = d_backing_inode(root);
564 int rc = 0;
565
566 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
567 rc = sb_check_xattr_support(sb);
568 if (rc)
569 return rc;
570 }
571
572 sbsec->flags |= SE_SBINITIALIZED;
573
574 /*
575 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
576 * leave the flag untouched because sb_clone_mnt_opts might be handing
577 * us a superblock that needs the flag to be cleared.
578 */
579 if (selinux_is_sblabel_mnt(sb))
580 sbsec->flags |= SBLABEL_MNT;
581 else
582 sbsec->flags &= ~SBLABEL_MNT;
583
584 /* Initialize the root inode. */
585 rc = inode_doinit_with_dentry(root_inode, root);
586
587 /* Initialize any other inodes associated with the superblock, e.g.
588 inodes created prior to initial policy load or inodes created
589 during get_sb by a pseudo filesystem that directly
590 populates itself. */
591 spin_lock(&sbsec->isec_lock);
592 while (!list_empty(&sbsec->isec_head)) {
593 struct inode_security_struct *isec =
594 list_first_entry(&sbsec->isec_head,
595 struct inode_security_struct, list);
596 struct inode *inode = isec->inode;
597 list_del_init(&isec->list);
598 spin_unlock(&sbsec->isec_lock);
599 inode = igrab(inode);
600 if (inode) {
601 if (!IS_PRIVATE(inode))
602 inode_doinit_with_dentry(inode, NULL);
603 iput(inode);
604 }
605 spin_lock(&sbsec->isec_lock);
606 }
607 spin_unlock(&sbsec->isec_lock);
608 return rc;
609 }
610
611 static int bad_option(struct superblock_security_struct *sbsec, char flag,
612 u32 old_sid, u32 new_sid)
613 {
614 char mnt_flags = sbsec->flags & SE_MNTMASK;
615
616 /* check if the old mount command had the same options */
617 if (sbsec->flags & SE_SBINITIALIZED)
618 if (!(sbsec->flags & flag) ||
619 (old_sid != new_sid))
620 return 1;
621
622 /* check if we were passed the same options twice,
623 * aka someone passed context=a,context=b
624 */
625 if (!(sbsec->flags & SE_SBINITIALIZED))
626 if (mnt_flags & flag)
627 return 1;
628 return 0;
629 }
630
631 /*
632 * Allow filesystems with binary mount data to explicitly set mount point
633 * labeling information.
634 */
635 static int selinux_set_mnt_opts(struct super_block *sb,
636 void *mnt_opts,
637 unsigned long kern_flags,
638 unsigned long *set_kern_flags)
639 {
640 const struct cred *cred = current_cred();
641 struct superblock_security_struct *sbsec = selinux_superblock(sb);
642 struct dentry *root = sb->s_root;
643 struct selinux_mnt_opts *opts = mnt_opts;
644 struct inode_security_struct *root_isec;
645 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
646 u32 defcontext_sid = 0;
647 int rc = 0;
648
649 /*
650 * Specifying internal flags without providing a place to
651 * place the results is not allowed
652 */
653 if (kern_flags && !set_kern_flags)
654 return -EINVAL;
655
656 mutex_lock(&sbsec->lock);
657
658 if (!selinux_initialized()) {
659 if (!opts) {
660 /* Defer initialization until selinux_complete_init,
661 after the initial policy is loaded and the security
662 server is ready to handle calls. */
663 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
664 sbsec->flags |= SE_SBNATIVE;
665 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
666 }
667 goto out;
668 }
669 rc = -EINVAL;
670 pr_warn("SELinux: Unable to set superblock options "
671 "before the security server is initialized\n");
672 goto out;
673 }
674
675 /*
676 * Binary mount data FS will come through this function twice. Once
677 * from an explicit call and once from the generic calls from the vfs.
678 * Since the generic VFS calls will not contain any security mount data
679 * we need to skip the double mount verification.
680 *
681 * This does open a hole in which we will not notice if the first
682 * mount using this sb set explicit options and a second mount using
683 * this sb does not set any security options. (The first options
684 * will be used for both mounts)
685 */
686 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
687 && !opts)
688 goto out;
689
690 root_isec = backing_inode_security_novalidate(root);
691
692 /*
693 * parse the mount options, check if they are valid sids.
694 * also check if someone is trying to mount the same sb more
695 * than once with different security options.
696 */
697 if (opts) {
698 if (opts->fscontext_sid) {
699 fscontext_sid = opts->fscontext_sid;
700 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
701 fscontext_sid))
702 goto out_double_mount;
703 sbsec->flags |= FSCONTEXT_MNT;
704 }
705 if (opts->context_sid) {
706 context_sid = opts->context_sid;
707 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
708 context_sid))
709 goto out_double_mount;
710 sbsec->flags |= CONTEXT_MNT;
711 }
712 if (opts->rootcontext_sid) {
713 rootcontext_sid = opts->rootcontext_sid;
714 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
715 rootcontext_sid))
716 goto out_double_mount;
717 sbsec->flags |= ROOTCONTEXT_MNT;
718 }
719 if (opts->defcontext_sid) {
720 defcontext_sid = opts->defcontext_sid;
721 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
722 defcontext_sid))
723 goto out_double_mount;
724 sbsec->flags |= DEFCONTEXT_MNT;
725 }
726 }
727
728 if (sbsec->flags & SE_SBINITIALIZED) {
729 /* previously mounted with options, but not on this attempt? */
730 if ((sbsec->flags & SE_MNTMASK) && !opts)
731 goto out_double_mount;
732 rc = 0;
733 goto out;
734 }
735
736 if (strcmp(sb->s_type->name, "proc") == 0)
737 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
738
739 if (!strcmp(sb->s_type->name, "debugfs") ||
740 !strcmp(sb->s_type->name, "tracefs") ||
741 !strcmp(sb->s_type->name, "binder") ||
742 !strcmp(sb->s_type->name, "bpf") ||
743 !strcmp(sb->s_type->name, "pstore") ||
744 !strcmp(sb->s_type->name, "securityfs"))
745 sbsec->flags |= SE_SBGENFS;
746
747 if (!strcmp(sb->s_type->name, "sysfs") ||
748 !strcmp(sb->s_type->name, "cgroup") ||
749 !strcmp(sb->s_type->name, "cgroup2"))
750 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
751
752 if (!sbsec->behavior) {
753 /*
754 * Determine the labeling behavior to use for this
755 * filesystem type.
756 */
757 rc = security_fs_use(sb);
758 if (rc) {
759 pr_warn("%s: security_fs_use(%s) returned %d\n",
760 __func__, sb->s_type->name, rc);
761 goto out;
762 }
763 }
764
765 /*
766 * If this is a user namespace mount and the filesystem type is not
767 * explicitly whitelisted, then no contexts are allowed on the command
768 * line and security labels must be ignored.
769 */
770 if (sb->s_user_ns != &init_user_ns &&
771 strcmp(sb->s_type->name, "tmpfs") &&
772 strcmp(sb->s_type->name, "ramfs") &&
773 strcmp(sb->s_type->name, "devpts") &&
774 strcmp(sb->s_type->name, "overlay")) {
775 if (context_sid || fscontext_sid || rootcontext_sid ||
776 defcontext_sid) {
777 rc = -EACCES;
778 goto out;
779 }
780 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
781 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
782 rc = security_transition_sid(current_sid(),
783 current_sid(),
784 SECCLASS_FILE, NULL,
785 &sbsec->mntpoint_sid);
786 if (rc)
787 goto out;
788 }
789 goto out_set_opts;
790 }
791
792 /* sets the context of the superblock for the fs being mounted. */
793 if (fscontext_sid) {
794 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
795 if (rc)
796 goto out;
797
798 sbsec->sid = fscontext_sid;
799 }
800
801 /*
802 * Switch to using mount point labeling behavior.
803 * sets the label used on all file below the mountpoint, and will set
804 * the superblock context if not already set.
805 */
806 if (sbsec->flags & SE_SBNATIVE) {
807 /*
808 * This means we are initializing a superblock that has been
809 * mounted before the SELinux was initialized and the
810 * filesystem requested native labeling. We had already
811 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags
812 * in the original mount attempt, so now we just need to set
813 * the SECURITY_FS_USE_NATIVE behavior.
814 */
815 sbsec->behavior = SECURITY_FS_USE_NATIVE;
816 } else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
817 sbsec->behavior = SECURITY_FS_USE_NATIVE;
818 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
819 }
820
821 if (context_sid) {
822 if (!fscontext_sid) {
823 rc = may_context_mount_sb_relabel(context_sid, sbsec,
824 cred);
825 if (rc)
826 goto out;
827 sbsec->sid = context_sid;
828 } else {
829 rc = may_context_mount_inode_relabel(context_sid, sbsec,
830 cred);
831 if (rc)
832 goto out;
833 }
834 if (!rootcontext_sid)
835 rootcontext_sid = context_sid;
836
837 sbsec->mntpoint_sid = context_sid;
838 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
839 }
840
841 if (rootcontext_sid) {
842 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
843 cred);
844 if (rc)
845 goto out;
846
847 root_isec->sid = rootcontext_sid;
848 root_isec->initialized = LABEL_INITIALIZED;
849 }
850
851 if (defcontext_sid) {
852 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
853 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
854 rc = -EINVAL;
855 pr_warn("SELinux: defcontext option is "
856 "invalid for this filesystem type\n");
857 goto out;
858 }
859
860 if (defcontext_sid != sbsec->def_sid) {
861 rc = may_context_mount_inode_relabel(defcontext_sid,
862 sbsec, cred);
863 if (rc)
864 goto out;
865 }
866
867 sbsec->def_sid = defcontext_sid;
868 }
869
870 out_set_opts:
871 rc = sb_finish_set_opts(sb);
872 out:
873 mutex_unlock(&sbsec->lock);
874 return rc;
875 out_double_mount:
876 rc = -EINVAL;
877 pr_warn("SELinux: mount invalid. Same superblock, different "
878 "security settings for (dev %s, type %s)\n", sb->s_id,
879 sb->s_type->name);
880 goto out;
881 }
882
883 static int selinux_cmp_sb_context(const struct super_block *oldsb,
884 const struct super_block *newsb)
885 {
886 struct superblock_security_struct *old = selinux_superblock(oldsb);
887 struct superblock_security_struct *new = selinux_superblock(newsb);
888 char oldflags = old->flags & SE_MNTMASK;
889 char newflags = new->flags & SE_MNTMASK;
890
891 if (oldflags != newflags)
892 goto mismatch;
893 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
894 goto mismatch;
895 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
896 goto mismatch;
897 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
898 goto mismatch;
899 if (oldflags & ROOTCONTEXT_MNT) {
900 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
901 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
902 if (oldroot->sid != newroot->sid)
903 goto mismatch;
904 }
905 return 0;
906 mismatch:
907 pr_warn("SELinux: mount invalid. Same superblock, "
908 "different security settings for (dev %s, "
909 "type %s)\n", newsb->s_id, newsb->s_type->name);
910 return -EBUSY;
911 }
912
913 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
914 struct super_block *newsb,
915 unsigned long kern_flags,
916 unsigned long *set_kern_flags)
917 {
918 int rc = 0;
919 const struct superblock_security_struct *oldsbsec =
920 selinux_superblock(oldsb);
921 struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
922
923 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
924 int set_context = (oldsbsec->flags & CONTEXT_MNT);
925 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
926
927 /*
928 * Specifying internal flags without providing a place to
929 * place the results is not allowed.
930 */
931 if (kern_flags && !set_kern_flags)
932 return -EINVAL;
933
934 mutex_lock(&newsbsec->lock);
935
936 /*
937 * if the parent was able to be mounted it clearly had no special lsm
938 * mount options. thus we can safely deal with this superblock later
939 */
940 if (!selinux_initialized()) {
941 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
942 newsbsec->flags |= SE_SBNATIVE;
943 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
944 }
945 goto out;
946 }
947
948 /* how can we clone if the old one wasn't set up?? */
949 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
950
951 /* if fs is reusing a sb, make sure that the contexts match */
952 if (newsbsec->flags & SE_SBINITIALIZED) {
953 mutex_unlock(&newsbsec->lock);
954 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
955 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
956 return selinux_cmp_sb_context(oldsb, newsb);
957 }
958
959 newsbsec->flags = oldsbsec->flags;
960
961 newsbsec->sid = oldsbsec->sid;
962 newsbsec->def_sid = oldsbsec->def_sid;
963 newsbsec->behavior = oldsbsec->behavior;
964
965 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
966 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
967 rc = security_fs_use(newsb);
968 if (rc)
969 goto out;
970 }
971
972 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
973 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
974 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
975 }
976
977 if (set_context) {
978 u32 sid = oldsbsec->mntpoint_sid;
979
980 if (!set_fscontext)
981 newsbsec->sid = sid;
982 if (!set_rootcontext) {
983 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
984 newisec->sid = sid;
985 }
986 newsbsec->mntpoint_sid = sid;
987 }
988 if (set_rootcontext) {
989 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
990 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
991
992 newisec->sid = oldisec->sid;
993 }
994
995 sb_finish_set_opts(newsb);
996 out:
997 mutex_unlock(&newsbsec->lock);
998 return rc;
999 }
1000
1001 /*
1002 * NOTE: the caller is responsible for freeing the memory even if on error.
1003 */
1004 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
1005 {
1006 struct selinux_mnt_opts *opts = *mnt_opts;
1007 u32 *dst_sid;
1008 int rc;
1009
1010 if (token == Opt_seclabel)
1011 /* eaten and completely ignored */
1012 return 0;
1013 if (!s)
1014 return -EINVAL;
1015
1016 if (!selinux_initialized()) {
1017 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
1018 return -EINVAL;
1019 }
1020
1021 if (!opts) {
1022 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
1023 if (!opts)
1024 return -ENOMEM;
1025 *mnt_opts = opts;
1026 }
1027
1028 switch (token) {
1029 case Opt_context:
1030 if (opts->context_sid || opts->defcontext_sid)
1031 goto err;
1032 dst_sid = &opts->context_sid;
1033 break;
1034 case Opt_fscontext:
1035 if (opts->fscontext_sid)
1036 goto err;
1037 dst_sid = &opts->fscontext_sid;
1038 break;
1039 case Opt_rootcontext:
1040 if (opts->rootcontext_sid)
1041 goto err;
1042 dst_sid = &opts->rootcontext_sid;
1043 break;
1044 case Opt_defcontext:
1045 if (opts->context_sid || opts->defcontext_sid)
1046 goto err;
1047 dst_sid = &opts->defcontext_sid;
1048 break;
1049 default:
1050 WARN_ON(1);
1051 return -EINVAL;
1052 }
1053 rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL);
1054 if (rc)
1055 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1056 s, rc);
1057 return rc;
1058
1059 err:
1060 pr_warn(SEL_MOUNT_FAIL_MSG);
1061 return -EINVAL;
1062 }
1063
1064 static int show_sid(struct seq_file *m, u32 sid)
1065 {
1066 char *context = NULL;
1067 u32 len;
1068 int rc;
1069
1070 rc = security_sid_to_context(sid, &context, &len);
1071 if (!rc) {
1072 bool has_comma = strchr(context, ',');
1073
1074 seq_putc(m, '=');
1075 if (has_comma)
1076 seq_putc(m, '\"');
1077 seq_escape(m, context, "\"\n\\");
1078 if (has_comma)
1079 seq_putc(m, '\"');
1080 }
1081 kfree(context);
1082 return rc;
1083 }
1084
1085 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1086 {
1087 struct superblock_security_struct *sbsec = selinux_superblock(sb);
1088 int rc;
1089
1090 if (!(sbsec->flags & SE_SBINITIALIZED))
1091 return 0;
1092
1093 if (!selinux_initialized())
1094 return 0;
1095
1096 if (sbsec->flags & FSCONTEXT_MNT) {
1097 seq_putc(m, ',');
1098 seq_puts(m, FSCONTEXT_STR);
1099 rc = show_sid(m, sbsec->sid);
1100 if (rc)
1101 return rc;
1102 }
1103 if (sbsec->flags & CONTEXT_MNT) {
1104 seq_putc(m, ',');
1105 seq_puts(m, CONTEXT_STR);
1106 rc = show_sid(m, sbsec->mntpoint_sid);
1107 if (rc)
1108 return rc;
1109 }
1110 if (sbsec->flags & DEFCONTEXT_MNT) {
1111 seq_putc(m, ',');
1112 seq_puts(m, DEFCONTEXT_STR);
1113 rc = show_sid(m, sbsec->def_sid);
1114 if (rc)
1115 return rc;
1116 }
1117 if (sbsec->flags & ROOTCONTEXT_MNT) {
1118 struct dentry *root = sb->s_root;
1119 struct inode_security_struct *isec = backing_inode_security(root);
1120 seq_putc(m, ',');
1121 seq_puts(m, ROOTCONTEXT_STR);
1122 rc = show_sid(m, isec->sid);
1123 if (rc)
1124 return rc;
1125 }
1126 if (sbsec->flags & SBLABEL_MNT) {
1127 seq_putc(m, ',');
1128 seq_puts(m, SECLABEL_STR);
1129 }
1130 return 0;
1131 }
1132
1133 static inline u16 inode_mode_to_security_class(umode_t mode)
1134 {
1135 switch (mode & S_IFMT) {
1136 case S_IFSOCK:
1137 return SECCLASS_SOCK_FILE;
1138 case S_IFLNK:
1139 return SECCLASS_LNK_FILE;
1140 case S_IFREG:
1141 return SECCLASS_FILE;
1142 case S_IFBLK:
1143 return SECCLASS_BLK_FILE;
1144 case S_IFDIR:
1145 return SECCLASS_DIR;
1146 case S_IFCHR:
1147 return SECCLASS_CHR_FILE;
1148 case S_IFIFO:
1149 return SECCLASS_FIFO_FILE;
1150
1151 }
1152
1153 return SECCLASS_FILE;
1154 }
1155
1156 static inline int default_protocol_stream(int protocol)
1157 {
1158 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1159 protocol == IPPROTO_MPTCP);
1160 }
1161
1162 static inline int default_protocol_dgram(int protocol)
1163 {
1164 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1165 }
1166
1167 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1168 {
1169 bool extsockclass = selinux_policycap_extsockclass();
1170
1171 switch (family) {
1172 case PF_UNIX:
1173 switch (type) {
1174 case SOCK_STREAM:
1175 case SOCK_SEQPACKET:
1176 return SECCLASS_UNIX_STREAM_SOCKET;
1177 case SOCK_DGRAM:
1178 case SOCK_RAW:
1179 return SECCLASS_UNIX_DGRAM_SOCKET;
1180 }
1181 break;
1182 case PF_INET:
1183 case PF_INET6:
1184 switch (type) {
1185 case SOCK_STREAM:
1186 case SOCK_SEQPACKET:
1187 if (default_protocol_stream(protocol))
1188 return SECCLASS_TCP_SOCKET;
1189 else if (extsockclass && protocol == IPPROTO_SCTP)
1190 return SECCLASS_SCTP_SOCKET;
1191 else
1192 return SECCLASS_RAWIP_SOCKET;
1193 case SOCK_DGRAM:
1194 if (default_protocol_dgram(protocol))
1195 return SECCLASS_UDP_SOCKET;
1196 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1197 protocol == IPPROTO_ICMPV6))
1198 return SECCLASS_ICMP_SOCKET;
1199 else
1200 return SECCLASS_RAWIP_SOCKET;
1201 default:
1202 return SECCLASS_RAWIP_SOCKET;
1203 }
1204 break;
1205 case PF_NETLINK:
1206 switch (protocol) {
1207 case NETLINK_ROUTE:
1208 return SECCLASS_NETLINK_ROUTE_SOCKET;
1209 case NETLINK_SOCK_DIAG:
1210 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1211 case NETLINK_NFLOG:
1212 return SECCLASS_NETLINK_NFLOG_SOCKET;
1213 case NETLINK_XFRM:
1214 return SECCLASS_NETLINK_XFRM_SOCKET;
1215 case NETLINK_SELINUX:
1216 return SECCLASS_NETLINK_SELINUX_SOCKET;
1217 case NETLINK_ISCSI:
1218 return SECCLASS_NETLINK_ISCSI_SOCKET;
1219 case NETLINK_AUDIT:
1220 return SECCLASS_NETLINK_AUDIT_SOCKET;
1221 case NETLINK_FIB_LOOKUP:
1222 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1223 case NETLINK_CONNECTOR:
1224 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1225 case NETLINK_NETFILTER:
1226 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1227 case NETLINK_DNRTMSG:
1228 return SECCLASS_NETLINK_DNRT_SOCKET;
1229 case NETLINK_KOBJECT_UEVENT:
1230 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1231 case NETLINK_GENERIC:
1232 return SECCLASS_NETLINK_GENERIC_SOCKET;
1233 case NETLINK_SCSITRANSPORT:
1234 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1235 case NETLINK_RDMA:
1236 return SECCLASS_NETLINK_RDMA_SOCKET;
1237 case NETLINK_CRYPTO:
1238 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1239 default:
1240 return SECCLASS_NETLINK_SOCKET;
1241 }
1242 case PF_PACKET:
1243 return SECCLASS_PACKET_SOCKET;
1244 case PF_KEY:
1245 return SECCLASS_KEY_SOCKET;
1246 case PF_APPLETALK:
1247 return SECCLASS_APPLETALK_SOCKET;
1248 }
1249
1250 if (extsockclass) {
1251 switch (family) {
1252 case PF_AX25:
1253 return SECCLASS_AX25_SOCKET;
1254 case PF_IPX:
1255 return SECCLASS_IPX_SOCKET;
1256 case PF_NETROM:
1257 return SECCLASS_NETROM_SOCKET;
1258 case PF_ATMPVC:
1259 return SECCLASS_ATMPVC_SOCKET;
1260 case PF_X25:
1261 return SECCLASS_X25_SOCKET;
1262 case PF_ROSE:
1263 return SECCLASS_ROSE_SOCKET;
1264 case PF_DECnet:
1265 return SECCLASS_DECNET_SOCKET;
1266 case PF_ATMSVC:
1267 return SECCLASS_ATMSVC_SOCKET;
1268 case PF_RDS:
1269 return SECCLASS_RDS_SOCKET;
1270 case PF_IRDA:
1271 return SECCLASS_IRDA_SOCKET;
1272 case PF_PPPOX:
1273 return SECCLASS_PPPOX_SOCKET;
1274 case PF_LLC:
1275 return SECCLASS_LLC_SOCKET;
1276 case PF_CAN:
1277 return SECCLASS_CAN_SOCKET;
1278 case PF_TIPC:
1279 return SECCLASS_TIPC_SOCKET;
1280 case PF_BLUETOOTH:
1281 return SECCLASS_BLUETOOTH_SOCKET;
1282 case PF_IUCV:
1283 return SECCLASS_IUCV_SOCKET;
1284 case PF_RXRPC:
1285 return SECCLASS_RXRPC_SOCKET;
1286 case PF_ISDN:
1287 return SECCLASS_ISDN_SOCKET;
1288 case PF_PHONET:
1289 return SECCLASS_PHONET_SOCKET;
1290 case PF_IEEE802154:
1291 return SECCLASS_IEEE802154_SOCKET;
1292 case PF_CAIF:
1293 return SECCLASS_CAIF_SOCKET;
1294 case PF_ALG:
1295 return SECCLASS_ALG_SOCKET;
1296 case PF_NFC:
1297 return SECCLASS_NFC_SOCKET;
1298 case PF_VSOCK:
1299 return SECCLASS_VSOCK_SOCKET;
1300 case PF_KCM:
1301 return SECCLASS_KCM_SOCKET;
1302 case PF_QIPCRTR:
1303 return SECCLASS_QIPCRTR_SOCKET;
1304 case PF_SMC:
1305 return SECCLASS_SMC_SOCKET;
1306 case PF_XDP:
1307 return SECCLASS_XDP_SOCKET;
1308 case PF_MCTP:
1309 return SECCLASS_MCTP_SOCKET;
1310 #if PF_MAX > 46
1311 #error New address family defined, please update this function.
1312 #endif
1313 }
1314 }
1315
1316 return SECCLASS_SOCKET;
1317 }
1318
1319 static int selinux_genfs_get_sid(struct dentry *dentry,
1320 u16 tclass,
1321 u16 flags,
1322 u32 *sid)
1323 {
1324 int rc;
1325 struct super_block *sb = dentry->d_sb;
1326 char *buffer, *path;
1327
1328 buffer = (char *)__get_free_page(GFP_KERNEL);
1329 if (!buffer)
1330 return -ENOMEM;
1331
1332 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1333 if (IS_ERR(path))
1334 rc = PTR_ERR(path);
1335 else {
1336 if (flags & SE_SBPROC) {
1337 /* each process gets a /proc/PID/ entry. Strip off the
1338 * PID part to get a valid selinux labeling.
1339 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1340 while (path[1] >= '0' && path[1] <= '9') {
1341 path[1] = '/';
1342 path++;
1343 }
1344 }
1345 rc = security_genfs_sid(sb->s_type->name,
1346 path, tclass, sid);
1347 if (rc == -ENOENT) {
1348 /* No match in policy, mark as unlabeled. */
1349 *sid = SECINITSID_UNLABELED;
1350 rc = 0;
1351 }
1352 }
1353 free_page((unsigned long)buffer);
1354 return rc;
1355 }
1356
1357 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1358 u32 def_sid, u32 *sid)
1359 {
1360 #define INITCONTEXTLEN 255
1361 char *context;
1362 unsigned int len;
1363 int rc;
1364
1365 len = INITCONTEXTLEN;
1366 context = kmalloc(len + 1, GFP_NOFS);
1367 if (!context)
1368 return -ENOMEM;
1369
1370 context[len] = '\0';
1371 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1372 if (rc == -ERANGE) {
1373 kfree(context);
1374
1375 /* Need a larger buffer. Query for the right size. */
1376 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1377 if (rc < 0)
1378 return rc;
1379
1380 len = rc;
1381 context = kmalloc(len + 1, GFP_NOFS);
1382 if (!context)
1383 return -ENOMEM;
1384
1385 context[len] = '\0';
1386 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1387 context, len);
1388 }
1389 if (rc < 0) {
1390 kfree(context);
1391 if (rc != -ENODATA) {
1392 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1393 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1394 return rc;
1395 }
1396 *sid = def_sid;
1397 return 0;
1398 }
1399
1400 rc = security_context_to_sid_default(context, rc, sid,
1401 def_sid, GFP_NOFS);
1402 if (rc) {
1403 char *dev = inode->i_sb->s_id;
1404 unsigned long ino = inode->i_ino;
1405
1406 if (rc == -EINVAL) {
1407 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1408 ino, dev, context);
1409 } else {
1410 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1411 __func__, context, -rc, dev, ino);
1412 }
1413 }
1414 kfree(context);
1415 return 0;
1416 }
1417
1418 /* The inode's security attributes must be initialized before first use. */
1419 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1420 {
1421 struct superblock_security_struct *sbsec = NULL;
1422 struct inode_security_struct *isec = selinux_inode(inode);
1423 u32 task_sid, sid = 0;
1424 u16 sclass;
1425 struct dentry *dentry;
1426 int rc = 0;
1427
1428 if (isec->initialized == LABEL_INITIALIZED)
1429 return 0;
1430
1431 spin_lock(&isec->lock);
1432 if (isec->initialized == LABEL_INITIALIZED)
1433 goto out_unlock;
1434
1435 if (isec->sclass == SECCLASS_FILE)
1436 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1437
1438 sbsec = selinux_superblock(inode->i_sb);
1439 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1440 /* Defer initialization until selinux_complete_init,
1441 after the initial policy is loaded and the security
1442 server is ready to handle calls. */
1443 spin_lock(&sbsec->isec_lock);
1444 if (list_empty(&isec->list))
1445 list_add(&isec->list, &sbsec->isec_head);
1446 spin_unlock(&sbsec->isec_lock);
1447 goto out_unlock;
1448 }
1449
1450 sclass = isec->sclass;
1451 task_sid = isec->task_sid;
1452 sid = isec->sid;
1453 isec->initialized = LABEL_PENDING;
1454 spin_unlock(&isec->lock);
1455
1456 switch (sbsec->behavior) {
1457 /*
1458 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels
1459 * via xattr when called from delayed_superblock_init().
