Gitiles
Code Review Sign In
192.168.1.100 / T108 / e958203796650e3959a43708d67534bf36f4c83b / . / marvell / linux / security / selinux / hooks.c
blob: 60b1ab4deabf31f2b160644f64c74ae804656f6f [file] [log] [blame]
b.liue9582032025-04-17 19:18:16 +0800[diff] [blame^]1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * NSA Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16 * <dgoeddel@trustedcs.com>
17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18 * Paul Moore <paul@paul-moore.com>
19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * Copyright (C) 2016 Mellanox Technologies
22 */
23
24#include <linux/init.h>
25#include <linux/kd.h>
26#include <linux/kernel.h>
27#include <linux/tracehook.h>
28#include <linux/errno.h>
29#include <linux/sched/signal.h>
30#include <linux/sched/task.h>
31#include <linux/lsm_hooks.h>
32#include <linux/xattr.h>
33#include <linux/capability.h>
34#include <linux/unistd.h>
35#include <linux/mm.h>
36#include <linux/mman.h>
37#include <linux/slab.h>
38#include <linux/pagemap.h>
39#include <linux/proc_fs.h>
40#include <linux/swap.h>
41#include <linux/spinlock.h>
42#include <linux/syscalls.h>
43#include <linux/dcache.h>
44#include <linux/file.h>
45#include <linux/fdtable.h>
46#include <linux/namei.h>
47#include <linux/mount.h>
48#include <linux/fs_context.h>
49#include <linux/fs_parser.h>
50#include <linux/netfilter_ipv4.h>
51#include <linux/netfilter_ipv6.h>
52#include <linux/tty.h>
53#include <net/icmp.h>
54#include <net/ip.h> /* for local_port_range[] */
55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56#include <net/inet_connection_sock.h>
57#include <net/net_namespace.h>
58#include <net/netlabel.h>
59#include <linux/uaccess.h>
60#include <asm/ioctls.h>
61#include <linux/atomic.h>
62#include <linux/bitops.h>
63#include <linux/interrupt.h>
64#include <linux/netdevice.h> /* for network interface checks */
65#include <net/netlink.h>
66#include <linux/tcp.h>
67#include <linux/udp.h>
68#include <linux/dccp.h>
69#include <linux/sctp.h>
70#include <net/sctp/structs.h>
71#include <linux/quota.h>
72#include <linux/un.h> /* for Unix socket types */
73#include <net/af_unix.h> /* for Unix socket types */
74#include <linux/parser.h>
75#include <linux/nfs_mount.h>
76#include <net/ipv6.h>
77#include <linux/hugetlb.h>
78#include <linux/personality.h>
79#include <linux/audit.h>
80#include <linux/string.h>
81#include <linux/mutex.h>
82#include <linux/posix-timers.h>
83#include <linux/syslog.h>
84#include <linux/user_namespace.h>
85#include <linux/export.h>
86#include <linux/msg.h>
87#include <linux/shm.h>
88#include <linux/bpf.h>
89#include <linux/kernfs.h>
90#include <linux/stringhash.h> /* for hashlen_string() */
91#include <uapi/linux/mount.h>
92#include <linux/fsnotify.h>
93#include <linux/fanotify.h>
94
95#include "avc.h"
96#include "objsec.h"
97#include "netif.h"
98#include "netnode.h"
99#include "netport.h"
100#include "ibpkey.h"
101#include "xfrm.h"
102#include "netlabel.h"
103#include "audit.h"
104#include "avc_ss.h"
105
106struct selinux_state selinux_state;
107
108/* SECMARK reference count */
109static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
110
111#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
112static int selinux_enforcing_boot;
113
114static int __init enforcing_setup(char *str)
115{
116 unsigned long enforcing;
117 if (!kstrtoul(str, 0, &enforcing))
118 selinux_enforcing_boot = enforcing ? 1 : 0;
119 return 1;
120}
121__setup("enforcing=", enforcing_setup);
122#else
123#define selinux_enforcing_boot 1
124#endif
125
126int selinux_enabled __lsm_ro_after_init = 1;
127#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
128static int __init selinux_enabled_setup(char *str)
129{
130 unsigned long enabled;
131 if (!kstrtoul(str, 0, &enabled))
132 selinux_enabled = enabled ? 1 : 0;
133 return 1;
134}
135__setup("selinux=", selinux_enabled_setup);
136#endif
137
138static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
141static int __init checkreqprot_setup(char *str)
142{
143 unsigned long checkreqprot;
144
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 return 1;
148}
149__setup("checkreqprot=", checkreqprot_setup);
150
151/**
152 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
153 *
154 * Description:
155 * This function checks the SECMARK reference counter to see if any SECMARK
156 * targets are currently configured, if the reference counter is greater than
157 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
158 * enabled, false (0) if SECMARK is disabled. If the always_check_network
159 * policy capability is enabled, SECMARK is always considered enabled.
160 *
161 */
162static int selinux_secmark_enabled(void)
163{
164 return (selinux_policycap_alwaysnetwork() ||
165 atomic_read(&selinux_secmark_refcount));
166}
167
168/**
169 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
170 *
171 * Description:
172 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
173 * (1) if any are enabled or false (0) if neither are enabled. If the
174 * always_check_network policy capability is enabled, peer labeling
175 * is always considered enabled.
176 *
177 */
178static int selinux_peerlbl_enabled(void)
179{
180 return (selinux_policycap_alwaysnetwork() ||
181 netlbl_enabled() || selinux_xfrm_enabled());
182}
183
184static int selinux_netcache_avc_callback(u32 event)
185{
186 if (event == AVC_CALLBACK_RESET) {
187 sel_netif_flush();
188 sel_netnode_flush();
189 sel_netport_flush();
190 synchronize_net();
191 }
192 return 0;
193}
194
195static int selinux_lsm_notifier_avc_callback(u32 event)
196{
197 if (event == AVC_CALLBACK_RESET) {
198 sel_ib_pkey_flush();
199 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
200 }
201
202 return 0;
203}
204
205/*
206 * initialise the security for the init task
207 */
208static void cred_init_security(void)
209{
210 struct cred *cred = (struct cred *) current->real_cred;
211 struct task_security_struct *tsec;
212
213 tsec = selinux_cred(cred);
214 tsec->osid = tsec->sid = SECINITSID_KERNEL;
215}
216
217/*
218 * get the security ID of a set of credentials
219 */
220static inline u32 cred_sid(const struct cred *cred)
221{
222 const struct task_security_struct *tsec;
223
224 tsec = selinux_cred(cred);
225 return tsec->sid;
226}
227
228/*
229 * get the objective security ID of a task
230 */
231static inline u32 task_sid(const struct task_struct *task)
232{
233 u32 sid;
234
235 rcu_read_lock();
236 sid = cred_sid(__task_cred(task));
237 rcu_read_unlock();
238 return sid;
239}
240
241/* Allocate and free functions for each kind of security blob. */
242
243static int inode_alloc_security(struct inode *inode)
244{
245 struct inode_security_struct *isec = selinux_inode(inode);
246 u32 sid = current_sid();
247
248 spin_lock_init(&isec->lock);
249 INIT_LIST_HEAD(&isec->list);
250 isec->inode = inode;
251 isec->sid = SECINITSID_UNLABELED;
252 isec->sclass = SECCLASS_FILE;
253 isec->task_sid = sid;
254 isec->initialized = LABEL_INVALID;
255
256 return 0;
257}
258
259static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
260
261/*
262 * Try reloading inode security labels that have been marked as invalid. The
263 * @may_sleep parameter indicates when sleeping and thus reloading labels is
264 * allowed; when set to false, returns -ECHILD when the label is
265 * invalid. The @dentry parameter should be set to a dentry of the inode.
266 */
267static int __inode_security_revalidate(struct inode *inode,
268 struct dentry *dentry,
269 bool may_sleep)
270{
271 struct inode_security_struct *isec = selinux_inode(inode);
272
273 might_sleep_if(may_sleep);
274
275 if (selinux_state.initialized &&
276 isec->initialized != LABEL_INITIALIZED) {
277 if (!may_sleep)
278 return -ECHILD;
279
280 /*
281 * Try reloading the inode security label. This will fail if
282 * @opt_dentry is NULL and no dentry for this inode can be
283 * found; in that case, continue using the old label.
284 */
285 inode_doinit_with_dentry(inode, dentry);
286 }
287 return 0;
288}
289
290static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
291{
292 return selinux_inode(inode);
293}
294
295static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
296{
297 int error;
298
299 error = __inode_security_revalidate(inode, NULL, !rcu);
300 if (error)
301 return ERR_PTR(error);
302 return selinux_inode(inode);
303}
304
305/*
306 * Get the security label of an inode.
307 */
308static struct inode_security_struct *inode_security(struct inode *inode)
309{
310 __inode_security_revalidate(inode, NULL, true);
311 return selinux_inode(inode);
312}
313
314static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
315{
316 struct inode *inode = d_backing_inode(dentry);
317
318 return selinux_inode(inode);
319}
320
321/*
322 * Get the security label of a dentry's backing inode.
323 */
324static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
325{
326 struct inode *inode = d_backing_inode(dentry);
327
328 __inode_security_revalidate(inode, dentry, true);
329 return selinux_inode(inode);
330}
331
332static void inode_free_security(struct inode *inode)
333{
334 struct inode_security_struct *isec = selinux_inode(inode);
335 struct superblock_security_struct *sbsec;
336
337 if (!isec)
338 return;
339 sbsec = inode->i_sb->s_security;
340 /*
341 * As not all inode security structures are in a list, we check for
342 * empty list outside of the lock to make sure that we won't waste
343 * time taking a lock doing nothing.
344 *
345 * The list_del_init() function can be safely called more than once.
346 * It should not be possible for this function to be called with
347 * concurrent list_add(), but for better safety against future changes
348 * in the code, we use list_empty_careful() here.
349 */
350 if (!list_empty_careful(&isec->list)) {
351 spin_lock(&sbsec->isec_lock);
352 list_del_init(&isec->list);
353 spin_unlock(&sbsec->isec_lock);
354 }
355}
356
357static int file_alloc_security(struct file *file)
358{
359 struct file_security_struct *fsec = selinux_file(file);
360 u32 sid = current_sid();
361
362 fsec->sid = sid;
363 fsec->fown_sid = sid;
364
365 return 0;
366}
367
368static int superblock_alloc_security(struct super_block *sb)
369{
370 struct superblock_security_struct *sbsec;
371
372 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
373 if (!sbsec)
374 return -ENOMEM;
375
376 mutex_init(&sbsec->lock);
377 INIT_LIST_HEAD(&sbsec->isec_head);
378 spin_lock_init(&sbsec->isec_lock);
379 sbsec->sb = sb;
380 sbsec->sid = SECINITSID_UNLABELED;
381 sbsec->def_sid = SECINITSID_FILE;
382 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
383 sb->s_security = sbsec;
384
385 return 0;
386}
387
388static void superblock_free_security(struct super_block *sb)
389{
390 struct superblock_security_struct *sbsec = sb->s_security;
391 sb->s_security = NULL;
392 kfree(sbsec);
393}
394
395struct selinux_mnt_opts {
396 const char *fscontext, *context, *rootcontext, *defcontext;
397};
398
399static void selinux_free_mnt_opts(void *mnt_opts)
400{
401 struct selinux_mnt_opts *opts = mnt_opts;
402 kfree(opts->fscontext);
403 kfree(opts->context);
404 kfree(opts->rootcontext);
405 kfree(opts->defcontext);
406 kfree(opts);
407}
408
409static inline int inode_doinit(struct inode *inode)
410{
411 return inode_doinit_with_dentry(inode, NULL);
412}
413
414enum {
415 Opt_error = -1,
416 Opt_context = 0,
417 Opt_defcontext = 1,
418 Opt_fscontext = 2,
419 Opt_rootcontext = 3,
420 Opt_seclabel = 4,
421};
422
423#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
424static struct {
425 const char *name;
426 int len;
427 int opt;
428 bool has_arg;
429} tokens[] = {
430 A(context, true),
431 A(fscontext, true),
432 A(defcontext, true),
433 A(rootcontext, true),
434 A(seclabel, false),
435};
436#undef A
437
438static int match_opt_prefix(char *s, int l, char **arg)
439{
440 int i;
441
442 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
443 size_t len = tokens[i].len;
444 if (len > l || memcmp(s, tokens[i].name, len))
445 continue;
446 if (tokens[i].has_arg) {
447 if (len == l || s[len] != '=')
448 continue;
449 *arg = s + len + 1;
450 } else if (len != l)
451 continue;
452 return tokens[i].opt;
453 }
454 return Opt_error;
455}
456
457#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
458
459static int may_context_mount_sb_relabel(u32 sid,
460 struct superblock_security_struct *sbsec,
461 const struct cred *cred)
462{
463 const struct task_security_struct *tsec = selinux_cred(cred);
464 int rc;
465
466 rc = avc_has_perm(&selinux_state,
467 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
468 FILESYSTEM__RELABELFROM, NULL);
469 if (rc)
470 return rc;
471
472 rc = avc_has_perm(&selinux_state,
473 tsec->sid, sid, SECCLASS_FILESYSTEM,
474 FILESYSTEM__RELABELTO, NULL);
475 return rc;
476}
477
478static int may_context_mount_inode_relabel(u32 sid,
479 struct superblock_security_struct *sbsec,
480 const struct cred *cred)
481{
482 const struct task_security_struct *tsec = selinux_cred(cred);
483 int rc;
484 rc = avc_has_perm(&selinux_state,
485 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
486 FILESYSTEM__RELABELFROM, NULL);
487 if (rc)
488 return rc;
489
490 rc = avc_has_perm(&selinux_state,
491 sid, sbsec->sid, SECCLASS_FILESYSTEM,
492 FILESYSTEM__ASSOCIATE, NULL);
493 return rc;
494}
495
496static int selinux_is_genfs_special_handling(struct super_block *sb)
497{
498 /* Special handling. Genfs but also in-core setxattr handler */
499 return !strcmp(sb->s_type->name, "sysfs") ||
500 !strcmp(sb->s_type->name, "pstore") ||
501 !strcmp(sb->s_type->name, "debugfs") ||
502 !strcmp(sb->s_type->name, "tracefs") ||
503 !strcmp(sb->s_type->name, "rootfs") ||
504 (selinux_policycap_cgroupseclabel() &&
505 (!strcmp(sb->s_type->name, "cgroup") ||
506 !strcmp(sb->s_type->name, "cgroup2")));
507}
508
509static int selinux_is_sblabel_mnt(struct super_block *sb)
510{
511 struct superblock_security_struct *sbsec = sb->s_security;
512
513 /*
514 * IMPORTANT: Double-check logic in this function when adding a new
515 * SECURITY_FS_USE_* definition!
516 */
517 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
518
519 switch (sbsec->behavior) {
520 case SECURITY_FS_USE_XATTR:
521 case SECURITY_FS_USE_TRANS:
522 case SECURITY_FS_USE_TASK:
523 case SECURITY_FS_USE_NATIVE:
524 return 1;
525
526 case SECURITY_FS_USE_GENFS:
527 return selinux_is_genfs_special_handling(sb);
528
529 /* Never allow relabeling on context mounts */
530 case SECURITY_FS_USE_MNTPOINT:
531 case SECURITY_FS_USE_NONE:
532 default:
533 return 0;
534 }
535}
536
537static int sb_finish_set_opts(struct super_block *sb)
538{
539 struct superblock_security_struct *sbsec = sb->s_security;
540 struct dentry *root = sb->s_root;
541 struct inode *root_inode = d_backing_inode(root);
542 int rc = 0;
543
544 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
545 /* Make sure that the xattr handler exists and that no
546 error other than -ENODATA is returned by getxattr on
547 the root directory. -ENODATA is ok, as this may be
548 the first boot of the SELinux kernel before we have
549 assigned xattr values to the filesystem. */
550 if (!(root_inode->i_opflags & IOP_XATTR)) {
551 pr_warn("SELinux: (dev %s, type %s) has no "
552 "xattr support\n", sb->s_id, sb->s_type->name);
553 rc = -EOPNOTSUPP;
554 goto out;
555 }
556
557 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL,
558 0, XATTR_NOSECURITY);
559 if (rc < 0 && rc != -ENODATA) {
560 if (rc == -EOPNOTSUPP)
561 pr_warn("SELinux: (dev %s, type "
562 "%s) has no security xattr handler\n",
563 sb->s_id, sb->s_type->name);
564 else
565 pr_warn("SELinux: (dev %s, type "
566 "%s) getxattr errno %d\n", sb->s_id,
567 sb->s_type->name, -rc);
568 goto out;
569 }
570 }
571
572 sbsec->flags |= SE_SBINITIALIZED;
573
574 /*
575 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
576 * leave the flag untouched because sb_clone_mnt_opts might be handing
577 * us a superblock that needs the flag to be cleared.
578 */
579 if (selinux_is_sblabel_mnt(sb))
580 sbsec->flags |= SBLABEL_MNT;
581 else
582 sbsec->flags &= ~SBLABEL_MNT;
583
584 /* Initialize the root inode. */
585 rc = inode_doinit_with_dentry(root_inode, root);
586
587 /* Initialize any other inodes associated with the superblock, e.g.
588 inodes created prior to initial policy load or inodes created
589 during get_sb by a pseudo filesystem that directly
590 populates itself. */
591 spin_lock(&sbsec->isec_lock);
592 while (!list_empty(&sbsec->isec_head)) {
593 struct inode_security_struct *isec =
594 list_first_entry(&sbsec->isec_head,
595 struct inode_security_struct, list);
596 struct inode *inode = isec->inode;
597 list_del_init(&isec->list);
598 spin_unlock(&sbsec->isec_lock);
599 inode = igrab(inode);
600 if (inode) {
601 if (!IS_PRIVATE(inode))
602 inode_doinit(inode);
603 iput(inode);
604 }
605 spin_lock(&sbsec->isec_lock);
606 }
607 spin_unlock(&sbsec->isec_lock);
608out:
609 return rc;
610}
611
612static int bad_option(struct superblock_security_struct *sbsec, char flag,
613 u32 old_sid, u32 new_sid)
614{
615 char mnt_flags = sbsec->flags & SE_MNTMASK;
616
617 /* check if the old mount command had the same options */
618 if (sbsec->flags & SE_SBINITIALIZED)
619 if (!(sbsec->flags & flag) ||
620 (old_sid != new_sid))
621 return 1;
622
623 /* check if we were passed the same options twice,
624 * aka someone passed context=a,context=b
625 */
626 if (!(sbsec->flags & SE_SBINITIALIZED))
627 if (mnt_flags & flag)
628 return 1;
629 return 0;
630}
631
632static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
633{
634 int rc = security_context_str_to_sid(&selinux_state, s,
635 sid, GFP_KERNEL);
636 if (rc)
637 pr_warn("SELinux: security_context_str_to_sid"
638 "(%s) failed for (dev %s, type %s) errno=%d\n",
639 s, sb->s_id, sb->s_type->name, rc);
640 return rc;
641}
642
643/*
644 * Allow filesystems with binary mount data to explicitly set mount point
645 * labeling information.
646 */
647static int selinux_set_mnt_opts(struct super_block *sb,
648 void *mnt_opts,
649 unsigned long kern_flags,
650 unsigned long *set_kern_flags)
651{
652 const struct cred *cred = current_cred();
653 struct superblock_security_struct *sbsec = sb->s_security;
654 struct dentry *root = sbsec->sb->s_root;
655 struct selinux_mnt_opts *opts = mnt_opts;
656 struct inode_security_struct *root_isec;
657 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
658 u32 defcontext_sid = 0;
659 int rc = 0;
660
661 mutex_lock(&sbsec->lock);
662
663 if (!selinux_state.initialized) {
664 if (!opts) {
665 /* Defer initialization until selinux_complete_init,
666 after the initial policy is loaded and the security
667 server is ready to handle calls. */
668 goto out;
669 }
670 rc = -EINVAL;
671 pr_warn("SELinux: Unable to set superblock options "
672 "before the security server is initialized\n");
673 goto out;
674 }
675 if (kern_flags && !set_kern_flags) {
676 /* Specifying internal flags without providing a place to
677 * place the results is not allowed */
678 rc = -EINVAL;
679 goto out;
680 }
681
682 /*
683 * Binary mount data FS will come through this function twice. Once
684 * from an explicit call and once from the generic calls from the vfs.
685 * Since the generic VFS calls will not contain any security mount data
686 * we need to skip the double mount verification.
687 *
688 * This does open a hole in which we will not notice if the first
689 * mount using this sb set explict options and a second mount using
690 * this sb does not set any security options. (The first options
691 * will be used for both mounts)
692 */
693 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
694 && !opts)
695 goto out;
696
697 root_isec = backing_inode_security_novalidate(root);
698
699 /*
700 * parse the mount options, check if they are valid sids.
701 * also check if someone is trying to mount the same sb more
702 * than once with different security options.
703 */
704 if (opts) {
705 if (opts->fscontext) {
706 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
707 if (rc)
708 goto out;
709 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
710 fscontext_sid))
711 goto out_double_mount;
712 sbsec->flags |= FSCONTEXT_MNT;
713 }
714 if (opts->context) {
715 rc = parse_sid(sb, opts->context, &context_sid);
716 if (rc)
717 goto out;
718 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
719 context_sid))
720 goto out_double_mount;
721 sbsec->flags |= CONTEXT_MNT;
722 }
723 if (opts->rootcontext) {
724 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
725 if (rc)
726 goto out;
727 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
728 rootcontext_sid))
729 goto out_double_mount;
730 sbsec->flags |= ROOTCONTEXT_MNT;
731 }
732 if (opts->defcontext) {
733 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
734 if (rc)
735 goto out;
736 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
737 defcontext_sid))
738 goto out_double_mount;
739 sbsec->flags |= DEFCONTEXT_MNT;
740 }
741 }
742
743 if (sbsec->flags & SE_SBINITIALIZED) {
744 /* previously mounted with options, but not on this attempt? */
745 if ((sbsec->flags & SE_MNTMASK) && !opts)
746 goto out_double_mount;
747 rc = 0;
748 goto out;
749 }
750
751 if (strcmp(sb->s_type->name, "proc") == 0)
752 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
753
754 if (!strcmp(sb->s_type->name, "debugfs") ||
755 !strcmp(sb->s_type->name, "tracefs") ||
756 !strcmp(sb->s_type->name, "binder") ||
757 !strcmp(sb->s_type->name, "bpf") ||
758 !strcmp(sb->s_type->name, "pstore"))
759 sbsec->flags |= SE_SBGENFS;
760
761 if (!strcmp(sb->s_type->name, "sysfs") ||
762 !strcmp(sb->s_type->name, "cgroup") ||
763 !strcmp(sb->s_type->name, "cgroup2"))
764 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
765
766 if (!sbsec->behavior) {
767 /*
768 * Determine the labeling behavior to use for this
769 * filesystem type.
770 */
771 rc = security_fs_use(&selinux_state, sb);
772 if (rc) {
773 pr_warn("%s: security_fs_use(%s) returned %d\n",
774 __func__, sb->s_type->name, rc);
775 goto out;
776 }
777 }
778
779 /*
780 * If this is a user namespace mount and the filesystem type is not
781 * explicitly whitelisted, then no contexts are allowed on the command
782 * line and security labels must be ignored.
783 */
784 if (sb->s_user_ns != &init_user_ns &&
785 strcmp(sb->s_type->name, "tmpfs") &&
786 strcmp(sb->s_type->name, "ramfs") &&
787 strcmp(sb->s_type->name, "devpts")) {
788 if (context_sid || fscontext_sid || rootcontext_sid ||
789 defcontext_sid) {
790 rc = -EACCES;
791 goto out;
792 }
793 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
794 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
795 rc = security_transition_sid(&selinux_state,
796 current_sid(),
797 current_sid(),
798 SECCLASS_FILE, NULL,
799 &sbsec->mntpoint_sid);
800 if (rc)
801 goto out;
802 }
803 goto out_set_opts;
804 }
805
806 /* sets the context of the superblock for the fs being mounted. */
807 if (fscontext_sid) {
808 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
809 if (rc)
810 goto out;
811
812 sbsec->sid = fscontext_sid;
813 }
814
815 /*
816 * Switch to using mount point labeling behavior.
817 * sets the label used on all file below the mountpoint, and will set
818 * the superblock context if not already set.
819 */
820 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
821 sbsec->behavior = SECURITY_FS_USE_NATIVE;
822 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
823 }
824
825 if (context_sid) {
826 if (!fscontext_sid) {
827 rc = may_context_mount_sb_relabel(context_sid, sbsec,
828 cred);
829 if (rc)
830 goto out;
831 sbsec->sid = context_sid;
832 } else {
833 rc = may_context_mount_inode_relabel(context_sid, sbsec,
834 cred);
835 if (rc)
836 goto out;
837 }
838 if (!rootcontext_sid)
839 rootcontext_sid = context_sid;
840
841 sbsec->mntpoint_sid = context_sid;
842 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
843 }
844
845 if (rootcontext_sid) {
846 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
847 cred);
848 if (rc)
849 goto out;
850
851 root_isec->sid = rootcontext_sid;
852 root_isec->initialized = LABEL_INITIALIZED;
853 }
854
855 if (defcontext_sid) {
856 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
857 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
858 rc = -EINVAL;
859 pr_warn("SELinux: defcontext option is "
860 "invalid for this filesystem type\n");
861 goto out;
862 }
863
864 if (defcontext_sid != sbsec->def_sid) {
865 rc = may_context_mount_inode_relabel(defcontext_sid,
866 sbsec, cred);
867 if (rc)
868 goto out;
869 }
870
871 sbsec->def_sid = defcontext_sid;
872 }
873
874out_set_opts:
875 rc = sb_finish_set_opts(sb);
876out:
877 mutex_unlock(&sbsec->lock);
878 return rc;
879out_double_mount:
880 rc = -EINVAL;
881 pr_warn("SELinux: mount invalid. Same superblock, different "
882 "security settings for (dev %s, type %s)\n", sb->s_id,
883 sb->s_type->name);
884 goto out;
885}
886
887static int selinux_cmp_sb_context(const struct super_block *oldsb,
888 const struct super_block *newsb)
889{
890 struct superblock_security_struct *old = oldsb->s_security;
891 struct superblock_security_struct *new = newsb->s_security;
892 char oldflags = old->flags & SE_MNTMASK;
893 char newflags = new->flags & SE_MNTMASK;
894
895 if (oldflags != newflags)
896 goto mismatch;
897 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
898 goto mismatch;
899 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
900 goto mismatch;
901 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
902 goto mismatch;
903 if (oldflags & ROOTCONTEXT_MNT) {
904 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
905 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
906 if (oldroot->sid != newroot->sid)
907 goto mismatch;
908 }
909 return 0;
910mismatch:
911 pr_warn("SELinux: mount invalid. Same superblock, "
912 "different security settings for (dev %s, "
913 "type %s)\n", newsb->s_id, newsb->s_type->name);
914 return -EBUSY;
915}
916
917static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
918 struct super_block *newsb,
919 unsigned long kern_flags,
920 unsigned long *set_kern_flags)
921{
922 int rc = 0;
923 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
924 struct superblock_security_struct *newsbsec = newsb->s_security;
925
926 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
927 int set_context = (oldsbsec->flags & CONTEXT_MNT);
928 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
929
930 /*
931 * if the parent was able to be mounted it clearly had no special lsm
932 * mount options. thus we can safely deal with this superblock later
933 */
934 if (!selinux_state.initialized)
935 return 0;
936
937 /*
938 * Specifying internal flags without providing a place to
939 * place the results is not allowed.