1460 */
1461 case SECURITY_FS_USE_NATIVE:
1462 case SECURITY_FS_USE_XATTR:
1463 if (!(inode->i_opflags & IOP_XATTR)) {
1464 sid = sbsec->def_sid;
1465 break;
1466 }
1467 /* Need a dentry, since the xattr API requires one.
1468 Life would be simpler if we could just pass the inode. */
1469 if (opt_dentry) {
1470 /* Called from d_instantiate or d_splice_alias. */
1471 dentry = dget(opt_dentry);
1472 } else {
1473 /*
1474 * Called from selinux_complete_init, try to find a dentry.
1475 * Some filesystems really want a connected one, so try
1476 * that first. We could split SECURITY_FS_USE_XATTR in
1477 * two, depending upon that...
1478 */
1479 dentry = d_find_alias(inode);
1480 if (!dentry)
1481 dentry = d_find_any_alias(inode);
1482 }
1483 if (!dentry) {
1484 /*
1485 * this is can be hit on boot when a file is accessed
1486 * before the policy is loaded. When we load policy we
1487 * may find inodes that have no dentry on the
1488 * sbsec->isec_head list. No reason to complain as these
1489 * will get fixed up the next time we go through
1490 * inode_doinit with a dentry, before these inodes could
1491 * be used again by userspace.
1492 */
1493 goto out_invalid;
1494 }
1495
1496 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1497 &sid);
1498 dput(dentry);
1499 if (rc)
1500 goto out;
1501 break;
1502 case SECURITY_FS_USE_TASK:
1503 sid = task_sid;
1504 break;
1505 case SECURITY_FS_USE_TRANS:
1506 /* Default to the fs SID. */
1507 sid = sbsec->sid;
1508
1509 /* Try to obtain a transition SID. */
1510 rc = security_transition_sid(task_sid, sid,
1511 sclass, NULL, &sid);
1512 if (rc)
1513 goto out;
1514 break;
1515 case SECURITY_FS_USE_MNTPOINT:
1516 sid = sbsec->mntpoint_sid;
1517 break;
1518 default:
1519 /* Default to the fs superblock SID. */
1520 sid = sbsec->sid;
1521
1522 if ((sbsec->flags & SE_SBGENFS) &&
1523 (!S_ISLNK(inode->i_mode) ||
1524 selinux_policycap_genfs_seclabel_symlinks())) {
1525 /* We must have a dentry to determine the label on
1526 * procfs inodes */
1527 if (opt_dentry) {
1528 /* Called from d_instantiate or
1529 * d_splice_alias. */
1530 dentry = dget(opt_dentry);
1531 } else {
1532 /* Called from selinux_complete_init, try to
1533 * find a dentry. Some filesystems really want
1534 * a connected one, so try that first.
1535 */
1536 dentry = d_find_alias(inode);
1537 if (!dentry)
1538 dentry = d_find_any_alias(inode);
1539 }
1540 /*
1541 * This can be hit on boot when a file is accessed
1542 * before the policy is loaded. When we load policy we
1543 * may find inodes that have no dentry on the
1544 * sbsec->isec_head list. No reason to complain as
1545 * these will get fixed up the next time we go through
1546 * inode_doinit() with a dentry, before these inodes
1547 * could be used again by userspace.
1548 */
1549 if (!dentry)
1550 goto out_invalid;
1551 rc = selinux_genfs_get_sid(dentry, sclass,
1552 sbsec->flags, &sid);
1553 if (rc) {
1554 dput(dentry);
1555 goto out;
1556 }
1557
1558 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1559 (inode->i_opflags & IOP_XATTR)) {
1560 rc = inode_doinit_use_xattr(inode, dentry,
1561 sid, &sid);
1562 if (rc) {
1563 dput(dentry);
1564 goto out;
1565 }
1566 }
1567 dput(dentry);
1568 }
1569 break;
1570 }
1571
1572 out:
1573 spin_lock(&isec->lock);
1574 if (isec->initialized == LABEL_PENDING) {
1575 if (rc) {
1576 isec->initialized = LABEL_INVALID;
1577 goto out_unlock;
1578 }
1579 isec->initialized = LABEL_INITIALIZED;
1580 isec->sid = sid;
1581 }
1582
1583 out_unlock:
1584 spin_unlock(&isec->lock);
1585 return rc;
1586
1587 out_invalid:
1588 spin_lock(&isec->lock);
1589 if (isec->initialized == LABEL_PENDING) {
1590 isec->initialized = LABEL_INVALID;
1591 isec->sid = sid;
1592 }
1593 spin_unlock(&isec->lock);
1594 return 0;
1595 }
1596
1597 /* Convert a Linux signal to an access vector. */
1598 static inline u32 signal_to_av(int sig)
1599 {
1600 u32 perm = 0;
1601
1602 switch (sig) {
1603 case SIGCHLD:
1604 /* Commonly granted from child to parent. */
1605 perm = PROCESS__SIGCHLD;
1606 break;
1607 case SIGKILL:
1608 /* Cannot be caught or ignored */
1609 perm = PROCESS__SIGKILL;
1610 break;
1611 case SIGSTOP:
1612 /* Cannot be caught or ignored */
1613 perm = PROCESS__SIGSTOP;
1614 break;
1615 default:
1616 /* All other signals. */
1617 perm = PROCESS__SIGNAL;
1618 break;
1619 }
1620
1621 return perm;
1622 }
1623
1624 #if CAP_LAST_CAP > 63
1625 #error Fix SELinux to handle capabilities > 63.
1626 #endif
1627
1628 /* Check whether a task is allowed to use a capability. */
1629 static int cred_has_capability(const struct cred *cred,
1630 int cap, unsigned int opts, bool initns)
1631 {
1632 struct common_audit_data ad;
1633 struct av_decision avd;
1634 u16 sclass;
1635 u32 sid = cred_sid(cred);
1636 u32 av = CAP_TO_MASK(cap);
1637 int rc;
1638
1639 ad.type = LSM_AUDIT_DATA_CAP;
1640 ad.u.cap = cap;
1641
1642 switch (CAP_TO_INDEX(cap)) {
1643 case 0:
1644 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1645 break;
1646 case 1:
1647 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1648 break;
1649 default:
1650 pr_err("SELinux: out of range capability %d\n", cap);
1651 BUG();
1652 return -EINVAL;
1653 }
1654
1655 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1656 if (!(opts & CAP_OPT_NOAUDIT)) {
1657 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1658 if (rc2)
1659 return rc2;
1660 }
1661 return rc;
1662 }
1663
1664 /* Check whether a task has a particular permission to an inode.
1665 The 'adp' parameter is optional and allows other audit
1666 data to be passed (e.g. the dentry). */
1667 static int inode_has_perm(const struct cred *cred,
1668 struct inode *inode,
1669 u32 perms,
1670 struct common_audit_data *adp)
1671 {
1672 struct inode_security_struct *isec;
1673 u32 sid;
1674
1675 if (unlikely(IS_PRIVATE(inode)))
1676 return 0;
1677
1678 sid = cred_sid(cred);
1679 isec = selinux_inode(inode);
1680
1681 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1682 }
1683
1684 /* Same as inode_has_perm, but pass explicit audit data containing
1685 the dentry to help the auditing code to more easily generate the
1686 pathname if needed. */
1687 static inline int dentry_has_perm(const struct cred *cred,
1688 struct dentry *dentry,
1689 u32 av)
1690 {
1691 struct common_audit_data ad;
1692 struct inode *inode = d_backing_inode(dentry);
1693 struct inode_security_struct *isec = selinux_inode(inode);
1694
1695 ad.type = LSM_AUDIT_DATA_DENTRY;
1696 ad.u.dentry = dentry;
1697 /* check below is racy, but revalidate will recheck with lock held */
1698 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED)))
1699 __inode_security_revalidate(inode, dentry, true);
1700 return inode_has_perm(cred, inode, av, &ad);
1701 }
1702
1703 /* Same as inode_has_perm, but pass explicit audit data containing
1704 the path to help the auditing code to more easily generate the
1705 pathname if needed. */
1706 static inline int path_has_perm(const struct cred *cred,
1707 const struct path *path,
1708 u32 av)
1709 {
1710 struct common_audit_data ad;
1711 struct inode *inode = d_backing_inode(path->dentry);
1712 struct inode_security_struct *isec = selinux_inode(inode);
1713
1714 ad.type = LSM_AUDIT_DATA_PATH;
1715 ad.u.path = *path;
1716 /* check below is racy, but revalidate will recheck with lock held */
1717 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED)))
1718 __inode_security_revalidate(inode, path->dentry, true);
1719 return inode_has_perm(cred, inode, av, &ad);
1720 }
1721
1722 /* Same as path_has_perm, but uses the inode from the file struct. */
1723 static inline int file_path_has_perm(const struct cred *cred,
1724 struct file *file,
1725 u32 av)
1726 {
1727 struct common_audit_data ad;
1728
1729 ad.type = LSM_AUDIT_DATA_FILE;
1730 ad.u.file = file;
1731 return inode_has_perm(cred, file_inode(file), av, &ad);
1732 }
1733
1734 #ifdef CONFIG_BPF_SYSCALL
1735 static int bpf_fd_pass(const struct file *file, u32 sid);
1736 #endif
1737
1738 /* Check whether a task can use an open file descriptor to
1739 access an inode in a given way. Check access to the
1740 descriptor itself, and then use dentry_has_perm to
1741 check a particular permission to the file.
1742 Access to the descriptor is implicitly granted if it
1743 has the same SID as the process. If av is zero, then
1744 access to the file is not checked, e.g. for cases
1745 where only the descriptor is affected like seek. */
1746 static int file_has_perm(const struct cred *cred,
1747 struct file *file,
1748 u32 av)
1749 {
1750 struct file_security_struct *fsec = selinux_file(file);
1751 struct inode *inode = file_inode(file);
1752 struct common_audit_data ad;
1753 u32 sid = cred_sid(cred);
1754 int rc;
1755
1756 ad.type = LSM_AUDIT_DATA_FILE;
1757 ad.u.file = file;
1758
1759 if (sid != fsec->sid) {
1760 rc = avc_has_perm(sid, fsec->sid,
1761 SECCLASS_FD,
1762 FD__USE,
1763 &ad);
1764 if (rc)
1765 goto out;
1766 }
1767
1768 #ifdef CONFIG_BPF_SYSCALL
1769 rc = bpf_fd_pass(file, cred_sid(cred));
1770 if (rc)
1771 return rc;
1772 #endif
1773
1774 /* av is zero if only checking access to the descriptor. */
1775 rc = 0;
1776 if (av)
1777 rc = inode_has_perm(cred, inode, av, &ad);
1778
1779 out:
1780 return rc;
1781 }
1782
1783 /*
1784 * Determine the label for an inode that might be unioned.
1785 */
1786 static int
1787 selinux_determine_inode_label(const struct task_security_struct *tsec,
1788 struct inode *dir,
1789 const struct qstr *name, u16 tclass,
1790 u32 *_new_isid)
1791 {
1792 const struct superblock_security_struct *sbsec =
1793 selinux_superblock(dir->i_sb);
1794
1795 if ((sbsec->flags & SE_SBINITIALIZED) &&
1796 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1797 *_new_isid = sbsec->mntpoint_sid;
1798 } else if ((sbsec->flags & SBLABEL_MNT) &&
1799 tsec->create_sid) {
1800 *_new_isid = tsec->create_sid;
1801 } else {
1802 const struct inode_security_struct *dsec = inode_security(dir);
1803 return security_transition_sid(tsec->sid,
1804 dsec->sid, tclass,
1805 name, _new_isid);
1806 }
1807
1808 return 0;
1809 }
1810
1811 /* Check whether a task can create a file. */
1812 static int may_create(struct inode *dir,
1813 struct dentry *dentry,
1814 u16 tclass)
1815 {
1816 const struct task_security_struct *tsec = selinux_cred(current_cred());
1817 struct inode_security_struct *dsec;
1818 struct superblock_security_struct *sbsec;
1819 u32 sid, newsid;
1820 struct common_audit_data ad;
1821 int rc;
1822
1823 dsec = inode_security(dir);
1824 sbsec = selinux_superblock(dir->i_sb);
1825
1826 sid = tsec->sid;
1827
1828 ad.type = LSM_AUDIT_DATA_DENTRY;
1829 ad.u.dentry = dentry;
1830
1831 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1832 DIR__ADD_NAME | DIR__SEARCH,
1833 &ad);
1834 if (rc)
1835 return rc;
1836
1837 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1838 &newsid);
1839 if (rc)
1840 return rc;
1841
1842 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1843 if (rc)
1844 return rc;
1845
1846 return avc_has_perm(newsid, sbsec->sid,
1847 SECCLASS_FILESYSTEM,
1848 FILESYSTEM__ASSOCIATE, &ad);
1849 }
1850
1851 #define MAY_LINK 0
1852 #define MAY_UNLINK 1
1853 #define MAY_RMDIR 2
1854
1855 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1856 static int may_link(struct inode *dir,
1857 struct dentry *dentry,
1858 int kind)
1859
1860 {
1861 struct inode_security_struct *dsec, *isec;
1862 struct common_audit_data ad;
1863 u32 sid = current_sid();
1864 u32 av;
1865 int rc;
1866
1867 dsec = inode_security(dir);
1868 isec = backing_inode_security(dentry);
1869
1870 ad.type = LSM_AUDIT_DATA_DENTRY;
1871 ad.u.dentry = dentry;
1872
1873 av = DIR__SEARCH;
1874 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1875 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1876 if (rc)
1877 return rc;
1878
1879 switch (kind) {
1880 case MAY_LINK:
1881 av = FILE__LINK;
1882 break;
1883 case MAY_UNLINK:
1884 av = FILE__UNLINK;
1885 break;
1886 case MAY_RMDIR:
1887 av = DIR__RMDIR;
1888 break;
1889 default:
1890 pr_warn("SELinux: %s: unrecognized kind %d\n",
1891 __func__, kind);
1892 return 0;
1893 }
1894
1895 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1896 return rc;
1897 }
1898
1899 static inline int may_rename(struct inode *old_dir,
1900 struct dentry *old_dentry,
1901 struct inode *new_dir,
1902 struct dentry *new_dentry)
1903 {
1904 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1905 struct common_audit_data ad;
1906 u32 sid = current_sid();
1907 u32 av;
1908 int old_is_dir, new_is_dir;
1909 int rc;
1910
1911 old_dsec = inode_security(old_dir);
1912 old_isec = backing_inode_security(old_dentry);
1913 old_is_dir = d_is_dir(old_dentry);
1914 new_dsec = inode_security(new_dir);
1915
1916 ad.type = LSM_AUDIT_DATA_DENTRY;
1917
1918 ad.u.dentry = old_dentry;
1919 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1920 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1921 if (rc)
1922 return rc;
1923 rc = avc_has_perm(sid, old_isec->sid,
1924 old_isec->sclass, FILE__RENAME, &ad);
1925 if (rc)
1926 return rc;
1927 if (old_is_dir && new_dir != old_dir) {
1928 rc = avc_has_perm(sid, old_isec->sid,
1929 old_isec->sclass, DIR__REPARENT, &ad);
1930 if (rc)
1931 return rc;
1932 }
1933
1934 ad.u.dentry = new_dentry;
1935 av = DIR__ADD_NAME | DIR__SEARCH;
1936 if (d_is_positive(new_dentry))
1937 av |= DIR__REMOVE_NAME;
1938 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1939 if (rc)
1940 return rc;
1941 if (d_is_positive(new_dentry)) {
1942 new_isec = backing_inode_security(new_dentry);
1943 new_is_dir = d_is_dir(new_dentry);
1944 rc = avc_has_perm(sid, new_isec->sid,
1945 new_isec->sclass,
1946 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1947 if (rc)
1948 return rc;
1949 }
1950
1951 return 0;
1952 }
1953
1954 /* Check whether a task can perform a filesystem operation. */
1955 static int superblock_has_perm(const struct cred *cred,
1956 const struct super_block *sb,
1957 u32 perms,
1958 struct common_audit_data *ad)
1959 {
1960 struct superblock_security_struct *sbsec;
1961 u32 sid = cred_sid(cred);
1962
1963 sbsec = selinux_superblock(sb);
1964 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1965 }
1966
1967 /* Convert a Linux mode and permission mask to an access vector. */
1968 static inline u32 file_mask_to_av(int mode, int mask)
1969 {
1970 u32 av = 0;
1971
1972 if (!S_ISDIR(mode)) {
1973 if (mask & MAY_EXEC)
1974 av |= FILE__EXECUTE;
1975 if (mask & MAY_READ)
1976 av |= FILE__READ;
1977
1978 if (mask & MAY_APPEND)
1979 av |= FILE__APPEND;
1980 else if (mask & MAY_WRITE)
1981 av |= FILE__WRITE;
1982
1983 } else {
1984 if (mask & MAY_EXEC)
1985 av |= DIR__SEARCH;
1986 if (mask & MAY_WRITE)
1987 av |= DIR__WRITE;
1988 if (mask & MAY_READ)
1989 av |= DIR__READ;
1990 }
1991
1992 return av;
1993 }
1994
1995 /* Convert a Linux file to an access vector. */
1996 static inline u32 file_to_av(const struct file *file)
1997 {
1998 u32 av = 0;
1999
2000 if (file->f_mode & FMODE_READ)
2001 av |= FILE__READ;
2002 if (file->f_mode & FMODE_WRITE) {
2003 if (file->f_flags & O_APPEND)
2004 av |= FILE__APPEND;
2005 else
2006 av |= FILE__WRITE;
2007 }
2008 if (!av) {
2009 /*
2010 * Special file opened with flags 3 for ioctl-only use.
2011 */
2012 av = FILE__IOCTL;
2013 }
2014
2015 return av;
2016 }
2017
2018 /*
2019 * Convert a file to an access vector and include the correct
2020 * open permission.
2021 */
2022 static inline u32 open_file_to_av(struct file *file)
2023 {
2024 u32 av = file_to_av(file);
2025 struct inode *inode = file_inode(file);
2026
2027 if (selinux_policycap_openperm() &&
2028 inode->i_sb->s_magic != SOCKFS_MAGIC)
2029 av |= FILE__OPEN;
2030
2031 return av;
2032 }
2033
2034 /* Hook functions begin here. */
2035
2036 static int selinux_binder_set_context_mgr(const struct cred *mgr)
2037 {
2038 return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2039 BINDER__SET_CONTEXT_MGR, NULL);
2040 }
2041
2042 static int selinux_binder_transaction(const struct cred *from,
2043 const struct cred *to)
2044 {
2045 u32 mysid = current_sid();
2046 u32 fromsid = cred_sid(from);
2047 u32 tosid = cred_sid(to);
2048 int rc;
2049
2050 if (mysid != fromsid) {
2051 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2052 BINDER__IMPERSONATE, NULL);
2053 if (rc)
2054 return rc;
2055 }
2056
2057 return avc_has_perm(fromsid, tosid,
2058 SECCLASS_BINDER, BINDER__CALL, NULL);
2059 }
2060
2061 static int selinux_binder_transfer_binder(const struct cred *from,
2062 const struct cred *to)
2063 {
2064 return avc_has_perm(cred_sid(from), cred_sid(to),
2065 SECCLASS_BINDER, BINDER__TRANSFER,
2066 NULL);
2067 }
2068
2069 static int selinux_binder_transfer_file(const struct cred *from,
2070 const struct cred *to,
2071 const struct file *file)
2072 {
2073 u32 sid = cred_sid(to);
2074 struct file_security_struct *fsec = selinux_file(file);
2075 struct dentry *dentry = file->f_path.dentry;
2076 struct inode_security_struct *isec;
2077 struct common_audit_data ad;
2078 int rc;
2079
2080 ad.type = LSM_AUDIT_DATA_PATH;
2081 ad.u.path = file->f_path;
2082
2083 if (sid != fsec->sid) {
2084 rc = avc_has_perm(sid, fsec->sid,
2085 SECCLASS_FD,
2086 FD__USE,
2087 &ad);
2088 if (rc)
2089 return rc;
2090 }
2091
2092 #ifdef CONFIG_BPF_SYSCALL
2093 rc = bpf_fd_pass(file, sid);
2094 if (rc)
2095 return rc;
2096 #endif
2097
2098 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2099 return 0;
2100
2101 isec = backing_inode_security(dentry);
2102 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2103 &ad);
2104 }
2105
2106 static int selinux_ptrace_access_check(struct task_struct *child,
2107 unsigned int mode)
2108 {
2109 u32 sid = current_sid();
2110 u32 csid = task_sid_obj(child);
2111
2112 if (mode & PTRACE_MODE_READ)
2113 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ,
2114 NULL);
2115
2116 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE,
2117 NULL);
2118 }
2119
2120 static int selinux_ptrace_traceme(struct task_struct *parent)
2121 {
2122 return avc_has_perm(task_sid_obj(parent), task_sid_obj(current),
2123 SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2124 }
2125
2126 static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective,
2127 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2128 {
2129 return avc_has_perm(current_sid(), task_sid_obj(target),
2130 SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
2131 }
2132
2133 static int selinux_capset(struct cred *new, const struct cred *old,
2134 const kernel_cap_t *effective,
2135 const kernel_cap_t *inheritable,
2136 const kernel_cap_t *permitted)
2137 {
2138 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2139 PROCESS__SETCAP, NULL);
2140 }
2141
2142 /*
2143 * (This comment used to live with the selinux_task_setuid hook,
2144 * which was removed).
2145 *
2146 * Since setuid only affects the current process, and since the SELinux
2147 * controls are not based on the Linux identity attributes, SELinux does not
2148 * need to control this operation. However, SELinux does control the use of
2149 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2150 */
2151
2152 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2153 int cap, unsigned int opts)
2154 {
2155 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2156 }
2157
2158 static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb)
2159 {
2160 const struct cred *cred = current_cred();
2161 int rc = 0;
2162
2163 if (!sb)
2164 return 0;
2165
2166 switch (cmds) {
2167 case Q_SYNC:
2168 case Q_QUOTAON:
2169 case Q_QUOTAOFF:
2170 case Q_SETINFO:
2171 case Q_SETQUOTA:
2172 case Q_XQUOTAOFF:
2173 case Q_XQUOTAON:
2174 case Q_XSETQLIM:
2175 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2176 break;
2177 case Q_GETFMT:
2178 case Q_GETINFO:
2179 case Q_GETQUOTA:
2180 case Q_XGETQUOTA:
2181 case Q_XGETQSTAT:
2182 case Q_XGETQSTATV:
2183 case Q_XGETNEXTQUOTA:
2184 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2185 break;
2186 default:
2187 rc = 0; /* let the kernel handle invalid cmds */
2188 break;
2189 }
2190 return rc;
2191 }
2192
2193 static int selinux_quota_on(struct dentry *dentry)
2194 {
2195 const struct cred *cred = current_cred();
2196
2197 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2198 }
2199
2200 static int selinux_syslog(int type)
2201 {
2202 switch (type) {
2203 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2204 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2205 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2206 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2207 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2208 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2209 /* Set level of messages printed to console */
2210 case SYSLOG_ACTION_CONSOLE_LEVEL:
2211 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2212 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2213 NULL);
2214 }
2215 /* All other syslog types */
2216 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2217 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2218 }
2219
2220 /*
2221 * Check permission for allocating a new virtual mapping. Returns
2222 * 0 if permission is granted, negative error code if not.
2223 *
2224 * Do not audit the selinux permission check, as this is applied to all
2225 * processes that allocate mappings.
2226 */
2227 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2228 {
2229 return cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2230 CAP_OPT_NOAUDIT, true);
2231 }
2232
2233 /* binprm security operations */
2234
2235 static u32 ptrace_parent_sid(void)
2236 {
2237 u32 sid = 0;
2238 struct task_struct *tracer;
2239
2240 rcu_read_lock();
2241 tracer = ptrace_parent(current);
2242 if (tracer)
2243 sid = task_sid_obj(tracer);
2244 rcu_read_unlock();
2245
2246 return sid;
2247 }
2248
2249 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2250 const struct task_security_struct *old_tsec,
2251 const struct task_security_struct *new_tsec)
2252 {
2253 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2254 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2255 int rc;
2256 u32 av;
2257
2258 if (!nnp && !nosuid)
2259 return 0; /* neither NNP nor nosuid */
2260
2261 if (new_tsec->sid == old_tsec->sid)
2262 return 0; /* No change in credentials */
2263
2264 /*
2265 * If the policy enables the nnp_nosuid_transition policy capability,
2266 * then we permit transitions under NNP or nosuid if the
2267 * policy allows the corresponding permission between
2268 * the old and new contexts.
2269 */
2270 if (selinux_policycap_nnp_nosuid_transition()) {
2271 av = 0;
2272 if (nnp)
2273 av |= PROCESS2__NNP_TRANSITION;
2274 if (nosuid)
2275 av |= PROCESS2__NOSUID_TRANSITION;
2276 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2277 SECCLASS_PROCESS2, av, NULL);
2278 if (!rc)
2279 return 0;
2280 }
2281
2282 /*
2283 * We also permit NNP or nosuid transitions to bounded SIDs,
2284 * i.e. SIDs that are guaranteed to only be allowed a subset
2285 * of the permissions of the current SID.
2286 */
2287 rc = security_bounded_transition(old_tsec->sid,
2288 new_tsec->sid);
2289 if (!rc)
2290 return 0;
2291
2292 /*
2293 * On failure, preserve the errno values for NNP vs nosuid.
2294 * NNP: Operation not permitted for caller.
2295 * nosuid: Permission denied to file.
2296 */
2297 if (nnp)
2298 return -EPERM;
2299 return -EACCES;
2300 }
2301
2302 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2303 {
2304 const struct task_security_struct *old_tsec;
2305 struct task_security_struct *new_tsec;
2306 struct inode_security_struct *isec;
2307 struct common_audit_data ad;
2308 struct inode *inode = file_inode(bprm->file);
2309 int rc;
2310
2311 /* SELinux context only depends on initial program or script and not
2312 * the script interpreter */
2313
2314 old_tsec = selinux_cred(current_cred());
2315 new_tsec = selinux_cred(bprm->cred);
2316 isec = inode_security(inode);
2317
2318 /* Default to the current task SID. */
2319 new_tsec->sid = old_tsec->sid;
2320 new_tsec->osid = old_tsec->sid;
2321
2322 /* Reset fs, key, and sock SIDs on execve. */
2323 new_tsec->create_sid = 0;
2324 new_tsec->keycreate_sid = 0;
2325 new_tsec->sockcreate_sid = 0;
2326
2327 /*
2328 * Before policy is loaded, label any task outside kernel space
2329 * as SECINITSID_INIT, so that any userspace tasks surviving from
2330 * early boot end up with a label different from SECINITSID_KERNEL
2331 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL).
2332 */
2333 if (!selinux_initialized()) {
2334 new_tsec->sid = SECINITSID_INIT;
2335 /* also clear the exec_sid just in case */
2336 new_tsec->exec_sid = 0;
2337 return 0;
2338 }
2339
2340 if (old_tsec->exec_sid) {
2341 new_tsec->sid = old_tsec->exec_sid;
2342 /* Reset exec SID on execve. */
2343 new_tsec->exec_sid = 0;
2344
2345 /* Fail on NNP or nosuid if not an allowed transition. */
2346 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2347 if (rc)
2348 return rc;
2349 } else {
2350 /* Check for a default transition on this program. */
2351 rc = security_transition_sid(old_tsec->sid,
2352 isec->sid, SECCLASS_PROCESS, NULL,
2353 &new_tsec->sid);
2354 if (rc)
2355 return rc;
2356
2357 /*
2358 * Fallback to old SID on NNP or nosuid if not an allowed
2359 * transition.
2360 */
2361 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2362 if (rc)
2363 new_tsec->sid = old_tsec->sid;
2364 }
2365
2366 ad.type = LSM_AUDIT_DATA_FILE;
2367 ad.u.file = bprm->file;
2368
2369 if (new_tsec->sid == old_tsec->sid) {
2370 rc = avc_has_perm(old_tsec->sid, isec->sid,
2371 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2372 if (rc)
2373 return rc;
2374 } else {
2375 /* Check permissions for the transition. */
2376 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2377 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2378 if (rc)
2379 return rc;
2380
2381 rc = avc_has_perm(new_tsec->sid, isec->sid,
2382 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2383 if (rc)
2384 return rc;
2385
2386 /* Check for shared state */
2387 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2388 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2389 SECCLASS_PROCESS, PROCESS__SHARE,
2390 NULL);
2391 if (rc)
2392 return -EPERM;
2393 }
2394
2395 /* Make sure that anyone attempting to ptrace over a task that
2396 * changes its SID has the appropriate permit */
2397 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2398 u32 ptsid = ptrace_parent_sid();
2399 if (ptsid != 0) {
2400 rc = avc_has_perm(ptsid, new_tsec->sid,
2401 SECCLASS_PROCESS,
2402 PROCESS__PTRACE, NULL);
2403 if (rc)
2404 return -EPERM;
2405 }
2406 }
2407
2408 /* Clear any possibly unsafe personality bits on exec: */
2409 bprm->per_clear |= PER_CLEAR_ON_SETID;
2410
2411 /* Enable secure mode for SIDs transitions unless
2412 the noatsecure permission is granted between
2413 the two SIDs, i.e. ahp returns 0. */
2414 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2415 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2416 NULL);
2417 bprm->secureexec |= !!rc;
2418 }
2419
2420 return 0;
2421 }
2422
2423 static int match_file(const void *p, struct file *file, unsigned fd)
2424 {
2425 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2426 }
2427
2428 /* Derived from fs/exec.c:flush_old_files. */
2429 static inline void flush_unauthorized_files(const struct cred *cred,
2430 struct files_struct *files)
2431 {
2432 struct file *file, *devnull = NULL;
2433 struct tty_struct *tty;
2434 int drop_tty = 0;
2435 unsigned n;
2436
2437 tty = get_current_tty();
2438 if (tty) {
2439 spin_lock(&tty->files_lock);
2440 if (!list_empty(&tty->tty_files)) {
2441 struct tty_file_private *file_priv;
2442
2443 /* Revalidate access to controlling tty.
2444 Use file_path_has_perm on the tty path directly
2445 rather than using file_has_perm, as this particular
2446 open file may belong to another process and we are
2447 only interested in the inode-based check here. */
2448 file_priv = list_first_entry(&tty->tty_files,
2449 struct tty_file_private, list);
2450 file = file_priv->file;
2451 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2452 drop_tty = 1;
2453 }
2454 spin_unlock(&tty->files_lock);
2455 tty_kref_put(tty);
2456 }
2457 /* Reset controlling tty. */
2458 if (drop_tty)
2459 no_tty();
2460
2461 /* Revalidate access to inherited open files. */
2462 n = iterate_fd(files, 0, match_file, cred);
2463 if (!n) /* none found? */
2464 return;
2465
2466 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2467 if (IS_ERR(devnull))
2468 devnull = NULL;
2469 /* replace all the matching ones with this */
2470 do {
2471 replace_fd(n - 1, devnull, 0);
2472 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2473 if (devnull)
2474 fput(devnull);
2475 }
2476
2477 /*
2478 * Prepare a process for imminent new credential changes due to exec
2479 */
2480 static void selinux_bprm_committing_creds(const struct linux_binprm *bprm)
2481 {
2482 struct task_security_struct *new_tsec;
2483 struct rlimit *rlim, *initrlim;
2484 int rc, i;
2485
2486 new_tsec = selinux_cred(bprm->cred);
2487 if (new_tsec->sid == new_tsec->osid)
2488 return;
2489
2490 /* Close files for which the new task SID is not authorized. */
2491 flush_unauthorized_files(bprm->cred, current->files);
2492
2493 /* Always clear parent death signal on SID transitions. */
2494 current->pdeath_signal = 0;
2495
2496 /* Check whether the new SID can inherit resource limits from the old
2497 * SID. If not, reset all soft limits to the lower of the current
2498 * task's hard limit and the init task's soft limit.
2499 *
2500 * Note that the setting of hard limits (even to lower them) can be
2501 * controlled by the setrlimit check. The inclusion of the init task's
2502 * soft limit into the computation is to avoid resetting soft limits
2503 * higher than the default soft limit for cases where the default is
2504 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2505 */
2506 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2507 PROCESS__RLIMITINH, NULL);
2508 if (rc) {
2509 /* protect against do_prlimit() */
2510 task_lock(current);
2511 for (i = 0; i < RLIM_NLIMITS; i++) {
2512 rlim = current->signal->rlim + i;
2513 initrlim = init_task.signal->rlim + i;
2514 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2515 }
2516 task_unlock(current);
2517 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2518 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2519 }
2520 }
2521
2522 /*
2523 * Clean up the process immediately after the installation of new credentials
2524 * due to exec
2525 */
2526 static void selinux_bprm_committed_creds(const struct linux_binprm *bprm)
2527 {
2528 const struct task_security_struct *tsec = selinux_cred(current_cred());
2529 u32 osid, sid;
2530 int rc;
2531
2532 osid = tsec->osid;
2533 sid = tsec->sid;
2534
2535 if (sid == osid)
2536 return;
2537
2538 /* Check whether the new SID can inherit signal state from the old SID.
2539 * If not, clear itimers to avoid subsequent signal generation and
2540 * flush and unblock signals.
2541 *
2542 * This must occur _after_ the task SID has been updated so that any
2543 * kill done after the flush will be checked against the new SID.
2544 */
2545 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2546 if (rc) {
2547 clear_itimer();
2548
2549 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
2550 if (!fatal_signal_pending(current)) {
2551 flush_sigqueue(&current->pending);
2552 flush_sigqueue(&current->signal->shared_pending);
2553 flush_signal_handlers(current, 1);
2554 sigemptyset(&current->blocked);
2555 recalc_sigpending();
2556 }
2557 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
2558 }
2559
2560 /* Wake up the parent if it is waiting so that it can recheck
2561 * wait permission to the new task SID. */
2562 read_lock(&tasklist_lock);
2563 __wake_up_parent(current, unrcu_pointer(current->real_parent));
2564 read_unlock(&tasklist_lock);
2565 }
2566
2567 /* superblock security operations */
2568
2569 static int selinux_sb_alloc_security(struct super_block *sb)
2570 {
2571 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2572
2573 mutex_init(&sbsec->lock);
2574 INIT_LIST_HEAD(&sbsec->isec_head);
2575 spin_lock_init(&sbsec->isec_lock);
2576 sbsec->sid = SECINITSID_UNLABELED;
2577 sbsec->def_sid = SECINITSID_FILE;
2578 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2579
2580 return 0;
2581 }
2582
2583 static inline int opt_len(const char *s)
2584 {
2585 bool open_quote = false;
2586 int len;
2587 char c;
2588
2589 for (len = 0; (c = s[len]) != '\0'; len++) {
2590 if (c == '"')
2591 open_quote = !open_quote;
2592 if (c == ',' && !open_quote)
2593 break;
2594 }
2595 return len;
2596 }
2597
2598 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2599 {
2600 char *from = options;
2601 char *to = options;
2602 bool first = true;
2603 int rc;
2604
2605 while (1) {
2606 int len = opt_len(from);
2607 int token;
2608 char *arg = NULL;
2609
2610 token = match_opt_prefix(from, len, &arg);
2611
2612 if (token != Opt_error) {
2613 char *p, *q;
2614
2615 /* strip quotes */
2616 if (arg) {
2617 for (p = q = arg; p < from + len; p++) {
2618 char c = *p;
2619 if (c != '"')
2620 *q++ = c;
2621 }
2622 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2623 if (!arg) {
2624 rc = -ENOMEM;
2625 goto free_opt;
2626 }
2627 }
2628 rc = selinux_add_opt(token, arg, mnt_opts);
2629 kfree(arg);
2630 arg = NULL;
2631 if (unlikely(rc)) {
2632 goto free_opt;
2633 }
2634 } else {
2635 if (!first) { // copy with preceding comma
2636 from--;
2637 len++;
2638 }
2639 if (to != from)
2640 memmove(to, from, len);
2641 to += len;
2642 first = false;
2643 }
2644 if (!from[len])
2645 break;
2646 from += len + 1;
2647 }
2648 *to = '\0';
2649 return 0;
2650
2651 free_opt:
2652 if (*mnt_opts) {
2653 selinux_free_mnt_opts(*mnt_opts);
2654 *mnt_opts = NULL;
2655 }
2656 return rc;
2657 }
2658
2659 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2660 {
2661 struct selinux_mnt_opts *opts = mnt_opts;
2662 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2663
2664 /*
2665 * Superblock not initialized (i.e. no options) - reject if any
2666 * options specified, otherwise accept.
2667 */
2668 if (!(sbsec->flags & SE_SBINITIALIZED))
2669 return opts ? 1 : 0;
2670
2671 /*
2672 * Superblock initialized and no options specified - reject if
2673 * superblock has any options set, otherwise accept.
2674 */
2675 if (!opts)
2676 return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2677
2678 if (opts->fscontext_sid) {
2679 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2680 opts->fscontext_sid))
2681 return 1;
2682 }
2683 if (opts->context_sid) {
2684 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2685 opts->context_sid))
2686 return 1;
2687 }
2688 if (opts->rootcontext_sid) {
2689 struct inode_security_struct *root_isec;
2690
2691 root_isec = backing_inode_security(sb->s_root);
2692 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2693 opts->rootcontext_sid))
2694 return 1;
2695 }
2696 if (opts->defcontext_sid) {
2697 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2698 opts->defcontext_sid))
2699 return 1;
2700 }
2701 return 0;
2702 }
2703
2704 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2705 {
2706 struct selinux_mnt_opts *opts = mnt_opts;
2707 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2708
2709 if (!(sbsec->flags & SE_SBINITIALIZED))
2710 return 0;
2711
2712 if (!opts)
2713 return 0;
2714
2715 if (opts->fscontext_sid) {
2716 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2717 opts->fscontext_sid))
2718 goto out_bad_option;
2719 }
2720 if (opts->context_sid) {
2721 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2722 opts->context_sid))
2723 goto out_bad_option;
2724 }
2725 if (opts->rootcontext_sid) {
2726 struct inode_security_struct *root_isec;
2727 root_isec = backing_inode_security(sb->s_root);
2728 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2729 opts->rootcontext_sid))
2730 goto out_bad_option;
2731 }
2732 if (opts->defcontext_sid) {
2733 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2734 opts->defcontext_sid))
2735 goto out_bad_option;
2736 }
2737 return 0;
2738
2739 out_bad_option:
2740 pr_warn("SELinux: unable to change security options "
2741 "during remount (dev %s, type=%s)\n", sb->s_id,
2742 sb->s_type->name);
2743 return -EINVAL;
2744 }
2745
2746 static int selinux_sb_kern_mount(const struct super_block *sb)
2747 {
2748 const struct cred *cred = current_cred();
2749 struct common_audit_data ad;
2750
2751 ad.type = LSM_AUDIT_DATA_DENTRY;
2752 ad.u.dentry = sb->s_root;
2753 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2754 }
2755
2756 static int selinux_sb_statfs(struct dentry *dentry)
2757 {
2758 const struct cred *cred = current_cred();
2759 struct common_audit_data ad;
2760
2761 ad.type = LSM_AUDIT_DATA_DENTRY;
2762 ad.u.dentry = dentry->d_sb->s_root;
2763 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2764 }
2765
2766 static int selinux_mount(const char *dev_name,
2767 const struct path *path,
2768 const char *type,
2769 unsigned long flags,
2770 void *data)
2771 {
2772 const struct cred *cred = current_cred();
2773
2774 if (flags & MS_REMOUNT)
2775 return superblock_has_perm(cred, path->dentry->d_sb,
2776 FILESYSTEM__REMOUNT, NULL);
2777 else
2778 return path_has_perm(cred, path, FILE__MOUNTON);
2779 }
2780
2781 static int selinux_move_mount(const struct path *from_path,
2782 const struct path *to_path)
2783 {
2784 const struct cred *cred = current_cred();
2785
2786 return path_has_perm(cred, to_path, FILE__MOUNTON);
2787 }
2788
2789 static int selinux_umount(struct vfsmount *mnt, int flags)
2790 {
2791 const struct cred *cred = current_cred();
2792
2793 return superblock_has_perm(cred, mnt->mnt_sb,
2794 FILESYSTEM__UNMOUNT, NULL);
2795 }
2796
2797 static int selinux_fs_context_submount(struct fs_context *fc,
2798 struct super_block *reference)
2799 {
2800 const struct superblock_security_struct *sbsec = selinux_superblock(reference);
2801 struct selinux_mnt_opts *opts;
2802
2803 /*
2804 * Ensure that fc->security remains NULL when no options are set
2805 * as expected by selinux_set_mnt_opts().
2806 */
2807 if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT)))
2808 return 0;
2809
2810 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
2811 if (!opts)
2812 return -ENOMEM;
2813
2814 if (sbsec->flags & FSCONTEXT_MNT)
2815 opts->fscontext_sid = sbsec->sid;
2816 if (sbsec->flags & CONTEXT_MNT)
2817 opts->context_sid = sbsec->mntpoint_sid;
2818 if (sbsec->flags & DEFCONTEXT_MNT)
2819 opts->defcontext_sid = sbsec->def_sid;
2820 fc->security = opts;
2821 return 0;
2822 }
2823
2824 static int selinux_fs_context_dup(struct fs_context *fc,
2825 struct fs_context *src_fc)
2826 {
2827 const struct selinux_mnt_opts *src = src_fc->security;
2828
2829 if (!src)
2830 return 0;
2831
2832 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2833 return fc->security ? 0 : -ENOMEM;
2834 }
2835
2836 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2837 fsparam_string(CONTEXT_STR, Opt_context),
2838 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2839 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2840 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2841 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2842 {}
2843 };
2844
2845 static int selinux_fs_context_parse_param(struct fs_context *fc,
2846 struct fs_parameter *param)
2847 {
2848 struct fs_parse_result result;
2849 int opt;
2850
2851 opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2852 if (opt < 0)
2853 return opt;
2854
2855 return selinux_add_opt(opt, param->string, &fc->security);
2856 }
2857
2858 /* inode security operations */
2859
2860 static int selinux_inode_alloc_security(struct inode *inode)
2861 {
2862 struct inode_security_struct *isec = selinux_inode(inode);
2863 u32 sid = current_sid();
2864
2865 spin_lock_init(&isec->lock);
2866 INIT_LIST_HEAD(&isec->list);
2867 isec->inode = inode;
2868 isec->sid = SECINITSID_UNLABELED;
2869 isec->sclass = SECCLASS_FILE;
2870 isec->task_sid = sid;
2871 isec->initialized = LABEL_INVALID;
2872
2873 return 0;
2874 }
2875
2876 static void selinux_inode_free_security(struct inode *inode)
2877 {
2878 inode_free_security(inode);
2879 }
2880
2881 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2882 const struct qstr *name,
2883 const char **xattr_name,
2884 struct lsm_context *cp)
2885 {
2886 u32 newsid;
2887 int rc;
2888
2889 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2890 d_inode(dentry->d_parent), name,
2891 inode_mode_to_security_class(mode),
2892 &newsid);
2893 if (rc)
2894 return rc;
2895
2896 if (xattr_name)
2897 *xattr_name = XATTR_NAME_SELINUX;
2898
2899 cp->id = LSM_ID_SELINUX;
2900 return security_sid_to_context(newsid, &cp->context, &cp->len);
2901 }
2902
2903 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2904 struct qstr *name,
2905 const struct cred *old,
2906 struct cred *new)
2907 {
2908 u32 newsid;
2909 int rc;
2910 struct task_security_struct *tsec;
2911
2912 rc = selinux_determine_inode_label(selinux_cred(old),
2913 d_inode(dentry->d_parent), name,
2914 inode_mode_to_security_class(mode),
2915 &newsid);
2916 if (rc)
2917 return rc;
2918
2919 tsec = selinux_cred(new);
2920 tsec->create_sid = newsid;
2921 return 0;
2922 }
2923
2924 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2925 const struct qstr *qstr,
2926 struct xattr *xattrs, int *xattr_count)
2927 {
2928 const struct task_security_struct *tsec = selinux_cred(current_cred());
2929 struct superblock_security_struct *sbsec;
2930 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
2931 u32 newsid, clen;
2932 u16 newsclass;
2933 int rc;
2934 char *context;
2935
2936 sbsec = selinux_superblock(dir->i_sb);
2937
2938 newsid = tsec->create_sid;
2939 newsclass = inode_mode_to_security_class(inode->i_mode);
2940 rc = selinux_determine_inode_label(tsec, dir, qstr, newsclass, &newsid);
2941 if (rc)
2942 return rc;
2943
2944 /* Possibly defer initialization to selinux_complete_init. */
2945 if (sbsec->flags & SE_SBINITIALIZED) {
2946 struct inode_security_struct *isec = selinux_inode(inode);
2947 isec->sclass = newsclass;
2948 isec->sid = newsid;
2949 isec->initialized = LABEL_INITIALIZED;
2950 }
2951
2952 if (!selinux_initialized() ||
2953 !(sbsec->flags & SBLABEL_MNT))
2954 return -EOPNOTSUPP;
2955
2956 if (xattr) {
2957 rc = security_sid_to_context_force(newsid,
2958 &context, &clen);
2959 if (rc)
2960 return rc;
2961 xattr->value = context;
2962 xattr->value_len = clen;
2963 xattr->name = XATTR_SELINUX_SUFFIX;
2964 }
2965
2966 return 0;
2967 }
2968
2969 static int selinux_inode_init_security_anon(struct inode *inode,
2970 const struct qstr *name,
2971 const struct inode *context_inode)
2972 {
2973 u32 sid = current_sid();
2974 struct common_audit_data ad;
2975 struct inode_security_struct *isec;
2976 int rc;
2977
2978 if (unlikely(!selinux_initialized()))
2979 return 0;
2980
2981 isec = selinux_inode(inode);
2982
2983 /*
2984 * We only get here once per ephemeral inode. The inode has
2985 * been initialized via inode_alloc_security but is otherwise
2986 * untouched.
2987 */
2988
2989 if (context_inode) {
2990 struct inode_security_struct *context_isec =
2991 selinux_inode(context_inode);
2992 if (context_isec->initialized != LABEL_INITIALIZED) {
2993 pr_err("SELinux: context_inode is not initialized\n");
2994 return -EACCES;
2995 }
2996
2997 isec->sclass = context_isec->sclass;
2998 isec->sid = context_isec->sid;
2999 } else {
3000 isec->sclass = SECCLASS_ANON_INODE;
3001 rc = security_transition_sid(
3002 sid, sid,
3003 isec->sclass, name, &isec->sid);
3004 if (rc)
3005 return rc;
3006 }
3007
3008 isec->initialized = LABEL_INITIALIZED;
3009 /*
3010 * Now that we've initialized security, check whether we're
3011 * allowed to actually create this type of anonymous inode.
3012 */
3013
3014 ad.type = LSM_AUDIT_DATA_ANONINODE;
3015 ad.u.anonclass = name ? (const char *)name->name : "?";
3016
3017 return avc_has_perm(sid,
3018 isec->sid,
3019 isec->sclass,
3020 FILE__CREATE,
3021 &ad);
3022 }
3023
3024 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3025 {
3026 return may_create(dir, dentry, SECCLASS_FILE);
3027 }
3028
3029 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3030 {
3031 return may_link(dir, old_dentry, MAY_LINK);
3032 }
3033
3034 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3035 {
3036 return may_link(dir, dentry, MAY_UNLINK);
3037 }
3038
3039 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3040 {
3041 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3042 }
3043
3044 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3045 {
3046 return may_create(dir, dentry, SECCLASS_DIR);
3047 }
3048
3049 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3050 {
3051 return may_link(dir, dentry, MAY_RMDIR);
3052 }
3053
3054 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3055 {
3056 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3057 }
3058
3059 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3060 struct inode *new_inode, struct dentry *new_dentry)
3061 {
3062 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3063 }
3064
3065 static int selinux_inode_readlink(struct dentry *dentry)
3066 {
3067 const struct cred *cred = current_cred();
3068
3069 return dentry_has_perm(cred, dentry, FILE__READ);
3070 }
3071
3072 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3073 bool rcu)
3074 {
3075 struct common_audit_data ad;
3076 struct inode_security_struct *isec;
3077 u32 sid = current_sid();
3078
3079 ad.type = LSM_AUDIT_DATA_DENTRY;
3080 ad.u.dentry = dentry;
3081 isec = inode_security_rcu(inode, rcu);
3082 if (IS_ERR(isec))
3083 return PTR_ERR(isec);
3084
3085 return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad);
3086 }
3087
3088 static noinline int audit_inode_permission(struct inode *inode,
3089 u32 perms, u32 audited, u32 denied,
3090 int result)
3091 {
3092 struct common_audit_data ad;
3093 struct inode_security_struct *isec = selinux_inode(inode);
3094
3095 ad.type = LSM_AUDIT_DATA_INODE;
3096 ad.u.inode = inode;
3097
3098 return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3099 audited, denied, result, &ad);
3100 }
3101
3102 /**
3103 * task_avdcache_reset - Reset the task's AVD cache
3104 * @tsec: the task's security state
3105 *
3106 * Clear the task's AVD cache in @tsec and reset it to the current policy's
3107 * and task's info.
3108 */
3109 static inline void task_avdcache_reset(struct task_security_struct *tsec)
3110 {
3111 memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir));
3112 tsec->avdcache.sid = tsec->sid;
3113 tsec->avdcache.seqno = avc_policy_seqno();
3114 tsec->avdcache.dir_spot = TSEC_AVDC_DIR_SIZE - 1;
3115 }
3116
3117 /**
3118 * task_avdcache_search - Search the task's AVD cache
3119 * @tsec: the task's security state
3120 * @isec: the inode to search for in the cache
3121 * @avdc: matching avd cache entry returned to the caller
3122 *
3123 * Search @tsec for a AVD cache entry that matches @isec and return it to the
3124 * caller via @avdc. Returns 0 if a match is found, negative values otherwise.
3125 */
3126 static inline int task_avdcache_search(struct task_security_struct *tsec,
3127 struct inode_security_struct *isec,
3128 struct avdc_entry **avdc)
3129 {
3130 int orig, iter;
3131
3132 /* focused on path walk optimization, only cache directories */
3133 if (isec->sclass != SECCLASS_DIR)
3134 return -ENOENT;
3135
3136 if (unlikely(tsec->sid != tsec->avdcache.sid ||
3137 tsec->avdcache.seqno != avc_policy_seqno())) {
3138 task_avdcache_reset(tsec);
3139 return -ENOENT;
3140 }
3141
3142 orig = iter = tsec->avdcache.dir_spot;
3143 do {
3144 if (tsec->avdcache.dir[iter].isid == isec->sid) {
3145 /* cache hit */
3146 tsec->avdcache.dir_spot = iter;
3147 *avdc = &tsec->avdcache.dir[iter];
3148 return 0;
3149 }
3150 iter = (iter - 1) & (TSEC_AVDC_DIR_SIZE - 1);
3151 } while (iter != orig);
3152
3153 return -ENOENT;
3154 }
3155
3156 /**
3157 * task_avdcache_update - Update the task's AVD cache
3158 * @tsec: the task's security state
3159 * @isec: the inode associated with the cache entry
3160 * @avd: the AVD to cache
3161 * @audited: the permission audit bitmask to cache
3162 *
3163 * Update the AVD cache in @tsec with the @avdc and @audited info associated
3164 * with @isec.
3165 */
3166 static inline void task_avdcache_update(struct task_security_struct *tsec,
3167 struct inode_security_struct *isec,
3168 struct av_decision *avd,
3169 u32 audited)
3170 {
3171 int spot;
3172
3173 /* focused on path walk optimization, only cache directories */
3174 if (isec->sclass != SECCLASS_DIR)
3175 return;
3176
3177 /* update cache */
3178 spot = (tsec->avdcache.dir_spot + 1) & (TSEC_AVDC_DIR_SIZE - 1);
3179 tsec->avdcache.dir_spot = spot;
3180 tsec->avdcache.dir[spot].isid = isec->sid;
3181 tsec->avdcache.dir[spot].audited = audited;
3182 tsec->avdcache.dir[spot].allowed = avd->allowed;
3183 tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE;
3184 }
3185
3186 /**
3187 * selinux_inode_permission - Check if the current task can access an inode
3188 * @inode: the inode that is being accessed
3189 * @requested: the accesses being requested
3190 *
3191 * Check if the current task is allowed to access @inode according to
3192 * @requested. Returns 0 if allowed, negative values otherwise.