940 */
941 if (kern_flags && !set_kern_flags)
942 return -EINVAL;
943
944 /* how can we clone if the old one wasn't set up?? */
945 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
946
947 /* if fs is reusing a sb, make sure that the contexts match */
948 if (newsbsec->flags & SE_SBINITIALIZED) {
949 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
950 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
951 return selinux_cmp_sb_context(oldsb, newsb);
952 }
953
954 mutex_lock(&newsbsec->lock);
955
956 newsbsec->flags = oldsbsec->flags;
957
958 newsbsec->sid = oldsbsec->sid;
959 newsbsec->def_sid = oldsbsec->def_sid;
960 newsbsec->behavior = oldsbsec->behavior;
961
962 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
963 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
964 rc = security_fs_use(&selinux_state, newsb);
965 if (rc)
966 goto out;
967 }
968
969 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
970 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
971 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
972 }
973
974 if (set_context) {
975 u32 sid = oldsbsec->mntpoint_sid;
976
977 if (!set_fscontext)
978 newsbsec->sid = sid;
979 if (!set_rootcontext) {
980 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
981 newisec->sid = sid;
982 }
983 newsbsec->mntpoint_sid = sid;
984 }
985 if (set_rootcontext) {
986 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
987 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
988
989 newisec->sid = oldisec->sid;
990 }
991
992 sb_finish_set_opts(newsb);
993out:
994 mutex_unlock(&newsbsec->lock);
995 return rc;
996}
997
998static int selinux_add_opt(int token, const char *s, void **mnt_opts)
999{
1000 struct selinux_mnt_opts *opts = *mnt_opts;
1001 bool is_alloc_opts = false;
1002
1003 if (token == Opt_seclabel) /* eaten and completely ignored */
1004 return 0;
1005
1006 if (!s)
1007 return -ENOMEM;
1008
1009 if (!opts) {
1010 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1011 if (!opts)
1012 return -ENOMEM;
1013 *mnt_opts = opts;
1014 is_alloc_opts = true;
1015 }
1016
1017 switch (token) {
1018 case Opt_context:
1019 if (opts->context || opts->defcontext)
1020 goto Einval;
1021 opts->context = s;
1022 break;
1023 case Opt_fscontext:
1024 if (opts->fscontext)
1025 goto Einval;
1026 opts->fscontext = s;
1027 break;
1028 case Opt_rootcontext:
1029 if (opts->rootcontext)
1030 goto Einval;
1031 opts->rootcontext = s;
1032 break;
1033 case Opt_defcontext:
1034 if (opts->context || opts->defcontext)
1035 goto Einval;
1036 opts->defcontext = s;
1037 break;
1038 }
1039 return 0;
1040Einval:
1041 if (is_alloc_opts) {
1042 kfree(opts);
1043 *mnt_opts = NULL;
1044 }
1045 pr_warn(SEL_MOUNT_FAIL_MSG);
1046 return -EINVAL;
1047}
1048
1049static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1050 void **mnt_opts)
1051{
1052 int token = Opt_error;
1053 int rc, i;
1054
1055 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1056 if (strcmp(option, tokens[i].name) == 0) {
1057 token = tokens[i].opt;
1058 break;
1059 }
1060 }
1061
1062 if (token == Opt_error)
1063 return -EINVAL;
1064
1065 if (token != Opt_seclabel) {
1066 val = kmemdup_nul(val, len, GFP_KERNEL);
1067 if (!val) {
1068 rc = -ENOMEM;
1069 goto free_opt;
1070 }
1071 }
1072 rc = selinux_add_opt(token, val, mnt_opts);
1073 if (unlikely(rc)) {
1074 kfree(val);
1075 goto free_opt;
1076 }
1077 return rc;
1078
1079free_opt:
1080 if (*mnt_opts) {
1081 selinux_free_mnt_opts(*mnt_opts);
1082 *mnt_opts = NULL;
1083 }
1084 return rc;
1085}
1086
1087static int show_sid(struct seq_file *m, u32 sid)
1088{
1089 char *context = NULL;
1090 u32 len;
1091 int rc;
1092
1093 rc = security_sid_to_context(&selinux_state, sid,
1094 &context, &len);
1095 if (!rc) {
1096 bool has_comma = context && strchr(context, ',');
1097
1098 seq_putc(m, '=');
1099 if (has_comma)
1100 seq_putc(m, '\"');
1101 seq_escape(m, context, "\"\n\\");
1102 if (has_comma)
1103 seq_putc(m, '\"');
1104 }
1105 kfree(context);
1106 return rc;
1107}
1108
1109static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1110{
1111 struct superblock_security_struct *sbsec = sb->s_security;
1112 int rc;
1113
1114 if (!(sbsec->flags & SE_SBINITIALIZED))
1115 return 0;
1116
1117 if (!selinux_state.initialized)
1118 return 0;
1119
1120 if (sbsec->flags & FSCONTEXT_MNT) {
1121 seq_putc(m, ',');
1122 seq_puts(m, FSCONTEXT_STR);
1123 rc = show_sid(m, sbsec->sid);
1124 if (rc)
1125 return rc;
1126 }
1127 if (sbsec->flags & CONTEXT_MNT) {
1128 seq_putc(m, ',');
1129 seq_puts(m, CONTEXT_STR);
1130 rc = show_sid(m, sbsec->mntpoint_sid);
1131 if (rc)
1132 return rc;
1133 }
1134 if (sbsec->flags & DEFCONTEXT_MNT) {
1135 seq_putc(m, ',');
1136 seq_puts(m, DEFCONTEXT_STR);
1137 rc = show_sid(m, sbsec->def_sid);
1138 if (rc)
1139 return rc;
1140 }
1141 if (sbsec->flags & ROOTCONTEXT_MNT) {
1142 struct dentry *root = sbsec->sb->s_root;
1143 struct inode_security_struct *isec = backing_inode_security(root);
1144 seq_putc(m, ',');
1145 seq_puts(m, ROOTCONTEXT_STR);
1146 rc = show_sid(m, isec->sid);
1147 if (rc)
1148 return rc;
1149 }
1150 if (sbsec->flags & SBLABEL_MNT) {
1151 seq_putc(m, ',');
1152 seq_puts(m, SECLABEL_STR);
1153 }
1154 return 0;
1155}
1156
1157static inline u16 inode_mode_to_security_class(umode_t mode)
1158{
1159 switch (mode & S_IFMT) {
1160 case S_IFSOCK:
1161 return SECCLASS_SOCK_FILE;
1162 case S_IFLNK:
1163 return SECCLASS_LNK_FILE;
1164 case S_IFREG:
1165 return SECCLASS_FILE;
1166 case S_IFBLK:
1167 return SECCLASS_BLK_FILE;
1168 case S_IFDIR:
1169 return SECCLASS_DIR;
1170 case S_IFCHR:
1171 return SECCLASS_CHR_FILE;
1172 case S_IFIFO:
1173 return SECCLASS_FIFO_FILE;
1174
1175 }
1176
1177 return SECCLASS_FILE;
1178}
1179
1180static inline int default_protocol_stream(int protocol)
1181{
1182 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1183}
1184
1185static inline int default_protocol_dgram(int protocol)
1186{
1187 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1188}
1189
1190static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1191{
1192 int extsockclass = selinux_policycap_extsockclass();
1193
1194 switch (family) {
1195 case PF_UNIX:
1196 switch (type) {
1197 case SOCK_STREAM:
1198 case SOCK_SEQPACKET:
1199 return SECCLASS_UNIX_STREAM_SOCKET;
1200 case SOCK_DGRAM:
1201 case SOCK_RAW:
1202 return SECCLASS_UNIX_DGRAM_SOCKET;
1203 }
1204 break;
1205 case PF_INET:
1206 case PF_INET6:
1207 switch (type) {
1208 case SOCK_STREAM:
1209 case SOCK_SEQPACKET:
1210 if (default_protocol_stream(protocol))
1211 return SECCLASS_TCP_SOCKET;
1212 else if (extsockclass && protocol == IPPROTO_SCTP)
1213 return SECCLASS_SCTP_SOCKET;
1214 else
1215 return SECCLASS_RAWIP_SOCKET;
1216 case SOCK_DGRAM:
1217 if (default_protocol_dgram(protocol))
1218 return SECCLASS_UDP_SOCKET;
1219 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1220 protocol == IPPROTO_ICMPV6))
1221 return SECCLASS_ICMP_SOCKET;
1222 else
1223 return SECCLASS_RAWIP_SOCKET;
1224 case SOCK_DCCP:
1225 return SECCLASS_DCCP_SOCKET;
1226 default:
1227 return SECCLASS_RAWIP_SOCKET;
1228 }
1229 break;
1230 case PF_NETLINK:
1231 switch (protocol) {
1232 case NETLINK_ROUTE:
1233 return SECCLASS_NETLINK_ROUTE_SOCKET;
1234 case NETLINK_SOCK_DIAG:
1235 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1236 case NETLINK_NFLOG:
1237 return SECCLASS_NETLINK_NFLOG_SOCKET;
1238 case NETLINK_XFRM:
1239 return SECCLASS_NETLINK_XFRM_SOCKET;
1240 case NETLINK_SELINUX:
1241 return SECCLASS_NETLINK_SELINUX_SOCKET;
1242 case NETLINK_ISCSI:
1243 return SECCLASS_NETLINK_ISCSI_SOCKET;
1244 case NETLINK_AUDIT:
1245 return SECCLASS_NETLINK_AUDIT_SOCKET;
1246 case NETLINK_FIB_LOOKUP:
1247 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1248 case NETLINK_CONNECTOR:
1249 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1250 case NETLINK_NETFILTER:
1251 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1252 case NETLINK_DNRTMSG:
1253 return SECCLASS_NETLINK_DNRT_SOCKET;
1254 case NETLINK_KOBJECT_UEVENT:
1255 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1256 case NETLINK_GENERIC:
1257 return SECCLASS_NETLINK_GENERIC_SOCKET;
1258 case NETLINK_SCSITRANSPORT:
1259 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1260 case NETLINK_RDMA:
1261 return SECCLASS_NETLINK_RDMA_SOCKET;
1262 case NETLINK_CRYPTO:
1263 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1264 default:
1265 return SECCLASS_NETLINK_SOCKET;
1266 }
1267 case PF_PACKET:
1268 return SECCLASS_PACKET_SOCKET;
1269 case PF_KEY:
1270 return SECCLASS_KEY_SOCKET;
1271 case PF_APPLETALK:
1272 return SECCLASS_APPLETALK_SOCKET;
1273 }
1274
1275 if (extsockclass) {
1276 switch (family) {
1277 case PF_AX25:
1278 return SECCLASS_AX25_SOCKET;
1279 case PF_IPX:
1280 return SECCLASS_IPX_SOCKET;
1281 case PF_NETROM:
1282 return SECCLASS_NETROM_SOCKET;
1283 case PF_ATMPVC:
1284 return SECCLASS_ATMPVC_SOCKET;
1285 case PF_X25:
1286 return SECCLASS_X25_SOCKET;
1287 case PF_ROSE:
1288 return SECCLASS_ROSE_SOCKET;
1289 case PF_DECnet:
1290 return SECCLASS_DECNET_SOCKET;
1291 case PF_ATMSVC:
1292 return SECCLASS_ATMSVC_SOCKET;
1293 case PF_RDS:
1294 return SECCLASS_RDS_SOCKET;
1295 case PF_IRDA:
1296 return SECCLASS_IRDA_SOCKET;
1297 case PF_PPPOX:
1298 return SECCLASS_PPPOX_SOCKET;
1299 case PF_LLC:
1300 return SECCLASS_LLC_SOCKET;
1301 case PF_CAN:
1302 return SECCLASS_CAN_SOCKET;
1303 case PF_TIPC:
1304 return SECCLASS_TIPC_SOCKET;
1305 case PF_BLUETOOTH:
1306 return SECCLASS_BLUETOOTH_SOCKET;
1307 case PF_IUCV:
1308 return SECCLASS_IUCV_SOCKET;
1309 case PF_RXRPC:
1310 return SECCLASS_RXRPC_SOCKET;
1311 case PF_ISDN:
1312 return SECCLASS_ISDN_SOCKET;
1313 case PF_PHONET:
1314 return SECCLASS_PHONET_SOCKET;
1315 case PF_IEEE802154:
1316 return SECCLASS_IEEE802154_SOCKET;
1317 case PF_CAIF:
1318 return SECCLASS_CAIF_SOCKET;
1319 case PF_ALG:
1320 return SECCLASS_ALG_SOCKET;
1321 case PF_NFC:
1322 return SECCLASS_NFC_SOCKET;
1323 case PF_VSOCK:
1324 return SECCLASS_VSOCK_SOCKET;
1325 case PF_KCM:
1326 return SECCLASS_KCM_SOCKET;
1327 case PF_QIPCRTR:
1328 return SECCLASS_QIPCRTR_SOCKET;
1329 case PF_SMC:
1330 return SECCLASS_SMC_SOCKET;
1331 case PF_XDP:
1332 return SECCLASS_XDP_SOCKET;
1333#if PF_MAX > 45
1334#error New address family defined, please update this function.
1335#endif
1336 }
1337 }
1338
1339 return SECCLASS_SOCKET;
1340}
1341
1342static int selinux_genfs_get_sid(struct dentry *dentry,
1343 u16 tclass,
1344 u16 flags,
1345 u32 *sid)
1346{
1347 int rc;
1348 struct super_block *sb = dentry->d_sb;
1349 char *buffer, *path;
1350
1351 buffer = (char *)__get_free_page(GFP_KERNEL);
1352 if (!buffer)
1353 return -ENOMEM;
1354
1355 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1356 if (IS_ERR(path))
1357 rc = PTR_ERR(path);
1358 else {
1359 if (flags & SE_SBPROC) {
1360 /* each process gets a /proc/PID/ entry. Strip off the
1361 * PID part to get a valid selinux labeling.
1362 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1363 while (path[1] >= '0' && path[1] <= '9') {
1364 path[1] = '/';
1365 path++;
1366 }
1367 }
1368 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1369 path, tclass, sid);
1370 if (rc == -ENOENT) {
1371 /* No match in policy, mark as unlabeled. */
1372 *sid = SECINITSID_UNLABELED;
1373 rc = 0;
1374 }
1375 }
1376 free_page((unsigned long)buffer);
1377 return rc;
1378}
1379
1380static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1381 u32 def_sid, u32 *sid)
1382{
1383#define INITCONTEXTLEN 255
1384 char *context;
1385 unsigned int len;
1386 int rc;
1387
1388 len = INITCONTEXTLEN;
1389 context = kmalloc(len + 1, GFP_NOFS);
1390 if (!context)
1391 return -ENOMEM;
1392
1393 context[len] = '\0';
1394 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len,
1395 XATTR_NOSECURITY);
1396 if (rc == -ERANGE) {
1397 kfree(context);
1398
1399 /* Need a larger buffer. Query for the right size. */
1400 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0,
1401 XATTR_NOSECURITY);
1402 if (rc < 0)
1403 return rc;
1404
1405 len = rc;
1406 context = kmalloc(len + 1, GFP_NOFS);
1407 if (!context)
1408 return -ENOMEM;
1409
1410 context[len] = '\0';
1411 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1412 context, len, XATTR_NOSECURITY);
1413 }
1414 if (rc < 0) {
1415 kfree(context);
1416 if (rc != -ENODATA) {
1417 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1418 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1419 return rc;
1420 }
1421 *sid = def_sid;
1422 return 0;
1423 }
1424
1425 rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1426 def_sid, GFP_NOFS);
1427 if (rc) {
1428 char *dev = inode->i_sb->s_id;
1429 unsigned long ino = inode->i_ino;
1430
1431 if (rc == -EINVAL) {
1432 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1433 ino, dev, context);
1434 } else {
1435 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1436 __func__, context, -rc, dev, ino);
1437 }
1438 }
1439 kfree(context);
1440 return 0;
1441}
1442
1443/* The inode's security attributes must be initialized before first use. */
1444static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1445{
1446 struct superblock_security_struct *sbsec = NULL;
1447 struct inode_security_struct *isec = selinux_inode(inode);
1448 u32 task_sid, sid = 0;
1449 u16 sclass;
1450 struct dentry *dentry;
1451 int rc = 0;
1452
1453 if (isec->initialized == LABEL_INITIALIZED)
1454 return 0;
1455
1456 spin_lock(&isec->lock);
1457 if (isec->initialized == LABEL_INITIALIZED)
1458 goto out_unlock;
1459
1460 if (isec->sclass == SECCLASS_FILE)
1461 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1462
1463 sbsec = inode->i_sb->s_security;
1464 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1465 /* Defer initialization until selinux_complete_init,
1466 after the initial policy is loaded and the security
1467 server is ready to handle calls. */
1468 spin_lock(&sbsec->isec_lock);
1469 if (list_empty(&isec->list))
1470 list_add(&isec->list, &sbsec->isec_head);
1471 spin_unlock(&sbsec->isec_lock);
1472 goto out_unlock;
1473 }
1474
1475 sclass = isec->sclass;
1476 task_sid = isec->task_sid;
1477 sid = isec->sid;
1478 isec->initialized = LABEL_PENDING;
1479 spin_unlock(&isec->lock);
1480
1481 switch (sbsec->behavior) {
1482 case SECURITY_FS_USE_NATIVE:
1483 break;
1484 case SECURITY_FS_USE_XATTR:
1485 if (!(inode->i_opflags & IOP_XATTR)) {
1486 sid = sbsec->def_sid;
1487 break;
1488 }
1489 /* Need a dentry, since the xattr API requires one.
1490 Life would be simpler if we could just pass the inode. */
1491 if (opt_dentry) {
1492 /* Called from d_instantiate or d_splice_alias. */
1493 dentry = dget(opt_dentry);
1494 } else {
1495 /*
1496 * Called from selinux_complete_init, try to find a dentry.
1497 * Some filesystems really want a connected one, so try
1498 * that first. We could split SECURITY_FS_USE_XATTR in
1499 * two, depending upon that...
1500 */
1501 dentry = d_find_alias(inode);
1502 if (!dentry)
1503 dentry = d_find_any_alias(inode);
1504 }
1505 if (!dentry) {
1506 /*
1507 * this is can be hit on boot when a file is accessed
1508 * before the policy is loaded. When we load policy we
1509 * may find inodes that have no dentry on the
1510 * sbsec->isec_head list. No reason to complain as these
1511 * will get fixed up the next time we go through
1512 * inode_doinit with a dentry, before these inodes could
1513 * be used again by userspace.
1514 */
1515 goto out_invalid;
1516 }
1517
1518 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1519 &sid);
1520 dput(dentry);
1521 if (rc)
1522 goto out;
1523 break;
1524 case SECURITY_FS_USE_TASK:
1525 sid = task_sid;
1526 break;
1527 case SECURITY_FS_USE_TRANS:
1528 /* Default to the fs SID. */
1529 sid = sbsec->sid;
1530
1531 /* Try to obtain a transition SID. */
1532 rc = security_transition_sid(&selinux_state, task_sid, sid,
1533 sclass, NULL, &sid);
1534 if (rc)
1535 goto out;
1536 break;
1537 case SECURITY_FS_USE_MNTPOINT:
1538 sid = sbsec->mntpoint_sid;
1539 break;
1540 default:
1541 /* Default to the fs superblock SID. */
1542 sid = sbsec->sid;
1543
1544 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1545 /* We must have a dentry to determine the label on
1546 * procfs inodes */
1547 if (opt_dentry) {
1548 /* Called from d_instantiate or
1549 * d_splice_alias. */
1550 dentry = dget(opt_dentry);
1551 } else {
1552 /* Called from selinux_complete_init, try to
1553 * find a dentry. Some filesystems really want
1554 * a connected one, so try that first.
1555 */
1556 dentry = d_find_alias(inode);
1557 if (!dentry)
1558 dentry = d_find_any_alias(inode);
1559 }
1560 /*
1561 * This can be hit on boot when a file is accessed
1562 * before the policy is loaded. When we load policy we
1563 * may find inodes that have no dentry on the
1564 * sbsec->isec_head list. No reason to complain as
1565 * these will get fixed up the next time we go through
1566 * inode_doinit() with a dentry, before these inodes
1567 * could be used again by userspace.
1568 */
1569 if (!dentry)
1570 goto out_invalid;
1571 rc = selinux_genfs_get_sid(dentry, sclass,
1572 sbsec->flags, &sid);
1573 if (rc) {
1574 dput(dentry);
1575 goto out;
1576 }
1577
1578 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1579 (inode->i_opflags & IOP_XATTR)) {
1580 rc = inode_doinit_use_xattr(inode, dentry,
1581 sid, &sid);
1582 if (rc) {
1583 dput(dentry);
1584 goto out;
1585 }
1586 }
1587 dput(dentry);
1588 }
1589 break;
1590 }
1591
1592out:
1593 spin_lock(&isec->lock);
1594 if (isec->initialized == LABEL_PENDING) {
1595 if (rc) {
1596 isec->initialized = LABEL_INVALID;
1597 goto out_unlock;
1598 }
1599 isec->initialized = LABEL_INITIALIZED;
1600 isec->sid = sid;
1601 }
1602
1603out_unlock:
1604 spin_unlock(&isec->lock);
1605 return rc;
1606
1607out_invalid:
1608 spin_lock(&isec->lock);
1609 if (isec->initialized == LABEL_PENDING) {
1610 isec->initialized = LABEL_INVALID;
1611 isec->sid = sid;
1612 }
1613 spin_unlock(&isec->lock);
1614 return 0;
1615}
1616
1617/* Convert a Linux signal to an access vector. */
1618static inline u32 signal_to_av(int sig)
1619{
1620 u32 perm = 0;
1621
1622 switch (sig) {
1623 case SIGCHLD:
1624 /* Commonly granted from child to parent. */
1625 perm = PROCESS__SIGCHLD;
1626 break;
1627 case SIGKILL:
1628 /* Cannot be caught or ignored */
1629 perm = PROCESS__SIGKILL;
1630 break;
1631 case SIGSTOP:
1632 /* Cannot be caught or ignored */
1633 perm = PROCESS__SIGSTOP;
1634 break;
1635 default:
1636 /* All other signals. */
1637 perm = PROCESS__SIGNAL;
1638 break;
1639 }
1640
1641 return perm;
1642}
1643
1644#if CAP_LAST_CAP > 63
1645#error Fix SELinux to handle capabilities > 63.
1646#endif
1647
1648/* Check whether a task is allowed to use a capability. */
1649static int cred_has_capability(const struct cred *cred,
1650 int cap, unsigned int opts, bool initns)
1651{
1652 struct common_audit_data ad;
1653 struct av_decision avd;
1654 u16 sclass;
1655 u32 sid = cred_sid(cred);
1656 u32 av = CAP_TO_MASK(cap);
1657 int rc;
1658
1659 ad.type = LSM_AUDIT_DATA_CAP;
1660 ad.u.cap = cap;
1661
1662 switch (CAP_TO_INDEX(cap)) {
1663 case 0:
1664 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1665 break;
1666 case 1:
1667 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1668 break;
1669 default:
1670 pr_err("SELinux: out of range capability %d\n", cap);
1671 BUG();
1672 return -EINVAL;
1673 }
1674
1675 rc = avc_has_perm_noaudit(&selinux_state,
1676 sid, sid, sclass, av, 0, &avd);
1677 if (!(opts & CAP_OPT_NOAUDIT)) {
1678 int rc2 = avc_audit(&selinux_state,
1679 sid, sid, sclass, av, &avd, rc, &ad, 0);
1680 if (rc2)
1681 return rc2;
1682 }
1683 return rc;
1684}
1685
1686/* Check whether a task has a particular permission to an inode.
1687 The 'adp' parameter is optional and allows other audit
1688 data to be passed (e.g. the dentry). */
1689static int inode_has_perm(const struct cred *cred,
1690 struct inode *inode,
1691 u32 perms,
1692 struct common_audit_data *adp)
1693{
1694 struct inode_security_struct *isec;
1695 u32 sid;
1696
1697 validate_creds(cred);
1698
1699 if (unlikely(IS_PRIVATE(inode)))
1700 return 0;
1701
1702 sid = cred_sid(cred);
1703 isec = selinux_inode(inode);
1704
1705 return avc_has_perm(&selinux_state,
1706 sid, isec->sid, isec->sclass, perms, adp);
1707}
1708
1709/* Same as inode_has_perm, but pass explicit audit data containing
1710 the dentry to help the auditing code to more easily generate the
1711 pathname if needed. */
1712static inline int dentry_has_perm(const struct cred *cred,
1713 struct dentry *dentry,
1714 u32 av)
1715{
1716 struct inode *inode = d_backing_inode(dentry);
1717 struct common_audit_data ad;
1718
1719 ad.type = LSM_AUDIT_DATA_DENTRY;
1720 ad.u.dentry = dentry;
1721 __inode_security_revalidate(inode, dentry, true);
1722 return inode_has_perm(cred, inode, av, &ad);
1723}
1724
1725/* Same as inode_has_perm, but pass explicit audit data containing
1726 the path to help the auditing code to more easily generate the
1727 pathname if needed. */
1728static inline int path_has_perm(const struct cred *cred,
1729 const struct path *path,
1730 u32 av)
1731{
1732 struct inode *inode = d_backing_inode(path->dentry);
1733 struct common_audit_data ad;
1734
1735 ad.type = LSM_AUDIT_DATA_PATH;
1736 ad.u.path = *path;
1737 __inode_security_revalidate(inode, path->dentry, true);
1738 return inode_has_perm(cred, inode, av, &ad);
1739}
1740
1741/* Same as path_has_perm, but uses the inode from the file struct. */
1742static inline int file_path_has_perm(const struct cred *cred,
1743 struct file *file,
1744 u32 av)
1745{
1746 struct common_audit_data ad;
1747
1748 ad.type = LSM_AUDIT_DATA_FILE;
1749 ad.u.file = file;
1750 return inode_has_perm(cred, file_inode(file), av, &ad);
1751}
1752
1753#ifdef CONFIG_BPF_SYSCALL
1754static int bpf_fd_pass(struct file *file, u32 sid);
1755#endif
1756
1757/* Check whether a task can use an open file descriptor to
1758 access an inode in a given way. Check access to the
1759 descriptor itself, and then use dentry_has_perm to
1760 check a particular permission to the file.
1761 Access to the descriptor is implicitly granted if it
1762 has the same SID as the process. If av is zero, then
1763 access to the file is not checked, e.g. for cases
1764 where only the descriptor is affected like seek. */
1765static int file_has_perm(const struct cred *cred,
1766 struct file *file,
1767 u32 av)
1768{
1769 struct file_security_struct *fsec = selinux_file(file);
1770 struct inode *inode = file_inode(file);
1771 struct common_audit_data ad;
1772 u32 sid = cred_sid(cred);
1773 int rc;
1774
1775 ad.type = LSM_AUDIT_DATA_FILE;
1776 ad.u.file = file;
1777
1778 if (sid != fsec->sid) {
1779 rc = avc_has_perm(&selinux_state,
1780 sid, fsec->sid,
1781 SECCLASS_FD,
1782 FD__USE,
1783 &ad);
1784 if (rc)
1785 goto out;
1786 }
1787
1788#ifdef CONFIG_BPF_SYSCALL
1789 rc = bpf_fd_pass(file, cred_sid(cred));
1790 if (rc)
1791 return rc;
1792#endif
1793
1794 /* av is zero if only checking access to the descriptor. */
1795 rc = 0;
1796 if (av)
1797 rc = inode_has_perm(cred, inode, av, &ad);
1798
1799out:
1800 return rc;
1801}
1802
1803/*
1804 * Determine the label for an inode that might be unioned.