3193 */
3194 static int selinux_inode_permission(struct inode *inode, int requested)
3195 {
3196 int mask;
3197 u32 perms;
3198 struct task_security_struct *tsec;
3199 struct inode_security_struct *isec;
3200 struct avdc_entry *avdc;
3201 int rc, rc2;
3202 u32 audited, denied;
3203
3204 mask = requested & (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3205
3206 /* No permission to check. Existence test. */
3207 if (!mask)
3208 return 0;
3209
3210 isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK);
3211 if (IS_ERR(isec))
3212 return PTR_ERR(isec);
3213 tsec = selinux_cred(current_cred());
3214 perms = file_mask_to_av(inode->i_mode, mask);
3215
3216 rc = task_avdcache_search(tsec, isec, &avdc);
3217 if (likely(!rc)) {
3218 /* Cache hit. */
3219 audited = perms & avdc->audited;
3220 denied = perms & ~avdc->allowed;
3221 if (unlikely(denied && enforcing_enabled() &&
3222 !avdc->permissive))
3223 rc = -EACCES;
3224 } else {
3225 struct av_decision avd;
3226
3227 /* Cache miss. */
3228 rc = avc_has_perm_noaudit(tsec->sid, isec->sid, isec->sclass,
3229 perms, 0, &avd);
3230 audited = avc_audit_required(perms, &avd, rc,
3231 (requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0,
3232 &denied);
3233 task_avdcache_update(tsec, isec, &avd, audited);
3234 }
3235
3236 if (likely(!audited))
3237 return rc;
3238
3239 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3240 if (rc2)
3241 return rc2;
3242
3243 return rc;
3244 }
3245
3246 static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
3247 struct iattr *iattr)
3248 {
3249 const struct cred *cred = current_cred();
3250 struct inode *inode = d_backing_inode(dentry);
3251 unsigned int ia_valid = iattr->ia_valid;
3252 u32 av = FILE__WRITE;
3253
3254 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3255 if (ia_valid & ATTR_FORCE) {
3256 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3257 ATTR_FORCE);
3258 if (!ia_valid)
3259 return 0;
3260 }
3261
3262 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3263 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3264 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3265
3266 if (selinux_policycap_openperm() &&
3267 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3268 (ia_valid & ATTR_SIZE) &&
3269 !(ia_valid & ATTR_FILE))
3270 av |= FILE__OPEN;
3271
3272 return dentry_has_perm(cred, dentry, av);
3273 }
3274
3275 static int selinux_inode_getattr(const struct path *path)
3276 {
3277 return path_has_perm(current_cred(), path, FILE__GETATTR);
3278 }
3279
3280 static bool has_cap_mac_admin(bool audit)
3281 {
3282 const struct cred *cred = current_cred();
3283 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3284
3285 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3286 return false;
3287 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3288 return false;
3289 return true;
3290 }
3291
3292 /**
3293 * selinux_inode_xattr_skipcap - Skip the xattr capability checks?
3294 * @name: name of the xattr
3295 *
3296 * Returns 1 to indicate that SELinux "owns" the access control rights to xattrs
3297 * named @name; the LSM layer should avoid enforcing any traditional
3298 * capability based access controls on this xattr. Returns 0 to indicate that
3299 * SELinux does not "own" the access control rights to xattrs named @name and is
3300 * deferring to the LSM layer for further access controls, including capability
3301 * based controls.
3302 */
3303 static int selinux_inode_xattr_skipcap(const char *name)
3304 {
3305 /* require capability check if not a selinux xattr */
3306 return !strcmp(name, XATTR_NAME_SELINUX);
3307 }
3308
3309 static int selinux_inode_setxattr(struct mnt_idmap *idmap,
3310 struct dentry *dentry, const char *name,
3311 const void *value, size_t size, int flags)
3312 {
3313 struct inode *inode = d_backing_inode(dentry);
3314 struct inode_security_struct *isec;
3315 struct superblock_security_struct *sbsec;
3316 struct common_audit_data ad;
3317 u32 newsid, sid = current_sid();
3318 int rc = 0;
3319
3320 /* if not a selinux xattr, only check the ordinary setattr perm */
3321 if (strcmp(name, XATTR_NAME_SELINUX))
3322 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3323
3324 if (!selinux_initialized())
3325 return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
3326
3327 sbsec = selinux_superblock(inode->i_sb);
3328 if (!(sbsec->flags & SBLABEL_MNT))
3329 return -EOPNOTSUPP;
3330
3331 if (!inode_owner_or_capable(idmap, inode))
3332 return -EPERM;
3333
3334 ad.type = LSM_AUDIT_DATA_DENTRY;
3335 ad.u.dentry = dentry;
3336
3337 isec = backing_inode_security(dentry);
3338 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3339 FILE__RELABELFROM, &ad);
3340 if (rc)
3341 return rc;
3342
3343 rc = security_context_to_sid(value, size, &newsid,
3344 GFP_KERNEL);
3345 if (rc == -EINVAL) {
3346 if (!has_cap_mac_admin(true)) {
3347 struct audit_buffer *ab;
3348 size_t audit_size;
3349
3350 /* We strip a nul only if it is at the end, otherwise the
3351 * context contains a nul and we should audit that */
3352 if (value) {
3353 const char *str = value;
3354
3355 if (str[size - 1] == '\0')
3356 audit_size = size - 1;
3357 else
3358 audit_size = size;
3359 } else {
3360 audit_size = 0;
3361 }
3362 ab = audit_log_start(audit_context(),
3363 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3364 if (!ab)
3365 return rc;
3366 audit_log_format(ab, "op=setxattr invalid_context=");
3367 audit_log_n_untrustedstring(ab, value, audit_size);
3368 audit_log_end(ab);
3369
3370 return rc;
3371 }
3372 rc = security_context_to_sid_force(value,
3373 size, &newsid);
3374 }
3375 if (rc)
3376 return rc;
3377
3378 rc = avc_has_perm(sid, newsid, isec->sclass,
3379 FILE__RELABELTO, &ad);
3380 if (rc)
3381 return rc;
3382
3383 rc = security_validate_transition(isec->sid, newsid,
3384 sid, isec->sclass);
3385 if (rc)
3386 return rc;
3387
3388 return avc_has_perm(newsid,
3389 sbsec->sid,
3390 SECCLASS_FILESYSTEM,
3391 FILESYSTEM__ASSOCIATE,
3392 &ad);
3393 }
3394
3395 static int selinux_inode_set_acl(struct mnt_idmap *idmap,
3396 struct dentry *dentry, const char *acl_name,
3397 struct posix_acl *kacl)
3398 {
3399 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3400 }
3401
3402 static int selinux_inode_get_acl(struct mnt_idmap *idmap,
3403 struct dentry *dentry, const char *acl_name)
3404 {
3405 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3406 }
3407
3408 static int selinux_inode_remove_acl(struct mnt_idmap *idmap,
3409 struct dentry *dentry, const char *acl_name)
3410 {
3411 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3412 }
3413
3414 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3415 const void *value, size_t size,
3416 int flags)
3417 {
3418 struct inode *inode = d_backing_inode(dentry);
3419 struct inode_security_struct *isec;
3420 u32 newsid;
3421 int rc;
3422
3423 if (strcmp(name, XATTR_NAME_SELINUX)) {
3424 /* Not an attribute we recognize, so nothing to do. */
3425 return;
3426 }
3427
3428 if (!selinux_initialized()) {
3429 /* If we haven't even been initialized, then we can't validate
3430 * against a policy, so leave the label as invalid. It may
3431 * resolve to a valid label on the next revalidation try if
3432 * we've since initialized.
3433 */
3434 return;
3435 }
3436
3437 rc = security_context_to_sid_force(value, size,
3438 &newsid);
3439 if (rc) {
3440 pr_err("SELinux: unable to map context to SID"
3441 "for (%s, %lu), rc=%d\n",
3442 inode->i_sb->s_id, inode->i_ino, -rc);
3443 return;
3444 }
3445
3446 isec = backing_inode_security(dentry);
3447 spin_lock(&isec->lock);
3448 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3449 isec->sid = newsid;
3450 isec->initialized = LABEL_INITIALIZED;
3451 spin_unlock(&isec->lock);
3452 }
3453
3454 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3455 {
3456 const struct cred *cred = current_cred();
3457
3458 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3459 }
3460
3461 static int selinux_inode_listxattr(struct dentry *dentry)
3462 {
3463 const struct cred *cred = current_cred();
3464
3465 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3466 }
3467
3468 static int selinux_inode_removexattr(struct mnt_idmap *idmap,
3469 struct dentry *dentry, const char *name)
3470 {
3471 /* if not a selinux xattr, only check the ordinary setattr perm */
3472 if (strcmp(name, XATTR_NAME_SELINUX))
3473 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3474
3475 if (!selinux_initialized())
3476 return 0;
3477
3478 /* No one is allowed to remove a SELinux security label.
3479 You can change the label, but all data must be labeled. */
3480 return -EACCES;
3481 }
3482
3483 static int selinux_path_notify(const struct path *path, u64 mask,
3484 unsigned int obj_type)
3485 {
3486 int ret;
3487 u32 perm;
3488
3489 struct common_audit_data ad;
3490
3491 ad.type = LSM_AUDIT_DATA_PATH;
3492 ad.u.path = *path;
3493
3494 /*
3495 * Set permission needed based on the type of mark being set.
3496 * Performs an additional check for sb watches.
3497 */
3498 switch (obj_type) {
3499 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3500 perm = FILE__WATCH_MOUNT;
3501 break;
3502 case FSNOTIFY_OBJ_TYPE_SB:
3503 perm = FILE__WATCH_SB;
3504 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3505 FILESYSTEM__WATCH, &ad);
3506 if (ret)
3507 return ret;
3508 break;
3509 case FSNOTIFY_OBJ_TYPE_INODE:
3510 perm = FILE__WATCH;
3511 break;
3512 case FSNOTIFY_OBJ_TYPE_MNTNS:
3513 perm = FILE__WATCH_MOUNTNS;
3514 break;
3515 default:
3516 return -EINVAL;
3517 }
3518
3519 /* blocking watches require the file:watch_with_perm permission */
3520 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3521 perm |= FILE__WATCH_WITH_PERM;
3522
3523 /* watches on read-like events need the file:watch_reads permission */
3524 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_PRE_ACCESS |
3525 FS_CLOSE_NOWRITE))
3526 perm |= FILE__WATCH_READS;
3527
3528 return path_has_perm(current_cred(), path, perm);
3529 }
3530
3531 /*
3532 * Copy the inode security context value to the user.
3533 *
3534 * Permission check is handled by selinux_inode_getxattr hook.
3535 */
3536 static int selinux_inode_getsecurity(struct mnt_idmap *idmap,
3537 struct inode *inode, const char *name,
3538 void **buffer, bool alloc)
3539 {
3540 u32 size;
3541 int error;
3542 char *context = NULL;
3543 struct inode_security_struct *isec;
3544
3545 /*
3546 * If we're not initialized yet, then we can't validate contexts, so
3547 * just let vfs_getxattr fall back to using the on-disk xattr.
3548 */
3549 if (!selinux_initialized() ||
3550 strcmp(name, XATTR_SELINUX_SUFFIX))
3551 return -EOPNOTSUPP;
3552
3553 /*
3554 * If the caller has CAP_MAC_ADMIN, then get the raw context
3555 * value even if it is not defined by current policy; otherwise,
3556 * use the in-core value under current policy.
3557 * Use the non-auditing forms of the permission checks since
3558 * getxattr may be called by unprivileged processes commonly
3559 * and lack of permission just means that we fall back to the
3560 * in-core context value, not a denial.
3561 */
3562 isec = inode_security(inode);
3563 if (has_cap_mac_admin(false))
3564 error = security_sid_to_context_force(isec->sid, &context,
3565 &size);
3566 else
3567 error = security_sid_to_context(isec->sid,
3568 &context, &size);
3569 if (error)
3570 return error;
3571 error = size;
3572 if (alloc) {
3573 *buffer = context;
3574 goto out_nofree;
3575 }
3576 kfree(context);
3577 out_nofree:
3578 return error;
3579 }
3580
3581 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3582 const void *value, size_t size, int flags)
3583 {
3584 struct inode_security_struct *isec = inode_security_novalidate(inode);
3585 struct superblock_security_struct *sbsec;
3586 u32 newsid;
3587 int rc;
3588
3589 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3590 return -EOPNOTSUPP;
3591
3592 sbsec = selinux_superblock(inode->i_sb);
3593 if (!(sbsec->flags & SBLABEL_MNT))
3594 return -EOPNOTSUPP;
3595
3596 if (!value || !size)
3597 return -EACCES;
3598
3599 rc = security_context_to_sid(value, size, &newsid,
3600 GFP_KERNEL);
3601 if (rc)
3602 return rc;
3603
3604 spin_lock(&isec->lock);
3605 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3606 isec->sid = newsid;
3607 isec->initialized = LABEL_INITIALIZED;
3608 spin_unlock(&isec->lock);
3609 return 0;
3610 }
3611
3612 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3613 {
3614 const int len = sizeof(XATTR_NAME_SELINUX);
3615
3616 if (!selinux_initialized())
3617 return 0;
3618
3619 if (buffer && len <= buffer_size)
3620 memcpy(buffer, XATTR_NAME_SELINUX, len);
3621 return len;
3622 }
3623
3624 static void selinux_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop)
3625 {
3626 struct inode_security_struct *isec = inode_security_novalidate(inode);
3627
3628 prop->selinux.secid = isec->sid;
3629 }
3630
3631 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3632 {
3633 struct lsm_prop prop;
3634 struct task_security_struct *tsec;
3635 struct cred *new_creds = *new;
3636
3637 if (new_creds == NULL) {
3638 new_creds = prepare_creds();
3639 if (!new_creds)
3640 return -ENOMEM;
3641 }
3642
3643 tsec = selinux_cred(new_creds);
3644 /* Get label from overlay inode and set it in create_sid */
3645 selinux_inode_getlsmprop(d_inode(src), &prop);
3646 tsec->create_sid = prop.selinux.secid;
3647 *new = new_creds;
3648 return 0;
3649 }
3650
3651 static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name)
3652 {
3653 /* The copy_up hook above sets the initial context on an inode, but we
3654 * don't then want to overwrite it by blindly copying all the lower
3655 * xattrs up. Instead, filter out SELinux-related xattrs following
3656 * policy load.
3657 */
3658 if (selinux_initialized() && !strcmp(name, XATTR_NAME_SELINUX))
3659 return -ECANCELED; /* Discard */
3660 /*
3661 * Any other attribute apart from SELINUX is not claimed, supported
3662 * by selinux.
3663 */
3664 return -EOPNOTSUPP;
3665 }
3666
3667 /* kernfs node operations */
3668
3669 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3670 struct kernfs_node *kn)
3671 {
3672 const struct task_security_struct *tsec = selinux_cred(current_cred());
3673 u32 parent_sid, newsid, clen;
3674 int rc;
3675 char *context;
3676
3677 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3678 if (rc == -ENODATA)
3679 return 0;
3680 else if (rc < 0)
3681 return rc;
3682
3683 clen = (u32)rc;
3684 context = kmalloc(clen, GFP_KERNEL);
3685 if (!context)
3686 return -ENOMEM;
3687
3688 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3689 if (rc < 0) {
3690 kfree(context);
3691 return rc;
3692 }
3693
3694 rc = security_context_to_sid(context, clen, &parent_sid,
3695 GFP_KERNEL);
3696 kfree(context);
3697 if (rc)
3698 return rc;
3699
3700 if (tsec->create_sid) {
3701 newsid = tsec->create_sid;
3702 } else {
3703 u16 secclass = inode_mode_to_security_class(kn->mode);
3704 const char *kn_name;
3705 struct qstr q;
3706
3707 /* kn is fresh, can't be renamed, name goes not away */
3708 kn_name = rcu_dereference_check(kn->name, true);
3709 q.name = kn_name;
3710 q.hash_len = hashlen_string(kn_dir, kn_name);
3711
3712 rc = security_transition_sid(tsec->sid,
3713 parent_sid, secclass, &q,
3714 &newsid);
3715 if (rc)
3716 return rc;
3717 }
3718
3719 rc = security_sid_to_context_force(newsid,
3720 &context, &clen);
3721 if (rc)
3722 return rc;
3723
3724 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3725 XATTR_CREATE);
3726 kfree(context);
3727 return rc;
3728 }
3729
3730
3731 /* file security operations */
3732
3733 static int selinux_revalidate_file_permission(struct file *file, int mask)
3734 {
3735 const struct cred *cred = current_cred();
3736 struct inode *inode = file_inode(file);
3737
3738 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3739 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3740 mask |= MAY_APPEND;
3741
3742 return file_has_perm(cred, file,
3743 file_mask_to_av(inode->i_mode, mask));
3744 }
3745
3746 static int selinux_file_permission(struct file *file, int mask)
3747 {
3748 struct inode *inode = file_inode(file);
3749 struct file_security_struct *fsec = selinux_file(file);
3750 struct inode_security_struct *isec;
3751 u32 sid = current_sid();
3752
3753 if (!mask)
3754 /* No permission to check. Existence test. */
3755 return 0;
3756
3757 isec = inode_security(inode);
3758 if (sid == fsec->sid && fsec->isid == isec->sid &&
3759 fsec->pseqno == avc_policy_seqno())
3760 /* No change since file_open check. */
3761 return 0;
3762
3763 return selinux_revalidate_file_permission(file, mask);
3764 }
3765
3766 static int selinux_file_alloc_security(struct file *file)
3767 {
3768 struct file_security_struct *fsec = selinux_file(file);
3769 u32 sid = current_sid();
3770
3771 fsec->sid = sid;
3772 fsec->fown_sid = sid;
3773
3774 return 0;
3775 }
3776
3777 /*
3778 * Check whether a task has the ioctl permission and cmd
3779 * operation to an inode.
3780 */
3781 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3782 u32 requested, u16 cmd)
3783 {
3784 struct common_audit_data ad;
3785 struct file_security_struct *fsec = selinux_file(file);
3786 struct inode *inode = file_inode(file);
3787 struct inode_security_struct *isec;
3788 struct lsm_ioctlop_audit ioctl;
3789 u32 ssid = cred_sid(cred);
3790 int rc;
3791 u8 driver = cmd >> 8;
3792 u8 xperm = cmd & 0xff;
3793
3794 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3795 ad.u.op = &ioctl;
3796 ad.u.op->cmd = cmd;
3797 ad.u.op->path = file->f_path;
3798
3799 if (ssid != fsec->sid) {
3800 rc = avc_has_perm(ssid, fsec->sid,
3801 SECCLASS_FD,
3802 FD__USE,
3803 &ad);
3804 if (rc)
3805 goto out;
3806 }
3807
3808 if (unlikely(IS_PRIVATE(inode)))
3809 return 0;
3810
3811 isec = inode_security(inode);
3812 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, requested,
3813 driver, AVC_EXT_IOCTL, xperm, &ad);
3814 out:
3815 return rc;
3816 }
3817
3818 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3819 unsigned long arg)
3820 {
3821 const struct cred *cred = current_cred();
3822 int error = 0;
3823
3824 switch (cmd) {
3825 case FIONREAD:
3826 case FIBMAP:
3827 case FIGETBSZ:
3828 case FS_IOC_GETFLAGS:
3829 case FS_IOC_GETVERSION:
3830 error = file_has_perm(cred, file, FILE__GETATTR);
3831 break;
3832
3833 case FS_IOC_SETFLAGS:
3834 case FS_IOC_SETVERSION:
3835 error = file_has_perm(cred, file, FILE__SETATTR);
3836 break;
3837
3838 /* sys_ioctl() checks */
3839 case FIONBIO:
3840 case FIOASYNC:
3841 error = file_has_perm(cred, file, 0);
3842 break;
3843
3844 case KDSKBENT:
3845 case KDSKBSENT:
3846 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3847 CAP_OPT_NONE, true);
3848 break;
3849
3850 case FIOCLEX:
3851 case FIONCLEX:
3852 if (!selinux_policycap_ioctl_skip_cloexec())
3853 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3854 break;
3855
3856 /* default case assumes that the command will go
3857 * to the file's ioctl() function.
3858 */
3859 default:
3860 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3861 }
3862 return error;
3863 }
3864
3865 static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd,
3866 unsigned long arg)
3867 {
3868 /*
3869 * If we are in a 64-bit kernel running 32-bit userspace, we need to
3870 * make sure we don't compare 32-bit flags to 64-bit flags.
3871 */
3872 switch (cmd) {
3873 case FS_IOC32_GETFLAGS:
3874 cmd = FS_IOC_GETFLAGS;
3875 break;
3876 case FS_IOC32_SETFLAGS:
3877 cmd = FS_IOC_SETFLAGS;
3878 break;
3879 case FS_IOC32_GETVERSION:
3880 cmd = FS_IOC_GETVERSION;
3881 break;
3882 case FS_IOC32_SETVERSION:
3883 cmd = FS_IOC_SETVERSION;
3884 break;
3885 default:
3886 break;
3887 }
3888
3889 return selinux_file_ioctl(file, cmd, arg);
3890 }
3891
3892 static int default_noexec __ro_after_init;
3893
3894 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3895 {
3896 const struct cred *cred = current_cred();
3897 u32 sid = cred_sid(cred);
3898 int rc = 0;
3899
3900 if (default_noexec &&
3901 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3902 (!shared && (prot & PROT_WRITE)))) {
3903 /*
3904 * We are making executable an anonymous mapping or a
3905 * private file mapping that will also be writable.
3906 * This has an additional check.
3907 */
3908 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3909 PROCESS__EXECMEM, NULL);
3910 if (rc)
3911 goto error;
3912 }
3913
3914 if (file) {
3915 /* read access is always possible with a mapping */
3916 u32 av = FILE__READ;
3917
3918 /* write access only matters if the mapping is shared */
3919 if (shared && (prot & PROT_WRITE))
3920 av |= FILE__WRITE;
3921
3922 if (prot & PROT_EXEC)
3923 av |= FILE__EXECUTE;
3924
3925 return file_has_perm(cred, file, av);
3926 }
3927
3928 error:
3929 return rc;
3930 }
3931
3932 static int selinux_mmap_addr(unsigned long addr)
3933 {
3934 int rc = 0;
3935
3936 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3937 u32 sid = current_sid();
3938 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3939 MEMPROTECT__MMAP_ZERO, NULL);
3940 }
3941
3942 return rc;
3943 }
3944
3945 static int selinux_mmap_file(struct file *file,
3946 unsigned long reqprot __always_unused,
3947 unsigned long prot, unsigned long flags)
3948 {
3949 struct common_audit_data ad;
3950 int rc;
3951
3952 if (file) {
3953 ad.type = LSM_AUDIT_DATA_FILE;
3954 ad.u.file = file;
3955 rc = inode_has_perm(current_cred(), file_inode(file),
3956 FILE__MAP, &ad);
3957 if (rc)
3958 return rc;
3959 }
3960
3961 return file_map_prot_check(file, prot,
3962 (flags & MAP_TYPE) == MAP_SHARED);
3963 }
3964
3965 static int selinux_file_mprotect(struct vm_area_struct *vma,
3966 unsigned long reqprot __always_unused,
3967 unsigned long prot)
3968 {
3969 const struct cred *cred = current_cred();
3970 u32 sid = cred_sid(cred);
3971
3972 if (default_noexec &&
3973 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3974 int rc = 0;
3975 /*
3976 * We don't use the vma_is_initial_heap() helper as it has
3977 * a history of problems and is currently broken on systems
3978 * where there is no heap, e.g. brk == start_brk. Before
3979 * replacing the conditional below with vma_is_initial_heap(),
3980 * or something similar, please ensure that the logic is the
3981 * same as what we have below or you have tested every possible
3982 * corner case you can think to test.
3983 */
3984 if (vma->vm_start >= vma->vm_mm->start_brk &&
3985 vma->vm_end <= vma->vm_mm->brk) {
3986 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3987 PROCESS__EXECHEAP, NULL);
3988 } else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
3989 vma_is_stack_for_current(vma))) {
3990 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3991 PROCESS__EXECSTACK, NULL);
3992 } else if (vma->vm_file && vma->anon_vma) {
3993 /*
3994 * We are making executable a file mapping that has
3995 * had some COW done. Since pages might have been
3996 * written, check ability to execute the possibly
3997 * modified content. This typically should only
3998 * occur for text relocations.
3999 */
4000 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
4001 }
4002 if (rc)
4003 return rc;
4004 }
4005
4006 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
4007 }
4008
4009 static int selinux_file_lock(struct file *file, unsigned int cmd)
4010 {
4011 const struct cred *cred = current_cred();
4012
4013 return file_has_perm(cred, file, FILE__LOCK);
4014 }
4015
4016 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
4017 unsigned long arg)
4018 {
4019 const struct cred *cred = current_cred();
4020 int err = 0;
4021
4022 switch (cmd) {
4023 case F_SETFL:
4024 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
4025 err = file_has_perm(cred, file, FILE__WRITE);
4026 break;
4027 }
4028 fallthrough;
4029 case F_SETOWN:
4030 case F_SETSIG:
4031 case F_GETFL:
4032 case F_GETOWN:
4033 case F_GETSIG:
4034 case F_GETOWNER_UIDS:
4035 /* Just check FD__USE permission */
4036 err = file_has_perm(cred, file, 0);
4037 break;
4038 case F_GETLK:
4039 case F_SETLK:
4040 case F_SETLKW:
4041 case F_OFD_GETLK:
4042 case F_OFD_SETLK:
4043 case F_OFD_SETLKW:
4044 #if BITS_PER_LONG == 32
4045 case F_GETLK64:
4046 case F_SETLK64:
4047 case F_SETLKW64:
4048 #endif
4049 err = file_has_perm(cred, file, FILE__LOCK);
4050 break;
4051 }
4052
4053 return err;
4054 }
4055
4056 static void selinux_file_set_fowner(struct file *file)
4057 {
4058 struct file_security_struct *fsec;
4059
4060 fsec = selinux_file(file);
4061 fsec->fown_sid = current_sid();
4062 }
4063
4064 static int selinux_file_send_sigiotask(struct task_struct *tsk,
4065 struct fown_struct *fown, int signum)
4066 {
4067 struct file *file;
4068 u32 sid = task_sid_obj(tsk);
4069 u32 perm;
4070 struct file_security_struct *fsec;
4071
4072 /* struct fown_struct is never outside the context of a struct file */
4073 file = fown->file;
4074
4075 fsec = selinux_file(file);
4076
4077 if (!signum)
4078 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
4079 else
4080 perm = signal_to_av(signum);
4081
4082 return avc_has_perm(fsec->fown_sid, sid,
4083 SECCLASS_PROCESS, perm, NULL);
4084 }
4085
4086 static int selinux_file_receive(struct file *file)
4087 {
4088 const struct cred *cred = current_cred();
4089
4090 return file_has_perm(cred, file, file_to_av(file));
4091 }
4092
4093 static int selinux_file_open(struct file *file)
4094 {
4095 struct file_security_struct *fsec;
4096 struct inode_security_struct *isec;
4097
4098 fsec = selinux_file(file);
4099 isec = inode_security(file_inode(file));
4100 /*
4101 * Save inode label and policy sequence number
4102 * at open-time so that selinux_file_permission
4103 * can determine whether revalidation is necessary.
4104 * Task label is already saved in the file security
4105 * struct as its SID.
4106 */
4107 fsec->isid = isec->sid;
4108 fsec->pseqno = avc_policy_seqno();
4109 /*
4110 * Since the inode label or policy seqno may have changed
4111 * between the selinux_inode_permission check and the saving
4112 * of state above, recheck that access is still permitted.
4113 * Otherwise, access might never be revalidated against the
4114 * new inode label or new policy.
4115 * This check is not redundant - do not remove.
4116 */
4117 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
4118 }
4119
4120 /* task security operations */
4121
4122 static int selinux_task_alloc(struct task_struct *task,
4123 unsigned long clone_flags)
4124 {
4125 u32 sid = current_sid();
4126
4127 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
4128 }
4129
4130 /*
4131 * prepare a new set of credentials for modification
4132 */
4133 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
4134 gfp_t gfp)
4135 {
4136 const struct task_security_struct *old_tsec = selinux_cred(old);
4137 struct task_security_struct *tsec = selinux_cred(new);
4138
4139 *tsec = *old_tsec;
4140 return 0;
4141 }
4142
4143 /*
4144 * transfer the SELinux data to a blank set of creds
4145 */
4146 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
4147 {
4148 const struct task_security_struct *old_tsec = selinux_cred(old);
4149 struct task_security_struct *tsec = selinux_cred(new);
4150
4151 *tsec = *old_tsec;
4152 }
4153
4154 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
4155 {
4156 *secid = cred_sid(c);
4157 }
4158
4159 static void selinux_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop)
4160 {
4161 prop->selinux.secid = cred_sid(c);
4162 }
4163
4164 /*
4165 * set the security data for a kernel service
4166 * - all the creation contexts are set to unlabelled
4167 */
4168 static int selinux_kernel_act_as(struct cred *new, u32 secid)
4169 {
4170 struct task_security_struct *tsec = selinux_cred(new);
4171 u32 sid = current_sid();
4172 int ret;
4173
4174 ret = avc_has_perm(sid, secid,
4175 SECCLASS_KERNEL_SERVICE,
4176 KERNEL_SERVICE__USE_AS_OVERRIDE,
4177 NULL);
4178 if (ret == 0) {
4179 tsec->sid = secid;
4180 tsec->create_sid = 0;
4181 tsec->keycreate_sid = 0;
4182 tsec->sockcreate_sid = 0;
4183 }
4184 return ret;
4185 }
4186
4187 /*
4188 * set the file creation context in a security record to the same as the
4189 * objective context of the specified inode
4190 */
4191 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4192 {
4193 struct inode_security_struct *isec = inode_security(inode);
4194 struct task_security_struct *tsec = selinux_cred(new);
4195 u32 sid = current_sid();
4196 int ret;
4197
4198 ret = avc_has_perm(sid, isec->sid,
4199 SECCLASS_KERNEL_SERVICE,
4200 KERNEL_SERVICE__CREATE_FILES_AS,
4201 NULL);
4202
4203 if (ret == 0)
4204 tsec->create_sid = isec->sid;
4205 return ret;
4206 }
4207
4208 static int selinux_kernel_module_request(char *kmod_name)
4209 {
4210 struct common_audit_data ad;
4211
4212 ad.type = LSM_AUDIT_DATA_KMOD;
4213 ad.u.kmod_name = kmod_name;
4214
4215 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4216 SYSTEM__MODULE_REQUEST, &ad);
4217 }
4218
4219 static int selinux_kernel_load_from_file(struct file *file, u32 requested)
4220 {
4221 struct common_audit_data ad;
4222 struct inode_security_struct *isec;
4223 struct file_security_struct *fsec;
4224 u32 sid = current_sid();
4225 int rc;
4226
4227 if (file == NULL)
4228 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, requested, NULL);
4229
4230 ad.type = LSM_AUDIT_DATA_FILE;
4231 ad.u.file = file;
4232
4233 fsec = selinux_file(file);
4234 if (sid != fsec->sid) {
4235 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4236 if (rc)
4237 return rc;
4238 }
4239
4240 isec = inode_security(file_inode(file));
4241 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, requested, &ad);
4242 }
4243
4244 static int selinux_kernel_read_file(struct file *file,
4245 enum kernel_read_file_id id,
4246 bool contents)
4247 {
4248 int rc = 0;
4249
4250 BUILD_BUG_ON_MSG(READING_MAX_ID > 7,
4251 "New kernel_read_file_id introduced; update SELinux!");
4252
4253 switch (id) {
4254 case READING_FIRMWARE:
4255 rc = selinux_kernel_load_from_file(file, SYSTEM__FIRMWARE_LOAD);
4256 break;
4257 case READING_MODULE:
4258 rc = selinux_kernel_load_from_file(file, SYSTEM__MODULE_LOAD);
4259 break;
4260 case READING_KEXEC_IMAGE:
4261 rc = selinux_kernel_load_from_file(file,
4262 SYSTEM__KEXEC_IMAGE_LOAD);
4263 break;
4264 case READING_KEXEC_INITRAMFS:
4265 rc = selinux_kernel_load_from_file(file,
4266 SYSTEM__KEXEC_INITRAMFS_LOAD);
4267 break;
4268 case READING_POLICY:
4269 rc = selinux_kernel_load_from_file(file, SYSTEM__POLICY_LOAD);
4270 break;
4271 case READING_X509_CERTIFICATE:
4272 rc = selinux_kernel_load_from_file(file,
4273 SYSTEM__X509_CERTIFICATE_LOAD);
4274 break;
4275 default:
4276 break;
4277 }
4278
4279 return rc;
4280 }
4281
4282 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4283 {
4284 int rc = 0;
4285
4286 BUILD_BUG_ON_MSG(LOADING_MAX_ID > 7,
4287 "New kernel_load_data_id introduced; update SELinux!");
4288
4289 switch (id) {
4290 case LOADING_FIRMWARE:
4291 rc = selinux_kernel_load_from_file(NULL, SYSTEM__FIRMWARE_LOAD);
4292 break;
4293 case LOADING_MODULE:
4294 rc = selinux_kernel_load_from_file(NULL, SYSTEM__MODULE_LOAD);
4295 break;
4296 case LOADING_KEXEC_IMAGE:
4297 rc = selinux_kernel_load_from_file(NULL,
4298 SYSTEM__KEXEC_IMAGE_LOAD);
4299 break;
4300 case LOADING_KEXEC_INITRAMFS:
4301 rc = selinux_kernel_load_from_file(NULL,
4302 SYSTEM__KEXEC_INITRAMFS_LOAD);
4303 break;
4304 case LOADING_POLICY:
4305 rc = selinux_kernel_load_from_file(NULL,
4306 SYSTEM__POLICY_LOAD);
4307 break;
4308 case LOADING_X509_CERTIFICATE:
4309 rc = selinux_kernel_load_from_file(NULL,
4310 SYSTEM__X509_CERTIFICATE_LOAD);
4311 break;
4312 default:
4313 break;
4314 }
4315
4316 return rc;
4317 }
4318
4319 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4320 {
4321 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4322 PROCESS__SETPGID, NULL);
4323 }
4324
4325 static int selinux_task_getpgid(struct task_struct *p)
4326 {
4327 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4328 PROCESS__GETPGID, NULL);
4329 }
4330
4331 static int selinux_task_getsid(struct task_struct *p)
4332 {
4333 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4334 PROCESS__GETSESSION, NULL);
4335 }
4336
4337 static void selinux_current_getlsmprop_subj(struct lsm_prop *prop)
4338 {
4339 prop->selinux.secid = current_sid();
4340 }
4341
4342 static void selinux_task_getlsmprop_obj(struct task_struct *p,
4343 struct lsm_prop *prop)
4344 {
4345 prop->selinux.secid = task_sid_obj(p);
4346 }
4347
4348 static int selinux_task_setnice(struct task_struct *p, int nice)
4349 {
4350 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4351 PROCESS__SETSCHED, NULL);
4352 }
4353
4354 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4355 {
4356 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4357 PROCESS__SETSCHED, NULL);
4358 }
4359
4360 static int selinux_task_getioprio(struct task_struct *p)
4361 {
4362 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4363 PROCESS__GETSCHED, NULL);
4364 }
4365
4366 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4367 unsigned int flags)
4368 {
4369 u32 av = 0;
4370
4371 if (!flags)
4372 return 0;
4373 if (flags & LSM_PRLIMIT_WRITE)
4374 av |= PROCESS__SETRLIMIT;
4375 if (flags & LSM_PRLIMIT_READ)
4376 av |= PROCESS__GETRLIMIT;
4377 return avc_has_perm(cred_sid(cred), cred_sid(tcred),
4378 SECCLASS_PROCESS, av, NULL);
4379 }
4380
4381 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4382 struct rlimit *new_rlim)
4383 {
4384 struct rlimit *old_rlim = p->signal->rlim + resource;
4385
4386 /* Control the ability to change the hard limit (whether
4387 lowering or raising it), so that the hard limit can
4388 later be used as a safe reset point for the soft limit
4389 upon context transitions. See selinux_bprm_committing_creds. */
4390 if (old_rlim->rlim_max != new_rlim->rlim_max)
4391 return avc_has_perm(current_sid(), task_sid_obj(p),
4392 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4393
4394 return 0;
4395 }
4396
4397 static int selinux_task_setscheduler(struct task_struct *p)
4398 {
4399 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4400 PROCESS__SETSCHED, NULL);
4401 }
4402
4403 static int selinux_task_getscheduler(struct task_struct *p)
4404 {
4405 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4406 PROCESS__GETSCHED, NULL);
4407 }
4408
4409 static int selinux_task_movememory(struct task_struct *p)
4410 {
4411 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4412 PROCESS__SETSCHED, NULL);
4413 }
4414
4415 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4416 int sig, const struct cred *cred)
4417 {
4418 u32 secid;
4419 u32 perm;
4420
4421 if (!sig)
4422 perm = PROCESS__SIGNULL; /* null signal; existence test */
4423 else
4424 perm = signal_to_av(sig);
4425 if (!cred)
4426 secid = current_sid();
4427 else
4428 secid = cred_sid(cred);
4429 return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4430 }
4431
4432 static void selinux_task_to_inode(struct task_struct *p,
4433 struct inode *inode)
4434 {
4435 struct inode_security_struct *isec = selinux_inode(inode);
4436 u32 sid = task_sid_obj(p);
4437
4438 spin_lock(&isec->lock);
4439 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4440 isec->sid = sid;
4441 isec->initialized = LABEL_INITIALIZED;
4442 spin_unlock(&isec->lock);
4443 }
4444
4445 static int selinux_userns_create(const struct cred *cred)
4446 {
4447 u32 sid = current_sid();
4448
4449 return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE,
4450 USER_NAMESPACE__CREATE, NULL);
4451 }
4452
4453 /* Returns error only if unable to parse addresses */
4454 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4455 struct common_audit_data *ad, u8 *proto)
4456 {
4457 int offset, ihlen, ret = -EINVAL;
4458 struct iphdr _iph, *ih;
4459
4460 offset = skb_network_offset(skb);
4461 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4462 if (ih == NULL)
4463 goto out;
4464
4465 ihlen = ih->ihl * 4;
4466 if (ihlen < sizeof(_iph))
4467 goto out;
4468
4469 ad->u.net->v4info.saddr = ih->saddr;
4470 ad->u.net->v4info.daddr = ih->daddr;
4471 ret = 0;
4472
4473 if (proto)
4474 *proto = ih->protocol;
4475
4476 switch (ih->protocol) {
4477 case IPPROTO_TCP: {
4478 struct tcphdr _tcph, *th;
4479
4480 if (ntohs(ih->frag_off) & IP_OFFSET)
4481 break;
4482
4483 offset += ihlen;
4484 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4485 if (th == NULL)
4486 break;
4487
4488 ad->u.net->sport = th->source;
4489 ad->u.net->dport = th->dest;
4490 break;
4491 }
4492
4493 case IPPROTO_UDP: {
4494 struct udphdr _udph, *uh;
4495
4496 if (ntohs(ih->frag_off) & IP_OFFSET)
4497 break;
4498
4499 offset += ihlen;
4500 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4501 if (uh == NULL)
4502 break;
4503
4504 ad->u.net->sport = uh->source;
4505 ad->u.net->dport = uh->dest;
4506 break;
4507 }
4508
4509 #if IS_ENABLED(CONFIG_IP_SCTP)
4510 case IPPROTO_SCTP: {
4511 struct sctphdr _sctph, *sh;
4512
4513 if (ntohs(ih->frag_off) & IP_OFFSET)
4514 break;
4515
4516 offset += ihlen;
4517 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4518 if (sh == NULL)
4519 break;
4520
4521 ad->u.net->sport = sh->source;
4522 ad->u.net->dport = sh->dest;
4523 break;
4524 }
4525 #endif
4526 default:
4527 break;
4528 }
4529 out:
4530 return ret;
4531 }
4532
4533 #if IS_ENABLED(CONFIG_IPV6)
4534
4535 /* Returns error only if unable to parse addresses */
4536 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4537 struct common_audit_data *ad, u8 *proto)
4538 {
4539 u8 nexthdr;
4540 int ret = -EINVAL, offset;
4541 struct ipv6hdr _ipv6h, *ip6;
4542 __be16 frag_off;
4543
4544 offset = skb_network_offset(skb);
4545 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4546 if (ip6 == NULL)
4547 goto out;
4548
4549 ad->u.net->v6info.saddr = ip6->saddr;
4550 ad->u.net->v6info.daddr = ip6->daddr;
4551 ret = 0;
4552
4553 nexthdr = ip6->nexthdr;
4554 offset += sizeof(_ipv6h);
4555 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4556 if (offset < 0)
4557 goto out;
4558
4559 if (proto)
4560 *proto = nexthdr;
4561
4562 switch (nexthdr) {
4563 case IPPROTO_TCP: {
4564 struct tcphdr _tcph, *th;
4565
4566 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4567 if (th == NULL)
4568 break;
4569
4570 ad->u.net->sport = th->source;
4571 ad->u.net->dport = th->dest;
4572 break;
4573 }
4574
4575 case IPPROTO_UDP: {
4576 struct udphdr _udph, *uh;
4577
4578 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4579 if (uh == NULL)
4580 break;
4581
4582 ad->u.net->sport = uh->source;
4583 ad->u.net->dport = uh->dest;
4584 break;
4585 }
4586
4587 #if IS_ENABLED(CONFIG_IP_SCTP)
4588 case IPPROTO_SCTP: {
4589 struct sctphdr _sctph, *sh;
4590
4591 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4592 if (sh == NULL)
4593 break;
4594
4595 ad->u.net->sport = sh->source;
4596 ad->u.net->dport = sh->dest;
4597 break;
4598 }
4599 #endif
4600 /* includes fragments */
4601 default:
4602 break;
4603 }
4604 out:
4605 return ret;
4606 }
4607
4608 #endif /* IPV6 */
4609
4610 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4611 char **_addrp, int src, u8 *proto)
4612 {
4613 char *addrp;
4614 int ret;
4615
4616 switch (ad->u.net->family) {
4617 case PF_INET:
4618 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4619 if (ret)
4620 goto parse_error;
4621 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4622 &ad->u.net->v4info.daddr);
4623 goto okay;
4624
4625 #if IS_ENABLED(CONFIG_IPV6)
4626 case PF_INET6:
4627 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4628 if (ret)
4629 goto parse_error;
4630 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4631 &ad->u.net->v6info.daddr);
4632 goto okay;
4633 #endif /* IPV6 */
4634 default:
4635 addrp = NULL;
4636 goto okay;
4637 }
4638
4639 parse_error:
4640 pr_warn(
4641 "SELinux: failure in selinux_parse_skb(),"
4642 " unable to parse packet\n");
4643 return ret;
4644
4645 okay:
4646 if (_addrp)
4647 *_addrp = addrp;
4648 return 0;
4649 }
4650
4651 /**
4652 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4653 * @skb: the packet
4654 * @family: protocol family
4655 * @sid: the packet's peer label SID
4656 *
4657 * Description:
4658 * Check the various different forms of network peer labeling and determine
4659 * the peer label/SID for the packet; most of the magic actually occurs in
4660 * the security server function security_net_peersid_cmp(). The function
4661 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4662 * or -EACCES if @sid is invalid due to inconsistencies with the different
4663 * peer labels.
4664 *
4665 */
4666 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4667 {
4668 int err;
4669 u32 xfrm_sid;
4670 u32 nlbl_sid;
4671 u32 nlbl_type;
4672
4673 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4674 if (unlikely(err))
4675 return -EACCES;
4676 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4677 if (unlikely(err))
4678 return -EACCES;
4679
4680 err = security_net_peersid_resolve(nlbl_sid,
4681 nlbl_type, xfrm_sid, sid);
4682 if (unlikely(err)) {
4683 pr_warn(
4684 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4685 " unable to determine packet's peer label\n");
4686 return -EACCES;
4687 }
4688
4689 return 0;
4690 }
4691
4692 /**
4693 * selinux_conn_sid - Determine the child socket label for a connection
4694 * @sk_sid: the parent socket's SID
4695 * @skb_sid: the packet's SID
4696 * @conn_sid: the resulting connection SID
4697 *
4698 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4699 * combined with the MLS information from @skb_sid in order to create
4700 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy
4701 * of @sk_sid. Returns zero on success, negative values on failure.
4702 *
4703 */
4704 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4705 {
4706 int err = 0;
4707
4708 if (skb_sid != SECSID_NULL)
4709 err = security_sid_mls_copy(sk_sid, skb_sid,
4710 conn_sid);
4711 else
4712 *conn_sid = sk_sid;
4713
4714 return err;
4715 }
4716
4717 /* socket security operations */
4718
4719 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4720 u16 secclass, u32 *socksid)
4721 {
4722 if (tsec->sockcreate_sid > SECSID_NULL) {
4723 *socksid = tsec->sockcreate_sid;
4724 return 0;
4725 }
4726
4727 return security_transition_sid(tsec->sid, tsec->sid,
4728 secclass, NULL, socksid);
4729 }
4730
4731 static bool sock_skip_has_perm(u32 sid)
4732 {
4733 if (sid == SECINITSID_KERNEL)
4734 return true;
4735
4736 /*
4737 * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that
4738 * inherited the kernel context from early boot used to be skipped
4739 * here, so preserve that behavior unless the capability is set.
4740 *
4741 * By setting the capability the policy signals that it is ready
4742 * for this quirk to be fixed. Note that sockets created by a kernel
4743 * thread or a usermode helper executed without a transition will
4744 * still be skipped in this check regardless of the policycap
4745 * setting.
4746 */
4747 if (!selinux_policycap_userspace_initial_context() &&
4748 sid == SECINITSID_INIT)
4749 return true;
4750 return false;
4751 }
4752
4753
4754 static int sock_has_perm(struct sock *sk, u32 perms)
4755 {
4756 struct sk_security_struct *sksec = sk->sk_security;
4757 struct common_audit_data ad;
4758 struct lsm_network_audit net;
4759
4760 if (sock_skip_has_perm(sksec->sid))
4761 return 0;
4762
4763 ad_net_init_from_sk(&ad, &net, sk);
4764
4765 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4766 &ad);
4767 }
4768
4769 static int selinux_socket_create(int family, int type,
4770 int protocol, int kern)
4771 {
4772 const struct task_security_struct *tsec = selinux_cred(current_cred());
4773 u32 newsid;
4774 u16 secclass;
4775 int rc;
4776
4777 if (kern)
4778 return 0;
4779
4780 secclass = socket_type_to_security_class(family, type, protocol);
4781 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4782 if (rc)
4783 return rc;
4784
4785 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4786 }
4787
4788 static int selinux_socket_post_create(struct socket *sock, int family,
4789 int type, int protocol, int kern)
4790 {
4791 const struct task_security_struct *tsec = selinux_cred(current_cred());
4792 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4793 struct sk_security_struct *sksec;
4794 u16 sclass = socket_type_to_security_class(family, type, protocol);
4795 u32 sid = SECINITSID_KERNEL;
4796 int err = 0;
4797
4798 if (!kern) {
4799 err = socket_sockcreate_sid(tsec, sclass, &sid);
4800 if (err)
4801 return err;
4802 }
4803
4804 isec->sclass = sclass;
4805 isec->sid = sid;
4806 isec->initialized = LABEL_INITIALIZED;
4807
4808 if (sock->sk) {
4809 sksec = selinux_sock(sock->sk);
4810 sksec->sclass = sclass;
4811 sksec->sid = sid;
4812 /* Allows detection of the first association on this socket */
4813 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4814 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4815
4816 err = selinux_netlbl_socket_post_create(sock->sk, family);
4817 }
4818
4819 return err;
4820 }
4821
4822 static int selinux_socket_socketpair(struct socket *socka,
4823 struct socket *sockb)
4824 {
4825 struct sk_security_struct *sksec_a = selinux_sock(socka->sk);
4826 struct sk_security_struct *sksec_b = selinux_sock(sockb->sk);
4827
4828 sksec_a->peer_sid = sksec_b->sid;
4829 sksec_b->peer_sid = sksec_a->sid;
4830
4831 return 0;
4832 }
4833
4834 /* Range of port numbers used to automatically bind.
4835 Need to determine whether we should perform a name_bind
4836 permission check between the socket and the port number. */
4837
4838 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4839 {
4840 struct sock *sk = sock->sk;
4841 struct sk_security_struct *sksec = selinux_sock(sk);
4842 u16 family;
4843 int err;
4844
4845 err = sock_has_perm(sk, SOCKET__BIND);
4846 if (err)
4847 goto out;
4848
4849 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4850 family = sk->sk_family;
4851 if (family == PF_INET || family == PF_INET6) {
4852 char *addrp;
4853 struct common_audit_data ad;
4854 struct lsm_network_audit net = {0,};
4855 struct sockaddr_in *addr4 = NULL;
4856 struct sockaddr_in6 *addr6 = NULL;
4857 u16 family_sa;
4858 unsigned short snum;
4859 u32 sid, node_perm;
4860
4861 /*
4862 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4863 * that validates multiple binding addresses. Because of this
4864 * need to check address->sa_family as it is possible to have
4865 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4866 */
4867 if (addrlen < offsetofend(struct sockaddr, sa_family))
4868 return -EINVAL;
4869 family_sa = address->sa_family;
4870 switch (family_sa) {
4871 case AF_UNSPEC:
4872 case AF_INET:
4873 if (addrlen < sizeof(struct sockaddr_in))
4874 return -EINVAL;
4875 addr4 = (struct sockaddr_in *)address;
4876 if (family_sa == AF_UNSPEC) {
4877 if (family == PF_INET6) {
4878 /* Length check from inet6_bind_sk() */
4879 if (addrlen < SIN6_LEN_RFC2133)
4880 return -EINVAL;
4881 /* Family check from __inet6_bind() */
4882 goto err_af;
4883 }
4884 /* see __inet_bind(), we only want to allow
4885 * AF_UNSPEC if the address is INADDR_ANY
4886 */
4887 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4888 goto err_af;
4889 family_sa = AF_INET;
4890 }
4891 snum = ntohs(addr4->sin_port);
4892 addrp = (char *)&addr4->sin_addr.s_addr;
4893 break;
4894 case AF_INET6:
4895 if (addrlen < SIN6_LEN_RFC2133)
4896 return -EINVAL;
4897 addr6 = (struct sockaddr_in6 *)address;
4898 snum = ntohs(addr6->sin6_port);
4899 addrp = (char *)&addr6->sin6_addr.s6_addr;
4900 break;
4901 default:
4902 goto err_af;
4903 }
4904
4905 ad.type = LSM_AUDIT_DATA_NET;
4906 ad.u.net = &net;
4907 ad.u.net->sport = htons(snum);
4908 ad.u.net->family = family_sa;
4909
4910 if (snum) {
4911 int low, high;
4912
4913 inet_get_local_port_range(sock_net(sk), &low, &high);
4914
4915 if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4916 snum < low || snum > high) {
4917 err = sel_netport_sid(sk->sk_protocol,
4918 snum, &sid);
4919 if (err)
4920 goto out;
4921 err = avc_has_perm(sksec->sid, sid,
4922 sksec->sclass,
4923 SOCKET__NAME_BIND, &ad);
4924 if (err)
4925 goto out;
4926 }
4927 }
4928
4929 switch (sksec->sclass) {
4930 case SECCLASS_TCP_SOCKET:
4931 node_perm = TCP_SOCKET__NODE_BIND;
4932 break;
4933
4934 case SECCLASS_UDP_SOCKET:
4935 node_perm = UDP_SOCKET__NODE_BIND;
4936 break;
4937
4938 case SECCLASS_SCTP_SOCKET:
4939 node_perm = SCTP_SOCKET__NODE_BIND;
4940 break;
4941
4942 default:
4943 node_perm = RAWIP_SOCKET__NODE_BIND;
4944 break;
4945 }
4946
4947 err = sel_netnode_sid(addrp, family_sa, &sid);
4948 if (err)
4949 goto out;
4950
4951 if (family_sa == AF_INET)
4952 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4953 else
4954 ad.u.net->v6info.saddr = addr6->sin6_addr;
4955
4956 err = avc_has_perm(sksec->sid, sid,
4957 sksec->sclass, node_perm, &ad);
4958 if (err)
4959 goto out;
4960 }
4961 out:
4962 return err;
4963 err_af:
4964 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4965 if (sk->sk_protocol == IPPROTO_SCTP)
4966 return -EINVAL;
4967 return -EAFNOSUPPORT;
4968 }
4969
4970 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4971 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4972 */
4973 static int selinux_socket_connect_helper(struct socket *sock,
4974 struct sockaddr *address, int addrlen)
4975 {
4976 struct sock *sk = sock->sk;
4977 struct sk_security_struct *sksec = selinux_sock(sk);
4978 int err;
4979
4980 err = sock_has_perm(sk, SOCKET__CONNECT);
4981 if (err)
4982 return err;
4983 if (addrlen < offsetofend(struct sockaddr, sa_family))
4984 return -EINVAL;
4985
4986 /* connect(AF_UNSPEC) has special handling, as it is a documented
4987 * way to disconnect the socket
4988 */
4989 if (address->sa_family == AF_UNSPEC)
4990 return 0;
4991
4992 /*
4993 * If a TCP or SCTP socket, check name_connect permission
4994 * for the port.