1805 */
1806static int
1807selinux_determine_inode_label(const struct task_security_struct *tsec,
1808 struct inode *dir,
1809 const struct qstr *name, u16 tclass,
1810 u32 *_new_isid)
1811{
1812 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1813
1814 if ((sbsec->flags & SE_SBINITIALIZED) &&
1815 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1816 *_new_isid = sbsec->mntpoint_sid;
1817 } else if ((sbsec->flags & SBLABEL_MNT) &&
1818 tsec->create_sid) {
1819 *_new_isid = tsec->create_sid;
1820 } else {
1821 const struct inode_security_struct *dsec = inode_security(dir);
1822 return security_transition_sid(&selinux_state, tsec->sid,
1823 dsec->sid, tclass,
1824 name, _new_isid);
1825 }
1826
1827 return 0;
1828}
1829
1830/* Check whether a task can create a file. */
1831static int may_create(struct inode *dir,
1832 struct dentry *dentry,
1833 u16 tclass)
1834{
1835 const struct task_security_struct *tsec = selinux_cred(current_cred());
1836 struct inode_security_struct *dsec;
1837 struct superblock_security_struct *sbsec;
1838 u32 sid, newsid;
1839 struct common_audit_data ad;
1840 int rc;
1841
1842 dsec = inode_security(dir);
1843 sbsec = dir->i_sb->s_security;
1844
1845 sid = tsec->sid;
1846
1847 ad.type = LSM_AUDIT_DATA_DENTRY;
1848 ad.u.dentry = dentry;
1849
1850 rc = avc_has_perm(&selinux_state,
1851 sid, dsec->sid, SECCLASS_DIR,
1852 DIR__ADD_NAME | DIR__SEARCH,
1853 &ad);
1854 if (rc)
1855 return rc;
1856
1857 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
1858 &dentry->d_name, tclass, &newsid);
1859 if (rc)
1860 return rc;
1861
1862 rc = avc_has_perm(&selinux_state,
1863 sid, newsid, tclass, FILE__CREATE, &ad);
1864 if (rc)
1865 return rc;
1866
1867 return avc_has_perm(&selinux_state,
1868 newsid, sbsec->sid,
1869 SECCLASS_FILESYSTEM,
1870 FILESYSTEM__ASSOCIATE, &ad);
1871}
1872
1873#define MAY_LINK 0
1874#define MAY_UNLINK 1
1875#define MAY_RMDIR 2
1876
1877/* Check whether a task can link, unlink, or rmdir a file/directory. */
1878static int may_link(struct inode *dir,
1879 struct dentry *dentry,
1880 int kind)
1881
1882{
1883 struct inode_security_struct *dsec, *isec;
1884 struct common_audit_data ad;
1885 u32 sid = current_sid();
1886 u32 av;
1887 int rc;
1888
1889 dsec = inode_security(dir);
1890 isec = backing_inode_security(dentry);
1891
1892 ad.type = LSM_AUDIT_DATA_DENTRY;
1893 ad.u.dentry = dentry;
1894
1895 av = DIR__SEARCH;
1896 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1897 rc = avc_has_perm(&selinux_state,
1898 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1899 if (rc)
1900 return rc;
1901
1902 switch (kind) {
1903 case MAY_LINK:
1904 av = FILE__LINK;
1905 break;
1906 case MAY_UNLINK:
1907 av = FILE__UNLINK;
1908 break;
1909 case MAY_RMDIR:
1910 av = DIR__RMDIR;
1911 break;
1912 default:
1913 pr_warn("SELinux: %s: unrecognized kind %d\n",
1914 __func__, kind);
1915 return 0;
1916 }
1917
1918 rc = avc_has_perm(&selinux_state,
1919 sid, isec->sid, isec->sclass, av, &ad);
1920 return rc;
1921}
1922
1923static inline int may_rename(struct inode *old_dir,
1924 struct dentry *old_dentry,
1925 struct inode *new_dir,
1926 struct dentry *new_dentry)
1927{
1928 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1929 struct common_audit_data ad;
1930 u32 sid = current_sid();
1931 u32 av;
1932 int old_is_dir, new_is_dir;
1933 int rc;
1934
1935 old_dsec = inode_security(old_dir);
1936 old_isec = backing_inode_security(old_dentry);
1937 old_is_dir = d_is_dir(old_dentry);
1938 new_dsec = inode_security(new_dir);
1939
1940 ad.type = LSM_AUDIT_DATA_DENTRY;
1941
1942 ad.u.dentry = old_dentry;
1943 rc = avc_has_perm(&selinux_state,
1944 sid, old_dsec->sid, SECCLASS_DIR,
1945 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1946 if (rc)
1947 return rc;
1948 rc = avc_has_perm(&selinux_state,
1949 sid, old_isec->sid,
1950 old_isec->sclass, FILE__RENAME, &ad);
1951 if (rc)
1952 return rc;
1953 if (old_is_dir && new_dir != old_dir) {
1954 rc = avc_has_perm(&selinux_state,
1955 sid, old_isec->sid,
1956 old_isec->sclass, DIR__REPARENT, &ad);
1957 if (rc)
1958 return rc;
1959 }
1960
1961 ad.u.dentry = new_dentry;
1962 av = DIR__ADD_NAME | DIR__SEARCH;
1963 if (d_is_positive(new_dentry))
1964 av |= DIR__REMOVE_NAME;
1965 rc = avc_has_perm(&selinux_state,
1966 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1967 if (rc)
1968 return rc;
1969 if (d_is_positive(new_dentry)) {
1970 new_isec = backing_inode_security(new_dentry);
1971 new_is_dir = d_is_dir(new_dentry);
1972 rc = avc_has_perm(&selinux_state,
1973 sid, new_isec->sid,
1974 new_isec->sclass,
1975 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1976 if (rc)
1977 return rc;
1978 }
1979
1980 return 0;
1981}
1982
1983/* Check whether a task can perform a filesystem operation. */
1984static int superblock_has_perm(const struct cred *cred,
1985 struct super_block *sb,
1986 u32 perms,
1987 struct common_audit_data *ad)
1988{
1989 struct superblock_security_struct *sbsec;
1990 u32 sid = cred_sid(cred);
1991
1992 sbsec = sb->s_security;
1993 return avc_has_perm(&selinux_state,
1994 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1995}
1996
1997/* Convert a Linux mode and permission mask to an access vector. */
1998static inline u32 file_mask_to_av(int mode, int mask)
1999{
2000 u32 av = 0;
2001
2002 if (!S_ISDIR(mode)) {
2003 if (mask & MAY_EXEC)
2004 av |= FILE__EXECUTE;
2005 if (mask & MAY_READ)
2006 av |= FILE__READ;
2007
2008 if (mask & MAY_APPEND)
2009 av |= FILE__APPEND;
2010 else if (mask & MAY_WRITE)
2011 av |= FILE__WRITE;
2012
2013 } else {
2014 if (mask & MAY_EXEC)
2015 av |= DIR__SEARCH;
2016 if (mask & MAY_WRITE)
2017 av |= DIR__WRITE;
2018 if (mask & MAY_READ)
2019 av |= DIR__READ;
2020 }
2021
2022 return av;
2023}
2024
2025/* Convert a Linux file to an access vector. */
2026static inline u32 file_to_av(struct file *file)
2027{
2028 u32 av = 0;
2029
2030 if (file->f_mode & FMODE_READ)
2031 av |= FILE__READ;
2032 if (file->f_mode & FMODE_WRITE) {
2033 if (file->f_flags & O_APPEND)
2034 av |= FILE__APPEND;
2035 else
2036 av |= FILE__WRITE;
2037 }
2038 if (!av) {
2039 /*
2040 * Special file opened with flags 3 for ioctl-only use.
2041 */
2042 av = FILE__IOCTL;
2043 }
2044
2045 return av;
2046}
2047
2048/*
2049 * Convert a file to an access vector and include the correct open
2050 * open permission.
2051 */
2052static inline u32 open_file_to_av(struct file *file)
2053{
2054 u32 av = file_to_av(file);
2055 struct inode *inode = file_inode(file);
2056
2057 if (selinux_policycap_openperm() &&
2058 inode->i_sb->s_magic != SOCKFS_MAGIC)
2059 av |= FILE__OPEN;
2060
2061 return av;
2062}
2063
2064/* Hook functions begin here. */
2065
2066static int selinux_binder_set_context_mgr(const struct cred *mgr)
2067{
2068 return avc_has_perm(&selinux_state,
2069 current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2070 BINDER__SET_CONTEXT_MGR, NULL);
2071}
2072
2073static int selinux_binder_transaction(const struct cred *from,
2074 const struct cred *to)
2075{
2076 u32 mysid = current_sid();
2077 u32 fromsid = cred_sid(from);
2078 u32 tosid = cred_sid(to);
2079 int rc;
2080
2081 if (mysid != fromsid) {
2082 rc = avc_has_perm(&selinux_state,
2083 mysid, fromsid, SECCLASS_BINDER,
2084 BINDER__IMPERSONATE, NULL);
2085 if (rc)
2086 return rc;
2087 }
2088
2089 return avc_has_perm(&selinux_state, fromsid, tosid,
2090 SECCLASS_BINDER, BINDER__CALL, NULL);
2091}
2092
2093static int selinux_binder_transfer_binder(const struct cred *from,
2094 const struct cred *to)
2095{
2096 return avc_has_perm(&selinux_state,
2097 cred_sid(from), cred_sid(to),
2098 SECCLASS_BINDER, BINDER__TRANSFER,
2099 NULL);
2100}
2101
2102static int selinux_binder_transfer_file(const struct cred *from,
2103 const struct cred *to,
2104 struct file *file)
2105{
2106 u32 sid = cred_sid(to);
2107 struct file_security_struct *fsec = selinux_file(file);
2108 struct dentry *dentry = file->f_path.dentry;
2109 struct inode_security_struct *isec;
2110 struct common_audit_data ad;
2111 int rc;
2112
2113 ad.type = LSM_AUDIT_DATA_PATH;
2114 ad.u.path = file->f_path;
2115
2116 if (sid != fsec->sid) {
2117 rc = avc_has_perm(&selinux_state,
2118 sid, fsec->sid,
2119 SECCLASS_FD,
2120 FD__USE,
2121 &ad);
2122 if (rc)
2123 return rc;
2124 }
2125
2126#ifdef CONFIG_BPF_SYSCALL
2127 rc = bpf_fd_pass(file, sid);
2128 if (rc)
2129 return rc;
2130#endif
2131
2132 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2133 return 0;
2134
2135 isec = backing_inode_security(dentry);
2136 return avc_has_perm(&selinux_state,
2137 sid, isec->sid, isec->sclass, file_to_av(file),
2138 &ad);
2139}
2140
2141static int selinux_ptrace_access_check(struct task_struct *child,
2142 unsigned int mode)
2143{
2144 u32 sid = current_sid();
2145 u32 csid = task_sid(child);
2146
2147 if (mode & PTRACE_MODE_READ)
2148 return avc_has_perm(&selinux_state,
2149 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2150
2151 return avc_has_perm(&selinux_state,
2152 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2153}
2154
2155static int selinux_ptrace_traceme(struct task_struct *parent)
2156{
2157 return avc_has_perm(&selinux_state,
2158 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2159 PROCESS__PTRACE, NULL);
2160}
2161
2162static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2163 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2164{
2165 return avc_has_perm(&selinux_state,
2166 current_sid(), task_sid(target), SECCLASS_PROCESS,
2167 PROCESS__GETCAP, NULL);
2168}
2169
2170static int selinux_capset(struct cred *new, const struct cred *old,
2171 const kernel_cap_t *effective,
2172 const kernel_cap_t *inheritable,
2173 const kernel_cap_t *permitted)
2174{
2175 return avc_has_perm(&selinux_state,
2176 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2177 PROCESS__SETCAP, NULL);
2178}
2179
2180/*
2181 * (This comment used to live with the selinux_task_setuid hook,
2182 * which was removed).
2183 *
2184 * Since setuid only affects the current process, and since the SELinux
2185 * controls are not based on the Linux identity attributes, SELinux does not
2186 * need to control this operation. However, SELinux does control the use of
2187 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2188 */
2189
2190static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2191 int cap, unsigned int opts)
2192{
2193 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2194}
2195
2196static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2197{
2198 const struct cred *cred = current_cred();
2199 int rc = 0;
2200
2201 if (!sb)
2202 return 0;
2203
2204 switch (cmds) {
2205 case Q_SYNC:
2206 case Q_QUOTAON:
2207 case Q_QUOTAOFF:
2208 case Q_SETINFO:
2209 case Q_SETQUOTA:
2210 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2211 break;
2212 case Q_GETFMT:
2213 case Q_GETINFO:
2214 case Q_GETQUOTA:
2215 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2216 break;
2217 default:
2218 rc = 0; /* let the kernel handle invalid cmds */
2219 break;
2220 }
2221 return rc;
2222}
2223
2224static int selinux_quota_on(struct dentry *dentry)
2225{
2226 const struct cred *cred = current_cred();
2227
2228 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2229}
2230
2231static int selinux_syslog(int type)
2232{
2233 switch (type) {
2234 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2235 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2236 return avc_has_perm(&selinux_state,
2237 current_sid(), SECINITSID_KERNEL,
2238 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2239 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2240 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2241 /* Set level of messages printed to console */
2242 case SYSLOG_ACTION_CONSOLE_LEVEL:
2243 return avc_has_perm(&selinux_state,
2244 current_sid(), SECINITSID_KERNEL,
2245 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2246 NULL);
2247 }
2248 /* All other syslog types */
2249 return avc_has_perm(&selinux_state,
2250 current_sid(), SECINITSID_KERNEL,
2251 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2252}
2253
2254/*
2255 * Check that a process has enough memory to allocate a new virtual
2256 * mapping. 0 means there is enough memory for the allocation to
2257 * succeed and -ENOMEM implies there is not.
2258 *
2259 * Do not audit the selinux permission check, as this is applied to all
2260 * processes that allocate mappings.
2261 */
2262static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2263{
2264 int rc, cap_sys_admin = 0;
2265
2266 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2267 CAP_OPT_NOAUDIT, true);
2268 if (rc == 0)
2269 cap_sys_admin = 1;
2270
2271 return cap_sys_admin;
2272}
2273
2274/* binprm security operations */
2275
2276static u32 ptrace_parent_sid(void)
2277{
2278 u32 sid = 0;
2279 struct task_struct *tracer;
2280
2281 rcu_read_lock();
2282 tracer = ptrace_parent(current);
2283 if (tracer)
2284 sid = task_sid(tracer);
2285 rcu_read_unlock();
2286
2287 return sid;
2288}
2289
2290static int check_nnp_nosuid(const struct linux_binprm *bprm,
2291 const struct task_security_struct *old_tsec,
2292 const struct task_security_struct *new_tsec)
2293{
2294 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2295 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2296 int rc;
2297 u32 av;
2298
2299 if (!nnp && !nosuid)
2300 return 0; /* neither NNP nor nosuid */
2301
2302 if (new_tsec->sid == old_tsec->sid)
2303 return 0; /* No change in credentials */
2304
2305 /*
2306 * If the policy enables the nnp_nosuid_transition policy capability,
2307 * then we permit transitions under NNP or nosuid if the
2308 * policy allows the corresponding permission between
2309 * the old and new contexts.
2310 */
2311 if (selinux_policycap_nnp_nosuid_transition()) {
2312 av = 0;
2313 if (nnp)
2314 av |= PROCESS2__NNP_TRANSITION;
2315 if (nosuid)
2316 av |= PROCESS2__NOSUID_TRANSITION;
2317 rc = avc_has_perm(&selinux_state,
2318 old_tsec->sid, new_tsec->sid,
2319 SECCLASS_PROCESS2, av, NULL);
2320 if (!rc)
2321 return 0;
2322 }
2323
2324 /*
2325 * We also permit NNP or nosuid transitions to bounded SIDs,
2326 * i.e. SIDs that are guaranteed to only be allowed a subset
2327 * of the permissions of the current SID.
2328 */
2329 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2330 new_tsec->sid);
2331 if (!rc)
2332 return 0;
2333
2334 /*
2335 * On failure, preserve the errno values for NNP vs nosuid.
2336 * NNP: Operation not permitted for caller.
2337 * nosuid: Permission denied to file.
2338 */
2339 if (nnp)
2340 return -EPERM;
2341 return -EACCES;
2342}
2343
2344static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2345{
2346 const struct task_security_struct *old_tsec;
2347 struct task_security_struct *new_tsec;
2348 struct inode_security_struct *isec;
2349 struct common_audit_data ad;
2350 struct inode *inode = file_inode(bprm->file);
2351 int rc;
2352
2353 /* SELinux context only depends on initial program or script and not
2354 * the script interpreter */
2355 if (bprm->called_set_creds)
2356 return 0;
2357
2358 old_tsec = selinux_cred(current_cred());
2359 new_tsec = selinux_cred(bprm->cred);
2360 isec = inode_security(inode);
2361
2362 /* Default to the current task SID. */
2363 new_tsec->sid = old_tsec->sid;
2364 new_tsec->osid = old_tsec->sid;
2365
2366 /* Reset fs, key, and sock SIDs on execve. */
2367 new_tsec->create_sid = 0;
2368 new_tsec->keycreate_sid = 0;
2369 new_tsec->sockcreate_sid = 0;
2370
2371 if (old_tsec->exec_sid) {
2372 new_tsec->sid = old_tsec->exec_sid;
2373 /* Reset exec SID on execve. */
2374 new_tsec->exec_sid = 0;
2375
2376 /* Fail on NNP or nosuid if not an allowed transition. */
2377 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2378 if (rc)
2379 return rc;
2380 } else {
2381 /* Check for a default transition on this program. */
2382 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2383 isec->sid, SECCLASS_PROCESS, NULL,
2384 &new_tsec->sid);
2385 if (rc)
2386 return rc;
2387
2388 /*
2389 * Fallback to old SID on NNP or nosuid if not an allowed
2390 * transition.
2391 */
2392 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2393 if (rc)
2394 new_tsec->sid = old_tsec->sid;
2395 }
2396
2397 ad.type = LSM_AUDIT_DATA_FILE;
2398 ad.u.file = bprm->file;
2399
2400 if (new_tsec->sid == old_tsec->sid) {
2401 rc = avc_has_perm(&selinux_state,
2402 old_tsec->sid, isec->sid,
2403 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2404 if (rc)
2405 return rc;
2406 } else {
2407 /* Check permissions for the transition. */
2408 rc = avc_has_perm(&selinux_state,
2409 old_tsec->sid, new_tsec->sid,
2410 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2411 if (rc)
2412 return rc;
2413
2414 rc = avc_has_perm(&selinux_state,
2415 new_tsec->sid, isec->sid,
2416 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2417 if (rc)
2418 return rc;
2419
2420 /* Check for shared state */
2421 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2422 rc = avc_has_perm(&selinux_state,
2423 old_tsec->sid, new_tsec->sid,
2424 SECCLASS_PROCESS, PROCESS__SHARE,
2425 NULL);
2426 if (rc)
2427 return -EPERM;
2428 }
2429
2430 /* Make sure that anyone attempting to ptrace over a task that
2431 * changes its SID has the appropriate permit */
2432 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2433 u32 ptsid = ptrace_parent_sid();
2434 if (ptsid != 0) {
2435 rc = avc_has_perm(&selinux_state,
2436 ptsid, new_tsec->sid,
2437 SECCLASS_PROCESS,
2438 PROCESS__PTRACE, NULL);
2439 if (rc)
2440 return -EPERM;
2441 }
2442 }
2443
2444 /* Clear any possibly unsafe personality bits on exec: */
2445 bprm->per_clear |= PER_CLEAR_ON_SETID;
2446
2447 /* Enable secure mode for SIDs transitions unless
2448 the noatsecure permission is granted between
2449 the two SIDs, i.e. ahp returns 0. */
2450 rc = avc_has_perm(&selinux_state,
2451 old_tsec->sid, new_tsec->sid,
2452 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2453 NULL);
2454 bprm->secureexec |= !!rc;
2455 }
2456
2457 return 0;
2458}
2459
2460static int match_file(const void *p, struct file *file, unsigned fd)
2461{
2462 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2463}
2464
2465/* Derived from fs/exec.c:flush_old_files. */
2466static inline void flush_unauthorized_files(const struct cred *cred,
2467 struct files_struct *files)
2468{
2469 struct file *file, *devnull = NULL;
2470 struct tty_struct *tty;
2471 int drop_tty = 0;
2472 unsigned n;
2473
2474 tty = get_current_tty();
2475 if (tty) {
2476 spin_lock(&tty->files_lock);
2477 if (!list_empty(&tty->tty_files)) {
2478 struct tty_file_private *file_priv;
2479
2480 /* Revalidate access to controlling tty.
2481 Use file_path_has_perm on the tty path directly
2482 rather than using file_has_perm, as this particular
2483 open file may belong to another process and we are
2484 only interested in the inode-based check here. */
2485 file_priv = list_first_entry(&tty->tty_files,
2486 struct tty_file_private, list);
2487 file = file_priv->file;
2488 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2489 drop_tty = 1;
2490 }
2491 spin_unlock(&tty->files_lock);
2492 tty_kref_put(tty);
2493 }
2494 /* Reset controlling tty. */
2495 if (drop_tty)
2496 no_tty();
2497
2498 /* Revalidate access to inherited open files. */
2499 n = iterate_fd(files, 0, match_file, cred);
2500 if (!n) /* none found? */
2501 return;
2502
2503 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2504 if (IS_ERR(devnull))
2505 devnull = NULL;
2506 /* replace all the matching ones with this */
2507 do {
2508 replace_fd(n - 1, devnull, 0);
2509 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2510 if (devnull)
2511 fput(devnull);
2512}
2513
2514/*
2515 * Prepare a process for imminent new credential changes due to exec
2516 */
2517static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2518{
2519 struct task_security_struct *new_tsec;
2520 struct rlimit *rlim, *initrlim;
2521 int rc, i;
2522
2523 new_tsec = selinux_cred(bprm->cred);
2524 if (new_tsec->sid == new_tsec->osid)
2525 return;
2526
2527 /* Close files for which the new task SID is not authorized. */
2528 flush_unauthorized_files(bprm->cred, current->files);
2529
2530 /* Always clear parent death signal on SID transitions. */
2531 current->pdeath_signal = 0;
2532
2533 /* Check whether the new SID can inherit resource limits from the old
2534 * SID. If not, reset all soft limits to the lower of the current
2535 * task's hard limit and the init task's soft limit.
2536 *
2537 * Note that the setting of hard limits (even to lower them) can be
2538 * controlled by the setrlimit check. The inclusion of the init task's
2539 * soft limit into the computation is to avoid resetting soft limits
2540 * higher than the default soft limit for cases where the default is
2541 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2542 */
2543 rc = avc_has_perm(&selinux_state,
2544 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2545 PROCESS__RLIMITINH, NULL);
2546 if (rc) {
2547 /* protect against do_prlimit() */
2548 task_lock(current);
2549 for (i = 0; i < RLIM_NLIMITS; i++) {
2550 rlim = current->signal->rlim + i;
2551 initrlim = init_task.signal->rlim + i;
2552 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2553 }
2554 task_unlock(current);
2555 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2556 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2557 }
2558}
2559
2560/*
2561 * Clean up the process immediately after the installation of new credentials
2562 * due to exec
2563 */
2564static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2565{
2566 const struct task_security_struct *tsec = selinux_cred(current_cred());
2567 u32 osid, sid;
2568 int rc;
2569
2570 osid = tsec->osid;
2571 sid = tsec->sid;
2572
2573 if (sid == osid)
2574 return;
2575
2576 /* Check whether the new SID can inherit signal state from the old SID.
2577 * If not, clear itimers to avoid subsequent signal generation and
2578 * flush and unblock signals.
2579 *
2580 * This must occur _after_ the task SID has been updated so that any
2581 * kill done after the flush will be checked against the new SID.