4995 */
4996 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4997 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4998 struct common_audit_data ad;
4999 struct lsm_network_audit net = {0,};
5000 struct sockaddr_in *addr4 = NULL;
5001 struct sockaddr_in6 *addr6 = NULL;
5002 unsigned short snum;
5003 u32 sid, perm;
5004
5005 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
5006 * that validates multiple connect addresses. Because of this
5007 * need to check address->sa_family as it is possible to have
5008 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
5009 */
5010 switch (address->sa_family) {
5011 case AF_INET:
5012 addr4 = (struct sockaddr_in *)address;
5013 if (addrlen < sizeof(struct sockaddr_in))
5014 return -EINVAL;
5015 snum = ntohs(addr4->sin_port);
5016 break;
5017 case AF_INET6:
5018 addr6 = (struct sockaddr_in6 *)address;
5019 if (addrlen < SIN6_LEN_RFC2133)
5020 return -EINVAL;
5021 snum = ntohs(addr6->sin6_port);
5022 break;
5023 default:
5024 /* Note that SCTP services expect -EINVAL, whereas
5025 * others expect -EAFNOSUPPORT.
5026 */
5027 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
5028 return -EINVAL;
5029 else
5030 return -EAFNOSUPPORT;
5031 }
5032
5033 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
5034 if (err)
5035 return err;
5036
5037 switch (sksec->sclass) {
5038 case SECCLASS_TCP_SOCKET:
5039 perm = TCP_SOCKET__NAME_CONNECT;
5040 break;
5041 case SECCLASS_SCTP_SOCKET:
5042 perm = SCTP_SOCKET__NAME_CONNECT;
5043 break;
5044 }
5045
5046 ad.type = LSM_AUDIT_DATA_NET;
5047 ad.u.net = &net;
5048 ad.u.net->dport = htons(snum);
5049 ad.u.net->family = address->sa_family;
5050 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
5051 if (err)
5052 return err;
5053 }
5054
5055 return 0;
5056 }
5057
5058 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
5059 static int selinux_socket_connect(struct socket *sock,
5060 struct sockaddr *address, int addrlen)
5061 {
5062 int err;
5063 struct sock *sk = sock->sk;
5064
5065 err = selinux_socket_connect_helper(sock, address, addrlen);
5066 if (err)
5067 return err;
5068
5069 return selinux_netlbl_socket_connect(sk, address);
5070 }
5071
5072 static int selinux_socket_listen(struct socket *sock, int backlog)
5073 {
5074 return sock_has_perm(sock->sk, SOCKET__LISTEN);
5075 }
5076
5077 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
5078 {
5079 int err;
5080 struct inode_security_struct *isec;
5081 struct inode_security_struct *newisec;
5082 u16 sclass;
5083 u32 sid;
5084
5085 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
5086 if (err)
5087 return err;
5088
5089 isec = inode_security_novalidate(SOCK_INODE(sock));
5090 spin_lock(&isec->lock);
5091 sclass = isec->sclass;
5092 sid = isec->sid;
5093 spin_unlock(&isec->lock);
5094
5095 newisec = inode_security_novalidate(SOCK_INODE(newsock));
5096 newisec->sclass = sclass;
5097 newisec->sid = sid;
5098 newisec->initialized = LABEL_INITIALIZED;
5099
5100 return 0;
5101 }
5102
5103 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
5104 int size)
5105 {
5106 return sock_has_perm(sock->sk, SOCKET__WRITE);
5107 }
5108
5109 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
5110 int size, int flags)
5111 {
5112 return sock_has_perm(sock->sk, SOCKET__READ);
5113 }
5114
5115 static int selinux_socket_getsockname(struct socket *sock)
5116 {
5117 return sock_has_perm(sock->sk, SOCKET__GETATTR);
5118 }
5119
5120 static int selinux_socket_getpeername(struct socket *sock)
5121 {
5122 return sock_has_perm(sock->sk, SOCKET__GETATTR);
5123 }
5124
5125 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
5126 {
5127 int err;
5128
5129 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
5130 if (err)
5131 return err;
5132
5133 return selinux_netlbl_socket_setsockopt(sock, level, optname);
5134 }
5135
5136 static int selinux_socket_getsockopt(struct socket *sock, int level,
5137 int optname)
5138 {
5139 return sock_has_perm(sock->sk, SOCKET__GETOPT);
5140 }
5141
5142 static int selinux_socket_shutdown(struct socket *sock, int how)
5143 {
5144 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
5145 }
5146
5147 static int selinux_socket_unix_stream_connect(struct sock *sock,
5148 struct sock *other,
5149 struct sock *newsk)
5150 {
5151 struct sk_security_struct *sksec_sock = selinux_sock(sock);
5152 struct sk_security_struct *sksec_other = selinux_sock(other);
5153 struct sk_security_struct *sksec_new = selinux_sock(newsk);
5154 struct common_audit_data ad;
5155 struct lsm_network_audit net;
5156 int err;
5157
5158 ad_net_init_from_sk(&ad, &net, other);
5159
5160 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
5161 sksec_other->sclass,
5162 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
5163 if (err)
5164 return err;
5165
5166 /* server child socket */
5167 sksec_new->peer_sid = sksec_sock->sid;
5168 err = security_sid_mls_copy(sksec_other->sid,
5169 sksec_sock->sid, &sksec_new->sid);
5170 if (err)
5171 return err;
5172
5173 /* connecting socket */
5174 sksec_sock->peer_sid = sksec_new->sid;
5175
5176 return 0;
5177 }
5178
5179 static int selinux_socket_unix_may_send(struct socket *sock,
5180 struct socket *other)
5181 {
5182 struct sk_security_struct *ssec = selinux_sock(sock->sk);
5183 struct sk_security_struct *osec = selinux_sock(other->sk);
5184 struct common_audit_data ad;
5185 struct lsm_network_audit net;
5186
5187 ad_net_init_from_sk(&ad, &net, other->sk);
5188
5189 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
5190 &ad);
5191 }
5192
5193 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5194 char *addrp, u16 family, u32 peer_sid,
5195 struct common_audit_data *ad)
5196 {
5197 int err;
5198 u32 if_sid;
5199 u32 node_sid;
5200
5201 err = sel_netif_sid(ns, ifindex, &if_sid);
5202 if (err)
5203 return err;
5204 err = avc_has_perm(peer_sid, if_sid,
5205 SECCLASS_NETIF, NETIF__INGRESS, ad);
5206 if (err)
5207 return err;
5208
5209 err = sel_netnode_sid(addrp, family, &node_sid);
5210 if (err)
5211 return err;
5212 return avc_has_perm(peer_sid, node_sid,
5213 SECCLASS_NODE, NODE__RECVFROM, ad);
5214 }
5215
5216 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5217 u16 family)
5218 {
5219 int err = 0;
5220 struct sk_security_struct *sksec = selinux_sock(sk);
5221 u32 sk_sid = sksec->sid;
5222 struct common_audit_data ad;
5223 struct lsm_network_audit net;
5224 char *addrp;
5225
5226 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5227 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5228 if (err)
5229 return err;
5230
5231 if (selinux_secmark_enabled()) {
5232 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5233 PACKET__RECV, &ad);
5234 if (err)
5235 return err;
5236 }
5237
5238 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5239 if (err)
5240 return err;
5241 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5242
5243 return err;
5244 }
5245
5246 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5247 {
5248 int err, peerlbl_active, secmark_active;
5249 struct sk_security_struct *sksec = selinux_sock(sk);
5250 u16 family = sk->sk_family;
5251 u32 sk_sid = sksec->sid;
5252 struct common_audit_data ad;
5253 struct lsm_network_audit net;
5254 char *addrp;
5255
5256 if (family != PF_INET && family != PF_INET6)
5257 return 0;
5258
5259 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5260 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5261 family = PF_INET;
5262
5263 /* If any sort of compatibility mode is enabled then handoff processing
5264 * to the selinux_sock_rcv_skb_compat() function to deal with the
5265 * special handling. We do this in an attempt to keep this function
5266 * as fast and as clean as possible. */
5267 if (!selinux_policycap_netpeer())
5268 return selinux_sock_rcv_skb_compat(sk, skb, family);
5269
5270 secmark_active = selinux_secmark_enabled();
5271 peerlbl_active = selinux_peerlbl_enabled();
5272 if (!secmark_active && !peerlbl_active)
5273 return 0;
5274
5275 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5276 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5277 if (err)
5278 return err;
5279
5280 if (peerlbl_active) {
5281 u32 peer_sid;
5282
5283 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5284 if (err)
5285 return err;
5286 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5287 addrp, family, peer_sid, &ad);
5288 if (err) {
5289 selinux_netlbl_err(skb, family, err, 0);
5290 return err;
5291 }
5292 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
5293 PEER__RECV, &ad);
5294 if (err) {
5295 selinux_netlbl_err(skb, family, err, 0);
5296 return err;
5297 }
5298 }
5299
5300 if (secmark_active) {
5301 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5302 PACKET__RECV, &ad);
5303 if (err)
5304 return err;
5305 }
5306
5307 return err;
5308 }
5309
5310 static int selinux_socket_getpeersec_stream(struct socket *sock,
5311 sockptr_t optval, sockptr_t optlen,
5312 unsigned int len)
5313 {
5314 int err = 0;
5315 char *scontext = NULL;
5316 u32 scontext_len;
5317 struct sk_security_struct *sksec = selinux_sock(sock->sk);
5318 u32 peer_sid = SECSID_NULL;
5319
5320 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5321 sksec->sclass == SECCLASS_TCP_SOCKET ||
5322 sksec->sclass == SECCLASS_SCTP_SOCKET)
5323 peer_sid = sksec->peer_sid;
5324 if (peer_sid == SECSID_NULL)
5325 return -ENOPROTOOPT;
5326
5327 err = security_sid_to_context(peer_sid, &scontext,
5328 &scontext_len);
5329 if (err)
5330 return err;
5331 if (scontext_len > len) {
5332 err = -ERANGE;
5333 goto out_len;
5334 }
5335
5336 if (copy_to_sockptr(optval, scontext, scontext_len))
5337 err = -EFAULT;
5338 out_len:
5339 if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len)))
5340 err = -EFAULT;
5341 kfree(scontext);
5342 return err;
5343 }
5344
5345 static int selinux_socket_getpeersec_dgram(struct socket *sock,
5346 struct sk_buff *skb, u32 *secid)
5347 {
5348 u32 peer_secid = SECSID_NULL;
5349 u16 family;
5350
5351 if (skb && skb->protocol == htons(ETH_P_IP))
5352 family = PF_INET;
5353 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5354 family = PF_INET6;
5355 else if (sock)
5356 family = sock->sk->sk_family;
5357 else {
5358 *secid = SECSID_NULL;
5359 return -EINVAL;
5360 }
5361
5362 if (sock && family == PF_UNIX) {
5363 struct inode_security_struct *isec;
5364 isec = inode_security_novalidate(SOCK_INODE(sock));
5365 peer_secid = isec->sid;
5366 } else if (skb)
5367 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5368
5369 *secid = peer_secid;
5370 if (peer_secid == SECSID_NULL)
5371 return -ENOPROTOOPT;
5372 return 0;
5373 }
5374
5375 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5376 {
5377 struct sk_security_struct *sksec = selinux_sock(sk);
5378
5379 sksec->peer_sid = SECINITSID_UNLABELED;
5380 sksec->sid = SECINITSID_UNLABELED;
5381 sksec->sclass = SECCLASS_SOCKET;
5382 selinux_netlbl_sk_security_reset(sksec);
5383
5384 return 0;
5385 }
5386
5387 static void selinux_sk_free_security(struct sock *sk)
5388 {
5389 struct sk_security_struct *sksec = selinux_sock(sk);
5390
5391 selinux_netlbl_sk_security_free(sksec);
5392 }
5393
5394 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5395 {
5396 struct sk_security_struct *sksec = selinux_sock(sk);
5397 struct sk_security_struct *newsksec = selinux_sock(newsk);
5398
5399 newsksec->sid = sksec->sid;
5400 newsksec->peer_sid = sksec->peer_sid;
5401 newsksec->sclass = sksec->sclass;
5402
5403 selinux_netlbl_sk_security_reset(newsksec);
5404 }
5405
5406 static void selinux_sk_getsecid(const struct sock *sk, u32 *secid)
5407 {
5408 if (!sk)
5409 *secid = SECINITSID_ANY_SOCKET;
5410 else {
5411 const struct sk_security_struct *sksec = selinux_sock(sk);
5412
5413 *secid = sksec->sid;
5414 }
5415 }
5416
5417 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5418 {
5419 struct inode_security_struct *isec =
5420 inode_security_novalidate(SOCK_INODE(parent));
5421 struct sk_security_struct *sksec = selinux_sock(sk);
5422
5423 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5424 sk->sk_family == PF_UNIX)
5425 isec->sid = sksec->sid;
5426 sksec->sclass = isec->sclass;
5427 }
5428
5429 /*
5430 * Determines peer_secid for the asoc and updates socket's peer label
5431 * if it's the first association on the socket.
5432 */
5433 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5434 struct sk_buff *skb)
5435 {
5436 struct sock *sk = asoc->base.sk;
5437 u16 family = sk->sk_family;
5438 struct sk_security_struct *sksec = selinux_sock(sk);
5439 struct common_audit_data ad;
5440 struct lsm_network_audit net;
5441 int err;
5442
5443 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5444 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5445 family = PF_INET;
5446
5447 if (selinux_peerlbl_enabled()) {
5448 asoc->peer_secid = SECSID_NULL;
5449
5450 /* This will return peer_sid = SECSID_NULL if there are
5451 * no peer labels, see security_net_peersid_resolve().
5452 */
5453 err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid);
5454 if (err)
5455 return err;
5456
5457 if (asoc->peer_secid == SECSID_NULL)
5458 asoc->peer_secid = SECINITSID_UNLABELED;
5459 } else {
5460 asoc->peer_secid = SECINITSID_UNLABELED;
5461 }
5462
5463 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5464 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5465
5466 /* Here as first association on socket. As the peer SID
5467 * was allowed by peer recv (and the netif/node checks),
5468 * then it is approved by policy and used as the primary
5469 * peer SID for getpeercon(3).
5470 */
5471 sksec->peer_sid = asoc->peer_secid;
5472 } else if (sksec->peer_sid != asoc->peer_secid) {
5473 /* Other association peer SIDs are checked to enforce
5474 * consistency among the peer SIDs.
5475 */
5476 ad_net_init_from_sk(&ad, &net, asoc->base.sk);
5477 err = avc_has_perm(sksec->peer_sid, asoc->peer_secid,
5478 sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5479 &ad);
5480 if (err)
5481 return err;
5482 }
5483 return 0;
5484 }
5485
5486 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5487 * happens on an incoming connect(2), sctp_connectx(3) or
5488 * sctp_sendmsg(3) (with no association already present).
5489 */
5490 static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5491 struct sk_buff *skb)
5492 {
5493 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk);
5494 u32 conn_sid;
5495 int err;
5496
5497 if (!selinux_policycap_extsockclass())
5498 return 0;
5499
5500 err = selinux_sctp_process_new_assoc(asoc, skb);
5501 if (err)
5502 return err;
5503
5504 /* Compute the MLS component for the connection and store
5505 * the information in asoc. This will be used by SCTP TCP type
5506 * sockets and peeled off connections as they cause a new
5507 * socket to be generated. selinux_sctp_sk_clone() will then
5508 * plug this into the new socket.
5509 */
5510 err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid);
5511 if (err)
5512 return err;
5513
5514 asoc->secid = conn_sid;
5515
5516 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5517 return selinux_netlbl_sctp_assoc_request(asoc, skb);
5518 }
5519
5520 /* Called when SCTP receives a COOKIE ACK chunk as the final
5521 * response to an association request (initited by us).
5522 */
5523 static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5524 struct sk_buff *skb)
5525 {
5526 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk);
5527
5528 if (!selinux_policycap_extsockclass())
5529 return 0;
5530
5531 /* Inherit secid from the parent socket - this will be picked up
5532 * by selinux_sctp_sk_clone() if the association gets peeled off
5533 * into a new socket.
5534 */
5535 asoc->secid = sksec->sid;
5536
5537 return selinux_sctp_process_new_assoc(asoc, skb);
5538 }
5539
5540 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5541 * based on their @optname.
5542 */
5543 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5544 struct sockaddr *address,
5545 int addrlen)
5546 {
5547 int len, err = 0, walk_size = 0;
5548 void *addr_buf;
5549 struct sockaddr *addr;
5550 struct socket *sock;
5551
5552 if (!selinux_policycap_extsockclass())
5553 return 0;
5554
5555 /* Process one or more addresses that may be IPv4 or IPv6 */
5556 sock = sk->sk_socket;
5557 addr_buf = address;
5558
5559 while (walk_size < addrlen) {
5560 if (walk_size + sizeof(sa_family_t) > addrlen)
5561 return -EINVAL;
5562
5563 addr = addr_buf;
5564 switch (addr->sa_family) {
5565 case AF_UNSPEC:
5566 case AF_INET:
5567 len = sizeof(struct sockaddr_in);
5568 break;
5569 case AF_INET6:
5570 len = sizeof(struct sockaddr_in6);
5571 break;
5572 default:
5573 return -EINVAL;
5574 }
5575
5576 if (walk_size + len > addrlen)
5577 return -EINVAL;
5578
5579 err = -EINVAL;
5580 switch (optname) {
5581 /* Bind checks */
5582 case SCTP_PRIMARY_ADDR:
5583 case SCTP_SET_PEER_PRIMARY_ADDR:
5584 case SCTP_SOCKOPT_BINDX_ADD:
5585 err = selinux_socket_bind(sock, addr, len);
5586 break;
5587 /* Connect checks */
5588 case SCTP_SOCKOPT_CONNECTX:
5589 case SCTP_PARAM_SET_PRIMARY:
5590 case SCTP_PARAM_ADD_IP:
5591 case SCTP_SENDMSG_CONNECT:
5592 err = selinux_socket_connect_helper(sock, addr, len);
5593 if (err)
5594 return err;
5595
5596 /* As selinux_sctp_bind_connect() is called by the
5597 * SCTP protocol layer, the socket is already locked,
5598 * therefore selinux_netlbl_socket_connect_locked()
5599 * is called here. The situations handled are:
5600 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5601 * whenever a new IP address is added or when a new
5602 * primary address is selected.
5603 * Note that an SCTP connect(2) call happens before
5604 * the SCTP protocol layer and is handled via
5605 * selinux_socket_connect().
5606 */
5607 err = selinux_netlbl_socket_connect_locked(sk, addr);
5608 break;
5609 }
5610
5611 if (err)
5612 return err;
5613
5614 addr_buf += len;
5615 walk_size += len;
5616 }
5617
5618 return 0;
5619 }
5620
5621 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5622 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5623 struct sock *newsk)
5624 {
5625 struct sk_security_struct *sksec = selinux_sock(sk);
5626 struct sk_security_struct *newsksec = selinux_sock(newsk);
5627
5628 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5629 * the non-sctp clone version.
5630 */
5631 if (!selinux_policycap_extsockclass())
5632 return selinux_sk_clone_security(sk, newsk);
5633
5634 newsksec->sid = asoc->secid;
5635 newsksec->peer_sid = asoc->peer_secid;
5636 newsksec->sclass = sksec->sclass;
5637 selinux_netlbl_sctp_sk_clone(sk, newsk);
5638 }
5639
5640 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
5641 {
5642 struct sk_security_struct *ssksec = selinux_sock(ssk);
5643 struct sk_security_struct *sksec = selinux_sock(sk);
5644
5645 ssksec->sclass = sksec->sclass;
5646 ssksec->sid = sksec->sid;
5647
5648 /* replace the existing subflow label deleting the existing one
5649 * and re-recreating a new label using the updated context
5650 */
5651 selinux_netlbl_sk_security_free(ssksec);
5652 return selinux_netlbl_socket_post_create(ssk, ssk->sk_family);
5653 }
5654
5655 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5656 struct request_sock *req)
5657 {
5658 struct sk_security_struct *sksec = selinux_sock(sk);
5659 int err;
5660 u16 family = req->rsk_ops->family;
5661 u32 connsid;
5662 u32 peersid;
5663
5664 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5665 if (err)
5666 return err;
5667 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5668 if (err)
5669 return err;
5670 req->secid = connsid;
5671 req->peer_secid = peersid;
5672
5673 return selinux_netlbl_inet_conn_request(req, family);
5674 }
5675
5676 static void selinux_inet_csk_clone(struct sock *newsk,
5677 const struct request_sock *req)
5678 {
5679 struct sk_security_struct *newsksec = selinux_sock(newsk);
5680
5681 newsksec->sid = req->secid;
5682 newsksec->peer_sid = req->peer_secid;
5683 /* NOTE: Ideally, we should also get the isec->sid for the
5684 new socket in sync, but we don't have the isec available yet.
5685 So we will wait until sock_graft to do it, by which
5686 time it will have been created and available. */
5687
5688 /* We don't need to take any sort of lock here as we are the only
5689 * thread with access to newsksec */
5690 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5691 }
5692
5693 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5694 {
5695 u16 family = sk->sk_family;
5696 struct sk_security_struct *sksec = selinux_sock(sk);
5697
5698 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5699 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5700 family = PF_INET;
5701
5702 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5703 }
5704
5705 static int selinux_secmark_relabel_packet(u32 sid)
5706 {
5707 return avc_has_perm(current_sid(), sid, SECCLASS_PACKET, PACKET__RELABELTO,
5708 NULL);
5709 }
5710
5711 static void selinux_secmark_refcount_inc(void)
5712 {
5713 atomic_inc(&selinux_secmark_refcount);
5714 }
5715
5716 static void selinux_secmark_refcount_dec(void)
5717 {
5718 atomic_dec(&selinux_secmark_refcount);
5719 }
5720
5721 static void selinux_req_classify_flow(const struct request_sock *req,
5722 struct flowi_common *flic)
5723 {
5724 flic->flowic_secid = req->secid;
5725 }
5726
5727 static int selinux_tun_dev_alloc_security(void *security)
5728 {
5729 struct tun_security_struct *tunsec = selinux_tun_dev(security);
5730
5731 tunsec->sid = current_sid();
5732 return 0;
5733 }
5734
5735 static int selinux_tun_dev_create(void)
5736 {
5737 u32 sid = current_sid();
5738
5739 /* we aren't taking into account the "sockcreate" SID since the socket
5740 * that is being created here is not a socket in the traditional sense,
5741 * instead it is a private sock, accessible only to the kernel, and
5742 * representing a wide range of network traffic spanning multiple
5743 * connections unlike traditional sockets - check the TUN driver to
5744 * get a better understanding of why this socket is special */
5745
5746 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5747 NULL);
5748 }
5749
5750 static int selinux_tun_dev_attach_queue(void *security)
5751 {
5752 struct tun_security_struct *tunsec = selinux_tun_dev(security);
5753
5754 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5755 TUN_SOCKET__ATTACH_QUEUE, NULL);
5756 }
5757
5758 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5759 {
5760 struct tun_security_struct *tunsec = selinux_tun_dev(security);
5761 struct sk_security_struct *sksec = selinux_sock(sk);
5762
5763 /* we don't currently perform any NetLabel based labeling here and it
5764 * isn't clear that we would want to do so anyway; while we could apply
5765 * labeling without the support of the TUN user the resulting labeled
5766 * traffic from the other end of the connection would almost certainly
5767 * cause confusion to the TUN user that had no idea network labeling
5768 * protocols were being used */
5769
5770 sksec->sid = tunsec->sid;
5771 sksec->sclass = SECCLASS_TUN_SOCKET;
5772
5773 return 0;
5774 }
5775
5776 static int selinux_tun_dev_open(void *security)
5777 {
5778 struct tun_security_struct *tunsec = selinux_tun_dev(security);
5779 u32 sid = current_sid();
5780 int err;
5781
5782 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5783 TUN_SOCKET__RELABELFROM, NULL);
5784 if (err)
5785 return err;
5786 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5787 TUN_SOCKET__RELABELTO, NULL);
5788 if (err)
5789 return err;
5790 tunsec->sid = sid;
5791
5792 return 0;
5793 }
5794
5795 #ifdef CONFIG_NETFILTER
5796
5797 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5798 const struct nf_hook_state *state)
5799 {
5800 int ifindex;
5801 u16 family;
5802 char *addrp;
5803 u32 peer_sid;
5804 struct common_audit_data ad;
5805 struct lsm_network_audit net;
5806 int secmark_active, peerlbl_active;
5807
5808 if (!selinux_policycap_netpeer())
5809 return NF_ACCEPT;
5810
5811 secmark_active = selinux_secmark_enabled();
5812 peerlbl_active = selinux_peerlbl_enabled();
5813 if (!secmark_active && !peerlbl_active)
5814 return NF_ACCEPT;
5815
5816 family = state->pf;
5817 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5818 return NF_DROP;
5819
5820 ifindex = state->in->ifindex;
5821 ad_net_init_from_iif(&ad, &net, ifindex, family);
5822 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5823 return NF_DROP;
5824
5825 if (peerlbl_active) {
5826 int err;
5827
5828 err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5829 addrp, family, peer_sid, &ad);
5830 if (err) {
5831 selinux_netlbl_err(skb, family, err, 1);
5832 return NF_DROP;
5833 }
5834 }
5835
5836 if (secmark_active)
5837 if (avc_has_perm(peer_sid, skb->secmark,
5838 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5839 return NF_DROP;
5840
5841 if (netlbl_enabled())
5842 /* we do this in the FORWARD path and not the POST_ROUTING
5843 * path because we want to make sure we apply the necessary
5844 * labeling before IPsec is applied so we can leverage AH
5845 * protection */
5846 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5847 return NF_DROP;
5848
5849 return NF_ACCEPT;
5850 }
5851
5852 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5853 const struct nf_hook_state *state)
5854 {
5855 struct sock *sk;
5856 u32 sid;
5857
5858 if (!netlbl_enabled())
5859 return NF_ACCEPT;
5860
5861 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5862 * because we want to make sure we apply the necessary labeling
5863 * before IPsec is applied so we can leverage AH protection */
5864 sk = sk_to_full_sk(skb->sk);
5865 if (sk) {
5866 struct sk_security_struct *sksec;
5867
5868 if (sk_listener(sk))
5869 /* if the socket is the listening state then this
5870 * packet is a SYN-ACK packet which means it needs to
5871 * be labeled based on the connection/request_sock and
5872 * not the parent socket. unfortunately, we can't
5873 * lookup the request_sock yet as it isn't queued on
5874 * the parent socket until after the SYN-ACK is sent.
5875 * the "solution" is to simply pass the packet as-is
5876 * as any IP option based labeling should be copied
5877 * from the initial connection request (in the IP
5878 * layer). it is far from ideal, but until we get a
5879 * security label in the packet itself this is the
5880 * best we can do. */
5881 return NF_ACCEPT;
5882
5883 /* standard practice, label using the parent socket */
5884 sksec = selinux_sock(sk);
5885 sid = sksec->sid;
5886 } else
5887 sid = SECINITSID_KERNEL;
5888 if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5889 return NF_DROP;
5890
5891 return NF_ACCEPT;
5892 }
5893
5894
5895 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5896 const struct nf_hook_state *state)
5897 {
5898 struct sock *sk;
5899 struct sk_security_struct *sksec;
5900 struct common_audit_data ad;
5901 struct lsm_network_audit net;
5902 u8 proto = 0;
5903
5904 sk = skb_to_full_sk(skb);
5905 if (sk == NULL)
5906 return NF_ACCEPT;
5907 sksec = selinux_sock(sk);
5908
5909 ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf);
5910 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5911 return NF_DROP;
5912
5913 if (selinux_secmark_enabled())
5914 if (avc_has_perm(sksec->sid, skb->secmark,
5915 SECCLASS_PACKET, PACKET__SEND, &ad))
5916 return NF_DROP_ERR(-ECONNREFUSED);
5917
5918 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5919 return NF_DROP_ERR(-ECONNREFUSED);
5920
5921 return NF_ACCEPT;
5922 }
5923
5924 static unsigned int selinux_ip_postroute(void *priv,
5925 struct sk_buff *skb,
5926 const struct nf_hook_state *state)
5927 {
5928 u16 family;
5929 u32 secmark_perm;
5930 u32 peer_sid;
5931 int ifindex;
5932 struct sock *sk;
5933 struct common_audit_data ad;
5934 struct lsm_network_audit net;
5935 char *addrp;
5936 int secmark_active, peerlbl_active;
5937
5938 /* If any sort of compatibility mode is enabled then handoff processing
5939 * to the selinux_ip_postroute_compat() function to deal with the
5940 * special handling. We do this in an attempt to keep this function
5941 * as fast and as clean as possible. */
5942 if (!selinux_policycap_netpeer())
5943 return selinux_ip_postroute_compat(skb, state);
5944
5945 secmark_active = selinux_secmark_enabled();
5946 peerlbl_active = selinux_peerlbl_enabled();
5947 if (!secmark_active && !peerlbl_active)
5948 return NF_ACCEPT;
5949
5950 sk = skb_to_full_sk(skb);
5951
5952 #ifdef CONFIG_XFRM
5953 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5954 * packet transformation so allow the packet to pass without any checks
5955 * since we'll have another chance to perform access control checks
5956 * when the packet is on it's final way out.
5957 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5958 * is NULL, in this case go ahead and apply access control.
5959 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5960 * TCP listening state we cannot wait until the XFRM processing
5961 * is done as we will miss out on the SA label if we do;
5962 * unfortunately, this means more work, but it is only once per
5963 * connection. */
5964 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5965 !(sk && sk_listener(sk)))
5966 return NF_ACCEPT;
5967 #endif
5968
5969 family = state->pf;
5970 if (sk == NULL) {
5971 /* Without an associated socket the packet is either coming
5972 * from the kernel or it is being forwarded; check the packet
5973 * to determine which and if the packet is being forwarded
5974 * query the packet directly to determine the security label. */
5975 if (skb->skb_iif) {
5976 secmark_perm = PACKET__FORWARD_OUT;
5977 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5978 return NF_DROP;
5979 } else {
5980 secmark_perm = PACKET__SEND;
5981 peer_sid = SECINITSID_KERNEL;
5982 }
5983 } else if (sk_listener(sk)) {
5984 /* Locally generated packet but the associated socket is in the
5985 * listening state which means this is a SYN-ACK packet. In
5986 * this particular case the correct security label is assigned
5987 * to the connection/request_sock but unfortunately we can't
5988 * query the request_sock as it isn't queued on the parent
5989 * socket until after the SYN-ACK packet is sent; the only
5990 * viable choice is to regenerate the label like we do in
5991 * selinux_inet_conn_request(). See also selinux_ip_output()
5992 * for similar problems. */
5993 u32 skb_sid;
5994 struct sk_security_struct *sksec;
5995
5996 sksec = selinux_sock(sk);
5997 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5998 return NF_DROP;
5999 /* At this point, if the returned skb peerlbl is SECSID_NULL
6000 * and the packet has been through at least one XFRM
6001 * transformation then we must be dealing with the "final"
6002 * form of labeled IPsec packet; since we've already applied
6003 * all of our access controls on this packet we can safely
6004 * pass the packet. */
6005 if (skb_sid == SECSID_NULL) {
6006 switch (family) {
6007 case PF_INET:
6008 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
6009 return NF_ACCEPT;
6010 break;
6011 case PF_INET6:
6012 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
6013 return NF_ACCEPT;
6014 break;
6015 default:
6016 return NF_DROP_ERR(-ECONNREFUSED);
6017 }
6018 }
6019 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
6020 return NF_DROP;
6021 secmark_perm = PACKET__SEND;
6022 } else {
6023 /* Locally generated packet, fetch the security label from the
6024 * associated socket. */
6025 struct sk_security_struct *sksec = selinux_sock(sk);
6026 peer_sid = sksec->sid;
6027 secmark_perm = PACKET__SEND;
6028 }
6029
6030 ifindex = state->out->ifindex;
6031 ad_net_init_from_iif(&ad, &net, ifindex, family);
6032 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
6033 return NF_DROP;
6034
6035 if (secmark_active)
6036 if (avc_has_perm(peer_sid, skb->secmark,
6037 SECCLASS_PACKET, secmark_perm, &ad))
6038 return NF_DROP_ERR(-ECONNREFUSED);
6039
6040 if (peerlbl_active) {
6041 u32 if_sid;
6042 u32 node_sid;
6043
6044 if (sel_netif_sid(state->net, ifindex, &if_sid))
6045 return NF_DROP;
6046 if (avc_has_perm(peer_sid, if_sid,
6047 SECCLASS_NETIF, NETIF__EGRESS, &ad))
6048 return NF_DROP_ERR(-ECONNREFUSED);
6049
6050 if (sel_netnode_sid(addrp, family, &node_sid))
6051 return NF_DROP;
6052 if (avc_has_perm(peer_sid, node_sid,
6053 SECCLASS_NODE, NODE__SENDTO, &ad))
6054 return NF_DROP_ERR(-ECONNREFUSED);
6055 }
6056
6057 return NF_ACCEPT;
6058 }
6059 #endif /* CONFIG_NETFILTER */
6060
6061 static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type)
6062 {
6063 struct sk_security_struct *sksec = sk->sk_security;
6064 struct common_audit_data ad;
6065 u8 driver;
6066 u8 xperm;
6067
6068 if (sock_skip_has_perm(sksec->sid))
6069 return 0;
6070
6071 ad.type = LSM_AUDIT_DATA_NLMSGTYPE;
6072 ad.u.nlmsg_type = nlmsg_type;
6073
6074 driver = nlmsg_type >> 8;
6075 xperm = nlmsg_type & 0xff;
6076
6077 return avc_has_extended_perms(current_sid(), sksec->sid, sksec->sclass,
6078 perms, driver, AVC_EXT_NLMSG, xperm, &ad);
6079 }
6080
6081 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
6082 {
6083 int rc = 0;
6084 unsigned int msg_len;
6085 unsigned int data_len = skb->len;
6086 unsigned char *data = skb->data;
6087 struct nlmsghdr *nlh;
6088 struct sk_security_struct *sksec = selinux_sock(sk);
6089 u16 sclass = sksec->sclass;
6090 u32 perm;
6091
6092 while (data_len >= nlmsg_total_size(0)) {
6093 nlh = (struct nlmsghdr *)data;
6094
6095 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
6096 * users which means we can't reject skb's with bogus
6097 * length fields; our solution is to follow what
6098 * netlink_rcv_skb() does and simply skip processing at
6099 * messages with length fields that are clearly junk
6100 */
6101 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
6102 return 0;
6103
6104 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
6105 if (rc == 0) {
6106 if (selinux_policycap_netlink_xperm()) {
6107 rc = nlmsg_sock_has_extended_perms(
6108 sk, perm, nlh->nlmsg_type);
6109 } else {
6110 rc = sock_has_perm(sk, perm);
6111 }
6112 if (rc)
6113 return rc;
6114 } else if (rc == -EINVAL) {
6115 /* -EINVAL is a missing msg/perm mapping */
6116 pr_warn_ratelimited("SELinux: unrecognized netlink"
6117 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
6118 " pid=%d comm=%s\n",
6119 sk->sk_protocol, nlh->nlmsg_type,
6120 secclass_map[sclass - 1].name,
6121 task_pid_nr(current), current->comm);
6122 if (enforcing_enabled() &&
6123 !security_get_allow_unknown())
6124 return rc;
6125 rc = 0;
6126 } else if (rc == -ENOENT) {
6127 /* -ENOENT is a missing socket/class mapping, ignore */
6128 rc = 0;
6129 } else {
6130 return rc;
6131 }
6132
6133 /* move to the next message after applying netlink padding */
6134 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
6135 if (msg_len >= data_len)
6136 return 0;
6137 data_len -= msg_len;
6138 data += msg_len;
6139 }
6140
6141 return rc;
6142 }
6143
6144 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
6145 {
6146 isec->sclass = sclass;
6147 isec->sid = current_sid();
6148 }
6149
6150 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
6151 u32 perms)
6152 {
6153 struct ipc_security_struct *isec;
6154 struct common_audit_data ad;
6155 u32 sid = current_sid();
6156
6157 isec = selinux_ipc(ipc_perms);
6158
6159 ad.type = LSM_AUDIT_DATA_IPC;
6160 ad.u.ipc_id = ipc_perms->key;
6161
6162 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
6163 }
6164
6165 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
6166 {
6167 struct msg_security_struct *msec;
6168
6169 msec = selinux_msg_msg(msg);
6170 msec->sid = SECINITSID_UNLABELED;
6171
6172 return 0;
6173 }
6174
6175 /* message queue security operations */
6176 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6177 {
6178 struct ipc_security_struct *isec;
6179 struct common_audit_data ad;
6180 u32 sid = current_sid();
6181
6182 isec = selinux_ipc(msq);
6183 ipc_init_security(isec, SECCLASS_MSGQ);
6184
6185 ad.type = LSM_AUDIT_DATA_IPC;
6186 ad.u.ipc_id = msq->key;
6187
6188 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6189 MSGQ__CREATE, &ad);
6190 }
6191
6192 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6193 {
6194 struct ipc_security_struct *isec;
6195 struct common_audit_data ad;
6196 u32 sid = current_sid();
6197
6198 isec = selinux_ipc(msq);
6199
6200 ad.type = LSM_AUDIT_DATA_IPC;
6201 ad.u.ipc_id = msq->key;
6202
6203 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6204 MSGQ__ASSOCIATE, &ad);
6205 }
6206
6207 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6208 {
6209 u32 perms;
6210
6211 switch (cmd) {
6212 case IPC_INFO:
6213 case MSG_INFO:
6214 /* No specific object, just general system-wide information. */
6215 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6216 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6217 case IPC_STAT:
6218 case MSG_STAT:
6219 case MSG_STAT_ANY:
6220 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6221 break;
6222 case IPC_SET:
6223 perms = MSGQ__SETATTR;
6224 break;
6225 case IPC_RMID:
6226 perms = MSGQ__DESTROY;
6227 break;
6228 default:
6229 return 0;
6230 }
6231
6232 return ipc_has_perm(msq, perms);
6233 }
6234
6235 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6236 {
6237 struct ipc_security_struct *isec;
6238 struct msg_security_struct *msec;
6239 struct common_audit_data ad;
6240 u32 sid = current_sid();
6241 int rc;
6242
6243 isec = selinux_ipc(msq);
6244 msec = selinux_msg_msg(msg);
6245
6246 /*
6247 * First time through, need to assign label to the message
6248 */
6249 if (msec->sid == SECINITSID_UNLABELED) {
6250 /*
6251 * Compute new sid based on current process and
6252 * message queue this message will be stored in
6253 */
6254 rc = security_transition_sid(sid, isec->sid,
6255 SECCLASS_MSG, NULL, &msec->sid);
6256 if (rc)
6257 return rc;
6258 }
6259
6260 ad.type = LSM_AUDIT_DATA_IPC;
6261 ad.u.ipc_id = msq->key;
6262
6263 /* Can this process write to the queue? */
6264 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6265 MSGQ__WRITE, &ad);
6266 if (!rc)
6267 /* Can this process send the message */
6268 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
6269 MSG__SEND, &ad);
6270 if (!rc)
6271 /* Can the message be put in the queue? */
6272 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
6273 MSGQ__ENQUEUE, &ad);
6274
6275 return rc;
6276 }
6277
6278 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6279 struct task_struct *target,
6280 long type, int mode)
6281 {
6282 struct ipc_security_struct *isec;
6283 struct msg_security_struct *msec;
6284 struct common_audit_data ad;
6285 u32 sid = task_sid_obj(target);
6286 int rc;
6287
6288 isec = selinux_ipc(msq);
6289 msec = selinux_msg_msg(msg);
6290
6291 ad.type = LSM_AUDIT_DATA_IPC;
6292 ad.u.ipc_id = msq->key;
6293
6294 rc = avc_has_perm(sid, isec->sid,
6295 SECCLASS_MSGQ, MSGQ__READ, &ad);
6296 if (!rc)
6297 rc = avc_has_perm(sid, msec->sid,
6298 SECCLASS_MSG, MSG__RECEIVE, &ad);
6299 return rc;
6300 }
6301
6302 /* Shared Memory security operations */
6303 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6304 {
6305 struct ipc_security_struct *isec;
6306 struct common_audit_data ad;
6307 u32 sid = current_sid();
6308
6309 isec = selinux_ipc(shp);
6310 ipc_init_security(isec, SECCLASS_SHM);
6311
6312 ad.type = LSM_AUDIT_DATA_IPC;
6313 ad.u.ipc_id = shp->key;
6314
6315 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6316 SHM__CREATE, &ad);
6317 }
6318
6319 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6320 {
6321 struct ipc_security_struct *isec;
6322 struct common_audit_data ad;
6323 u32 sid = current_sid();
6324
6325 isec = selinux_ipc(shp);
6326
6327 ad.type = LSM_AUDIT_DATA_IPC;
6328 ad.u.ipc_id = shp->key;
6329
6330 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6331 SHM__ASSOCIATE, &ad);
6332 }
6333
6334 /* Note, at this point, shp is locked down */
6335 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6336 {
6337 u32 perms;
6338
6339 switch (cmd) {
6340 case IPC_INFO:
6341 case SHM_INFO:
6342 /* No specific object, just general system-wide information. */
6343 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6344 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6345 case IPC_STAT:
6346 case SHM_STAT:
6347 case SHM_STAT_ANY:
6348 perms = SHM__GETATTR | SHM__ASSOCIATE;
6349 break;
6350 case IPC_SET:
6351 perms = SHM__SETATTR;
6352 break;
6353 case SHM_LOCK:
6354 case SHM_UNLOCK:
6355 perms = SHM__LOCK;
6356 break;
6357 case IPC_RMID:
6358 perms = SHM__DESTROY;
6359 break;
6360 default:
6361 return 0;
6362 }
6363
6364 return ipc_has_perm(shp, perms);
6365 }
6366
6367 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6368 char __user *shmaddr, int shmflg)
6369 {
6370 u32 perms;
6371
6372 if (shmflg & SHM_RDONLY)
6373 perms = SHM__READ;
6374 else
6375 perms = SHM__READ | SHM__WRITE;
6376
6377 return ipc_has_perm(shp, perms);
6378 }
6379
6380 /* Semaphore security operations */
6381 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6382 {
6383 struct ipc_security_struct *isec;
6384 struct common_audit_data ad;
6385 u32 sid = current_sid();
6386
6387 isec = selinux_ipc(sma);
6388 ipc_init_security(isec, SECCLASS_SEM);
6389
6390 ad.type = LSM_AUDIT_DATA_IPC;
6391 ad.u.ipc_id = sma->key;
6392
6393 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6394 SEM__CREATE, &ad);
6395 }
6396
6397 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6398 {
6399 struct ipc_security_struct *isec;
6400 struct common_audit_data ad;
6401 u32 sid = current_sid();
6402
6403 isec = selinux_ipc(sma);
6404
6405 ad.type = LSM_AUDIT_DATA_IPC;
6406 ad.u.ipc_id = sma->key;
6407
6408 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6409 SEM__ASSOCIATE, &ad);
6410 }
6411
6412 /* Note, at this point, sma is locked down */
6413 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6414 {
6415 int err;
6416 u32 perms;
6417
6418 switch (cmd) {
6419 case IPC_INFO:
6420 case SEM_INFO:
6421 /* No specific object, just general system-wide information. */
6422 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6423 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6424 case GETPID:
6425 case GETNCNT:
6426 case GETZCNT:
6427 perms = SEM__GETATTR;
6428 break;
6429 case GETVAL:
6430 case GETALL:
6431 perms = SEM__READ;
6432 break;
6433 case SETVAL:
6434 case SETALL:
6435 perms = SEM__WRITE;
6436 break;
6437 case IPC_RMID:
6438 perms = SEM__DESTROY;
6439 break;
6440 case IPC_SET:
6441 perms = SEM__SETATTR;
6442 break;
6443 case IPC_STAT:
6444 case SEM_STAT:
6445 case SEM_STAT_ANY:
6446 perms = SEM__GETATTR | SEM__ASSOCIATE;
6447 break;
6448 default:
6449 return 0;
6450 }
6451
6452 err = ipc_has_perm(sma, perms);
6453 return err;
6454 }
6455
6456 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6457 struct sembuf *sops, unsigned nsops, int alter)
6458 {
6459 u32 perms;
6460
6461 if (alter)
6462 perms = SEM__READ | SEM__WRITE;
6463 else
6464 perms = SEM__READ;
6465
6466 return ipc_has_perm(sma, perms);
6467 }
6468
6469 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6470 {
6471 u32 av = 0;
6472
6473 av = 0;
6474 if (flag & S_IRUGO)
6475 av |= IPC__UNIX_READ;
6476 if (flag & S_IWUGO)
6477 av |= IPC__UNIX_WRITE;
6478
6479 if (av == 0)
6480 return 0;
6481
6482 return ipc_has_perm(ipcp, av);
6483 }
6484
6485 static void selinux_ipc_getlsmprop(struct kern_ipc_perm *ipcp,
6486 struct lsm_prop *prop)
6487 {
6488 struct ipc_security_struct *isec = selinux_ipc(ipcp);
6489 prop->selinux.secid = isec->sid;
6490 }
6491
6492 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6493 {
6494 if (inode)
6495 inode_doinit_with_dentry(inode, dentry);
6496 }
6497
6498 static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p,
6499 char **value)
6500 {
6501 const struct task_security_struct *tsec;
6502 int error;
6503 u32 sid;
6504 u32 len;
6505
6506 rcu_read_lock();
6507 tsec = selinux_cred(__task_cred(p));
6508 if (p != current) {
6509 error = avc_has_perm(current_sid(), tsec->sid,
6510 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6511 if (error)
6512 goto err_unlock;
6513 }
6514 switch (attr) {
6515 case LSM_ATTR_CURRENT:
6516 sid = tsec->sid;
6517 break;
6518 case LSM_ATTR_PREV:
6519 sid = tsec->osid;
6520 break;
6521 case LSM_ATTR_EXEC:
6522 sid = tsec->exec_sid;
6523 break;
6524 case LSM_ATTR_FSCREATE:
6525 sid = tsec->create_sid;
6526 break;
6527 case LSM_ATTR_KEYCREATE:
6528 sid = tsec->keycreate_sid;
6529 break;
6530 case LSM_ATTR_SOCKCREATE:
6531 sid = tsec->sockcreate_sid;
6532 break;
6533 default:
6534 error = -EOPNOTSUPP;
6535 goto err_unlock;
6536 }
6537 rcu_read_unlock();
6538
6539 if (sid == SECSID_NULL) {
6540 *value = NULL;
6541 return 0;
6542 }
6543
6544 error = security_sid_to_context(sid, value, &len);
6545 if (error)
6546 return error;
6547 return len;
6548
6549 err_unlock:
6550 rcu_read_unlock();
6551 return error;
6552 }
6553
6554 static int selinux_lsm_setattr(u64 attr, void *value, size_t size)
6555 {
6556 struct task_security_struct *tsec;
6557 struct cred *new;
6558 u32 mysid = current_sid(), sid = 0, ptsid;
6559 int error;
6560 char *str = value;
6561
6562 /*
6563 * Basic control over ability to set these attributes at all.
6564 */
6565 switch (attr) {
6566 case LSM_ATTR_EXEC:
6567 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6568 PROCESS__SETEXEC, NULL);
6569 break;
6570 case LSM_ATTR_FSCREATE:
6571 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6572 PROCESS__SETFSCREATE, NULL);
6573 break;
6574 case LSM_ATTR_KEYCREATE:
6575 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6576 PROCESS__SETKEYCREATE, NULL);
6577 break;
6578 case LSM_ATTR_SOCKCREATE:
6579 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6580 PROCESS__SETSOCKCREATE, NULL);
6581 break;
6582 case LSM_ATTR_CURRENT:
6583 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6584 PROCESS__SETCURRENT, NULL);
6585 break;
6586 default:
6587 error = -EOPNOTSUPP;
6588 break;
6589 }
6590 if (error)
6591 return error;
6592
6593 /* Obtain a SID for the context, if one was specified. */
6594 if (size && str[0] && str[0] != '\n') {
6595 if (str[size-1] == '\n') {
6596 str[size-1] = 0;
6597 size--;
6598 }
6599 error = security_context_to_sid(value, size,
6600 &sid, GFP_KERNEL);
6601 if (error == -EINVAL && attr == LSM_ATTR_FSCREATE) {
6602 if (!has_cap_mac_admin(true)) {
6603 struct audit_buffer *ab;
6604 size_t audit_size;
6605
6606 /* We strip a nul only if it is at the end,
6607 * otherwise the context contains a nul and
6608 * we should audit that */
6609 if (str[size - 1] == '\0')
6610 audit_size = size - 1;
6611 else
6612 audit_size = size;
6613 ab = audit_log_start(audit_context(),
6614 GFP_ATOMIC,
6615 AUDIT_SELINUX_ERR);
6616 if (!ab)
6617 return error;
6618 audit_log_format(ab, "op=fscreate invalid_context=");
6619 audit_log_n_untrustedstring(ab, value,
6620 audit_size);
6621 audit_log_end(ab);
6622
6623 return error;
6624 }
6625 error = security_context_to_sid_force(value, size,
6626 &sid);
6627 }
6628 if (error)
6629 return error;
6630 }
6631
6632 new = prepare_creds();
6633 if (!new)
6634 return -ENOMEM;
6635
6636 /* Permission checking based on the specified context is
6637 performed during the actual operation (execve,
6638 open/mkdir/...), when we know the full context of the
6639 operation. See selinux_bprm_creds_for_exec for the execve
6640 checks and may_create for the file creation checks. The
6641 operation will then fail if the context is not permitted. */
6642 tsec = selinux_cred(new);
6643 if (attr == LSM_ATTR_EXEC) {
6644 tsec->exec_sid = sid;
6645 } else if (attr == LSM_ATTR_FSCREATE) {
6646 tsec->create_sid = sid;
6647 } else if (attr == LSM_ATTR_KEYCREATE) {
6648 if (sid) {
6649 error = avc_has_perm(mysid, sid,
6650 SECCLASS_KEY, KEY__CREATE, NULL);
6651 if (error)
6652 goto abort_change;
6653 }
6654 tsec->keycreate_sid = sid;
6655 } else if (attr == LSM_ATTR_SOCKCREATE) {
6656 tsec->sockcreate_sid = sid;
6657 } else if (attr == LSM_ATTR_CURRENT) {
6658 error = -EINVAL;
6659 if (sid == 0)
6660 goto abort_change;
6661
6662 if (!current_is_single_threaded()) {
6663 error = security_bounded_transition(tsec->sid, sid);
6664 if (error)
6665 goto abort_change;
6666 }
6667
6668 /* Check permissions for the transition. */
6669 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6670 PROCESS__DYNTRANSITION, NULL);
6671 if (error)
6672 goto abort_change;
6673
6674 /* Check for ptracing, and update the task SID if ok.
6675 Otherwise, leave SID unchanged and fail. */
6676 ptsid = ptrace_parent_sid();
6677 if (ptsid != 0) {
6678 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6679 PROCESS__PTRACE, NULL);
6680 if (error)
6681 goto abort_change;
6682 }
6683
6684 tsec->sid = sid;
6685 } else {
6686 error = -EINVAL;
6687 goto abort_change;
6688 }
6689
6690 commit_creds(new);
6691 return size;
6692
6693 abort_change:
6694 abort_creds(new);
6695 return error;
6696 }
6697
6698 /**
6699 * selinux_getselfattr - Get SELinux current task attributes
6700 * @attr: the requested attribute
6701 * @ctx: buffer to receive the result
6702 * @size: buffer size (input), buffer size used (output)
6703 * @flags: unused
6704 *
6705 * Fill the passed user space @ctx with the details of the requested
6706 * attribute.
6707 *
6708 * Returns the number of attributes on success, an error code otherwise.
6709 * There will only ever be one attribute.