2582 */
2583 rc = avc_has_perm(&selinux_state,
2584 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2585 if (rc) {
2586 clear_itimer();
2587
2588 spin_lock_irq(&current->sighand->siglock);
2589 if (!fatal_signal_pending(current)) {
2590 flush_sigqueue(&current->pending);
2591 flush_sigqueue(&current->signal->shared_pending);
2592 flush_signal_handlers(current, 1);
2593 sigemptyset(&current->blocked);
2594 recalc_sigpending();
2595 }
2596 spin_unlock_irq(&current->sighand->siglock);
2597 }
2598
2599 /* Wake up the parent if it is waiting so that it can recheck
2600 * wait permission to the new task SID. */
2601 read_lock(&tasklist_lock);
2602 __wake_up_parent(current, current->real_parent);
2603 read_unlock(&tasklist_lock);
2604}
2605
2606/* superblock security operations */
2607
2608static int selinux_sb_alloc_security(struct super_block *sb)
2609{
2610 return superblock_alloc_security(sb);
2611}
2612
2613static void selinux_sb_free_security(struct super_block *sb)
2614{
2615 superblock_free_security(sb);
2616}
2617
2618static inline int opt_len(const char *s)
2619{
2620 bool open_quote = false;
2621 int len;
2622 char c;
2623
2624 for (len = 0; (c = s[len]) != '\0'; len++) {
2625 if (c == '"')
2626 open_quote = !open_quote;
2627 if (c == ',' && !open_quote)
2628 break;
2629 }
2630 return len;
2631}
2632
2633static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2634{
2635 char *from = options;
2636 char *to = options;
2637 bool first = true;
2638 int rc;
2639
2640 while (1) {
2641 int len = opt_len(from);
2642 int token;
2643 char *arg = NULL;
2644
2645 token = match_opt_prefix(from, len, &arg);
2646
2647 if (token != Opt_error) {
2648 char *p, *q;
2649
2650 /* strip quotes */
2651 if (arg) {
2652 for (p = q = arg; p < from + len; p++) {
2653 char c = *p;
2654 if (c != '"')
2655 *q++ = c;
2656 }
2657 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2658 if (!arg) {
2659 rc = -ENOMEM;
2660 goto free_opt;
2661 }
2662 }
2663 rc = selinux_add_opt(token, arg, mnt_opts);
2664 if (unlikely(rc)) {
2665 kfree(arg);
2666 goto free_opt;
2667 }
2668 } else {
2669 if (!first) { // copy with preceding comma
2670 from--;
2671 len++;
2672 }
2673 if (to != from)
2674 memmove(to, from, len);
2675 to += len;
2676 first = false;
2677 }
2678 if (!from[len])
2679 break;
2680 from += len + 1;
2681 }
2682 *to = '\0';
2683 return 0;
2684
2685free_opt:
2686 if (*mnt_opts) {
2687 selinux_free_mnt_opts(*mnt_opts);
2688 *mnt_opts = NULL;
2689 }
2690 return rc;
2691}
2692
2693static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2694{
2695 struct selinux_mnt_opts *opts = mnt_opts;
2696 struct superblock_security_struct *sbsec = sb->s_security;
2697 u32 sid;
2698 int rc;
2699
2700 if (!(sbsec->flags & SE_SBINITIALIZED))
2701 return 0;
2702
2703 if (!opts)
2704 return 0;
2705
2706 if (opts->fscontext) {
2707 rc = parse_sid(sb, opts->fscontext, &sid);
2708 if (rc)
2709 return rc;
2710 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2711 goto out_bad_option;
2712 }
2713 if (opts->context) {
2714 rc = parse_sid(sb, opts->context, &sid);
2715 if (rc)
2716 return rc;
2717 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2718 goto out_bad_option;
2719 }
2720 if (opts->rootcontext) {
2721 struct inode_security_struct *root_isec;
2722 root_isec = backing_inode_security(sb->s_root);
2723 rc = parse_sid(sb, opts->rootcontext, &sid);
2724 if (rc)
2725 return rc;
2726 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2727 goto out_bad_option;
2728 }
2729 if (opts->defcontext) {
2730 rc = parse_sid(sb, opts->defcontext, &sid);
2731 if (rc)
2732 return rc;
2733 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2734 goto out_bad_option;
2735 }
2736 return 0;
2737
2738out_bad_option:
2739 pr_warn("SELinux: unable to change security options "
2740 "during remount (dev %s, type=%s)\n", sb->s_id,
2741 sb->s_type->name);
2742 return -EINVAL;
2743}
2744
2745static int selinux_sb_kern_mount(struct super_block *sb)
2746{
2747 const struct cred *cred = current_cred();
2748 struct common_audit_data ad;
2749
2750 ad.type = LSM_AUDIT_DATA_DENTRY;
2751 ad.u.dentry = sb->s_root;
2752 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2753}
2754
2755static int selinux_sb_statfs(struct dentry *dentry)
2756{
2757 const struct cred *cred = current_cred();
2758 struct common_audit_data ad;
2759
2760 ad.type = LSM_AUDIT_DATA_DENTRY;
2761 ad.u.dentry = dentry->d_sb->s_root;
2762 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2763}
2764
2765static int selinux_mount(const char *dev_name,
2766 const struct path *path,
2767 const char *type,
2768 unsigned long flags,
2769 void *data)
2770{
2771 const struct cred *cred = current_cred();
2772
2773 if (flags & MS_REMOUNT)
2774 return superblock_has_perm(cred, path->dentry->d_sb,
2775 FILESYSTEM__REMOUNT, NULL);
2776 else
2777 return path_has_perm(cred, path, FILE__MOUNTON);
2778}
2779
2780static int selinux_move_mount(const struct path *from_path,
2781 const struct path *to_path)
2782{
2783 const struct cred *cred = current_cred();
2784
2785 return path_has_perm(cred, to_path, FILE__MOUNTON);
2786}
2787
2788static int selinux_umount(struct vfsmount *mnt, int flags)
2789{
2790 const struct cred *cred = current_cred();
2791
2792 return superblock_has_perm(cred, mnt->mnt_sb,
2793 FILESYSTEM__UNMOUNT, NULL);
2794}
2795
2796static int selinux_fs_context_dup(struct fs_context *fc,
2797 struct fs_context *src_fc)
2798{
2799 const struct selinux_mnt_opts *src = src_fc->security;
2800 struct selinux_mnt_opts *opts;
2801
2802 if (!src)
2803 return 0;
2804
2805 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2806 if (!fc->security)
2807 return -ENOMEM;
2808
2809 opts = fc->security;
2810
2811 if (src->fscontext) {
2812 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2813 if (!opts->fscontext)
2814 return -ENOMEM;
2815 }
2816 if (src->context) {
2817 opts->context = kstrdup(src->context, GFP_KERNEL);
2818 if (!opts->context)
2819 return -ENOMEM;
2820 }
2821 if (src->rootcontext) {
2822 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2823 if (!opts->rootcontext)
2824 return -ENOMEM;
2825 }
2826 if (src->defcontext) {
2827 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2828 if (!opts->defcontext)
2829 return -ENOMEM;
2830 }
2831 return 0;
2832}
2833
2834static const struct fs_parameter_spec selinux_param_specs[] = {
2835 fsparam_string(CONTEXT_STR, Opt_context),
2836 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2837 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2838 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2839 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2840 {}
2841};
2842
2843static const struct fs_parameter_description selinux_fs_parameters = {
2844 .name = "SELinux",
2845 .specs = selinux_param_specs,
2846};
2847
2848static int selinux_fs_context_parse_param(struct fs_context *fc,
2849 struct fs_parameter *param)
2850{
2851 struct fs_parse_result result;
2852 int opt, rc;
2853
2854 opt = fs_parse(fc, &selinux_fs_parameters, param, &result);
2855 if (opt < 0)
2856 return opt;
2857
2858 rc = selinux_add_opt(opt, param->string, &fc->security);
2859 if (!rc)
2860 param->string = NULL;
2861
2862 return rc;
2863}
2864
2865/* inode security operations */
2866
2867static int selinux_inode_alloc_security(struct inode *inode)
2868{
2869 return inode_alloc_security(inode);
2870}
2871
2872static void selinux_inode_free_security(struct inode *inode)
2873{
2874 inode_free_security(inode);
2875}
2876
2877static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2878 const struct qstr *name, void **ctx,
2879 u32 *ctxlen)
2880{
2881 u32 newsid;
2882 int rc;
2883
2884 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2885 d_inode(dentry->d_parent), name,
2886 inode_mode_to_security_class(mode),
2887 &newsid);
2888 if (rc)
2889 return rc;
2890
2891 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2892 ctxlen);
2893}
2894
2895static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2896 struct qstr *name,
2897 const struct cred *old,
2898 struct cred *new)
2899{
2900 u32 newsid;
2901 int rc;
2902 struct task_security_struct *tsec;
2903
2904 rc = selinux_determine_inode_label(selinux_cred(old),
2905 d_inode(dentry->d_parent), name,
2906 inode_mode_to_security_class(mode),
2907 &newsid);
2908 if (rc)
2909 return rc;
2910
2911 tsec = selinux_cred(new);
2912 tsec->create_sid = newsid;
2913 return 0;
2914}
2915
2916static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2917 const struct qstr *qstr,
2918 const char **name,
2919 void **value, size_t *len)
2920{
2921 const struct task_security_struct *tsec = selinux_cred(current_cred());
2922 struct superblock_security_struct *sbsec;
2923 u32 newsid, clen;
2924 int rc;
2925 char *context;
2926
2927 sbsec = dir->i_sb->s_security;
2928
2929 newsid = tsec->create_sid;
2930
2931 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2932 dir, qstr,
2933 inode_mode_to_security_class(inode->i_mode),
2934 &newsid);
2935 if (rc)
2936 return rc;
2937
2938 /* Possibly defer initialization to selinux_complete_init. */
2939 if (sbsec->flags & SE_SBINITIALIZED) {
2940 struct inode_security_struct *isec = selinux_inode(inode);
2941 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2942 isec->sid = newsid;
2943 isec->initialized = LABEL_INITIALIZED;
2944 }
2945
2946 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
2947 return -EOPNOTSUPP;
2948
2949 if (name)
2950 *name = XATTR_SELINUX_SUFFIX;
2951
2952 if (value && len) {
2953 rc = security_sid_to_context_force(&selinux_state, newsid,
2954 &context, &clen);
2955 if (rc)
2956 return rc;
2957 *value = context;
2958 *len = clen;
2959 }
2960
2961 return 0;
2962}
2963
2964static int selinux_inode_init_security_anon(struct inode *inode,
2965 const struct qstr *name,
2966 const struct inode *context_inode)
2967{
2968 const struct task_security_struct *tsec = selinux_cred(current_cred());
2969 struct common_audit_data ad;
2970 struct inode_security_struct *isec;
2971 int rc;
2972
2973 if (unlikely(!selinux_state.initialized))
2974 return 0;
2975
2976 isec = selinux_inode(inode);
2977
2978 /*
2979 * We only get here once per ephemeral inode. The inode has
2980 * been initialized via inode_alloc_security but is otherwise
2981 * untouched.
2982 */
2983
2984 if (context_inode) {
2985 struct inode_security_struct *context_isec =
2986 selinux_inode(context_inode);
2987 if (context_isec->initialized != LABEL_INITIALIZED) {
2988 pr_err("SELinux: context_inode is not initialized");
2989 return -EACCES;
2990 }
2991
2992 isec->sclass = context_isec->sclass;
2993 isec->sid = context_isec->sid;
2994 } else {
2995 isec->sclass = SECCLASS_ANON_INODE;
2996 rc = security_transition_sid(
2997 &selinux_state, tsec->sid, tsec->sid,
2998 isec->sclass, name, &isec->sid);
2999 if (rc)
3000 return rc;
3001 }
3002
3003 isec->initialized = LABEL_INITIALIZED;
3004 /*
3005 * Now that we've initialized security, check whether we're
3006 * allowed to actually create this type of anonymous inode.
3007 */
3008
3009 ad.type = LSM_AUDIT_DATA_INODE;
3010 ad.u.inode = inode;
3011
3012 return avc_has_perm(&selinux_state,
3013 tsec->sid,
3014 isec->sid,
3015 isec->sclass,
3016 FILE__CREATE,
3017 &ad);
3018}
3019
3020static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3021{
3022 return may_create(dir, dentry, SECCLASS_FILE);
3023}
3024
3025static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3026{
3027 return may_link(dir, old_dentry, MAY_LINK);
3028}
3029
3030static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3031{
3032 return may_link(dir, dentry, MAY_UNLINK);
3033}
3034
3035static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3036{
3037 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3038}
3039
3040static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3041{
3042 return may_create(dir, dentry, SECCLASS_DIR);
3043}
3044
3045static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3046{
3047 return may_link(dir, dentry, MAY_RMDIR);
3048}
3049
3050static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3051{
3052 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3053}
3054
3055static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3056 struct inode *new_inode, struct dentry *new_dentry)
3057{
3058 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3059}
3060
3061static int selinux_inode_readlink(struct dentry *dentry)
3062{
3063 const struct cred *cred = current_cred();
3064
3065 return dentry_has_perm(cred, dentry, FILE__READ);
3066}
3067
3068static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3069 bool rcu)
3070{
3071 const struct cred *cred = current_cred();
3072 struct common_audit_data ad;
3073 struct inode_security_struct *isec;
3074 u32 sid;
3075
3076 validate_creds(cred);
3077
3078 ad.type = LSM_AUDIT_DATA_DENTRY;
3079 ad.u.dentry = dentry;
3080 sid = cred_sid(cred);
3081 isec = inode_security_rcu(inode, rcu);
3082 if (IS_ERR(isec))
3083 return PTR_ERR(isec);
3084
3085 return avc_has_perm_flags(&selinux_state,
3086 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3087 rcu ? MAY_NOT_BLOCK : 0);
3088}
3089
3090static noinline int audit_inode_permission(struct inode *inode,
3091 u32 perms, u32 audited, u32 denied,
3092 int result)
3093{
3094 struct common_audit_data ad;
3095 struct inode_security_struct *isec = selinux_inode(inode);
3096 int rc;
3097
3098 ad.type = LSM_AUDIT_DATA_INODE;
3099 ad.u.inode = inode;
3100
3101 rc = slow_avc_audit(&selinux_state,
3102 current_sid(), isec->sid, isec->sclass, perms,
3103 audited, denied, result, &ad);
3104 if (rc)
3105 return rc;
3106 return 0;
3107}
3108
3109static int selinux_inode_permission(struct inode *inode, int mask)
3110{
3111 const struct cred *cred = current_cred();
3112 u32 perms;
3113 bool from_access;
3114 unsigned flags = mask & MAY_NOT_BLOCK;
3115 struct inode_security_struct *isec;
3116 u32 sid;
3117 struct av_decision avd;
3118 int rc, rc2;
3119 u32 audited, denied;
3120
3121 from_access = mask & MAY_ACCESS;
3122 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3123
3124 /* No permission to check. Existence test. */
3125 if (!mask)
3126 return 0;
3127
3128 validate_creds(cred);
3129
3130 if (unlikely(IS_PRIVATE(inode)))
3131 return 0;
3132
3133 perms = file_mask_to_av(inode->i_mode, mask);
3134
3135 sid = cred_sid(cred);
3136 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3137 if (IS_ERR(isec))
3138 return PTR_ERR(isec);
3139
3140 rc = avc_has_perm_noaudit(&selinux_state,
3141 sid, isec->sid, isec->sclass, perms,
3142 (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
3143 &avd);
3144 audited = avc_audit_required(perms, &avd, rc,
3145 from_access ? FILE__AUDIT_ACCESS : 0,
3146 &denied);
3147 if (likely(!audited))
3148 return rc;
3149
3150 /* fall back to ref-walk if we have to generate audit */
3151 if (flags & MAY_NOT_BLOCK)
3152 return -ECHILD;
3153
3154 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3155 if (rc2)
3156 return rc2;
3157 return rc;
3158}
3159
3160static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3161{
3162 const struct cred *cred = current_cred();
3163 struct inode *inode = d_backing_inode(dentry);
3164 unsigned int ia_valid = iattr->ia_valid;
3165 __u32 av = FILE__WRITE;
3166
3167 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3168 if (ia_valid & ATTR_FORCE) {
3169 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3170 ATTR_FORCE);
3171 if (!ia_valid)
3172 return 0;
3173 }
3174
3175 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3176 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3177 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3178
3179 if (selinux_policycap_openperm() &&
3180 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3181 (ia_valid & ATTR_SIZE) &&
3182 !(ia_valid & ATTR_FILE))
3183 av |= FILE__OPEN;
3184
3185 return dentry_has_perm(cred, dentry, av);
3186}
3187
3188static int selinux_inode_getattr(const struct path *path)
3189{
3190 return path_has_perm(current_cred(), path, FILE__GETATTR);
3191}
3192
3193static bool has_cap_mac_admin(bool audit)
3194{
3195 const struct cred *cred = current_cred();
3196 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3197
3198 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3199 return false;
3200 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3201 return false;
3202 return true;
3203}
3204
3205static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3206 const void *value, size_t size, int flags)
3207{
3208 struct inode *inode = d_backing_inode(dentry);
3209 struct inode_security_struct *isec;
3210 struct superblock_security_struct *sbsec;
3211 struct common_audit_data ad;
3212 u32 newsid, sid = current_sid();
3213 int rc = 0;
3214
3215 if (strcmp(name, XATTR_NAME_SELINUX)) {
3216 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3217 if (rc)
3218 return rc;
3219
3220 /* Not an attribute we recognize, so just check the
3221 ordinary setattr permission. */
3222 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3223 }
3224
3225 if (!selinux_state.initialized)
3226 return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3227
3228 sbsec = inode->i_sb->s_security;
3229 if (!(sbsec->flags & SBLABEL_MNT))
3230 return -EOPNOTSUPP;
3231
3232 if (!inode_owner_or_capable(inode))
3233 return -EPERM;
3234
3235 ad.type = LSM_AUDIT_DATA_DENTRY;
3236 ad.u.dentry = dentry;
3237
3238 isec = backing_inode_security(dentry);
3239 rc = avc_has_perm(&selinux_state,
3240 sid, isec->sid, isec->sclass,
3241 FILE__RELABELFROM, &ad);
3242 if (rc)
3243 return rc;
3244
3245 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3246 GFP_KERNEL);
3247 if (rc == -EINVAL) {
3248 if (!has_cap_mac_admin(true)) {
3249 struct audit_buffer *ab;
3250 size_t audit_size;
3251
3252 /* We strip a nul only if it is at the end, otherwise the
3253 * context contains a nul and we should audit that */
3254 if (value) {
3255 const char *str = value;
3256
3257 if (str[size - 1] == '\0')
3258 audit_size = size - 1;
3259 else
3260 audit_size = size;
3261 } else {
3262 audit_size = 0;
3263 }
3264 ab = audit_log_start(audit_context(),
3265 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3266 audit_log_format(ab, "op=setxattr invalid_context=");
3267 audit_log_n_untrustedstring(ab, value, audit_size);
3268 audit_log_end(ab);
3269
3270 return rc;
3271 }
3272 rc = security_context_to_sid_force(&selinux_state, value,
3273 size, &newsid);
3274 }
3275 if (rc)
3276 return rc;
3277
3278 rc = avc_has_perm(&selinux_state,
3279 sid, newsid, isec->sclass,
3280 FILE__RELABELTO, &ad);
3281 if (rc)
3282 return rc;
3283
3284 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3285 sid, isec->sclass);
3286 if (rc)
3287 return rc;
3288
3289 return avc_has_perm(&selinux_state,
3290 newsid,
3291 sbsec->sid,
3292 SECCLASS_FILESYSTEM,
3293 FILESYSTEM__ASSOCIATE,
3294 &ad);
3295}
3296
3297static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3298 const void *value, size_t size,
3299 int flags)
3300{
3301 struct inode *inode = d_backing_inode(dentry);
3302 struct inode_security_struct *isec;
3303 u32 newsid;
3304 int rc;
3305
3306 if (strcmp(name, XATTR_NAME_SELINUX)) {
3307 /* Not an attribute we recognize, so nothing to do. */
3308 return;
3309 }
3310
3311 if (!selinux_state.initialized) {
3312 /* If we haven't even been initialized, then we can't validate
3313 * against a policy, so leave the label as invalid. It may
3314 * resolve to a valid label on the next revalidation try if
3315 * we've since initialized.
3316 */
3317 return;
3318 }
3319
3320 rc = security_context_to_sid_force(&selinux_state, value, size,
3321 &newsid);
3322 if (rc) {
3323 pr_err("SELinux: unable to map context to SID"
3324 "for (%s, %lu), rc=%d\n",
3325 inode->i_sb->s_id, inode->i_ino, -rc);
3326 return;
3327 }
3328
3329 isec = backing_inode_security(dentry);
3330 spin_lock(&isec->lock);
3331 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3332 isec->sid = newsid;
3333 isec->initialized = LABEL_INITIALIZED;
3334 spin_unlock(&isec->lock);
3335
3336 return;
3337}
3338
3339static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3340{
3341 const struct cred *cred = current_cred();
3342
3343 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3344}
3345
3346static int selinux_inode_listxattr(struct dentry *dentry)
3347{
3348 const struct cred *cred = current_cred();
3349
3350 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3351}
3352
3353static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3354{
3355 if (strcmp(name, XATTR_NAME_SELINUX)) {
3356 int rc = cap_inode_removexattr(dentry, name);
3357 if (rc)
3358 return rc;
3359
3360 /* Not an attribute we recognize, so just check the
3361 ordinary setattr permission. */
3362 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3363 }
3364
3365 /* No one is allowed to remove a SELinux security label.
3366 You can change the label, but all data must be labeled. */
3367 return -EACCES;
3368}
3369
3370static int selinux_path_notify(const struct path *path, u64 mask,
3371 unsigned int obj_type)
3372{
3373 int ret;
3374 u32 perm;
3375
3376 struct common_audit_data ad;
3377
3378 ad.type = LSM_AUDIT_DATA_PATH;
3379 ad.u.path = *path;
3380
3381 /*
3382 * Set permission needed based on the type of mark being set.
3383 * Performs an additional check for sb watches.
3384 */
3385 switch (obj_type) {
3386 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3387 perm = FILE__WATCH_MOUNT;
3388 break;
3389 case FSNOTIFY_OBJ_TYPE_SB:
3390 perm = FILE__WATCH_SB;
3391 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3392 FILESYSTEM__WATCH, &ad);
3393 if (ret)
3394 return ret;
3395 break;
3396 case FSNOTIFY_OBJ_TYPE_INODE:
3397 perm = FILE__WATCH;
3398 break;
3399 default:
3400 return -EINVAL;
3401 }
3402
3403 /* blocking watches require the file:watch_with_perm permission */
3404 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3405 perm |= FILE__WATCH_WITH_PERM;
3406
3407 /* watches on read-like events need the file:watch_reads permission */
3408 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3409 perm |= FILE__WATCH_READS;
3410
3411 return path_has_perm(current_cred(), path, perm);
3412}
3413
3414/*
3415 * Copy the inode security context value to the user.
3416 *
3417 * Permission check is handled by selinux_inode_getxattr hook.
3418 */
3419static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3420{
3421 u32 size;
3422 int error;
3423 char *context = NULL;
3424 struct inode_security_struct *isec;
3425
3426 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3427 return -EOPNOTSUPP;
3428
3429 /*
3430 * If the caller has CAP_MAC_ADMIN, then get the raw context
3431 * value even if it is not defined by current policy; otherwise,
3432 * use the in-core value under current policy.
3433 * Use the non-auditing forms of the permission checks since
3434 * getxattr may be called by unprivileged processes commonly
3435 * and lack of permission just means that we fall back to the
3436 * in-core context value, not a denial.
3437 */
3438 isec = inode_security(inode);
3439 if (has_cap_mac_admin(false))
3440 error = security_sid_to_context_force(&selinux_state,
3441 isec->sid, &context,
3442 &size);
3443 else
3444 error = security_sid_to_context(&selinux_state, isec->sid,
3445 &context, &size);
3446 if (error)
3447 return error;
3448 error = size;
3449 if (alloc) {
3450 *buffer = context;
3451 goto out_nofree;
3452 }
3453 kfree(context);
3454out_nofree:
3455 return error;
3456}
3457
3458static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3459 const void *value, size_t size, int flags)
3460{
3461 struct inode_security_struct *isec = inode_security_novalidate(inode);
3462 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3463 u32 newsid;
3464 int rc;
3465
3466 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3467 return -EOPNOTSUPP;
3468
3469 if (!(sbsec->flags & SBLABEL_MNT))
3470 return -EOPNOTSUPP;
3471
3472 if (!value || !size)
3473 return -EACCES;
3474
3475 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3476 GFP_KERNEL);
3477 if (rc)
3478 return rc;
3479
3480 spin_lock(&isec->lock);
3481 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3482 isec->sid = newsid;
3483 isec->initialized = LABEL_INITIALIZED;
3484 spin_unlock(&isec->lock);
3485 return 0;
3486}
3487
3488static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3489{
3490 const int len = sizeof(XATTR_NAME_SELINUX);
3491 if (buffer && len <= buffer_size)
3492 memcpy(buffer, XATTR_NAME_SELINUX, len);
3493 return len;
3494}
3495
3496static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3497{
3498 struct inode_security_struct *isec = inode_security_novalidate(inode);
3499 *secid = isec->sid;
3500}
3501
3502static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3503{
3504 u32 sid;
3505 struct task_security_struct *tsec;
3506 struct cred *new_creds = *new;
3507
3508 if (new_creds == NULL) {
3509 new_creds = prepare_creds();
3510 if (!new_creds)
3511 return -ENOMEM;
3512 }
3513
3514 tsec = selinux_cred(new_creds);
3515 /* Get label from overlay inode and set it in create_sid */
3516 selinux_inode_getsecid(d_inode(src), &sid);
3517 tsec->create_sid = sid;
3518 *new = new_creds;
3519 return 0;
3520}
3521
3522static int selinux_inode_copy_up_xattr(const char *name)
3523{
3524 /* The copy_up hook above sets the initial context on an inode, but we
3525 * don't then want to overwrite it by blindly copying all the lower
3526 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3527 */
3528 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3529 return 1; /* Discard */
3530 /*
3531 * Any other attribute apart from SELINUX is not claimed, supported
3532 * by selinux.
3533 */
3534 return -EOPNOTSUPP;
3535}
3536
3537/* kernfs node operations */
3538
3539static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3540 struct kernfs_node *kn)
3541{
3542 const struct task_security_struct *tsec = selinux_cred(current_cred());
3543 u32 parent_sid, newsid, clen;
3544 int rc;
3545 char *context;
3546
3547 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3548 if (rc == -ENODATA)
3549 return 0;
3550 else if (rc < 0)
3551 return rc;
3552
3553 clen = (u32)rc;
3554 context = kmalloc(clen, GFP_KERNEL);
3555 if (!context)
3556 return -ENOMEM;
3557
3558 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3559 if (rc < 0) {
3560 kfree(context);
3561 return rc;
3562 }
3563
3564 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3565 GFP_KERNEL);
3566 kfree(context);
3567 if (rc)
3568 return rc;
3569
3570 if (tsec->create_sid) {
3571 newsid = tsec->create_sid;
3572 } else {
3573 u16 secclass = inode_mode_to_security_class(kn->mode);
3574 struct qstr q;
3575
3576 q.name = kn->name;
3577 q.hash_len = hashlen_string(kn_dir, kn->name);
3578
3579 rc = security_transition_sid(&selinux_state, tsec->sid,
3580 parent_sid, secclass, &q,
3581 &newsid);
3582 if (rc)
3583 return rc;
3584 }
3585
3586 rc = security_sid_to_context_force(&selinux_state, newsid,
3587 &context, &clen);
3588 if (rc)
3589 return rc;
3590
3591 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3592 XATTR_CREATE);
3593 kfree(context);
3594 return rc;
3595}
3596
3597
3598/* file security operations */
3599
3600static int selinux_revalidate_file_permission(struct file *file, int mask)
3601{
3602 const struct cred *cred = current_cred();
3603 struct inode *inode = file_inode(file);
3604
3605 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3606 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3607 mask |= MAY_APPEND;
3608
3609 return file_has_perm(cred, file,
3610 file_mask_to_av(inode->i_mode, mask));
3611}
3612
3613static int selinux_file_permission(struct file *file, int mask)
3614{
3615 struct inode *inode = file_inode(file);
3616 struct file_security_struct *fsec = selinux_file(file);
3617 struct inode_security_struct *isec;
3618 u32 sid = current_sid();
3619
3620 if (!mask)
3621 /* No permission to check. Existence test. */
3622 return 0;
3623
3624 isec = inode_security(inode);
3625 if (sid == fsec->sid && fsec->isid == isec->sid &&
3626 fsec->pseqno == avc_policy_seqno(&selinux_state))
3627 /* No change since file_open check. */
3628 return 0;
3629
3630 return selinux_revalidate_file_permission(file, mask);
3631}
3632
3633static int selinux_file_alloc_security(struct file *file)
3634{
3635 return file_alloc_security(file);
3636}
3637
3638/*
3639 * Check whether a task has the ioctl permission and cmd
3640 * operation to an inode.