6710 */
6711 static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx,
6712 u32 *size, u32 flags)
6713 {
6714 int rc;
6715 char *val = NULL;
6716 int val_len;
6717
6718 val_len = selinux_lsm_getattr(attr, current, &val);
6719 if (val_len < 0)
6720 return val_len;
6721 rc = lsm_fill_user_ctx(ctx, size, val, val_len, LSM_ID_SELINUX, 0);
6722 kfree(val);
6723 return (!rc ? 1 : rc);
6724 }
6725
6726 static int selinux_setselfattr(unsigned int attr, struct lsm_ctx *ctx,
6727 u32 size, u32 flags)
6728 {
6729 int rc;
6730
6731 rc = selinux_lsm_setattr(attr, ctx->ctx, ctx->ctx_len);
6732 if (rc > 0)
6733 return 0;
6734 return rc;
6735 }
6736
6737 static int selinux_getprocattr(struct task_struct *p,
6738 const char *name, char **value)
6739 {
6740 unsigned int attr = lsm_name_to_attr(name);
6741 int rc;
6742
6743 if (attr) {
6744 rc = selinux_lsm_getattr(attr, p, value);
6745 if (rc != -EOPNOTSUPP)
6746 return rc;
6747 }
6748
6749 return -EINVAL;
6750 }
6751
6752 static int selinux_setprocattr(const char *name, void *value, size_t size)
6753 {
6754 int attr = lsm_name_to_attr(name);
6755
6756 if (attr)
6757 return selinux_lsm_setattr(attr, value, size);
6758 return -EINVAL;
6759 }
6760
6761 static int selinux_ismaclabel(const char *name)
6762 {
6763 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6764 }
6765
6766 static int selinux_secid_to_secctx(u32 secid, struct lsm_context *cp)
6767 {
6768 u32 seclen;
6769 int ret;
6770
6771 if (cp) {
6772 cp->id = LSM_ID_SELINUX;
6773 ret = security_sid_to_context(secid, &cp->context, &cp->len);
6774 if (ret < 0)
6775 return ret;
6776 return cp->len;
6777 }
6778 ret = security_sid_to_context(secid, NULL, &seclen);
6779 if (ret < 0)
6780 return ret;
6781 return seclen;
6782 }
6783
6784 static int selinux_lsmprop_to_secctx(struct lsm_prop *prop,
6785 struct lsm_context *cp)
6786 {
6787 return selinux_secid_to_secctx(prop->selinux.secid, cp);
6788 }
6789
6790 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6791 {
6792 return security_context_to_sid(secdata, seclen,
6793 secid, GFP_KERNEL);
6794 }
6795
6796 static void selinux_release_secctx(struct lsm_context *cp)
6797 {
6798 if (cp->id == LSM_ID_SELINUX) {
6799 kfree(cp->context);
6800 cp->context = NULL;
6801 cp->id = LSM_ID_UNDEF;
6802 }
6803 }
6804
6805 static void selinux_inode_invalidate_secctx(struct inode *inode)
6806 {
6807 struct inode_security_struct *isec = selinux_inode(inode);
6808
6809 spin_lock(&isec->lock);
6810 isec->initialized = LABEL_INVALID;
6811 spin_unlock(&isec->lock);
6812 }
6813
6814 /*
6815 * called with inode->i_mutex locked
6816 */
6817 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6818 {
6819 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6820 ctx, ctxlen, 0);
6821 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6822 return rc == -EOPNOTSUPP ? 0 : rc;
6823 }
6824
6825 /*
6826 * called with inode->i_mutex locked
6827 */
6828 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6829 {
6830 return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,
6831 ctx, ctxlen, 0, NULL);
6832 }
6833
6834 static int selinux_inode_getsecctx(struct inode *inode, struct lsm_context *cp)
6835 {
6836 int len;
6837 len = selinux_inode_getsecurity(&nop_mnt_idmap, inode,
6838 XATTR_SELINUX_SUFFIX,
6839 (void **)&cp->context, true);
6840 if (len < 0)
6841 return len;
6842 cp->len = len;
6843 cp->id = LSM_ID_SELINUX;
6844 return 0;
6845 }
6846 #ifdef CONFIG_KEYS
6847
6848 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6849 unsigned long flags)
6850 {
6851 const struct task_security_struct *tsec;
6852 struct key_security_struct *ksec = selinux_key(k);
6853
6854 tsec = selinux_cred(cred);
6855 if (tsec->keycreate_sid)
6856 ksec->sid = tsec->keycreate_sid;
6857 else
6858 ksec->sid = tsec->sid;
6859
6860 return 0;
6861 }
6862
6863 static int selinux_key_permission(key_ref_t key_ref,
6864 const struct cred *cred,
6865 enum key_need_perm need_perm)
6866 {
6867 struct key *key;
6868 struct key_security_struct *ksec;
6869 u32 perm, sid;
6870
6871 switch (need_perm) {
6872 case KEY_NEED_VIEW:
6873 perm = KEY__VIEW;
6874 break;
6875 case KEY_NEED_READ:
6876 perm = KEY__READ;
6877 break;
6878 case KEY_NEED_WRITE:
6879 perm = KEY__WRITE;
6880 break;
6881 case KEY_NEED_SEARCH:
6882 perm = KEY__SEARCH;
6883 break;
6884 case KEY_NEED_LINK:
6885 perm = KEY__LINK;
6886 break;
6887 case KEY_NEED_SETATTR:
6888 perm = KEY__SETATTR;
6889 break;
6890 case KEY_NEED_UNLINK:
6891 case KEY_SYSADMIN_OVERRIDE:
6892 case KEY_AUTHTOKEN_OVERRIDE:
6893 case KEY_DEFER_PERM_CHECK:
6894 return 0;
6895 default:
6896 WARN_ON(1);
6897 return -EPERM;
6898
6899 }
6900
6901 sid = cred_sid(cred);
6902 key = key_ref_to_ptr(key_ref);
6903 ksec = selinux_key(key);
6904
6905 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6906 }
6907
6908 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6909 {
6910 struct key_security_struct *ksec = selinux_key(key);
6911 char *context = NULL;
6912 unsigned len;
6913 int rc;
6914
6915 rc = security_sid_to_context(ksec->sid,
6916 &context, &len);
6917 if (!rc)
6918 rc = len;
6919 *_buffer = context;
6920 return rc;
6921 }
6922
6923 #ifdef CONFIG_KEY_NOTIFICATIONS
6924 static int selinux_watch_key(struct key *key)
6925 {
6926 struct key_security_struct *ksec = selinux_key(key);
6927 u32 sid = current_sid();
6928
6929 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6930 }
6931 #endif
6932 #endif
6933
6934 #ifdef CONFIG_SECURITY_INFINIBAND
6935 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6936 {
6937 struct common_audit_data ad;
6938 int err;
6939 u32 sid = 0;
6940 struct ib_security_struct *sec = ib_sec;
6941 struct lsm_ibpkey_audit ibpkey;
6942
6943 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6944 if (err)
6945 return err;
6946
6947 ad.type = LSM_AUDIT_DATA_IBPKEY;
6948 ibpkey.subnet_prefix = subnet_prefix;
6949 ibpkey.pkey = pkey_val;
6950 ad.u.ibpkey = &ibpkey;
6951 return avc_has_perm(sec->sid, sid,
6952 SECCLASS_INFINIBAND_PKEY,
6953 INFINIBAND_PKEY__ACCESS, &ad);
6954 }
6955
6956 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6957 u8 port_num)
6958 {
6959 struct common_audit_data ad;
6960 int err;
6961 u32 sid = 0;
6962 struct ib_security_struct *sec = ib_sec;
6963 struct lsm_ibendport_audit ibendport;
6964
6965 err = security_ib_endport_sid(dev_name, port_num,
6966 &sid);
6967
6968 if (err)
6969 return err;
6970
6971 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6972 ibendport.dev_name = dev_name;
6973 ibendport.port = port_num;
6974 ad.u.ibendport = &ibendport;
6975 return avc_has_perm(sec->sid, sid,
6976 SECCLASS_INFINIBAND_ENDPORT,
6977 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6978 }
6979
6980 static int selinux_ib_alloc_security(void *ib_sec)
6981 {
6982 struct ib_security_struct *sec = selinux_ib(ib_sec);
6983
6984 sec->sid = current_sid();
6985 return 0;
6986 }
6987 #endif
6988
6989 #ifdef CONFIG_BPF_SYSCALL
6990 static int selinux_bpf(int cmd, union bpf_attr *attr,
6991 unsigned int size, bool kernel)
6992 {
6993 u32 sid = current_sid();
6994 int ret;
6995
6996 switch (cmd) {
6997 case BPF_MAP_CREATE:
6998 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6999 NULL);
7000 break;
7001 case BPF_PROG_LOAD:
7002 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
7003 NULL);
7004 break;
7005 default:
7006 ret = 0;
7007 break;
7008 }
7009
7010 return ret;
7011 }
7012
7013 static u32 bpf_map_fmode_to_av(fmode_t fmode)
7014 {
7015 u32 av = 0;
7016
7017 if (fmode & FMODE_READ)
7018 av |= BPF__MAP_READ;
7019 if (fmode & FMODE_WRITE)
7020 av |= BPF__MAP_WRITE;
7021 return av;
7022 }
7023
7024 /* This function will check the file pass through unix socket or binder to see
7025 * if it is a bpf related object. And apply corresponding checks on the bpf
7026 * object based on the type. The bpf maps and programs, not like other files and
7027 * socket, are using a shared anonymous inode inside the kernel as their inode.
7028 * So checking that inode cannot identify if the process have privilege to
7029 * access the bpf object and that's why we have to add this additional check in
7030 * selinux_file_receive and selinux_binder_transfer_files.
7031 */
7032 static int bpf_fd_pass(const struct file *file, u32 sid)
7033 {
7034 struct bpf_security_struct *bpfsec;
7035 struct bpf_prog *prog;
7036 struct bpf_map *map;
7037 int ret;
7038
7039 if (file->f_op == &bpf_map_fops) {
7040 map = file->private_data;
7041 bpfsec = map->security;
7042 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7043 bpf_map_fmode_to_av(file->f_mode), NULL);
7044 if (ret)
7045 return ret;
7046 } else if (file->f_op == &bpf_prog_fops) {
7047 prog = file->private_data;
7048 bpfsec = prog->aux->security;
7049 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7050 BPF__PROG_RUN, NULL);
7051 if (ret)
7052 return ret;
7053 }
7054 return 0;
7055 }
7056
7057 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
7058 {
7059 u32 sid = current_sid();
7060 struct bpf_security_struct *bpfsec;
7061
7062 bpfsec = map->security;
7063 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7064 bpf_map_fmode_to_av(fmode), NULL);
7065 }
7066
7067 static int selinux_bpf_prog(struct bpf_prog *prog)
7068 {
7069 u32 sid = current_sid();
7070 struct bpf_security_struct *bpfsec;
7071
7072 bpfsec = prog->aux->security;
7073 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7074 BPF__PROG_RUN, NULL);
7075 }
7076
7077 static int selinux_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,
7078 struct bpf_token *token, bool kernel)
7079 {
7080 struct bpf_security_struct *bpfsec;
7081
7082 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
7083 if (!bpfsec)
7084 return -ENOMEM;
7085
7086 bpfsec->sid = current_sid();
7087 map->security = bpfsec;
7088
7089 return 0;
7090 }
7091
7092 static void selinux_bpf_map_free(struct bpf_map *map)
7093 {
7094 struct bpf_security_struct *bpfsec = map->security;
7095
7096 map->security = NULL;
7097 kfree(bpfsec);
7098 }
7099
7100 static int selinux_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
7101 struct bpf_token *token, bool kernel)
7102 {
7103 struct bpf_security_struct *bpfsec;
7104
7105 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
7106 if (!bpfsec)
7107 return -ENOMEM;
7108
7109 bpfsec->sid = current_sid();
7110 prog->aux->security = bpfsec;
7111
7112 return 0;
7113 }
7114
7115 static void selinux_bpf_prog_free(struct bpf_prog *prog)
7116 {
7117 struct bpf_security_struct *bpfsec = prog->aux->security;
7118
7119 prog->aux->security = NULL;
7120 kfree(bpfsec);
7121 }
7122
7123 static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *attr,
7124 const struct path *path)
7125 {
7126 struct bpf_security_struct *bpfsec;
7127
7128 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
7129 if (!bpfsec)
7130 return -ENOMEM;
7131
7132 bpfsec->sid = current_sid();
7133 token->security = bpfsec;
7134
7135 return 0;
7136 }
7137
7138 static void selinux_bpf_token_free(struct bpf_token *token)
7139 {
7140 struct bpf_security_struct *bpfsec = token->security;
7141
7142 token->security = NULL;
7143 kfree(bpfsec);
7144 }
7145 #endif
7146
7147 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
7148 .lbs_cred = sizeof(struct task_security_struct),
7149 .lbs_file = sizeof(struct file_security_struct),
7150 .lbs_inode = sizeof(struct inode_security_struct),
7151 .lbs_ipc = sizeof(struct ipc_security_struct),
7152 .lbs_key = sizeof(struct key_security_struct),
7153 .lbs_msg_msg = sizeof(struct msg_security_struct),
7154 #ifdef CONFIG_PERF_EVENTS
7155 .lbs_perf_event = sizeof(struct perf_event_security_struct),
7156 #endif
7157 .lbs_sock = sizeof(struct sk_security_struct),
7158 .lbs_superblock = sizeof(struct superblock_security_struct),
7159 .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS,
7160 .lbs_tun_dev = sizeof(struct tun_security_struct),
7161 .lbs_ib = sizeof(struct ib_security_struct),
7162 };
7163
7164 #ifdef CONFIG_PERF_EVENTS
7165 static int selinux_perf_event_open(int type)
7166 {
7167 u32 requested, sid = current_sid();
7168
7169 if (type == PERF_SECURITY_OPEN)
7170 requested = PERF_EVENT__OPEN;
7171 else if (type == PERF_SECURITY_CPU)
7172 requested = PERF_EVENT__CPU;
7173 else if (type == PERF_SECURITY_KERNEL)
7174 requested = PERF_EVENT__KERNEL;
7175 else if (type == PERF_SECURITY_TRACEPOINT)
7176 requested = PERF_EVENT__TRACEPOINT;
7177 else
7178 return -EINVAL;
7179
7180 return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT,
7181 requested, NULL);
7182 }
7183
7184 static int selinux_perf_event_alloc(struct perf_event *event)
7185 {
7186 struct perf_event_security_struct *perfsec;
7187
7188 perfsec = selinux_perf_event(event->security);
7189 perfsec->sid = current_sid();
7190
7191 return 0;
7192 }
7193
7194 static int selinux_perf_event_read(struct perf_event *event)
7195 {
7196 struct perf_event_security_struct *perfsec = event->security;
7197 u32 sid = current_sid();
7198
7199 return avc_has_perm(sid, perfsec->sid,
7200 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
7201 }
7202
7203 static int selinux_perf_event_write(struct perf_event *event)
7204 {
7205 struct perf_event_security_struct *perfsec = event->security;
7206 u32 sid = current_sid();
7207
7208 return avc_has_perm(sid, perfsec->sid,
7209 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
7210 }
7211 #endif
7212
7213 #ifdef CONFIG_IO_URING
7214 /**
7215 * selinux_uring_override_creds - check the requested cred override
7216 * @new: the target creds
7217 *
7218 * Check to see if the current task is allowed to override it's credentials
7219 * to service an io_uring operation.
7220 */
7221 static int selinux_uring_override_creds(const struct cred *new)
7222 {
7223 return avc_has_perm(current_sid(), cred_sid(new),
7224 SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
7225 }
7226
7227 /**
7228 * selinux_uring_sqpoll - check if a io_uring polling thread can be created
7229 *
7230 * Check to see if the current task is allowed to create a new io_uring
7231 * kernel polling thread.
7232 */
7233 static int selinux_uring_sqpoll(void)
7234 {
7235 u32 sid = current_sid();
7236
7237 return avc_has_perm(sid, sid,
7238 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
7239 }
7240
7241 /**
7242 * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
7243 * @ioucmd: the io_uring command structure
7244 *
7245 * Check to see if the current domain is allowed to execute an
7246 * IORING_OP_URING_CMD against the device/file specified in @ioucmd.
7247 *
7248 */
7249 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
7250 {
7251 struct file *file = ioucmd->file;
7252 struct inode *inode = file_inode(file);
7253 struct inode_security_struct *isec = selinux_inode(inode);
7254 struct common_audit_data ad;
7255
7256 ad.type = LSM_AUDIT_DATA_FILE;
7257 ad.u.file = file;
7258
7259 return avc_has_perm(current_sid(), isec->sid,
7260 SECCLASS_IO_URING, IO_URING__CMD, &ad);
7261 }
7262
7263 /**
7264 * selinux_uring_allowed - check if io_uring_setup() can be called
7265 *
7266 * Check to see if the current task is allowed to call io_uring_setup().
7267 */
7268 static int selinux_uring_allowed(void)
7269 {
7270 u32 sid = current_sid();
7271
7272 return avc_has_perm(sid, sid, SECCLASS_IO_URING, IO_URING__ALLOWED,
7273 NULL);
7274 }
7275 #endif /* CONFIG_IO_URING */
7276
7277 static const struct lsm_id selinux_lsmid = {
7278 .name = "selinux",
7279 .id = LSM_ID_SELINUX,
7280 };
7281
7282 /*
7283 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
7284 * 1. any hooks that don't belong to (2.) or (3.) below,
7285 * 2. hooks that both access structures allocated by other hooks, and allocate
7286 * structures that can be later accessed by other hooks (mostly "cloning"
7287 * hooks),
7288 * 3. hooks that only allocate structures that can be later accessed by other
7289 * hooks ("allocating" hooks).
7290 *
7291 * Please follow block comment delimiters in the list to keep this order.
7292 */
7293 static struct security_hook_list selinux_hooks[] __ro_after_init = {
7294 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
7295 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
7296 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
7297 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
7298
7299 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
7300 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
7301 LSM_HOOK_INIT(capget, selinux_capget),
7302 LSM_HOOK_INIT(capset, selinux_capset),
7303 LSM_HOOK_INIT(capable, selinux_capable),
7304 LSM_HOOK_INIT(quotactl, selinux_quotactl),
7305 LSM_HOOK_INIT(quota_on, selinux_quota_on),
7306 LSM_HOOK_INIT(syslog, selinux_syslog),
7307 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7308
7309 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7310
7311 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
7312 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7313 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7314
7315 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7316 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
7317 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7318 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7319 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7320 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7321 LSM_HOOK_INIT(sb_mount, selinux_mount),
7322 LSM_HOOK_INIT(sb_umount, selinux_umount),
7323 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7324 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7325
7326 LSM_HOOK_INIT(move_mount, selinux_move_mount),
7327
7328 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7329 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7330
7331 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7332 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7333 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7334 LSM_HOOK_INIT(inode_create, selinux_inode_create),
7335 LSM_HOOK_INIT(inode_link, selinux_inode_link),
7336 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7337 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7338 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7339 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7340 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7341 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7342 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7343 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7344 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7345 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7346 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7347 LSM_HOOK_INIT(inode_xattr_skipcap, selinux_inode_xattr_skipcap),
7348 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7349 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7350 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7351 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7352 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7353 LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl),
7354 LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl),
7355 LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl),
7356 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7357 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7358 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7359 LSM_HOOK_INIT(inode_getlsmprop, selinux_inode_getlsmprop),
7360 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7361 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7362 LSM_HOOK_INIT(path_notify, selinux_path_notify),
7363
7364 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7365
7366 LSM_HOOK_INIT(file_permission, selinux_file_permission),
7367 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7368 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7369 LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat),
7370 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7371 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7372 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7373 LSM_HOOK_INIT(file_lock, selinux_file_lock),
7374 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7375 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7376 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7377 LSM_HOOK_INIT(file_receive, selinux_file_receive),
7378
7379 LSM_HOOK_INIT(file_open, selinux_file_open),
7380
7381 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7382 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7383 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7384 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7385 LSM_HOOK_INIT(cred_getlsmprop, selinux_cred_getlsmprop),
7386 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7387 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7388 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7389 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7390 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7391 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7392 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7393 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7394 LSM_HOOK_INIT(current_getlsmprop_subj, selinux_current_getlsmprop_subj),
7395 LSM_HOOK_INIT(task_getlsmprop_obj, selinux_task_getlsmprop_obj),
7396 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7397 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7398 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7399 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7400 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7401 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7402 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7403 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7404 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7405 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7406 LSM_HOOK_INIT(userns_create, selinux_userns_create),
7407
7408 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7409 LSM_HOOK_INIT(ipc_getlsmprop, selinux_ipc_getlsmprop),
7410
7411 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7412 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7413 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7414 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7415
7416 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7417 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7418 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7419
7420 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7421 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7422 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7423
7424 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7425
7426 LSM_HOOK_INIT(getselfattr, selinux_getselfattr),
7427 LSM_HOOK_INIT(setselfattr, selinux_setselfattr),
7428 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7429 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7430
7431 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7432 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7433 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7434 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7435 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7436 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7437
7438 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7439 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7440
7441 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7442 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7443 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7444 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7445 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7446 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7447 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7448 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7449 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7450 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7451 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7452 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7453 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7454 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7455 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7456 LSM_HOOK_INIT(socket_getpeersec_stream,
7457 selinux_socket_getpeersec_stream),
7458 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7459 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7460 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7461 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7462 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7463 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7464 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7465 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7466 LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
7467 LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow),
7468 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7469 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7470 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7471 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7472 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7473 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7474 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7475 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7476 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7477 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7478 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7479 #ifdef CONFIG_SECURITY_INFINIBAND
7480 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7481 LSM_HOOK_INIT(ib_endport_manage_subnet,
7482 selinux_ib_endport_manage_subnet),
7483 #endif
7484 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7485 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7486 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7487 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7488 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7489 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7490 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7491 selinux_xfrm_state_pol_flow_match),
7492 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7493 #endif
7494
7495 #ifdef CONFIG_KEYS
7496 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7497 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7498 #ifdef CONFIG_KEY_NOTIFICATIONS
7499 LSM_HOOK_INIT(watch_key, selinux_watch_key),
7500 #endif
7501 #endif
7502
7503 #ifdef CONFIG_AUDIT
7504 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7505 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7506 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7507 #endif
7508
7509 #ifdef CONFIG_BPF_SYSCALL
7510 LSM_HOOK_INIT(bpf, selinux_bpf),
7511 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7512 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7513 LSM_HOOK_INIT(bpf_map_free, selinux_bpf_map_free),
7514 LSM_HOOK_INIT(bpf_prog_free, selinux_bpf_prog_free),
7515 LSM_HOOK_INIT(bpf_token_free, selinux_bpf_token_free),
7516 #endif
7517
7518 #ifdef CONFIG_PERF_EVENTS
7519 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7520 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7521 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7522 #endif
7523
7524 #ifdef CONFIG_IO_URING
7525 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7526 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7527 LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
7528 LSM_HOOK_INIT(uring_allowed, selinux_uring_allowed),
7529 #endif
7530
7531 /*
7532 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7533 */
7534 LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount),
7535 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7536 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7537 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7538 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7539 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7540 #endif
7541
7542 /*
7543 * PUT "ALLOCATING" HOOKS HERE
7544 */
7545 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7546 LSM_HOOK_INIT(msg_queue_alloc_security,
7547 selinux_msg_queue_alloc_security),
7548 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7549 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7550 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7551 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7552 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7553 LSM_HOOK_INIT(lsmprop_to_secctx, selinux_lsmprop_to_secctx),
7554 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7555 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7556 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7557 #ifdef CONFIG_SECURITY_INFINIBAND
7558 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7559 #endif
7560 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7561 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7562 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7563 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7564 selinux_xfrm_state_alloc_acquire),
7565 #endif
7566 #ifdef CONFIG_KEYS
7567 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7568 #endif
7569 #ifdef CONFIG_AUDIT
7570 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7571 #endif
7572 #ifdef CONFIG_BPF_SYSCALL
7573 LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create),
7574 LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load),
7575 LSM_HOOK_INIT(bpf_token_create, selinux_bpf_token_create),
7576 #endif
7577 #ifdef CONFIG_PERF_EVENTS
7578 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7579 #endif
7580 };
7581
7582 static __init int selinux_init(void)
7583 {
7584 pr_info("SELinux: Initializing.\n");
7585
7586 memset(&selinux_state, 0, sizeof(selinux_state));
7587 enforcing_set(selinux_enforcing_boot);
7588 selinux_avc_init();
7589 mutex_init(&selinux_state.status_lock);
7590 mutex_init(&selinux_state.policy_mutex);
7591
7592 /* Set the security state for the initial task. */
7593 cred_init_security();
7594
7595 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7596 if (!default_noexec)
7597 pr_notice("SELinux: virtual memory is executable by default\n");
7598
7599 avc_init();
7600
7601 avtab_cache_init();
7602
7603 ebitmap_cache_init();
7604
7605 hashtab_cache_init();
7606
7607 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks),
7608 &selinux_lsmid);
7609
7610 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7611 panic("SELinux: Unable to register AVC netcache callback\n");
7612
7613 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7614 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7615
7616 if (selinux_enforcing_boot)
7617 pr_debug("SELinux: Starting in enforcing mode\n");
7618 else
7619 pr_debug("SELinux: Starting in permissive mode\n");
7620
7621 fs_validate_description("selinux", selinux_fs_parameters);
7622
7623 return 0;
7624 }
7625
7626 static void delayed_superblock_init(struct super_block *sb, void *unused)
7627 {
7628 selinux_set_mnt_opts(sb, NULL, 0, NULL);
7629 }
7630
7631 void selinux_complete_init(void)
7632 {
7633 pr_debug("SELinux: Completing initialization.\n");
7634
7635 /* Set up any superblocks initialized prior to the policy load. */
7636 pr_debug("SELinux: Setting up existing superblocks.\n");
7637 iterate_supers(delayed_superblock_init, NULL);
7638 }
7639
7640 /* SELinux requires early initialization in order to label
7641 all processes and objects when they are created. */
7642 DEFINE_LSM(selinux) = {
7643 .name = "selinux",
7644 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7645 .enabled = &selinux_enabled_boot,
7646 .blobs = &selinux_blob_sizes,
7647 .init = selinux_init,
7648 };
7649
7650 #if defined(CONFIG_NETFILTER)
7651 static const struct nf_hook_ops selinux_nf_ops[] = {
7652 {
7653 .hook = selinux_ip_postroute,
7654 .pf = NFPROTO_IPV4,
7655 .hooknum = NF_INET_POST_ROUTING,
7656 .priority = NF_IP_PRI_SELINUX_LAST,
7657 },
7658 {
7659 .hook = selinux_ip_forward,
7660 .pf = NFPROTO_IPV4,
7661 .hooknum = NF_INET_FORWARD,
7662 .priority = NF_IP_PRI_SELINUX_FIRST,
7663 },
7664 {
7665 .hook = selinux_ip_output,
7666 .pf = NFPROTO_IPV4,
7667 .hooknum = NF_INET_LOCAL_OUT,
7668 .priority = NF_IP_PRI_SELINUX_FIRST,
7669 },
7670 #if IS_ENABLED(CONFIG_IPV6)
7671 {
7672 .hook = selinux_ip_postroute,
7673 .pf = NFPROTO_IPV6,
7674 .hooknum = NF_INET_POST_ROUTING,
7675 .priority = NF_IP6_PRI_SELINUX_LAST,
7676 },
7677 {
7678 .hook = selinux_ip_forward,
7679 .pf = NFPROTO_IPV6,
7680 .hooknum = NF_INET_FORWARD,
7681 .priority = NF_IP6_PRI_SELINUX_FIRST,
7682 },
7683 {
7684 .hook = selinux_ip_output,
7685 .pf = NFPROTO_IPV6,
7686 .hooknum = NF_INET_LOCAL_OUT,
7687 .priority = NF_IP6_PRI_SELINUX_FIRST,
7688 },
7689 #endif /* IPV6 */
7690 };
7691
7692 static int __net_init selinux_nf_register(struct net *net)
7693 {
7694 return nf_register_net_hooks(net, selinux_nf_ops,
7695 ARRAY_SIZE(selinux_nf_ops));
7696 }
7697
7698 static void __net_exit selinux_nf_unregister(struct net *net)
7699 {
7700 nf_unregister_net_hooks(net, selinux_nf_ops,
7701 ARRAY_SIZE(selinux_nf_ops));
7702 }
7703
7704 static struct pernet_operations selinux_net_ops = {
7705 .init = selinux_nf_register,
7706 .exit = selinux_nf_unregister,
7707 };
7708
7709 static int __init selinux_nf_ip_init(void)
7710 {
7711 int err;
7712
7713 if (!selinux_enabled_boot)
7714 return 0;
7715
7716 pr_debug("SELinux: Registering netfilter hooks\n");
7717
7718 err = register_pernet_subsys(&selinux_net_ops);
7719 if (err)
7720 panic("SELinux: register_pernet_subsys: error %d\n", err);
7721
7722 return 0;
7723 }
7724 __initcall(selinux_nf_ip_init);
7725 #endif /* CONFIG_NETFILTER */
A mirror of Linus' kernel repository