3641 */
3642static int ioctl_has_perm(const struct cred *cred, struct file *file,
3643 u32 requested, u16 cmd)
3644{
3645 struct common_audit_data ad;
3646 struct file_security_struct *fsec = selinux_file(file);
3647 struct inode *inode = file_inode(file);
3648 struct inode_security_struct *isec;
3649 struct lsm_ioctlop_audit ioctl;
3650 u32 ssid = cred_sid(cred);
3651 int rc;
3652 u8 driver = cmd >> 8;
3653 u8 xperm = cmd & 0xff;
3654
3655 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3656 ad.u.op = &ioctl;
3657 ad.u.op->cmd = cmd;
3658 ad.u.op->path = file->f_path;
3659
3660 if (ssid != fsec->sid) {
3661 rc = avc_has_perm(&selinux_state,
3662 ssid, fsec->sid,
3663 SECCLASS_FD,
3664 FD__USE,
3665 &ad);
3666 if (rc)
3667 goto out;
3668 }
3669
3670 if (unlikely(IS_PRIVATE(inode)))
3671 return 0;
3672
3673 isec = inode_security(inode);
3674 rc = avc_has_extended_perms(&selinux_state,
3675 ssid, isec->sid, isec->sclass,
3676 requested, driver, xperm, &ad);
3677out:
3678 return rc;
3679}
3680
3681static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3682 unsigned long arg)
3683{
3684 const struct cred *cred = current_cred();
3685 int error = 0;
3686
3687 switch (cmd) {
3688 case FIONREAD:
3689 /* fall through */
3690 case FIBMAP:
3691 /* fall through */
3692 case FIGETBSZ:
3693 /* fall through */
3694 case FS_IOC_GETFLAGS:
3695 /* fall through */
3696 case FS_IOC_GETVERSION:
3697 error = file_has_perm(cred, file, FILE__GETATTR);
3698 break;
3699
3700 case FS_IOC_SETFLAGS:
3701 /* fall through */
3702 case FS_IOC_SETVERSION:
3703 error = file_has_perm(cred, file, FILE__SETATTR);
3704 break;
3705
3706 /* sys_ioctl() checks */
3707 case FIONBIO:
3708 /* fall through */
3709 case FIOASYNC:
3710 error = file_has_perm(cred, file, 0);
3711 break;
3712
3713 case KDSKBENT:
3714 case KDSKBSENT:
3715 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3716 CAP_OPT_NONE, true);
3717 break;
3718
3719 /* default case assumes that the command will go
3720 * to the file's ioctl() function.
3721 */
3722 default:
3723 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3724 }
3725 return error;
3726}
3727
3728static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd,
3729 unsigned long arg)
3730{
3731 /*
3732 * If we are in a 64-bit kernel running 32-bit userspace, we need to
3733 * make sure we don't compare 32-bit flags to 64-bit flags.
3734 */
3735 switch (cmd) {
3736 case FS_IOC32_GETFLAGS:
3737 cmd = FS_IOC_GETFLAGS;
3738 break;
3739 case FS_IOC32_SETFLAGS:
3740 cmd = FS_IOC_SETFLAGS;
3741 break;
3742 case FS_IOC32_GETVERSION:
3743 cmd = FS_IOC_GETVERSION;
3744 break;
3745 case FS_IOC32_SETVERSION:
3746 cmd = FS_IOC_SETVERSION;
3747 break;
3748 default:
3749 break;
3750 }
3751
3752 return selinux_file_ioctl(file, cmd, arg);
3753}
3754
3755static int default_noexec;
3756
3757static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3758{
3759 const struct cred *cred = current_cred();
3760 u32 sid = cred_sid(cred);
3761 int rc = 0;
3762
3763 if (default_noexec &&
3764 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3765 (!shared && (prot & PROT_WRITE)))) {
3766 /*
3767 * We are making executable an anonymous mapping or a
3768 * private file mapping that will also be writable.
3769 * This has an additional check.
3770 */
3771 rc = avc_has_perm(&selinux_state,
3772 sid, sid, SECCLASS_PROCESS,
3773 PROCESS__EXECMEM, NULL);
3774 if (rc)
3775 goto error;
3776 }
3777
3778 if (file) {
3779 /* read access is always possible with a mapping */
3780 u32 av = FILE__READ;
3781
3782 /* write access only matters if the mapping is shared */
3783 if (shared && (prot & PROT_WRITE))
3784 av |= FILE__WRITE;
3785
3786 if (prot & PROT_EXEC)
3787 av |= FILE__EXECUTE;
3788
3789 return file_has_perm(cred, file, av);
3790 }
3791
3792error:
3793 return rc;
3794}
3795
3796static int selinux_mmap_addr(unsigned long addr)
3797{
3798 int rc = 0;
3799
3800 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3801 u32 sid = current_sid();
3802 rc = avc_has_perm(&selinux_state,
3803 sid, sid, SECCLASS_MEMPROTECT,
3804 MEMPROTECT__MMAP_ZERO, NULL);
3805 }
3806
3807 return rc;
3808}
3809
3810static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3811 unsigned long prot, unsigned long flags)
3812{
3813 struct common_audit_data ad;
3814 int rc;
3815
3816 if (file) {
3817 ad.type = LSM_AUDIT_DATA_FILE;
3818 ad.u.file = file;
3819 rc = inode_has_perm(current_cred(), file_inode(file),
3820 FILE__MAP, &ad);
3821 if (rc)
3822 return rc;
3823 }
3824
3825 if (selinux_state.checkreqprot)
3826 prot = reqprot;
3827
3828 return file_map_prot_check(file, prot,
3829 (flags & MAP_TYPE) == MAP_SHARED);
3830}
3831
3832static int selinux_file_mprotect(struct vm_area_struct *vma,
3833 unsigned long reqprot,
3834 unsigned long prot)
3835{
3836 const struct cred *cred = current_cred();
3837 u32 sid = cred_sid(cred);
3838
3839 if (selinux_state.checkreqprot)
3840 prot = reqprot;
3841
3842 if (default_noexec &&
3843 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3844 int rc = 0;
3845 if (vma->vm_start >= vma->vm_mm->start_brk &&
3846 vma->vm_end <= vma->vm_mm->brk) {
3847 rc = avc_has_perm(&selinux_state,
3848 sid, sid, SECCLASS_PROCESS,
3849 PROCESS__EXECHEAP, NULL);
3850 } else if (!vma->vm_file &&
3851 ((vma->vm_start <= vma->vm_mm->start_stack &&
3852 vma->vm_end >= vma->vm_mm->start_stack) ||
3853 vma_is_stack_for_current(vma))) {
3854 rc = avc_has_perm(&selinux_state,
3855 sid, sid, SECCLASS_PROCESS,
3856 PROCESS__EXECSTACK, NULL);
3857 } else if (vma->vm_file && vma->anon_vma) {
3858 /*
3859 * We are making executable a file mapping that has
3860 * had some COW done. Since pages might have been
3861 * written, check ability to execute the possibly
3862 * modified content. This typically should only
3863 * occur for text relocations.
3864 */
3865 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3866 }
3867 if (rc)
3868 return rc;
3869 }
3870
3871 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3872}
3873
3874static int selinux_file_lock(struct file *file, unsigned int cmd)
3875{
3876 const struct cred *cred = current_cred();
3877
3878 return file_has_perm(cred, file, FILE__LOCK);
3879}
3880
3881static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3882 unsigned long arg)
3883{
3884 const struct cred *cred = current_cred();
3885 int err = 0;
3886
3887 switch (cmd) {
3888 case F_SETFL:
3889 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3890 err = file_has_perm(cred, file, FILE__WRITE);
3891 break;
3892 }
3893 /* fall through */
3894 case F_SETOWN:
3895 case F_SETSIG:
3896 case F_GETFL:
3897 case F_GETOWN:
3898 case F_GETSIG:
3899 case F_GETOWNER_UIDS:
3900 /* Just check FD__USE permission */
3901 err = file_has_perm(cred, file, 0);
3902 break;
3903 case F_GETLK:
3904 case F_SETLK:
3905 case F_SETLKW:
3906 case F_OFD_GETLK:
3907 case F_OFD_SETLK:
3908 case F_OFD_SETLKW:
3909#if BITS_PER_LONG == 32
3910 case F_GETLK64:
3911 case F_SETLK64:
3912 case F_SETLKW64:
3913#endif
3914 err = file_has_perm(cred, file, FILE__LOCK);
3915 break;
3916 }
3917
3918 return err;
3919}
3920
3921static void selinux_file_set_fowner(struct file *file)
3922{
3923 struct file_security_struct *fsec;
3924
3925 fsec = selinux_file(file);
3926 fsec->fown_sid = current_sid();
3927}
3928
3929static int selinux_file_send_sigiotask(struct task_struct *tsk,
3930 struct fown_struct *fown, int signum)
3931{
3932 struct file *file;
3933 u32 sid = task_sid(tsk);
3934 u32 perm;
3935 struct file_security_struct *fsec;
3936
3937 /* struct fown_struct is never outside the context of a struct file */
3938 file = container_of(fown, struct file, f_owner);
3939
3940 fsec = selinux_file(file);
3941
3942 if (!signum)
3943 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3944 else
3945 perm = signal_to_av(signum);
3946
3947 return avc_has_perm(&selinux_state,
3948 fsec->fown_sid, sid,
3949 SECCLASS_PROCESS, perm, NULL);
3950}
3951
3952static int selinux_file_receive(struct file *file)
3953{
3954 const struct cred *cred = current_cred();
3955
3956 return file_has_perm(cred, file, file_to_av(file));
3957}
3958
3959static int selinux_file_open(struct file *file)
3960{
3961 struct file_security_struct *fsec;
3962 struct inode_security_struct *isec;
3963
3964 fsec = selinux_file(file);
3965 isec = inode_security(file_inode(file));
3966 /*
3967 * Save inode label and policy sequence number
3968 * at open-time so that selinux_file_permission
3969 * can determine whether revalidation is necessary.
3970 * Task label is already saved in the file security
3971 * struct as its SID.
3972 */
3973 fsec->isid = isec->sid;
3974 fsec->pseqno = avc_policy_seqno(&selinux_state);
3975 /*
3976 * Since the inode label or policy seqno may have changed
3977 * between the selinux_inode_permission check and the saving
3978 * of state above, recheck that access is still permitted.
3979 * Otherwise, access might never be revalidated against the
3980 * new inode label or new policy.
3981 * This check is not redundant - do not remove.
3982 */
3983 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3984}
3985
3986/* task security operations */
3987
3988static int selinux_task_alloc(struct task_struct *task,
3989 unsigned long clone_flags)
3990{
3991 u32 sid = current_sid();
3992
3993 return avc_has_perm(&selinux_state,
3994 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3995}
3996
3997/*
3998 * prepare a new set of credentials for modification
3999 */
4000static int selinux_cred_prepare(struct cred *new, const struct cred *old,
4001 gfp_t gfp)
4002{
4003 const struct task_security_struct *old_tsec = selinux_cred(old);
4004 struct task_security_struct *tsec = selinux_cred(new);
4005
4006 *tsec = *old_tsec;
4007 return 0;
4008}
4009
4010/*
4011 * transfer the SELinux data to a blank set of creds
4012 */
4013static void selinux_cred_transfer(struct cred *new, const struct cred *old)
4014{
4015 const struct task_security_struct *old_tsec = selinux_cred(old);
4016 struct task_security_struct *tsec = selinux_cred(new);
4017
4018 *tsec = *old_tsec;
4019}
4020
4021static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
4022{
4023 *secid = cred_sid(c);
4024}
4025
4026/*
4027 * set the security data for a kernel service
4028 * - all the creation contexts are set to unlabelled
4029 */
4030static int selinux_kernel_act_as(struct cred *new, u32 secid)
4031{
4032 struct task_security_struct *tsec = selinux_cred(new);
4033 u32 sid = current_sid();
4034 int ret;
4035
4036 ret = avc_has_perm(&selinux_state,
4037 sid, secid,
4038 SECCLASS_KERNEL_SERVICE,
4039 KERNEL_SERVICE__USE_AS_OVERRIDE,
4040 NULL);
4041 if (ret == 0) {
4042 tsec->sid = secid;
4043 tsec->create_sid = 0;
4044 tsec->keycreate_sid = 0;
4045 tsec->sockcreate_sid = 0;
4046 }
4047 return ret;
4048}
4049
4050/*
4051 * set the file creation context in a security record to the same as the
4052 * objective context of the specified inode
4053 */
4054static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4055{
4056 struct inode_security_struct *isec = inode_security(inode);
4057 struct task_security_struct *tsec = selinux_cred(new);
4058 u32 sid = current_sid();
4059 int ret;
4060
4061 ret = avc_has_perm(&selinux_state,
4062 sid, isec->sid,
4063 SECCLASS_KERNEL_SERVICE,
4064 KERNEL_SERVICE__CREATE_FILES_AS,
4065 NULL);
4066
4067 if (ret == 0)
4068 tsec->create_sid = isec->sid;
4069 return ret;
4070}
4071
4072static int selinux_kernel_module_request(char *kmod_name)
4073{
4074 struct common_audit_data ad;
4075
4076 ad.type = LSM_AUDIT_DATA_KMOD;
4077 ad.u.kmod_name = kmod_name;
4078
4079 return avc_has_perm(&selinux_state,
4080 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4081 SYSTEM__MODULE_REQUEST, &ad);
4082}
4083
4084static int selinux_kernel_module_from_file(struct file *file)
4085{
4086 struct common_audit_data ad;
4087 struct inode_security_struct *isec;
4088 struct file_security_struct *fsec;
4089 u32 sid = current_sid();
4090 int rc;
4091
4092 /* init_module */
4093 if (file == NULL)
4094 return avc_has_perm(&selinux_state,
4095 sid, sid, SECCLASS_SYSTEM,
4096 SYSTEM__MODULE_LOAD, NULL);
4097
4098 /* finit_module */
4099
4100 ad.type = LSM_AUDIT_DATA_FILE;
4101 ad.u.file = file;
4102
4103 fsec = selinux_file(file);
4104 if (sid != fsec->sid) {
4105 rc = avc_has_perm(&selinux_state,
4106 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4107 if (rc)
4108 return rc;
4109 }
4110
4111 isec = inode_security(file_inode(file));
4112 return avc_has_perm(&selinux_state,
4113 sid, isec->sid, SECCLASS_SYSTEM,
4114 SYSTEM__MODULE_LOAD, &ad);
4115}
4116
4117static int selinux_kernel_read_file(struct file *file,
4118 enum kernel_read_file_id id)
4119{
4120 int rc = 0;
4121
4122 switch (id) {
4123 case READING_MODULE:
4124 rc = selinux_kernel_module_from_file(file);
4125 break;
4126 default:
4127 break;
4128 }
4129
4130 return rc;
4131}
4132
4133static int selinux_kernel_load_data(enum kernel_load_data_id id)
4134{
4135 int rc = 0;
4136
4137 switch (id) {
4138 case LOADING_MODULE:
4139 rc = selinux_kernel_module_from_file(NULL);
4140 default:
4141 break;
4142 }
4143
4144 return rc;
4145}
4146
4147static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4148{
4149 return avc_has_perm(&selinux_state,
4150 current_sid(), task_sid(p), SECCLASS_PROCESS,
4151 PROCESS__SETPGID, NULL);
4152}
4153
4154static int selinux_task_getpgid(struct task_struct *p)
4155{
4156 return avc_has_perm(&selinux_state,
4157 current_sid(), task_sid(p), SECCLASS_PROCESS,
4158 PROCESS__GETPGID, NULL);
4159}
4160
4161static int selinux_task_getsid(struct task_struct *p)
4162{
4163 return avc_has_perm(&selinux_state,
4164 current_sid(), task_sid(p), SECCLASS_PROCESS,
4165 PROCESS__GETSESSION, NULL);
4166}
4167
4168static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4169{
4170 *secid = task_sid(p);
4171}
4172
4173static int selinux_task_setnice(struct task_struct *p, int nice)
4174{
4175 return avc_has_perm(&selinux_state,
4176 current_sid(), task_sid(p), SECCLASS_PROCESS,
4177 PROCESS__SETSCHED, NULL);
4178}
4179
4180static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4181{
4182 return avc_has_perm(&selinux_state,
4183 current_sid(), task_sid(p), SECCLASS_PROCESS,
4184 PROCESS__SETSCHED, NULL);
4185}
4186
4187static int selinux_task_getioprio(struct task_struct *p)
4188{
4189 return avc_has_perm(&selinux_state,
4190 current_sid(), task_sid(p), SECCLASS_PROCESS,
4191 PROCESS__GETSCHED, NULL);
4192}
4193
4194static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4195 unsigned int flags)
4196{
4197 u32 av = 0;
4198
4199 if (!flags)
4200 return 0;
4201 if (flags & LSM_PRLIMIT_WRITE)
4202 av |= PROCESS__SETRLIMIT;
4203 if (flags & LSM_PRLIMIT_READ)
4204 av |= PROCESS__GETRLIMIT;
4205 return avc_has_perm(&selinux_state,
4206 cred_sid(cred), cred_sid(tcred),
4207 SECCLASS_PROCESS, av, NULL);
4208}
4209
4210static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4211 struct rlimit *new_rlim)
4212{
4213 struct rlimit *old_rlim = p->signal->rlim + resource;
4214
4215 /* Control the ability to change the hard limit (whether
4216 lowering or raising it), so that the hard limit can
4217 later be used as a safe reset point for the soft limit
4218 upon context transitions. See selinux_bprm_committing_creds. */
4219 if (old_rlim->rlim_max != new_rlim->rlim_max)
4220 return avc_has_perm(&selinux_state,
4221 current_sid(), task_sid(p),
4222 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4223
4224 return 0;
4225}
4226
4227static int selinux_task_setscheduler(struct task_struct *p)
4228{
4229 return avc_has_perm(&selinux_state,
4230 current_sid(), task_sid(p), SECCLASS_PROCESS,
4231 PROCESS__SETSCHED, NULL);
4232}
4233
4234static int selinux_task_getscheduler(struct task_struct *p)
4235{
4236 return avc_has_perm(&selinux_state,
4237 current_sid(), task_sid(p), SECCLASS_PROCESS,
4238 PROCESS__GETSCHED, NULL);
4239}
4240
4241static int selinux_task_movememory(struct task_struct *p)
4242{
4243 return avc_has_perm(&selinux_state,
4244 current_sid(), task_sid(p), SECCLASS_PROCESS,
4245 PROCESS__SETSCHED, NULL);
4246}
4247
4248static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4249 int sig, const struct cred *cred)
4250{
4251 u32 secid;
4252 u32 perm;
4253
4254 if (!sig)
4255 perm = PROCESS__SIGNULL; /* null signal; existence test */
4256 else
4257 perm = signal_to_av(sig);
4258 if (!cred)
4259 secid = current_sid();
4260 else
4261 secid = cred_sid(cred);
4262 return avc_has_perm(&selinux_state,
4263 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4264}
4265
4266static void selinux_task_to_inode(struct task_struct *p,
4267 struct inode *inode)
4268{
4269 struct inode_security_struct *isec = selinux_inode(inode);
4270 u32 sid = task_sid(p);
4271
4272 spin_lock(&isec->lock);
4273 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4274 isec->sid = sid;
4275 isec->initialized = LABEL_INITIALIZED;
4276 spin_unlock(&isec->lock);
4277}
4278
4279/* Returns error only if unable to parse addresses */
4280static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4281 struct common_audit_data *ad, u8 *proto)
4282{
4283 int offset, ihlen, ret = -EINVAL;
4284 struct iphdr _iph, *ih;
4285
4286 offset = skb_network_offset(skb);
4287 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4288 if (ih == NULL)
4289 goto out;
4290
4291 ihlen = ih->ihl * 4;
4292 if (ihlen < sizeof(_iph))
4293 goto out;
4294
4295 ad->u.net->v4info.saddr = ih->saddr;
4296 ad->u.net->v4info.daddr = ih->daddr;
4297 ret = 0;
4298
4299 if (proto)
4300 *proto = ih->protocol;
4301
4302 switch (ih->protocol) {
4303 case IPPROTO_TCP: {
4304 struct tcphdr _tcph, *th;
4305
4306 if (ntohs(ih->frag_off) & IP_OFFSET)
4307 break;
4308
4309 offset += ihlen;
4310 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4311 if (th == NULL)
4312 break;
4313
4314 ad->u.net->sport = th->source;
4315 ad->u.net->dport = th->dest;
4316 break;
4317 }
4318
4319 case IPPROTO_UDP: {
4320 struct udphdr _udph, *uh;
4321
4322 if (ntohs(ih->frag_off) & IP_OFFSET)
4323 break;
4324
4325 offset += ihlen;
4326 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4327 if (uh == NULL)
4328 break;
4329
4330 ad->u.net->sport = uh->source;
4331 ad->u.net->dport = uh->dest;
4332 break;
4333 }
4334
4335 case IPPROTO_DCCP: {
4336 struct dccp_hdr _dccph, *dh;
4337
4338 if (ntohs(ih->frag_off) & IP_OFFSET)
4339 break;
4340
4341 offset += ihlen;
4342 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4343 if (dh == NULL)
4344 break;
4345
4346 ad->u.net->sport = dh->dccph_sport;
4347 ad->u.net->dport = dh->dccph_dport;
4348 break;
4349 }
4350
4351#if IS_ENABLED(CONFIG_IP_SCTP)
4352 case IPPROTO_SCTP: {
4353 struct sctphdr _sctph, *sh;
4354
4355 if (ntohs(ih->frag_off) & IP_OFFSET)
4356 break;
4357
4358 offset += ihlen;
4359 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4360 if (sh == NULL)
4361 break;
4362
4363 ad->u.net->sport = sh->source;
4364 ad->u.net->dport = sh->dest;
4365 break;
4366 }
4367#endif
4368 default:
4369 break;
4370 }
4371out:
4372 return ret;
4373}
4374
4375#if IS_ENABLED(CONFIG_IPV6)
4376
4377/* Returns error only if unable to parse addresses */
4378static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4379 struct common_audit_data *ad, u8 *proto)
4380{
4381 u8 nexthdr;
4382 int ret = -EINVAL, offset;
4383 struct ipv6hdr _ipv6h, *ip6;
4384 __be16 frag_off;
4385
4386 offset = skb_network_offset(skb);
4387 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4388 if (ip6 == NULL)
4389 goto out;
4390
4391 ad->u.net->v6info.saddr = ip6->saddr;
4392 ad->u.net->v6info.daddr = ip6->daddr;
4393 ret = 0;
4394
4395 nexthdr = ip6->nexthdr;
4396 offset += sizeof(_ipv6h);
4397 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4398 if (offset < 0)
4399 goto out;
4400
4401 if (proto)
4402 *proto = nexthdr;
4403
4404 switch (nexthdr) {
4405 case IPPROTO_TCP: {
4406 struct tcphdr _tcph, *th;
4407
4408 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4409 if (th == NULL)
4410 break;
4411
4412 ad->u.net->sport = th->source;
4413 ad->u.net->dport = th->dest;
4414 break;
4415 }
4416
4417 case IPPROTO_UDP: {
4418 struct udphdr _udph, *uh;
4419
4420 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4421 if (uh == NULL)
4422 break;
4423
4424 ad->u.net->sport = uh->source;
4425 ad->u.net->dport = uh->dest;
4426 break;
4427 }
4428
4429 case IPPROTO_DCCP: {
4430 struct dccp_hdr _dccph, *dh;
4431
4432 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4433 if (dh == NULL)
4434 break;
4435
4436 ad->u.net->sport = dh->dccph_sport;
4437 ad->u.net->dport = dh->dccph_dport;
4438 break;
4439 }
4440
4441#if IS_ENABLED(CONFIG_IP_SCTP)
4442 case IPPROTO_SCTP: {
4443 struct sctphdr _sctph, *sh;
4444
4445 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4446 if (sh == NULL)
4447 break;
4448
4449 ad->u.net->sport = sh->source;
4450 ad->u.net->dport = sh->dest;
4451 break;
4452 }
4453#endif
4454 /* includes fragments */
4455 default:
4456 break;
4457 }
4458out:
4459 return ret;
4460}
4461
4462#endif /* IPV6 */
4463
4464static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4465 char **_addrp, int src, u8 *proto)
4466{
4467 char *addrp;
4468 int ret;
4469
4470 switch (ad->u.net->family) {
4471 case PF_INET:
4472 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4473 if (ret)
4474 goto parse_error;
4475 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4476 &ad->u.net->v4info.daddr);
4477 goto okay;
4478
4479#if IS_ENABLED(CONFIG_IPV6)
4480 case PF_INET6:
4481 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4482 if (ret)
4483 goto parse_error;
4484 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4485 &ad->u.net->v6info.daddr);
4486 goto okay;
4487#endif /* IPV6 */
4488 default:
4489 addrp = NULL;
4490 goto okay;
4491 }
4492
4493parse_error:
4494 pr_warn(
4495 "SELinux: failure in selinux_parse_skb(),"
4496 " unable to parse packet\n");
4497 return ret;
4498
4499okay:
4500 if (_addrp)
4501 *_addrp = addrp;
4502 return 0;
4503}
4504
4505/**
4506 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4507 * @skb: the packet
4508 * @family: protocol family
4509 * @sid: the packet's peer label SID
4510 *
4511 * Description:
4512 * Check the various different forms of network peer labeling and determine
4513 * the peer label/SID for the packet; most of the magic actually occurs in
4514 * the security server function security_net_peersid_cmp(). The function
4515 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4516 * or -EACCES if @sid is invalid due to inconsistencies with the different
4517 * peer labels.
4518 *
4519 */
4520static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4521{
4522 int err;
4523 u32 xfrm_sid;
4524 u32 nlbl_sid;
4525 u32 nlbl_type;
4526
4527 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4528 if (unlikely(err))
4529 return -EACCES;
4530 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4531 if (unlikely(err))
4532 return -EACCES;
4533
4534 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4535 nlbl_type, xfrm_sid, sid);
4536 if (unlikely(err)) {
4537 pr_warn(
4538 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4539 " unable to determine packet's peer label\n");
4540 return -EACCES;
4541 }
4542
4543 return 0;
4544}
4545
4546/**
4547 * selinux_conn_sid - Determine the child socket label for a connection
4548 * @sk_sid: the parent socket's SID
4549 * @skb_sid: the packet's SID
4550 * @conn_sid: the resulting connection SID
4551 *
4552 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4553 * combined with the MLS information from @skb_sid in order to create
4554 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4555 * of @sk_sid. Returns zero on success, negative values on failure.
4556 *
4557 */
4558static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4559{
4560 int err = 0;
4561
4562 if (skb_sid != SECSID_NULL)
4563 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4564 conn_sid);
4565 else
4566 *conn_sid = sk_sid;
4567
4568 return err;
4569}
4570
4571/* socket security operations */
4572
4573static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4574 u16 secclass, u32 *socksid)
4575{
4576 if (tsec->sockcreate_sid > SECSID_NULL) {
4577 *socksid = tsec->sockcreate_sid;
4578 return 0;
4579 }
4580
4581 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4582 secclass, NULL, socksid);
4583}
4584
4585static int sock_has_perm(struct sock *sk, u32 perms)
4586{
4587 struct sk_security_struct *sksec = sk->sk_security;
4588 struct common_audit_data ad;
4589 struct lsm_network_audit net = {0,};
4590
4591 if (sksec->sid == SECINITSID_KERNEL)
4592 return 0;
4593
4594 ad.type = LSM_AUDIT_DATA_NET;
4595 ad.u.net = &net;
4596 ad.u.net->sk = sk;
4597
4598 return avc_has_perm(&selinux_state,
4599 current_sid(), sksec->sid, sksec->sclass, perms,
4600 &ad);
4601}
4602
4603static int selinux_socket_create(int family, int type,
4604 int protocol, int kern)
4605{
4606 const struct task_security_struct *tsec = selinux_cred(current_cred());
4607 u32 newsid;
4608 u16 secclass;
4609 int rc;
4610
4611 if (kern)
4612 return 0;
4613
4614 secclass = socket_type_to_security_class(family, type, protocol);
4615 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4616 if (rc)
4617 return rc;
4618
4619 return avc_has_perm(&selinux_state,
4620 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4621}
4622
4623static int selinux_socket_post_create(struct socket *sock, int family,
4624 int type, int protocol, int kern)
4625{
4626 const struct task_security_struct *tsec = selinux_cred(current_cred());
4627 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4628 struct sk_security_struct *sksec;
4629 u16 sclass = socket_type_to_security_class(family, type, protocol);
4630 u32 sid = SECINITSID_KERNEL;
4631 int err = 0;
4632
4633 if (!kern) {
4634 err = socket_sockcreate_sid(tsec, sclass, &sid);
4635 if (err)
4636 return err;
4637 }
4638
4639 isec->sclass = sclass;
4640 isec->sid = sid;
4641 isec->initialized = LABEL_INITIALIZED;
4642
4643 if (sock->sk) {
4644 sksec = sock->sk->sk_security;
4645 sksec->sclass = sclass;
4646 sksec->sid = sid;
4647 /* Allows detection of the first association on this socket */
4648 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4649 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4650
4651 err = selinux_netlbl_socket_post_create(sock->sk, family);
4652 }
4653
4654 return err;
4655}
4656
4657static int selinux_socket_socketpair(struct socket *socka,
4658 struct socket *sockb)
4659{
4660 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4661 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4662
4663 sksec_a->peer_sid = sksec_b->sid;
4664 sksec_b->peer_sid = sksec_a->sid;
4665
4666 return 0;
4667}
4668
4669/* Range of port numbers used to automatically bind.
4670 Need to determine whether we should perform a name_bind
4671 permission check between the socket and the port number. */
4672
4673static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4674{
4675 struct sock *sk = sock->sk;
4676 struct sk_security_struct *sksec = sk->sk_security;
4677 u16 family;
4678 int err;
4679
4680 err = sock_has_perm(sk, SOCKET__BIND);
4681 if (err)
4682 goto out;
4683
4684 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4685 family = sk->sk_family;
4686 if (family == PF_INET || family == PF_INET6) {
4687 char *addrp;
4688 struct common_audit_data ad;
4689 struct lsm_network_audit net = {0,};
4690 struct sockaddr_in *addr4 = NULL;
4691 struct sockaddr_in6 *addr6 = NULL;
4692 u16 family_sa;
4693 unsigned short snum;
4694 u32 sid, node_perm;
4695
4696 /*
4697 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4698 * that validates multiple binding addresses. Because of this
4699 * need to check address->sa_family as it is possible to have
4700 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4701 */
4702 if (addrlen < offsetofend(struct sockaddr, sa_family))
4703 return -EINVAL;
4704 family_sa = address->sa_family;
4705 switch (family_sa) {
4706 case AF_UNSPEC:
4707 case AF_INET:
4708 if (addrlen < sizeof(struct sockaddr_in))
4709 return -EINVAL;
4710 addr4 = (struct sockaddr_in *)address;
4711 if (family_sa == AF_UNSPEC) {
4712 if (family == PF_INET6) {
4713 /* Length check from inet6_bind_sk() */
4714 if (addrlen < SIN6_LEN_RFC2133)
4715 return -EINVAL;
4716 /* Family check from __inet6_bind() */
4717 goto err_af;
4718 }
4719 /* see __inet_bind(), we only want to allow
4720 * AF_UNSPEC if the address is INADDR_ANY
4721 */
4722 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4723 goto err_af;
4724 family_sa = AF_INET;
4725 }
4726 snum = ntohs(addr4->sin_port);
4727 addrp = (char *)&addr4->sin_addr.s_addr;
4728 break;
4729 case AF_INET6:
4730 if (addrlen < SIN6_LEN_RFC2133)
4731 return -EINVAL;
4732 addr6 = (struct sockaddr_in6 *)address;
4733 snum = ntohs(addr6->sin6_port);
4734 addrp = (char *)&addr6->sin6_addr.s6_addr;
4735 break;
4736 default:
4737 goto err_af;
4738 }
4739
4740 ad.type = LSM_AUDIT_DATA_NET;
4741 ad.u.net = &net;
4742 ad.u.net->sport = htons(snum);
4743 ad.u.net->family = family_sa;
4744
4745 if (snum) {
4746 int low, high;
4747
4748 inet_get_local_port_range(sock_net(sk), &low, &high);
4749
4750 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4751 snum > high) {
4752 err = sel_netport_sid(sk->sk_protocol,
4753 snum, &sid);
4754 if (err)
4755 goto out;
4756 err = avc_has_perm(&selinux_state,
4757 sksec->sid, sid,
4758 sksec->sclass,
4759 SOCKET__NAME_BIND, &ad);
4760 if (err)
4761 goto out;
4762 }
4763 }
4764
4765 switch (sksec->sclass) {
4766 case SECCLASS_TCP_SOCKET:
4767 node_perm = TCP_SOCKET__NODE_BIND;
4768 break;
4769
4770 case SECCLASS_UDP_SOCKET:
4771 node_perm = UDP_SOCKET__NODE_BIND;
4772 break;
4773
4774 case SECCLASS_DCCP_SOCKET:
4775 node_perm = DCCP_SOCKET__NODE_BIND;
4776 break;
4777
4778 case SECCLASS_SCTP_SOCKET:
4779 node_perm = SCTP_SOCKET__NODE_BIND;
4780 break;
4781
4782 default:
4783 node_perm = RAWIP_SOCKET__NODE_BIND;
4784 break;
4785 }
4786
4787 err = sel_netnode_sid(addrp, family_sa, &sid);
4788 if (err)
4789 goto out;
4790
4791 if (family_sa == AF_INET)
4792 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4793 else
4794 ad.u.net->v6info.saddr = addr6->sin6_addr;
4795
4796 err = avc_has_perm(&selinux_state,
4797 sksec->sid, sid,
4798 sksec->sclass, node_perm, &ad);
4799 if (err)
4800 goto out;
4801 }
4802out:
4803 return err;
4804err_af:
4805 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4806 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4807 return -EINVAL;
4808 return -EAFNOSUPPORT;
4809}
4810
4811/* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4812 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4813 */
4814static int selinux_socket_connect_helper(struct socket *sock,
4815 struct sockaddr *address, int addrlen)
4816{
4817 struct sock *sk = sock->sk;
4818 struct sk_security_struct *sksec = sk->sk_security;
4819 int err;
4820
4821 err = sock_has_perm(sk, SOCKET__CONNECT);
4822 if (err)
4823 return err;
4824 if (addrlen < offsetofend(struct sockaddr, sa_family))
4825 return -EINVAL;
4826
4827 /* connect(AF_UNSPEC) has special handling, as it is a documented
4828 * way to disconnect the socket
4829 */
4830 if (address->sa_family == AF_UNSPEC)
4831 return 0;
4832
4833 /*
4834 * If a TCP, DCCP or SCTP socket, check name_connect permission
4835 * for the port.
4836 */
4837 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4838 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4839 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4840 struct common_audit_data ad;
4841 struct lsm_network_audit net = {0,};
4842 struct sockaddr_in *addr4 = NULL;
4843 struct sockaddr_in6 *addr6 = NULL;
4844 unsigned short snum;
4845 u32 sid, perm;
4846
4847 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4848 * that validates multiple connect addresses. Because of this
4849 * need to check address->sa_family as it is possible to have
4850 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4851 */
4852 switch (address->sa_family) {
4853 case AF_INET:
4854 addr4 = (struct sockaddr_in *)address;
4855 if (addrlen < sizeof(struct sockaddr_in))
4856 return -EINVAL;
4857 snum = ntohs(addr4->sin_port);
4858 break;
4859 case AF_INET6:
4860 addr6 = (struct sockaddr_in6 *)address;
4861 if (addrlen < SIN6_LEN_RFC2133)
4862 return -EINVAL;
4863 snum = ntohs(addr6->sin6_port);
4864 break;
4865 default:
4866 /* Note that SCTP services expect -EINVAL, whereas
4867 * others expect -EAFNOSUPPORT.
4868 */
4869 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4870 return -EINVAL;
4871 else
4872 return -EAFNOSUPPORT;
4873 }
4874
4875 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4876 if (err)
4877 return err;
4878
4879 switch (sksec->sclass) {
4880 case SECCLASS_TCP_SOCKET:
4881 perm = TCP_SOCKET__NAME_CONNECT;
4882 break;
4883 case SECCLASS_DCCP_SOCKET:
4884 perm = DCCP_SOCKET__NAME_CONNECT;
4885 break;
4886 case SECCLASS_SCTP_SOCKET:
4887 perm = SCTP_SOCKET__NAME_CONNECT;
4888 break;
4889 }
4890
4891 ad.type = LSM_AUDIT_DATA_NET;
4892 ad.u.net = &net;
4893 ad.u.net->dport = htons(snum);
4894 ad.u.net->family = address->sa_family;
4895 err = avc_has_perm(&selinux_state,
4896 sksec->sid, sid, sksec->sclass, perm, &ad);
4897 if (err)
4898 return err;
4899 }
4900
4901 return 0;
4902}
4903
4904/* Supports connect(2), see comments in selinux_socket_connect_helper() */
4905static int selinux_socket_connect(struct socket *sock,
4906 struct sockaddr *address, int addrlen)
4907{
4908 int err;
4909 struct sock *sk = sock->sk;
4910
4911 err = selinux_socket_connect_helper(sock, address, addrlen);
4912 if (err)
4913 return err;
4914
4915 return selinux_netlbl_socket_connect(sk, address);
4916}
4917
4918static int selinux_socket_listen(struct socket *sock, int backlog)
4919{
4920 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4921}
4922
4923static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4924{
4925 int err;
4926 struct inode_security_struct *isec;
4927 struct inode_security_struct *newisec;
4928 u16 sclass;
4929 u32 sid;
4930
4931 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4932 if (err)
4933 return err;
4934
4935 isec = inode_security_novalidate(SOCK_INODE(sock));
4936 spin_lock(&isec->lock);
4937 sclass = isec->sclass;
4938 sid = isec->sid;
4939 spin_unlock(&isec->lock);
4940
4941 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4942 newisec->sclass = sclass;
4943 newisec->sid = sid;
4944 newisec->initialized = LABEL_INITIALIZED;
4945
4946 return 0;
4947}
4948
4949static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4950 int size)
4951{
4952 return sock_has_perm(sock->sk, SOCKET__WRITE);
4953}
4954
4955static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4956 int size, int flags)
4957{
4958 return sock_has_perm(sock->sk, SOCKET__READ);
4959}
4960
4961static int selinux_socket_getsockname(struct socket *sock)
4962{
4963 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4964}
4965
4966static int selinux_socket_getpeername(struct socket *sock)
4967{
4968 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4969}
4970
4971static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4972{
4973 int err;
4974
4975 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4976 if (err)
4977 return err;
4978
4979 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4980}
4981
4982static int selinux_socket_getsockopt(struct socket *sock, int level,
4983 int optname)
4984{
4985 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4986}
4987
4988static int selinux_socket_shutdown(struct socket *sock, int how)
4989{
4990 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4991}
4992
4993static int selinux_socket_unix_stream_connect(struct sock *sock,
4994 struct sock *other,
4995 struct sock *newsk)
4996{
4997 struct sk_security_struct *sksec_sock = sock->sk_security;
4998 struct sk_security_struct *sksec_other = other->sk_security;
4999 struct sk_security_struct *sksec_new = newsk->sk_security;
5000 struct common_audit_data ad;
5001 struct lsm_network_audit net = {0,};
5002 int err;
5003
5004 ad.type = LSM_AUDIT_DATA_NET;
5005 ad.u.net = &net;
5006 ad.u.net->sk = other;
5007
5008 err = avc_has_perm(&selinux_state,
5009 sksec_sock->sid, sksec_other->sid,
5010 sksec_other->sclass,
5011 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
5012 if (err)
5013 return err;
5014
5015 /* server child socket */
5016 sksec_new->peer_sid = sksec_sock->sid;
5017 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
5018 sksec_sock->sid, &sksec_new->sid);
5019 if (err)
5020 return err;
5021
5022 /* connecting socket */
5023 sksec_sock->peer_sid = sksec_new->sid;
5024
5025 return 0;
5026}
5027
5028static int selinux_socket_unix_may_send(struct socket *sock,
5029 struct socket *other)
5030{
5031 struct sk_security_struct *ssec = sock->sk->sk_security;
5032 struct sk_security_struct *osec = other->sk->sk_security;
5033 struct common_audit_data ad;
5034 struct lsm_network_audit net = {0,};
5035
5036 ad.type = LSM_AUDIT_DATA_NET;
5037 ad.u.net = &net;
5038 ad.u.net->sk = other->sk;
5039
5040 return avc_has_perm(&selinux_state,
5041 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
5042 &ad);
5043}
5044
5045static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5046 char *addrp, u16 family, u32 peer_sid,
5047 struct common_audit_data *ad)
5048{
5049 int err;
5050 u32 if_sid;
5051 u32 node_sid;
5052
5053 err = sel_netif_sid(ns, ifindex, &if_sid);
5054 if (err)
5055 return err;
5056 err = avc_has_perm(&selinux_state,
5057 peer_sid, if_sid,
5058 SECCLASS_NETIF, NETIF__INGRESS, ad);
5059 if (err)
5060 return err;
5061
5062 err = sel_netnode_sid(addrp, family, &node_sid);
5063 if (err)
5064 return err;
5065 return avc_has_perm(&selinux_state,
5066 peer_sid, node_sid,
5067 SECCLASS_NODE, NODE__RECVFROM, ad);
5068}
5069
5070static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5071 u16 family)
5072{
5073 int err = 0;
5074 struct sk_security_struct *sksec = sk->sk_security;
5075 u32 sk_sid = sksec->sid;
5076 struct common_audit_data ad;
5077 struct lsm_network_audit net = {0,};
5078 char *addrp;
5079
5080 ad.type = LSM_AUDIT_DATA_NET;
5081 ad.u.net = &net;
5082 ad.u.net->netif = skb->skb_iif;
5083 ad.u.net->family = family;
5084 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5085 if (err)
5086 return err;
5087
5088 if (selinux_secmark_enabled()) {
5089 err = avc_has_perm(&selinux_state,
5090 sk_sid, skb->secmark, SECCLASS_PACKET,
5091 PACKET__RECV, &ad);
5092 if (err)
5093 return err;
5094 }
5095
5096 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5097 if (err)
5098 return err;
5099 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5100
5101 return err;
5102}
5103
5104static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5105{
5106 int err;
5107 struct sk_security_struct *sksec = sk->sk_security;
5108 u16 family = sk->sk_family;
5109 u32 sk_sid = sksec->sid;
5110 struct common_audit_data ad;
5111 struct lsm_network_audit net = {0,};
5112 char *addrp;
5113 u8 secmark_active;
5114 u8 peerlbl_active;
5115
5116 if (family != PF_INET && family != PF_INET6)
5117 return 0;
5118
5119 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5120 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5121 family = PF_INET;
5122
5123 /* If any sort of compatibility mode is enabled then handoff processing
5124 * to the selinux_sock_rcv_skb_compat() function to deal with the
5125 * special handling. We do this in an attempt to keep this function
5126 * as fast and as clean as possible. */
5127 if (!selinux_policycap_netpeer())
5128 return selinux_sock_rcv_skb_compat(sk, skb, family);
5129
5130 secmark_active = selinux_secmark_enabled();
5131 peerlbl_active = selinux_peerlbl_enabled();
5132 if (!secmark_active && !peerlbl_active)
5133 return 0;
5134
5135 ad.type = LSM_AUDIT_DATA_NET;
5136 ad.u.net = &net;
5137 ad.u.net->netif = skb->skb_iif;
5138 ad.u.net->family = family;
5139 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5140 if (err)
5141 return err;
5142
5143 if (peerlbl_active) {
5144 u32 peer_sid;
5145
5146 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5147 if (err)
5148 return err;
5149 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5150 addrp, family, peer_sid, &ad);
5151 if (err) {
5152 selinux_netlbl_err(skb, family, err, 0);
5153 return err;
5154 }
5155 err = avc_has_perm(&selinux_state,
5156 sk_sid, peer_sid, SECCLASS_PEER,
5157 PEER__RECV, &ad);
5158 if (err) {
5159 selinux_netlbl_err(skb, family, err, 0);
5160 return err;
5161 }
5162 }
5163
5164 if (secmark_active) {
5165 err = avc_has_perm(&selinux_state,
5166 sk_sid, skb->secmark, SECCLASS_PACKET,
5167 PACKET__RECV, &ad);
5168 if (err)
5169 return err;
5170 }
5171
5172 return err;
5173}
5174
5175static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5176 int __user *optlen, unsigned len)
5177{
5178 int err = 0;
5179 char *scontext;
5180 u32 scontext_len;
5181 struct sk_security_struct *sksec = sock->sk->sk_security;
5182 u32 peer_sid = SECSID_NULL;
5183
5184 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5185 sksec->sclass == SECCLASS_TCP_SOCKET ||
5186 sksec->sclass == SECCLASS_SCTP_SOCKET)
5187 peer_sid = sksec->peer_sid;
5188 if (peer_sid == SECSID_NULL)
5189 return -ENOPROTOOPT;
5190
5191 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5192 &scontext_len);
5193 if (err)
5194 return err;
5195
5196 if (scontext_len > len) {
5197 err = -ERANGE;
5198 goto out_len;
5199 }
5200
5201 if (copy_to_user(optval, scontext, scontext_len))
5202 err = -EFAULT;
5203
5204out_len:
5205 if (put_user(scontext_len, optlen))
5206 err = -EFAULT;
5207 kfree(scontext);
5208 return err;
5209}
5210
5211static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5212{
5213 u32 peer_secid = SECSID_NULL;
5214 u16 family;
5215 struct inode_security_struct *isec;
5216
5217 if (skb && skb->protocol == htons(ETH_P_IP))
5218 family = PF_INET;
5219 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5220 family = PF_INET6;
5221 else if (sock)
5222 family = sock->sk->sk_family;
5223 else
5224 goto out;
5225
5226 if (sock && family == PF_UNIX) {
5227 isec = inode_security_novalidate(SOCK_INODE(sock));
5228 peer_secid = isec->sid;
5229 } else if (skb)
5230 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5231
5232out:
5233 *secid = peer_secid;
5234 if (peer_secid == SECSID_NULL)
5235 return -EINVAL;
5236 return 0;
5237}
5238
5239static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5240{
5241 struct sk_security_struct *sksec;
5242
5243 sksec = kzalloc(sizeof(*sksec), priority);
5244 if (!sksec)
5245 return -ENOMEM;
5246
5247 sksec->peer_sid = SECINITSID_UNLABELED;
5248 sksec->sid = SECINITSID_UNLABELED;
5249 sksec->sclass = SECCLASS_SOCKET;
5250 selinux_netlbl_sk_security_reset(sksec);
5251 sk->sk_security = sksec;
5252
5253 return 0;
5254}
5255
5256static void selinux_sk_free_security(struct sock *sk)
5257{
5258 struct sk_security_struct *sksec = sk->sk_security;
5259
5260 sk->sk_security = NULL;
5261 selinux_netlbl_sk_security_free(sksec);
5262 kfree(sksec);
5263}
5264
5265static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5266{
5267 struct sk_security_struct *sksec = sk->sk_security;
5268 struct sk_security_struct *newsksec = newsk->sk_security;
5269
5270 newsksec->sid = sksec->sid;
5271 newsksec->peer_sid = sksec->peer_sid;
5272 newsksec->sclass = sksec->sclass;
5273
5274 selinux_netlbl_sk_security_reset(newsksec);
5275}
5276
5277static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5278{
5279 if (!sk)
5280 *secid = SECINITSID_ANY_SOCKET;
5281 else {
5282 struct sk_security_struct *sksec = sk->sk_security;
5283
5284 *secid = sksec->sid;
5285 }
5286}
5287
5288static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5289{
5290 struct inode_security_struct *isec =
5291 inode_security_novalidate(SOCK_INODE(parent));
5292 struct sk_security_struct *sksec = sk->sk_security;
5293
5294 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5295 sk->sk_family == PF_UNIX)
5296 isec->sid = sksec->sid;
5297 sksec->sclass = isec->sclass;
5298}
5299
5300/* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5301 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5302 * already present).
5303 */
5304static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5305 struct sk_buff *skb)
5306{
5307 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5308 struct common_audit_data ad;
5309 struct lsm_network_audit net = {0,};
5310 u8 peerlbl_active;
5311 u32 peer_sid = SECINITSID_UNLABELED;
5312 u32 conn_sid;
5313 int err = 0;
5314
5315 if (!selinux_policycap_extsockclass())
5316 return 0;
5317
5318 peerlbl_active = selinux_peerlbl_enabled();
5319
5320 if (peerlbl_active) {
5321 /* This will return peer_sid = SECSID_NULL if there are
5322 * no peer labels, see security_net_peersid_resolve().
5323 */
5324 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5325 &peer_sid);
5326 if (err)
5327 return err;
5328
5329 if (peer_sid == SECSID_NULL)
5330 peer_sid = SECINITSID_UNLABELED;
5331 }
5332
5333 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5334 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5335
5336 /* Here as first association on socket. As the peer SID
5337 * was allowed by peer recv (and the netif/node checks),
5338 * then it is approved by policy and used as the primary
5339 * peer SID for getpeercon(3).
5340 */
5341 sksec->peer_sid = peer_sid;
5342 } else if (sksec->peer_sid != peer_sid) {
5343 /* Other association peer SIDs are checked to enforce
5344 * consistency among the peer SIDs.
5345 */
5346 ad.type = LSM_AUDIT_DATA_NET;
5347 ad.u.net = &net;
5348 ad.u.net->sk = ep->base.sk;
5349 err = avc_has_perm(&selinux_state,
5350 sksec->peer_sid, peer_sid, sksec->sclass,
5351 SCTP_SOCKET__ASSOCIATION, &ad);
5352 if (err)
5353 return err;
5354 }
5355
5356 /* Compute the MLS component for the connection and store
5357 * the information in ep. This will be used by SCTP TCP type
5358 * sockets and peeled off connections as they cause a new
5359 * socket to be generated. selinux_sctp_sk_clone() will then
5360 * plug this into the new socket.
5361 */
5362 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5363 if (err)
5364 return err;
5365
5366 ep->secid = conn_sid;
5367 ep->peer_secid = peer_sid;
5368
5369 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5370 return selinux_netlbl_sctp_assoc_request(ep, skb);
5371}
5372
5373/* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5374 * based on their @optname.
5375 */
5376static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5377 struct sockaddr *address,
5378 int addrlen)
5379{
5380 int len, err = 0, walk_size = 0;
5381 void *addr_buf;
5382 struct sockaddr *addr;
5383 struct socket *sock;
5384
5385 if (!selinux_policycap_extsockclass())
5386 return 0;
5387
5388 /* Process one or more addresses that may be IPv4 or IPv6 */
5389 sock = sk->sk_socket;
5390 addr_buf = address;
5391
5392 while (walk_size < addrlen) {
5393 if (walk_size + sizeof(sa_family_t) > addrlen)
5394 return -EINVAL;
5395
5396 addr = addr_buf;
5397 switch (addr->sa_family) {
5398 case AF_UNSPEC:
5399 case AF_INET:
5400 len = sizeof(struct sockaddr_in);
5401 break;
5402 case AF_INET6:
5403 len = sizeof(struct sockaddr_in6);
5404 break;
5405 default:
5406 return -EINVAL;
5407 }
5408
5409 if (walk_size + len > addrlen)
5410 return -EINVAL;
5411
5412 err = -EINVAL;
5413 switch (optname) {
5414 /* Bind checks */
5415 case SCTP_PRIMARY_ADDR:
5416 case SCTP_SET_PEER_PRIMARY_ADDR:
5417 case SCTP_SOCKOPT_BINDX_ADD:
5418 err = selinux_socket_bind(sock, addr, len);
5419 break;
5420 /* Connect checks */
5421 case SCTP_SOCKOPT_CONNECTX:
5422 case SCTP_PARAM_SET_PRIMARY:
5423 case SCTP_PARAM_ADD_IP:
5424 case SCTP_SENDMSG_CONNECT:
5425 err = selinux_socket_connect_helper(sock, addr, len);
5426 if (err)
5427 return err;
5428
5429 /* As selinux_sctp_bind_connect() is called by the
5430 * SCTP protocol layer, the socket is already locked,
5431 * therefore selinux_netlbl_socket_connect_locked() is
5432 * is called here. The situations handled are:
5433 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5434 * whenever a new IP address is added or when a new
5435 * primary address is selected.
5436 * Note that an SCTP connect(2) call happens before
5437 * the SCTP protocol layer and is handled via
5438 * selinux_socket_connect().
5439 */
5440 err = selinux_netlbl_socket_connect_locked(sk, addr);
5441 break;
5442 }
5443
5444 if (err)
5445 return err;
5446
5447 addr_buf += len;
5448 walk_size += len;
5449 }
5450
5451 return 0;
5452}
5453
5454/* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5455static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5456 struct sock *newsk)
5457{
5458 struct sk_security_struct *sksec = sk->sk_security;
5459 struct sk_security_struct *newsksec = newsk->sk_security;
5460
5461 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5462 * the non-sctp clone version.
5463 */
5464 if (!selinux_policycap_extsockclass())
5465 return selinux_sk_clone_security(sk, newsk);
5466
5467 newsksec->sid = ep->secid;
5468 newsksec->peer_sid = ep->peer_secid;
5469 newsksec->sclass = sksec->sclass;
5470 selinux_netlbl_sctp_sk_clone(sk, newsk);
5471}
5472
5473static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5474 struct request_sock *req)
5475{
5476 struct sk_security_struct *sksec = sk->sk_security;
5477 int err;
5478 u16 family = req->rsk_ops->family;
5479 u32 connsid;
5480 u32 peersid;
5481
5482 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5483 if (err)
5484 return err;
5485 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5486 if (err)
5487 return err;
5488 req->secid = connsid;
5489 req->peer_secid = peersid;
5490
5491 return selinux_netlbl_inet_conn_request(req, family);
5492}
5493
5494static void selinux_inet_csk_clone(struct sock *newsk,
5495 const struct request_sock *req)
5496{
5497 struct sk_security_struct *newsksec = newsk->sk_security;
5498
5499 newsksec->sid = req->secid;
5500 newsksec->peer_sid = req->peer_secid;
5501 /* NOTE: Ideally, we should also get the isec->sid for the
5502 new socket in sync, but we don't have the isec available yet.
5503 So we will wait until sock_graft to do it, by which
5504 time it will have been created and available. */
5505
5506 /* We don't need to take any sort of lock here as we are the only
5507 * thread with access to newsksec */
5508 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5509}
5510
5511static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5512{
5513 u16 family = sk->sk_family;
5514 struct sk_security_struct *sksec = sk->sk_security;
5515
5516 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5517 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5518 family = PF_INET;
5519
5520 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5521}
5522
5523static int selinux_secmark_relabel_packet(u32 sid)
5524{
5525 const struct task_security_struct *__tsec;
5526 u32 tsid;
5527
5528 __tsec = selinux_cred(current_cred());
5529 tsid = __tsec->sid;
5530
5531 return avc_has_perm(&selinux_state,
5532 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5533 NULL);
5534}
5535
5536static void selinux_secmark_refcount_inc(void)
5537{
5538 atomic_inc(&selinux_secmark_refcount);
5539}
5540
5541static void selinux_secmark_refcount_dec(void)
5542{
5543 atomic_dec(&selinux_secmark_refcount);
5544}
5545
5546static void selinux_req_classify_flow(const struct request_sock *req,
5547 struct flowi *fl)
5548{
5549 fl->flowi_secid = req->secid;
5550}
5551
5552static int selinux_tun_dev_alloc_security(void **security)
5553{
5554 struct tun_security_struct *tunsec;
5555
5556 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5557 if (!tunsec)
5558 return -ENOMEM;
5559 tunsec->sid = current_sid();
5560
5561 *security = tunsec;
5562 return 0;
5563}
5564
5565static void selinux_tun_dev_free_security(void *security)
5566{
5567 kfree(security);
5568}
5569
5570static int selinux_tun_dev_create(void)
5571{
5572 u32 sid = current_sid();
5573
5574 /* we aren't taking into account the "sockcreate" SID since the socket
5575 * that is being created here is not a socket in the traditional sense,
5576 * instead it is a private sock, accessible only to the kernel, and
5577 * representing a wide range of network traffic spanning multiple
5578 * connections unlike traditional sockets - check the TUN driver to
5579 * get a better understanding of why this socket is special */
5580
5581 return avc_has_perm(&selinux_state,
5582 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5583 NULL);
5584}
5585
5586static int selinux_tun_dev_attach_queue(void *security)
5587{
5588 struct tun_security_struct *tunsec = security;
5589
5590 return avc_has_perm(&selinux_state,
5591 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5592 TUN_SOCKET__ATTACH_QUEUE, NULL);
5593}
5594
5595static int selinux_tun_dev_attach(struct sock *sk, void *security)
5596{
5597 struct tun_security_struct *tunsec = security;
5598 struct sk_security_struct *sksec = sk->sk_security;
5599
5600 /* we don't currently perform any NetLabel based labeling here and it
5601 * isn't clear that we would want to do so anyway; while we could apply
5602 * labeling without the support of the TUN user the resulting labeled
5603 * traffic from the other end of the connection would almost certainly
5604 * cause confusion to the TUN user that had no idea network labeling
5605 * protocols were being used */
5606
5607 sksec->sid = tunsec->sid;
5608 sksec->sclass = SECCLASS_TUN_SOCKET;
5609
5610 return 0;
5611}
5612
5613static int selinux_tun_dev_open(void *security)
5614{
5615 struct tun_security_struct *tunsec = security;
5616 u32 sid = current_sid();
5617 int err;
5618
5619 err = avc_has_perm(&selinux_state,
5620 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5621 TUN_SOCKET__RELABELFROM, NULL);
5622 if (err)
5623 return err;
5624 err = avc_has_perm(&selinux_state,
5625 sid, sid, SECCLASS_TUN_SOCKET,
5626 TUN_SOCKET__RELABELTO, NULL);
5627 if (err)
5628 return err;
5629 tunsec->sid = sid;
5630
5631 return 0;
5632}
5633
5634static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5635{
5636 int rc = 0;
5637 unsigned int msg_len;
5638 unsigned int data_len = skb->len;
5639 unsigned char *data = skb->data;
5640 struct nlmsghdr *nlh;
5641 struct sk_security_struct *sksec = sk->sk_security;
5642 u16 sclass = sksec->sclass;
5643 u32 perm;
5644
5645 while (data_len >= nlmsg_total_size(0)) {
5646 nlh = (struct nlmsghdr *)data;
5647
5648 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
5649 * users which means we can't reject skb's with bogus
5650 * length fields; our solution is to follow what
5651 * netlink_rcv_skb() does and simply skip processing at
5652 * messages with length fields that are clearly junk
5653 */
5654 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5655 return 0;
5656
5657 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5658 if (rc == 0) {
5659 rc = sock_has_perm(sk, perm);
5660 if (rc)
5661 return rc;
5662 } else if (rc == -EINVAL) {
5663 /* -EINVAL is a missing msg/perm mapping */
5664 pr_warn_ratelimited("SELinux: unrecognized netlink"
5665 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5666 " pid=%d comm=%s\n",
5667 sk->sk_protocol, nlh->nlmsg_type,
5668 secclass_map[sclass - 1].name,
5669 task_pid_nr(current), current->comm);
5670 if (enforcing_enabled(&selinux_state) &&
5671 !security_get_allow_unknown(&selinux_state))
5672 return rc;
5673 rc = 0;
5674 } else if (rc == -ENOENT) {
5675 /* -ENOENT is a missing socket/class mapping, ignore */
5676 rc = 0;
5677 } else {
5678 return rc;
5679 }
5680
5681 /* move to the next message after applying netlink padding */
5682 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5683 if (msg_len >= data_len)
5684 return 0;
5685 data_len -= msg_len;
5686 data += msg_len;
5687 }
5688
5689 return rc;
5690}
5691
5692#ifdef CONFIG_NETFILTER
5693
5694static unsigned int selinux_ip_forward(struct sk_buff *skb,
5695 const struct net_device *indev,
5696 u16 family)
5697{
5698 int err;
5699 char *addrp;
5700 u32 peer_sid;
5701 struct common_audit_data ad;
5702 struct lsm_network_audit net = {0,};
5703 u8 secmark_active;
5704 u8 netlbl_active;
5705 u8 peerlbl_active;
5706
5707 if (!selinux_policycap_netpeer())
5708 return NF_ACCEPT;
5709
5710 secmark_active = selinux_secmark_enabled();
5711 netlbl_active = netlbl_enabled();
5712 peerlbl_active = selinux_peerlbl_enabled();
5713 if (!secmark_active && !peerlbl_active)
5714 return NF_ACCEPT;
5715
5716 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5717 return NF_DROP;
5718
5719 ad.type = LSM_AUDIT_DATA_NET;
5720 ad.u.net = &net;
5721 ad.u.net->netif = indev->ifindex;
5722 ad.u.net->family = family;
5723 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5724 return NF_DROP;
5725
5726 if (peerlbl_active) {
5727 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5728 addrp, family, peer_sid, &ad);
5729 if (err) {
5730 selinux_netlbl_err(skb, family, err, 1);
5731 return NF_DROP;
5732 }
5733 }
5734
5735 if (secmark_active)
5736 if (avc_has_perm(&selinux_state,
5737 peer_sid, skb->secmark,
5738 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5739 return NF_DROP;
5740
5741 if (netlbl_active)
5742 /* we do this in the FORWARD path and not the POST_ROUTING
5743 * path because we want to make sure we apply the necessary
5744 * labeling before IPsec is applied so we can leverage AH
5745 * protection */
5746 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5747 return NF_DROP;
5748
5749 return NF_ACCEPT;
5750}
5751
5752static unsigned int selinux_ipv4_forward(void *priv,
5753 struct sk_buff *skb,
5754 const struct nf_hook_state *state)
5755{
5756 return selinux_ip_forward(skb, state->in, PF_INET);
5757}
5758
5759#if IS_ENABLED(CONFIG_IPV6)
5760static unsigned int selinux_ipv6_forward(void *priv,
5761 struct sk_buff *skb,
5762 const struct nf_hook_state *state)
5763{
5764 return selinux_ip_forward(skb, state->in, PF_INET6);
5765}
5766#endif /* IPV6 */
5767
5768static unsigned int selinux_ip_output(struct sk_buff *skb,
5769 u16 family)
5770{
5771 struct sock *sk;
5772 u32 sid;
5773
5774 if (!netlbl_enabled())
5775 return NF_ACCEPT;
5776
5777 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5778 * because we want to make sure we apply the necessary labeling
5779 * before IPsec is applied so we can leverage AH protection */
5780 sk = skb->sk;
5781 if (sk) {
5782 struct sk_security_struct *sksec;
5783
5784 if (sk_listener(sk))
5785 /* if the socket is the listening state then this
5786 * packet is a SYN-ACK packet which means it needs to
5787 * be labeled based on the connection/request_sock and
5788 * not the parent socket. unfortunately, we can't
5789 * lookup the request_sock yet as it isn't queued on
5790 * the parent socket until after the SYN-ACK is sent.
5791 * the "solution" is to simply pass the packet as-is
5792 * as any IP option based labeling should be copied
5793 * from the initial connection request (in the IP
5794 * layer). it is far from ideal, but until we get a
5795 * security label in the packet itself this is the
5796 * best we can do. */
5797 return NF_ACCEPT;
5798
5799 /* standard practice, label using the parent socket */
5800 sksec = sk->sk_security;
5801 sid = sksec->sid;
5802 } else
5803 sid = SECINITSID_KERNEL;
5804 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5805 return NF_DROP;
5806
5807 return NF_ACCEPT;
5808}
5809
5810static unsigned int selinux_ipv4_output(void *priv,
5811 struct sk_buff *skb,
5812 const struct nf_hook_state *state)
5813{
5814 return selinux_ip_output(skb, PF_INET);
5815}
5816
5817#if IS_ENABLED(CONFIG_IPV6)
5818static unsigned int selinux_ipv6_output(void *priv,
5819 struct sk_buff *skb,
5820 const struct nf_hook_state *state)
5821{
5822 return selinux_ip_output(skb, PF_INET6);
5823}
5824#endif /* IPV6 */
5825
5826static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5827 int ifindex,
5828 u16 family)
5829{
5830 struct sock *sk = skb_to_full_sk(skb);
5831 struct sk_security_struct *sksec;
5832 struct common_audit_data ad;
5833 struct lsm_network_audit net = {0,};
5834 char *addrp;
5835 u8 proto = 0;
5836
5837 if (sk == NULL)
5838 return NF_ACCEPT;
5839 sksec = sk->sk_security;
5840
5841 ad.type = LSM_AUDIT_DATA_NET;
5842 ad.u.net = &net;
5843 ad.u.net->netif = ifindex;
5844 ad.u.net->family = family;
5845 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5846 return NF_DROP;
5847
5848 if (selinux_secmark_enabled())
5849 if (avc_has_perm(&selinux_state,
5850 sksec->sid, skb->secmark,
5851 SECCLASS_PACKET, PACKET__SEND, &ad))
5852 return NF_DROP_ERR(-ECONNREFUSED);
5853
5854 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5855 return NF_DROP_ERR(-ECONNREFUSED);
5856
5857 return NF_ACCEPT;
5858}
5859
5860static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5861 const struct net_device *outdev,
5862 u16 family)
5863{
5864 u32 secmark_perm;
5865 u32 peer_sid;
5866 int ifindex = outdev->ifindex;
5867 struct sock *sk;
5868 struct common_audit_data ad;
5869 struct lsm_network_audit net = {0,};
5870 char *addrp;
5871 u8 secmark_active;
5872 u8 peerlbl_active;
5873
5874 /* If any sort of compatibility mode is enabled then handoff processing
5875 * to the selinux_ip_postroute_compat() function to deal with the
5876 * special handling. We do this in an attempt to keep this function
5877 * as fast and as clean as possible. */
5878 if (!selinux_policycap_netpeer())
5879 return selinux_ip_postroute_compat(skb, ifindex, family);
5880
5881 secmark_active = selinux_secmark_enabled();
5882 peerlbl_active = selinux_peerlbl_enabled();
5883 if (!secmark_active && !peerlbl_active)
5884 return NF_ACCEPT;
5885
5886 sk = skb_to_full_sk(skb);
5887
5888#ifdef CONFIG_XFRM
5889 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5890 * packet transformation so allow the packet to pass without any checks
5891 * since we'll have another chance to perform access control checks
5892 * when the packet is on it's final way out.
5893 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5894 * is NULL, in this case go ahead and apply access control.
5895 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5896 * TCP listening state we cannot wait until the XFRM processing
5897 * is done as we will miss out on the SA label if we do;
5898 * unfortunately, this means more work, but it is only once per
5899 * connection. */
5900 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5901 !(sk && sk_listener(sk)))
5902 return NF_ACCEPT;
5903#endif
5904
5905 if (sk == NULL) {
5906 /* Without an associated socket the packet is either coming
5907 * from the kernel or it is being forwarded; check the packet
5908 * to determine which and if the packet is being forwarded
5909 * query the packet directly to determine the security label. */
5910 if (skb->skb_iif) {
5911 secmark_perm = PACKET__FORWARD_OUT;
5912 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5913 return NF_DROP;
5914 } else {
5915 secmark_perm = PACKET__SEND;
5916 peer_sid = SECINITSID_KERNEL;
5917 }
5918 } else if (sk_listener(sk)) {
5919 /* Locally generated packet but the associated socket is in the
5920 * listening state which means this is a SYN-ACK packet. In
5921 * this particular case the correct security label is assigned
5922 * to the connection/request_sock but unfortunately we can't
5923 * query the request_sock as it isn't queued on the parent
5924 * socket until after the SYN-ACK packet is sent; the only
5925 * viable choice is to regenerate the label like we do in
5926 * selinux_inet_conn_request(). See also selinux_ip_output()
5927 * for similar problems. */
5928 u32 skb_sid;
5929 struct sk_security_struct *sksec;
5930
5931 sksec = sk->sk_security;
5932 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5933 return NF_DROP;
5934 /* At this point, if the returned skb peerlbl is SECSID_NULL
5935 * and the packet has been through at least one XFRM
5936 * transformation then we must be dealing with the "final"
5937 * form of labeled IPsec packet; since we've already applied
5938 * all of our access controls on this packet we can safely
5939 * pass the packet. */
5940 if (skb_sid == SECSID_NULL) {
5941 switch (family) {
5942 case PF_INET:
5943 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5944 return NF_ACCEPT;
5945 break;
5946 case PF_INET6:
5947 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5948 return NF_ACCEPT;
5949 break;
5950 default:
5951 return NF_DROP_ERR(-ECONNREFUSED);
5952 }
5953 }
5954 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5955 return NF_DROP;
5956 secmark_perm = PACKET__SEND;
5957 } else {
5958 /* Locally generated packet, fetch the security label from the
5959 * associated socket. */
5960 struct sk_security_struct *sksec = sk->sk_security;
5961 peer_sid = sksec->sid;
5962 secmark_perm = PACKET__SEND;
5963 }
5964
5965 ad.type = LSM_AUDIT_DATA_NET;
5966 ad.u.net = &net;
5967 ad.u.net->netif = ifindex;
5968 ad.u.net->family = family;
5969 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5970 return NF_DROP;
5971
5972 if (secmark_active)
5973 if (avc_has_perm(&selinux_state,
5974 peer_sid, skb->secmark,
5975 SECCLASS_PACKET, secmark_perm, &ad))
5976 return NF_DROP_ERR(-ECONNREFUSED);
5977
5978 if (peerlbl_active) {
5979 u32 if_sid;
5980 u32 node_sid;
5981
5982 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5983 return NF_DROP;
5984 if (avc_has_perm(&selinux_state,
5985 peer_sid, if_sid,
5986 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5987 return NF_DROP_ERR(-ECONNREFUSED);
5988
5989 if (sel_netnode_sid(addrp, family, &node_sid))
5990 return NF_DROP;
5991 if (avc_has_perm(&selinux_state,
5992 peer_sid, node_sid,
5993 SECCLASS_NODE, NODE__SENDTO, &ad))
5994 return NF_DROP_ERR(-ECONNREFUSED);
5995 }
5996
5997 return NF_ACCEPT;
5998}
5999
6000static unsigned int selinux_ipv4_postroute(void *priv,
6001 struct sk_buff *skb,
6002 const struct nf_hook_state *state)
6003{
6004 return selinux_ip_postroute(skb, state->out, PF_INET);
6005}
6006
6007#if IS_ENABLED(CONFIG_IPV6)
6008static unsigned int selinux_ipv6_postroute(void *priv,
6009 struct sk_buff *skb,
6010 const struct nf_hook_state *state)
6011{
6012 return selinux_ip_postroute(skb, state->out, PF_INET6);
6013}
6014#endif /* IPV6 */
6015
6016#endif /* CONFIG_NETFILTER */
6017
6018static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
6019{
6020 return selinux_nlmsg_perm(sk, skb);
6021}
6022
6023static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
6024{
6025 isec->sclass = sclass;
6026 isec->sid = current_sid();
6027}
6028
6029static int msg_msg_alloc_security(struct msg_msg *msg)
6030{
6031 struct msg_security_struct *msec;
6032
6033 msec = selinux_msg_msg(msg);
6034 msec->sid = SECINITSID_UNLABELED;
6035
6036 return 0;
6037}
6038
6039static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
6040 u32 perms)
6041{
6042 struct ipc_security_struct *isec;
6043 struct common_audit_data ad;
6044 u32 sid = current_sid();
6045
6046 isec = selinux_ipc(ipc_perms);
6047
6048 ad.type = LSM_AUDIT_DATA_IPC;
6049 ad.u.ipc_id = ipc_perms->key;
6050
6051 return avc_has_perm(&selinux_state,
6052 sid, isec->sid, isec->sclass, perms, &ad);
6053}
6054
6055static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
6056{
6057 return msg_msg_alloc_security(msg);
6058}
6059
6060/* message queue security operations */
6061static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6062{
6063 struct ipc_security_struct *isec;
6064 struct common_audit_data ad;
6065 u32 sid = current_sid();
6066 int rc;
6067
6068 isec = selinux_ipc(msq);
6069 ipc_init_security(isec, SECCLASS_MSGQ);
6070
6071 ad.type = LSM_AUDIT_DATA_IPC;
6072 ad.u.ipc_id = msq->key;
6073
6074 rc = avc_has_perm(&selinux_state,
6075 sid, isec->sid, SECCLASS_MSGQ,
6076 MSGQ__CREATE, &ad);
6077 return rc;
6078}
6079
6080static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6081{
6082 struct ipc_security_struct *isec;
6083 struct common_audit_data ad;
6084 u32 sid = current_sid();
6085
6086 isec = selinux_ipc(msq);
6087
6088 ad.type = LSM_AUDIT_DATA_IPC;
6089 ad.u.ipc_id = msq->key;
6090
6091 return avc_has_perm(&selinux_state,
6092 sid, isec->sid, SECCLASS_MSGQ,
6093 MSGQ__ASSOCIATE, &ad);
6094}
6095
6096static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6097{
6098 int err;
6099 int perms;
6100
6101 switch (cmd) {
6102 case IPC_INFO:
6103 case MSG_INFO:
6104 /* No specific object, just general system-wide information. */
6105 return avc_has_perm(&selinux_state,
6106 current_sid(), SECINITSID_KERNEL,
6107 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6108 case IPC_STAT:
6109 case MSG_STAT:
6110 case MSG_STAT_ANY:
6111 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6112 break;
6113 case IPC_SET:
6114 perms = MSGQ__SETATTR;
6115 break;
6116 case IPC_RMID:
6117 perms = MSGQ__DESTROY;
6118 break;
6119 default:
6120 return 0;
6121 }
6122
6123 err = ipc_has_perm(msq, perms);
6124 return err;
6125}
6126
6127static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6128{
6129 struct ipc_security_struct *isec;
6130 struct msg_security_struct *msec;
6131 struct common_audit_data ad;
6132 u32 sid = current_sid();
6133 int rc;
6134
6135 isec = selinux_ipc(msq);
6136 msec = selinux_msg_msg(msg);
6137
6138 /*
6139 * First time through, need to assign label to the message
6140 */
6141 if (msec->sid == SECINITSID_UNLABELED) {
6142 /*
6143 * Compute new sid based on current process and
6144 * message queue this message will be stored in
6145 */
6146 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6147 SECCLASS_MSG, NULL, &msec->sid);
6148 if (rc)
6149 return rc;
6150 }
6151
6152 ad.type = LSM_AUDIT_DATA_IPC;
6153 ad.u.ipc_id = msq->key;
6154
6155 /* Can this process write to the queue? */
6156 rc = avc_has_perm(&selinux_state,
6157 sid, isec->sid, SECCLASS_MSGQ,
6158 MSGQ__WRITE, &ad);
6159 if (!rc)
6160 /* Can this process send the message */
6161 rc = avc_has_perm(&selinux_state,
6162 sid, msec->sid, SECCLASS_MSG,
6163 MSG__SEND, &ad);
6164 if (!rc)
6165 /* Can the message be put in the queue? */
6166 rc = avc_has_perm(&selinux_state,
6167 msec->sid, isec->sid, SECCLASS_MSGQ,
6168 MSGQ__ENQUEUE, &ad);
6169
6170 return rc;
6171}
6172
6173static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6174 struct task_struct *target,
6175 long type, int mode)
6176{
6177 struct ipc_security_struct *isec;
6178 struct msg_security_struct *msec;
6179 struct common_audit_data ad;
6180 u32 sid = task_sid(target);
6181 int rc;
6182
6183 isec = selinux_ipc(msq);
6184 msec = selinux_msg_msg(msg);
6185
6186 ad.type = LSM_AUDIT_DATA_IPC;
6187 ad.u.ipc_id = msq->key;
6188
6189 rc = avc_has_perm(&selinux_state,
6190 sid, isec->sid,
6191 SECCLASS_MSGQ, MSGQ__READ, &ad);
6192 if (!rc)
6193 rc = avc_has_perm(&selinux_state,
6194 sid, msec->sid,
6195 SECCLASS_MSG, MSG__RECEIVE, &ad);
6196 return rc;
6197}
6198
6199/* Shared Memory security operations */
6200static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6201{
6202 struct ipc_security_struct *isec;
6203 struct common_audit_data ad;
6204 u32 sid = current_sid();
6205 int rc;
6206
6207 isec = selinux_ipc(shp);
6208 ipc_init_security(isec, SECCLASS_SHM);
6209
6210 ad.type = LSM_AUDIT_DATA_IPC;
6211 ad.u.ipc_id = shp->key;
6212
6213 rc = avc_has_perm(&selinux_state,
6214 sid, isec->sid, SECCLASS_SHM,
6215 SHM__CREATE, &ad);
6216 return rc;
6217}
6218
6219static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6220{
6221 struct ipc_security_struct *isec;
6222 struct common_audit_data ad;
6223 u32 sid = current_sid();
6224
6225 isec = selinux_ipc(shp);
6226
6227 ad.type = LSM_AUDIT_DATA_IPC;
6228 ad.u.ipc_id = shp->key;
6229
6230 return avc_has_perm(&selinux_state,
6231 sid, isec->sid, SECCLASS_SHM,
6232 SHM__ASSOCIATE, &ad);
6233}
6234
6235/* Note, at this point, shp is locked down */
6236static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6237{
6238 int perms;
6239 int err;
6240
6241 switch (cmd) {
6242 case IPC_INFO:
6243 case SHM_INFO:
6244 /* No specific object, just general system-wide information. */
6245 return avc_has_perm(&selinux_state,
6246 current_sid(), SECINITSID_KERNEL,
6247 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6248 case IPC_STAT:
6249 case SHM_STAT:
6250 case SHM_STAT_ANY:
6251 perms = SHM__GETATTR | SHM__ASSOCIATE;
6252 break;
6253 case IPC_SET:
6254 perms = SHM__SETATTR;
6255 break;
6256 case SHM_LOCK:
6257 case SHM_UNLOCK:
6258 perms = SHM__LOCK;
6259 break;
6260 case IPC_RMID:
6261 perms = SHM__DESTROY;
6262 break;
6263 default:
6264 return 0;
6265 }
6266
6267 err = ipc_has_perm(shp, perms);
6268 return err;
6269}
6270
6271static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6272 char __user *shmaddr, int shmflg)
6273{
6274 u32 perms;
6275
6276 if (shmflg & SHM_RDONLY)
6277 perms = SHM__READ;
6278 else
6279 perms = SHM__READ | SHM__WRITE;
6280
6281 return ipc_has_perm(shp, perms);
6282}
6283
6284/* Semaphore security operations */
6285static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6286{
6287 struct ipc_security_struct *isec;
6288 struct common_audit_data ad;
6289 u32 sid = current_sid();
6290 int rc;
6291
6292 isec = selinux_ipc(sma);
6293 ipc_init_security(isec, SECCLASS_SEM);
6294
6295 ad.type = LSM_AUDIT_DATA_IPC;
6296 ad.u.ipc_id = sma->key;
6297
6298 rc = avc_has_perm(&selinux_state,
6299 sid, isec->sid, SECCLASS_SEM,
6300 SEM__CREATE, &ad);
6301 return rc;
6302}
6303
6304static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6305{
6306 struct ipc_security_struct *isec;
6307 struct common_audit_data ad;
6308 u32 sid = current_sid();
6309
6310 isec = selinux_ipc(sma);
6311
6312 ad.type = LSM_AUDIT_DATA_IPC;
6313 ad.u.ipc_id = sma->key;
6314
6315 return avc_has_perm(&selinux_state,
6316 sid, isec->sid, SECCLASS_SEM,
6317 SEM__ASSOCIATE, &ad);
6318}
6319
6320/* Note, at this point, sma is locked down */
6321static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6322{
6323 int err;
6324 u32 perms;
6325
6326 switch (cmd) {
6327 case IPC_INFO:
6328 case SEM_INFO:
6329 /* No specific object, just general system-wide information. */
6330 return avc_has_perm(&selinux_state,
6331 current_sid(), SECINITSID_KERNEL,
6332 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6333 case GETPID:
6334 case GETNCNT:
6335 case GETZCNT:
6336 perms = SEM__GETATTR;
6337 break;
6338 case GETVAL:
6339 case GETALL:
6340 perms = SEM__READ;
6341 break;
6342 case SETVAL:
6343 case SETALL:
6344 perms = SEM__WRITE;
6345 break;
6346 case IPC_RMID:
6347 perms = SEM__DESTROY;
6348 break;
6349 case IPC_SET:
6350 perms = SEM__SETATTR;
6351 break;
6352 case IPC_STAT:
6353 case SEM_STAT:
6354 case SEM_STAT_ANY:
6355 perms = SEM__GETATTR | SEM__ASSOCIATE;
6356 break;
6357 default:
6358 return 0;
6359 }
6360
6361 err = ipc_has_perm(sma, perms);
6362 return err;
6363}
6364
6365static int selinux_sem_semop(struct kern_ipc_perm *sma,
6366 struct sembuf *sops, unsigned nsops, int alter)
6367{
6368 u32 perms;
6369
6370 if (alter)
6371 perms = SEM__READ | SEM__WRITE;
6372 else
6373 perms = SEM__READ;
6374
6375 return ipc_has_perm(sma, perms);
6376}
6377
6378static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6379{
6380 u32 av = 0;
6381
6382 av = 0;
6383 if (flag & S_IRUGO)
6384 av |= IPC__UNIX_READ;
6385 if (flag & S_IWUGO)
6386 av |= IPC__UNIX_WRITE;
6387
6388 if (av == 0)
6389 return 0;
6390
6391 return ipc_has_perm(ipcp, av);
6392}
6393
6394static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6395{
6396 struct ipc_security_struct *isec = selinux_ipc(ipcp);
6397 *secid = isec->sid;
6398}
6399
6400static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6401{
6402 if (inode)
6403 inode_doinit_with_dentry(inode, dentry);
6404}
6405
6406static int selinux_getprocattr(struct task_struct *p,
6407 char *name, char **value)
6408{
6409 const struct task_security_struct *__tsec;
6410 u32 sid;
6411 int error;
6412 unsigned len;
6413
6414 rcu_read_lock();
6415 __tsec = selinux_cred(__task_cred(p));
6416
6417 if (current != p) {
6418 error = avc_has_perm(&selinux_state,
6419 current_sid(), __tsec->sid,
6420 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6421 if (error)
6422 goto bad;
6423 }
6424
6425 if (!strcmp(name, "current"))
6426 sid = __tsec->sid;
6427 else if (!strcmp(name, "prev"))
6428 sid = __tsec->osid;
6429 else if (!strcmp(name, "exec"))
6430 sid = __tsec->exec_sid;
6431 else if (!strcmp(name, "fscreate"))
6432 sid = __tsec->create_sid;
6433 else if (!strcmp(name, "keycreate"))
6434 sid = __tsec->keycreate_sid;
6435 else if (!strcmp(name, "sockcreate"))
6436 sid = __tsec->sockcreate_sid;
6437 else {
6438 error = -EINVAL;
6439 goto bad;
6440 }
6441 rcu_read_unlock();
6442
6443 if (!sid)
6444 return 0;
6445
6446 error = security_sid_to_context(&selinux_state, sid, value, &len);
6447 if (error)
6448 return error;
6449 return len;
6450
6451bad:
6452 rcu_read_unlock();
6453 return error;
6454}
6455
6456static int selinux_setprocattr(const char *name, void *value, size_t size)
6457{
6458 struct task_security_struct *tsec;
6459 struct cred *new;
6460 u32 mysid = current_sid(), sid = 0, ptsid;
6461 int error;
6462 char *str = value;
6463
6464 /*
6465 * Basic control over ability to set these attributes at all.
6466 */
6467 if (!strcmp(name, "exec"))
6468 error = avc_has_perm(&selinux_state,
6469 mysid, mysid, SECCLASS_PROCESS,
6470 PROCESS__SETEXEC, NULL);
6471 else if (!strcmp(name, "fscreate"))
6472 error = avc_has_perm(&selinux_state,
6473 mysid, mysid, SECCLASS_PROCESS,
6474 PROCESS__SETFSCREATE, NULL);
6475 else if (!strcmp(name, "keycreate"))
6476 error = avc_has_perm(&selinux_state,
6477 mysid, mysid, SECCLASS_PROCESS,
6478 PROCESS__SETKEYCREATE, NULL);
6479 else if (!strcmp(name, "sockcreate"))
6480 error = avc_has_perm(&selinux_state,
6481 mysid, mysid, SECCLASS_PROCESS,
6482 PROCESS__SETSOCKCREATE, NULL);
6483 else if (!strcmp(name, "current"))
6484 error = avc_has_perm(&selinux_state,
6485 mysid, mysid, SECCLASS_PROCESS,
6486 PROCESS__SETCURRENT, NULL);
6487 else
6488 error = -EINVAL;
6489 if (error)
6490 return error;
6491
6492 /* Obtain a SID for the context, if one was specified. */
6493 if (size && str[0] && str[0] != '\n') {
6494 if (str[size-1] == '\n') {
6495 str[size-1] = 0;
6496 size--;
6497 }
6498 error = security_context_to_sid(&selinux_state, value, size,
6499 &sid, GFP_KERNEL);
6500 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6501 if (!has_cap_mac_admin(true)) {
6502 struct audit_buffer *ab;
6503 size_t audit_size;
6504
6505 /* We strip a nul only if it is at the end, otherwise the
6506 * context contains a nul and we should audit that */
6507 if (str[size - 1] == '\0')
6508 audit_size = size - 1;
6509 else
6510 audit_size = size;
6511 ab = audit_log_start(audit_context(),
6512 GFP_ATOMIC,
6513 AUDIT_SELINUX_ERR);
6514 audit_log_format(ab, "op=fscreate invalid_context=");
6515 audit_log_n_untrustedstring(ab, value, audit_size);
6516 audit_log_end(ab);
6517
6518 return error;
6519 }
6520 error = security_context_to_sid_force(
6521 &selinux_state,
6522 value, size, &sid);
6523 }
6524 if (error)
6525 return error;
6526 }
6527
6528 new = prepare_creds();
6529 if (!new)
6530 return -ENOMEM;
6531
6532 /* Permission checking based on the specified context is
6533 performed during the actual operation (execve,
6534 open/mkdir/...), when we know the full context of the
6535 operation. See selinux_bprm_set_creds for the execve
6536 checks and may_create for the file creation checks. The
6537 operation will then fail if the context is not permitted. */
6538 tsec = selinux_cred(new);
6539 if (!strcmp(name, "exec")) {
6540 tsec->exec_sid = sid;
6541 } else if (!strcmp(name, "fscreate")) {
6542 tsec->create_sid = sid;
6543 } else if (!strcmp(name, "keycreate")) {
6544 if (sid) {
6545 error = avc_has_perm(&selinux_state, mysid, sid,
6546 SECCLASS_KEY, KEY__CREATE, NULL);
6547 if (error)
6548 goto abort_change;
6549 }
6550 tsec->keycreate_sid = sid;
6551 } else if (!strcmp(name, "sockcreate")) {
6552 tsec->sockcreate_sid = sid;
6553 } else if (!strcmp(name, "current")) {
6554 error = -EINVAL;
6555 if (sid == 0)
6556 goto abort_change;
6557
6558 /* Only allow single threaded processes to change context */
6559 error = -EPERM;
6560 if (!current_is_single_threaded()) {
6561 error = security_bounded_transition(&selinux_state,
6562 tsec->sid, sid);
6563 if (error)
6564 goto abort_change;
6565 }
6566
6567 /* Check permissions for the transition. */
6568 error = avc_has_perm(&selinux_state,
6569 tsec->sid, sid, SECCLASS_PROCESS,
6570 PROCESS__DYNTRANSITION, NULL);
6571 if (error)
6572 goto abort_change;
6573
6574 /* Check for ptracing, and update the task SID if ok.
6575 Otherwise, leave SID unchanged and fail. */
6576 ptsid = ptrace_parent_sid();
6577 if (ptsid != 0) {
6578 error = avc_has_perm(&selinux_state,
6579 ptsid, sid, SECCLASS_PROCESS,
6580 PROCESS__PTRACE, NULL);
6581 if (error)
6582 goto abort_change;
6583 }
6584
6585 tsec->sid = sid;
6586 } else {
6587 error = -EINVAL;
6588 goto abort_change;
6589 }
6590
6591 commit_creds(new);
6592 return size;
6593
6594abort_change:
6595 abort_creds(new);
6596 return error;
6597}
6598
6599static int selinux_ismaclabel(const char *name)
6600{
6601 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6602}
6603
6604static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6605{
6606 return security_sid_to_context(&selinux_state, secid,
6607 secdata, seclen);
6608}
6609
6610static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6611{
6612 return security_context_to_sid(&selinux_state, secdata, seclen,
6613 secid, GFP_KERNEL);
6614}
6615
6616static void selinux_release_secctx(char *secdata, u32 seclen)
6617{
6618 kfree(secdata);
6619}
6620
6621static void selinux_inode_invalidate_secctx(struct inode *inode)
6622{
6623 struct inode_security_struct *isec = selinux_inode(inode);
6624
6625 spin_lock(&isec->lock);
6626 isec->initialized = LABEL_INVALID;
6627 spin_unlock(&isec->lock);
6628}
6629
6630/*
6631 * called with inode->i_mutex locked
6632 */
6633static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6634{
6635 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6636 ctx, ctxlen, 0);
6637 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6638 return rc == -EOPNOTSUPP ? 0 : rc;
6639}
6640
6641/*
6642 * called with inode->i_mutex locked
6643 */
6644static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6645{
6646 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6647}
6648
6649static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6650{
6651 int len = 0;
6652 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6653 ctx, true);
6654 if (len < 0)
6655 return len;
6656 *ctxlen = len;
6657 return 0;
6658}
6659#ifdef CONFIG_KEYS
6660
6661static int selinux_key_alloc(struct key *k, const struct cred *cred,
6662 unsigned long flags)
6663{
6664 const struct task_security_struct *tsec;
6665 struct key_security_struct *ksec;
6666
6667 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6668 if (!ksec)
6669 return -ENOMEM;
6670
6671 tsec = selinux_cred(cred);
6672 if (tsec->keycreate_sid)
6673 ksec->sid = tsec->keycreate_sid;
6674 else
6675 ksec->sid = tsec->sid;
6676
6677 k->security = ksec;
6678 return 0;
6679}
6680
6681static void selinux_key_free(struct key *k)
6682{
6683 struct key_security_struct *ksec = k->security;
6684
6685 k->security = NULL;
6686 kfree(ksec);
6687}
6688
6689static int selinux_key_permission(key_ref_t key_ref,
6690 const struct cred *cred,
6691 unsigned perm)
6692{
6693 struct key *key;
6694 struct key_security_struct *ksec;
6695 u32 sid;
6696
6697 /* if no specific permissions are requested, we skip the
6698 permission check. No serious, additional covert channels
6699 appear to be created. */
6700 if (perm == 0)
6701 return 0;
6702
6703 sid = cred_sid(cred);
6704
6705 key = key_ref_to_ptr(key_ref);
6706 ksec = key->security;
6707
6708 return avc_has_perm(&selinux_state,
6709 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6710}
6711
6712static int selinux_key_getsecurity(struct key *key, char **_buffer)
6713{
6714 struct key_security_struct *ksec = key->security;
6715 char *context = NULL;
6716 unsigned len;
6717 int rc;
6718
6719 rc = security_sid_to_context(&selinux_state, ksec->sid,
6720 &context, &len);
6721 if (!rc)
6722 rc = len;
6723 *_buffer = context;
6724 return rc;
6725}
6726#endif
6727
6728#ifdef CONFIG_SECURITY_INFINIBAND
6729static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6730{
6731 struct common_audit_data ad;
6732 int err;
6733 u32 sid = 0;
6734 struct ib_security_struct *sec = ib_sec;
6735 struct lsm_ibpkey_audit ibpkey;
6736
6737 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6738 if (err)
6739 return err;
6740
6741 ad.type = LSM_AUDIT_DATA_IBPKEY;
6742 ibpkey.subnet_prefix = subnet_prefix;
6743 ibpkey.pkey = pkey_val;
6744 ad.u.ibpkey = &ibpkey;
6745 return avc_has_perm(&selinux_state,
6746 sec->sid, sid,
6747 SECCLASS_INFINIBAND_PKEY,
6748 INFINIBAND_PKEY__ACCESS, &ad);
6749}
6750
6751static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6752 u8 port_num)
6753{
6754 struct common_audit_data ad;
6755 int err;
6756 u32 sid = 0;
6757 struct ib_security_struct *sec = ib_sec;
6758 struct lsm_ibendport_audit ibendport;
6759
6760 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6761 &sid);
6762
6763 if (err)
6764 return err;
6765
6766 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6767 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6768 ibendport.port = port_num;
6769 ad.u.ibendport = &ibendport;
6770 return avc_has_perm(&selinux_state,
6771 sec->sid, sid,
6772 SECCLASS_INFINIBAND_ENDPORT,
6773 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6774}
6775
6776static int selinux_ib_alloc_security(void **ib_sec)
6777{
6778 struct ib_security_struct *sec;
6779
6780 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6781 if (!sec)
6782 return -ENOMEM;
6783 sec->sid = current_sid();
6784
6785 *ib_sec = sec;
6786 return 0;
6787}
6788
6789static void selinux_ib_free_security(void *ib_sec)
6790{
6791 kfree(ib_sec);
6792}
6793#endif
6794
6795#ifdef CONFIG_BPF_SYSCALL
6796static int selinux_bpf(int cmd, union bpf_attr *attr,
6797 unsigned int size)
6798{
6799 u32 sid = current_sid();
6800 int ret;
6801
6802 switch (cmd) {
6803 case BPF_MAP_CREATE:
6804 ret = avc_has_perm(&selinux_state,
6805 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6806 NULL);
6807 break;
6808 case BPF_PROG_LOAD:
6809 ret = avc_has_perm(&selinux_state,
6810 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6811 NULL);
6812 break;
6813 default:
6814 ret = 0;
6815 break;
6816 }
6817
6818 return ret;
6819}
6820
6821static u32 bpf_map_fmode_to_av(fmode_t fmode)
6822{
6823 u32 av = 0;
6824
6825 if (fmode & FMODE_READ)
6826 av |= BPF__MAP_READ;
6827 if (fmode & FMODE_WRITE)
6828 av |= BPF__MAP_WRITE;
6829 return av;
6830}
6831
6832/* This function will check the file pass through unix socket or binder to see
6833 * if it is a bpf related object. And apply correspinding checks on the bpf
6834 * object based on the type. The bpf maps and programs, not like other files and
6835 * socket, are using a shared anonymous inode inside the kernel as their inode.
6836 * So checking that inode cannot identify if the process have privilege to
6837 * access the bpf object and that's why we have to add this additional check in
6838 * selinux_file_receive and selinux_binder_transfer_files.
6839 */
6840static int bpf_fd_pass(struct file *file, u32 sid)
6841{
6842 struct bpf_security_struct *bpfsec;
6843 struct bpf_prog *prog;
6844 struct bpf_map *map;
6845 int ret;
6846
6847 if (file->f_op == &bpf_map_fops) {
6848 map = file->private_data;
6849 bpfsec = map->security;
6850 ret = avc_has_perm(&selinux_state,
6851 sid, bpfsec->sid, SECCLASS_BPF,
6852 bpf_map_fmode_to_av(file->f_mode), NULL);
6853 if (ret)
6854 return ret;
6855 } else if (file->f_op == &bpf_prog_fops) {
6856 prog = file->private_data;
6857 bpfsec = prog->aux->security;
6858 ret = avc_has_perm(&selinux_state,
6859 sid, bpfsec->sid, SECCLASS_BPF,
6860 BPF__PROG_RUN, NULL);
6861 if (ret)
6862 return ret;
6863 }
6864 return 0;
6865}
6866
6867static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6868{
6869 u32 sid = current_sid();
6870 struct bpf_security_struct *bpfsec;
6871
6872 bpfsec = map->security;
6873 return avc_has_perm(&selinux_state,
6874 sid, bpfsec->sid, SECCLASS_BPF,
6875 bpf_map_fmode_to_av(fmode), NULL);
6876}
6877
6878static int selinux_bpf_prog(struct bpf_prog *prog)
6879{
6880 u32 sid = current_sid();
6881 struct bpf_security_struct *bpfsec;
6882
6883 bpfsec = prog->aux->security;
6884 return avc_has_perm(&selinux_state,
6885 sid, bpfsec->sid, SECCLASS_BPF,
6886 BPF__PROG_RUN, NULL);
6887}
6888
6889static int selinux_bpf_map_alloc(struct bpf_map *map)
6890{
6891 struct bpf_security_struct *bpfsec;
6892
6893 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6894 if (!bpfsec)
6895 return -ENOMEM;
6896
6897 bpfsec->sid = current_sid();
6898 map->security = bpfsec;
6899
6900 return 0;
6901}
6902
6903static void selinux_bpf_map_free(struct bpf_map *map)
6904{
6905 struct bpf_security_struct *bpfsec = map->security;
6906
6907 map->security = NULL;
6908 kfree(bpfsec);
6909}
6910
6911static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6912{
6913 struct bpf_security_struct *bpfsec;
6914
6915 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6916 if (!bpfsec)
6917 return -ENOMEM;
6918
6919 bpfsec->sid = current_sid();
6920 aux->security = bpfsec;
6921
6922 return 0;
6923}
6924
6925static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6926{
6927 struct bpf_security_struct *bpfsec = aux->security;
6928
6929 aux->security = NULL;
6930 kfree(bpfsec);
6931}
6932#endif
6933
6934struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6935 .lbs_cred = sizeof(struct task_security_struct),
6936 .lbs_file = sizeof(struct file_security_struct),
6937 .lbs_inode = sizeof(struct inode_security_struct),
6938 .lbs_ipc = sizeof(struct ipc_security_struct),
6939 .lbs_msg_msg = sizeof(struct msg_security_struct),
6940};
6941
6942#ifdef CONFIG_PERF_EVENTS
6943static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6944{
6945 u32 requested, sid = current_sid();
6946
6947 if (type == PERF_SECURITY_OPEN)
6948 requested = PERF_EVENT__OPEN;
6949 else if (type == PERF_SECURITY_CPU)
6950 requested = PERF_EVENT__CPU;
6951 else if (type == PERF_SECURITY_KERNEL)
6952 requested = PERF_EVENT__KERNEL;
6953 else if (type == PERF_SECURITY_TRACEPOINT)
6954 requested = PERF_EVENT__TRACEPOINT;
6955 else
6956 return -EINVAL;
6957
6958 return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT,
6959 requested, NULL);
6960}
6961
6962static int selinux_perf_event_alloc(struct perf_event *event)
6963{
6964 struct perf_event_security_struct *perfsec;
6965
6966 perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6967 if (!perfsec)
6968 return -ENOMEM;
6969
6970 perfsec->sid = current_sid();
6971 event->security = perfsec;
6972
6973 return 0;
6974}
6975
6976static void selinux_perf_event_free(struct perf_event *event)
6977{
6978 struct perf_event_security_struct *perfsec = event->security;
6979
6980 event->security = NULL;
6981 kfree(perfsec);
6982}
6983
6984static int selinux_perf_event_read(struct perf_event *event)
6985{
6986 struct perf_event_security_struct *perfsec = event->security;
6987 u32 sid = current_sid();
6988
6989 return avc_has_perm(&selinux_state, sid, perfsec->sid,
6990 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6991}
6992
6993static int selinux_perf_event_write(struct perf_event *event)
6994{
6995 struct perf_event_security_struct *perfsec = event->security;
6996 u32 sid = current_sid();
6997
6998 return avc_has_perm(&selinux_state, sid, perfsec->sid,
6999 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
7000}
7001#endif
7002
7003static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
7004 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
7005 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
7006 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
7007 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
7008
7009 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
7010 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
7011 LSM_HOOK_INIT(capget, selinux_capget),
7012 LSM_HOOK_INIT(capset, selinux_capset),
7013 LSM_HOOK_INIT(capable, selinux_capable),
7014 LSM_HOOK_INIT(quotactl, selinux_quotactl),
7015 LSM_HOOK_INIT(quota_on, selinux_quota_on),
7016 LSM_HOOK_INIT(syslog, selinux_syslog),
7017 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7018
7019 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7020
7021 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
7022 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7023 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7024
7025 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7026 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7027
7028 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7029 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
7030 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7031 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7032 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7033 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7034 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7035 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7036 LSM_HOOK_INIT(sb_mount, selinux_mount),
7037 LSM_HOOK_INIT(sb_umount, selinux_umount),
7038 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7039 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7040 LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt),
7041
7042 LSM_HOOK_INIT(move_mount, selinux_move_mount),
7043
7044 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7045 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7046
7047 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7048 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7049 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7050 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7051 LSM_HOOK_INIT(inode_create, selinux_inode_create),
7052 LSM_HOOK_INIT(inode_link, selinux_inode_link),
7053 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7054 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7055 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7056 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7057 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7058 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7059 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7060 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7061 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7062 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7063 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7064 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7065 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7066 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7067 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7068 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7069 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7070 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7071 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7072 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7073 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7074 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7075 LSM_HOOK_INIT(path_notify, selinux_path_notify),
7076
7077 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7078
7079 LSM_HOOK_INIT(file_permission, selinux_file_permission),
7080 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7081 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7082 LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat),
7083 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7084 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7085 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7086 LSM_HOOK_INIT(file_lock, selinux_file_lock),
7087 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7088 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7089 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7090 LSM_HOOK_INIT(file_receive, selinux_file_receive),
7091
7092 LSM_HOOK_INIT(file_open, selinux_file_open),
7093
7094 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7095 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7096 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7097 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7098 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7099 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7100 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7101 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7102 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7103 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7104 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7105 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7106 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
7107 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7108 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7109 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7110 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7111 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7112 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7113 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7114 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7115 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7116 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7117
7118 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7119 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7120
7121 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7122
7123 LSM_HOOK_INIT(msg_queue_alloc_security,
7124 selinux_msg_queue_alloc_security),
7125 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7126 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7127 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7128 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7129
7130 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7131 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7132 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7133 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7134
7135 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7136 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7137 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7138 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7139
7140 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7141
7142 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7143 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7144
7145 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7146 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7147 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7148 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7149 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7150 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7151 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7152 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7153
7154 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7155 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7156
7157 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7158 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7159 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7160 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7161 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7162 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7163 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7164 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7165 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7166 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7167 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7168 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7169 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7170 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7171 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7172 LSM_HOOK_INIT(socket_getpeersec_stream,
7173 selinux_socket_getpeersec_stream),
7174 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7175 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7176 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7177 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7178 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7179 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7180 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7181 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7182 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7183 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7184 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7185 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7186 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7187 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7188 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7189 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7190 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7191 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7192 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7193 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7194 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7195 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7196#ifdef CONFIG_SECURITY_INFINIBAND
7197 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7198 LSM_HOOK_INIT(ib_endport_manage_subnet,
7199 selinux_ib_endport_manage_subnet),
7200 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7201 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7202#endif
7203#ifdef CONFIG_SECURITY_NETWORK_XFRM
7204 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7205 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7206 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7207 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7208 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7209 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7210 selinux_xfrm_state_alloc_acquire),
7211 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7212 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7213 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7214 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7215 selinux_xfrm_state_pol_flow_match),
7216 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7217#endif
7218
7219#ifdef CONFIG_KEYS
7220 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7221 LSM_HOOK_INIT(key_free, selinux_key_free),
7222 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7223 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7224#endif
7225
7226#ifdef CONFIG_AUDIT
7227 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7228 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7229 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7230 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7231#endif
7232
7233#ifdef CONFIG_BPF_SYSCALL
7234 LSM_HOOK_INIT(bpf, selinux_bpf),
7235 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7236 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7237 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7238 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7239 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7240 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7241#endif
7242
7243#ifdef CONFIG_PERF_EVENTS
7244 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7245 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7246 LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7247 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7248 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7249#endif
7250};
7251
7252static __init int selinux_init(void)
7253{
7254 pr_info("SELinux: Initializing.\n");
7255
7256 memset(&selinux_state, 0, sizeof(selinux_state));
7257 enforcing_set(&selinux_state, selinux_enforcing_boot);
7258 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7259 selinux_ss_init(&selinux_state.ss);
7260 selinux_avc_init(&selinux_state.avc);
7261
7262 /* Set the security state for the initial task. */
7263 cred_init_security();
7264
7265 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7266
7267 avc_init();
7268
7269 avtab_cache_init();
7270
7271 ebitmap_cache_init();
7272
7273 hashtab_cache_init();
7274
7275 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7276
7277 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7278 panic("SELinux: Unable to register AVC netcache callback\n");
7279
7280 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7281 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7282
7283 if (selinux_enforcing_boot)
7284 pr_debug("SELinux: Starting in enforcing mode\n");
7285 else
7286 pr_debug("SELinux: Starting in permissive mode\n");
7287
7288 fs_validate_description(&selinux_fs_parameters);
7289
7290 return 0;
7291}
7292
7293static void delayed_superblock_init(struct super_block *sb, void *unused)
7294{
7295 selinux_set_mnt_opts(sb, NULL, 0, NULL);
7296}
7297
7298void selinux_complete_init(void)
7299{
7300 pr_debug("SELinux: Completing initialization.\n");
7301
7302 /* Set up any superblocks initialized prior to the policy load. */
7303 pr_debug("SELinux: Setting up existing superblocks.\n");
7304 iterate_supers(delayed_superblock_init, NULL);
7305}
7306
7307/* SELinux requires early initialization in order to label
7308 all processes and objects when they are created. */
7309DEFINE_LSM(selinux) = {
7310 .name = "selinux",
7311 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7312 .enabled = &selinux_enabled,
7313 .blobs = &selinux_blob_sizes,
7314 .init = selinux_init,
7315};
7316
7317#if defined(CONFIG_NETFILTER)
7318
7319static const struct nf_hook_ops selinux_nf_ops[] = {
7320 {
7321 .hook = selinux_ipv4_postroute,
7322 .pf = NFPROTO_IPV4,
7323 .hooknum = NF_INET_POST_ROUTING,
7324 .priority = NF_IP_PRI_SELINUX_LAST,
7325 },
7326 {
7327 .hook = selinux_ipv4_forward,
7328 .pf = NFPROTO_IPV4,
7329 .hooknum = NF_INET_FORWARD,
7330 .priority = NF_IP_PRI_SELINUX_FIRST,
7331 },
7332 {
7333 .hook = selinux_ipv4_output,
7334 .pf = NFPROTO_IPV4,
7335 .hooknum = NF_INET_LOCAL_OUT,
7336 .priority = NF_IP_PRI_SELINUX_FIRST,
7337 },
7338#if IS_ENABLED(CONFIG_IPV6)
7339 {
7340 .hook = selinux_ipv6_postroute,
7341 .pf = NFPROTO_IPV6,
7342 .hooknum = NF_INET_POST_ROUTING,
7343 .priority = NF_IP6_PRI_SELINUX_LAST,
7344 },
7345 {
7346 .hook = selinux_ipv6_forward,
7347 .pf = NFPROTO_IPV6,
7348 .hooknum = NF_INET_FORWARD,
7349 .priority = NF_IP6_PRI_SELINUX_FIRST,
7350 },
7351 {
7352 .hook = selinux_ipv6_output,
7353 .pf = NFPROTO_IPV6,
7354 .hooknum = NF_INET_LOCAL_OUT,
7355 .priority = NF_IP6_PRI_SELINUX_FIRST,
7356 },
7357#endif /* IPV6 */
7358};
7359
7360static int __net_init selinux_nf_register(struct net *net)
7361{
7362 return nf_register_net_hooks(net, selinux_nf_ops,
7363 ARRAY_SIZE(selinux_nf_ops));
7364}
7365
7366static void __net_exit selinux_nf_unregister(struct net *net)
7367{
7368 nf_unregister_net_hooks(net, selinux_nf_ops,
7369 ARRAY_SIZE(selinux_nf_ops));
7370}
7371
7372static struct pernet_operations selinux_net_ops = {
7373 .init = selinux_nf_register,
7374 .exit = selinux_nf_unregister,
7375};
7376
7377static int __init selinux_nf_ip_init(void)
7378{
7379 int err;
7380
7381 if (!selinux_enabled)
7382 return 0;
7383
7384 pr_debug("SELinux: Registering netfilter hooks\n");
7385
7386 err = register_pernet_subsys(&selinux_net_ops);
7387 if (err)
7388 panic("SELinux: register_pernet_subsys: error %d\n", err);
7389
7390 return 0;
7391}
7392__initcall(selinux_nf_ip_init);
7393
7394#ifdef CONFIG_SECURITY_SELINUX_DISABLE
7395static void selinux_nf_ip_exit(void)
7396{
7397 pr_debug("SELinux: Unregistering netfilter hooks\n");
7398
7399 unregister_pernet_subsys(&selinux_net_ops);
7400}
7401#endif
7402
7403#else /* CONFIG_NETFILTER */
7404
7405#ifdef CONFIG_SECURITY_SELINUX_DISABLE
7406#define selinux_nf_ip_exit()
7407#endif
7408
7409#endif /* CONFIG_NETFILTER */
7410
7411#ifdef CONFIG_SECURITY_SELINUX_DISABLE
7412int selinux_disable(struct selinux_state *state)
7413{
7414 if (state->initialized) {
7415 /* Not permitted after initial policy load. */
7416 return -EINVAL;
7417 }
7418
7419 if (state->disabled) {
7420 /* Only do this once. */
7421 return -EINVAL;
7422 }
7423
7424 state->disabled = 1;
7425
7426 pr_info("SELinux: Disabled at runtime.\n");
7427
7428 selinux_enabled = 0;
7429
7430 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7431
7432 /* Try to destroy the avc node cache */
7433 avc_disable();
7434
7435 /* Unregister netfilter hooks. */
7436 selinux_nf_ip_exit();
7437
7438 /* Unregister selinuxfs. */
7439 exit_sel_fs();
7440
7441 return 0;
7442}
7443#endif